Skip to main content

TDA-06.2: Threat Modeling

TDA 7 — High Identify

Mechanisms exist to perform threat modelling and other secure design techniques, to ensure that threats to software and solutions are identified and accounted for.

Control Question: Does the organization perform threat modelling and other secure design techniques, to ensure that threats to software and solutions are identified and accounted for?

General (21)
Framework Mapping Values
CIS CSC 8.1 16.2 16.14
CIS CSC 8.1 IG2 16.2
CIS CSC 8.1 IG3 16.2 16.14
CSA IoT SCF 2 SDV-06
GovRAMP Moderate SA-11(02)
GovRAMP High SA-11(02)
ISO/SAE 21434 2021 PM-06-08 RQ-15-02 RQ-15-03 RQ-15-04 RQ-15-05 RQ-15-06 RQ-15-07 RQ-15-08 RQ-15-09 RQ-15-10 RQ-15-11.a RQ-15-11.b RQ-15-11.c RQ-15-12.a RQ-15-12.b RQ-15-12.c RQ-15-12.d RQ-15-12.e RQ-15-13.a RQ-15-13.b RQ-15-13.c RQ-15-13.d RQ-15-14 RQ-15-15 RQ-15-16
NIST AI 600-1 GV-3.2-005
NIST 800-53 R5 (source) SA-11(2) SA-15(8)
NIST 800-161 R1 SA-15(4) SA-15(8)
NIST 800-161 R1 Level 2 SA-15(4)
NIST 800-161 R1 Level 3 SA-15(4) SA-15(8)
NIST 800-218 PW.1 PW.1.1 RV.2.2
NIST CSF 2.0 (source) GV.OC-01 PR.PS-06
OWASP Top 10 2021 A04:2021 A08:2021
SPARTA CM0020
SWIFT CSF 2023 7.4A
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) TDA-06.2
SCF CORE ESP Level 1 Foundational TDA-06.2
SCF CORE ESP Level 2 Critical Infrastructure TDA-06.2
SCF CORE ESP Level 3 Advanced Threats TDA-06.2
US (4)
Framework Mapping Values
US DoD Zero Trust Execution Roadmap 4.1
US DHS CISA SSDAF 1.d
US EO 14028 4e(i)(D)
US - CA CCPA 2025 7123(c)(14)
EMEA (2)
Framework Mapping Values
EMEA EU EBA GL/2019/04 3.6.2(69)
EMEA Saudi Arabia IoT CGIoT-1 2024 2-12-1
APAC (2)
Framework Mapping Values
APAC Australia ISM June 2024 ISM-1238
APAC New Zealand NZISM 3.6 14.4.6.C.01 14.4.6.C.02 14.4.6.C.03
Americas (1)
Framework Mapping Values
Americas Canada OSFI B-13 2.4.4 3.1.6

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to perform threat modelling and other secure design techniques, to ensure that threats to software and solutions are identified and accounted for.

Level 1 — Performed Informally

C|P-CMM1 is N/A, since a structured process is required to perform threat modelling and other secure design techniques, to ensure that threats to software and solutions are identified and accounted for.

Level 2 — Planned & Tracked

Technology Development & Acquisition (TDA) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Development and acquisition management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  • IT/cybersecurity personnel identify cybersecurity and data protection controls to address applicable statutory, regulatory and contractual requirements for technology development and acquisition management.
  • IT/cybersecurity personnel implement secure practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets, data and network(s).
  • Secure development practices mostly conform to industry-recognized standards for secure engineering (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).
  • Procurement practices require third-party developers of systems, system components or services to follow secure engineering practices.
  • A Project Management Office (PMO), or project management function, enables the implementation of cybersecurity and data privacy-related resource planning controls across the System Development Lifecycle (SDLC) for all high-value projects.
Level 3 — Well Defined

Technology Development & Acquisition (TDA) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data protection controls to protect the confidentiality, integrity, availability and safety of the organization's applications, systems, services and data for technology development and acquisition. o Ensures the Information Assurance Program (IAP) evaluates applicable cybersecurity and data protection controls as part of “business as usual” pre-production testing. o Operates the Cybersecurity Supply Chain Risk Management (C-SCRM) program to identify and mitigate supply chain-related risks and threats.

  • Secure development practices conform to industry-recognized standards for secure engineering (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).
  • A procurement team, or similar function, ensures that third party development and/ or acquisitions meet, or exceed, the organization's business, cybersecurity and data privacy requirements to have secure and resilient systems, applications, services and processes.
  • A Software Assurance Maturity Model (SAMM) governs a secure development lifecycle for the development of systems, applications and services.
  • Administrative processes exist and technologies are configured to implement secure configuration settings by default to reduce the likelihood of software being deployed with weak security settings, putting the asset at a greater risk of compromise.
  • An IT Asset Management (ITAM) function, or similar function, categorizes devices according to the data the asset stores, transmits and/ or processes and applies the appropriate technology controls to protect the asset and data.
  • A formal Change Management (CM) program help to ensure that no unauthorized changes are made, all changes are documented, services are not disrupted and resources are used efficiently.
  • A Governance, Risk & Compliance (GRC) function, or similar function;
  • A Project Management Office (PMO), or project management function, enables IAP pre-production testing of cybersecurity and data protection controls as part of the organization's established project management processes.
Level 4 — Quantitatively Controlled

See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to perform threat modelling and other secure design techniques, to ensure that threats to software and solutions are identified and accounted for.

Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to perform threat modelling and other secure design techniques, to ensure that threats to software and solutions are identified and accounted for.

Assessment Objectives

  1. TDA-06.2_A01 threat modelling and other secure design techniques are used to ensure that threats to software and solutions are identified and accounted for.

Evidence Requirements

E-TDA-03 Application Security Testing (AST)

Documented evidence of application security testing (e.g., DAST, SAST, fuzzing, etc.).

Technology Design & Acquisition
E-TDA-10 Security Use Case View (SUCV)

Documented evidence of diagrams, with explanatory text, describing various security scenarios in each of the operational and clinical functionality states of the system and how the system addresses each scenario architecturally. [note SUCV is specific to medical device manufacturers]

Technology Design & Acquisition
E-THR-05 Threat Mitigation

Documented evidence of steps taken to mitigate identified threats.

Threat Management

Technology Recommendations

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free