
Threat Modeling for Federal Government

Be secure by design: identify and remediate modern cyber threats for your federal organization with an automated, scalable and intuitive threat modeling platform.


Why Threat Modeling, and why now?

Choosing not to threat model is no longer an option. Multiple mandates and frameworks are in place to raise overall cybersecurity. The OMB has mandated that Federal Agencies must follow the NIST SSDF framework when building software.

The NIST SSDF states that you have to "Produce Well-Secured Software" under task PW.1.1, which stipulates that you have to do threat modeling. PW.2.1 states that you have to review the software design for compliance.

Responding to the Executive Order, the National Institute of Standards and Technology (NIST) published an interagency/internal report, NISTIR 8397, Guidelines on Minimum Standards for Developer Verification of Software. The report provides eleven recommendations for software verification techniques, and "Threat modeling to look for design-level security issues" is highlighted as number one.

How can threat modeling support Federal organizations?

Compliance and Auditing

Supports regulatory and compliance efforts while providing full audit trails

Recommended by NIST

NIST references it as the first step in its Recommended Minimum Standard for Developer Verification of code

Security Content

Increases security efforts and remediation, with built-in security standards such as FedRAMP, NIST and MITRE ATT&CK

Prioritization

Supports informed decision-making, prioritization and faster implementation

Industry Regulation

NIST Rev 5: Security and Privacy Controls for Information Systems and Organizations

This publication provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks.


Supply Chain Security

Threat Modeling the Supply Chain

Increased cybercrime, complex attacks across entire software and cloud supply chains, and more informed, ever-evolving cybercrime organizations keep businesses under threat. In particular, critical infrastructure is being targeted to maximize impact and potential damage. Executive Order 14028 establishes that the Federal Government must improve its efforts to identify, deter, protect against, detect, and respond to malicious cyber campaigns and their actors through bold changes and significant investments in cybersecurity.

Medical Devices Playbook

Playbook for Threat Modeling Medical Devices (with the FDA)

To increase adoption of threat modeling throughout the medical device ecosystem, the United States Food and Drug Administration (FDA) engaged with the Medical Device Innovation Consortium (MDIC), the MITRE Corporation and Adam Shostack & Associates to conduct threat modeling bootcamps. The resulting playbook discusses best practices for applying modern threat modeling techniques within the medical industry.


Secure Design at Scale (eBook)

Whether implementing threat modeling from scratch or scaling up an existing manual approach, learn how we enable collaboration across security and development teams and help avoid costly security design flaws.

Threat Modeling Connect

If you would like additional advice from others facing the same challenges, head over to Threat Modeling Connect, a global community where threat modeling practitioners collaborate, share, and grow. There you will find that conversations about secure software best practices have already begun.