Why Threat Modeling, and why now?
Choosing not to threat model is no longer an option.
In May 2021, The White House and President Biden's administration issued an Executive Order (EO 14028) - Improving The Nation's Cybersecurity - stating that a top priority for the administration would be the prevention, detection, response and investigation of all information systems managed and controlled by all Government Agencies.
To implement the EO 14028, in February 2022, the National Institute of Science and Technology issued the Secure Software Development Framework guidance (currently at revision SSDF 1.1) and related Software Supply Chain Security Guidance. The NIST SSDF states that you have to "Produce Well-Secured Software" under task PW.1.1. and that stipulates that you have to do threat modeling. PW.2.1. states that you have to review the software design for compliance. Find full details here.
Also in May 2022, the Office of Management and Budget (OMB) stated that all Federal Agencies and their relevant software suppliers must demonstrate compliance with SSDF 1.1. Currently OMB is working with all Agencies and Suppliers towards that goal in order to secure their funding.
Other frameworks and standards
NIST Secure Software Development Framework (SSDF) 1.1
Stated specifically within the guidelines under Control Ref SA-8, Section PW.1.1 - that some form of Risk Modeling (including Threat Modeling) must be done to assess the security risk for software and must comply with a variety of standards - including NIST CSF, IEC62443, ASVA, NIST 800-53 and many others.
Cybersecurity Act by Singapore's Cybersecurity Agency
Singapore’s 2018 Cybersecurity Act indirectly makes it a criminal offence not to perform cybersecurity risk assessments which include threat modelling, on computers and systems that have been designated by the Cybersecurity Agency (CSA) as Critical Information Infrastructure (CII).
FDA Playbook for Threat Modeling Medical Devices
To increase adoption of threat modeling throughout the medical device ecosystem, the United States Food and Drugs Administration (FDA) engaged with the Medical Device Innovation Consortium (MDIC), the MITRE Corporation and Adam Shostack & Associates to conduct threat modeling bootcamps. The resulting playbook discusses best practices for applying modern threat modeling techniques.
Mandates and legislation not isolated just to the United States or Europe
Although the USA is arguably leading the way for others to follow, such as Europe, other geographies such as APAC, have passed laws on cybersecurity even before the publicised Executive order in 2021. The Republic of Singapore passed its Cybersecurity Act in March 2018. It indirectly makes it a criminal offence not to perform cybersecurity risk assessments - which include threat modeling.
Security frameworks, standards and mandates aren't just happening at different levels regionally, but they are developed for specific-industry needs too. For example, IEC 81001-5-1:2021 for health software and health IT systems safety, effectiveness and security — Part 5-1: Security — Activities in the product life cycle.
How can IriusRisk threat modeling support regulation efforts?
With IriusRisk's threat modeling tool, all Federal Agencies and relevant suppliers can take immediate action to align their cybersecurity practices with the principles and guidelines outlined in the NIST Cybersecurity Framework - SSDF 1.1. The IriusRisk threat modeling tool can aid software vendors to comply with multiple requirements detailed within NIST’s Secure Software Development Framework (SSDF).
IriusRisk's comprehensive Security Libraries identify vulnerabilities and provide specific recommendations on countermeasures with many of the standards and requirements as specified in SSDF 1.1 PW tasks.
Supports compliance efforts with full audit trails and threat model history
Easy collaboration across teams, geographies and specialisms, to keep key stakeholders informed
Increase security remediation with built-in Security Standards such as FedRamp, NIST and Mitre ATT&CK
Informed decision-making, prioritizations and faster implementation
Security Content Libraries
Ensure your security and standard requirements are met with our comprehensive Content Library for regulatory, industry and operational best practices.
IriusRisk Threat Modeling Tool
Learn more about our product features and see how threat modeling can benefit Developers, Security Champions, CISOs and GRC Specialists.
Forrester Total Economic Impact™ Study
In this study commissioned by IriusRisk, Forrester evaluates the Total Economic Impact™ of our industry-leading automated threat modeling platform for Secure Design. Download your copy to discover how our threat modeling can:
- Return 203% ROI in efficiency over manual modeling
- Save you $5m in software remediation costs
- Save $4m in reporting and compliance
- Reduce time to threat model from 80 hours to only 8 hours