Threat Modeling to aid Regulatory Compliance

Identify and remediate modern cyber threats and align to regulatory compliance or security frameworks. Choose IriusRisk's automated and intuitive threat modeling platform.

Why Threat Modeling, and why now?

Choosing not to threat model is no longer an option.

In May 2021, The White House and President Biden's administration issued an Executive Order (EO 14028) - Improving The Nation's Cybersecurity - stating that a top priority for the administration would be the prevention, detection, response and investigation of all information systems managed and controlled by all Government Agencies.

To implement the EO 14028, in February 2022, the National Institute of Science and Technology issued the Secure Software Development Framework guidance (currently at revision SSDF 1.1) and related Software Supply Chain Security Guidance.  The NIST SSDF states that you have to "Produce Well-Secured Software" under task PW.1.1. and that stipulates that you have to do threat modeling. PW.2.1. states that you have to review the software design for compliance. Find full details here.

Also in May 2022, the Office of Management and Budget (OMB) stated that all Federal Agencies and their relevant software suppliers must demonstrate compliance with SSDF 1.1.  Currently OMB is working with all Agencies and Suppliers towards that goal in order to secure their funding.

Other frameworks and standards.

NIST Secure Software Development Framework (SSDF) 1.1

Stated specifically within the guidelines under Control Ref SA-8, Section PW.1.1 - that some form of Risk Modeling (including Threat Modeling) must be done to assess the security risk for software and must comply with a variety of standards - including NIST CSF, IEC62443, ASVA, NIST 800-53 and many others.

Cybersecurity Act by Singapore's Cybersecurity Agency

Singapore’s 2018 Cybersecurity Act indirectly makes it a criminal offence not to perform cybersecurity risk assessments which include threat modelling, on computers and systems that have been designated by the Cybersecurity Agency (CSA) as Critical Information Infrastructure (CII).

FDA Playbook for Threat Modeling Medical Devices

To increase adoption of threat modeling throughout the medical device ecosystem, the United States Food and Drugs Administration (FDA) engaged with the Medical Device Innovation Consortium (MDIC), the MITRE Corporation and Adam Shostack & Associates to conduct threat modeling bootcamps. The resulting playbook discusses best practices for applying modern threat modeling techniques.

Mandates and legislation not isolated just to the United States or Europe.

Although the USA is arguably leading the way for others to follow, such as Europe, other geographies such as APAC, have passed laws on cybersecurity even before the publicised Executive order in 2021. The Republic of Singapore passed its Cybersecurity Act in March 2018. It indirectly makes it a criminal offence not to perform cybersecurity risk assessments - which include threat modeling.

Security frameworks, standards and mandates aren't just happening at different levels regionally, but they are developed for specific-industry needs too. For example, IEC 81001-5-1:2021 for health software and health IT systems safety, effectiveness and security — Part 5-1: Security — Activities in the product life cycle.

How can IriusRisk threat modeling support regulation efforts?

Supports compliance efforts with full audit trails and threat model history
Easy collaboration across teams, geographies and specialisms, to keep key stakeholders informed
Increases security remediation with built-in Security Standards such as FedRamp, NIST and Mitre ATT&CK
Informed decision-making, prioritizations and faster implementation

With IriusRisk's threat modeling tool, all Federal Agencies and relevant suppliers can take immediate action to align their cybersecurity practices with the principles and guidelines outlined in the NIST Cybersecurity Framework - SSDF 1.1.  The IriusRisk threat modeling tool can aid software vendors to comply with multiple requirements detailed within NIST’s Secure Software Development Framework (SSDF).

Our comprehensive Security Libraries identify vulnerabilities and provide specific recommendations on countermeasures with many of the standards and requirements as specified in SSDF 1.1 PW tasks.