Threat Modeling

Threat modeling is a structured approach to identifying and prioritizing potential threats to your systems by analyzing your architecture, identifying assets worth protecting, enumerating potential attack vectors, and determining which threats pose the greatest risk. Common methodologies include STRIDE, PASTA, and attack trees.

Threat modeling should be performed during system design and updated when the system or threat landscape changes. It provides the analytical foundation for security architecture decisions — helping you focus your defenses on the threats most relevant to your specific environment and data.

Why It Matters

While not a specific CMMC checklist item, threat modeling supports the risk assessment requirements and helps you make informed decisions about where to invest your security resources. Understanding your threats helps you implement controls that actually address your specific risks.
