cms-gov/security.cms.gov/learn/threat-modeling
2025-02-28 14:41:14 -05:00


<!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="preload" as="image" href="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg" fetchPriority="high"/><link rel="stylesheet" href="/_next/static/css/ef46db3751d8e999.css" data-precedence="next"/><link rel="stylesheet" href="/_next/static/css/0759e90f4fecfde7.css" data-precedence="next"/><link rel="preload" as="script" fetchPriority="low" href="/_next/static/chunks/webpack-182b67d00f496f9d.js"/><script src="/_next/static/chunks/fd9d1056-ad09c71b7719f2fb.js" async=""></script><script src="/_next/static/chunks/23-260042deb5df7a88.js" async=""></script><script src="/_next/static/chunks/main-app-6de3c3100b91a0a9.js" async=""></script><script src="/_next/static/chunks/30-49b1c1429d73281d.js" async=""></script><script src="/_next/static/chunks/317-0f87feacc1712b2f.js" async=""></script><script src="/_next/static/chunks/223-bc9ed43510898bbb.js" async=""></script><script src="/_next/static/chunks/app/layout-9fc24027bc047aa2.js" async=""></script><script src="/_next/static/chunks/972-6e520d137ef194fb.js" async=""></script><script src="/_next/static/chunks/app/page-cc829e051925e906.js" async=""></script><script src="/_next/static/chunks/app/template-d264bab5e3061841.js" async=""></script><script src="/_next/static/chunks/e37a0b60-b74be3d42787b18d.js" async=""></script><script src="/_next/static/chunks/904-dbddf7494c3e6975.js" async=""></script><script src="/_next/static/chunks/549-c87c1c3bbacc319f.js" async=""></script><script src="/_next/static/chunks/app/learn/%5Bslug%5D/page-5b91cdc45a95ebbe.js" async=""></script><link rel="preload" href="/assets/javascript/uswds-init.min.js" as="script"/><link rel="preload" href="/assets/javascript/uswds.min.js" as="script"/><title>Threat Modeling | CMS Information Security &amp; Privacy Group</title><meta name="description" content="Design practices that facilitate secure software development through 
organization and collaboration "/><link rel="canonical" href="https://security.cms.gov/learn/threat-modeling"/><meta name="google-site-verification" content="GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M"/><meta property="og:title" content="Threat Modeling | CMS Information Security &amp; Privacy Group"/><meta property="og:description" content="Design practices that facilitate secure software development through organization and collaboration "/><meta property="og:url" content="https://security.cms.gov/learn/threat-modeling"/><meta property="og:image:type" content="image/jpeg"/><meta property="og:image:width" content="1200"/><meta property="og:image:height" content="630"/><meta property="og:image" content="https://security.cms.gov/learn/threat-modeling/opengraph-image.jpg?d21225707c5ed280"/><meta property="og:type" content="website"/><meta name="twitter:card" content="summary_large_image"/><meta name="twitter:title" content="Threat Modeling | CMS Information Security &amp; Privacy Group"/><meta name="twitter:description" content="Design practices that facilitate secure software development through organization and collaboration "/><meta name="twitter:image:type" content="image/jpeg"/><meta name="twitter:image:width" content="1200"/><meta name="twitter:image:height" content="630"/><meta name="twitter:image" content="https://security.cms.gov/learn/threat-modeling/opengraph-image.jpg?d21225707c5ed280"/><link rel="icon" href="/favicon.ico" type="image/x-icon" sizes="48x48"/><script>(self.__next_s=self.__next_s||[]).push(["/assets/javascript/uswds-init.min.js",{}])</script><script src="/_next/static/chunks/polyfills-78c92fac7aa8fdd8.js" noModule=""></script></head><body><a class="usa-skipnav" href="#main">Skip to main content</a><section class="usa-banner" aria-label="Official website of the United States government"><div class="usa-accordion"><header class="usa-banner__header"><div class="usa-banner__inner"><div class="grid-col-auto"><img aria-hidden="true" alt="" 
loading="lazy" width="16" height="11" decoding="async" data-nimg="1" class="usa-banner__header-flag" style="color:transparent" srcSet="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&amp;w=16&amp;q=75 1x, /_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&amp;w=32&amp;q=75 2x" src="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&amp;w=32&amp;q=75"/></div><div class="grid-col-fill tablet:grid-col-auto" aria-hidden="true"><p class="usa-banner__header-text">An official website of the United States government</p><p class="usa-banner__header-action">Here&#x27;s how you know</p></div><button type="button" class="usa-accordion__button usa-banner__button" aria-expanded="false" aria-controls="gov-banner-default-default"><span class="usa-banner__button-text">Here&#x27;s how you know</span></button></div></header><div class="usa-banner__content usa-accordion__content" id="gov-banner-default-default" hidden=""><div class="grid-row grid-gap-lg"><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" style="color:transparent" src="/_next/static/media/icon-dot-gov.3e9cb1b5.svg"/><div class="usa-media-block__body"><p><strong>Official websites use .gov</strong><br/>A <strong>.gov</strong> website belongs to an official government organization in the United States.</p></div></div><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" style="color:transparent" src="/_next/static/media/icon-https.e7f1a222.svg"/><div class="usa-media-block__body"><p><strong>Secure .gov websites use HTTPS</strong><br/>A <strong>lock</strong> (<span class="icon-lock"><svg xmlns="http://www.w3.org/2000/svg" width="52" height="64" viewBox="0 0 52 64" class="usa-banner__lock-image" role="img" 
aria-labelledby="banner-lock-description-default" focusable="false"><title id="banner-lock-title-default">Lock</title><desc id="banner-lock-description-default">Locked padlock icon</desc><path fill="#000000" fill-rule="evenodd" d="M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z"></path></svg></span>) or <strong>https://</strong> means you&#x27;ve safely connected to the .gov website. Share sensitive information only on official, secure websites.</p></div></div></div></div></div></section><div class="usa-overlay"></div><header class="usa-header usa-header--extended"><div class="bg-primary-dark"><div class="usa-navbar"><div class="usa-logo padding-y-4 padding-right-3" id="CyberGeek-logo"><a title="CMS CyberGeek Home" href="/"><img alt="CyberGeek logo" fetchPriority="high" width="298" height="35" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg"/></a></div><button aria-label="Open menu" type="button" class="usa-menu-btn" data-cy="menu-button">Menu</button></div></div><nav aria-label="Primary navigation" class="usa-nav padding-0 desktop:width-auto bg-white grid-container float-none"><div class="usa-nav__inner"><button type="button" class="usa-nav__close margin-0"><img alt="Close" loading="lazy" width="24" height="24" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/close.1fafc2aa.svg"/></button><ul class="usa-nav__primary usa-accordion"><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="roles"><span>Roles</span></button><ul id="roles" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col 
text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Roles</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/information-system-security-officer-isso">Information System Security Officer (ISSO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook"><span>ISSO Handbook</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos"><span>Getting started (for new ISSOs)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-mentorship-program"><span>ISSO Mentorship Program</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#training"><span>ISSO Training</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/data-guardian">Data Guardian</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/data-guardian-handbook"><span>Data Guardian Handbook</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cyber-risk-advisor-cra">Cyber Risk Advisor (CRA)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy Handbooks</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters"><span>Risk Management 
Handbook (RMH)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/business-system-owner">Business / System Owner (BO/SO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity and Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-service"><span>ISSO As A Service</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="compliance-authorization"><span>Compliance &amp; Authorization</span></button><ul id="compliance-authorization" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Compliance &amp; Authorization</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/learn/authorization-operate-ato">Authorization to Operate (ATO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato"><span>About ATO at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" 
href="/learn/authorization-operate-ato#types-of-authorizations"><span>Types of authorizations</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#ato-stakeholders"><span>ATO stakeholders</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#related-documents-and-resources"><span>ATO tools and resources</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-technical-reference-architecture-tra"><span>CMS Technical Reference Architecture (TRA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/learn/ongoing-authorization-oa">Ongoing Authorization (OA)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa"><span>About OA at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa"><span>OA eligibility requirements</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Assessments &amp; Audits</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" 
href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/security-impact-analysis-sia"><span>Security Impact Analysis (SIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-audits"><span>System Audits</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="policy-guidance"><span>Policy &amp; Guidance</span></button><ul id="policy-guidance" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Policy &amp; Guidance</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cms-policies-and-guidance">CMS Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-acceptable-risk-safeguards-ars"><span>CMS Acceptable Risk Safeguards (ARS)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-systems-security-privacy-policy-is2p2"><span>CMS Information Security and Privacy Policy (IS2P2)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy Handbooks</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/cms-risk-management-framework-rmf"><span>CMS Risk Management Framework (RMF)</span></a></li><li 
class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/email-encryption-requirements-cms"><span>CMS Email Encryption</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/federal-policies-and-guidance">Federal Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/national-institute-standards-and-technology-nist"><span>National Institute of Standards and Technology (NIST)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/federal-information-security-modernization-act-fisma"><span>Federal Information Security Modernization Act (FISMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/fedramp"><span>Federal Risk and Authorization Management Program (FedRAMP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="system-security"><span>System Security</span></button><ul id="system-security" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">System Security</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/application-security">Application Security</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/threat-modeling"><span>Threat 
Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/software-bill-materials-sbom"><span>Software Bill of Materials (SBOM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/security-operations">Security Operations</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir"><span>Incident Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/risk-management-and-reporting">Risk Management and Reporting</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cyber-risk-reports"><span>Cyber Risk Reports</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/plan-action-and-milestones-poam"><span>Plan of Action and Milestones (POA&amp;M)</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" 
class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="privacy"><span>Privacy</span></button><ul id="privacy" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Privacy</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Agreements</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Activities</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/breach-response"><span>Breach Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-records-notice-sorn"><span>System of Records Notice (SORN)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Resources</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/ispg/privacy"><span>Privacy at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" 
href="/policy-guidance/cms-breach-response-handbook"><span>CMS Breach Response Handbook</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/health-insurance-portability-and-accountability-act-1996-hipaa"><span>Health Insurance Portability and Accountability Act (HIPAA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-privacy-impact-assessment-pia-handbook"><span>CMS Privacy Impact Assessment (PIA) Handbook</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="tools-services"><span>Tools &amp; Services</span></button><ul id="tools-services" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Tools &amp; Services</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Reporting &amp; Compliance</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/isso-service"><span>ISSO As A Service</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-fisma-continuous-tracking-system-cfacts"><span>CFACTS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cyber-risk-reports"><span>Cyber Risk Reports and Dashboards</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li></ul></section></div><div 
class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">System Security</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/threat-modeling"><span>Threat Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/cms-security-data-lake-sdl"><span>CMS Security Data Lake (SDL)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Tests &amp; Assessments</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li></ul></section></div></li></ul></li></ul><div class="usa-nav__secondary padding-left-2"><section aria-label="Header search box"><form class="usa-search usa-search--small" role="search" action="/search"><label class="usa-sr-only" for="header-search-box">Search</label><input class="usa-input search__input" id="header-search-box" type="search" name="ispg[query]"/><button aria-label="header search box button" class="usa-button" id="header-search-box-btn" type="submit"><svg aria-describedby="searchIcon" class="usa-icon" 
aria-hidden="true" focusable="false" role="img"><title id="searchIcon">Search</title><use href="/assets/img/sprite.svg#search"></use></svg></button></form></section></div></div></nav></header><main id="main"><div id="template"><!--$--><!--/$--><section class="hero hero--theme-explainer undefined"><div class="maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7"><div class="tablet:grid-container position-relative "><div class="hero__row grid-row grid-gap"><div class="tablet:grid-col-5 widescreen:position-relative"></div><div class="hero__column tablet:grid-col-7 flow padding-bottom-2"><h1 class="hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2">Threat Modeling</h1><p class="hero__description">Design practices that facilitate secure software development through organization and collaboration </p><div class="hero__meta radius-lg padding-x-2 padding-y-1 bg-white font-sans-2xs line-height-sans-5 display-inline-block text-primary-darker">Contact: <span class="text-bold">CMS Threat Modeling Team</span><span class="hidden-mobile"> | </span><span class="break-mobile"><a href="mailto:ThreatModeling@cms.hhs.gov">ThreatModeling@cms.hhs.gov</a></span></div></div><div class="tablet:position-absolute tablet:top-0"><div class="[ flow ] bg-primary-light radius-lg padding-2 text-base-darkest maxw-mobile"><div class="display-flex flex-align-center font-sans-lg margin-bottom-2 text-italic desktop:text-no-wrap"><img alt="slack logo" loading="lazy" width="21" height="21" decoding="async" data-nimg="1" class="display-inline margin-right-1" style="color:transparent" src="/_next/static/media/slackLogo.f5836093.svg"/>CMS Slack Channel</div><ul class="add-list-reset"><li class="line-height-sans-5 margin-top-0">#cms-threat-modeling</li></ul></div></div></div></div></div></section><div class="grid-container"><div class="grid-row grid-gap margin-top-5"><div class="tablet:grid-col-4"><nav class="table-of-contents 
overflow-y-auto overflow-x-hidden position-sticky top-3 padding-1 radius-lg shadow-2 display-none tablet:display-block" aria-label="Table of contents"><div class="text-uppercase text-bold border-bottom border-base-lighter padding-bottom-1">Table of Contents</div><p class="text-italic text-base font-sans-xs">No table of content entries to display.</p></nav></div><div class="tablet:grid-col-8 content"><section><div class="text-block text-block--theme-explainer"><h2>What is Threat Modeling?</h2><p>Threat modeling is a way of thinking about potential risks and vulnerabilities in a system or application to identify and address them proactively. It involves a development team and key stakeholders working together to analyze how an attacker might try to exploit weaknesses in the system, and then determining steps to mitigate those risks.</p><p><em>“Threat modeling is a structured activity for identifying, evaluating, and managing system threats, architectural design flaws, and recommended security mitigations.”</em><br>(Ref:&nbsp;<a href="https://owaspsamm.org/model/design/threat-assessment/stream-b/">OWASP SAMM</a>)</p><p>At CMS, we use threat modeling to help identify potential weaknesses that could be exploited by malicious actors. The&nbsp;<strong>CMS Threat Modeling Team&nbsp;</strong>works with Application Development Organizations (ADOs) and system teams to analyze their system's components, understand how they interact, and envision how an attacker might exploit vulnerabilities. 
This important work allows system/business owners, ISSOs, and developers to implement appropriate security measures such as encryption, access controls, or regular software updates to reduce the chances of a successful attack and protect sensitive information.</p></div><section class="callout callout--type-explainer [ flow ] font-size-md radius-lg line-height-sans-5"><h1 class="callout__header text-bold font-sans-lg"><svg class="usa-icon" aria-hidden="true" focusable="false" role="img"><use href="/assets/img/sprite.svg#info_outline"></use></svg>Want to dive into Threat Modeling? </h1><p>Learn more about the process by reading the CMS Threat Modeling Handbook.</p><p><a href="/policy-guidance/threat-modeling-handbook">Take me to the handbook!</a></p></section><div class="text-block text-block--theme-explainer"><h2>What are the benefits of Threat Modeling?</h2><p>At CMS, threat modeling is used to support CMS system security and continuous monitoring efforts by advancing the following goals:&nbsp;</p><ul><li>Detecting problems early in the software development life cycle (SDLC)</li><li>Identifying system security requirements&nbsp;</li><li>Creating a structured plan to address both system requirements and deficiencies</li><li>Evaluating attacks on CMS systems that teams might not have considered, even security issues unique to your system</li><li>Staying one step ahead of attackers</li><li>Getting inside the minds of threat agents and their motivations, skills, and capabilities&nbsp;</li><li>Serving as a resource for CMS <a href="https://security.cms.gov/learn/penetration-testing">Penetration Testing</a> and <a href="https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-6-contingency-planning-cp">Contingency Planning</a>&nbsp; activities&nbsp;</li></ul><h2>Getting started with Threat Modeling</h2><p dir="ltr">The&nbsp;<strong>CMS Threat Modeling Team</strong> recommends system teams start the threat modeling process&nbsp;<em>before&nbsp;</em>they 
complete their required&nbsp;<a href="https://security.cms.gov/learn/penetration-testing">Penetration Testing</a> or as part of their&nbsp;<a href="https://security.cms.gov/learn/authorization-operate-ato#types-of-authorizations">Ongoing Authorization</a> efforts.&nbsp;</p><p>The&nbsp;<strong>CMS Threat Modeling Team</strong> is ready to help you onboard your system and start your threat model. Just follow these steps to get started:</p></div><div><ol class="usa-process-list"><li class="usa-process-list__item"><h4 class="usa-process-list__heading">Read the Threat Modeling Handbook </h4><div class="margin-top-05 usa-process-list__description"><p>Learn about the process of threat modeling to decide when the right time is to engage with the&nbsp;<strong>CMS Threat Modeling Team&nbsp;</strong>based on your system's current compliance and authorization schedule.</p><p>&nbsp;</p></div></li><li class="usa-process-list__item"><h4 class="usa-process-list__heading">Fill out the Threat Modeling intake form</h4><div class="margin-top-05 usa-process-list__description"><p>Please complete the&nbsp;<a href="https://forms.office.com/g/3jfhwGyHdQ">Threat Modeling Intake Form</a>. The&nbsp;<strong>CMS Threat Modeling Team</strong> will use the answers you provide in this questionnaire to help inform future planning sessions.</p></div></li><li class="usa-process-list__item"><h4 class="usa-process-list__heading">Meet with the CMS Threat Modeling Team</h4><div class="margin-top-05 usa-process-list__description"><p>To start things off, facilitators from the&nbsp;<strong>CMS Threat Modeling Team</strong> will meet with the system/business owner, ISSO, and up to 2 senior developers to talk about the process, time commitment, and outputs expected in future threat model sessions. 
This meeting takes about 30 minutes.</p><p>&nbsp;</p></div></li><li class="usa-process-list__item"><h4 class="usa-process-list__heading">Complete Threat Modeling sessions</h4><div class="margin-top-05 usa-process-list__description"><p>Depending on the complexity of your system or application, you can expect to have two to three threat modeling sessions in total. Each one- to two-hour session will focus on walking through a&nbsp;<a href="https://confluenceent.cms.gov/display/CTM/Getting+Started+with+Threat+Modeling#GettingStartedwithThreatModeling-STRIDEThreatModelingMethodology">Data Flow Diagram (DFD)</a>, identifying threats using STRIDE or other methods, and determining mitigations or countermeasures for the identified threats. We will work with you to determine whether the recommended mitigations are already in place or need to be implemented in the near future. We may also help you determine the level of risk to your system based on the potential impact of identified vulnerabilities.</p></div></li><li class="usa-process-list__item"><h4 class="usa-process-list__heading">Ongoing Threat Modeling</h4><div class="margin-top-05 usa-process-list__description"><p>Like other cybersecurity practices, threat modeling is most effective as an ongoing process for securing your system. Every application is unique, but we recommend reviewing and updating your threat model(s) at least annually, or as part of your change management process. 
The&nbsp;<strong>CMS Threat Modeling Team</strong> can help you design a schedule that makes the most sense for you and your system.</p></div></li></ol></div></section></div></div></div><div class="cg-cards grid-container"><h2 class="cg-cards__heading" id="related-documents-and-resources">Related documents and resources</h2><ul aria-label="cards" class="usa-card-group"><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/policy-guidance/threat-modeling-handbook">CMS Threat Modeling Handbook</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Information and resources for teams to help them initiate and complete their system threat model</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/cms-cloud-services">CMS Cloud Services</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Platform-as-a-Service with tools, security, and support services designed specifically for CMS</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/ongoing-authorization-oa">Ongoing Authorization (OA)</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Supporting the continuous compliance and safety of FISMA systems through proactive, ongoing monitoring activities</p></div></div></li></ul></div></div></main><footer class="usa-footer usa-footer--slim"><div 
class="grid-container"><div class="grid-row flex-align-end"><div class="grid-col"><div class="usa-footer__return-to-top"><a class="font-sans-xs" href="#">Return to top</a></div></div><div class="grid-col padding-bottom-2 padding-top-4 display-flex flex-justify-end"><a class="usa-button" href="/feedback">Give feedback</a></div></div></div><div class="usa-footer__primary-section"><div class="usa-footer__primary-container grid-row"><div class="tablet:grid-col-3"><a class="usa-footer__primary-link" href="/"><img alt="CyberGeek logo" loading="lazy" width="142" height="26" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg"/></a><p class="usa-footer__logo-heading display-none tablet-lg:display-block">The official website of the CMS Information Security and Privacy Group (ISPG)</p></div><div class="tablet:grid-col-12 tablet-lg:grid-col-9"><nav class="usa-footer__nav" aria-label="Footer navigation"><ul class="grid-row grid-gap"><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="/learn/about-ispg-cybergeek">What is CyberGeek?</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/privacy">Privacy policy</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/about-cms/information-systems/privacy/vulnerability-disclosure-policy">CMS Vulnerability Disclosure Policy</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/About-CMS/Agency-Information/Aboutwebsite/Policiesforaccessibility">Accessibility</a></li></ul></nav></div></div></div><div class="usa-footer__secondary-section"><div class="grid-container"><div class="usa-footer__logo grid-row grid-gap-2"><div 
class="mobile-lg:grid-col-3"><a href="https://www.cms.gov/"><img alt="CMS homepage" loading="lazy" width="124" height="29" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/cmsLogo.10a64ce4.svg"/></a></div><div class="mobile-lg:grid-col-7"><p class="font-sans-3xs line-height-sans-3">A federal government website managed and paid for by the U.S. Centers for Medicare &amp; Medicaid Services.</p><address class="font-sans-3xs line-height-sans-3">7500 Security Boulevard, Baltimore, MD 21244</address></div></div></div></div></footer><script>(self.__next_s=self.__next_s||[]).push(["/assets/javascript/uswds.min.js",{}])</script><script src="/_next/static/chunks/webpack-182b67d00f496f9d.js" async=""></script><script>(self.__next_f=self.__next_f||[]).push([0]);self.__next_f.push([2,null])</script><script>self.__next_f.push([1,"1:HL[\"/_next/static/css/ef46db3751d8e999.css\",\"style\"]\n2:HL[\"/_next/static/css/0759e90f4fecfde7.css\",\"style\"]\n"])</script><script>self.__next_f.push([1,"3:I[5751,[],\"\"]\n6:I[9275,[],\"\"]\n8:I[1343,[],\"\"]\nb:I[6130,[],\"\"]\n7:[\"slug\",\"threat-modeling\",\"d\"]\nc:[]\n0:[\"$\",\"$L3\",null,{\"buildId\":\"m9SaS4P6zugJbBHpXSk5Y\",\"assetPrefix\":\"\",\"urlParts\":[\"\",\"learn\",\"threat-modeling\"],\"initialTree\":[\"\",{\"children\":[\"learn\",{\"children\":[[\"slug\",\"threat-modeling\",\"d\"],{\"children\":[\"__PAGE__\",{}]}]}]},\"$undefined\",\"$undefined\",true],\"initialSeedData\":[\"\",{\"children\":[\"learn\",{\"children\":[[\"slug\",\"threat-modeling\",\"d\"],{\"children\":[\"__PAGE__\",{},[[\"$L4\",\"$L5\",null],null],null]},[null,[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\",\"learn\",\"children\",\"$7\",\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L8\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"notFoundStyles\":\"$
undefined\"}]],null]},[null,[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\",\"learn\",\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L8\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"notFoundStyles\":\"$undefined\"}]],null]},[[[[\"$\",\"link\",\"0\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/css/ef46db3751d8e999.css\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\"}],[\"$\",\"link\",\"1\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/css/0759e90f4fecfde7.css\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\"}]],\"$L9\"],null],null],\"couldBeIntercepted\":false,\"initialHead\":[null,\"$La\"],\"globalErrorComponent\":\"$b\",\"missingSlots\":\"$Wc\"}]\n"])</script><script>self.__next_f.push([1,"d:I[4080,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"\"]\ne:I[8173,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"Image\"]\nf:I[7529,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n11:I[231,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"\"]\n12:I[7303,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc2
4027bc047aa2.js\"],\"default\"]\n13:I[8521,[\"489\",\"static/chunks/app/template-d264bab5e3061841.js\"],\"default\"]\n14:I[5922,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"default\"]\n15:I[7182,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n16:I[4180,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"TealiumTagManager\"]\n10:Tdced,"])</script><script>self.__next_f.push([1,"{\"id\":\"mega-menu\",\"linkset\":{\"elements\":[{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new 
ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner 
(BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of 
authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 
Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards 
(ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act 
(FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security 
Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones 
(POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy 
Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A 
Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake 
(SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87},\"elements\":[{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new 
ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner 
(BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of 
authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 
Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards 
(ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act 
(FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security 
Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones 
(POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy 
Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A 
Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake 
(SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87,\"tree\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO 
Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy 
Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 
Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization 
(OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment 
You can\",\" \",[\"$\",\"$L11\",null,{\"href\":\"/\",\"children\":\"visit our home page\"}],\" or use the search box to find helpful resources.\"]]}],[\"$\",\"div\",null,{\"className\":\"margin-top-6 search-container\",\"children\":[\"$\",\"$L14\",null,{\"theme\":\"content-not-found\"}]}]]}],false]}],false,false]}]}]}]]}],\"notFoundStyles\":[]}]}],[\"$\",\"$L15\",null,{}],[\"$\",\"$L16\",null,{}],[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds.min.js\",\"strategy\":\"beforeInteractive\"}]]}]]}]\n"])</script><script>self.__next_f.push([1,"17:I[9461,[\"866\",\"static/chunks/e37a0b60-b74be3d42787b18d.js\",\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"904\",\"static/chunks/904-dbddf7494c3e6975.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"549\",\"static/chunks/549-c87c1c3bbacc319f.js\",\"192\",\"static/chunks/app/learn/%5Bslug%5D/page-5b91cdc45a95ebbe.js\"],\"default\"]\n18:T536,\u003ch2\u003e\u003cstrong\u003eWhat is Threat Modeling?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThreat modeling is a way of thinking about potential risks and vulnerabilities in a system or application to identify and address them proactively. It involves a development team and key stakeholders working together to analyze how an attacker might try to exploit weaknesses in the system, and then determining steps to mitigate those risks.\u003c/p\u003e\u003cp\u003e\u003cem\u003e“Threat modeling is a structured activity for identifying, evaluating, and managing system threats, architectural design flaws, and recommended security mitigations.”\u003c/em\u003e\u003cbr\u003e(Ref:\u0026nbsp;\u003ca href=\"https://owaspsamm.org/model/design/threat-assessment/stream-b/\"\u003eOWASP SAMM\u003c/a\u003e)\u003c/p\u003e\u003cp\u003eAt CMS, we use threat modeling to help identify potential weaknesses that could be exploited by malicious actors. 
The\u0026nbsp;\u003cstrong\u003eCMS Threat Modeling Team\u0026nbsp;\u003c/strong\u003eworks with Application Development Organizations (ADOs) and system teams to analyze their system's components, understand how they interact, and envision how an attacker might exploit vulnerabilities. This important work allows system/business owners, ISSOs, and developers to implement appropriate security measures such as encryption, access controls, or regular software updates to reduce the chances of a successful attack and protect sensitive information.\u003c/p\u003e19:T536,\u003ch2\u003e\u003cstrong\u003eWhat is Threat Modeling?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThreat modeling is a way of thinking about potential risks and vulnerabilities in a system or application to identify and address them proactively. It involves a development team and key stakeholders working together to analyze how an attacker might try to exploit weaknesses"])</script><script>self.__next_f.push([1," in the system, and then determining steps to mitigate those risks.\u003c/p\u003e\u003cp\u003e\u003cem\u003e“Threat modeling is a structured activity for identifying, evaluating, and managing system threats, architectural design flaws, and recommended security mitigations.”\u003c/em\u003e\u003cbr\u003e(Ref:\u0026nbsp;\u003ca href=\"https://owaspsamm.org/model/design/threat-assessment/stream-b/\"\u003eOWASP SAMM\u003c/a\u003e)\u003c/p\u003e\u003cp\u003eAt CMS, we use threat modeling to help identify potential weaknesses that could be exploited by malicious actors. The\u0026nbsp;\u003cstrong\u003eCMS Threat Modeling Team\u0026nbsp;\u003c/strong\u003eworks with Application Development Organizations (ADOs) and system teams to analyze their system's components, understand how they interact, and envision how an attacker might exploit vulnerabilities. 
This important work allows system/business owners, ISSOs, and developers to implement appropriate security measures such as encryption, access controls, or regular software updates to reduce the chances of a successful attack and protect sensitive information.\u003c/p\u003e1a:T6a4,\u003ch2\u003e\u003cstrong\u003eWhat are the benefits of Threat Modeling?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eAt CMS, threat modeling supports CMS system security and continuous monitoring efforts by advancing the following goals:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eDetecting problems early in the software development life cycle (SDLC)\u003c/li\u003e\u003cli\u003eIdentifying system security requirements\u0026nbsp;\u003c/li\u003e\u003cli\u003eCreating a structured plan to address both system requirements and deficiencies\u003c/li\u003e\u003cli\u003eEvaluating attacks on CMS systems that teams might not have considered, even security issues unique to your system\u003c/li\u003e\u003cli\u003eStaying one step ahead of attackers\u003c/li\u003e\u003cli\u003eGetting inside the minds of threat agents and their motivations, skills, and capabilities\u0026nbsp;\u003c/li\u003e\u003cli\u003eServing as a resource for CMS \u003ca href=\"https://security.cms.gov/learn/penetration-testing-pentesting\"\u003ePenetration Testing\u003c/a\u003e and \u003ca href=\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-6-contingency-planning-cp\"\u003eContingency Planning\u003c/a\u003e activities\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eGetting started with"])</script><script>self.__next_f.push([1," Threat Modeling\u003c/strong\u003e\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eThe\u0026nbsp;\u003cstrong\u003eCMS Threat Modeling Team\u003c/strong\u003e recommends system teams start the threat modeling process\u0026nbsp;\u003cem\u003ebefore\u0026nbsp;\u003c/em\u003ethey complete their required\u0026nbsp;\u003ca 
href=\"https://security.cms.gov/learn/penetration-testing-pentesting\"\u003ePenetration Testing\u003c/a\u003e or as part of their\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/authorization-operate-ato#types-of-authorizations\"\u003eOngoing Authorization\u003c/a\u003e efforts.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe\u0026nbsp;\u003cstrong\u003eCMS Threat Modeling Team\u003c/strong\u003e is ready to help you onboard your system and start your threat model. Just follow these easy steps to get started:\u003c/p\u003e1b:T6a4,\u003ch2\u003e\u003cstrong\u003eWhat are the benefits of Threat Modeling?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eAt CMS, threat modeling supports CMS system security and continuous monitoring efforts by advancing the following goals:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eDetecting problems early in the software development life cycle (SDLC)\u003c/li\u003e\u003cli\u003eIdentifying system security requirements\u0026nbsp;\u003c/li\u003e\u003cli\u003eCreating a structured plan to address both system requirements and deficiencies\u003c/li\u003e\u003cli\u003eEvaluating attacks on CMS systems that teams might not have considered, even security issues unique to your system\u003c/li\u003e\u003cli\u003eStaying one step ahead of attackers\u003c/li\u003e\u003cli\u003eGetting inside the minds of threat agents and their motivations, skills, and capabilities\u0026nbsp;\u003c/li\u003e\u003cli\u003eServing as a resource for CMS \u003ca href=\"https://security.cms.gov/learn/penetration-testing-pentesting\"\u003ePenetration Testing\u003c/a\u003e and \u003ca href=\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-6-contingency-planning-cp\"\u003eContingency Planning\u003c/a\u003e activities\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eGetting started with Threat Modeling\u003c/strong\u003e\u003c/h2\u003e\u003cp 
dir=\"ltr\"\u003eThe\u0026nbsp;\u003cstrong\u003eCMS Threat Modeling Team\u003c/strong\u003e recommends system teams start the threat modeling process\u0026nbsp;\u003cem\u003ebefore\u0026nbsp;\u003c/em\u003ethey complete their required\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/penetration-testing-pentesting\"\u003ePenetration Testing\u003c/a\u003e or as part of their\u0026nbsp;\u003c"])</script><script>self.__next_f.push([1,"a href=\"https://security.cms.gov/learn/authorization-operate-ato#types-of-authorizations\"\u003eOngoing Authorization\u003c/a\u003e efforts.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe\u0026nbsp;\u003cstrong\u003eCMS Threat Modeling Team\u003c/strong\u003e is ready to help you onboard your system and start your threat model. Just follow these easy steps to get started:\u003c/p\u003e1c:T9889,"])</script><script>self.__next_f.push([1,"\u003cp\u003e\u003cem\u003eDisclaimer: The information and resources in this document are directed at CMS internal teams and ADOs to help them initiate and complete threat model exercises. Although this document is publicly available, the context it includes (and the information it omits) is intended for a CMS-specific audience.\u0026nbsp;\u003c/em\u003e\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eWhat is Threat Modeling?\u003c/strong\u003e\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eThreat Modeling is a proactive, holistic approach to analyzing potential threats and risks in a system or application so that they can be identified and addressed early in the system's life cycle. It involves analyzing how an attacker might try to exploit weaknesses in the system and then taking steps to mitigate those risks. It enables informed decision-making about application security risks. 
In addition to producing a model diagram, the process also produces a prioritized list of security improvements to the conception, requirements gathering, design, or implementation of an application.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eAt CMS, we use threat modeling to help identify potential weaknesses that could be exploited by malicious actors. The \u003cstrong\u003eCMS Threat Modeling Team\u003c/strong\u003e works with System Teams to analyze their system's components, understand how they interact, and envision how an attacker might exploit vulnerabilities. This important work allows System/Business Owners, ISSOs, and Developers to implement appropriate security measures such as encryption, access controls, or regular software updates to reduce the chances of a successful attack and to protect sensitive information.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThreat Modeling complements end-phase security testing such as penetration testing rather than replacing it: it can be conducted at any time, but is ideally done early in the design phase of the Software Development Life Cycle (SDLC), when design flaws are cheapest to correct. Once completed, a threat model should be treated as a living document: update it as needed throughout the SDLC, and revisit it with each new feature, release, or significant change to the system's architecture or data flows. 
This practice promotes identifying and remediating threats, as well as continuously monitoring the effects of internal or external changes.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eWhat are the benefits of Threat Modeling?\u003c/strong\u003e\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eAt CMS, Threat Modeling supports CMS system security and continuous monitoring efforts by advancing the following goals:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eDetecting problems early in the software development life cycle (SDLC)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eIdentifying system security requirements\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eCreating a structured plan to address both system requirements and deficiencies\u003c/li\u003e\u003cli dir=\"ltr\"\u003eEvaluating attacks on CMS systems that teams might not have considered, even security issues unique to your system\u003c/li\u003e\u003cli dir=\"ltr\"\u003eStaying one step ahead of attackers\u003c/li\u003e\u003cli dir=\"ltr\"\u003eGetting inside the minds of threat agents and their motivations, skills, and capabilities\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eServing as a resource for CMS\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/penetration-testing-pentesting\"\u003ePenetration Testing\u003c/a\u003e and\u0026nbsp;\u003ca href=\"https://security.cms.gov/policy-guidance/cms-contingency-plan-exercise-handbook\"\u003eContingency Planning\u003c/a\u003e activities\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eThreat Modeling frameworks\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eTeams choosing to participate in Threat Modeling at CMS will have the option to work with the \u003cstrong\u003eCMS Threat Modeling Team\u003c/strong\u003e during a series of sessions. 
To successfully complete these sessions, the \u003cstrong\u003eCMS Threat Modeling Team\u003c/strong\u003e will use a number of proven frameworks, including:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://adam.shostack.org/\"\u003eAdam Shostack's\u003c/a\u003e Four-Question Frame for Threat Modeling\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.microsoft.com/security/blog/2007/09/11/stride-chart/\"\u003eSTRIDE Threat Model\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThese methods were chosen by the \u003cstrong\u003eCMS Threat Modeling Team\u003c/strong\u003e because they are expedient, reliable models that use industry-standard language and provide immediate value to CMS teams. Read on to learn about the specifics of these frameworks.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eFour-Question Frame for Threat Modeling\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAs your team embarks on its Threat Modeling journey, it's important that these four questions remain top-of-mind:\u003c/p\u003e\u003col\u003e\u003cli\u003eWhat are we working on?\u003c/li\u003e\u003cli\u003eWhat can go wrong?\u003c/li\u003e\u003cli\u003eWhat are we going to do about it?\u003c/li\u003e\u003cli\u003eDid we do a good enough job?\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eThese questions form the basis of the work that your team and the \u003cstrong\u003eCMS Threat Modeling Team\u003c/strong\u003e will complete together. In practice, the first question is answered by the model diagram, the second by a threat-enumeration method such as STRIDE (below), the third by the prioritized list of mitigations, and the fourth by reviewing the model against test results and revisiting it after each significant change. 
The questions are actionable and designed to quickly identify problems and solutions, which is the core purpose of Threat Modeling.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eThe STRIDE Model\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe \u003ca href=\"https://www.microsoft.com/security/blog/2007/09/11/stride-chart/\"\u003eSTRIDE\u003c/a\u003e Threat Modeling framework is a systematic approach used to identify and analyze potential security threats and vulnerabilities in software systems. It provides a structured methodology for understanding and addressing security risks during the design and development stages of a system.\u003c/p\u003e\u003cp\u003eThe acronym STRIDE stands for the six types of threats that the framework helps to identify, each paired with the security property it violates:\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth scope=\"col\"\u003eThreat type\u003c/th\u003e\u003cth scope=\"col\"\u003eProperty Violated\u003c/th\u003e\u003cth scope=\"col\"\u003eThreat Definition\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eS\u003c/strong\u003epoofing\u003c/td\u003e\u003ctd\u003eAuthentication\u003c/td\u003e\u003ctd\u003ePretending to be something or someone other than yourself\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eT\u003c/strong\u003eampering\u003c/td\u003e\u003ctd\u003eIntegrity\u003c/td\u003e\u003ctd\u003eModifying something on disk, network, memory, or elsewhere\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eR\u003c/strong\u003eepudiation\u003c/td\u003e\u003ctd\u003eNon-Repudiation\u003c/td\u003e\u003ctd\u003eClaiming that you didn't do something or were not responsible; can be honest or false\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eI\u003c/strong\u003enformation Disclosure\u003c/td\u003e\u003ctd\u003eConfidentiality\u003c/td\u003e\u003ctd\u003eProviding information to someone not authorized to access 
it\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eD\u003c/strong\u003eenial of service\u003c/td\u003e\u003ctd\u003eAvailability\u003c/td\u003e\u003ctd\u003eExhausting resources needed to provide service\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eE\u003c/strong\u003elevation of Privilege\u003c/td\u003e\u003ctd\u003eAuthorization\u003c/td\u003e\u003ctd\u003eAllowing someone to do something they are not authorized to do\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eMore information about using the STRIDE method to complete your Threat Modeling\u0026nbsp;Session can be found in section “How to create your Threat Model ”.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eOther Threat Modeling frameworks\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eApart from the STRIDE Threat Modeling framework, there are several other popular Threat Modeling frameworks commonly used in the field of software security. Here are a few notable ones:\u003c/p\u003e\u003ch4\u003e\u003ca href=\"https://versprite.com/blog/what-is-pasta-threat-modeling/\"\u003e\u003cstrong\u003ePASTA\u003c/strong\u003e\u003c/a\u003e\u003cstrong\u003e (Process for Attack Simulation and Threat Analysis)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003ePASTA is a risk-centric Threat Modeling\u0026nbsp;framework that focuses on the business impact of threats. 
It involves a seven-step iterative process, including defining the objectives, creating an application profile, identifying threats, assessing vulnerabilities, analyzing risks, defining countermeasures, and validating the results with active vulnerability or penetration testing.\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003ca href=\"https://linddun.org/\"\u003e\u003cstrong\u003eLINDDUN\u003c/strong\u003e\u003c/a\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eLINDDUN threat modeling is a comprehensive approach that extends beyond traditional security threat modeling by focusing explicitly on various aspects of privacy. It is particularly relevant in the development of systems where user data privacy is of utmost importance, such as in applications handling personal or sensitive information. Here's a breakdown of what LINDDUN stands for and how it is applied:\u003c/p\u003e\u003col\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eL\u003c/strong\u003einkability: This aspect evaluates whether an attacker can link two or more items of interest (such as messages, actions, individuals) in a way that the systems design did not intend. The goal is to prevent unauthorized linking of information to protect user privacy.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eI\u003c/strong\u003edentifiability: This examines the risk of identifying a subject (like a user) from the available data. The system should be designed to prevent unauthorized identification of users.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eN\u003c/strong\u003eon-repudiation: This component assesses the possibility that a user cannot deny an action they performed. While non-repudiation is often a security goal, in the context of privacy, it can be undesirable as it might lead to the exposure of a users actions.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eD\u003c/strong\u003eetectability: This refers to the ability of an attacker to determine that an item of interest exists. 
For privacy protection, certain information should not be detectable by unauthorized parties.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eD\u003c/strong\u003eisclosure of Information: This looks at the risk of exposing information to unauthorized entities. The goal is to ensure that confidential information remains private.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eU\u003c/strong\u003enawareness \u0026amp; Unintervenability: This considers whether users are unaware of the data processing practices, which might impact their privacy. Ensuring that users are informed and consenting to data processing is key to protecting privacy.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eN\u003c/strong\u003eon-compliance: This evaluates the risk of the system not complying with privacy policies and regulations. Ensuring compliance is crucial for legal and ethical reasons.\u003c/li\u003e\u003c/ol\u003e\u003ch4\u003e\u003ca href=\"https://infosec.mozilla.org/guidelines/risk/rapid_risk_assessment.html\"\u003e\u003cstrong\u003eMozilla's Rapid Risk Assessment (RRA)\u003c/strong\u003e\u003c/a\u003e\u003c/h4\u003e\u003cp\u003eRRA is designed to quickly identify and prioritize security risks in software projects, allowing teams to allocate their resources effectively. It aims to be a lightweight and agile approach to risk assessment.\u003c/p\u003e\u003cp\u003eThese are just a few examples of additional Threat Modeling frameworks. Each framework has its strengths and focuses on different aspects of Threat Modeling, but they all aim to identify and address potential security risks effectively. 
It may be beneficial for your team to review these frameworks as you start your own threat model.\u0026nbsp;\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eSupplemental frameworks and tools\u003c/strong\u003e\u003c/h3\u003e\u003ch4 dir=\"ltr\"\u003e\u003ca href=\"https://nvd.nist.gov/vuln-metrics/cvss#:~:text=The%20Common%20Vulnerability%20Scoring%20System,Base%2C%20Temporal%2C%20and%20Environmental.\"\u003e\u003cstrong\u003eCVSS\u003c/strong\u003e\u003c/a\u003e\u003cstrong\u003e (Common Vulnerability Scoring System)\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eCVSS is a vulnerability severity classification system which identifies metrics around the ease-of-exploitation and privilege levels required to exploit a CVE. It is not a method of threat modeling or tracking risk. It is used to advise on remediation cadence and urgency. Once a threat is identified, its associated vulnerability can receive a CVSS score from Critical, High, Medium, Low, or Informational to guide prioritization.\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003ca href=\"https://attack.mitre.org/matrices/enterprise/\"\u003e\u003cstrong\u003eMITRE ATT\u0026amp;CK\u003c/strong\u003e\u003c/a\u003e\u003cstrong\u003e (Adversary's Tactics, Techniques and Common Knowledge)\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eATT\u0026amp;CK is not a threat modeling methodology per se but can be used in conjunction with other threat modeling frameworks. ATT\u0026amp;CK is a collection of tactics, techniques, and procedures (TTPs) which enumerate the exploitation and post-exploitation actions threat actors can take against vulnerabilities. Unlike CVE, which classifies individual vulnerabilities, ATT\u0026amp;CK is a repository of steps an adversary can chain together; taken as a whole, those steps create a Kill Chain, or successful attack. It is a good tool for referencing attack actions in the same manner across technical and non-technical departments. 
It can be used with threat modeling once threats have been identified to associate the attack actions with the identified threat. ATT\u0026amp;CK is not a compliance framework.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eMany tools and frameworks exist that support threat modeling activities or which can be mapped to a threat modeling methodology such as STRIDE but these should not be relied upon in isolation from other methods.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eThreat Modeling tools\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe tools needed for Threat Modeling can be as simple as using a Whiteboard to brainstorm ideas and a method to record threats and mitigations (paper, a photo of a diagram, etc.). At CMS, the \u003cstrong\u003eCMS Threat Modeling\u0026nbsp;Team\u003c/strong\u003e uses the following tools to communicate with teams and record ideas and information:\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eMural (for drawing DFD diagrams)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eTeams primarily use \u003ca href=\"https://www.mural.co/\"\u003eMural\u003c/a\u003e as a digital whiteboard for drawing Data Flow Diagrams (DFDs). 
You can sign up for a Mural space to complete this work by contacting the \u003ca href=\"mailto:cmscollabtools@cms.hhs.gov\"\u003eCMS Cloud Team\u003c/a\u003e (CMS email account required).\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eNOTE: \u003c/strong\u003eSome other drawing tools may be alternatively used such as \u003ca href=\"https://app.diagrams.net\"\u003eapp.diagrams.net\u003c/a\u003e (formerly Draw.io), \u003ca href=\"https://www.lucidchart.com/\"\u003eLucidchart\u003c/a\u003e, etc.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS Confluence (for recording threats)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eTeams use \u003ca href=\"https://confluenceent.cms.gov/display/CTM/\"\u003eConfluence\u003c/a\u003e to fill out their \u003ca href=\"https://confluenceent.cms.gov/display/CTM/Template+Threat+Model\"\u003eThreat Model Template\u003c/a\u003e in a space that is protected and safe from outside users.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eZoom (for team collaboration)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe \u003cstrong\u003eCMS Threat Modeling\u0026nbsp;Team\u003c/strong\u003e will use \u003ca href=\"https://cms.zoomgov.com/\"\u003eZoom\u003c/a\u003e to collaborate with other team members on a Threat Model. 
Threat Modeling sessions are recorded so that all artifacts can be transferred to other systems of record.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eYouTube (for additional training)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eYour team is encouraged to review the \u003ca href=\"https://www.youtube.com/playlist?list=PLyEaxwXtHzLl_X1RFAjLk1klaa7g_Ab3A\"\u003eCMS CASP Threat Modeling playlist\u003c/a\u003e on CMS YouTube channel before you start your Threat Model.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cem\u003eAdditional or alternative tools may be added in the future to further help CMS ADO Teams with creating and maintaining Threat Models.\u003c/em\u003e\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eSupplemental Threat Modeling tools\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eAs a reference, here are some other threat modeling tools in the industry that may be considered in the future for use at CMS:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eFree Tools:\u003c/strong\u003e\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003ca href=\"https://www.threatdragon.com/\"\u003e\u003cstrong\u003eOWASP Threat Dragon\u003c/strong\u003e\u003c/a\u003e\u003c/h3\u003e\u003cp\u003eThe OWASP Threat Dragon is a free, open-source, cross-platform application for creating threat models. Use it to draw threat modeling diagrams and to identify threats for your system. With an emphasis on flexibility and simplicity it is easily accessible for all types of users.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003ca href=\"https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool\"\u003e\u003cstrong\u003eMicrosoft Threat Modeling Tool\u003c/strong\u003e\u003c/a\u003e\u003c/h3\u003e\u003cp\u003eThe Threat Modeling Tool is a core element of the Microsoft Security Development Lifecycle (SDL). It allows software architects to identify and mitigate potential security issues early, when they are relatively easy and cost-effective to resolve. 
As a result, it greatly reduces the total cost of development. Also, the tool is designed with non-security experts in mind, making threat modeling easier for all developers by providing clear guidance on creating and analyzing threat models.\u003cbr\u003e\u003cstrong\u003eNOTE: \u003c/strong\u003eThe Microsoft Threat Modeling Tool is a desktop-only tool that can be installed on Microsoft operating systems only.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePaid Tools (requires paid / annual license(s) for usage):\u003c/strong\u003e\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003ca href=\"https://www.iriusrisk.com/\"\u003e\u003cstrong\u003eIriusRisk\u003c/strong\u003e\u003c/a\u003e\u003c/h3\u003e\u003cp\u003eIriusRisk is an open Threat Modeling platform that automates and supports creating threat models at design time. The threat model includes recommendations on how to address the risk. IriusRisk then enables the user to manage security risks throughout the rest of the software development lifecycle (SDLC) with best-in-class architectural diagramming and full customization to enable every stakeholder to collaborate.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003ca href=\"https://threatmodeler.com/\"\u003e\u003cstrong\u003eThreatModeler\u003c/strong\u003e\u003c/a\u003e\u003c/h3\u003e\u003cp\u003eOur patented technology enables intuitive, automated, collaborative threat modeling and integrates directly into every component of your DevSecOps tool chain, automating the “Sec” in DevSecOps from design to code to cloud at scale. ThreatModelers SaaS platform ensures secure and compliant applications, infrastructure, and cloud assets in design, saving millions in incident response costs, remediation costs and regulatory fines. It is trusted by software, security and cloud architects, engineers, and developers at companies across the world. 
Founded in 2010, ThreatModeler is headquartered in Jersey City, NJ.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003ca href=\"https://devici.com/\"\u003e\u003cstrong\u003eDevici\u003c/strong\u003e\u003c/a\u003e\u003c/h3\u003e\u003cp\u003eWelcome to Devici, where secure design is driven by threat modeling from the inception of every project. Imagine a platform that allows you to integrate security into your software's blueprint. That's the essence of Secure by Design, and we make it attainable for teams of any size. We're not just a threat modeling tool; we're a movement that embraces the craftsmanship required for secure software development. Our name draws inspiration from the genius of Leonardo Da Vinci, who saw the intricate connections between art and science, much like our approach to crafting secure and private software. Just as Da Vinci meticulously studied anatomy, engineering, and more to improve his art, we empower developers and engineers to delve deep into the design of their software, uncovering potential security and privacy threats. We help implement secure by design foundations.\u003cbr\u003e\u0026nbsp;\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eHow to create your Threat Model\u0026nbsp;\u003c/strong\u003e\u003c/h2\u003e\u003ch3\u003e\u003cstrong\u003eRead the Threat Modeling Handbook\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eLearn about the process of Threat Modeling to decide when the right time is to engage with the \u003cstrong\u003eCMS Threat Modeling\u0026nbsp;Team\u003c/strong\u003e based on your systems current compliance and authorization schedule.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eFill out the Threat Modeling intake form\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003ePlease complete the \u003ca href=\"https://forms.office.com/g/3jfhwGyHdQ\"\u003eThreat Modeling\u0026nbsp;Intake Form\u003c/a\u003e. 
The \u003cstrong\u003eCMS Threat Modeling\u0026nbsp;Team\u003c/strong\u003e will use the answers you provide in this questionnaire to help inform future planning sessions.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eMeet with the CMS Threat Modeling Team\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eTo start things off, facilitators from the \u003cstrong\u003eCMS Threat Modeling\u0026nbsp;Team\u003c/strong\u003e will meet with the System/Business Owner, ISSO, and up to two Senior Developers to talk about the process, time commitment, and outputs expected in future Threat Model Sessions.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eGather system information\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eYour team should gather and document high level system information, including:\u003c/p\u003e\u003cul\u003e\u003cli\u003eSystem name\u003c/li\u003e\u003cli\u003eSystem description\u003c/li\u003e\u003cli\u003eTypes or sensitivity of data\u003c/li\u003e\u003cli\u003eScope and external interactions\u003c/li\u003e\u003cli\u003ePrimary workflows (use cases)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThis information will help the \u003cstrong\u003eCMS Threat Modeling\u0026nbsp;Team\u003c/strong\u003e in the initial stages of creating your Threat Model .\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eGather existing diagrams\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe team should gather any existing diagrams such as architecture diagrams, sequence diagrams, etc. that would be helpful in understanding the system or application. 
This will help inform the creation (or update) of a Data Flow Diagram\u0026nbsp; (DFD) during the first whiteboard session.\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026nbsp;\u003cstrong\u003eNOTE: \u003c/strong\u003eThe DFD doesn't have to be created before the first Threat Modeling\u0026nbsp;session; it can be created together with the \u003cstrong\u003eCMS Threat Modeling Team\u003c/strong\u003e.\u003c/em\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eIdentify stakeholders and personas\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eBefore conducting the Threat Model Session, it is important to identify the key stakeholders who will be participating in the creation of the Threat Model. These perspectives/personas are critical to a successful Threat Modeling\u0026nbsp; session. You can use the following table to inform your work to develop these personas:\u0026nbsp;\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003ePersona\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eDescription\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDeveloper\u003c/td\u003e\u003ctd\u003e\u003cp\u003eSomeone who understands the current application design, and has had the most depth of involvement in the design decisions made to date.\u003c/p\u003e\u003cp\u003eThey were involved in design brainstorming or whiteboarding sessions leading up to this point, when they would typically have been thinking about threats to the design and possible mitigations to include.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eBusiness\u003c/td\u003e\u003ctd\u003eSomeone who represents the business outcomes of the workload or feature that is part of the Threat Modeling\u0026nbsp; process. 
This person should have an intimate understanding of the functional and non-functional requirements of the workload—and their job is to make sure that these requirements aren't unduly impacted by any proposed mitigations to address threats.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSecurity\u003c/td\u003e\u003ctd\u003eSomeone who understands application security principles and how they may be applied to designing, building, and testing applications for resilience and protection against security attacks. The purpose of this role is to support the development team in evaluating threats and devising security controls that mitigate the threats.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eInfrastructure\u003c/td\u003e\u003ctd\u003eSomeone who understands the physical or virtual components that make up the underlying infrastructure of the Application. Design decisions are offset by Infrastructure considerations. These should be voiced during the Threat Modeling\u0026nbsp; session, though there are often aspects of \u003cstrong\u003eShared Responsibility Models \u003c/strong\u003ethat may be reflected in the technology used.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eThreat Model Coordinator\u003c/td\u003e\u003ctd\u003eThe Threat Model subject matter expert (SME) should be the most familiar with the Threat Modeling\u0026nbsp; process and discussion moderation methods, and should have a depth of IT security knowledge and experience. 
Discussion moderation is crucial for the overall exercise process to make sure that the overall objectives of the process are kept on-track, and that the appropriate balance between security and delivery of the customer outcome is maintained.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003e\u003cstrong\u003eDocument current and upcoming work\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThis is used to help answer “What are we working on?” in terms of change to the system.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eComplete the Threat Model Template in Confluence\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe \u003cstrong\u003eCMS Threat Modeling\u0026nbsp;Team\u003c/strong\u003e uses Confluence to organize their threat models. Copy the \u003ca href=\"https://confluenceent.cms.gov/display/CTM/Template+Threat+Model\"\u003eThreat Model Template\u003c/a\u003e to your own Confluence space, and record the data collected in the previous steps.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSchedule your Threat Modeling\u0026nbsp; Sessions\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eWork with your team to coordinate dates and times, and then reach out to the \u003cstrong\u003eCMS Threat Modeling\u0026nbsp;Team\u003c/strong\u003e to schedule your Threat Model Sessions. It's up to the team if they prefer to have one session or to break it up into multiple sessions. Breaking up the session (e.g., three sessions, two hours each, one day apart) gives the team the time and space to learn the structure and concepts involved before going into the next session.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePrepare your team\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eSend a welcome email to everyone who will attend your Threat Modeling\u0026nbsp; Session. 
Be sure to include the following in your email:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eA link to this \u003ca href=\"https://security.cms.gov/policy-guidance/threat-modeling-handbook\"\u003eThreat Modeling Handbook\u003c/a\u003e\u003c/li\u003e\u003cli\u003eA link to the \u003ca href=\"https://confluenceent.cms.gov/display/CTM/\"\u003eThreat Modeling\u0026nbsp;Confluence Space\u003c/a\u003e\u003c/li\u003e\u003cli\u003eA shared link to your specific Mural Whiteboard (or other drawing tool) for easy viewing\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThese shared resources will allow everyone on the team to have access to the information they need to successfully complete the Threat Model .\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eIdentify threats using the STRIDE Model\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAs a structured method of Threat Modeling, STRIDE is meant to help teams locate threats in a system. It offers a way to organize information so that teams can plan how to mitigate or eliminate the threats. Remember that the acronym STRIDE stands for the six types of threats that the framework helps to identify:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSpoofing Identity\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eIdentity spoofing occurs when the hacker pretends to be another person, assuming the identity and information in that identity to commit fraud. A very common example of this threat is when an email is sent from a false email address, appearing to be someone else. Typically, these emails request sensitive data. A vulnerable or unaware recipient provides the requested data, and the hacker is then easily able to assume the new identity.\u003c/p\u003e\u003cp\u003eIdentities that are faked can include both human and technical identities. 
Through spoofing, the hacker can gain access through just one vulnerable identity to then execute a much larger cyber attack.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTampering With Data\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eData tampering occurs when data or information is changed without authorization. Ways that a bad actor can execute tampering could be through changing a configuration file to gain system control, inserting a malicious file, or deleting/modifying a log file.\u003c/p\u003e\u003cp\u003eChange monitoring, also known as file integrity monitoring (FIM), is essential to integrate into your business to identify if and when data tampering occurs. This process critically examines files with a baseline of what a good file looks like. Proper logging and storage are critical to support file monitoring.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eRepudiation Threats\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eRepudiation threats happen when a bad actor performs an illegal or malicious operation in a system and then denies their involvement with the attack. In these attacks, the system lacks the ability to actually trace the malicious activity to identify a hacker.\u003c/p\u003e\u003cp\u003eRepudiation attacks are relatively easy to execute on e-mail systems, as very few systems check outbound mail for validity. Most of these attacks begin as access attacks.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eInformation Disclosure\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eInformation disclosure is also known as information leakage. It happens when an application or website unintentionally reveals data to unauthorized users. This type of threat can affect the process, data flow and data storage in an application. 
Some examples of information disclosure include unintentional access to source code files via temporary backups, unnecessary exposure of sensitive information such as credit card numbers, and revealing database information in error messages.\u003c/p\u003e\u003cp\u003eThese issues are common, and can arise from internal content that is shared publicly, insecure application configurations, or flawed error responses in the design of the application.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eDenial of Service\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eDenial of Service (DoS) attacks restrict an authorized user from accessing resources that they should be able to access. This affects the process, data flow and data storage in an application.\u0026nbsp;\u003c/p\u003e\u003cp\u003eDespite increases in DoS attacks, it does seem that protective tools such as \u003ca href=\"https://www.comparitech.com/net-admin/best-ddos-protection-service/\"\u003eAWS Shield and CloudFlare\u003c/a\u003e continue to be effective.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eElevation of Privileges\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThrough the elevation of privileges, an authorized or unauthorized user in the system can gain access to other information that they are not authorized to see. An example of this attack could be as simple as a missed authorization check, or even elevation through data tampering where the attacker modifies the disk or memory to execute non-authorized commands.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eEvaluate system interactions and elements\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eWhen using the STRIDE method for Threat Modeling\u0026nbsp; to create your DFD, your team can evaluate threats \u003cstrong\u003eper\u003c/strong\u003e \u003cstrong\u003einteraction \u003c/strong\u003eand\u003cstrong\u003e per element\u003c/strong\u003e. 
To do this, your team will need to analyze the potential risks associated with each interaction and element within your system. Remember that:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eInteractions\u003c/strong\u003e are how different components, modules, users, or external entities communicate with each other. Its important for teams to understand the flow of information, data, or control between these entities.\u0026nbsp;\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eElements\u003c/strong\u003e are different components of a system, like databases, APIs, user interfaces, and other network components.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eTo apply STRIDE to your DFD, your team will complete the following steps to apply the STRIDE method to your Threat Model :\u0026nbsp;\u003c/p\u003e\u003col\u003e\u003cli\u003e\u003cstrong\u003eApply STRIDE categories to interactions and elements\u003c/strong\u003e\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eAt the start of your analysis, your team will apply STRIDE\u003cstrong\u003e per interaction\u003c/strong\u003e to determine if there are any threats related to the data flows between components. After completing the interaction analysis, you will then investigate any additional threats further by applying STRIDE to \u003cstrong\u003eany element\u003c/strong\u003e. Any threats that fall outside of interactions and elements should be classified as \u003cstrong\u003eunstructured threats\u003c/strong\u003e.\u003c/p\u003e\u003col start=\"2\"\u003e\u003cli\u003e\u003cstrong\u003eAnalyze threats\u003c/strong\u003e\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eConsider how each type of threat can manifest and brainstorm potential attack scenarios or vulnerabilities that align with each category\u003cem\u003e. \u003c/em\u003eMany development teams will already have ideas of what issues exist inside their systems. Their first-hand experience should be welcomed into the Threat Model Session. 
Key questions to ask during your session include: How would you attack the system? What are you (most) concerned about?\u003c/p\u003e\u003col start=\"3\"\u003e\u003cli\u003e\u003cstrong\u003eDetermine threat impact and likelihood\u003c/strong\u003e\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eEvaluate the potential impact of each identified threat. Consider the consequences in terms of confidentiality, integrity, availability, regulatory compliance, or other relevant factors. Assess the potential damage or harm that can occur if the threat is successfully exploited. Also consider factors such as the level of access required, the complexity of the attack, the presence of mitigating controls, and the motivation and capabilities of potential attackers. Once the initial threat analysis is complete, your team may find that many of the threats are unlikely, low impact, and/or not in the scope of the teams area of responsibility.\u003c/p\u003e\u003col start=\"4\"\u003e\u003cli\u003e\u003cstrong\u003ePrioritize threats and define mitigation strategies\u003c/strong\u003e\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eReview the remaining threats and work with the team, specifically the ISSO and Business Owner, to identify the major threats. The team then should work on the proposed mitigation plan by identifying team members that are responsible for mitigating the threats, estimate dates of completion, and include this information in the final report for follow-up at a later date (generally 90 days).\u003c/p\u003e\u003col start=\"5\"\u003e\u003cli\u003e\u003cstrong\u003eValidate and refine:\u003c/strong\u003e Review the threat analysis and proposed mitigations with your team regularly. 
Refine the threat analysis and update the mitigation strategies when changes occur within your system.\u003c/li\u003e\u003c/ol\u003e\u003ch2\u003e\u003cstrong\u003eWhat to do following your Threat Model Session(s)\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eIn order to answer the question “Did we do a good enough job?”, it is important to review the identified threats, understand the mitigations, determine the risks, and communicate the results with others.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eComplete the Threat Model Report\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eUsing the \u003ca href=\"https://confluenceent.cms.gov/display/CTM/Template+Threat+Model\"\u003eThreat Model Report Template\u003c/a\u003e, the data gathered from the Threat Model Session is transferred into a shared report or PDF that can be used for a final review with all stakeholders. It provides information from the Threat Model Session, including system information, DFD, identified (possible) threats, and proposed mitigations. Your team's options for post-session reporting include:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eAfter a review with stakeholders, the final report should be uploaded to the “Assessments” tab of CMS FISMA Continuous Tracking System (CFACTS) by the system's ISSO.\u003c/li\u003e\u003cli\u003eInstead of a full report, a PDF of the Mural board + Confluence page may be sufficient for use by the CMS ADO Team. In other cases, a formal document may be needed in order to justify a budgetary request to address a vulnerability that will require additional funds.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eSend feedback survey\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCreate a post-session email to all attendees thanking them for their participation and providing a link to the \u003ca href=\"https://cmsgov.typeform.com/tm-feedback\"\u003eThreat Model Session feedback form\u003c/a\u003e. 
This information will be used by the \u003cstrong\u003eCMS Threat Modeling\u0026nbsp;Team\u003c/strong\u003e for continuous improvement of the CMS Threat Modeling process.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eThreat mitigation follow up\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eMitigation follow-up is managed by the application ISSO, but should be completed approximately 90 days after the Threat Model Session. All mitigations should be commented on and updated, then attached with the Threat Model report.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eThreat Modeling terms and definitions\u003c/strong\u003e\u003c/h2\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eTerm\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eDefinition\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eImpact\u003c/td\u003e\u003ctd\u003eA measure of the potential damage caused by a particular threat. Impact and damage can take a variety of forms. A threat may result in damage to physical assets, or may result in obvious financial loss. Indirect loss may also result from an attack and needs to be considered as part of the impact.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eLikelihood\u003c/td\u003e\u003ctd\u003eA measure of the possibility of a threat being carried out. 
A variety of factors can impact the likelihood of a threat being carried out, including how difficult the implementation of the threat is, and how rewarding it would be to the attacker.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eControls\u003c/td\u003e\u003ctd\u003eSafeguards or countermeasures that you put in place in order to avoid, detect, counteract, or minimize potential threats against your information, systems, or other assets.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePreventions\u003c/td\u003e\u003ctd\u003eControls that may completely prevent a particular attack from being possible.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eMitigations\u003c/td\u003e\u003ctd\u003eControls that are put in place to reduce either the likelihood or the impact of a threat, while not completely preventing it.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eData Flow Diagram\u0026nbsp;\u003c/td\u003e\u003ctd\u003eA depiction of how information flows through your system. It shows each place that data is input into or output from each process or subsystem. It includes anywhere that data is stored in the system, either temporarily or long-term.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTrust boundary (in the context of Threat Modeling )\u003c/td\u003e\u003ctd\u003eA location on the Data Flow Diagram\u0026nbsp; where data changes its level of trust. Any place where data is passed between two processes is typically a trust boundary. If your application makes a call to a remote process, or a remote process makes calls to your application, that's a trust boundary. If you read data from a database, there's typically a trust boundary because other processes can modify the data in the database. 
Any place you accept user input in any form is always a trust boundary\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eWorkflows (Use Cases)\u003c/td\u003e\u003ctd\u003eA written description of how users will perform tasks within your system or application. It outlines, from a user's point of view, a system's behavior as it responds to a request. Each workflow is represented as a sequence of simple steps, beginning with a user's goal and ending when that goal is fulfilled.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSystem Name\u003c/td\u003e\u003ctd\u003eFISMA system name that can be found in CFACTS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSystem Description\u003c/td\u003e\u003ctd\u003eHigh level description of the system that can be found in CFACTS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eExternal Entity\u003c/td\u003e\u003ctd\u003eAn outside system or process that sends or receives data to and from the diagrammed system- sources or destinations of information\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eProcess\u003c/td\u003e\u003ctd\u003eA procedure that manipulates the data and its flow by taking incoming data, changing it, and producing an output with it.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eData Store\u003c/td\u003e\u003ctd\u003eHolds information for later use waiting to be processed. 
Data inputs flow through a process and then through a data store while data outputs flow out of a data store and then through a process.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eData Flow\u003c/td\u003e\u003ctd\u003eThe path the system's information takes from external entities through processes and data stores.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSpoofing\u003c/td\u003e\u003ctd\u003eThreat action aimed at accessing and using another user's credentials, such as username and password.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTampering\u003c/td\u003e\u003ctd\u003eThreat action intending to maliciously change or modify persistent data, or to alter data in transit between two computers over an open network, such as the Internet.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eRepudiation\u003c/td\u003e\u003ctd\u003eThreat action aimed at performing prohibited operations in a system that lacks the ability to trace the operations.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eInformation Disclosure\u003c/td\u003e\u003ctd\u003eThreat action intending to read a file that one was not granted access to, or to read data in transit.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDenial of Service (DoS)\u003c/td\u003e\u003ctd\u003eThreat action attempting to deny access to valid users, such as by making a web server temporarily unavailable or unusable.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eEscalation of Privileges\u003c/td\u003e\u003ctd\u003eThreat action intending to gain privileged access to resources in order to gain unauthorized access to information or to compromise a system.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTuple\u003c/td\u003e\u003ctd\u003eLooking at a section of a Data Flow Diagram\u0026nbsp; by identifying the source, destination, and data type of the data 
flow.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch2\u003e\u003cstrong\u003eThreat Modeling resources\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe following are a list of industry resources the \u003cstrong\u003eCMS Threat Modeling Team\u003c/strong\u003e has identified as helpful for those within the CMS community who want to learn more about Threat Modeling:\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://owasp.org/www-community/Threat_Modeling_Process\"\u003eOWASP Threat Modeling\u0026nbsp;Process\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://threatmodelingmanifesto.org\"\u003eThreat Modeling\u0026nbsp;Manifesto\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://www.threatmodelingmanifesto.org/capabilities/\"\u003eThreat Modeling Capabilities\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://github.com/hysnsec/awesome-threat-modelling\"\u003eAwesome Threat Modeling - curated list of resources\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://aws.amazon.com/blogs/security/how-to-approach-threat-modeling/\"\u003eAWS - How to Approach Threat Modeling\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://www.softwaresecured.com/post/stride-threat-modelling\"\u003eSTRIDE Threat Modeling: What You Need To Know\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://infosec.mozilla.org/guidelines/risk/rapid_risk_assessment.html\"\u003eMozilla: Rapid Risk Assessment (RRA)\u003c/a\u003e\u003c/p\u003e"])</script><script>self.__next_f.push([1,"1d:T9889,"])</script><script>self.__next_f.push([1,"\u003cp\u003e\u003cem\u003eDisclaimer: The information and resources in this document are driven directly at and for CMS internal teams and ADOs to help them initiate and complete threat model exercises. 
While you may be viewing this document as a publicly available resource to anyone, any information excluded as well as context included is meant for CMS-specific audiences.\u0026nbsp;\u003c/em\u003e\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eWhat is Threat Modeling?\u003c/strong\u003e\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eThreat Modeling is a proactive, holistic approach to analyzing potential threats and risks in a system or application in order to identify and address them. It involves analyzing how an attacker might try to exploit weaknesses in the system and then taking steps to mitigate those risks. It enables informed decision-making about application security risks. In addition to producing a model diagram, the process also produces a prioritized list of security improvements to the conception, requirements gathering, design, or implementation of an application.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eAt CMS, we use threat modeling to help identify potential weaknesses that could be exploited by malicious actors. The \u003cstrong\u003eCMS Threat Modeling Team\u003c/strong\u003e works with System Teams to analyze their system's components, understand how they interact, and envision how an attacker might exploit vulnerabilities. This important work allows System/Business Owners, ISSOs, and Developers to implement appropriate security measures such as encryption, access controls, or regular software updates to reduce the chances of a successful attack and to protect sensitive information.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThreat Modeling is typically done alongside end-phase security testing and can be conducted at any time, but is ideally done early in the design phase of the Software Development Life Cycle (SDLC). Once completed, a threat model can be updated as needed throughout the SDLC, and should be revisited with each new feature or release. 
This practice promotes identifying and remediating threats, as well as continuously monitoring the effects of internal or external changes.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eWhat are the benefits of Threat Modeling?\u003c/strong\u003e\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eAt CMS, Threat Modeling\u0026nbsp;supports CMS system security and continuous monitoring efforts by supporting the following goals:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eDetecting problems early in the software development life cycle (SDLC)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eIdentifying system security requirements\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eCreating a structured plan to address both system requirements and deficiencies\u003c/li\u003e\u003cli dir=\"ltr\"\u003eEvaluating attacks on CMS systems teams might not have considered, even security issues unique to your system\u003c/li\u003e\u003cli dir=\"ltr\"\u003eStaying one step ahead of attackers\u003c/li\u003e\u003cli dir=\"ltr\"\u003eGetting inside the minds of threat agents and their motivations, skills, and capabilities\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eServing as a resource for CMS\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/penetration-testing\"\u003ePenetration Testing\u003c/a\u003e and\u0026nbsp;\u003ca href=\"https://security.cms.gov/policy-guidance/cms-contingency-plan-exercise-handbook\"\u003eContingency Planning\u003c/a\u003e\u0026nbsp; activities\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eThreat Modeling\u0026nbsp;frameworks\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eTeams choosing to participate in Threat Modeling at CMS will have the option to work with the \u003cstrong\u003eCMS Threat Modeling\u0026nbsp;Team\u003c/strong\u003e during a series of sessions. 
To successfully complete these sessions, the \u003cstrong\u003eCMS Threat Modeling Team\u003c/strong\u003e will use a number of proven frameworks, including:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://adam.shostack.org/\"\u003eAdam Shostack's \u003c/a\u003eFour-Question Frame for Threat Modeling\u0026nbsp;\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.microsoft.com/security/blog/2007/09/11/stride-chart/\"\u003eSTRIDE Threat Model\u0026nbsp;\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThese methods were chosen by the \u003cstrong\u003eCMS Threat Modeling\u0026nbsp;Team\u003c/strong\u003e because they are expedient, reliable models that use industry-standard language and provide immediate value to CMS teams. Read on to learn about the specifics of these frameworks.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eFour-Question Frame for Threat Modeling\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAs your team embarks on its Threat Modeling journey, it's important that these four questions remain top-of-mind:\u003c/p\u003e\u003col\u003e\u003cli\u003eWhat are we working on?\u003c/li\u003e\u003cli\u003eWhat can go wrong?\u003c/li\u003e\u003cli\u003eWhat are we going to do about it?\u003c/li\u003e\u003cli\u003eDid we do a good enough job?\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eThese questions form the base of the work that your team and the \u003cstrong\u003eCMS Threat Modeling Team\u003c/strong\u003e will complete together. 
The questions are actionable, and designed to quickly identify problems and solutions, which is the core purpose of Threat Modeling.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eThe STRIDE Model\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe \u003ca href=\"https://www.microsoft.com/security/blog/2007/09/11/stride-chart/\"\u003eSTRIDE\u003c/a\u003e Threat Modeling\u0026nbsp;framework is a systematic approach used to identify and analyze potential security threats and vulnerabilities in software systems. It provides a structured methodology for understanding and addressing security risks during the design and development stages of a system.\u003c/p\u003e\u003cp\u003eThe acronym STRIDE stands for the six types of threats that the framework helps to identify:\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eThreat type\u003c/th\u003e\u003cth\u003eProperty Violated\u003c/th\u003e\u003cth\u003eThreat Definition\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eS\u003c/strong\u003epoofing\u003c/td\u003e\u003ctd\u003eAuthentication\u003c/td\u003e\u003ctd\u003ePretending to be something or someone other than yourself\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eT\u003c/strong\u003eampering\u003c/td\u003e\u003ctd\u003eIntegrity\u003c/td\u003e\u003ctd\u003eModifying something on disk, network, memory, or elsewhere\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eR\u003c/strong\u003eepudiation\u003c/td\u003e\u003ctd\u003eNon-Repudiation\u003c/td\u003e\u003ctd\u003eClaiming that you didn't do something or were not responsible; can be honest or false\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eI\u003c/strong\u003enformation Disclosure\u003c/td\u003e\u003ctd\u003eConfidentiality\u003c/td\u003e\u003ctd\u003eProviding information to someone not authorized to access 
it\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eD\u003c/strong\u003eenial of service\u003c/td\u003e\u003ctd\u003eAvailability\u003c/td\u003e\u003ctd\u003eExhausting resources needed to provide service\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eE\u003c/strong\u003elevation of Privilege\u003c/td\u003e\u003ctd\u003eAuthorization\u003c/td\u003e\u003ctd\u003eAllowing someone to do something they are not authorized to do\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eMore information about using the STRIDE method to complete your Threat Modeling\u0026nbsp;Session can be found in section “How to create your Threat Model ”.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eOther Threat Modeling frameworks\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eApart from the STRIDE Threat Modeling framework, there are several other popular Threat Modeling frameworks commonly used in the field of software security. Here are a few notable ones:\u003c/p\u003e\u003ch4\u003e\u003ca href=\"https://versprite.com/blog/what-is-pasta-threat-modeling/\"\u003e\u003cstrong\u003ePASTA\u003c/strong\u003e\u003c/a\u003e\u003cstrong\u003e (Process for Attack Simulation and Threat Analysis)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003ePASTA is a risk-centric Threat Modeling\u0026nbsp;framework that focuses on the business impact of threats. 
It involves a seven-step iterative process, including defining the objectives, creating an application profile, identifying threats, assessing vulnerabilities, analyzing risks, defining countermeasures, and validating the results with active vulnerability or penetration testing.\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003ca href=\"https://linddun.org/\"\u003e\u003cstrong\u003eLINDDUN\u003c/strong\u003e\u003c/a\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eLINDDUN threat modeling is a comprehensive approach that extends beyond traditional security threat modeling by focusing explicitly on various aspects of privacy. It is particularly relevant in the development of systems where user data privacy is of utmost importance, such as in applications handling personal or sensitive information. Here's a breakdown of what LINDDUN stands for and how it is applied:\u003c/p\u003e\u003col\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eL\u003c/strong\u003einkability: This aspect evaluates whether an attacker can link two or more items of interest (such as messages, actions, individuals) in a way that the system's design did not intend. The goal is to prevent unauthorized linking of information to protect user privacy.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eI\u003c/strong\u003edentifiability: This examines the risk of identifying a subject (like a user) from the available data. The system should be designed to prevent unauthorized identification of users.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eN\u003c/strong\u003eon-repudiation: This component assesses the possibility that a user cannot deny an action they performed. While non-repudiation is often a security goal, in the context of privacy, it can be undesirable as it might lead to the exposure of a user's actions.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eD\u003c/strong\u003eetectability: This refers to the ability of an attacker to determine that an item of interest exists. 
For privacy protection, certain information should not be detectable by unauthorized parties.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eD\u003c/strong\u003eisclosure of Information: This looks at the risk of exposing information to unauthorized entities. The goal is to ensure that confidential information remains private.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eU\u003c/strong\u003enawareness \u0026amp; Unintervenability: This considers whether users are unaware of the data processing practices, which might impact their privacy. Ensuring that users are informed and consenting to data processing is key to protecting privacy.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eN\u003c/strong\u003eon-compliance: This evaluates the risk of the system not complying with privacy policies and regulations. Ensuring compliance is crucial for legal and ethical reasons.\u003c/li\u003e\u003c/ol\u003e\u003ch4\u003e\u003ca href=\"https://infosec.mozilla.org/guidelines/risk/rapid_risk_assessment.html\"\u003e\u003cstrong\u003eMozilla's Rapid Risk Assessment (RRA)\u003c/strong\u003e\u003c/a\u003e\u003c/h4\u003e\u003cp\u003eRRA is designed to quickly identify and prioritize security risks in software projects, allowing teams to allocate their resources effectively. It aims to be a lightweight and agile approach to risk assessment.\u003c/p\u003e\u003cp\u003eThese are just a few examples of additional Threat Modeling frameworks. Each framework has its strengths and focuses on different aspects of Threat Modeling, but they all aim to identify and address potential security risks effectively. 
It may be beneficial for your team to review these frameworks as you start your own threat model.\u0026nbsp;\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eSupplemental frameworks and tools\u003c/strong\u003e\u003c/h3\u003e\u003ch4 dir=\"ltr\"\u003e\u003ca href=\"https://nvd.nist.gov/vuln-metrics/cvss#:~:text=The%20Common%20Vulnerability%20Scoring%20System,Base%2C%20Temporal%2C%20and%20Environmental.\"\u003e\u003cstrong\u003eCVSS\u003c/strong\u003e\u003c/a\u003e\u003cstrong\u003e (Common Vulnerability Scoring System)\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eCVSS is a vulnerability severity classification system which identifies metrics around the ease-of-exploitation and privilege levels required to exploit a CVE. It is not a method of threat modeling or tracking risk. It is used to advise on remediation cadence and urgency. Once a threat is identified, its associated vulnerability can receive a CVSS severity rating of Critical, High, Medium, Low, or Informational to guide prioritization.\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003ca href=\"https://attack.mitre.org/matrices/enterprise/\"\u003e\u003cstrong\u003eMITRE ATT\u0026amp;CK\u003c/strong\u003e\u003c/a\u003e\u003cstrong\u003e (Adversarial Tactics, Techniques, and Common Knowledge)\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eATT\u0026amp;CK is not a threat modeling methodology per se but can be used in conjunction with other threat modeling frameworks. ATT\u0026amp;CK is a collection of tactics, techniques, and procedures (TTPs) which enumerate the exploitation and post-exploitation actions threat actors can take against vulnerabilities. Some attacks receive CVE classifications, but ATT\u0026amp;CK is instead a repository of steps an adversary can chain together which, as a whole, create a Kill Chain or successful attack. It is a good tool for referencing attack actions in the same manner across technical and non-technical departments. 
It can be used with threat modeling once threats have been identified to associate the attack actions with the identified threat. ATT\u0026amp;CK is not a compliance framework.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eMany tools and frameworks exist that support threat modeling activities or which can be mapped to a threat modeling methodology such as STRIDE but these should not be relied upon in isolation from other methods.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eThreat Modeling tools\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe tools needed for Threat Modeling can be as simple as using a Whiteboard to brainstorm ideas and a method to record threats and mitigations (paper, a photo of a diagram, etc.). At CMS, the \u003cstrong\u003eCMS Threat Modeling\u0026nbsp;Team\u003c/strong\u003e uses the following tools to communicate with teams and record ideas and information:\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eMural (for drawing DFD diagrams)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eTeams primarily use \u003ca href=\"https://www.mural.co/\"\u003eMural\u003c/a\u003e as a digital whiteboard for drawing Data Flow Diagrams (DFDs). 
You can sign up for a Mural space to complete this work by contacting the \u003ca href=\"mailto:cmscollabtools@cms.hhs.gov\"\u003eCMS Cloud Team\u003c/a\u003e (CMS email account required).\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eNOTE: \u003c/strong\u003eSome other drawing tools may be alternatively used such as \u003ca href=\"https://app.diagrams.net\"\u003eapp.diagrams.net\u003c/a\u003e (formerly Draw.io), \u003ca href=\"https://www.lucidchart.com/\"\u003eLucidchart\u003c/a\u003e, etc.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS Confluence (for recording threats)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eTeams use \u003ca href=\"https://confluenceent.cms.gov/display/CTM/\"\u003eConfluence\u003c/a\u003e to fill out their \u003ca href=\"https://confluenceent.cms.gov/display/CTM/Template+Threat+Model\"\u003eThreat Model Template\u003c/a\u003e in a space that is protected and safe from outside users.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eZoom (for team collaboration)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe \u003cstrong\u003eCMS Threat Modeling\u0026nbsp;Team\u003c/strong\u003e will use \u003ca href=\"https://cms.zoomgov.com/\"\u003eZoom\u003c/a\u003e to collaborate with other team members on a Threat Model. 
Threat Modeling sessions are recorded so that all artifacts can be transferred to other systems of record.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eYouTube (for additional training)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eYour team is encouraged to review the \u003ca href=\"https://www.youtube.com/playlist?list=PLyEaxwXtHzLl_X1RFAjLk1klaa7g_Ab3A\"\u003eCMS CASP Threat Modeling playlist\u003c/a\u003e on CMS YouTube channel before you start your Threat Model.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cem\u003eAdditional or alternative tools may be added in the future to further help CMS ADO Teams with creating and maintaining Threat Models.\u003c/em\u003e\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eSupplemental Threat Modeling tools\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eAs a reference, here are some other threat modeling tools in the industry that may be considered in the future for use at CMS:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eFree Tools:\u003c/strong\u003e\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003ca href=\"https://www.threatdragon.com/\"\u003e\u003cstrong\u003eOWASP Threat Dragon\u003c/strong\u003e\u003c/a\u003e\u003c/h3\u003e\u003cp\u003eThe OWASP Threat Dragon is a free, open-source, cross-platform application for creating threat models. Use it to draw threat modeling diagrams and to identify threats for your system. With an emphasis on flexibility and simplicity it is easily accessible for all types of users.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003ca href=\"https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool\"\u003e\u003cstrong\u003eMicrosoft Threat Modeling Tool\u003c/strong\u003e\u003c/a\u003e\u003c/h3\u003e\u003cp\u003eThe Threat Modeling Tool is a core element of the Microsoft Security Development Lifecycle (SDL). It allows software architects to identify and mitigate potential security issues early, when they are relatively easy and cost-effective to resolve. 
As a result, it greatly reduces the total cost of development. Also, the tool is designed with non-security experts in mind, making threat modeling easier for all developers by providing clear guidance on creating and analyzing threat models.\u003cbr\u003e\u003cstrong\u003eNOTE: \u003c/strong\u003eThe Microsoft Threat Modeling Tool is a desktop-only tool that can be installed on Microsoft operating systems only.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePaid Tools (requires paid / annual license(s) for usage):\u003c/strong\u003e\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003ca href=\"https://www.iriusrisk.com/\"\u003e\u003cstrong\u003eIriusRisk\u003c/strong\u003e\u003c/a\u003e\u003c/h3\u003e\u003cp\u003eIriusRisk is an open Threat Modeling platform that automates and supports creating threat models at design time. The threat model includes recommendations on how to address the risk. IriusRisk then enables the user to manage security risks throughout the rest of the software development lifecycle (SDLC) with best-in-class architectural diagramming and full customization to enable every stakeholder to collaborate.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003ca href=\"https://threatmodeler.com/\"\u003e\u003cstrong\u003eThreatModeler\u003c/strong\u003e\u003c/a\u003e\u003c/h3\u003e\u003cp\u003eThreatModeler's patented technology enables intuitive, automated, collaborative threat modeling and integrates directly into every component of your DevSecOps tool chain, automating the “Sec” in DevSecOps from design to code to cloud at scale. ThreatModeler's SaaS platform ensures secure and compliant applications, infrastructure, and cloud assets in design, saving millions in incident response costs, remediation costs and regulatory fines. It is trusted by software, security and cloud architects, engineers, and developers at companies across the world. 
Founded in 2010, ThreatModeler is headquartered in Jersey City, NJ.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003ca href=\"https://devici.com/\"\u003e\u003cstrong\u003eDevici\u003c/strong\u003e\u003c/a\u003e\u003c/h3\u003e\u003cp\u003eWelcome to Devici, where secure design is driven by threat modeling from the inception of every project. Imagine a platform that allows you to integrate security into your software's blueprint. That's the essence of Secure by Design, and we make it attainable for teams of any size. We're not just a threat modeling tool; we're a movement that embraces the craftsmanship required for secure software development. Our name draws inspiration from the genius of Leonardo Da Vinci, who saw the intricate connections between art and science, much like our approach to crafting secure and private software. Just as Da Vinci meticulously studied anatomy, engineering, and more to improve his art, we empower developers and engineers to delve deep into the design of their software, uncovering potential security and privacy threats. We help implement secure by design foundations.\u003cbr\u003e\u0026nbsp;\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eHow to create your Threat Model\u0026nbsp;\u003c/strong\u003e\u003c/h2\u003e\u003ch3\u003e\u003cstrong\u003eRead the Threat Modeling Handbook\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eLearn about the process of Threat Modeling to decide when the right time is to engage with the \u003cstrong\u003eCMS Threat Modeling\u0026nbsp;Team\u003c/strong\u003e based on your system's current compliance and authorization schedule.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eFill out the Threat Modeling intake form\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003ePlease complete the \u003ca href=\"https://forms.office.com/g/3jfhwGyHdQ\"\u003eThreat Modeling\u0026nbsp;Intake Form\u003c/a\u003e. 
The \u003cstrong\u003eCMS Threat Modeling\u0026nbsp;Team\u003c/strong\u003e will use the answers you provide in this questionnaire to help inform future planning sessions.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eMeet with the CMS Threat Modeling Team\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eTo start things off, facilitators from the \u003cstrong\u003eCMS Threat Modeling\u0026nbsp;Team\u003c/strong\u003e will meet with the System/Business Owner, ISSO, and up to two Senior Developers to talk about the process, time commitment, and outputs expected in future Threat Model Sessions.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eGather system information\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eYour team should gather and document high level system information, including:\u003c/p\u003e\u003cul\u003e\u003cli\u003eSystem name\u003c/li\u003e\u003cli\u003eSystem description\u003c/li\u003e\u003cli\u003eTypes or sensitivity of data\u003c/li\u003e\u003cli\u003eScope and external interactions\u003c/li\u003e\u003cli\u003ePrimary workflows (use cases)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThis information will help the \u003cstrong\u003eCMS Threat Modeling\u0026nbsp;Team\u003c/strong\u003e in the initial stages of creating your Threat Model.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eGather existing diagrams\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe team should gather any existing diagrams such as architecture diagrams, sequence diagrams, etc. that would be helpful in understanding the system or application. 
This will help inform the creation (or update) of a Data Flow Diagram\u0026nbsp; (DFD) during the first whiteboard session.\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026nbsp;\u003cstrong\u003eNOTE: \u003c/strong\u003eThe DFD doesn't have to be created before the first Threat Modeling\u0026nbsp;session; it can be created together with the \u003cstrong\u003eCMS Threat Modeling Team\u003c/strong\u003e.\u003c/em\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eIdentify stakeholders and personas\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eBefore conducting the Threat Model Session, it is important to identify the key stakeholders who will be participating in the creation of the Threat Model. These perspectives/personas are critical to a successful Threat Modeling\u0026nbsp; session. You can use the following table to inform your work to develop these personas:\u0026nbsp;\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003ePersona\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eDescription\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDeveloper\u003c/td\u003e\u003ctd\u003e\u003cp\u003eSomeone who understands the current application design, and has had the most depth of involvement in the design decisions made to date.\u003c/p\u003e\u003cp\u003eThey were involved in design brainstorming or whiteboarding sessions leading up to this point, when they would typically have been thinking about threats to the design and possible mitigations to include.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eBusiness\u003c/td\u003e\u003ctd\u003eSomeone who represents the business outcomes of the workload or feature that is part of the Threat Modeling\u0026nbsp; process. 
This person should have an intimate understanding of the functional and non-functional requirements of the workload—and their job is to make sure that these requirements aren't unduly impacted by any proposed mitigations to address threats.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSecurity\u003c/td\u003e\u003ctd\u003eSomeone who understands application security principles and how they may be applied to designing, building, and testing applications for resilience and protection against security attacks. The purpose of this role is to support the development team in evaluating threats and devising security controls that mitigate the threats.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eInfrastructure\u003c/td\u003e\u003ctd\u003eSomeone who understands the physical or virtual components that make up the underlying infrastructure of the Application. Design decisions are offset by Infrastructure considerations. These should be voiced during the Threat Modeling\u0026nbsp; session, though there are often aspects of \u003cstrong\u003eShared Responsibility Models \u003c/strong\u003ethat may be reflected in the technology used.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eThreat Model Coordinator\u003c/td\u003e\u003ctd\u003eThe Threat Model subject matter expert (SME) should be the most familiar with the Threat Modeling\u0026nbsp; process and discussion moderation methods, and should have a depth of IT security knowledge and experience. 
Discussion moderation is crucial to make sure that the overall objectives of the exercise are kept on track, and that the appropriate balance between security and delivery of the customer outcome is maintained.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003e\u003cstrong\u003eDocument current and upcoming work\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThis is used to help answer “What are we working on?” in terms of change to the system.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eComplete the Threat Model Template in Confluence\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe \u003cstrong\u003eCMS Threat Modeling\u0026nbsp;Team\u003c/strong\u003e uses Confluence to organize their threat models. Copy the \u003ca href=\"https://confluenceent.cms.gov/display/CTM/Template+Threat+Model\"\u003eThreat Model Template\u003c/a\u003e to your own Confluence space, and record the data collected in the previous steps.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSchedule your Threat Modeling\u0026nbsp; Sessions\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eWork with your team to coordinate dates and times, and then reach out to the \u003cstrong\u003eCMS Threat Modeling\u0026nbsp;Team\u003c/strong\u003e to schedule your Threat Model Sessions. It's up to the team if they prefer to have one session or to break it up into multiple sessions. Breaking up the session (e.g., three sessions, two hours each, one day apart) gives the team the time and space to learn the structure and concepts involved before going into the next session.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePrepare your team\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eSend a welcome email to everyone who will attend your Threat Modeling\u0026nbsp; Session. 
Be sure to include the following in your email:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eA link to this \u003ca href=\"https://security.cms.gov/policy-guidance/threat-modeling-handbook\"\u003eThreat Modeling Handbook\u003c/a\u003e\u003c/li\u003e\u003cli\u003eA link to the \u003ca href=\"https://confluenceent.cms.gov/display/CTM/\"\u003eThreat Modeling\u0026nbsp;Confluence Space\u003c/a\u003e\u003c/li\u003e\u003cli\u003eA shared link to your specific Mural Whiteboard (or other drawing tool) for easy viewing\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThese shared resources will allow everyone on the team to have access to the information they need to successfully complete the Threat Model.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eIdentify threats using the STRIDE Model\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAs a structured method of Threat Modeling, STRIDE is meant to help teams locate threats in a system. It offers a way to organize information so that teams can plan how to mitigate or eliminate the threats. Remember that the acronym STRIDE stands for the six types of threats that the framework helps to identify:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSpoofing Identity\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eIdentity spoofing occurs when the hacker pretends to be another person, assuming the identity and information in that identity to commit fraud. A very common example of this threat is when an email is sent from a false email address, appearing to be someone else. Typically, these emails request sensitive data. A vulnerable or unaware recipient provides the requested data, and the hacker is then easily able to assume the new identity.\u003c/p\u003e\u003cp\u003eIdentities that are faked can include both human and technical identities. 
Through spoofing, the hacker can gain access through just one vulnerable identity to then execute a much larger cyber attack.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTampering With Data\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eData tampering occurs when data or information is changed without authorization. Ways that a bad actor can execute tampering could be through changing a configuration file to gain system control, inserting a malicious file, or deleting/modifying a log file.\u003c/p\u003e\u003cp\u003eChange monitoring, also known as file integrity monitoring (FIM), is essential to integrate into your business to identify if and when data tampering occurs. This process critically examines files with a baseline of what a good file looks like. Proper logging and storage are critical to support file monitoring.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eRepudiation Threats\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eRepudiation threats happen when a bad actor performs an illegal or malicious operation in a system and then denies their involvement with the attack. In these attacks, the system lacks the ability to actually trace the malicious activity to identify a hacker.\u003c/p\u003e\u003cp\u003eRepudiation attacks are relatively easy to execute on e-mail systems, as very few systems check outbound mail for validity. Most of these attacks begin as access attacks.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eInformation Disclosure\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eInformation disclosure is also known as information leakage. It happens when an application or website unintentionally reveals data to unauthorized users. This type of threat can affect the process, data flow and data storage in an application. 
Some examples of information disclosure include unintentional access to source code files via temporary backups, unnecessary exposure of sensitive information such as credit card numbers, and revealing database information in error messages.\u003c/p\u003e\u003cp\u003eThese issues are common, and can arise from internal content that is shared publicly, insecure application configurations, or flawed error responses in the design of the application.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eDenial of Service\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eDenial of Service (DoS) attacks restrict an authorized user from accessing resources that they should be able to access. This affects the process, data flow and data storage in an application.\u0026nbsp;\u003c/p\u003e\u003cp\u003eDespite increases in DoS attacks, it does seem that protective tools such as \u003ca href=\"https://www.comparitech.com/net-admin/best-ddos-protection-service/\"\u003eAWS Shield and CloudFlare\u003c/a\u003e continue to be effective.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eElevation of Privileges\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThrough the elevation of privileges, an authorized or unauthorized user in the system can gain access to other information that they are not authorized to see. An example of this attack could be as simple as a missed authorization check, or even elevation through data tampering where the attacker modifies the disk or memory to execute non-authorized commands.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eEvaluate system interactions and elements\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eWhen using the STRIDE method for Threat Modeling\u0026nbsp; to create your DFD, your team can evaluate threats \u003cstrong\u003eper\u003c/strong\u003e \u003cstrong\u003einteraction \u003c/strong\u003eand\u003cstrong\u003e per element\u003c/strong\u003e. 
To do this, your team will need to analyze the potential risks associated with each interaction and element within your system. Remember that:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eInteractions\u003c/strong\u003e are how different components, modules, users, or external entities communicate with each other. It's important for teams to understand the flow of information, data, or control between these entities.\u0026nbsp;\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eElements\u003c/strong\u003e are different components of a system, like databases, APIs, user interfaces, and other network components.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eTo apply the STRIDE method to your DFD and Threat Model, your team will complete the following steps:\u0026nbsp;\u003c/p\u003e\u003col\u003e\u003cli\u003e\u003cstrong\u003eApply STRIDE categories to interactions and elements\u003c/strong\u003e\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eAt the start of your analysis, your team will apply STRIDE\u003cstrong\u003e per interaction\u003c/strong\u003e to determine if there are any threats related to the data flows between components. After completing the interaction analysis, you will then investigate any additional threats further by applying STRIDE to \u003cstrong\u003eeach element\u003c/strong\u003e. Any threats that fall outside of interactions and elements should be classified as \u003cstrong\u003eunstructured threats\u003c/strong\u003e.\u003c/p\u003e\u003col start=\"2\"\u003e\u003cli\u003e\u003cstrong\u003eAnalyze threats\u003c/strong\u003e\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eConsider how each type of threat can manifest and brainstorm potential attack scenarios or vulnerabilities that align with each category\u003cem\u003e. \u003c/em\u003eMany development teams will already have ideas of what issues exist inside their systems. Their first-hand experience should be welcomed into the Threat Model Session. 
Key questions to ask during your session include: How would you attack the system? What are you (most) concerned about?\u003c/p\u003e\u003col start=\"3\"\u003e\u003cli\u003e\u003cstrong\u003eDetermine threat impact and likelihood\u003c/strong\u003e\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eEvaluate the potential impact of each identified threat. Consider the consequences in terms of confidentiality, integrity, availability, regulatory compliance, or other relevant factors. Assess the potential damage or harm that can occur if the threat is successfully exploited. Also consider factors such as the level of access required, the complexity of the attack, the presence of mitigating controls, and the motivation and capabilities of potential attackers. Once the initial threat analysis is complete, your team may find that many of the threats are unlikely, low impact, and/or not in the scope of the team's area of responsibility.\u003c/p\u003e\u003col start=\"4\"\u003e\u003cli\u003e\u003cstrong\u003ePrioritize threats and define mitigation strategies\u003c/strong\u003e\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eReview the remaining threats and work with the team, specifically the ISSO and Business Owner, to identify the major threats. The team then should work on the proposed mitigation plan by identifying team members who are responsible for mitigating the threats, estimating dates of completion, and including this information in the final report for follow-up at a later date (generally 90 days).\u003c/p\u003e\u003col start=\"5\"\u003e\u003cli\u003e\u003cstrong\u003eValidate and refine:\u003c/strong\u003e Review the threat analysis and proposed mitigations with your team regularly. 
Refine the threat analysis and update the mitigation strategies when changes occur within your system.\u003c/li\u003e\u003c/ol\u003e\u003ch2\u003e\u003cstrong\u003eWhat to do following your Threat Model Session(s)\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eIn order to answer the question “Did we do a good enough job?”, it is important to review the identified threats, understand the mitigations, determine the risks, and communicate the results with others.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eComplete the Threat Model Report\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eUsing the \u003ca href=\"https://confluenceent.cms.gov/display/CTM/Template+Threat+Model\"\u003eThreat Model Report Template\u003c/a\u003e, the data gathered from the Threat Model Session is transferred into a shared report or PDF that can be used for a final review with all stakeholders. It provides information from the Threat Model Session, including system information, DFD, identified (possible) threats, and proposed mitigations. Your team's options for post-session reporting include:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eAfter a review with stakeholders, the final report should be uploaded to the “Assessments” tab of the CMS FISMA Continuous Tracking System (CFACTS) by the system's ISSO.\u003c/li\u003e\u003cli\u003eInstead of a full report, a PDF of the Mural board + Confluence page may be sufficient for use by the CMS ADO Team. In other cases, a formal document may be needed in order to justify a budgetary request to address a vulnerability that will require additional funds.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eSend feedback survey\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCreate a post-session email to all attendees thanking them for their participation and providing a link to the \u003ca href=\"https://cmsgov.typeform.com/tm-feedback\"\u003eThreat Model Session feedback form\u003c/a\u003e. 
This information will be used by the \u003cstrong\u003eCMS Threat Modeling\u0026nbsp;Team\u003c/strong\u003e for continuous improvement of the CMS Threat Modeling process.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eThreat mitigation follow up\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eMitigation follow-up is managed by the application ISSO, but should be completed approximately 90 days after the Threat Model Session. All mitigations should be commented on and updated, then attached with the Threat Model report.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eThreat Modeling terms and definitions\u003c/strong\u003e\u003c/h2\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eTerm\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eDefinition\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eImpact\u003c/td\u003e\u003ctd\u003eA measure of the potential damage caused by a particular threat. Impact and damage can take a variety of forms. A threat may result in damage to physical assets, or may result in obvious financial loss. Indirect loss may also result from an attack and needs to be considered as part of the impact.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eLikelihood\u003c/td\u003e\u003ctd\u003eA measure of the possibility of a threat being carried out. 
A variety of factors can impact the likelihood of a threat being carried out, including how difficult the implementation of the threat is, and how rewarding it would be to the attacker.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eControls\u003c/td\u003e\u003ctd\u003eSafeguards or countermeasures that you put in place in order to avoid, detect, counteract, or minimize potential threats against your information, systems, or other assets.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePreventions\u003c/td\u003e\u003ctd\u003eControls that may completely prevent a particular attack from being possible.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eMitigations\u003c/td\u003e\u003ctd\u003eControls that are put in place to reduce either the likelihood or the impact of a threat, while not completely preventing it.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eData Flow Diagram\u0026nbsp;\u003c/td\u003e\u003ctd\u003eA depiction of how information flows through your system. It shows each place that data is input into or output from each process or subsystem. It includes anywhere that data is stored in the system, either temporarily or long-term.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTrust boundary (in the context of Threat Modeling )\u003c/td\u003e\u003ctd\u003eA location on the Data Flow Diagram\u0026nbsp; where data changes its level of trust. Any place where data is passed between two processes is typically a trust boundary. If your application makes a call to a remote process, or a remote process makes calls to your application, that's a trust boundary. If you read data from a database, there's typically a trust boundary because other processes can modify the data in the database. 
Any place you accept user input in any form is always a trust boundary.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eWorkflows (Use Cases)\u003c/td\u003e\u003ctd\u003eA written description of how users will perform tasks within your system or application. It outlines, from a user's point of view, a system's behavior as it responds to a request. Each workflow is represented as a sequence of simple steps, beginning with a user's goal and ending when that goal is fulfilled.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSystem Name\u003c/td\u003e\u003ctd\u003eFISMA system name that can be found in CFACTS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSystem Description\u003c/td\u003e\u003ctd\u003eHigh-level description of the system that can be found in CFACTS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eExternal Entity\u003c/td\u003e\u003ctd\u003eAn outside system or process that sends or receives data to and from the diagrammed system (a source or destination of information)\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eProcess\u003c/td\u003e\u003ctd\u003eA procedure that manipulates the data and its flow by taking incoming data, changing it, and producing an output with it.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eData Store\u003c/td\u003e\u003ctd\u003eHolds information for later use waiting to be processed. 
Data inputs flow through a process and then through a data store while data outputs flow out of a data store and then through a process.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eData Flow\u003c/td\u003e\u003ctd\u003eThe path the system's information takes from external entities through processes and data stores.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSpoofing\u003c/td\u003e\u003ctd\u003eThreat action aimed at accessing and using another user's credentials, such as username and password.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTampering\u003c/td\u003e\u003ctd\u003eThreat action intending to maliciously change or modify persistent data, and the alteration of data in transit between two computers over an open network, such as the Internet.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eRepudiation\u003c/td\u003e\u003ctd\u003eThreat action aimed at performing prohibited operations in a system that lacks the ability to trace the operations.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eInformation Disclosure\u003c/td\u003e\u003ctd\u003eThreat action intending to read a file that one was not granted access to, or to read data in transit.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDenial of Service (DoS)\u003c/td\u003e\u003ctd\u003eThreat action attempting to deny access to valid users, such as by making a web server temporarily unavailable or unusable.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eEscalation of Privileges\u003c/td\u003e\u003ctd\u003eThreat action intending to gain privileged access to resources in order to gain unauthorized access to information or to compromise a system.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTuple\u003c/td\u003e\u003ctd\u003eLooking at a section of a Data Flow Diagram\u0026nbsp; by identifying the source, destination, and data type of the data 
flow.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch2\u003e\u003cstrong\u003eThreat Modeling resources\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe following are a list of industry resources the \u003cstrong\u003eCMS Threat Modeling Team\u003c/strong\u003e has identified as helpful for those within the CMS community who want to learn more about Threat Modeling:\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://owasp.org/www-community/Threat_Modeling_Process\"\u003eOWASP Threat Modeling\u0026nbsp;Process\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://threatmodelingmanifesto.org\"\u003eThreat Modeling\u0026nbsp;Manifesto\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://www.threatmodelingmanifesto.org/capabilities/\"\u003eThreat Modeling Capabilities\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://github.com/hysnsec/awesome-threat-modelling\"\u003eAwesome Threat Modeling - curated list of resources\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://aws.amazon.com/blogs/security/how-to-approach-threat-modeling/\"\u003eAWS - How to Approach Threat Modeling\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://www.softwaresecured.com/post/stride-threat-modelling\"\u003eSTRIDE Threat Modeling: What You Need To Know\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://infosec.mozilla.org/guidelines/risk/rapid_risk_assessment.html\"\u003eMozilla: Rapid Risk Assessment 
(RRA)\u003c/a\u003e\u003c/p\u003e"])</script><script>self.__next_f.push([1,"20:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/d185e460-4998-4d2b-85cb-b04f304dfb1b\"}\n1f:{\"self\":\"$20\"}\n23:[\"menu_ui\",\"scheduler\"]\n22:{\"module\":\"$23\"}\n26:[]\n25:{\"available_menus\":\"$26\",\"parent\":\"\"}\n27:{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}\n24:{\"menu_ui\":\"$25\",\"scheduler\":\"$27\"}\n21:{\"langcode\":\"en\",\"status\":true,\"dependencies\":\"$22\",\"third_party_settings\":\"$24\",\"name\":\"Explainer page\",\"drupal_internal__type\":\"explainer\",\"description\":\"Use \u003ci\u003eExplainer pages\u003c/i\u003e to provide general information in plain language about a policy, program, tool, service, or task related to security and privacy at CMS.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}\n1e:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"links\":\"$1f\",\"attributes\":\"$21\"}\n2a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/ee0c4536-bc99-4440-92eb-6256599174e5\"}\n29:{\"self\":\"$2a\"}\n2b:{\"display_name\":\"mkania\"}\n28:{\"type\":\"user--user\",\"id\":\"ee0c4536-bc99-4440-92eb-6256599174e5\",\"links\":\"$29\",\"attributes\":\"$2b\"}\n2e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/dca2c49b-4a12-4d5f-859d-a759444160a4\"}\n2d:{\"self\":\"$2e\"}\n2f:{\"display_name\":\"meg - 
retired\"}\n2c:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"links\":\"$2d\",\"attributes\":\"$2f\"}\n32:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4?resourceVersion=id%3A121\"}\n31:{\"self\":\"$32\"}\n34:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n33:{\"drupal_internal__tid\":121,\"drupal_internal__revision_id\":121,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:13:12+00:00\",\"status\":true,\"name\":\"Tools / Services\",\"description\":null,\"weight\":5,\"changed\":\"2023-06-14T19:04:09+00:00\",\"de"])</script><script>self.__next_f.push([1,"fault_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$34\"}\n38:{\"drupal_internal__target_id\":\"resource_type\"}\n37:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":\"$38\"}\n3a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/vid?resourceVersion=id%3A121\"}\n3b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/relationships/vid?resourceVersion=id%3A121\"}\n39:{\"related\":\"$3a\",\"self\":\"$3b\"}\n36:{\"data\":\"$37\",\"links\":\"$39\"}\n3e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/revision_user?resourceVersion=id%3A121\"}\n3f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/relationships/revision_user?resourceVersion=id%3A121\"}\n3d:{\"related\":\"$3e\",\"self\":\"$3f\"}\n3c:{\"data\":null,\"links\":\"$3d\"}\n46:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n45:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$46\"}\n44:{\"help\":\"$45\"}\n43:{\"links\":\"$44\"}\n42:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":\"$43\"}\n41:[\"$42\"]\n48:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/parent?resourceVersion=id%3A121\"}\n49:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/relationships/parent?resourceVersion=id%3A121\"}\n47:{\"related\":\"$48\",\"self\":\"$49\"}\n40:{\"data\":\"$41\",\"links\":\"$47\"}\n35:{\"vid\":\"$36\",\"revision_user\":\"$3c\",\"parent\":\"$40\"}\n30:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"links\":\"$31\",\"attributes\":\"$33\",\"relationships\":\"$35\"}\n4c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5?resourceVersion=id%3A66\"}\n4b:{\"self\":\"$4c\"}\n4e:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n4d:{\"drupal_internal__t"])</script><script>self.__next_f.push([1,"id\":66,\"drupal_internal__revision_id\":66,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:26+00:00\",\"status\":true,\"name\":\"Cyber Risk Advisor 
(CRA)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:26+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$4e\"}\n52:{\"drupal_internal__target_id\":\"roles\"}\n51:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$52\"}\n54:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/vid?resourceVersion=id%3A66\"}\n55:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/vid?resourceVersion=id%3A66\"}\n53:{\"related\":\"$54\",\"self\":\"$55\"}\n50:{\"data\":\"$51\",\"links\":\"$53\"}\n58:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/revision_user?resourceVersion=id%3A66\"}\n59:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/revision_user?resourceVersion=id%3A66\"}\n57:{\"related\":\"$58\",\"self\":\"$59\"}\n56:{\"data\":null,\"links\":\"$57\"}\n60:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n5f:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$60\"}\n5e:{\"help\":\"$5f\"}\n5d:{\"links\":\"$5e\"}\n5c:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$5d\"}\n5b:[\"$5c\"]\n62:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/parent?resourceVersion=id%3A66\"}\n63:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/parent?resourceVersion=id%3A66\"}\n61:{\"related\":\"$62\",\"self\":\"$63\"}\n5a:{\"data\":\"$5b\",\"links\":\"$61\"}\n4f:{\"vid\":\"$50\",\"revision_user\":\"$56\",\"parent\":\"$5a\"}\n4a:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"links\":\"$4b\",\"attributes\":\"$4d\",\"relationships\":\"$4f\"}\n66:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18"])</script><script>self.__next_f.push([1,"463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}\n65:{\"self\":\"$66\"}\n68:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n67:{\"drupal_internal__tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Officer 
(ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$68\"}\n6c:{\"drupal_internal__target_id\":\"roles\"}\n6b:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$6c\"}\n6e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"}\n6f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}\n6d:{\"related\":\"$6e\",\"self\":\"$6f\"}\n6a:{\"data\":\"$6b\",\"links\":\"$6d\"}\n72:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"}\n73:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersion=id%3A61\"}\n71:{\"related\":\"$72\",\"self\":\"$73\"}\n70:{\"data\":null,\"links\":\"$71\"}\n7a:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n79:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$7a\"}\n78:{\"help\":\"$79\"}\n77:{\"links\":\"$78\"}\n76:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$77\"}\n75:[\"$76\"]\n7c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"}\n7d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}\n7b:{\"related\":\"$7c\",\"self\":\"$7d\"}\n74:{\"data\":\"$75\",\"links\":\"$7b\"}\n69:{\"vid\":\"$6a\",\"revision_user\":\"$70\",\"parent\":\"$74\"}\n64:{\"type\":\"taxonomy_term--roles\",\"id\":\"7"])</script><script>self.__next_f.push([1,"a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":\"$65\",\"attributes\":\"$67\",\"relationships\":\"$69\"}\n80:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}\n7f:{\"self\":\"$80\"}\n82:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n81:{\"drupal_internal__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business 
Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$82\"}\n86:{\"drupal_internal__target_id\":\"roles\"}\n85:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$86\"}\n88:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"}\n89:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}\n87:{\"related\":\"$88\",\"self\":\"$89\"}\n84:{\"data\":\"$85\",\"links\":\"$87\"}\n8c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"}\n8d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}\n8b:{\"related\":\"$8c\",\"self\":\"$8d\"}\n8a:{\"data\":null,\"links\":\"$8b\"}\n94:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n93:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$94\"}\n92:{\"help\":\"$93\"}\n91:{\"links\":\"$92\"}\n90:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$91\"}\n8f:[\"$90\"]\n96:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"}\n97:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}\n95:{\"related\":\"$9"])</script><script>self.__next_f.push([1,"6\",\"self\":\"$97\"}\n8e:{\"data\":\"$8f\",\"links\":\"$95\"}\n83:{\"vid\":\"$84\",\"revision_user\":\"$8a\",\"parent\":\"$8e\"}\n7e:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":\"$7f\",\"attributes\":\"$81\",\"relationships\":\"$83\"}\n9a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e?resourceVersion=id%3A71\"}\n99:{\"self\":\"$9a\"}\n9c:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n9b:{\"drupal_internal__tid\":71,\"drupal_internal__revision_id\":71,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:42+00:00\",\"status\":true,\"name\":\"System 
Teams\",\"description\":null,\"weight\":0,\"changed\":\"2024-08-02T21:29:47+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$9c\"}\na0:{\"drupal_internal__target_id\":\"roles\"}\n9f:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$a0\"}\na2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/vid?resourceVersion=id%3A71\"}\na3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/vid?resourceVersion=id%3A71\"}\na1:{\"related\":\"$a2\",\"self\":\"$a3\"}\n9e:{\"data\":\"$9f\",\"links\":\"$a1\"}\na6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/revision_user?resourceVersion=id%3A71\"}\na7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/revision_user?resourceVersion=id%3A71\"}\na5:{\"related\":\"$a6\",\"self\":\"$a7\"}\na4:{\"data\":null,\"links\":\"$a5\"}\nae:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\nad:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$ae\"}\nac:{\"help\":\"$ad\"}\nab:{\"links\":\"$ac\"}\naa:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$ab\"}\na9:[\"$aa\"]\nb0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/parent?resourceVersion=id%3A71\"}\nb1:{\"href\":\"https://cybergeek.cms."])</script><script>self.__next_f.push([1,"gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/parent?resourceVersion=id%3A71\"}\naf:{\"related\":\"$b0\",\"self\":\"$b1\"}\na8:{\"data\":\"$a9\",\"links\":\"$af\"}\n9d:{\"vid\":\"$9e\",\"revision_user\":\"$a4\",\"parent\":\"$a8\"}\n98:{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"links\":\"$99\",\"attributes\":\"$9b\",\"relationships\":\"$9d\"}\nb4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c?resourceVersion=id%3A41\"}\nb3:{\"self\":\"$b4\"}\nb6:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\nb5:{\"drupal_internal__tid\":41,\"drupal_internal__revision_id\":41,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:06:04+00:00\",\"status\":true,\"name\":\"Application 
Security\",\"description\":null,\"weight\":0,\"changed\":\"2022-09-28T21:04:30+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$b6\"}\nba:{\"drupal_internal__target_id\":\"topics\"}\nb9:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":\"$ba\"}\nbc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/vid?resourceVersion=id%3A41\"}\nbd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/relationships/vid?resourceVersion=id%3A41\"}\nbb:{\"related\":\"$bc\",\"self\":\"$bd\"}\nb8:{\"data\":\"$b9\",\"links\":\"$bb\"}\nc0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/revision_user?resourceVersion=id%3A41\"}\nc1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/relationships/revision_user?resourceVersion=id%3A41\"}\nbf:{\"related\":\"$c0\",\"self\":\"$c1\"}\nbe:{\"data\":null,\"links\":\"$bf\"}\nc8:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\nc7:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$c8\"}\nc6:{\"help\":\"$c7\"}\nc5:{\"links\":\"$c6\"}\nc4:{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":\"$c5\"}\nc3:[\"$c4\"]\nca:{\"href\":\"https://cy"])</script><script>self.__next_f.push([1,"bergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/parent?resourceVersion=id%3A41\"}\ncb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/relationships/parent?resourceVersion=id%3A41\"}\nc9:{\"related\":\"$ca\",\"self\":\"$cb\"}\nc2:{\"data\":\"$c3\",\"links\":\"$c9\"}\nb7:{\"vid\":\"$b8\",\"revision_user\":\"$be\",\"parent\":\"$c2\"}\nb2:{\"type\":\"taxonomy_term--topics\",\"id\":\"34eaf3c8-5635-4a38-b8c3-7225aa196f4c\",\"links\":\"$b3\",\"attributes\":\"$b5\",\"relationships\":\"$b7\"}\nce:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0534f7e2-9894-488d-a526-3c0255df2ad5?resourceVersion=id%3A46\"}\ncd:{\"self\":\"$ce\"}\nd0:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\ncf:{\"drupal_internal__tid\":46,\"drupal_internal__revision_id\":46,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:06:13+00:00\",\"status\":true,\"name\":\"Security 
Operations\",\"description\":null,\"weight\":6,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$d0\"}\nd4:{\"drupal_internal__target_id\":\"topics\"}\nd3:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":\"$d4\"}\nd6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0534f7e2-9894-488d-a526-3c0255df2ad5/vid?resourceVersion=id%3A46\"}\nd7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0534f7e2-9894-488d-a526-3c0255df2ad5/relationships/vid?resourceVersion=id%3A46\"}\nd5:{\"related\":\"$d6\",\"self\":\"$d7\"}\nd2:{\"data\":\"$d3\",\"links\":\"$d5\"}\nda:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0534f7e2-9894-488d-a526-3c0255df2ad5/revision_user?resourceVersion=id%3A46\"}\ndb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0534f7e2-9894-488d-a526-3c0255df2ad5/relationships/revision_user?resourceVersion=id%3A46\"}\nd9:{\"related\":\"$da\",\"self\":\"$db\"}\nd8:{\"data\":null,\"links\":\"$d9\"}\ne2:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\ne1:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual"])</script><script>self.__next_f.push([1,"\",\"meta\":\"$e2\"}\ne0:{\"help\":\"$e1\"}\ndf:{\"links\":\"$e0\"}\nde:{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":\"$df\"}\ndd:[\"$de\"]\ne4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0534f7e2-9894-488d-a526-3c0255df2ad5/parent?resourceVersion=id%3A46\"}\ne5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0534f7e2-9894-488d-a526-3c0255df2ad5/relationships/parent?resourceVersion=id%3A46\"}\ne3:{\"related\":\"$e4\",\"self\":\"$e5\"}\ndc:{\"data\":\"$dd\",\"links\":\"$e3\"}\nd1:{\"vid\":\"$d2\",\"revision_user\":\"$d8\",\"parent\":\"$dc\"}\ncc:{\"type\":\"taxonomy_term--topics\",\"id\":\"0534f7e2-9894-488d-a526-3c0255df2ad5\",\"links\":\"$cd\",\"attributes\":\"$cf\",\"relationships\":\"$d1\"}\ne8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/72d40c3c-330d-4194-ad1e-c61c29f5a60d?resourceVersion=id%3A17491\"}\ne7:{\"self\":\"$e8\"}\nea:[]\nec:T536,\u003ch2\u003e\u003cstrong\u003eWhat is Threat Modeling?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThreat modeling is a way of thinking about potential risks and vulnerabilities in a system or application to identify and address them proactively. 
It involves a development team and key stakeholders working together to analyze how an attacker might try to exploit weaknesses in the system, and then determining steps to mitigate those risks.\u003c/p\u003e\u003cp\u003e\u003cem\u003e“Threat modeling is a structured activity for identifying, evaluating, and managing system threats, architectural design flaws, and recommended security mitigations.”\u003c/em\u003e\u003cbr\u003e(Ref:\u0026nbsp;\u003ca href=\"https://owaspsamm.org/model/design/threat-assessment/stream-b/\"\u003eOWASP SAMM\u003c/a\u003e)\u003c/p\u003e\u003cp\u003eAt CMS, we use threat modeling to help identify potential weaknesses that could be exploited by malicious actors. The\u0026nbsp;\u003cstrong\u003eCMS Threat Modeling Team\u0026nbsp;\u003c/strong\u003eworks with Application Development Organizations (ADOs) and system teams to analyze their system's components, understand how they interact, and envision how an attacker might exploit vulnerabilities. This important work allows system/business owners, ISSOs, and developers to implement appropriate security measures such as encryption, access c"])</script><script>self.__next_f.push([1,"ontrols, or regular software updates to reduce the chances of a successful attack and protect sensitive information.\u003c/p\u003eed:T536,\u003ch2\u003e\u003cstrong\u003eWhat is Threat Modeling?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThreat modeling is a way of thinking about potential risks and vulnerabilities in a system or application to identify and address them proactively. 
It involves a development team and key stakeholders working together to analyze how an attacker might try to exploit weaknesses in the system, and then determining steps to mitigate those risks.\u003c/p\u003e\u003cp\u003e\u003cem\u003e“Threat modeling is a structured activity for identifying, evaluating, and managing system threats, architectural design flaws, and recommended security mitigations.”\u003c/em\u003e\u003cbr\u003e(Ref:\u0026nbsp;\u003ca href=\"https://owaspsamm.org/model/design/threat-assessment/stream-b/\"\u003eOWASP SAMM\u003c/a\u003e)\u003c/p\u003e\u003cp\u003eAt CMS, we use threat modeling to help identify potential weaknesses that could be exploited by malicious actors. The\u0026nbsp;\u003cstrong\u003eCMS Threat Modeling Team\u0026nbsp;\u003c/strong\u003eworks with Application Development Organizations (ADOs) and system teams to analyze their system's components, understand how they interact, and envision how an attacker might exploit vulnerabilities. This important work allows system/business owners, ISSOs, and developers to implement appropriate security measures such as encryption, access controls, or regular software updates to reduce the chances of a successful attack and protect sensitive 
information.\u003c/p\u003eeb:{\"value\":\"$ec\",\"format\":\"body_text\",\"processed\":\"$ed\"}\ne9:{\"drupal_internal__id\":3306,\"drupal_internal__revision_id\":17491,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-06-16T16:25:55+00:00\",\"parent_id\":\"581\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":\"$ea\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":\"$eb\"}\nf1:{\"drupal_internal__target_id\":\"page_section\"}\nf0:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":\"$f1\"}\nf3:{\"href\":\"https://cybergeek.cms.gov/json"])</script><script>self.__next_f.push([1,"api/paragraph/page_section/72d40c3c-330d-4194-ad1e-c61c29f5a60d/paragraph_type?resourceVersion=id%3A17491\"}\nf4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/72d40c3c-330d-4194-ad1e-c61c29f5a60d/relationships/paragraph_type?resourceVersion=id%3A17491\"}\nf2:{\"related\":\"$f3\",\"self\":\"$f4\"}\nef:{\"data\":\"$f0\",\"links\":\"$f2\"}\nf7:{\"target_revision_id\":17490,\"drupal_internal__target_id\":3307}\nf6:{\"type\":\"paragraph--call_out_box\",\"id\":\"25f6f306-3012-46b5-a0ae-946e0b21d364\",\"meta\":\"$f7\"}\nf9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/72d40c3c-330d-4194-ad1e-c61c29f5a60d/field_specialty_item?resourceVersion=id%3A17491\"}\nfa:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/72d40c3c-330d-4194-ad1e-c61c29f5a60d/relationships/field_specialty_item?resourceVersion=id%3A17491\"}\nf8:{\"related\":\"$f9\",\"self\":\"$fa\"}\nf5:{\"data\":\"$f6\",\"links\":\"$f8\"}\nee:{\"paragraph_type\":\"$ef\",\"field_specialty_item\":\"$f5\"}\ne6:{\"type\":\"paragraph--page_section\",\"id\":\"72d40c3c-330d-4194-ad1e-c61c29f5a60d\",\"links\":\"$e7\",\"attributes\":\"$e9\",\"relationships\":\"$ee\"}\nfd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/b46cc06c-9584-4143
-8dc1-4e95c87edf2b?resourceVersion=id%3A17498\"}\nfc:{\"self\":\"$fd\"}\nff:[]\n101:T6a4,\u003ch2\u003e\u003cstrong\u003eWhat are the benefits of Threat Modeling?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eAt CMS, threat modeling is used to supports CMS system security and continuous monitoring efforts by supporting the following goals:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eDetecting problems early in the software development life cycle (SDLC)\u003c/li\u003e\u003cli\u003eIdentifying system security requirements\u0026nbsp;\u003c/li\u003e\u003cli\u003eCreating a structured plan to address both system requirements and deficiencies\u003c/li\u003e\u003cli\u003eEvaluating attacks on CMS systems that teams might not have considered, even security issues unique to your system\u003c/li\u003e\u003cli\u003eStaying one step ahead of attackers\u003c/li\u003e\u003cli\u003eGetting inside the minds of threat agents and their motivations, skills, and capabilities\u0026nbsp;\u003c/li\u003e\u003cli\u003eServing as a resource for CMS \u003ca href=\"https://security.cms.gov/learn/penetrati"])</script><script>self.__next_f.push([1,"on-testing\"\u003ePenetration Testing\u003c/a\u003e and \u003ca href=\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-6-contingency-planning-cp\"\u003eContingency Planning\u003c/a\u003e\u0026nbsp; activities\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eGetting started with Threat Modeling\u003c/strong\u003e\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eThe\u0026nbsp;\u003cstrong\u003eCMS Threat Modeling Team\u003c/strong\u003e recommends system teams start the threat modeling process\u0026nbsp;\u003cem\u003ebefore\u0026nbsp;\u003c/em\u003ethey complete their required\u0026nbsp;\u003ca href=\"https://main.d9a0chgmdud85.amplifyapp.com/learn/penetration-testing\"\u003ePenetration Testing\u003c/a\u003e or as part of their\u0026nbsp;\u003ca 
href=\"https://main.d9a0chgmdud85.amplifyapp.com/learn/authorization-operate-ato#types-of-authorizations\"\u003eOngoing Authorization\u003c/a\u003e efforts.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe\u0026nbsp;\u003cstrong\u003eCMS Threat Modeling Team\u003c/strong\u003e is ready to help you onboard your system and start your threat model just follow these easy steps to get started:\u003c/p\u003e102:T6a4,\u003ch2\u003e\u003cstrong\u003eWhat are the benefits of Threat Modeling?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eAt CMS, threat modeling is used to supports CMS system security and continuous monitoring efforts by supporting the following goals:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eDetecting problems early in the software development life cycle (SDLC)\u003c/li\u003e\u003cli\u003eIdentifying system security requirements\u0026nbsp;\u003c/li\u003e\u003cli\u003eCreating a structured plan to address both system requirements and deficiencies\u003c/li\u003e\u003cli\u003eEvaluating attacks on CMS systems that teams might not have considered, even security issues unique to your system\u003c/li\u003e\u003cli\u003eStaying one step ahead of attackers\u003c/li\u003e\u003cli\u003eGetting inside the minds of threat agents and their motivations, skills, and capabilities\u0026nbsp;\u003c/li\u003e\u003cli\u003eServing as a resource for CMS \u003ca href=\"https://security.cms.gov/learn/penetration-testing\"\u003ePenetration Testing\u003c/a\u003e and \u003ca href=\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-6-contingency-planning-cp\"\u003eContingency Planning\u003c/a\u003e\u0026nbsp; activities\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eGetting started with Threat Modeling\u003c/strong\u003e\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eThe\u0026nbsp;\u003cstrong\u003eCMS Threat Modeling Team\u003c/strong\u003e recomm"])</script><script>self.__next_f.push([1,"ends system teams start the threat modeling 
process\u0026nbsp;\u003cem\u003ebefore\u0026nbsp;\u003c/em\u003ethey complete their required\u0026nbsp;\u003ca href=\"https://main.d9a0chgmdud85.amplifyapp.com/learn/penetration-testing\"\u003ePenetration Testing\u003c/a\u003e or as part of their\u0026nbsp;\u003ca href=\"https://main.d9a0chgmdud85.amplifyapp.com/learn/authorization-operate-ato#types-of-authorizations\"\u003eOngoing Authorization\u003c/a\u003e efforts.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe\u0026nbsp;\u003cstrong\u003eCMS Threat Modeling Team\u003c/strong\u003e is ready to help you onboard your system and start your threat model just follow these easy steps to get started:\u003c/p\u003e100:{\"value\":\"$101\",\"format\":\"body_text\",\"processed\":\"$102\"}\nfe:{\"drupal_internal__id\":3313,\"drupal_internal__revision_id\":17498,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-06-16T16:33:16+00:00\",\"parent_id\":\"581\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":\"$ff\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":\"$100\"}\n106:{\"drupal_internal__target_id\":\"page_section\"}\n105:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":\"$106\"}\n108:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/b46cc06c-9584-4143-8dc1-4e95c87edf2b/paragraph_type?resourceVersion=id%3A17498\"}\n109:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/b46cc06c-9584-4143-8dc1-4e95c87edf2b/relationships/paragraph_type?resourceVersion=id%3A17498\"}\n107:{\"related\":\"$108\",\"self\":\"$109\"}\n104:{\"data\":\"$105\",\"links\":\"$107\"}\n10c:{\"target_revision_id\":17497,\"drupal_internal__target_id\":3312}\n10b:{\"type\":\"paragraph--process_list\",\"id\":\"b320f281-cb7a-481f-966a-4d51a53dc8e8\",\"meta\":\"$10c\"}\n10e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/b46cc06c-9584-4143-8dc1-4e95c87edf2b/field_special
ty_item?resourceVersion=id%3A17498\"}\n10f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/b46cc06c-9584-4143-8dc1-4e95c87edf2b/relationships/field_specialty_item?resourceVersion=id%3A17498\"}\n10d:{\"related\":\"$10e\",\"self\":\"$10f\"}\n10a:{\"data\":\"$10b\""])</script><script>self.__next_f.push([1,",\"links\":\"$10d\"}\n103:{\"paragraph_type\":\"$104\",\"field_specialty_item\":\"$10a\"}\nfb:{\"type\":\"paragraph--page_section\",\"id\":\"b46cc06c-9584-4143-8dc1-4e95c87edf2b\",\"links\":\"$fc\",\"attributes\":\"$fe\",\"relationships\":\"$103\"}\n112:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/25f6f306-3012-46b5-a0ae-946e0b21d364?resourceVersion=id%3A17490\"}\n111:{\"self\":\"$112\"}\n114:[]\n116:[]\n115:{\"uri\":\"entity:node/1119\",\"title\":\"\",\"options\":\"$116\",\"url\":\"/policy-guidance/threat-modeling-handbook\"}\n117:{\"value\":\"Learn more about the process by reading the CMS Threat Modeling Handbook.\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eLearn more about the process by reading the CMS Threat Modeling Handbook.\u003c/p\u003e\\n\"}\n113:{\"drupal_internal__id\":3307,\"drupal_internal__revision_id\":17490,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-06-16T16:32:39+00:00\",\"parent_id\":\"3306\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_specialty_item\",\"behavior_settings\":\"$114\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_call_out_link\":\"$115\",\"field_call_out_link_text\":\"Take me to the handbook!\",\"field_call_out_text\":\"$117\",\"field_header\":\"Want to dive into Threat Modeling? 
\"}\n11b:{\"drupal_internal__target_id\":\"call_out_box\"}\n11a:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"a1d0a205-c6c9-4816-b701-4763d05de8e8\",\"meta\":\"$11b\"}\n11d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/25f6f306-3012-46b5-a0ae-946e0b21d364/paragraph_type?resourceVersion=id%3A17490\"}\n11e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/25f6f306-3012-46b5-a0ae-946e0b21d364/relationships/paragraph_type?resourceVersion=id%3A17490\"}\n11c:{\"related\":\"$11d\",\"self\":\"$11e\"}\n119:{\"data\":\"$11a\",\"links\":\"$11c\"}\n118:{\"paragraph_type\":\"$119\"}\n110:{\"type\":\"paragraph--call_out_box\",\"id\":\"25f6f306-3012-46b5-a0ae-946e0b21d364\",\"links\":\"$111\",\"attributes\":\"$113\",\"relationships\":\"$118\"}\n121:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/b320f281-cb7a-481f-966a-4d51a53dc8e8?resourceVersion=id%3A17497\"}\n120:{\"self\":\"$1"])</script><script>self.__next_f.push([1,"21\"}\n123:[]\n122:{\"drupal_internal__id\":3312,\"drupal_internal__revision_id\":17497,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-06-16T16:33:43+00:00\",\"parent_id\":\"3313\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_specialty_item\",\"behavior_settings\":\"$123\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_process_list_conclusion\":null}\n127:{\"drupal_internal__target_id\":\"process_list\"}\n126:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"8a1fa202-0dc7-4f58-9b3d-7f9c44c9a9c8\",\"meta\":\"$127\"}\n129:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/b320f281-cb7a-481f-966a-4d51a53dc8e8/paragraph_type?resourceVersion=id%3A17497\"}\n12a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/b320f281-cb7a-481f-966a-4d51a53dc8e8/relationships/paragraph_type?resourceVersion=id%3A17497\"}\n128:{\"related\":\"$129\",\"self\":\"$12a\"}\n125:{\"data\":\"$126\",\"links\":\"$128\"}\n12e:{\"target
_revision_id\":17492,\"drupal_internal__target_id\":3308}\n12d:{\"type\":\"paragraph--process_list_item\",\"id\":\"70b61f4c-86e3-4a9f-9ab5-6c3871466b51\",\"meta\":\"$12e\"}\n130:{\"target_revision_id\":17493,\"drupal_internal__target_id\":3309}\n12f:{\"type\":\"paragraph--process_list_item\",\"id\":\"74c18b2f-cb19-43e5-9bf3-7dc782cfce6f\",\"meta\":\"$130\"}\n132:{\"target_revision_id\":17494,\"drupal_internal__target_id\":3310}\n131:{\"type\":\"paragraph--process_list_item\",\"id\":\"4aab4392-1868-4bd1-b6e0-7239f942ddeb\",\"meta\":\"$132\"}\n134:{\"target_revision_id\":17495,\"drupal_internal__target_id\":3311}\n133:{\"type\":\"paragraph--process_list_item\",\"id\":\"8e9bf5b1-29af-427d-ab12-8e7ca165467e\",\"meta\":\"$134\"}\n136:{\"target_revision_id\":17496,\"drupal_internal__target_id\":3486}\n135:{\"type\":\"paragraph--process_list_item\",\"id\":\"7f36d59c-9bdf-40de-a387-9395b6e9d85a\",\"meta\":\"$136\"}\n12c:[\"$12d\",\"$12f\",\"$131\",\"$133\",\"$135\"]\n138:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/b320f281-cb7a-481f-966a-4d51a53dc8e8/field_process_list_item?resourceVersion=id%3A17497\"}\n139:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/b320f281-cb7a-481f-966a-4"])</script><script>self.__next_f.push([1,"d51a53dc8e8/relationships/field_process_list_item?resourceVersion=id%3A17497\"}\n137:{\"related\":\"$138\",\"self\":\"$139\"}\n12b:{\"data\":\"$12c\",\"links\":\"$137\"}\n124:{\"paragraph_type\":\"$125\",\"field_process_list_item\":\"$12b\"}\n11f:{\"type\":\"paragraph--process_list\",\"id\":\"b320f281-cb7a-481f-966a-4d51a53dc8e8\",\"links\":\"$120\",\"attributes\":\"$122\",\"relationships\":\"$124\"}\n13c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/70b61f4c-86e3-4a9f-9ab5-6c3871466b51?resourceVersion=id%3A17492\"}\n13b:{\"self\":\"$13c\"}\n13e:[]\n13f:{\"value\":\"\u003cp\u003eLearn about the process of threat modeling to decide when the right time is to engage with 
the\u0026nbsp;\u003cstrong\u003eCMS Threat Modeling Team\u0026nbsp;\u003c/strong\u003ebased on your systems current compliance and authorization schedule.\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eLearn about the process of threat modeling to decide when the right time is to engage with the\u0026nbsp;\u003cstrong\u003eCMS Threat Modeling Team\u0026nbsp;\u003c/strong\u003ebased on your systems current compliance and authorization schedule.\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\"}\n13d:{\"drupal_internal__id\":3308,\"drupal_internal__revision_id\":17492,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-06-16T16:33:43+00:00\",\"parent_id\":\"3312\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":\"$13e\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":\"$13f\",\"field_list_item_title\":\"Read the Threat Modeling Handbook 
\"}\n143:{\"drupal_internal__target_id\":\"process_list_item\"}\n142:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":\"$143\"}\n145:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/70b61f4c-86e3-4a9f-9ab5-6c3871466b51/paragraph_type?resourceVersion=id%3A17492\"}\n146:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/70b61f4c-86e3-4a9f-9ab5-6c3871466b51/relationships/paragraph_type?resourceVersion=id%3A17492\"}\n144:{\"related\":\"$145\",\"self\":\"$146\"}\n141:{\"data\":\"$142\",\"links\":\"$144\"}\n140:{\"paragraph"])</script><script>self.__next_f.push([1,"_type\":\"$141\"}\n13a:{\"type\":\"paragraph--process_list_item\",\"id\":\"70b61f4c-86e3-4a9f-9ab5-6c3871466b51\",\"links\":\"$13b\",\"attributes\":\"$13d\",\"relationships\":\"$140\"}\n149:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/74c18b2f-cb19-43e5-9bf3-7dc782cfce6f?resourceVersion=id%3A17493\"}\n148:{\"self\":\"$149\"}\n14b:[]\n14c:{\"value\":\"\u003cp\u003ePlease complete the\u0026nbsp;\u003ca href=\\\"https://forms.office.com/g/3jfhwGyHdQ\\\"\u003eThreat Modeling Intake Form\u003c/a\u003e. The\u0026nbsp;\u003cstrong\u003eCMS Threat Modeling Team\u003c/strong\u003e will use the answers you provide in this questionnaire to help inform future planning sessions.\u003c/p\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003ePlease complete the\u0026nbsp;\u003ca href=\\\"https://forms.office.com/g/3jfhwGyHdQ\\\"\u003eThreat Modeling Intake Form\u003c/a\u003e. 
The\u0026nbsp;\u003cstrong\u003eCMS Threat Modeling Team\u003c/strong\u003e will use the answers you provide in this questionnaire to help inform future planning sessions.\u003c/p\u003e\"}\n14a:{\"drupal_internal__id\":3309,\"drupal_internal__revision_id\":17493,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-06-16T16:34:01+00:00\",\"parent_id\":\"3312\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":\"$14b\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":\"$14c\",\"field_list_item_title\":\"Fill out the Threat Modeling intake form\"}\n150:{\"drupal_internal__target_id\":\"process_list_item\"}\n14f:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":\"$150\"}\n152:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/74c18b2f-cb19-43e5-9bf3-7dc782cfce6f/paragraph_type?resourceVersion=id%3A17493\"}\n153:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/74c18b2f-cb19-43e5-9bf3-7dc782cfce6f/relationships/paragraph_type?resourceVersion=id%3A17493\"}\n151:{\"related\":\"$152\",\"self\":\"$153\"}\n14e:{\"data\":\"$14f\",\"links\":\"$151\"}\n14d:{\"paragraph_type\":\"$14e\"}\n147:{\"type\":\"paragraph--process_list_item\",\"id\":\"74c18b2f-cb19-43e5-9bf3-7dc782cfce6f\",\"links\":\"$148\",\"attributes\":\"$14a\",\"relat"])</script><script>self.__next_f.push([1,"ionships\":\"$14d\"}\n156:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/4aab4392-1868-4bd1-b6e0-7239f942ddeb?resourceVersion=id%3A17494\"}\n155:{\"self\":\"$156\"}\n158:[]\n159:{\"value\":\"\u003cp\u003eTo start things off, facilitators from the\u0026nbsp;\u003cstrong\u003eCMS Threat Modeling Team\u003c/strong\u003e will meet with the system/business owner, ISSO, and up to 2 senior developers to talk about the process, time commitment, and outputs expected in future threat model 
sessions. This meeting takes about 30 minutes.\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eTo start things off, facilitators from the\u0026nbsp;\u003cstrong\u003eCMS Threat Modeling Team\u003c/strong\u003e will meet with the system/business owner, ISSO, and up to 2 senior developers to talk about the process, time commitment, and outputs expected in future threat model sessions. This meeting takes about 30 minutes.\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\"}\n157:{\"drupal_internal__id\":3310,\"drupal_internal__revision_id\":17494,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-06-16T16:34:20+00:00\",\"parent_id\":\"3312\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":\"$158\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":\"$159\",\"field_list_item_title\":\"Meet with the CMS Threat Modeling Team\"}\n15d:{\"drupal_internal__target_id\":\"process_list_item\"}\n15c:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":\"$15d\"}\n15f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/4aab4392-1868-4bd1-b6e0-7239f942ddeb/paragraph_type?resourceVersion=id%3A17494\"}\n160:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/4aab4392-1868-4bd1-b6e0-7239f942ddeb/relationships/paragraph_type?resourceVersion=id%3A17494\"}\n15e:{\"related\":\"$15f\",\"self\":\"$160\"}\n15b:{\"data\":\"$15c\",\"links\":\"$15e\"}\n15a:{\"paragraph_type\":\"$15b\"}\n154:{\"type\":\"paragraph--process_list_item\",\"id\":\"4aab4392-1868-4bd1-b6e0-7239f942ddeb\",\"links\":\"$155\",\"attributes\":\"$157\",\"relationships\":\"$15a\"}\n163:{"])</script><script>self.__next_f.push([1,"\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/8e9bf5b1-29af-427d-ab12-8e7ca165467e?resourceVersion=id%3A17495\"
}\n162:{\"self\":\"$163\"}\n165:[]\n166:{\"value\":\"\u003cp\u003eDepending on the complexity of your system or application, you can expect to have two to three threat modeling sessions in total. Each one to two-hour session will focus on walking through a\u0026nbsp;\u003ca href=\\\"https://confluenceent.cms.gov/display/CTM/Getting+Started+with+Threat+Modeling#GettingStartedwithThreatModeling-STRIDEThreatModelingMethodology\\\"\u003eData Flow Diagram (DFD)\u003c/a\u003e, identifying threats using STRIDE or other methods, and determining mitigations or countermeasures to the identified threats. We will work with you to determine if the recommended mitigations are in place or if they need to be implemented in the near future. We may also help you determine the level of risk to your system based on the potential impact of identified vulnerabilities.\u003c/p\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eDepending on the complexity of your system or application, you can expect to have two to three threat modeling sessions in total. Each one to two-hour session will focus on walking through a\u0026nbsp;\u003ca href=\\\"https://confluenceent.cms.gov/display/CTM/Getting+Started+with+Threat+Modeling#GettingStartedwithThreatModeling-STRIDEThreatModelingMethodology\\\"\u003eData Flow Diagram (DFD)\u003c/a\u003e, identifying threats using STRIDE or other methods, and determining mitigations or countermeasures to the identified threats. We will work with you to determine if the recommended mitigations are in place or if they need to be implemented in the near future. 
We may also help you determine the level of risk to your system based on the potential impact of identified vulnerabilities.\u003c/p\u003e\"}\n164:{\"drupal_internal__id\":3311,\"drupal_internal__revision_id\":17495,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-06-16T16:34:39+00:00\",\"parent_id\":\"3312\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":\"$165\",\"default_langcode\":true,\"revisi"])</script><script>self.__next_f.push([1,"on_translation_affected\":true,\"field_list_item_description\":\"$166\",\"field_list_item_title\":\"Complete Threat Modeling sessions\"}\n16a:{\"drupal_internal__target_id\":\"process_list_item\"}\n169:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":\"$16a\"}\n16c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/8e9bf5b1-29af-427d-ab12-8e7ca165467e/paragraph_type?resourceVersion=id%3A17495\"}\n16d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/8e9bf5b1-29af-427d-ab12-8e7ca165467e/relationships/paragraph_type?resourceVersion=id%3A17495\"}\n16b:{\"related\":\"$16c\",\"self\":\"$16d\"}\n168:{\"data\":\"$169\",\"links\":\"$16b\"}\n167:{\"paragraph_type\":\"$168\"}\n161:{\"type\":\"paragraph--process_list_item\",\"id\":\"8e9bf5b1-29af-427d-ab12-8e7ca165467e\",\"links\":\"$162\",\"attributes\":\"$164\",\"relationships\":\"$167\"}\n170:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/7f36d59c-9bdf-40de-a387-9395b6e9d85a?resourceVersion=id%3A17496\"}\n16f:{\"self\":\"$170\"}\n172:[]\n173:{\"value\":\"\u003cp\u003eLike other cybersecurity practices, threat modeling is most effective as an ongoing process for securing your system. Every application is unique, but we recommend reviewing and updating your threat model(s) at least annually, or as part of your change management process. 
The\u0026nbsp;\u003cstrong\u003eCMS Threat Modeling team\u003c/strong\u003e can help you design a schedule that makes the most sense for you and your system.\u003c/p\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eLike other cybersecurity practices, threat modeling is most effective as an ongoing process for securing your system. Every application is unique, but we recommend reviewing and updating your threat model(s) at least annually, or as part of your change management process. The\u0026nbsp;\u003cstrong\u003eCMS Threat Modeling team\u003c/strong\u003e can help you design a schedule that makes the most sense for you and your system.\u003c/p\u003e\"}\n171:{\"drupal_internal__id\":3486,\"drupal_internal__revision_id\":17496,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-12-18T21:16:38+00:0"])</script><script>self.__next_f.push([1,"0\",\"parent_id\":\"3312\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":\"$172\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":\"$173\",\"field_list_item_title\":\"Ongoing Threat 
Modeling\"}\n177:{\"drupal_internal__target_id\":\"process_list_item\"}\n176:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":\"$177\"}\n179:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/7f36d59c-9bdf-40de-a387-9395b6e9d85a/paragraph_type?resourceVersion=id%3A17496\"}\n17a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/7f36d59c-9bdf-40de-a387-9395b6e9d85a/relationships/paragraph_type?resourceVersion=id%3A17496\"}\n178:{\"related\":\"$179\",\"self\":\"$17a\"}\n175:{\"data\":\"$176\",\"links\":\"$178\"}\n174:{\"paragraph_type\":\"$175\"}\n16e:{\"type\":\"paragraph--process_list_item\",\"id\":\"7f36d59c-9bdf-40de-a387-9395b6e9d85a\",\"links\":\"$16f\",\"attributes\":\"$171\",\"relationships\":\"$174\"}\n17d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/362b0424-2e7e-47f8-9515-4e33c749a551?resourceVersion=id%3A17499\"}\n17c:{\"self\":\"$17d\"}\n17f:[]\n17e:{\"drupal_internal__id\":3314,\"drupal_internal__revision_id\":17499,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-06-16T16:35:06+00:00\",\"parent_id\":\"581\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$17f\",\"default_langcode\":true,\"revision_translation_affected\":true}\n183:{\"drupal_internal__target_id\":\"internal_link\"}\n182:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$183\"}\n185:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/362b0424-2e7e-47f8-9515-4e33c749a551/paragraph_type?resourceVersion=id%3A17499\"}\n186:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/362b0424-2e7e-47f8-9515-4e33c749a551/relationships/paragraph_type?resourceVersion=id%3A17499\"}\n184:{\"related\":\"$185\",\"self\":\"$186\"}\n181:{\"data\":\"$182\",\"links\":\"$184\"}\n189:{\"drupal_interna"])</script><script>self.__next_f.push([1,"l
__target_id\":1119}\n188:{\"type\":\"node--library\",\"id\":\"d2252bee-8a5a-4d56-baba-a0ac106cd2cf\",\"meta\":\"$189\"}\n18b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/362b0424-2e7e-47f8-9515-4e33c749a551/field_link?resourceVersion=id%3A17499\"}\n18c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/362b0424-2e7e-47f8-9515-4e33c749a551/relationships/field_link?resourceVersion=id%3A17499\"}\n18a:{\"related\":\"$18b\",\"self\":\"$18c\"}\n187:{\"data\":\"$188\",\"links\":\"$18a\"}\n180:{\"paragraph_type\":\"$181\",\"field_link\":\"$187\"}\n17b:{\"type\":\"paragraph--internal_link\",\"id\":\"362b0424-2e7e-47f8-9515-4e33c749a551\",\"links\":\"$17c\",\"attributes\":\"$17e\",\"relationships\":\"$180\"}\n18f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/de10201a-15bc-4af2-bde0-d2b2f67f3596?resourceVersion=id%3A17500\"}\n18e:{\"self\":\"$18f\"}\n191:[]\n190:{\"drupal_internal__id\":3315,\"drupal_internal__revision_id\":17500,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-06-16T16:35:12+00:00\",\"parent_id\":\"581\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$191\",\"default_langcode\":true,\"revision_translation_affected\":true}\n195:{\"drupal_internal__target_id\":\"internal_link\"}\n194:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$195\"}\n197:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/de10201a-15bc-4af2-bde0-d2b2f67f3596/paragraph_type?resourceVersion=id%3A17500\"}\n198:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/de10201a-15bc-4af2-bde0-d2b2f67f3596/relationships/paragraph_type?resourceVersion=id%3A17500\"}\n196:{\"related\":\"$197\",\"self\":\"$198\"}\n193:{\"data\":\"$194\",\"links\":\"$196\"}\n19b:{\"drupal_internal__target_id\":246}\n19a:{\"type\":\"node--explainer\",\"id\":\"42018625-2456-415e-bd2c-f1c061290d58\",\"meta\"
:\"$19b\"}\n19d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/de10201a-15bc-4af2-bde0-d2b2f67f3596/field_link?resourceVersion=id%3A17500\"}\n19e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_li"])</script><script>self.__next_f.push([1,"nk/de10201a-15bc-4af2-bde0-d2b2f67f3596/relationships/field_link?resourceVersion=id%3A17500\"}\n19c:{\"related\":\"$19d\",\"self\":\"$19e\"}\n199:{\"data\":\"$19a\",\"links\":\"$19c\"}\n192:{\"paragraph_type\":\"$193\",\"field_link\":\"$199\"}\n18d:{\"type\":\"paragraph--internal_link\",\"id\":\"de10201a-15bc-4af2-bde0-d2b2f67f3596\",\"links\":\"$18e\",\"attributes\":\"$190\",\"relationships\":\"$192\"}\n1a1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/ded08c1c-6476-43b1-a316-7c38a1746aa4?resourceVersion=id%3A17501\"}\n1a0:{\"self\":\"$1a1\"}\n1a3:[]\n1a2:{\"drupal_internal__id\":3316,\"drupal_internal__revision_id\":17501,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-06-16T16:35:22+00:00\",\"parent_id\":\"581\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$1a3\",\"default_langcode\":true,\"revision_translation_affected\":true}\n1a7:{\"drupal_internal__target_id\":\"internal_link\"}\n1a6:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$1a7\"}\n1a9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/ded08c1c-6476-43b1-a316-7c38a1746aa4/paragraph_type?resourceVersion=id%3A17501\"}\n1aa:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/ded08c1c-6476-43b1-a316-7c38a1746aa4/relationships/paragraph_type?resourceVersion=id%3A17501\"}\n1a8:{\"related\":\"$1a9\",\"self\":\"$1aa\"}\n1a5:{\"data\":\"$1a6\",\"links\":\"$1a8\"}\n1ad:{\"drupal_internal__target_id\":771}\n1ac:{\"type\":\"node--explainer\",\"id\":\"dfeef1d1-c536-4496-97ad-5488a965a6cf\",\"meta\":\"$1ad\"}\n1af:{\"href\":\"https://cybergeek.cms.gov/jsonapi/para
graph/internal_link/ded08c1c-6476-43b1-a316-7c38a1746aa4/field_link?resourceVersion=id%3A17501\"}\n1b0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/ded08c1c-6476-43b1-a316-7c38a1746aa4/relationships/field_link?resourceVersion=id%3A17501\"}\n1ae:{\"related\":\"$1af\",\"self\":\"$1b0\"}\n1ab:{\"data\":\"$1ac\",\"links\":\"$1ae\"}\n1a4:{\"paragraph_type\":\"$1a5\",\"field_link\":\"$1ab\"}\n19f:{\"type\":\"paragraph--internal_link\",\"id\":\"ded08c1c-6476-43b1-a316-7c38a1746aa4\",\"links\":\"$1a0\",\"attribut"])</script><script>self.__next_f.push([1,"es\":\"$1a2\",\"relationships\":\"$1a4\"}\n1b3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/d2252bee-8a5a-4d56-baba-a0ac106cd2cf?resourceVersion=id%3A6216\"}\n1b2:{\"self\":\"$1b3\"}\n1b5:{\"alias\":\"/policy-guidance/threat-modeling-handbook\",\"pid\":974,\"langcode\":\"en\"}\n1b7:T9889,"])</script><script>self.__next_f.push([1,"\u003cp\u003e\u003cem\u003eDisclaimer: The information and resources in this document are driven directly at and for CMS internal teams and ADOs to help them initiate and complete threat model exercises. While you may be viewing this document as a publicly available resource to anyone, any information excluded as well as context included is meant for CMS-specific audiences.\u0026nbsp;\u003c/em\u003e\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eWhat is Threat Modeling?\u003c/strong\u003e\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eThreat Modeling is a proactive, holistic approach of analyzing potential threats and risks in a system or application to identify and address them proactively. It involves analyzing how an attacker might try to exploit weaknesses in the system and then taking steps to mitigate those risks. It enables informed decision-making about application security risks. 
In addition to producing a model diagram, the process also produces a prioritized list of security improvements to the conception, requirements gathering, design, or implementation of an application.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eAt CMS, we use threat modeling to help identify potential weaknesses that could be exploited by malicious actors. The \u003cstrong\u003eCMS Threat Modeling Team\u003c/strong\u003e works with System Teams to analyze their system's components, understand how they interact, and envision how an attacker might exploit vulnerabilities. This important work allows System/Business Owners, ISSOs, and Developers to implement appropriate security measures such as encryption, access controls, or regular software updates to reduce the chances of a successful attack and to protect sensitive information.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThreat Modeling is typically done along with end-phase security testing and can be conducted anytime, but it is ideally done early in the design phase of the Software Development Life Cycle (SDLC). Once completed, a threat model can be updated as needed throughout the SDLC, and should be revisited with each new feature or release. 
This practice promotes identifying and remediating threats, as well as continuously monitoring the effects of internal or external changes.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eWhat are the benefits of Threat Modeling?\u003c/strong\u003e\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eAt CMS, Threat Modeling\u0026nbsp;supports CMS system security and continuous monitoring efforts by supporting the following goals:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eDetecting problems early in the software development life cycle (SDLC)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eIdentifying system security requirements\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eCreating a structured plan to address both system requirements and deficiencies\u003c/li\u003e\u003cli dir=\"ltr\"\u003eEvaluating attacks on CMS systems teams might not have considered, even security issues unique to your system\u003c/li\u003e\u003cli dir=\"ltr\"\u003eStaying one step ahead of attackers\u003c/li\u003e\u003cli dir=\"ltr\"\u003eGetting inside the minds of threat agents and their motivations, skills, and capabilities\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eServing as a resource for CMS\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/penetration-testing\"\u003ePenetration Testing\u003c/a\u003e and\u0026nbsp;\u003ca href=\"https://security.cms.gov/policy-guidance/cms-contingency-plan-exercise-handbook\"\u003eContingency Planning\u003c/a\u003e\u0026nbsp; activities\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eThreat Modeling\u0026nbsp;frameworks\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eTeams choosing to participate in Threat Modeling at CMS will have the option to work with the \u003cstrong\u003eCMS Threat Modeling\u0026nbsp;Team\u003c/strong\u003e during a series of sessions. 
To successfully complete these sessions, the \u003cstrong\u003eCMS Threat Modeling\u0026nbsp;Team\u003c/strong\u003e will use a number of proven frameworks, including:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://adam.shostack.org/\"\u003eAdam Shostack's\u003c/a\u003e Four-Question Frame for Threat Modeling\u0026nbsp;\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.microsoft.com/security/blog/2007/09/11/stride-chart/\"\u003eSTRIDE Threat Model\u0026nbsp;\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThese methods were chosen by the \u003cstrong\u003eCMS Threat Modeling\u0026nbsp;Team\u003c/strong\u003e because they are expedient, reliable models that use industry-standard language and provide immediate value to CMS teams. Read on to learn about the specifics of these frameworks.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eFour-Question Frame for Threat Modeling\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAs your team embarks on its Threat Modeling journey, it's important that these four questions remain top-of-mind:\u003c/p\u003e\u003col\u003e\u003cli\u003eWhat are we working on?\u003c/li\u003e\u003cli\u003eWhat can go wrong?\u003c/li\u003e\u003cli\u003eWhat are we going to do about it?\u003c/li\u003e\u003cli\u003eDid we do a good enough job?\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eThese questions form the base of the work that your team and the \u003cstrong\u003eCMS Threat Modeling Team\u003c/strong\u003e will complete together. 
The questions are actionable and designed to quickly identify problems and solutions, which is the core purpose of Threat Modeling.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eThe STRIDE Model\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe \u003ca href=\"https://www.microsoft.com/security/blog/2007/09/11/stride-chart/\"\u003eSTRIDE\u003c/a\u003e Threat Modeling\u0026nbsp;framework is a systematic approach used to identify and analyze potential security threats and vulnerabilities in software systems. It provides a structured methodology for understanding and addressing security risks during the design and development stages of a system.\u003c/p\u003e\u003cp\u003eThe acronym STRIDE stands for the six types of threats that the framework helps to identify:\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eThreat type\u003c/th\u003e\u003cth\u003eProperty Violated\u003c/th\u003e\u003cth\u003eThreat Definition\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eS\u003c/strong\u003epoofing\u003c/td\u003e\u003ctd\u003eAuthentication\u003c/td\u003e\u003ctd\u003ePretending to be something or someone other than yourself\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eT\u003c/strong\u003eampering\u003c/td\u003e\u003ctd\u003eIntegrity\u003c/td\u003e\u003ctd\u003eModifying something on disk, network, memory, or elsewhere\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eR\u003c/strong\u003eepudiation\u003c/td\u003e\u003ctd\u003eNon-Repudiation\u003c/td\u003e\u003ctd\u003eClaiming that you didn't do something or were not responsible; can be honest or false\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eI\u003c/strong\u003enformation Disclosure\u003c/td\u003e\u003ctd\u003eConfidentiality\u003c/td\u003e\u003ctd\u003eProviding information to someone not authorized to access 
it\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eD\u003c/strong\u003eenial of service\u003c/td\u003e\u003ctd\u003eAvailability\u003c/td\u003e\u003ctd\u003eExhausting resources needed to provide service\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eE\u003c/strong\u003elevation of Privilege\u003c/td\u003e\u003ctd\u003eAuthorization\u003c/td\u003e\u003ctd\u003eAllowing someone to do something they are not authorized to do\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eMore information about using the STRIDE method to complete your Threat Modeling\u0026nbsp;Session can be found in section “How to create your Threat Model ”.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eOther Threat Modeling frameworks\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eApart from the STRIDE Threat Modeling framework, there are several other popular Threat Modeling frameworks commonly used in the field of software security. Here are a few notable ones:\u003c/p\u003e\u003ch4\u003e\u003ca href=\"https://versprite.com/blog/what-is-pasta-threat-modeling/\"\u003e\u003cstrong\u003ePASTA\u003c/strong\u003e\u003c/a\u003e\u003cstrong\u003e (Process for Attack Simulation and Threat Analysis)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003ePASTA is a risk-centric Threat Modeling\u0026nbsp;framework that focuses on the business impact of threats. 
It involves a seven-step iterative process, including defining the objectives, creating an application profile, identifying threats, assessing vulnerabilities, analyzing risks, defining countermeasures, and validating the results with active vulnerability or penetration testing.\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003ca href=\"https://linddun.org/\"\u003e\u003cstrong\u003eLINDDUN\u003c/strong\u003e\u003c/a\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eLINDDUN threat modeling is a comprehensive approach that extends beyond traditional security threat modeling by focusing explicitly on various aspects of privacy. It is particularly relevant in the development of systems where user data privacy is of utmost importance, such as in applications handling personal or sensitive information. Here's a breakdown of what LINDDUN stands for and how it is applied:\u003c/p\u003e\u003col\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eL\u003c/strong\u003einkability: This aspect evaluates whether an attacker can link two or more items of interest (such as messages, actions, individuals) in a way that the system's design did not intend. The goal is to prevent unauthorized linking of information to protect user privacy.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eI\u003c/strong\u003edentifiability: This examines the risk of identifying a subject (like a user) from the available data. The system should be designed to prevent unauthorized identification of users.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eN\u003c/strong\u003eon-repudiation: This component assesses the possibility that a user cannot deny an action they performed. While non-repudiation is often a security goal, in the context of privacy, it can be undesirable as it might lead to the exposure of a user's actions.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eD\u003c/strong\u003eetectability: This refers to the ability of an attacker to determine that an item of interest exists. 
For privacy protection, certain information should not be detectable by unauthorized parties.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eD\u003c/strong\u003eisclosure of Information: This looks at the risk of exposing information to unauthorized entities. The goal is to ensure that confidential information remains private.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eU\u003c/strong\u003enawareness \u0026amp; Unintervenability: This considers whether users are unaware of the data processing practices, which might impact their privacy. Ensuring that users are informed and consenting to data processing is key to protecting privacy.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eN\u003c/strong\u003eon-compliance: This evaluates the risk of the system not complying with privacy policies and regulations. Ensuring compliance is crucial for legal and ethical reasons.\u003c/li\u003e\u003c/ol\u003e\u003ch4\u003e\u003ca href=\"https://infosec.mozilla.org/guidelines/risk/rapid_risk_assessment.html\"\u003e\u003cstrong\u003eMozilla's Rapid Risk Assessment (RRA)\u003c/strong\u003e\u003c/a\u003e\u003c/h4\u003e\u003cp\u003eRRA is designed to quickly identify and prioritize security risks in software projects, allowing teams to allocate their resources effectively. It aims to be a lightweight and agile approach to risk assessment.\u003c/p\u003e\u003cp\u003eThese are just a few examples of additional Threat Modeling frameworks. Each framework has its strengths and focuses on different aspects of Threat Modeling, but they all aim to identify and address potential security risks effectively. 
It may be beneficial for your team to review these frameworks as you start your own threat model.\u0026nbsp;\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eSupplemental frameworks and tools\u003c/strong\u003e\u003c/h3\u003e\u003ch4 dir=\"ltr\"\u003e\u003ca href=\"https://nvd.nist.gov/vuln-metrics/cvss#:~:text=The%20Common%20Vulnerability%20Scoring%20System,Base%2C%20Temporal%2C%20and%20Environmental.\"\u003e\u003cstrong\u003eCVSS\u003c/strong\u003e\u003c/a\u003e\u003cstrong\u003e (Common Vulnerability Scoring System)\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eCVSS is a vulnerability severity classification system which identifies metrics around the ease-of-exploitation and privilege levels required to exploit a CVE. It is not a method of threat modeling or tracking risk. It is used to advise on remediation cadence and urgency. Once a threat is identified, its associated vulnerability can receive a CVSS score from Critical, High, Medium, Low, or Informational to guide prioritization.\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003ca href=\"https://attack.mitre.org/matrices/enterprise/\"\u003e\u003cstrong\u003eMITRE ATT\u0026amp;CK\u003c/strong\u003e\u003c/a\u003e\u003cstrong\u003e (Adversary's Tactics, Techniques and Common Knowledge)\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eATT\u0026amp;CK is not a threat modeling methodology per se but can be used in conjunction with other threat modeling frameworks. ATT\u0026amp;CK is a collection of tactics, techniques, and procedures (TTPs) which enumerate the exploitation and post-exploitation actions threat actors can take against vulnerabilities. Some attacks get CVE classifications, but ATT\u0026amp;CK is instead a repository of steps an adversary can chain together which, taken as a whole, create a Kill Chain or successful attack. It is a good tool for referencing attack actions in the same manner across technical and non-technical departments. 
It can be used with threat modeling once threats have been identified to associate the attack actions with the identified threat. ATT\u0026amp;CK is not a compliance framework.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eMany tools and frameworks exist that support threat modeling activities or which can be mapped to a threat modeling methodology such as STRIDE but these should not be relied upon in isolation from other methods.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eThreat Modeling tools\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe tools needed for Threat Modeling can be as simple as using a Whiteboard to brainstorm ideas and a method to record threats and mitigations (paper, a photo of a diagram, etc.). At CMS, the \u003cstrong\u003eCMS Threat Modeling\u0026nbsp;Team\u003c/strong\u003e uses the following tools to communicate with teams and record ideas and information:\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eMural (for drawing DFD diagrams)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eTeams primarily use \u003ca href=\"https://www.mural.co/\"\u003eMural\u003c/a\u003e as a digital whiteboard for drawing Data Flow Diagrams (DFDs). 
You can sign up for a Mural space to complete this work by contacting the \u003ca href=\"mailto:cmscollabtools@cms.hhs.gov\"\u003eCMS Cloud Team\u003c/a\u003e (CMS email account required).\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eNOTE: \u003c/strong\u003eSome other drawing tools may be alternatively used such as \u003ca href=\"https://app.diagrams.net\"\u003eapp.diagrams.net\u003c/a\u003e (formerly Draw.io), \u003ca href=\"https://www.lucidchart.com/\"\u003eLucidchart\u003c/a\u003e, etc.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS Confluence (for recording threats)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eTeams use \u003ca href=\"https://confluenceent.cms.gov/display/CTM/\"\u003eConfluence\u003c/a\u003e to fill out their \u003ca href=\"https://confluenceent.cms.gov/display/CTM/Template+Threat+Model\"\u003eThreat Model Template\u003c/a\u003e in a space that is protected and safe from outside users.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eZoom (for team collaboration)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe \u003cstrong\u003eCMS Threat Modeling\u0026nbsp;Team\u003c/strong\u003e will use \u003ca href=\"https://cms.zoomgov.com/\"\u003eZoom\u003c/a\u003e to collaborate with other team members on a Threat Model. 
Threat Modeling sessions are recorded so that all artifacts can be transferred to other systems of record.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eYouTube (for additional training)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eYour team is encouraged to review the \u003ca href=\"https://www.youtube.com/playlist?list=PLyEaxwXtHzLl_X1RFAjLk1klaa7g_Ab3A\"\u003eCMS CASP Threat Modeling playlist\u003c/a\u003e on CMS YouTube channel before you start your Threat Model.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cem\u003eAdditional or alternative tools may be added in the future to further help CMS ADO Teams with creating and maintaining Threat Models.\u003c/em\u003e\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eSupplemental Threat Modeling tools\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eAs a reference, here are some other threat modeling tools in the industry that may be considered in the future for use at CMS:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eFree Tools:\u003c/strong\u003e\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003ca href=\"https://www.threatdragon.com/\"\u003e\u003cstrong\u003eOWASP Threat Dragon\u003c/strong\u003e\u003c/a\u003e\u003c/h3\u003e\u003cp\u003eThe OWASP Threat Dragon is a free, open-source, cross-platform application for creating threat models. Use it to draw threat modeling diagrams and to identify threats for your system. With an emphasis on flexibility and simplicity it is easily accessible for all types of users.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003ca href=\"https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool\"\u003e\u003cstrong\u003eMicrosoft Threat Modeling Tool\u003c/strong\u003e\u003c/a\u003e\u003c/h3\u003e\u003cp\u003eThe Threat Modeling Tool is a core element of the Microsoft Security Development Lifecycle (SDL). It allows software architects to identify and mitigate potential security issues early, when they are relatively easy and cost-effective to resolve. 
As a result, it greatly reduces the total cost of development. Also, the tool is designed with non-security experts in mind, making threat modeling easier for all developers by providing clear guidance on creating and analyzing threat models.\u003cbr\u003e\u003cstrong\u003eNOTE: \u003c/strong\u003eThe Microsoft Threat Modeling Tool is a desktop-only tool that can be installed on Microsoft operating systems only.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePaid Tools (require paid / annual license(s) for usage):\u003c/strong\u003e\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003ca href=\"https://www.iriusrisk.com/\"\u003e\u003cstrong\u003eIriusRisk\u003c/strong\u003e\u003c/a\u003e\u003c/h3\u003e\u003cp\u003eIriusRisk is an open Threat Modeling platform that automates and supports creating threat models at design time. The threat model includes recommendations on how to address the risk. IriusRisk then enables the user to manage security risks throughout the rest of the software development lifecycle (SDLC) with best-in-class architectural diagramming and full customization to enable every stakeholder to collaborate.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003ca href=\"https://threatmodeler.com/\"\u003e\u003cstrong\u003eThreatModeler\u003c/strong\u003e\u003c/a\u003e\u003c/h3\u003e\u003cp\u003eOur patented technology enables intuitive, automated, collaborative threat modeling and integrates directly into every component of your DevSecOps tool chain, automating the “Sec” in DevSecOps from design to code to cloud at scale. ThreatModeler's SaaS platform ensures secure and compliant applications, infrastructure, and cloud assets in design, saving millions in incident response costs, remediation costs and regulatory fines. It is trusted by software, security and cloud architects, engineers, and developers at companies across the world. 
Founded in 2010, ThreatModeler is headquartered in Jersey City, NJ.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003ca href=\"https://devici.com/\"\u003e\u003cstrong\u003eDevici\u003c/strong\u003e\u003c/a\u003e\u003c/h3\u003e\u003cp\u003eWelcome to Devici, where secure design is driven by threat modeling from the inception of every project. Imagine a platform that allows you to integrate security into your software's blueprint. That's the essence of Secure by Design, and we make it attainable for teams of any size. We're not just a threat modeling tool; we're a movement that embraces the craftsmanship required for secure software development. Our name draws inspiration from the genius of Leonardo Da Vinci, who saw the intricate connections between art and science, much like our approach to crafting secure and private software. Just as Da Vinci meticulously studied anatomy, engineering, and more to improve his art, we empower developers and engineers to delve deep into the design of their software, uncovering potential security and privacy threats. We help implement secure by design foundations.\u003cbr\u003e\u0026nbsp;\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eHow to create your Threat Model\u0026nbsp;\u003c/strong\u003e\u003c/h2\u003e\u003ch3\u003e\u003cstrong\u003eRead the Threat Modeling Handbook\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eLearn about the process of Threat Modeling to decide when the right time is to engage with the \u003cstrong\u003eCMS Threat Modeling\u0026nbsp;Team\u003c/strong\u003e based on your systems current compliance and authorization schedule.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eFill out the Threat Modeling intake form\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003ePlease complete the \u003ca href=\"https://forms.office.com/g/3jfhwGyHdQ\"\u003eThreat Modeling\u0026nbsp;Intake Form\u003c/a\u003e. 
The \u003cstrong\u003eCMS Threat Modeling\u0026nbsp;Team\u003c/strong\u003e will use the answers you provide in this questionnaire to help inform future planning sessions.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eMeet with the CMS Threat Modeling Team\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eTo start things off, facilitators from the \u003cstrong\u003eCMS Threat Modeling\u0026nbsp;Team\u003c/strong\u003e will meet with the System/Business Owner, ISSO, and up to two Senior Developers to talk about the process, time commitment, and outputs expected in future Threat Model Sessions.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eGather system information\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eYour team should gather and document high level system information, including:\u003c/p\u003e\u003cul\u003e\u003cli\u003eSystem name\u003c/li\u003e\u003cli\u003eSystem description\u003c/li\u003e\u003cli\u003eTypes or sensitivity of data\u003c/li\u003e\u003cli\u003eScope and external interactions\u003c/li\u003e\u003cli\u003ePrimary workflows (use cases)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThis information will help the \u003cstrong\u003eCMS Threat Modeling\u0026nbsp;Team\u003c/strong\u003e in the initial stages of creating your Threat Model .\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eGather existing diagrams\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe team should gather any existing diagrams such as architecture diagrams, sequence diagrams, etc. that would be helpful in understanding the system or application. 
This will help inform the creation (or update) of a Data Flow Diagram\u0026nbsp; (DFD) during the first whiteboard session.\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026nbsp;\u003cstrong\u003eNOTE: \u003c/strong\u003eThe DFD doesn't have to be created before the first Threat Modeling\u0026nbsp;session; it can be created together with the \u003cstrong\u003eCMS Threat Modeling Team\u003c/strong\u003e.\u003c/em\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eIdentify stakeholders and personas\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eBefore conducting the Threat Model Session, it is important to identify the key stakeholders who will be participating in the creation of the Threat Model. These perspectives/personas are critical to a successful Threat Modeling\u0026nbsp; session. You can use the following table to inform your work to develop these personas:\u0026nbsp;\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003ePersona\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eDescription\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDeveloper\u003c/td\u003e\u003ctd\u003e\u003cp\u003eSomeone who understands the current application design, and has had the most depth of involvement in the design decisions made to date.\u003c/p\u003e\u003cp\u003eThey were involved in design brainstorming or whiteboarding sessions leading up to this point, when they would typically have been thinking about threats to the design and possible mitigations to include.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eBusiness\u003c/td\u003e\u003ctd\u003eSomeone who represents the business outcomes of the workload or feature that is part of the Threat Modeling\u0026nbsp; process. 
This person should have an intimate understanding of the functional and non-functional requirements of the workload—and their job is to make sure that these requirements aren't unduly impacted by any proposed mitigations to address threats.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSecurity\u003c/td\u003e\u003ctd\u003eSomeone who understands application security principles and how they may be applied to designing, building, and testing applications for resilience and protection against security attacks. The purpose of this role is to support the development team in evaluating threats and devising security controls that mitigate the threats.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eInfrastructure\u003c/td\u003e\u003ctd\u003eSomeone who understands the physical or virtual components that make up the underlying infrastructure of the Application. Design decisions are offset by Infrastructure considerations. These should be voiced during the Threat Modeling\u0026nbsp; session, though there are often aspects of \u003cstrong\u003eShared Responsibility Models \u003c/strong\u003ethat may be reflected in the technology used.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eThreat Model Coordinator\u003c/td\u003e\u003ctd\u003eThe Threat Model subject matter expert (SME) should be the most familiar with the Threat Modeling\u0026nbsp; process and discussion moderation methods, and should have a depth of IT security knowledge and experience. 
Discussion moderation is crucial to make sure that the overall objectives of the exercise are kept on track, and that the appropriate balance between security and delivery of the customer outcome is maintained.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003e\u003cstrong\u003eDocument current and upcoming work\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThis is used to help answer “What are we working on?” in terms of change to the system.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eComplete the Threat Model Template in Confluence\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe \u003cstrong\u003eCMS Threat Modeling\u0026nbsp;Team\u003c/strong\u003e uses Confluence to organize their threat models. Copy the \u003ca href=\"https://confluenceent.cms.gov/display/CTM/Template+Threat+Model\"\u003eThreat Model Template\u003c/a\u003e to your own Confluence space, and record the data collected in the previous steps.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSchedule your Threat Modeling\u0026nbsp; Sessions\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eWork with your team to coordinate dates and times, and then reach out to the \u003cstrong\u003eCMS Threat Modeling\u0026nbsp;Team\u003c/strong\u003e to schedule your Threat Model Sessions. It's up to the team whether they prefer to have one session or to break it up into multiple sessions. Breaking up the session (e.g., three sessions, two hours each, one day apart) gives the team the time and space to learn the structure and concepts involved before going into the next session.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePrepare your team\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eSend a welcome email to everyone who will attend your Threat Modeling\u0026nbsp; Session. 
Be sure to include the following in your email:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eA link to this \u003ca href=\"https://security.cms.gov/policy-guidance/threat-modeling-handbook\"\u003eThreat Modeling Handbook\u003c/a\u003e\u003c/li\u003e\u003cli\u003eA link to the \u003ca href=\"https://confluenceent.cms.gov/display/CTM/\"\u003eThreat Modeling\u0026nbsp;Confluence Space\u003c/a\u003e\u003c/li\u003e\u003cli\u003eA shared link to your specific Mural Whiteboard (or other drawing tool) for easy viewing\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThese shared resources will allow everyone on the team to have access to the information they need to successfully complete the Threat Model .\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eIdentify threats using the STRIDE Model\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAs a structured method of Threat Modeling, STRIDE is meant to help teams locate threats in a system. It offers a way to organize information so that teams can plan how to mitigate or eliminate the threats. Remember that the acronym STRIDE stands for the six types of threats that the framework helps to identify:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSpoofing Identity\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eIdentity spoofing occurs when the hacker pretends to be another person, assuming the identity and information in that identity to commit fraud. A very common example of this threat is when an email is sent from a false email address, appearing to be someone else. Typically, these emails request sensitive data. A vulnerable or unaware recipient provides the requested data, and the hacker is then easily able to assume the new identity.\u003c/p\u003e\u003cp\u003eIdentities that are faked can include both human and technical identities. 
Through spoofing, the hacker can gain access through just one vulnerable identity to then execute a much larger cyber attack.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTampering With Data\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eData tampering occurs when data or information is changed without authorization. Ways that a bad actor can execute tampering could be through changing a configuration file to gain system control, inserting a malicious file, or deleting/modifying a log file.\u003c/p\u003e\u003cp\u003eChange monitoring, also known as file integrity monitoring (FIM), is essential to integrate into your business to identify if and when data tampering occurs. This process critically examines files with a baseline of what a good file looks like. Proper logging and storage are critical to support file monitoring.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eRepudiation Threats\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eRepudiation threats happen when a bad actor performs an illegal or malicious operation in a system and then denies their involvement with the attack. In these attacks, the system lacks the ability to actually trace the malicious activity to identify a hacker.\u003c/p\u003e\u003cp\u003eRepudiation attacks are relatively easy to execute on e-mail systems, as very few systems check outbound mail for validity. Most of these attacks begin as access attacks.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eInformation Disclosure\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eInformation disclosure is also known as information leakage. It happens when an application or website unintentionally reveals data to unauthorized users. This type of threat can affect the process, data flow and data storage in an application. 
Some examples of information disclosure include unintentional access to source code files via temporary backups, unnecessary exposure of sensitive information such as credit card numbers, and revealing database information in error messages.\u003c/p\u003e\u003cp\u003eThese issues are common, and can arise from internal content that is shared publicly, insecure application configurations, or flawed error responses in the design of the application.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eDenial of Service\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eDenial of Service (DoS) attacks restrict an authorized user from accessing resources that they should be able to access. This affects the process, data flow and data storage in an application.\u0026nbsp;\u003c/p\u003e\u003cp\u003eDespite increases in DoS attacks, it does seem that protective tools such as \u003ca href=\"https://www.comparitech.com/net-admin/best-ddos-protection-service/\"\u003eAWS Shield and CloudFlare\u003c/a\u003e continue to be effective.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eElevation of Privileges\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThrough the elevation of privileges, an authorized or unauthorized user in the system can gain access to other information that they are not authorized to see. An example of this attack could be as simple as a missed authorization check, or even elevation through data tampering where the attacker modifies the disk or memory to execute non-authorized commands.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eEvaluate system interactions and elements\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eWhen using the STRIDE method for Threat Modeling\u0026nbsp; to create your DFD, your team can evaluate threats \u003cstrong\u003eper\u003c/strong\u003e \u003cstrong\u003einteraction \u003c/strong\u003eand\u003cstrong\u003e per element\u003c/strong\u003e. 
To do this, your team will need to analyze the potential risks associated with each interaction and element within your system. Remember that:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eInteractions\u003c/strong\u003e are how different components, modules, users, or external entities communicate with each other. It's important for teams to understand the flow of information, data, or control between these entities.\u0026nbsp;\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eElements\u003c/strong\u003e are different components of a system, like databases, APIs, user interfaces, and other network components.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eTo apply the STRIDE method to your DFD and Threat Model, your team will complete the following steps:\u0026nbsp;\u003c/p\u003e\u003col\u003e\u003cli\u003e\u003cstrong\u003eApply STRIDE categories to interactions and elements\u003c/strong\u003e\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eAt the start of your analysis, your team will apply STRIDE \u003cstrong\u003eper interaction\u003c/strong\u003e to determine if there are any threats related to the data flows between components. After completing the interaction analysis, you will then investigate any additional threats further by applying STRIDE to \u003cstrong\u003eeach element\u003c/strong\u003e. Any threats that fall outside of interactions and elements should be classified as \u003cstrong\u003eunstructured threats\u003c/strong\u003e.\u003c/p\u003e\u003col start=\"2\"\u003e\u003cli\u003e\u003cstrong\u003eAnalyze threats\u003c/strong\u003e\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eConsider how each type of threat can manifest and brainstorm potential attack scenarios or vulnerabilities that align with each category. Many development teams will already have ideas of what issues exist inside their systems. Their first-hand experience should be welcomed into the Threat Model Session. 
Key questions to ask during your session include: How would you attack the system? What are you (most) concerned about?\u003c/p\u003e\u003col start=\"3\"\u003e\u003cli\u003e\u003cstrong\u003eDetermine threat impact and likelihood\u003c/strong\u003e\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eEvaluate the potential impact of each identified threat. Consider the consequences in terms of confidentiality, integrity, availability, regulatory compliance, or other relevant factors. Assess the potential damage or harm that can occur if the threat is successfully exploited. Also consider factors such as the level of access required, the complexity of the attack, the presence of mitigating controls, and the motivation and capabilities of potential attackers. Once the initial threat analysis is complete, your team may find that many of the threats are unlikely, low impact, and/or not in the scope of the team's area of responsibility.\u003c/p\u003e\u003col start=\"4\"\u003e\u003cli\u003e\u003cstrong\u003ePrioritize threats and define mitigation strategies\u003c/strong\u003e\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eReview the remaining threats and work with the team, specifically the ISSO and Business Owner, to identify the major threats. The team should then work on the proposed mitigation plan by identifying the team members who are responsible for mitigating the threats, estimating dates of completion, and including this information in the final report for follow-up at a later date (generally 90 days).\u003c/p\u003e\u003col start=\"5\"\u003e\u003cli\u003e\u003cstrong\u003eValidate and refine:\u003c/strong\u003e Review the threat analysis and proposed mitigations with your team regularly. 
Refine the threat analysis and update the mitigation strategies when changes occur within your system.\u003c/li\u003e\u003c/ol\u003e\u003ch2\u003e\u003cstrong\u003eWhat to do following your Threat Model Session(s)\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eIn order to answer the question “Did we do a good enough job?”, it is important to review the identified threats, understand the mitigations, determine the risks, and communicate the results with others.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eComplete the Threat Model Report\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eUsing the \u003ca href=\"https://confluenceent.cms.gov/display/CTM/Template+Threat+Model\"\u003eThreat Model Report Template\u003c/a\u003e, the data gathered from the Threat Model Session is transferred into a shared report or PDF that can be used for a final review with all stakeholders. It provides information from the Threat Model Session, including system information, DFD, identified (possible) threats, and proposed mitigations. Your team's options for post-session reporting include:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eAfter a review with stakeholders, the final report should be uploaded to the “Assessments” tab of CMS FISMA Continuous Tracking System (CFACTS) by the system's ISSO.\u003c/li\u003e\u003cli\u003eInstead of a full report, a PDF of the Mural board + Confluence page may be sufficient for use by the CMS ADO Team. In other cases, a formal document may be needed in order to justify a budgetary request to address a vulnerability that will require additional funds.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eSend feedback survey\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCreate a post-session email to all attendees thanking them for their participation and providing a link to the \u003ca href=\"https://cmsgov.typeform.com/tm-feedback\"\u003eThreat Model Session feedback form\u003c/a\u003e. 
This information will be used by the \u003cstrong\u003eCMS Threat Modeling\u0026nbsp;Team\u003c/strong\u003e for continuous improvement of the CMS Threat Modeling process.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eThreat mitigation follow up\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eMitigation follow-up is managed by the application ISSO, but should be completed approximately 90 days after the Threat Model Session. All mitigations should be commented on and updated, then attached with the Threat Model report.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eThreat Modeling terms and definitions\u003c/strong\u003e\u003c/h2\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eTerm\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eDefinition\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eImpact\u003c/td\u003e\u003ctd\u003eA measure of the potential damage caused by a particular threat. Impact and damage can take a variety of forms. A threat may result in damage to physical assets, or may result in obvious financial loss. Indirect loss may also result from an attack and needs to be considered as part of the impact.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eLikelihood\u003c/td\u003e\u003ctd\u003eA measure of the possibility of a threat being carried out. 
A variety of factors can impact the likelihood of a threat being carried out, including how difficult the implementation of the threat is, and how rewarding it would be to the attacker.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eControls\u003c/td\u003e\u003ctd\u003eSafeguards or countermeasures that you put in place in order to avoid, detect, counteract, or minimize potential threats against your information, systems, or other assets.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePreventions\u003c/td\u003e\u003ctd\u003eControls that may completely prevent a particular attack from being possible.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eMitigations\u003c/td\u003e\u003ctd\u003eControls that are put in place to reduce either the likelihood or the impact of a threat, while not completely preventing it.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eData Flow Diagram\u0026nbsp;\u003c/td\u003e\u003ctd\u003eA depiction of how information flows through your system. It shows each place that data is input into or output from each process or subsystem. It includes anywhere that data is stored in the system, either temporarily or long-term.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTrust boundary (in the context of Threat Modeling )\u003c/td\u003e\u003ctd\u003eA location on the Data Flow Diagram\u0026nbsp; where data changes its level of trust. Any place where data is passed between two processes is typically a trust boundary. If your application makes a call to a remote process, or a remote process makes calls to your application, that's a trust boundary. If you read data from a database, there's typically a trust boundary because other processes can modify the data in the database. 
Any place you accept user input in any form is always a trust boundary\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eWorkflows (Use Cases)\u003c/td\u003e\u003ctd\u003eA written description of how users will perform tasks within your system or application. It outlines, from a user's point of view, a system's behavior as it responds to a request. Each workflow is represented as a sequence of simple steps, beginning with a user's goal and ending when that goal is fulfilled.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSystem Name\u003c/td\u003e\u003ctd\u003eFISMA system name that can be found in CFACTS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSystem Description\u003c/td\u003e\u003ctd\u003eHigh level description of the system that can be found in CFACTS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eExternal Entity\u003c/td\u003e\u003ctd\u003eAn outside system or process that sends or receives data to and from the diagrammed system- sources or destinations of information\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eProcess\u003c/td\u003e\u003ctd\u003eA procedure that manipulates the data and its flow by taking incoming data, changing it, and producing an output with it.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eData Store\u003c/td\u003e\u003ctd\u003eHolds information for later use waiting to be processed. 
Data inputs flow through a process and then into a data store, while data outputs flow out of a data store and then through a process.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eData Flow\u003c/td\u003e\u003ctd\u003eThe path the system's information takes from external entities through processes and data stores.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSpoofing\u003c/td\u003e\u003ctd\u003eThreat action aimed at accessing and using another user's credentials, such as username and password.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTampering\u003c/td\u003e\u003ctd\u003eThreat action intending to maliciously change or modify persistent data, and the alteration of data in transit between two computers over an open network, such as the Internet.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eRepudiation\u003c/td\u003e\u003ctd\u003eThreat action aimed at performing prohibited operations in a system that lacks the ability to trace the operations.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eInformation Disclosure\u003c/td\u003e\u003ctd\u003eThreat action intending to read a file that one was not granted access to, or to read data in transit.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDenial of Service (DoS)\u003c/td\u003e\u003ctd\u003eThreat action attempting to deny access to valid users, such as by making a web server temporarily unavailable or unusable.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eEscalation of Privileges\u003c/td\u003e\u003ctd\u003eThreat action intending to gain privileged access to resources in order to gain unauthorized access to information or to compromise a system.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTuple\u003c/td\u003e\u003ctd\u003eLooking at a section of a Data Flow Diagram\u0026nbsp; by identifying the source, destination, and data type of the data 
flow.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch2\u003e\u003cstrong\u003eThreat Modeling resources\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe following are a list of industry resources the \u003cstrong\u003eCMS Threat Modeling Team\u003c/strong\u003e has identified as helpful for those within the CMS community who want to learn more about Threat Modeling:\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://owasp.org/www-community/Threat_Modeling_Process\"\u003eOWASP Threat Modeling\u0026nbsp;Process\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://threatmodelingmanifesto.org\"\u003eThreat Modeling\u0026nbsp;Manifesto\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://www.threatmodelingmanifesto.org/capabilities/\"\u003eThreat Modeling Capabilities\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://github.com/hysnsec/awesome-threat-modelling\"\u003eAwesome Threat Modeling - curated list of resources\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://aws.amazon.com/blogs/security/how-to-approach-threat-modeling/\"\u003eAWS - How to Approach Threat Modeling\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://www.softwaresecured.com/post/stride-threat-modelling\"\u003eSTRIDE Threat Modeling: What You Need To Know\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://infosec.mozilla.org/guidelines/risk/rapid_risk_assessment.html\"\u003eMozilla: Rapid Risk Assessment (RRA)\u003c/a\u003e\u003c/p\u003e"])</script><script>self.__next_f.push([1,"1b8:T9889,"])</script><script>self.__next_f.push([1,"\u003cp\u003e\u003cem\u003eDisclaimer: The information and resources in this document are driven directly at and for CMS internal teams and ADOs to help them initiate and complete threat model exercises. 
Although this document is publicly available, the context it includes (and the information it omits) is meant for CMS-specific audiences.\u0026nbsp;\u003c/em\u003e\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eWhat is Threat Modeling?\u003c/strong\u003e\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eThreat Modeling is a proactive, holistic approach to analyzing potential threats and risks in a system or application in order to identify and address them. It involves analyzing how an attacker might try to exploit weaknesses in the system and then taking steps to mitigate those risks. It enables informed decision-making about application security risks. In addition to producing a model diagram, the process also produces a prioritized list of security improvements to the conception, requirements gathering, design, or implementation of an application.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eAt CMS, we use threat modeling\u0026nbsp; to help identify potential weaknesses that could be exploited by malicious actors. The \u003cstrong\u003eCMS Threat Modeling Team\u003c/strong\u003e works with System Teams to analyze their system's components, understand how they interact, and envision how an attacker might exploit vulnerabilities. This important work allows System/Business Owners, ISSOs, and Developers to implement appropriate security measures such as encryption, access controls, or regular software updates to reduce the chances of a successful attack and to protect sensitive information.\u003c/p\u003e\u003cp dir=\"ltr\"\u003eThreat Modeling is typically done alongside end-phase security testing and can be conducted at any time, but it is ideally done early in the design phase of the Software Development Life Cycle (SDLC). Once completed, a threat model can be updated as needed throughout the SDLC, and should be revisited with each new feature or release. 
This practice promotes identifying and remediating threats, as well as continuously monitoring the effects of internal or external changes.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eWhat are the benefits of Threat Modeling?\u003c/strong\u003e\u003c/h2\u003e\u003cp dir=\"ltr\"\u003eAt CMS, Threat Modeling\u0026nbsp;supports CMS system security and continuous monitoring efforts by supporting the following goals:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli dir=\"ltr\"\u003eDetecting problems early in the software development life cycle (SDLC)\u003c/li\u003e\u003cli dir=\"ltr\"\u003eIdentifying system security requirements\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eCreating a structured plan to address both system requirements and deficiencies\u003c/li\u003e\u003cli dir=\"ltr\"\u003eEvaluating attacks on CMS systems teams might not have considered, even security issues unique to your system\u003c/li\u003e\u003cli dir=\"ltr\"\u003eStaying one step ahead of attackers\u003c/li\u003e\u003cli dir=\"ltr\"\u003eGetting inside the minds of threat agents and their motivations, skills, and capabilities\u0026nbsp;\u003c/li\u003e\u003cli dir=\"ltr\"\u003eServing as a resource for CMS\u0026nbsp;\u003ca href=\"https://security.cms.gov/learn/penetration-testing\"\u003ePenetration Testing\u003c/a\u003e and\u0026nbsp;\u003ca href=\"https://security.cms.gov/policy-guidance/cms-contingency-plan-exercise-handbook\"\u003eContingency Planning\u003c/a\u003e\u0026nbsp; activities\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eThreat Modeling\u0026nbsp;frameworks\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eTeams choosing to participate in Threat Modeling at CMS will have the option to work with the \u003cstrong\u003eCMS Threat Modeling\u0026nbsp;Team\u003c/strong\u003e during a series of sessions. 
To successfully complete these sessions, the \u003cstrong\u003eCMS Threat Modeling\u0026nbsp; Team\u003c/strong\u003e will use a number of proven frameworks\u0026nbsp; including:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"https://adam.shostack.org/\"\u003eAdam Shostacks \u003c/a\u003eFour-Question Frame for Threat Modeling\u0026nbsp;\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://www.microsoft.com/security/blog/2007/09/11/stride-chart/\"\u003eSTRIDE Threat Model\u0026nbsp;\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThese methods were chosen by the \u003cstrong\u003eCMS Threat Modeling\u0026nbsp;Team\u003c/strong\u003e because they are expedient, reliable models that use industry-standard language and provide immediate value to CMS teams. Read on to learn about the specifics of these frameworks.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eFour-Question Frame for Threat Modeling\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAs your team embarks on its Threat Modeling journey, its important that these four questions remain top-of-mind:\u003c/p\u003e\u003col\u003e\u003cli\u003eWhat are we working on?\u003c/li\u003e\u003cli\u003eWhat can go wrong?\u003c/li\u003e\u003cli\u003eWhat are we going to do about it?\u003c/li\u003e\u003cli\u003eDid we do a good enough job?\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eThese questions form the base of the work that your team and the \u003cstrong\u003eCMS Threat Modeling Team\u003c/strong\u003e will complete together. 
The questions are actionable, and designed to quickly identify problems and solutions, which is the core purpose of Threat Modeling .\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eThe STRIDE Model\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe \u003ca href=\"https://www.microsoft.com/security/blog/2007/09/11/stride-chart/\"\u003eSTRIDE\u003c/a\u003e Threat Modeling\u0026nbsp;framework is a systematic approach used to identify and analyze potential security threats and vulnerabilities in software systems. It provides a structured methodology for understanding and addressing security risks during the design and development stages of a system.\u003c/p\u003e\u003cp\u003eThe acronym STRIDE stands for the six types of threats that the framework helps to identify:\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eThreat type\u003c/th\u003e\u003cth\u003eProperty Violated\u003c/th\u003e\u003cth\u003eThreat Definition\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eS\u003c/strong\u003epoofing\u003c/td\u003e\u003ctd\u003eAuthentication\u003c/td\u003e\u003ctd\u003ePretending to be something or someone other than yourself\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eT\u003c/strong\u003eampering\u003c/td\u003e\u003ctd\u003eIntegrity\u003c/td\u003e\u003ctd\u003eModifying something on disk, network, memory, or elsewhere\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eR\u003c/strong\u003eepudiation\u003c/td\u003e\u003ctd\u003eNon-Repudiation\u003c/td\u003e\u003ctd\u003eClaiming that you didnt do something or were not responsible; can be honest or false\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eI\u003c/strong\u003enformation Disclosure\u003c/td\u003e\u003ctd\u003eConfidentiality\u003c/td\u003e\u003ctd\u003eProviding information to someone not authorized to access 
it\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eD\u003c/strong\u003eenial of service\u003c/td\u003e\u003ctd\u003eAvailability\u003c/td\u003e\u003ctd\u003eExhausting resources needed to provide service\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eE\u003c/strong\u003elevation of Privilege\u003c/td\u003e\u003ctd\u003eAuthorization\u003c/td\u003e\u003ctd\u003eAllowing someone to do something they are not authorized to do\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eMore information about using the STRIDE method to complete your Threat Modeling\u0026nbsp;Session can be found in section “How to create your Threat Model ”.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eOther Threat Modeling frameworks\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eApart from the STRIDE Threat Modeling framework, there are several other popular Threat Modeling frameworks commonly used in the field of software security. Here are a few notable ones:\u003c/p\u003e\u003ch4\u003e\u003ca href=\"https://versprite.com/blog/what-is-pasta-threat-modeling/\"\u003e\u003cstrong\u003ePASTA\u003c/strong\u003e\u003c/a\u003e\u003cstrong\u003e (Process for Attack Simulation and Threat Analysis)\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003ePASTA is a risk-centric Threat Modeling\u0026nbsp;framework that focuses on the business impact of threats. 
It involves a seven-step iterative process, including defining the objectives, creating an application profile, identifying threats, assessing vulnerabilities, analyzing risks, defining countermeasures, and validating the results with active vulnerability or penetration testing.\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003ca href=\"https://linddun.org/\"\u003e\u003cstrong\u003eLINDDUN\u003c/strong\u003e\u003c/a\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eLINDDUN threat modeling is a comprehensive approach that extends beyond traditional security threat modeling by focusing explicitly on various aspects of privacy. It is particularly relevant in the development of systems where user data privacy is of utmost importance, such as in applications handling personal or sensitive information. Here's a breakdown of what LINDDUN stands for and how it is applied:\u003c/p\u003e\u003col\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eL\u003c/strong\u003einkability: This aspect evaluates whether an attacker can link two or more items of interest (such as messages, actions, individuals) in a way that the systems design did not intend. The goal is to prevent unauthorized linking of information to protect user privacy.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eI\u003c/strong\u003edentifiability: This examines the risk of identifying a subject (like a user) from the available data. The system should be designed to prevent unauthorized identification of users.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eN\u003c/strong\u003eon-repudiation: This component assesses the possibility that a user cannot deny an action they performed. While non-repudiation is often a security goal, in the context of privacy, it can be undesirable as it might lead to the exposure of a users actions.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eD\u003c/strong\u003eetectability: This refers to the ability of an attacker to determine that an item of interest exists. 
For privacy protection, certain information should not be detectable by unauthorized parties.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eD\u003c/strong\u003eisclosure of Information: This looks at the risk of exposing information to unauthorized entities. The goal is to ensure that confidential information remains private.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eU\u003c/strong\u003enawareness \u0026amp; Unintervenability: This considers whether users are unaware of the data processing practices, which might impact their privacy. Ensuring that users are informed and consenting to data processing is key to protecting privacy.\u003c/li\u003e\u003cli dir=\"ltr\"\u003e\u003cstrong\u003eN\u003c/strong\u003eon-compliance: This evaluates the risk of the system not complying with privacy policies and regulations. Ensuring compliance is crucial for legal and ethical reasons..\u003c/li\u003e\u003c/ol\u003e\u003ch4\u003e\u003ca href=\"https://infosec.mozilla.org/guidelines/risk/rapid_risk_assessment.html\"\u003e\u003cstrong\u003eMozillas Rapid Risk Assessment (RRA)\u003c/strong\u003e\u003c/a\u003e\u003c/h4\u003e\u003cp\u003eRRA is designed to quickly identify and prioritize security risks in software projects, allowing teams to allocate their resources effectively. It aims to be a lightweight and agile approach to risk assessment.\u003c/p\u003e\u003cp\u003eThese are just a few examples of additional Threat Modeling frameworks. Each framework has its strengths and focuses on different aspects of Threat Modeling, but they all aim to identify and address potential security risks effectively. 
It may be beneficial for your team to review these frameworks as you start your own threat model.\u0026nbsp;\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003cstrong\u003eSupplemental frameworks and tools\u003c/strong\u003e\u003c/h3\u003e\u003ch4 dir=\"ltr\"\u003e\u003ca href=\"https://nvd.nist.gov/vuln-metrics/cvss#:~:text=The%20Common%20Vulnerability%20Scoring%20System,Base%2C%20Temporal%2C%20and%20Environmental.\"\u003e\u003cstrong\u003eCVSS\u003c/strong\u003e\u003c/a\u003e\u003cstrong\u003e (Common Vulnerability Scoring System)\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eCVSS is a vulnerability severity classification system which identifies metrics around the ease-of-exploitation and privilege levels required to exploit a CVE. It is not a method of threat modeling or tracking risk. It is used to advise on remediation cadence and urgency. Once a threat is identified, its associated vulnerability can receive a CVSS score from Critical, High, Medium, Low, or Informational to guide prioritization.\u003c/p\u003e\u003ch4 dir=\"ltr\"\u003e\u003ca href=\"https://attack.mitre.org/matrices/enterprise/\"\u003e\u003cstrong\u003eMITRE ATT\u0026amp;CK\u003c/strong\u003e\u003c/a\u003e\u003cstrong\u003e (Adversarys Tactics, Techniques and Common Knowledge)\u003c/strong\u003e\u003c/h4\u003e\u003cp dir=\"ltr\"\u003eATT\u0026amp;CK is not a threat modeling methodology per se but can be used in conjunction with other threat modeling frameworks. ATT\u0026amp;CK is a collection of tactics, techniques, and procedures (TTPs) which enumerate the exploitation and post-exploitation actions threat actors can take against vulnerabilities. Some attacks get CVE classifications but rather this is a repository of steps an adversary can chain together which in their whole create a Kill Chain or successful attack. It is a good tool for referencing attack actions in the same manner across technical and non-technical departments. 
It can be used with threat modeling once threats have been identified to associate the attack actions with the identified threat. ATT\u0026amp;CK is not a compliance framework.\u0026nbsp;\u003c/p\u003e\u003cp dir=\"ltr\"\u003eMany tools and frameworks exist that support threat modeling activities or which can be mapped to a threat modeling methodology such as STRIDE but these should not be relied upon in isolation from other methods.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eThreat Modeling tools\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe tools needed for Threat Modeling can be as simple as using a Whiteboard to brainstorm ideas and a method to record threats and mitigations (paper, a photo of a diagram, etc.). At CMS, the \u003cstrong\u003eCMS Threat Modeling\u0026nbsp;Team\u003c/strong\u003e uses the following tools to communicate with teams and record ideas and information:\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eMural (for drawing DFD diagrams)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eTeams primarily use \u003ca href=\"https://www.mural.co/\"\u003eMural\u003c/a\u003e as a digital whiteboard for drawing Data Flow Diagrams (DFDs). 
You can sign up for a Mural space to complete this work by contacting the \u003ca href=\"mailto:cmscollabtools@cms.hhs.gov\"\u003eCMS Cloud Team\u003c/a\u003e (CMS email account required).\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eNOTE: \u003c/strong\u003eSome other drawing tools may be alternatively used such as \u003ca href=\"https://app.diagrams.net\"\u003eapp.diagrams.net\u003c/a\u003e (formerly Draw.io), \u003ca href=\"https://www.lucidchart.com/\"\u003eLucidchart\u003c/a\u003e, etc.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS Confluence (for recording threats)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eTeams use \u003ca href=\"https://confluenceent.cms.gov/display/CTM/\"\u003eConfluence\u003c/a\u003e to fill out their \u003ca href=\"https://confluenceent.cms.gov/display/CTM/Template+Threat+Model\"\u003eThreat Model Template\u003c/a\u003e in a space that is protected and safe from outside users.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eZoom (for team collaboration)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe \u003cstrong\u003eCMS Threat Modeling\u0026nbsp;Team\u003c/strong\u003e will use \u003ca href=\"https://cms.zoomgov.com/\"\u003eZoom\u003c/a\u003e to collaborate with other team members on a Threat Model. 
Threat Modeling sessions are recorded so that all artifacts can be transferred to other systems of record.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eYouTube (for additional training)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eYour team is encouraged to review the \u003ca href=\"https://www.youtube.com/playlist?list=PLyEaxwXtHzLl_X1RFAjLk1klaa7g_Ab3A\"\u003eCMS CASP Threat Modeling playlist\u003c/a\u003e on CMS YouTube channel before you start your Threat Model.\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cem\u003eAdditional or alternative tools may be added in the future to further help CMS ADO Teams with creating and maintaining Threat Models.\u003c/em\u003e\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eSupplemental Threat Modeling tools\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eAs a reference, here are some other threat modeling tools in the industry that may be considered in the future for use at CMS:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eFree Tools:\u003c/strong\u003e\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003ca href=\"https://www.threatdragon.com/\"\u003e\u003cstrong\u003eOWASP Threat Dragon\u003c/strong\u003e\u003c/a\u003e\u003c/h3\u003e\u003cp\u003eThe OWASP Threat Dragon is a free, open-source, cross-platform application for creating threat models. Use it to draw threat modeling diagrams and to identify threats for your system. With an emphasis on flexibility and simplicity it is easily accessible for all types of users.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003ca href=\"https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool\"\u003e\u003cstrong\u003eMicrosoft Threat Modeling Tool\u003c/strong\u003e\u003c/a\u003e\u003c/h3\u003e\u003cp\u003eThe Threat Modeling Tool is a core element of the Microsoft Security Development Lifecycle (SDL). It allows software architects to identify and mitigate potential security issues early, when they are relatively easy and cost-effective to resolve. 
As a result, it greatly reduces the total cost of development. Also, the tool is designed with non-security experts in mind, making threat modeling easier for all developers by providing clear guidance on creating and analyzing threat models.\u003cbr\u003e\u003cstrong\u003eNOTE: \u003c/strong\u003eThe Microsoft Threat Modeling Tool is a desktop-only tool that can be installed on Microsoft operating systems only.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePaid Tools (requires paid / annual license(s) for usage):\u003c/strong\u003e\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003ca href=\"https://www.iriusrisk.com/\"\u003e\u003cstrong\u003eIriusRisk\u003c/strong\u003e\u003c/a\u003e\u003c/h3\u003e\u003cp\u003eIriusRisk is an open Threat Modeling platform that automates and supports creating threat models at design time. The threat model includes recommendations on how to address the risk. IriusRisk then enables the user to manage security risks throughout the rest of the software development lifecycle (SDLC) with best-in-class architectural diagramming and full customization to enable every stakeholder to collaborate.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003ca href=\"https://threatmodeler.com/\"\u003e\u003cstrong\u003eThreatModeler\u003c/strong\u003e\u003c/a\u003e\u003c/h3\u003e\u003cp\u003eOur patented technology enables intuitive, automated, collaborative threat modeling and integrates directly into every component of your DevSecOps tool chain, automating the “Sec” in DevSecOps from design to code to cloud at scale. ThreatModelers SaaS platform ensures secure and compliant applications, infrastructure, and cloud assets in design, saving millions in incident response costs, remediation costs and regulatory fines. It is trusted by software, security and cloud architects, engineers, and developers at companies across the world. 
Founded in 2010, ThreatModeler is headquartered in Jersey City, NJ.\u003c/p\u003e\u003ch3 dir=\"ltr\"\u003e\u003ca href=\"https://devici.com/\"\u003e\u003cstrong\u003eDevici\u003c/strong\u003e\u003c/a\u003e\u003c/h3\u003e\u003cp\u003eWelcome to Devici, where secure design is driven by threat modeling from the inception of every project. Imagine a platform that allows you to integrate security into your software's blueprint. That's the essence of Secure by Design, and we make it attainable for teams of any size. We're not just a threat modeling tool; we're a movement that embraces the craftsmanship required for secure software development. Our name draws inspiration from the genius of Leonardo Da Vinci, who saw the intricate connections between art and science, much like our approach to crafting secure and private software. Just as Da Vinci meticulously studied anatomy, engineering, and more to improve his art, we empower developers and engineers to delve deep into the design of their software, uncovering potential security and privacy threats. We help implement secure by design foundations.\u003cbr\u003e\u0026nbsp;\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eHow to create your Threat Model\u0026nbsp;\u003c/strong\u003e\u003c/h2\u003e\u003ch3\u003e\u003cstrong\u003eRead the Threat Modeling Handbook\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eLearn about the process of Threat Modeling to decide when the right time is to engage with the \u003cstrong\u003eCMS Threat Modeling\u0026nbsp;Team\u003c/strong\u003e based on your systems current compliance and authorization schedule.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eFill out the Threat Modeling intake form\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003ePlease complete the \u003ca href=\"https://forms.office.com/g/3jfhwGyHdQ\"\u003eThreat Modeling\u0026nbsp;Intake Form\u003c/a\u003e. 
The \u003cstrong\u003eCMS Threat Modeling\u0026nbsp;Team\u003c/strong\u003e will use the answers you provide in this questionnaire to help inform future planning sessions.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eMeet with the CMS Threat Modeling Team\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eTo start things off, facilitators from the \u003cstrong\u003eCMS Threat Modeling\u0026nbsp;Team\u003c/strong\u003e will meet with the System/Business Owner, ISSO, and up to two Senior Developers to talk about the process, time commitment, and outputs expected in future Threat Model Sessions.\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eGather system information\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eYour team should gather and document high level system information, including:\u003c/p\u003e\u003cul\u003e\u003cli\u003eSystem name\u003c/li\u003e\u003cli\u003eSystem description\u003c/li\u003e\u003cli\u003eTypes or sensitivity of data\u003c/li\u003e\u003cli\u003eScope and external interactions\u003c/li\u003e\u003cli\u003ePrimary workflows (use cases)\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThis information will help the \u003cstrong\u003eCMS Threat Modeling\u0026nbsp;Team\u003c/strong\u003e in the initial stages of creating your Threat Model .\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eGather existing diagrams\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe team should gather any existing diagrams such as architecture diagrams, sequence diagrams, etc. that would be helpful in understanding the system or application. 
This will help inform the creation (or update) of a Data Flow Diagram\u0026nbsp; (DFD) during the first whiteboard session.\u003c/p\u003e\u003cp\u003e\u003cem\u003e\u0026nbsp;\u003cstrong\u003eNOTE: \u003c/strong\u003eThe DFD doesnt have to be created before the first Threat Modeling\u0026nbsp;session it can be created together with the \u003cstrong\u003eCMS Threat Modeling Team\u003c/strong\u003e.\u003c/em\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eIdentify stakeholders and personas\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eBefore conducting the Threat Model Session, it is important to identify the key stakeholders who will be participating in the creation of the Threat Model . These perspectives/personas are critical to a successful Threat Modeling\u0026nbsp; session. You can use the following table to inform your work to develop these personas:\u0026nbsp;\u003c/p\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003ePersona\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eDescription\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDeveloper\u003c/td\u003e\u003ctd\u003e\u003cp\u003eSomeone who understands the current application design, and has had the most depth of involvement in the design decisions made to date.\u003c/p\u003e\u003cp\u003eThey were involved in design brainstorming or whiteboarding sessions leading up to this point, when they would typically have been thinking about threats to the design and possible mitigations to include.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eBusiness\u003c/td\u003e\u003ctd\u003eSomeone who represents the business outcomes of the workload or feature that is part of the Threat Modeling\u0026nbsp; process. 
This person should have an intimate understanding of the functional and non-functional requirements of the workload—and their job is to make sure that these requirements arent unduly impacted by any proposed mitigations to address threats.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSecurity\u003c/td\u003e\u003ctd\u003eSomeone who understands application security principles and how they may be applied to designing, building, and testing applications for resilience and protection against security attacks. The purpose of this role is to support the development team in evaluating threats and devising security controls that mitigate the threats.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eInfrastructure\u003c/td\u003e\u003ctd\u003eSomeone who understands the physical or virtual components that makeup the underlying infrastructure of the Application. Design decisions are offset by Infrastructure considerations. These should be voiced during the Threat Modeling\u0026nbsp; session, though theres often aspects of \u003cstrong\u003eShared Responsibility Models \u003c/strong\u003ethat may be reflected in the technology used.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eThreat Model Coordinator\u003c/td\u003e\u003ctd\u003eThe Threat Model subject matter expert (SME) should be the most familiar with the Threat Modeling\u0026nbsp; process and discussion moderation methods, and should have a depth of IT security knowledge and experience. 
Discussion moderation is crucial for the overall exercise process to make sure that the overall objectives of the process are kept on-track, and that the appropriate balance between security and delivery of the customer outcome is maintained.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch3\u003e\u003cstrong\u003eDocument current and upcoming work\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThis is used to help answer “What are we working on” in terms of change to the system.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eComplete the Threat Model Template in Confluence\u0026nbsp;\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe \u003cstrong\u003eCMS Threat Modeling\u0026nbsp;Team\u003c/strong\u003e uses Confluence to organize their threat models. Copy the \u003ca href=\"https://confluenceent.cms.gov/display/CTM/Template+Threat+Model\"\u003eThreat Model Template\u003c/a\u003e to your own Confluence space, and record the data collected in the previous steps.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSchedule your Threat Modeling\u0026nbsp; Sessions\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eWork with your team to coordinate dates and times, and then reach out to the \u003cstrong\u003eCMS Threat Modeling\u0026nbsp;Team\u003c/strong\u003e to schedule your Threat Model Sessions. Its up to the team if they prefer to have one session or to break it up into multiple sessions. Breaking up the session (e.g., three sessions, two hours each, one day apart) gives the team the time and space to learn the structure and concepts involved before going into the next session.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePrepare your team\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eSend a welcome email to everyone who will attend your Threat Modeling\u0026nbsp; Session. 
Be sure to include the following in your email:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eA link to this \u003ca href=\"https://security.cms.gov/policy-guidance/threat-modeling-handbook\"\u003eThreat Modeling Handbook\u003c/a\u003e\u003c/li\u003e\u003cli\u003eA link to the \u003ca href=\"https://confluenceent.cms.gov/display/CTM/\"\u003eThreat Modeling\u0026nbsp;Confluence Space\u003c/a\u003e\u003c/li\u003e\u003cli\u003eA shared link to your specific Mural Whiteboard (or other drawing tool) for easy viewing\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThese shared resources will allow everyone on the team to have access to the information they need to successfully complete the Threat Model .\u0026nbsp;\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eIdentify threats using the STRIDE Model\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAs a structured method of Threat Modeling, STRIDE is meant to help teams locate threats in a system. It offers a way to organize information so that teams can plan how to mitigate or eliminate the threats. Remember that the acronym STRIDE stands for the six types of threats that the framework helps to identify:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSpoofing Identity\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eIdentity spoofing occurs when the hacker pretends to be another person, assuming the identity and information in that identity to commit fraud. A very common example of this threat is when an email is sent from a false email address, appearing to be someone else. Typically, these emails request sensitive data. A vulnerable or unaware recipient provides the requested data, and the hacker is then easily able to assume the new identity.\u003c/p\u003e\u003cp\u003eIdentities that are faked can include both human and technical identities. 
Through spoofing, the hacker can gain access through just one vulnerable identity to then execute a much larger cyber attack.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTampering With Data\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eData tampering occurs when data or information is changed without authorization. Ways that a bad actor can execute tampering could be through changing a configuration file to gain system control, inserting a malicious file, or deleting/modifying a log file.\u003c/p\u003e\u003cp\u003eChange monitoring, also known as file integrity monitoring (FIM), is essential to integrate into your business to identify if and when data tampering occurs. This process critically examines files with a baseline of what a good file looks like. Proper logging and storage are critical to support file monitoring.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eRepudiation Threats\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eRepudiation threats happen when a bad actor performs an illegal or malicious operation in a system and then denies their involvement with the attack. In these attacks, the system lacks the ability to actually trace the malicious activity to identify a hacker.\u003c/p\u003e\u003cp\u003eRepudiation attacks are relatively easy to execute on e-mail systems, as very few systems check outbound mail for validity. Most of these attacks begin as access attacks.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eInformation Disclosure\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eInformation disclosure is also known as information leakage. It happens when an application or website unintentionally reveals data to unauthorized users. This type of threat can affect the process, data flow and data storage in an application. 
Some examples of information disclosure include unintentional access to source code files via temporary backups, unnecessary exposure of sensitive information such as credit card numbers, and revealing database information in error messages.\u003c/p\u003e\u003cp\u003eThese issues are common, and can arise from internal content that is shared publicly, insecure application configurations, or flawed error responses in the design of the application.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eDenial of Service\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eDenial of Service (DoS) attacks restrict an authorized user from accessing resources that they should be able to access. This affects the process, data flow and data storage in an application.\u0026nbsp;\u003c/p\u003e\u003cp\u003eDespite increases in DoS attacks, it does seem that protective tools such as \u003ca href=\"https://www.comparitech.com/net-admin/best-ddos-protection-service/\"\u003eAWS Shield and CloudFlare\u003c/a\u003e continue to be effective.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eElevation of Privileges\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThrough the elevation of privileges, an authorized or unauthorized user in the system can gain access to other information that they are not authorized to see. An example of this attack could be as simple as a missed authorization check, or even elevation through data tampering where the attacker modifies the disk or memory to execute non-authorized commands.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eEvaluate system interactions and elements\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eWhen using the STRIDE method for Threat Modeling\u0026nbsp; to create your DFD, your team can evaluate threats \u003cstrong\u003eper\u003c/strong\u003e \u003cstrong\u003einteraction \u003c/strong\u003eand\u003cstrong\u003e per element\u003c/strong\u003e. 
To do this, your team will need to analyze the potential risks associated with each interaction and element within your system. Remember that:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eInteractions\u003c/strong\u003e are how different components, modules, users, or external entities communicate with each other. Its important for teams to understand the flow of information, data, or control between these entities.\u0026nbsp;\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eElements\u003c/strong\u003e are different components of a system, like databases, APIs, user interfaces, and other network components.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eTo apply STRIDE to your DFD, your team will complete the following steps to apply the STRIDE method to your Threat Model :\u0026nbsp;\u003c/p\u003e\u003col\u003e\u003cli\u003e\u003cstrong\u003eApply STRIDE categories to interactions and elements\u003c/strong\u003e\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eAt the start of your analysis, your team will apply STRIDE\u003cstrong\u003e per interaction\u003c/strong\u003e to determine if there are any threats related to the data flows between components. After completing the interaction analysis, you will then investigate any additional threats further by applying STRIDE to \u003cstrong\u003eany element\u003c/strong\u003e. Any threats that fall outside of interactions and elements should be classified as \u003cstrong\u003eunstructured threats\u003c/strong\u003e.\u003c/p\u003e\u003col start=\"2\"\u003e\u003cli\u003e\u003cstrong\u003eAnalyze threats\u003c/strong\u003e\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eConsider how each type of threat can manifest and brainstorm potential attack scenarios or vulnerabilities that align with each category\u003cem\u003e. \u003c/em\u003eMany development teams will already have ideas of what issues exist inside their systems. Their first-hand experience should be welcomed into the Threat Model Session. 
Key questions to ask during your session include: How would you attack the system? What are you (most) concerned about?\u003c/p\u003e\u003col start=\"3\"\u003e\u003cli\u003e\u003cstrong\u003eDetermine threat impact and likelihood\u003c/strong\u003e\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eEvaluate the potential impact of each identified threat. Consider the consequences in terms of confidentiality, integrity, availability, regulatory compliance, or other relevant factors. Assess the potential damage or harm that can occur if the threat is successfully exploited. Also consider factors such as the level of access required, the complexity of the attack, the presence of mitigating controls, and the motivation and capabilities of potential attackers. Once the initial threat analysis is complete, your team may find that many of the threats are unlikely, low impact, and/or not in the scope of the team's area of responsibility.\u003c/p\u003e\u003col start=\"4\"\u003e\u003cli\u003e\u003cstrong\u003ePrioritize threats and define mitigation strategies\u003c/strong\u003e\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eReview the remaining threats and work with the team, specifically the ISSO and Business Owner, to identify the major threats. The team should then build the proposed mitigation plan by identifying the team members responsible for mitigating each threat, estimating completion dates, and including this information in the final report for follow-up at a later date (generally 90 days).\u003c/p\u003e\u003col start=\"5\"\u003e\u003cli\u003e\u003cstrong\u003eValidate and refine:\u003c/strong\u003e Review the threat analysis and proposed mitigations with your team regularly. 
Refine the threat analysis and update the mitigation strategies when changes occur within your system.\u003c/li\u003e\u003c/ol\u003e\u003ch2\u003e\u003cstrong\u003eWhat to do following your Threat Model Session(s)\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eIn order to answer the question “Did we do a good enough job?”, it is important to review the identified threats, understand the mitigations, determine the risks, and communicate the results to others.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eComplete the Threat Model Report\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eUsing the \u003ca href=\"https://confluenceent.cms.gov/display/CTM/Template+Threat+Model\"\u003eThreat Model Report Template\u003c/a\u003e, the data gathered from the Threat Model Session is transferred into a shared report or PDF that can be used for a final review with all stakeholders. It provides information from the Threat Model Session, including system information, DFD, identified (possible) threats, and proposed mitigations. Your team's options for post-session reporting include:\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eAfter a review with stakeholders, the final report should be uploaded to the “Assessments” tab of CMS FISMA Continuous Tracking System (CFACTS) by the system's ISSO.\u003c/li\u003e\u003cli\u003eInstead of a full report, a PDF of the Mural board + Confluence page may be sufficient for use by the CMS ADO Team. In other cases, a formal document may be needed in order to justify a budgetary request to address a vulnerability that will require additional funds.\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eSend feedback survey\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eCreate a post-session email to all attendees thanking them for their participation and providing a link to the \u003ca href=\"https://cmsgov.typeform.com/tm-feedback\"\u003eThreat Model Session feedback form\u003c/a\u003e. 
This information will be used by the \u003cstrong\u003eCMS Threat Modeling\u0026nbsp;Team\u003c/strong\u003e for continuous improvement of the CMS Threat Modeling process.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eThreat mitigation follow-up\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eMitigation follow-up is managed by the application ISSO and should be completed approximately 90 days after the Threat Model Session. All mitigations should be commented on and updated, then attached to the Threat Model report.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eThreat Modeling terms and definitions\u003c/strong\u003e\u003c/h2\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003e\u003cstrong\u003eTerm\u003c/strong\u003e\u003c/th\u003e\u003cth\u003e\u003cstrong\u003eDefinition\u003c/strong\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eImpact\u003c/td\u003e\u003ctd\u003eA measure of the potential damage caused by a particular threat. Impact and damage can take a variety of forms. A threat may result in damage to physical assets, or may result in obvious financial loss. Indirect loss may also result from an attack and needs to be considered as part of the impact.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eLikelihood\u003c/td\u003e\u003ctd\u003eA measure of the possibility of a threat being carried out. 
A variety of factors can impact the likelihood of a threat being carried out, including how difficult the implementation of the threat is, and how rewarding it would be to the attacker.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eControls\u003c/td\u003e\u003ctd\u003eSafeguards or countermeasures that you put in place in order to avoid, detect, counteract, or minimize potential threats against your information, systems, or other assets.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePreventions\u003c/td\u003e\u003ctd\u003eControls that may completely prevent a particular attack from being possible.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eMitigations\u003c/td\u003e\u003ctd\u003eControls that are put in place to reduce either the likelihood or the impact of a threat, while not completely preventing it.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eData Flow Diagram\u0026nbsp;\u003c/td\u003e\u003ctd\u003eA depiction of how information flows through your system. It shows each place that data is input into or output from each process or subsystem. It includes anywhere that data is stored in the system, either temporarily or long-term.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTrust boundary (in the context of Threat Modeling )\u003c/td\u003e\u003ctd\u003eA location on the Data Flow Diagram\u0026nbsp; where data changes its level of trust. Any place where data is passed between two processes is typically a trust boundary. If your application makes a call to a remote process, or a remote process makes calls to your application, that's a trust boundary. If you read data from a database, there's typically a trust boundary because other processes can modify the data in the database. 
Any place you accept user input in any form is always a trust boundary.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eWorkflows (Use Cases)\u003c/td\u003e\u003ctd\u003eA written description of how users will perform tasks within your system or application. It outlines, from a user's point of view, a system's behavior as it responds to a request. Each workflow is represented as a sequence of simple steps, beginning with a user's goal and ending when that goal is fulfilled.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSystem Name\u003c/td\u003e\u003ctd\u003eFISMA system name that can be found in CFACTS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSystem Description\u003c/td\u003e\u003ctd\u003eHigh-level description of the system that can be found in CFACTS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eExternal Entity\u003c/td\u003e\u003ctd\u003eAn outside system or process that sends or receives data to and from the diagrammed system — the sources or destinations of information.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eProcess\u003c/td\u003e\u003ctd\u003eA procedure that manipulates the data and its flow by taking incoming data, changing it, and producing an output with it.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eData Store\u003c/td\u003e\u003ctd\u003eHolds information for later use waiting to be processed. 
Data inputs flow through a process and then through a data store while data outputs flow out of a data store and then through a process.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eData Flow\u003c/td\u003e\u003ctd\u003eThe path the system's information takes from external entities through processes and data stores.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eSpoofing\u003c/td\u003e\u003ctd\u003eThreat action aimed at accessing and using another user's credentials, such as username and password.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTampering\u003c/td\u003e\u003ctd\u003eThreat action intending to maliciously change or modify persistent data, or to alter data in transit between two computers over an open network, such as the Internet.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eRepudiation\u003c/td\u003e\u003ctd\u003eThreat action aimed at performing prohibited operations in a system that lacks the ability to trace the operations.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eInformation Disclosure\u003c/td\u003e\u003ctd\u003eThreat action intending to read a file that one was not granted access to, or to read data in transit.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDenial of Service (DoS)\u003c/td\u003e\u003ctd\u003eThreat action attempting to deny access to valid users, such as by making a web server temporarily unavailable or unusable.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eEscalation of Privileges\u003c/td\u003e\u003ctd\u003eThreat action intending to gain privileged access to resources in order to gain unauthorized access to information or to compromise a system.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eTuple\u003c/td\u003e\u003ctd\u003eLooking at a section of a Data Flow Diagram\u0026nbsp; by identifying the source, destination, and data type of the data 
flow.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003ch2\u003e\u003cstrong\u003eThreat Modeling resources\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe following are a list of industry resources the \u003cstrong\u003eCMS Threat Modeling Team\u003c/strong\u003e has identified as helpful for those within the CMS community who want to learn more about Threat Modeling:\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://owasp.org/www-community/Threat_Modeling_Process\"\u003eOWASP Threat Modeling\u0026nbsp;Process\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://threatmodelingmanifesto.org\"\u003eThreat Modeling\u0026nbsp;Manifesto\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://www.threatmodelingmanifesto.org/capabilities/\"\u003eThreat Modeling Capabilities\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://github.com/hysnsec/awesome-threat-modelling\"\u003eAwesome Threat Modeling - curated list of resources\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://aws.amazon.com/blogs/security/how-to-approach-threat-modeling/\"\u003eAWS - How to Approach Threat Modeling\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://www.softwaresecured.com/post/stride-threat-modelling\"\u003eSTRIDE Threat Modeling: What You Need To Know\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://infosec.mozilla.org/guidelines/risk/rapid_risk_assessment.html\"\u003eMozilla: Rapid Risk Assessment (RRA)\u003c/a\u003e\u003c/p\u003e"])</script><script>self.__next_f.push([1,"1b6:{\"value\":\"$1b7\",\"format\":\"body_text\",\"processed\":\"$1b8\",\"summary\":\"\"}\n1b9:[]\n1ba:{\"value\":\"Information and resources for teams to help them initiate and complete their system threat model\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eInformation and resources for teams to help them initiate and complete their system threat 
model\u003c/p\u003e\\n\"}\n1b4:{\"drupal_internal__nid\":1119,\"drupal_internal__vid\":6216,\"langcode\":\"en\",\"revision_timestamp\":\"2025-01-22T17:50:38+00:00\",\"status\":true,\"title\":\"CMS Threat Modeling Handbook\",\"created\":\"2023-06-16T16:27:11+00:00\",\"changed\":\"2025-01-22T17:50:38+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$1b5\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":\"$1b6\",\"field_contact_email\":\"ThreatModeling@cms.hhs.gov\",\"field_contact_name\":\"CMS Threat Modeling Team\",\"field_last_reviewed\":\"2024-02-21\",\"field_related_resources\":\"$1b9\",\"field_short_description\":\"$1ba\"}\n1be:{\"drupal_internal__target_id\":\"library\"}\n1bd:{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"meta\":\"$1be\"}\n1c0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/d2252bee-8a5a-4d56-baba-a0ac106cd2cf/node_type?resourceVersion=id%3A6216\"}\n1c1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/d2252bee-8a5a-4d56-baba-a0ac106cd2cf/relationships/node_type?resourceVersion=id%3A6216\"}\n1bf:{\"related\":\"$1c0\",\"self\":\"$1c1\"}\n1bc:{\"data\":\"$1bd\",\"links\":\"$1bf\"}\n1c4:{\"drupal_internal__target_id\":6}\n1c3:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":\"$1c4\"}\n1c6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/d2252bee-8a5a-4d56-baba-a0ac106cd2cf/revision_uid?resourceVersion=id%3A6216\"}\n1c7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/d2252bee-8a5a-4d56-baba-a0ac106cd2cf/relationships/revision_uid?resourceVersion=id%3A6216\"}\n1c5:{\"related\":\"$1c6\",\"self\":\"$1c7\"}\n1c2:{\"data\":\"$1c3\",\"links"])</script><script>self.__next_f.push([1,"\":\"$1c5\"}\n1ca:{\"drupal_internal__target_id\":26}
\n1c9:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$1ca\"}\n1cc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/d2252bee-8a5a-4d56-baba-a0ac106cd2cf/uid?resourceVersion=id%3A6216\"}\n1cd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/d2252bee-8a5a-4d56-baba-a0ac106cd2cf/relationships/uid?resourceVersion=id%3A6216\"}\n1cb:{\"related\":\"$1cc\",\"self\":\"$1cd\"}\n1c8:{\"data\":\"$1c9\",\"links\":\"$1cb\"}\n1d0:{\"drupal_internal__target_id\":91}\n1cf:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"e3394b9a-cbff-4bad-b68e-c6fad326132e\",\"meta\":\"$1d0\"}\n1d2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/d2252bee-8a5a-4d56-baba-a0ac106cd2cf/field_resource_type?resourceVersion=id%3A6216\"}\n1d3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/d2252bee-8a5a-4d56-baba-a0ac106cd2cf/relationships/field_resource_type?resourceVersion=id%3A6216\"}\n1d1:{\"related\":\"$1d2\",\"self\":\"$1d3\"}\n1ce:{\"data\":\"$1cf\",\"links\":\"$1d1\"}\n1d7:{\"drupal_internal__target_id\":66}\n1d6:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$1d7\"}\n1d9:{\"drupal_internal__target_id\":61}\n1d8:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$1d9\"}\n1db:{\"drupal_internal__target_id\":76}\n1da:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$1db\"}\n1dd:{\"drupal_internal__target_id\":71}\n1dc:{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":\"$1dd\"}\n1d5:[\"$1d6\",\"$1d8\",\"$1da\",\"$1dc\"]\n1df:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/d2252bee-8a5a-4d56-baba-a0ac106cd2cf/field_roles?resourceVersion=id%3A6216\"}\n1e0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/d2252bee-8a5a-4d56-baba-a0ac106cd2cf/relationships/field_roles?resourceVersion=id%3A6216\"}\n1de:{\"related\":\"$1df\",\"self\":\
"$1e0\"}\n1d4:{\"data\":\"$1d5\",\"links\":\"$1de\"}\n1e4:{\"drupal_internal__target_id\":41}\n1e3:{\"type\":\"taxonomy_term--topics\",\"id\":\"34eaf3c8-5635-4a38-b8c3-7225aa196f4c\",\"meta\":\"$1e4\"}\n1"])</script><script>self.__next_f.push([1,"e6:{\"drupal_internal__target_id\":46}\n1e5:{\"type\":\"taxonomy_term--topics\",\"id\":\"0534f7e2-9894-488d-a526-3c0255df2ad5\",\"meta\":\"$1e6\"}\n1e2:[\"$1e3\",\"$1e5\"]\n1e8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/d2252bee-8a5a-4d56-baba-a0ac106cd2cf/field_topics?resourceVersion=id%3A6216\"}\n1e9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/d2252bee-8a5a-4d56-baba-a0ac106cd2cf/relationships/field_topics?resourceVersion=id%3A6216\"}\n1e7:{\"related\":\"$1e8\",\"self\":\"$1e9\"}\n1e1:{\"data\":\"$1e2\",\"links\":\"$1e7\"}\n1bb:{\"node_type\":\"$1bc\",\"revision_uid\":\"$1c2\",\"uid\":\"$1c8\",\"field_resource_type\":\"$1ce\",\"field_roles\":\"$1d4\",\"field_topics\":\"$1e1\"}\n1b1:{\"type\":\"node--library\",\"id\":\"d2252bee-8a5a-4d56-baba-a0ac106cd2cf\",\"links\":\"$1b2\",\"attributes\":\"$1b4\",\"relationships\":\"$1bb\"}\n1ec:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58?resourceVersion=id%3A5668\"}\n1eb:{\"self\":\"$1ec\"}\n1ee:{\"alias\":\"/learn/cms-cloud-services\",\"pid\":236,\"langcode\":\"en\"}\n1ef:{\"value\":\"Platform-As-A-Service with tools, security, and support services designed specifically for CMS\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003ePlatform-As-A-Service with tools, security, and support services designed specifically for CMS\u003c/p\u003e\\n\"}\n1f0:[\"#cms-cloud-security-forum\"]\n1ed:{\"drupal_internal__nid\":246,\"drupal_internal__vid\":5668,\"langcode\":\"en\",\"revision_timestamp\":\"2024-07-12T15:23:53+00:00\",\"status\":true,\"title\":\"CMS Cloud 
Services\",\"created\":\"2022-08-26T14:47:12+00:00\",\"changed\":\"2024-07-12T15:23:53+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$1ee\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"cloudsupport@cms.hhs.gov\",\"field_contact_name\":\"CMS Cloud Support\",\"field_short_description\":\"$1ef\",\"field_slack_channel\":\"$1f0\"}\n1f4:{\"drupal_internal__target_id\":\"explainer\"}\n1f3:{\"type\":\"node_type--node_type\",\"id\":\""])</script><script>self.__next_f.push([1,"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$1f4\"}\n1f6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/node_type?resourceVersion=id%3A5668\"}\n1f7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/node_type?resourceVersion=id%3A5668\"}\n1f5:{\"related\":\"$1f6\",\"self\":\"$1f7\"}\n1f2:{\"data\":\"$1f3\",\"links\":\"$1f5\"}\n1fa:{\"drupal_internal__target_id\":6}\n1f9:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":\"$1fa\"}\n1fc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/revision_uid?resourceVersion=id%3A5668\"}\n1fd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/revision_uid?resourceVersion=id%3A5668\"}\n1fb:{\"related\":\"$1fc\",\"self\":\"$1fd\"}\n1f8:{\"data\":\"$1f9\",\"links\":\"$1fb\"}\n200:{\"drupal_internal__target_id\":26}\n1ff:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$200\"}\n202:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/uid?resourceVersion=id%3A5668\"}\n203:{\"href\":\"https://
cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/uid?resourceVersion=id%3A5668\"}\n201:{\"related\":\"$202\",\"self\":\"$203\"}\n1fe:{\"data\":\"$1ff\",\"links\":\"$201\"}\n207:{\"target_revision_id\":18519,\"drupal_internal__target_id\":1371}\n206:{\"type\":\"paragraph--page_section\",\"id\":\"15f8e7ab-00f6-4c17-b433-659267271131\",\"meta\":\"$207\"}\n205:[\"$206\"]\n209:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/field_page_section?resourceVersion=id%3A5668\"}\n20a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/field_page_section?resourceVersion=id%3A5668\"}\n208:{\"related\":\"$209\",\"self\":\"$20a\"}\n204:{\"data\":\"$205\",\"links\":\"$208\"}\n20e:{\"target_revision_id\":18520,\"drupal_internal__target_id\":1376}\n20d:{\"type\":\"paragraph--internal_link\",\"id\":\"b48e2348-59"])</script><script>self.__next_f.push([1,"b0-42a6-9f44-62af8a94ddf1\",\"meta\":\"$20e\"}\n210:{\"target_revision_id\":18521,\"drupal_internal__target_id\":1381}\n20f:{\"type\":\"paragraph--internal_link\",\"id\":\"17ea04ed-0987-43ea-b494-7c051ddfcd28\",\"meta\":\"$210\"}\n212:{\"target_revision_id\":18522,\"drupal_internal__target_id\":1391}\n211:{\"type\":\"paragraph--internal_link\",\"id\":\"ae49a5b4-3922-4f8d-bbe5-624b243b4637\",\"meta\":\"$212\"}\n214:{\"target_revision_id\":18523,\"drupal_internal__target_id\":1396}\n213:{\"type\":\"paragraph--internal_link\",\"id\":\"3ebbf63a-35a8-4c15-8002-2b41f7ef528a\",\"meta\":\"$214\"}\n20c:[\"$20d\",\"$20f\",\"$211\",\"$213\"]\n216:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/field_related_collection?resourceVersion=id%3A5668\"}\n217:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/field_related_collection?resourceVersion=id%3A5668\"}\n215:{\"related\":\"$216\",\"self\"
:\"$217\"}\n20b:{\"data\":\"$20c\",\"links\":\"$215\"}\n21a:{\"drupal_internal__target_id\":121}\n219:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":\"$21a\"}\n21c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/field_resource_type?resourceVersion=id%3A5668\"}\n21d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/field_resource_type?resourceVersion=id%3A5668\"}\n21b:{\"related\":\"$21c\",\"self\":\"$21d\"}\n218:{\"data\":\"$219\",\"links\":\"$21b\"}\n221:{\"drupal_internal__target_id\":76}\n220:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$221\"}\n223:{\"drupal_internal__target_id\":71}\n222:{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":\"$223\"}\n21f:[\"$220\",\"$222\"]\n225:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/field_roles?resourceVersion=id%3A5668\"}\n226:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/field_roles?resourceVersion=id"])</script><script>self.__next_f.push([1,"%3A5668\"}\n224:{\"related\":\"$225\",\"self\":\"$226\"}\n21e:{\"data\":\"$21f\",\"links\":\"$224\"}\n22a:{\"drupal_internal__target_id\":41}\n229:{\"type\":\"taxonomy_term--topics\",\"id\":\"34eaf3c8-5635-4a38-b8c3-7225aa196f4c\",\"meta\":\"$22a\"}\n22c:{\"drupal_internal__target_id\":11}\n22b:{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":\"$22c\"}\n228:[\"$229\",\"$22b\"]\n22e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/field_topics?resourceVersion=id%3A5668\"}\n22f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/field_topics?resourceVersion=id%3A5668\
"}\n22d:{\"related\":\"$22e\",\"self\":\"$22f\"}\n227:{\"data\":\"$228\",\"links\":\"$22d\"}\n1f1:{\"node_type\":\"$1f2\",\"revision_uid\":\"$1f8\",\"uid\":\"$1fe\",\"field_page_section\":\"$204\",\"field_related_collection\":\"$20b\",\"field_resource_type\":\"$218\",\"field_roles\":\"$21e\",\"field_topics\":\"$227\"}\n1ea:{\"type\":\"node--explainer\",\"id\":\"42018625-2456-415e-bd2c-f1c061290d58\",\"links\":\"$1eb\",\"attributes\":\"$1ed\",\"relationships\":\"$1f1\"}\n232:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf?resourceVersion=id%3A5861\"}\n231:{\"self\":\"$232\"}\n234:{\"alias\":\"/learn/ongoing-authorization-oa\",\"pid\":751,\"langcode\":\"en\"}\n235:{\"value\":\"Supporting the continuous compliance and safety of FISMA systems through proactive, ongoing monitoring activities\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eSupporting the continuous compliance and safety of FISMA systems through proactive, ongoing monitoring activities\u003c/p\u003e\\n\"}\n236:[\"#oa-onboarding \",\"#security_community \",\"#CMS-CDM\"]\n233:{\"drupal_internal__nid\":771,\"drupal_internal__vid\":5861,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-08T14:51:46+00:00\",\"status\":true,\"title\":\"Ongoing Authorization (OA)\",\"created\":\"2023-03-06T21:09:39+00:00\",\"changed\":\"2024-08-08T14:51:46+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$234\",\"rh_action\":null,\"rh_redirect\""])</script><script>self.__next_f.push([1,":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy 
Team\",\"field_short_description\":\"$235\",\"field_slack_channel\":\"$236\"}\n23a:{\"drupal_internal__target_id\":\"explainer\"}\n239:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$23a\"}\n23c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/node_type?resourceVersion=id%3A5861\"}\n23d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/node_type?resourceVersion=id%3A5861\"}\n23b:{\"related\":\"$23c\",\"self\":\"$23d\"}\n238:{\"data\":\"$239\",\"links\":\"$23b\"}\n240:{\"drupal_internal__target_id\":6}\n23f:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":\"$240\"}\n242:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/revision_uid?resourceVersion=id%3A5861\"}\n243:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/revision_uid?resourceVersion=id%3A5861\"}\n241:{\"related\":\"$242\",\"self\":\"$243\"}\n23e:{\"data\":\"$23f\",\"links\":\"$241\"}\n246:{\"drupal_internal__target_id\":26}\n245:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$246\"}\n248:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/uid?resourceVersion=id%3A5861\"}\n249:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/uid?resourceVersion=id%3A5861\"}\n247:{\"related\":\"$248\",\"self\":\"$249\"}\n244:{\"data\":\"$245\",\"links\":\"$247\"}\n24d:{\"target_revision_id\":19161,\"drupal_internal__target_id\":2336}\n24c:{\"type\":\"paragraph--page_section\",\"id\":\"8e64b2f7-d23c-4782-b0e3-e3b850374054\",\"meta\":\"$24d\"}\n24f:{\"target_revision_id\":19169,\"drupal_internal__target_id\":2351}\n24e:{\"type\":\"paragraph--page_section\",\"id\":\"53ba39d8-a757-47cf-9d7e-
e7a23389889e\",\"meta\":\"$24f\"}"])</script><script>self.__next_f.push([1,"\n251:{\"target_revision_id\":19171,\"drupal_internal__target_id\":2386}\n250:{\"type\":\"paragraph--page_section\",\"id\":\"123ffcec-1914-4725-a582-5c61bd8c9241\",\"meta\":\"$251\"}\n253:{\"target_revision_id\":19172,\"drupal_internal__target_id\":2426}\n252:{\"type\":\"paragraph--page_section\",\"id\":\"e5ef118a-a42b-4cfb-b5a6-cebc127739d3\",\"meta\":\"$253\"}\n24b:[\"$24c\",\"$24e\",\"$250\",\"$252\"]\n255:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/field_page_section?resourceVersion=id%3A5861\"}\n256:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/field_page_section?resourceVersion=id%3A5861\"}\n254:{\"related\":\"$255\",\"self\":\"$256\"}\n24a:{\"data\":\"$24b\",\"links\":\"$254\"}\n25a:{\"target_revision_id\":19173,\"drupal_internal__target_id\":2466}\n259:{\"type\":\"paragraph--internal_link\",\"id\":\"de5326cf-552a-427c-9781-a4912ad4e45a\",\"meta\":\"$25a\"}\n25c:{\"target_revision_id\":19174,\"drupal_internal__target_id\":2471}\n25b:{\"type\":\"paragraph--internal_link\",\"id\":\"b5f6c429-201a-4f5f-ae6e-05b6e235ddbc\",\"meta\":\"$25c\"}\n25e:{\"target_revision_id\":19175,\"drupal_internal__target_id\":2476}\n25d:{\"type\":\"paragraph--internal_link\",\"id\":\"5a2be300-e6a0-41ff-9db9-5b88b77f18f2\",\"meta\":\"$25e\"}\n260:{\"target_revision_id\":19176,\"drupal_internal__target_id\":2481}\n25f:{\"type\":\"paragraph--internal_link\",\"id\":\"a7539e73-da37-44b0-ad17-9c481c5e89e9\",\"meta\":\"$260\"}\n262:{\"target_revision_id\":19177,\"drupal_internal__target_id\":2486}\n261:{\"type\":\"paragraph--internal_link\",\"id\":\"4f862230-6bb8-4954-b295-52e00e609ba5\",\"meta\":\"$262\"}\n264:{\"target_revision_id\":19178,\"drupal_internal__target_id\":2491}\n263:{\"type\":\"paragraph--internal_link\",\"id\":\"8f0f75de-c261-41da-9ef7-06ccd80efb66\",\"meta\":\"$264\"}\n258:[\"$259
\",\"$25b\",\"$25d\",\"$25f\",\"$261\",\"$263\"]\n266:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/field_related_collection?resourceVersion=id%3A5861\"}\n267:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/fiel"])</script><script>self.__next_f.push([1,"d_related_collection?resourceVersion=id%3A5861\"}\n265:{\"related\":\"$266\",\"self\":\"$267\"}\n257:{\"data\":\"$258\",\"links\":\"$265\"}\n26a:{\"drupal_internal__target_id\":131}\n269:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":\"$26a\"}\n26c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/field_resource_type?resourceVersion=id%3A5861\"}\n26d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/field_resource_type?resourceVersion=id%3A5861\"}\n26b:{\"related\":\"$26c\",\"self\":\"$26d\"}\n268:{\"data\":\"$269\",\"links\":\"$26b\"}\n271:{\"drupal_internal__target_id\":66}\n270:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$271\"}\n273:{\"drupal_internal__target_id\":61}\n272:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$273\"}\n275:{\"drupal_internal__target_id\":76}\n274:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$275\"}\n26f:[\"$270\",\"$272\",\"$274\"]\n277:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/field_roles?resourceVersion=id%3A5861\"}\n278:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/field_roles?resourceVersion=id%3A5861\"}\n276:{\"related\":\"$277\",\"self\":\"$278\"}\n26e:{\"data\":\"$26f\",\"links\":\"$276\"}\n27c:{\"drupal_internal__target_id\":36}\n27b:{\"type\"
:\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":\"$27c\"}\n27e:{\"drupal_internal__target_id\":11}\n27d:{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":\"$27e\"}\n27a:[\"$27b\",\"$27d\"]\n280:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/field_topics?resourceVersion=id%3A5861\"}\n281:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/field_topics?resourceVersion=id%3A5861\"}\n27f:{\"related\":\"$280\",\"self\":\"$281\"}\n27"])</script><script>self.__next_f.push([1,"9:{\"data\":\"$27a\",\"links\":\"$27f\"}\n237:{\"node_type\":\"$238\",\"revision_uid\":\"$23e\",\"uid\":\"$244\",\"field_page_section\":\"$24a\",\"field_related_collection\":\"$257\",\"field_resource_type\":\"$268\",\"field_roles\":\"$26e\",\"field_topics\":\"$279\"}\n230:{\"type\":\"node--explainer\",\"id\":\"dfeef1d1-c536-4496-97ad-5488a965a6cf\",\"links\":\"$231\",\"attributes\":\"$233\",\"relationships\":\"$237\"}\n"])</script><script>self.__next_f.push([1,"5:[\"$\",\"$L17\",null,{\"content\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"96fa2caf-c299-4fd4-9a0a-d6d86691328e\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96fa2caf-c299-4fd4-9a0a-d6d86691328e?resourceVersion=id%3A5460\"}},\"attributes\":{\"drupal_internal__nid\":581,\"drupal_internal__vid\":5460,\"langcode\":\"en\",\"revision_timestamp\":\"2024-05-17T21:42:11+00:00\",\"status\":true,\"title\":\"Threat 
Modeling\",\"created\":\"2022-08-29T18:53:20+00:00\",\"changed\":\"2024-05-17T15:09:41+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/threat-modeling\",\"pid\":571,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"ThreatModeling@cms.hhs.gov\",\"field_contact_name\":\"CMS Threat Modeling Team\",\"field_short_description\":{\"value\":\"Design practices that facilitate secure software development through organization and collaboration \",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eDesign practices that facilitate secure software development through organization and collaboration\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#cms-threat-modeling\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96fa2caf-c299-4fd4-9a0a-d6d86691328e/node_type?resourceVersion=id%3A5460\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96fa2caf-c299-4fd4-9a0a-d6d86691328e/relationships/node_type?resourceVersion=id%3A5460\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"ee0c4536-bc99-4440-92eb-6256599174e5\",\"meta\":{\"drupal_internal__target_id\":100}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96fa2caf-c299-4fd4-9a0a-d6d86691328e/revision_uid?resourceVersion=id%3A5460\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96fa2caf-c299-4fd4-9a0a-d6d86691328e/relationships/revision_uid?resourceVersion=id%3A5460\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5
f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96fa2caf-c299-4fd4-9a0a-d6d86691328e/uid?resourceVersion=id%3A5460\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96fa2caf-c299-4fd4-9a0a-d6d86691328e/relationships/uid?resourceVersion=id%3A5460\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"72d40c3c-330d-4194-ad1e-c61c29f5a60d\",\"meta\":{\"target_revision_id\":17491,\"drupal_internal__target_id\":3306}},{\"type\":\"paragraph--page_section\",\"id\":\"b46cc06c-9584-4143-8dc1-4e95c87edf2b\",\"meta\":{\"target_revision_id\":17498,\"drupal_internal__target_id\":3313}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96fa2caf-c299-4fd4-9a0a-d6d86691328e/field_page_section?resourceVersion=id%3A5460\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96fa2caf-c299-4fd4-9a0a-d6d86691328e/relationships/field_page_section?resourceVersion=id%3A5460\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"362b0424-2e7e-47f8-9515-4e33c749a551\",\"meta\":{\"target_revision_id\":17499,\"drupal_internal__target_id\":3314}},{\"type\":\"paragraph--internal_link\",\"id\":\"de10201a-15bc-4af2-bde0-d2b2f67f3596\",\"meta\":{\"target_revision_id\":17500,\"drupal_internal__target_id\":3315}},{\"type\":\"paragraph--internal_link\",\"id\":\"ded08c1c-6476-43b1-a316-7c38a1746aa4\",\"meta\":{\"target_revision_id\":17501,\"drupal_internal__target_id\":3316}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96fa2caf-c299-4fd4-9a0a-d6d86691328e/field_related_collection?resourceVersion=id%3A5460\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96fa2caf-c299-4fd4-9a0a-d6d86691328e/relationships/field_related_collection?resourceVersion=id%3A5460\"}}},\"field_resource_type\":{\"data\":{\
"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":{\"drupal_internal__target_id\":121}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96fa2caf-c299-4fd4-9a0a-d6d86691328e/field_resource_type?resourceVersion=id%3A5460\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96fa2caf-c299-4fd4-9a0a-d6d86691328e/relationships/field_resource_type?resourceVersion=id%3A5460\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96fa2caf-c299-4fd4-9a0a-d6d86691328e/field_roles?resourceVersion=id%3A5460\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96fa2caf-c299-4fd4-9a0a-d6d86691328e/relationships/field_roles?resourceVersion=id%3A5460\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"34eaf3c8-5635-4a38-b8c3-7225aa196f4c\",\"meta\":{\"drupal_internal__target_id\":41}},{\"type\":\"taxonomy_term--topics\",\"id\":\"0534f7e2-9894-488d-a526-3c0255df2ad5\",\"meta\":{\"drupal_internal__target_id\":46}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96fa2caf-c299-4fd4-9a0a-d6d86691328e/field_topics?resourceVersion=id%3A5460\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/96fa2caf-c299-4fd4-9a0a-d6d86691328e/relationships/field_topics?resourceVersion=id%3A5460\"}}}}},\"included\":[{\"type\":\"node_ty
pe--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/d185e460-4998-4d2b-85cb-b04f304dfb1b\"}},\"attributes\":{\"langcode\":\"en\",\"status\":true,\"dependencies\":{\"module\":[\"menu_ui\",\"scheduler\"]},\"third_party_settings\":{\"menu_ui\":{\"available_menus\":[],\"parent\":\"\"},\"scheduler\":{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}},\"name\":\"Explainer page\",\"drupal_internal__type\":\"explainer\",\"description\":\"Use \u003ci\u003eExplainer pages\u003c/i\u003e to provide general information in plain language about a policy, program, tool, service, or task related to security and privacy at CMS.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}},{\"type\":\"user--user\",\"id\":\"ee0c4536-bc99-4440-92eb-6256599174e5\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/ee0c4536-bc99-4440-92eb-6256599174e5\"}},\"attributes\":{\"display_name\":\"mkania\"}},{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/dca2c49b-4a12-4d5f-859d-a759444160a4\"}},\"attributes\":{\"display_name\":\"meg - 
retired\"}},{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4?resourceVersion=id%3A121\"}},\"attributes\":{\"drupal_internal__tid\":121,\"drupal_internal__revision_id\":121,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:13:12+00:00\",\"status\":true,\"name\":\"Tools / Services\",\"description\":null,\"weight\":5,\"changed\":\"2023-06-14T19:04:09+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":{\"drupal_internal__target_id\":\"resource_type\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/vid?resourceVersion=id%3A121\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/relationships/vid?resourceVersion=id%3A121\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/revision_user?resourceVersion=id%3A121\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/relationships/revision_user?resourceVersion=id%3A121\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/parent?resourceVersion=id%3A121\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/9e907eeb-b0a8-4dd3-8818-37cb1557a8f4/relationships/parent?resourceVersion=id%3A121\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5?resourceVersion=id%3A66\"}},\"attributes\":{\"drupal_internal__tid\":66,\"drupal_internal__revision_id\":66,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:26+00:00\",\"status\":true,\"name\":\"Cyber Risk Advisor (CRA)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:26+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/vid?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/vid?resourceVersion=id%3A66\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/revision_user?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/revision_user?resourceVersion=id%3A66\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"ht
tps://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/parent?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/parent?resourceVersion=id%3A66\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}},\"attributes\":{\"drupal_internal__tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Officer (ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersio
n=id%3A61\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}},\"attributes\":{\"drupal_internal__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business 
Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e?resourceVersion=id%3A71\"}},\"attributes\":{\"drupal_internal__tid\":71,\"drupal_internal__revision_id\":71,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:42+00:00\",\"status\":true,\"name\":\"System Teams\",\"description\":null,\"weight\":0,\"changed\":\"2024-08-02T21:29:47+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/vid?resourceVersion=id%3A71\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/vid?resourceVersion=id%3A71\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/revision_user?resourceVersion=id%3A71\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/revision_user?resourceVersion=id%3A71\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/mo
dules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/parent?resourceVersion=id%3A71\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/parent?resourceVersion=id%3A71\"}}}}},{\"type\":\"taxonomy_term--topics\",\"id\":\"34eaf3c8-5635-4a38-b8c3-7225aa196f4c\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c?resourceVersion=id%3A41\"}},\"attributes\":{\"drupal_internal__tid\":41,\"drupal_internal__revision_id\":41,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:06:04+00:00\",\"status\":true,\"name\":\"Application Security\",\"description\":null,\"weight\":0,\"changed\":\"2022-09-28T21:04:30+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":{\"drupal_internal__target_id\":\"topics\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/vid?resourceVersion=id%3A41\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/relationships/vid?resourceVersion=id%3A41\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/revision_user?resourceVersion=id%3A41\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/relationships/revision_user?resourceVersion=id%3A41\"}}},\"parent\":{\"data\":[{\"type\
":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/parent?resourceVersion=id%3A41\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/34eaf3c8-5635-4a38-b8c3-7225aa196f4c/relationships/parent?resourceVersion=id%3A41\"}}}}},{\"type\":\"taxonomy_term--topics\",\"id\":\"0534f7e2-9894-488d-a526-3c0255df2ad5\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0534f7e2-9894-488d-a526-3c0255df2ad5?resourceVersion=id%3A46\"}},\"attributes\":{\"drupal_internal__tid\":46,\"drupal_internal__revision_id\":46,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:06:13+00:00\",\"status\":true,\"name\":\"Security Operations\",\"description\":null,\"weight\":6,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":{\"drupal_internal__target_id\":\"topics\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0534f7e2-9894-488d-a526-3c0255df2ad5/vid?resourceVersion=id%3A46\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0534f7e2-9894-488d-a526-3c0255df2ad5/relationships/vid?resourceVersion=id%3A46\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0534f7e2-9894-488d-a526-3c0255df2ad5/revision_user?resourceVersion=id%3A46\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/05
34f7e2-9894-488d-a526-3c0255df2ad5/relationships/revision_user?resourceVersion=id%3A46\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0534f7e2-9894-488d-a526-3c0255df2ad5/parent?resourceVersion=id%3A46\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0534f7e2-9894-488d-a526-3c0255df2ad5/relationships/parent?resourceVersion=id%3A46\"}}}}},{\"type\":\"paragraph--page_section\",\"id\":\"72d40c3c-330d-4194-ad1e-c61c29f5a60d\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/72d40c3c-330d-4194-ad1e-c61c29f5a60d?resourceVersion=id%3A17491\"}},\"attributes\":{\"drupal_internal__id\":3306,\"drupal_internal__revision_id\":17491,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-06-16T16:25:55+00:00\",\"parent_id\":\"581\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":{\"value\":\"$18\",\"format\":\"body_text\",\"processed\":\"$19\"}},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":{\"drupal_internal__target_id\":\"page_section\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/72d40c3c-330d-4194-ad1e-c61c29f5a60d/paragraph_type?resourceVersion=id%3A17491\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/72d40c3c-330d-4194-ad1e-c61c29f5a60d/relationships/paragraph_type?resourceVersion=id%3A17491\"}}},\"field_specialty_item\":{\"data\":{\"type\":\"paragraph--call_out_box\",\"id
\":\"25f6f306-3012-46b5-a0ae-946e0b21d364\",\"meta\":{\"target_revision_id\":17490,\"drupal_internal__target_id\":3307}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/72d40c3c-330d-4194-ad1e-c61c29f5a60d/field_specialty_item?resourceVersion=id%3A17491\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/72d40c3c-330d-4194-ad1e-c61c29f5a60d/relationships/field_specialty_item?resourceVersion=id%3A17491\"}}}}},{\"type\":\"paragraph--page_section\",\"id\":\"b46cc06c-9584-4143-8dc1-4e95c87edf2b\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/b46cc06c-9584-4143-8dc1-4e95c87edf2b?resourceVersion=id%3A17498\"}},\"attributes\":{\"drupal_internal__id\":3313,\"drupal_internal__revision_id\":17498,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-06-16T16:33:16+00:00\",\"parent_id\":\"581\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":{\"value\":\"$1a\",\"format\":\"body_text\",\"processed\":\"$1b\"}},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":{\"drupal_internal__target_id\":\"page_section\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/b46cc06c-9584-4143-8dc1-4e95c87edf2b/paragraph_type?resourceVersion=id%3A17498\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/b46cc06c-9584-4143-8dc1-4e95c87edf2b/relationships/paragraph_type?resourceVersion=id%3A17498\"}}},\"field_specialty_item\":{\"data\":{\"type\":\"paragraph--process_list\",\"id\":\"b320f281-cb7a-481f-966a-4d51a53dc8e8\",\"meta\":{\"target_revision_id\":17497,\"drupal_internal__target_id\":3312}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_sect
ion/b46cc06c-9584-4143-8dc1-4e95c87edf2b/field_specialty_item?resourceVersion=id%3A17498\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/b46cc06c-9584-4143-8dc1-4e95c87edf2b/relationships/field_specialty_item?resourceVersion=id%3A17498\"}}}}},{\"type\":\"paragraph--call_out_box\",\"id\":\"25f6f306-3012-46b5-a0ae-946e0b21d364\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/25f6f306-3012-46b5-a0ae-946e0b21d364?resourceVersion=id%3A17490\"}},\"attributes\":{\"drupal_internal__id\":3307,\"drupal_internal__revision_id\":17490,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-06-16T16:32:39+00:00\",\"parent_id\":\"3306\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_specialty_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_call_out_link\":{\"uri\":\"entity:node/1119\",\"title\":\"\",\"options\":[],\"url\":\"/policy-guidance/threat-modeling-handbook\"},\"field_call_out_link_text\":\"Take me to the handbook!\",\"field_call_out_text\":{\"value\":\"Learn more about the process by reading the CMS Threat Modeling Handbook.\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eLearn more about the process by reading the CMS Threat Modeling Handbook.\u003c/p\u003e\\n\"},\"field_header\":\"Want to dive into Threat Modeling? 
\"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"a1d0a205-c6c9-4816-b701-4763d05de8e8\",\"meta\":{\"drupal_internal__target_id\":\"call_out_box\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/25f6f306-3012-46b5-a0ae-946e0b21d364/paragraph_type?resourceVersion=id%3A17490\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/call_out_box/25f6f306-3012-46b5-a0ae-946e0b21d364/relationships/paragraph_type?resourceVersion=id%3A17490\"}}}}},{\"type\":\"paragraph--process_list\",\"id\":\"b320f281-cb7a-481f-966a-4d51a53dc8e8\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/b320f281-cb7a-481f-966a-4d51a53dc8e8?resourceVersion=id%3A17497\"}},\"attributes\":{\"drupal_internal__id\":3312,\"drupal_internal__revision_id\":17497,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-06-16T16:33:43+00:00\",\"parent_id\":\"3313\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_specialty_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_process_list_conclusion\":null},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"8a1fa202-0dc7-4f58-9b3d-7f9c44c9a9c8\",\"meta\":{\"drupal_internal__target_id\":\"process_list\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/b320f281-cb7a-481f-966a-4d51a53dc8e8/paragraph_type?resourceVersion=id%3A17497\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/b320f281-cb7a-481f-966a-4d51a53dc8e8/relationships/paragraph_type?resourceVersion=id%3A17497\"}}},\"field_process_list_item\":{\"data\":[{\"type\":\"paragraph--process_list_item\",\"id\":\"70b61f4c-86e3-4a9f-9ab5-6c3871466b51\",\"meta\":{\"target_revision_id\":17492,\"drupal_internal__target_id\":3308}},{\"type\":\"paragraph--process_list_item\",\"i
d\":\"74c18b2f-cb19-43e5-9bf3-7dc782cfce6f\",\"meta\":{\"target_revision_id\":17493,\"drupal_internal__target_id\":3309}},{\"type\":\"paragraph--process_list_item\",\"id\":\"4aab4392-1868-4bd1-b6e0-7239f942ddeb\",\"meta\":{\"target_revision_id\":17494,\"drupal_internal__target_id\":3310}},{\"type\":\"paragraph--process_list_item\",\"id\":\"8e9bf5b1-29af-427d-ab12-8e7ca165467e\",\"meta\":{\"target_revision_id\":17495,\"drupal_internal__target_id\":3311}},{\"type\":\"paragraph--process_list_item\",\"id\":\"7f36d59c-9bdf-40de-a387-9395b6e9d85a\",\"meta\":{\"target_revision_id\":17496,\"drupal_internal__target_id\":3486}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/b320f281-cb7a-481f-966a-4d51a53dc8e8/field_process_list_item?resourceVersion=id%3A17497\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/b320f281-cb7a-481f-966a-4d51a53dc8e8/relationships/field_process_list_item?resourceVersion=id%3A17497\"}}}}},{\"type\":\"paragraph--process_list_item\",\"id\":\"70b61f4c-86e3-4a9f-9ab5-6c3871466b51\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/70b61f4c-86e3-4a9f-9ab5-6c3871466b51?resourceVersion=id%3A17492\"}},\"attributes\":{\"drupal_internal__id\":3308,\"drupal_internal__revision_id\":17492,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-06-16T16:33:43+00:00\",\"parent_id\":\"3312\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":{\"value\":\"\u003cp\u003eLearn about the process of threat modeling to decide when the right time is to engage with the\u0026nbsp;\u003cstrong\u003eCMS Threat Modeling Team\u0026nbsp;\u003c/strong\u003ebased on your systems current compliance and authorization 
schedule.\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eLearn about the process of threat modeling to decide when the right time is to engage with the\u0026nbsp;\u003cstrong\u003eCMS Threat Modeling Team\u0026nbsp;\u003c/strong\u003ebased on your systems current compliance and authorization schedule.\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\"},\"field_list_item_title\":\"Read the Threat Modeling Handbook \"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":{\"drupal_internal__target_id\":\"process_list_item\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/70b61f4c-86e3-4a9f-9ab5-6c3871466b51/paragraph_type?resourceVersion=id%3A17492\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/70b61f4c-86e3-4a9f-9ab5-6c3871466b51/relationships/paragraph_type?resourceVersion=id%3A17492\"}}}}},{\"type\":\"paragraph--process_list_item\",\"id\":\"74c18b2f-cb19-43e5-9bf3-7dc782cfce6f\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/74c18b2f-cb19-43e5-9bf3-7dc782cfce6f?resourceVersion=id%3A17493\"}},\"attributes\":{\"drupal_internal__id\":3309,\"drupal_internal__revision_id\":17493,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-06-16T16:34:01+00:00\",\"parent_id\":\"3312\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":{\"value\":\"\u003cp\u003ePlease complete the\u0026nbsp;\u003ca href=\\\"https://forms.office.com/g/3jfhwGyHdQ\\\"\u003eThreat Modeling Intake Form\u003c/a\u003e. 
The\u0026nbsp;\u003cstrong\u003eCMS Threat Modeling Team\u003c/strong\u003e will use the answers you provide in this questionnaire to help inform future planning sessions.\u003c/p\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003ePlease complete the\u0026nbsp;\u003ca href=\\\"https://forms.office.com/g/3jfhwGyHdQ\\\"\u003eThreat Modeling Intake Form\u003c/a\u003e. The\u0026nbsp;\u003cstrong\u003eCMS Threat Modeling Team\u003c/strong\u003e will use the answers you provide in this questionnaire to help inform future planning sessions.\u003c/p\u003e\"},\"field_list_item_title\":\"Fill out the Threat Modeling intake form\"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":{\"drupal_internal__target_id\":\"process_list_item\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/74c18b2f-cb19-43e5-9bf3-7dc782cfce6f/paragraph_type?resourceVersion=id%3A17493\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/74c18b2f-cb19-43e5-9bf3-7dc782cfce6f/relationships/paragraph_type?resourceVersion=id%3A17493\"}}}}},{\"type\":\"paragraph--process_list_item\",\"id\":\"4aab4392-1868-4bd1-b6e0-7239f942ddeb\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/4aab4392-1868-4bd1-b6e0-7239f942ddeb?resourceVersion=id%3A17494\"}},\"attributes\":{\"drupal_internal__id\":3310,\"drupal_internal__revision_id\":17494,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-06-16T16:34:20+00:00\",\"parent_id\":\"3312\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":{\"value\":\"\u003cp\u003eTo start things off, facilitators from the\u0026nbsp;\u003cstrong\u003eCMS Threat Modeling Team\u003c/strong\u003e 
will meet with the system/business owner, ISSO, and up to 2 senior developers to talk about the process, time commitment, and outputs expected in future threat model sessions. This meeting takes about 30 minutes.\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eTo start things off, facilitators from the\u0026nbsp;\u003cstrong\u003eCMS Threat Modeling Team\u003c/strong\u003e will meet with the system/business owner, ISSO, and up to 2 senior developers to talk about the process, time commitment, and outputs expected in future threat model sessions. This meeting takes about 30 minutes.\u003c/p\u003e\u003cp\u003e\u0026nbsp;\u003c/p\u003e\"},\"field_list_item_title\":\"Meet with the CMS Threat Modeling Team\"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":{\"drupal_internal__target_id\":\"process_list_item\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/4aab4392-1868-4bd1-b6e0-7239f942ddeb/paragraph_type?resourceVersion=id%3A17494\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/4aab4392-1868-4bd1-b6e0-7239f942ddeb/relationships/paragraph_type?resourceVersion=id%3A17494\"}}}}},{\"type\":\"paragraph--process_list_item\",\"id\":\"8e9bf5b1-29af-427d-ab12-8e7ca165467e\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/8e9bf5b1-29af-427d-ab12-8e7ca165467e?resourceVersion=id%3A17495\"}},\"attributes\":{\"drupal_internal__id\":3311,\"drupal_internal__revision_id\":17495,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-06-16T16:34:39+00:00\",\"parent_id\":\"3312\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":{\"value\"
:\"\u003cp\u003eDepending on the complexity of your system or application, you can expect to have two to three threat modeling sessions in total. Each one to two-hour session will focus on walking through a\u0026nbsp;\u003ca href=\\\"https://confluenceent.cms.gov/display/CTM/Getting+Started+with+Threat+Modeling#GettingStartedwithThreatModeling-STRIDEThreatModelingMethodology\\\"\u003eData Flow Diagram (DFD)\u003c/a\u003e, identifying threats using STRIDE or other methods, and determining mitigations or countermeasures to the identified threats. We will work with you to determine if the recommended mitigations are in place or if they need to be implemented in the near future. We may also help you determine the level of risk to your system based on the potential impact of identified vulnerabilities.\u003c/p\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eDepending on the complexity of your system or application, you can expect to have two to three threat modeling sessions in total. Each one to two-hour session will focus on walking through a\u0026nbsp;\u003ca href=\\\"https://confluenceent.cms.gov/display/CTM/Getting+Started+with+Threat+Modeling#GettingStartedwithThreatModeling-STRIDEThreatModelingMethodology\\\"\u003eData Flow Diagram (DFD)\u003c/a\u003e, identifying threats using STRIDE or other methods, and determining mitigations or countermeasures to the identified threats. We will work with you to determine if the recommended mitigations are in place or if they need to be implemented in the near future. 
We may also help you determine the level of risk to your system based on the potential impact of identified vulnerabilities.\u003c/p\u003e\"},\"field_list_item_title\":\"Complete Threat Modeling sessions\"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":{\"drupal_internal__target_id\":\"process_list_item\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/8e9bf5b1-29af-427d-ab12-8e7ca165467e/paragraph_type?resourceVersion=id%3A17495\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/8e9bf5b1-29af-427d-ab12-8e7ca165467e/relationships/paragraph_type?resourceVersion=id%3A17495\"}}}}},{\"type\":\"paragraph--process_list_item\",\"id\":\"7f36d59c-9bdf-40de-a387-9395b6e9d85a\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/7f36d59c-9bdf-40de-a387-9395b6e9d85a?resourceVersion=id%3A17496\"}},\"attributes\":{\"drupal_internal__id\":3486,\"drupal_internal__revision_id\":17496,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-12-18T21:16:38+00:00\",\"parent_id\":\"3312\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":{\"value\":\"\u003cp\u003eLike other cybersecurity practices, threat modeling is most effective as an ongoing process for securing your system. Every application is unique, but we recommend reviewing and updating your threat model(s) at least annually, or as part of your change management process. 
The\u0026nbsp;\u003cstrong\u003eCMS Threat Modeling team\u003c/strong\u003e can help you design a schedule that makes the most sense for you and your system.\u003c/p\u003e\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eLike other cybersecurity practices, threat modeling is most effective as an ongoing process for securing your system. Every application is unique, but we recommend reviewing and updating your threat model(s) at least annually, or as part of your change management process. The\u0026nbsp;\u003cstrong\u003eCMS Threat Modeling team\u003c/strong\u003e can help you design a schedule that makes the most sense for you and your system.\u003c/p\u003e\"},\"field_list_item_title\":\"Ongoing Threat Modeling\"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":{\"drupal_internal__target_id\":\"process_list_item\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/7f36d59c-9bdf-40de-a387-9395b6e9d85a/paragraph_type?resourceVersion=id%3A17496\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/7f36d59c-9bdf-40de-a387-9395b6e9d85a/relationships/paragraph_type?resourceVersion=id%3A17496\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"362b0424-2e7e-47f8-9515-4e33c749a551\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/362b0424-2e7e-47f8-9515-4e33c749a551?resourceVersion=id%3A17499\"}},\"attributes\":{\"drupal_internal__id\":3314,\"drupal_internal__revision_id\":17499,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-06-16T16:35:06+00:00\",\"parent_id\":\"581\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"
id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/362b0424-2e7e-47f8-9515-4e33c749a551/paragraph_type?resourceVersion=id%3A17499\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/362b0424-2e7e-47f8-9515-4e33c749a551/relationships/paragraph_type?resourceVersion=id%3A17499\"}}},\"field_link\":{\"data\":{\"type\":\"node--library\",\"id\":\"d2252bee-8a5a-4d56-baba-a0ac106cd2cf\",\"meta\":{\"drupal_internal__target_id\":1119}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/362b0424-2e7e-47f8-9515-4e33c749a551/field_link?resourceVersion=id%3A17499\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/362b0424-2e7e-47f8-9515-4e33c749a551/relationships/field_link?resourceVersion=id%3A17499\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"de10201a-15bc-4af2-bde0-d2b2f67f3596\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/de10201a-15bc-4af2-bde0-d2b2f67f3596?resourceVersion=id%3A17500\"}},\"attributes\":{\"drupal_internal__id\":3315,\"drupal_internal__revision_id\":17500,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-06-16T16:35:12+00:00\",\"parent_id\":\"581\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/de10201a-15bc-4af2-bde0-d2b2f67f3596/paragraph_type?resourceVersion=id%3A17500\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/intern
al_link/de10201a-15bc-4af2-bde0-d2b2f67f3596/relationships/paragraph_type?resourceVersion=id%3A17500\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"42018625-2456-415e-bd2c-f1c061290d58\",\"meta\":{\"drupal_internal__target_id\":246}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/de10201a-15bc-4af2-bde0-d2b2f67f3596/field_link?resourceVersion=id%3A17500\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/de10201a-15bc-4af2-bde0-d2b2f67f3596/relationships/field_link?resourceVersion=id%3A17500\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"ded08c1c-6476-43b1-a316-7c38a1746aa4\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/ded08c1c-6476-43b1-a316-7c38a1746aa4?resourceVersion=id%3A17501\"}},\"attributes\":{\"drupal_internal__id\":3316,\"drupal_internal__revision_id\":17501,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-06-16T16:35:22+00:00\",\"parent_id\":\"581\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/ded08c1c-6476-43b1-a316-7c38a1746aa4/paragraph_type?resourceVersion=id%3A17501\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/ded08c1c-6476-43b1-a316-7c38a1746aa4/relationships/paragraph_type?resourceVersion=id%3A17501\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"dfeef1d1-c536-4496-97ad-5488a965a6cf\",\"meta\":{\"drupal_internal__target_id\":771}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/ded
08c1c-6476-43b1-a316-7c38a1746aa4/field_link?resourceVersion=id%3A17501\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/ded08c1c-6476-43b1-a316-7c38a1746aa4/relationships/field_link?resourceVersion=id%3A17501\"}}}}},{\"type\":\"node--library\",\"id\":\"d2252bee-8a5a-4d56-baba-a0ac106cd2cf\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/d2252bee-8a5a-4d56-baba-a0ac106cd2cf?resourceVersion=id%3A6216\"}},\"attributes\":{\"drupal_internal__nid\":1119,\"drupal_internal__vid\":6216,\"langcode\":\"en\",\"revision_timestamp\":\"2025-01-22T17:50:38+00:00\",\"status\":true,\"title\":\"CMS Threat Modeling Handbook\",\"created\":\"2023-06-16T16:27:11+00:00\",\"changed\":\"2025-01-22T17:50:38+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/policy-guidance/threat-modeling-handbook\",\"pid\":974,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":{\"value\":\"$1c\",\"format\":\"body_text\",\"processed\":\"$1d\",\"summary\":\"\"},\"field_contact_email\":\"ThreatModeling@cms.hhs.gov\",\"field_contact_name\":\"CMS Threat Modeling Team\",\"field_last_reviewed\":\"2024-02-21\",\"field_related_resources\":[],\"field_short_description\":{\"value\":\"Information and resources for teams to help them initiate and complete their system threat model\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eInformation and resources for teams to help them initiate and complete their system threat 
model\u003c/p\u003e\\n\"}},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"meta\":{\"drupal_internal__target_id\":\"library\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/d2252bee-8a5a-4d56-baba-a0ac106cd2cf/node_type?resourceVersion=id%3A6216\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/d2252bee-8a5a-4d56-baba-a0ac106cd2cf/relationships/node_type?resourceVersion=id%3A6216\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/d2252bee-8a5a-4d56-baba-a0ac106cd2cf/revision_uid?resourceVersion=id%3A6216\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/d2252bee-8a5a-4d56-baba-a0ac106cd2cf/relationships/revision_uid?resourceVersion=id%3A6216\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/d2252bee-8a5a-4d56-baba-a0ac106cd2cf/uid?resourceVersion=id%3A6216\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/d2252bee-8a5a-4d56-baba-a0ac106cd2cf/relationships/uid?resourceVersion=id%3A6216\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"e3394b9a-cbff-4bad-b68e-c6fad326132e\",\"meta\":{\"drupal_internal__target_id\":91}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/d2252bee-8a5a-4d56-baba-a0ac106cd2cf/field_resource_type?resourceVersion=id%3A6216\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/d2252bee-8a5a-4d56-baba-a0ac106cd2cf/relationships/field_resource_type?resourceVersion=id%3A6216\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term-
-roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/d2252bee-8a5a-4d56-baba-a0ac106cd2cf/field_roles?resourceVersion=id%3A6216\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/d2252bee-8a5a-4d56-baba-a0ac106cd2cf/relationships/field_roles?resourceVersion=id%3A6216\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"34eaf3c8-5635-4a38-b8c3-7225aa196f4c\",\"meta\":{\"drupal_internal__target_id\":41}},{\"type\":\"taxonomy_term--topics\",\"id\":\"0534f7e2-9894-488d-a526-3c0255df2ad5\",\"meta\":{\"drupal_internal__target_id\":46}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/d2252bee-8a5a-4d56-baba-a0ac106cd2cf/field_topics?resourceVersion=id%3A6216\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/d2252bee-8a5a-4d56-baba-a0ac106cd2cf/relationships/field_topics?resourceVersion=id%3A6216\"}}}}},{\"type\":\"node--explainer\",\"id\":\"42018625-2456-415e-bd2c-f1c061290d58\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58?resourceVersion=id%3A5668\"}},\"attributes\":{\"drupal_internal__nid\":246,\"drupal_internal__vid\":5668,\"langcode\":\"en\",\"revision_timestamp\":\"2024-07-12T15:23:53+00:00\",\"status\":true,\"title\":\"CMS Cloud 
Services\",\"created\":\"2022-08-26T14:47:12+00:00\",\"changed\":\"2024-07-12T15:23:53+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/cms-cloud-services\",\"pid\":236,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"cloudsupport@cms.hhs.gov\",\"field_contact_name\":\"CMS Cloud Support\",\"field_short_description\":{\"value\":\"Platform-As-A-Service with tools, security, and support services designed specifically for CMS\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003ePlatform-As-A-Service with tools, security, and support services designed specifically for CMS\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#cms-cloud-security-forum\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/node_type?resourceVersion=id%3A5668\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/node_type?resourceVersion=id%3A5668\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/revision_uid?resourceVersion=id%3A5668\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/revision_uid?resourceVersion=id%3A5668\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444
160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/uid?resourceVersion=id%3A5668\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/uid?resourceVersion=id%3A5668\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"15f8e7ab-00f6-4c17-b433-659267271131\",\"meta\":{\"target_revision_id\":18519,\"drupal_internal__target_id\":1371}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/field_page_section?resourceVersion=id%3A5668\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/field_page_section?resourceVersion=id%3A5668\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"b48e2348-59b0-42a6-9f44-62af8a94ddf1\",\"meta\":{\"target_revision_id\":18520,\"drupal_internal__target_id\":1376}},{\"type\":\"paragraph--internal_link\",\"id\":\"17ea04ed-0987-43ea-b494-7c051ddfcd28\",\"meta\":{\"target_revision_id\":18521,\"drupal_internal__target_id\":1381}},{\"type\":\"paragraph--internal_link\",\"id\":\"ae49a5b4-3922-4f8d-bbe5-624b243b4637\",\"meta\":{\"target_revision_id\":18522,\"drupal_internal__target_id\":1391}},{\"type\":\"paragraph--internal_link\",\"id\":\"3ebbf63a-35a8-4c15-8002-2b41f7ef528a\",\"meta\":{\"target_revision_id\":18523,\"drupal_internal__target_id\":1396}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/field_related_collection?resourceVersion=id%3A5668\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/field_related_collection?resourceVersion=id%3A5668\"}}},\"field_resource_type\":{\"data\":{\"type\":\"tax
onomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":{\"drupal_internal__target_id\":121}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/field_resource_type?resourceVersion=id%3A5668\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/field_resource_type?resourceVersion=id%3A5668\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/field_roles?resourceVersion=id%3A5668\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/field_roles?resourceVersion=id%3A5668\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"34eaf3c8-5635-4a38-b8c3-7225aa196f4c\",\"meta\":{\"drupal_internal__target_id\":41}},{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":{\"drupal_internal__target_id\":11}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/field_topics?resourceVersion=id%3A5668\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/42018625-2456-415e-bd2c-f1c061290d58/relationships/field_topics?resourceVersion=id%3A5668\"}}}}},{\"type\":\"node--explainer\",\"id\":\"dfeef1d1-c536-4496-97ad-5488a965a6cf\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf?resourceVersion=id%3A5861\"}},\"attributes\":{\"drupal_internal__nid\":771,\"drupal_internal__vid\":5861,\"l
angcode\":\"en\",\"revision_timestamp\":\"2024-08-08T14:51:46+00:00\",\"status\":true,\"title\":\"Ongoing Authorization (OA)\",\"created\":\"2023-03-06T21:09:39+00:00\",\"changed\":\"2024-08-08T14:51:46+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/ongoing-authorization-oa\",\"pid\":751,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy Team\",\"field_short_description\":{\"value\":\"Supporting the continuous compliance and safety of FISMA systems through proactive, ongoing monitoring activities\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eSupporting the continuous compliance and safety of FISMA systems through proactive, ongoing monitoring activities\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#oa-onboarding \",\"#security_community 
\",\"#CMS-CDM\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/node_type?resourceVersion=id%3A5861\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/node_type?resourceVersion=id%3A5861\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/revision_uid?resourceVersion=id%3A5861\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/revision_uid?resourceVersion=id%3A5861\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/uid?resourceVersion=id%3A5861\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/uid?resourceVersion=id%3A5861\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"8e64b2f7-d23c-4782-b0e3-e3b850374054\",\"meta\":{\"target_revision_id\":19161,\"drupal_internal__target_id\":2336}},{\"type\":\"paragraph--page_section\",\"id\":\"53ba39d8-a757-47cf-9d7e-e7a23389889e\",\"meta\":{\"target_revision_id\":19169,\"drupal_internal__target_id\":2351}},{\"type\":\"paragraph--page_section\",\"id\":\"123ffcec-1914-4725-a582-5c61bd8c9241\",\"meta\":{\"target_revision_id\":19171,\"drupal_internal__target_id\":2386}},{\"type\":\"paragraph--page_sectio
n\",\"id\":\"e5ef118a-a42b-4cfb-b5a6-cebc127739d3\",\"meta\":{\"target_revision_id\":19172,\"drupal_internal__target_id\":2426}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/field_page_section?resourceVersion=id%3A5861\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/field_page_section?resourceVersion=id%3A5861\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"de5326cf-552a-427c-9781-a4912ad4e45a\",\"meta\":{\"target_revision_id\":19173,\"drupal_internal__target_id\":2466}},{\"type\":\"paragraph--internal_link\",\"id\":\"b5f6c429-201a-4f5f-ae6e-05b6e235ddbc\",\"meta\":{\"target_revision_id\":19174,\"drupal_internal__target_id\":2471}},{\"type\":\"paragraph--internal_link\",\"id\":\"5a2be300-e6a0-41ff-9db9-5b88b77f18f2\",\"meta\":{\"target_revision_id\":19175,\"drupal_internal__target_id\":2476}},{\"type\":\"paragraph--internal_link\",\"id\":\"a7539e73-da37-44b0-ad17-9c481c5e89e9\",\"meta\":{\"target_revision_id\":19176,\"drupal_internal__target_id\":2481}},{\"type\":\"paragraph--internal_link\",\"id\":\"4f862230-6bb8-4954-b295-52e00e609ba5\",\"meta\":{\"target_revision_id\":19177,\"drupal_internal__target_id\":2486}},{\"type\":\"paragraph--internal_link\",\"id\":\"8f0f75de-c261-41da-9ef7-06ccd80efb66\",\"meta\":{\"target_revision_id\":19178,\"drupal_internal__target_id\":2491}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/field_related_collection?resourceVersion=id%3A5861\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/field_related_collection?resourceVersion=id%3A5861\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":{\"drupal_internal_
_target_id\":131}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/field_resource_type?resourceVersion=id%3A5861\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/field_resource_type?resourceVersion=id%3A5861\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/field_roles?resourceVersion=id%3A5861\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/field_roles?resourceVersion=id%3A5861\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":{\"drupal_internal__target_id\":36}},{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":{\"drupal_internal__target_id\":11}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/field_topics?resourceVersion=id%3A5861\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/field_topics?resourceVersion=id%3A5861\"}}}}}],\"includedMap\":{\"d185e460-4998-4d2b-85cb-b04f304dfb1b\":\"$1e\",\"ee0c4536-bc99-4440-92eb-6256599174e5\":\"$28\",\"dca2c49b-4a12-4d5f-859d-a759444160a4\":\"$2c\",\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\":\"$30\",\"9d999ae3-b43c-45fb-973e-dffe50c27da5\":\"$4a\",\"7a18463d-b0fc-
474f-8536-ad7db1b2e5ab\":\"$64\",\"f591f442-c0b0-4b8e-af66-7998a3329f34\":\"$7e\",\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\":\"$98\",\"34eaf3c8-5635-4a38-b8c3-7225aa196f4c\":\"$b2\",\"0534f7e2-9894-488d-a526-3c0255df2ad5\":\"$cc\",\"72d40c3c-330d-4194-ad1e-c61c29f5a60d\":\"$e6\",\"b46cc06c-9584-4143-8dc1-4e95c87edf2b\":\"$fb\",\"25f6f306-3012-46b5-a0ae-946e0b21d364\":\"$110\",\"b320f281-cb7a-481f-966a-4d51a53dc8e8\":\"$11f\",\"70b61f4c-86e3-4a9f-9ab5-6c3871466b51\":\"$13a\",\"74c18b2f-cb19-43e5-9bf3-7dc782cfce6f\":\"$147\",\"4aab4392-1868-4bd1-b6e0-7239f942ddeb\":\"$154\",\"8e9bf5b1-29af-427d-ab12-8e7ca165467e\":\"$161\",\"7f36d59c-9bdf-40de-a387-9395b6e9d85a\":\"$16e\",\"362b0424-2e7e-47f8-9515-4e33c749a551\":\"$17b\",\"de10201a-15bc-4af2-bde0-d2b2f67f3596\":\"$18d\",\"ded08c1c-6476-43b1-a316-7c38a1746aa4\":\"$19f\",\"d2252bee-8a5a-4d56-baba-a0ac106cd2cf\":\"$1b1\",\"42018625-2456-415e-bd2c-f1c061290d58\":\"$1ea\",\"dfeef1d1-c536-4496-97ad-5488a965a6cf\":\"$230\"}}}]\n"])</script><script>self.__next_f.push([1,"a:[[\"$\",\"meta\",\"0\",{\"name\":\"viewport\",\"content\":\"width=device-width, initial-scale=1\"}],[\"$\",\"meta\",\"1\",{\"charSet\":\"utf-8\"}],[\"$\",\"title\",\"2\",{\"children\":\"Threat Modeling | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"3\",{\"name\":\"description\",\"content\":\"Design practices that facilitate secure software development through organization and collaboration \"}],[\"$\",\"link\",\"4\",{\"rel\":\"canonical\",\"href\":\"https://security.cms.gov/learn/threat-modeling\"}],[\"$\",\"meta\",\"5\",{\"name\":\"google-site-verification\",\"content\":\"GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M\"}],[\"$\",\"meta\",\"6\",{\"property\":\"og:title\",\"content\":\"Threat Modeling | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"7\",{\"property\":\"og:description\",\"content\":\"Design practices that facilitate secure software development through organization and collaboration 
\"}],[\"$\",\"meta\",\"8\",{\"property\":\"og:url\",\"content\":\"https://security.cms.gov/learn/threat-modeling\"}],[\"$\",\"meta\",\"9\",{\"property\":\"og:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"10\",{\"property\":\"og:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"11\",{\"property\":\"og:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"12\",{\"property\":\"og:image\",\"content\":\"https://security.cms.gov/learn/threat-modeling/opengraph-image.jpg?d21225707c5ed280\"}],[\"$\",\"meta\",\"13\",{\"property\":\"og:type\",\"content\":\"website\"}],[\"$\",\"meta\",\"14\",{\"name\":\"twitter:card\",\"content\":\"summary_large_image\"}],[\"$\",\"meta\",\"15\",{\"name\":\"twitter:title\",\"content\":\"Threat Modeling | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"16\",{\"name\":\"twitter:description\",\"content\":\"Design practices that facilitate secure software development through organization and collaboration \"}],[\"$\",\"meta\",\"17\",{\"name\":\"twitter:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"18\",{\"name\":\"twitter:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"19\",{\"name\":\"twitter:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"20\",{\"name\":\"twitter:image\",\"content\":\"https://security.cms.gov/learn/threat-modeling/opengraph-image.jpg?d21225707c5ed280\"}],[\"$\",\"link\",\"21\",{\"rel\":\"icon\",\"href\":\"/favicon.ico\",\"type\":\"image/x-icon\",\"sizes\":\"48x48\"}]]\n"])</script><script>self.__next_f.push([1,"4:null\n"])</script></body></html>