CIS Control 16.14: Conduct Threat Modeling
Threat modeling is a structured approach to identifying and mitigating security risks before they reach production. CIS Control 16.14 requires organizations to use repeatable processes across the full software development lifecycle—from design through maintenance—to systematically identify threats, vulnerabilities, and effective countermeasures.
What this means
This control mandates that your organization establish a formal, repeatable threat modeling process applicable to every application. The process must identify and rate threats, attacks, vulnerabilities, and countermeasures. Critically, threat models must be reviewed and updated at each phase: pre-design, design, development, deployment, and maintenance. This ensures security considerations evolve with your software and remain current as threats change.
How to comply
- 1.Define a standard threat modeling methodology (e.g., STRIDE, PASTA, or attack trees) and document it in your secure development policy
- 2.Integrate threat modeling into your pre-design phase to identify risks before architecture decisions are finalized
- 3.Conduct formal threat modeling during design and development phases, documenting threats, vulnerabilities, and assigned mitigations
- 4.Review and update threat models before deployment to account for configuration, third-party dependencies, and environmental risks
- 5.Establish a maintenance schedule to refresh threat models during major software updates, security patches, or when new vulnerabilities emerge
- 6.Track all identified threats and their mitigation status in a centralized log or repository
- 7.Train development teams on threat modeling techniques and your organization's specific process
Evidence auditors look for
- Documented threat modeling methodology with defined roles, responsibilities, and review cadence
- Completed threat model artifacts for active applications (diagrams, threat matrices, or analysis reports)
- Evidence of threat model reviews at each SDLC phase with approval and sign-off
- Maintenance logs showing threat model updates following security patches or major releases
- Training records confirming development team participation in threat modeling sessions
- Risk registers linking identified threats to implemented or planned countermeasures
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates threat model tracking and SDLC phase evidence collection, so your team can document and maintain compliant threat models across all applications without manual spreadsheets.
See how GRCWatch handles this control automatically
Start free trial