SA-11.2: Threat Modeling and Vulnerability Analyses
An OSCAL Control
- information: information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels to be used as contextual information for threat modeling and vulnerability analyses is defined;
- tools and methods: the tools and methods to be employed for threat modeling and vulnerability analyses are defined;
- breadth and depth: the breadth and depth of threat modeling to be conducted is defined;
- breadth and depth: the breadth and depth of vulnerability analyses to be conducted is defined;
- acceptance criteria: acceptance criteria to be met by produced evidence for threat modeling are defined;
- acceptance criteria: acceptance criteria to be met by produced evidence for vulnerability analyses are defined;