Threat Assessment
An effective threat assessment is the foundation of any successful CUI program. It allows organizations to focus their resources on the most relevant risks rather than attempting to guard against every possible scenario. I’ll introduce a structured approach to identifying likely threat actors, evaluating their intent, capabilities, and opportunities, and aligning defensive measures accordingly.
Our goal is to create a layered strategy that not only addresses compliance but also strengthens resilience against real-world attacks. When you finish, you’ll have a threat model for your CUI environment that ensures you expend time, effort, and money toward a relevant and realistic strategy. This makes your security posture both compliant and strategically effective.
Threat Modeling
Cyber threat modeling is the structured process of identifying, analyzing, and prioritizing potential threats to your personnel, systems, data, and operations. It helps you understand how attackers might exploit weaknesses, which assets are most at risk, and what defensive measures are most effective.
Since our threat model is designed around protecting data that is largely available on the public Internet, it doesn’t have to be complicated. The value of a TSP’s data comes from its volume, not its content. When a military service member is conducting a PCS move, I can probably find out where they are going and when by simply following their social media. However, a threat actor might be interested in targeting your organization because they can get the same information on hundreds of service members at the same time.
Key elements of cyber threat modeling include:
- Threat Actor Analysis: Identify potential adversaries, such as criminal groups, state-sponsored actors, ransomware operators, or insider threats.
- Threat Scenario Modeling: Use the ICO framework to evaluate the Intent, Capabilities, and Opportunities of your chosen threat actors to target your organization. Consider specific tactics, techniques, and procedures (TTPs) relevant to the threat actors you’ve identified.
- Risk Scoring and Prioritization: Evaluate threats based on likelihood and impact. Methods like the ICO scoring matrix help quantify risk.
- Mitigation and Validation: Align security controls (e.g., NIST SP 800-171 requirements) to the modeled threats. Conduct penetration tests and tabletop exercises to validate that the controls address the most significant risks.
Threat Actor Analysis
Certain sectors are high-value targets. Because TSPs operate as part of the defense industrial base, they are inherently more likely to be targeted by threat actors. The size of your company also plays a major role in how likely you are to be targeted: larger companies holding large volumes of information attract more attention. Finally, a larger technology footprint also makes you a more attractive target.
Determining which threat actors are likely to target your organization is somewhat subjective, but basing the assessment on the size of your organization and of your technology footprint is a good starting point. The following table lists the types of threat actors that are likely to target your organization. The larger your footprint, the more likely you are to become a target.
| Threat Actor Type | Primary Motivation | Typical Targets | Examples |
|---|---|---|---|
| Nation-State | Political/Economic Espionage | Government, Defense, Critical Infrastructure | APT groups |
| Criminal Organizations | Financial Gain | E-commerce, Financial Services, Retail | Ransomware groups |
| Hacktivists | Ideology/Political Message | Companies with controversial policies | Anonymous, LulzSec |
| Insider Threats | Malice/Greed | Any organization | Disgruntled employees |
| Script Kiddies | Challenge/Recognition | Easy targets, vulnerable systems | Basic malware deployers |
Threat Scenario Modeling
Once you have determined the size of your footprint and what types of threat actors are likely to target your organization, you’ll need to determine how an attack is likely to take place. This can be as simple as an Internet search of recent attacks. Research what organizations were attacked, what information was targeted, what types of systems were targeted, and how they got in. With the answers to those questions in hand, you can make some safe assumptions based on the historical context.
Risk Scoring and Prioritization
Next, we use our list of threat actors and knowledge of successful attacks from the past to inform our answers to the ICO matrix. As previously mentioned, the ICO framework consists of Intent, Capability, and Opportunity.
That is:
- Do they want your data? (Intent)
- Can they get it? (Capability)
- Is your environment accessible to them? (Opportunity)
Score ICO by answering each of the five yes or no questions in each category for each actor. Add up the yes answers in each category and multiply them together to get your score. A score of 0 in any category results in a total of 0 for that actor. This is by design. If a threat actor has zero intent, zero capability, or zero opportunity, the risk is effectively negligible regardless of the other factors.
A high Intent score with low Opportunity means your controls are working but the threat remains — maintain vigilance.
A low Intent score with high Opportunity means you’re exposed but not currently targeted — still worth remediating since intent can change rapidly.
Let’s look at the questions in each category and then look at a scoring example.
Intent (Do they want your data?)
- Does this actor target your sector/industry?
- Does this actor historically target your CUI category?
- Do current geopolitical conditions, economic sanctions, military tensions, or policy actions increase this actor’s motivation to target data of the type your organization holds?
- Has this actor targeted your organization, its parent company, or any of its direct partners, vendors, or subcontractors in a known previous campaign?
- Would successfully compromising your CUI provide this threat actor with a meaningful advantage (e.g., military, economic, intelligence, financial, or political gain) relative to the effort required?
Capability (Can they get it?)
- Does this actor have a demonstrated ability to develop or acquire custom tools, zero-day exploits, or novel attack techniques beyond widely available commodity tools?
- Has this actor demonstrated the ability to maintain persistent, long-term access within compromised environments (weeks, months, or longer) while evading detection?
- Does this threat actor have sufficient organizational resources (funding, personnel, infrastructure) to conduct sustained or simultaneous campaigns against multiple targets?
- Has this actor demonstrated the ability to successfully compromise organizations with security maturity comparable to or greater than your own?
- Does this actor have a demonstrated ability to adapt its tactics, techniques, and procedures in response to defensive measures, public reporting, or infrastructure takedowns?
Opportunity (Is your environment accessible to them?)
- Does your organization operate internet-facing systems, services, or applications (e.g., VPNs, web portals, email gateways, cloud services) that fall within the scope of technologies this threat actor is known to exploit?
- Does your organization use software, hardware, or platforms (including operating systems, network devices, and third-party applications) for which this threat actor has demonstrated exploits or known targeting activity?
- Does your organization have supply chain relationships, managed service providers, cloud vendors, or contractor connections that this actor could leverage as an indirect access vector?
- Does your organization have personnel in roles (e.g., executives, system administrators, CUI data handlers, contracting officers) that would be viable targets for social engineering, spear-phishing, or recruitment by this threat actor?
- Does your organization have identified gaps, deficiencies, or POA&M items in its security controls (e.g., incomplete MFA deployment, unpatched systems, insufficient network segmentation, lack of EDR) that align with techniques this actor is known to exploit?
Scoring Example
| Threat Actor | I | C | O | Score (I × C × O) |
|---|---|---|---|---|
| Nation-State | 0 | 2 | 3 | 0 × 2 × 3 = 0 |
| Criminal Organizations | 2 | 4 | 4 | 2 × 4 × 4 = 32 |
| Hacktivists | 2 | 5 | 3 | 2 × 5 × 3 = 30 |
| Insider Threats | 3 | 3 | 3 | 3 × 3 × 3 = 27 |
| Script Kiddies | 3 | 2 | 1 | 3 × 2 × 1 = 6 |
Based on our analysis, Criminal Organizations are the top threat, followed by Hacktivists, and finally, Insider Threats.
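The scoring rule above (count the "yes" answers in each of the three categories, multiply the counts, and let a zero in any category zero the whole score) is simple enough to automate, which is useful once you have more actors or want to re-score after conditions change. The following is an added example, not code from the article: it encodes the rule, ranks actors, and reproduces the scoring table from constructed sample answers. The interpretation thresholds in `note()` (a count of 4 or more treated as "high", 2 or fewer as "low") are an assumption; the article describes those cases only qualitatively.

```python
"""ICO (Intent, Capability, Opportunity) risk scoring.

Added example, not part of the original article. Five yes/no questions per
category, count the "yes" answers, multiply the three counts. A zero in any
category yields a total of zero by design.
"""
from __future__ import annotations

from dataclasses import dataclass

CATEGORIES = ("intent", "capability", "opportunity")
QUESTIONS_PER_CATEGORY = 5


@dataclass(frozen=True)
class ICOResult:
    actor: str
    intent: int
    capability: int
    opportunity: int

    @property
    def score(self) -> int:
        # Multiplicative on purpose: no intent, capability or opportunity
        # means negligible risk regardless of the other two factors.
        return self.intent * self.capability * self.opportunity

    def note(self) -> str:
        """Qualitative reading of the result (thresholds are an assumption)."""
        if self.score == 0:
            return "negligible: at least one factor is zero"
        if self.intent >= 4 and self.opportunity <= 2:
            return "controls working, threat remains: maintain vigilance"
        if self.intent <= 2 and self.opportunity >= 4:
            return "exposed but not currently targeted: remediate anyway"
        return "prioritize relative to other actors"


def score_actor(actor: str, answers: dict[str, list[bool]]) -> ICOResult:
    """Turn yes/no answers (True = yes) into an ICOResult.

    `answers` maps each category to exactly five booleans, one per question,
    in the order the questions are listed.
    """
    counts: dict[str, int] = {}
    for cat in CATEGORIES:
        got = answers.get(cat)
        if got is None or len(got) != QUESTIONS_PER_CATEGORY:
            raise ValueError(f"{actor}: {cat} needs {QUESTIONS_PER_CATEGORY} answers")
        counts[cat] = sum(1 for a in got if a)
    return ICOResult(actor, counts["intent"], counts["capability"], counts["opportunity"])


def rank_actors(assessments: dict[str, dict[str, list[bool]]]) -> list[ICOResult]:
    """Score every actor and return them highest risk first."""
    results = [score_actor(actor, ans) for actor, ans in assessments.items()]
    return sorted(results, key=lambda r: r.score, reverse=True)


def render_table(results: list[ICOResult]) -> str:
    """Markdown table in the same shape as the article's scoring example."""
    lines = ["| Threat Actor | I | C | O | Score |", "|---|---|---|---|---|"]
    for r in results:
        lines.append(f"| {r.actor} | {r.intent} | {r.capability} | {r.opportunity} | {r.score} |")
    return "\n".join(lines)


def _yes(n: int) -> list[bool]:
    """Constructed helper: n 'yes' answers followed by 'no' for the rest."""
    return [True] * n + [False] * (QUESTIONS_PER_CATEGORY - n)


# Constructed sample answers chosen to reproduce the article's scoring table;
# a real assessment records the answer to each specific question.
SAMPLE_ASSESSMENT = {
    "Nation-State": {"intent": _yes(0), "capability": _yes(2), "opportunity": _yes(3)},
    "Criminal Organizations": {"intent": _yes(2), "capability": _yes(4), "opportunity": _yes(4)},
    "Hacktivists": {"intent": _yes(2), "capability": _yes(5), "opportunity": _yes(3)},
    "Insider Threats": {"intent": _yes(3), "capability": _yes(3), "opportunity": _yes(3)},
    "Script Kiddies": {"intent": _yes(3), "capability": _yes(2), "opportunity": _yes(1)},
}

if __name__ == "__main__":
    ranked = rank_actors(SAMPLE_ASSESSMENT)
    print(render_table(ranked))
    for r in ranked:
        print(f"{r.actor}: {r.note()}")
```

Re-running the script after a POA&M item closes (an Opportunity answer flipping from yes to no) shows directly how much that single control moved the actor's score, which is a more defensible basis for sequencing remediation than re-reading the matrix by hand.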
Mitigation and Validation
Once you have identified your threats, you need to actually implement controls that will deter and prevent them from attempting an attack. However, before deploying the controls, you need to validate that they will actually work. You can do this through penetration tests of a simulated environment or through tabletop exercises.
Penetration tests can be expensive, time consuming, and generally require a third party for quality results. I strongly recommend a penetration test if you have a large volume of data that is spread across a large, publicly exposed technology footprint. It’s really the only way to know with some level of certainty that your environment is protected.
Tabletop exercises can go a long way toward informing the effectiveness of your controls. Here’s a practical, step-by-step approach:
- Select a high-impact risk from the list of threat actors you’ve developed. For example, a ransomware attack on a critical system.
- With your team of decision makers, choose a realistic trigger for your environment (e.g., phishing email, breached account, unusual network traffic).
- Hold an open discussion that progresses through your incident response processes (e.g., initial detection → investigation → containment → documentation).
- Review and document all of the decision points where your teams were forced to choose a particular action (e.g., at T+15 min: contain or investigate further? At T+20 min: which key leaders should be notified? At T+30 min: engage external experts?).
At the conclusion of the tabletop exercise, analyze the results and validate your controls:
Document What Happened
- Actions Taken: What did each team member do?
- Decisions Made: Why were these choices made?
- Effectiveness: Did actions align with documented controls?
- Gaps Identified: Where did processes break down?
Validate Controls
- Control Effectiveness: Did existing controls work as intended?
- Control Gaps: What additional controls are needed?
- Process Issues: Were there bottlenecks or communication failures?
Finally, use your results to create a Plan of Action & Milestones (POA&M) to modify and/or improve your existing controls and implement new controls.
Key Success Factors
- Realism: Scenarios should mirror actual risks your organization faces.
- Participation: Include all relevant stakeholders and encourage lively discussion.
- Psychological Safety: All participants should feel safe to make mistakes.
- Focus on Learning: The goal is improvement, not blame.
- Follow-through: Implement the action plan from each exercise.
By following this approach, you’ll be able to effectively develop a realistic threat assessment, and validate that your security controls address your most significant risks through practical, actionable tabletop exercises.