NIST SP 800-154 (Initial Public Draft)

Guide to Data-Centric System Threat Modeling

Date Published: March 2016
Comments Due: April 15, 2016 (public comment period is CLOSED)
Email Questions to:


Murugiah Souppaya (NIST), Karen Scarfone (Scarfone Cybersecurity)


NIST requests public comments on draft Special Publication (SP) 800-154, Guide to Data-Centric System Threat Modeling. Data-centric system threat modeling is a form of risk assessment that models aspects of the attack and defense sides for selected data within a system. Draft SP 800-154 provides information on the basics of data-centric system threat modeling so that organizations can use it as part of their risk management processes instead of relying solely on conventional "best practice" recommendations.



Keywords

information security; risk assessment; risk management; threat modeling; threats; data security; vulnerabilities

Control Families

Assessment, Authorization and Monitoring; Program Management; Risk Assessment


Draft SP 800-154 (pdf)

Supplemental Material:
Comment Template (xlsx)

Document History:
03/14/16: SP 800-154 (Draft)