# TLCTC Threat Identification Tool ## Documentation & JSON Specification **Version:** 2.1.0 **Date:** January 2025 **Framework:** Top Level Cyber Threat Clusters (TLCTC) v2.0 --- ## Table of Contents 1. [Overview](#1-overview) 2. [Core Concepts](#2-core-concepts) 3. [Application Features](#3-application-features) 4. [User Interface Guide](#4-user-interface-guide) 5. [JSON Schema Specification](#5-json-schema-specification) 6. [Threat Assignment Rules](#6-threat-assignment-rules) 7. [Creating Models from Architecture Documentation](#7-creating-models-from-architecture-documentation) 8. [Examples](#8-examples) 9. [Integration with TLCTC Framework](#9-integration-with-tlctc-framework) --- ## 1. Overview ### 1.1 Purpose The TLCTC Threat Identification Tool is a visual threat modeling application designed to: - Model software architectures as components and interfaces - Identify applicable TLCTC threat clusters for each element - Track threat status (Identified, Mitigated, Accepted) - Document control references for mitigated threats - Export structured JSON for integration with security workflows ### 1.2 Key Design Principle **Threats apply to their correct architectural element:** | Element Type | Applicable Threats | Rationale | |--------------|-------------------|-----------| | **Components** | #1-#4, #6-#10 | Vulnerabilities exist within systems, applications, and actors | | **Network Interfaces** | #5 only | Man-in-the-Middle applies exclusively to communication channels | | **Internal Interfaces** | None (default) | In-process calls have no network exposure | This separation follows TLCTC's cause-based classification: threats are assigned where the **generic vulnerability** exists, not where consequences manifest. ### 1.3 Relationship to TLCTC Whitepaper This tool implements the TLCTC v2.0 framework concepts: - **10 Strategic Clusters** (#1-#10) - **Velocity Classes** (VC-1 to VC-4) - **Responsibility Spheres** (@Org, @Vendor, @User, etc.) - **Bridge vs Internal Clusters** topology - **Control mapping** via cause-based identification Refer to the TLCTC Whitepaper for theoretical foundations, axioms, and classification rules. --- ## 2. Core Concepts ### 2.1 TLCTC Cluster Reference | ID | Name | Short | Description | Topology | |----|------|-------|-------------|----------| | #1 | Abuse of Functions | AoF | Designed capabilities misused | Internal | | #2 | Exploiting Server | ExS | Server-side code/config flaws | Internal | | #3 | Exploiting Client | ExC | Client-side code flaws | Internal | | #4 | Identity Theft | IdT | Credential/session compromise | Internal | | #5 | Man in the Middle | MitM | Communication interception | Internal | | #6 | Flooding Attack | Flood | Resource exhaustion | Internal | | #7 | Malware | Mal | Malicious code execution | Internal | | #8 | Physical Attack | Phys | Physical access exploitation | Bridge | | #9 | Social Engineering | SE | Human manipulation | Bridge | | #10 | Supply Chain | SC | Third-party trust exploitation | Bridge | ### 2.2 Velocity Classes | Class | Name | Time Range | Control Implications | |-------|------|------------|---------------------| | VC-1 | Strategic | Days to Months | Governance, vendor management | | VC-2 | Tactical | Hours | Incident response, monitoring | | VC-3 | Operational | Minutes | Automated detection, WAF | | VC-4 | Real-Time | Seconds | Inline controls, rate limiting | ### 2.3 Element Types #### Groups (Containers) Logical groupings representing deployment boundaries: - Servers, VMs, Containers, K8s Pods - Network zones (DMZ, Internal, External) - Trust boundaries #### Components Individual system elements with associated threats: - Applications, APIs, Services - Databases, Caches, Queues - Libraries, Runtimes - Users, Clients #### Interfaces Connections between components: - **Network**: Cross-boundary communication (applies #5) - **Internal**: In-process calls (no default threats) ### 2.4 Responsibility Spheres | Sphere | Description | |--------|-------------| | @Org | Your organization's responsibility | | @Vendor | Software/service vendor | | @Supplier | Supply chain partner | | @CloudProvider | Cloud infrastructure provider | | @MSP | Managed service provider | | @Partner | Business partner | | @Customer | Customer organization | | @User | End user | --- ## 3. Application Features ### 3.1 Visual Modeling - **Drag-and-drop** component placement - **Group containers** for logical boundaries - **Interface drawing** between components - **Visual threat indicators** (badges showing threat counts) - **Cluster filtering** to highlight specific threat types ### 3.2 Threat Management - **Auto-suggestion** of threats based on component type - **Manual addition/removal** of threat clusters - **Status tracking**: Identified → Mitigated → Accepted - **Velocity class** assignment - **Residual risk** rating (Critical/High/Medium/Low) - **Control reference URLs** for mitigated threats - **Notes field** for context and control descriptions ### 3.3 Threat Register - Consolidated view of all threats - Filterable by status, cluster, risk level - Shows both component and interface threats - Displays control documentation links - Export capability ### 3.4 Import/Export - **JSON**: Full model data for automation/integration - **PNG**: High-resolution raster for reports - **SVG**: Vector format for editing --- ## 4. User Interface Guide ### 4.1 Layout ``` ┌─────────────────────────────────────────────────────────────────┐ │ Header: Project Name | Import | Export | Settings | Register │ ├─────────┬───────────────────────────────────────┬───────────────┤ │ Left │ │ Right Panel │ │ Palette │ Canvas (SVG) │ (Properties) │ │ │ │ │ │ Groups │ ┌─────────┐ ┌─────────┐ │ Element Name │ │ ────── │ │ Group A │──────│ Group B │ │ Metadata │ │ [Types] │ │ ┌─────┐ │ │ ┌─────┐ │ │ ──────────── │ │ │ │ │Comp1│─┼──────┼─│Comp2│ │ │ Threats: │ │ Comps │ │ └─────┘ │ │ └─────┘ │ │ [#2] ExS ▼ │ │ ────── │ └─────────┘ └─────────┘ │ [#4] IdT ▼ │ │ [Types] │ │ + Add cluster │ │ │ │ │ ├─────────┴───────────────────────────────────────┴───────────────┤ │ Filter Bar: [All] [#1] [#2] [#3] [#4] [#5] [#6] [#7]... │ └─────────────────────────────────────────────────────────────────┘ ``` ### 4.2 Component Palette Components are organized by layer: | Layer | Components | |-------|------------| | **Infrastructure** | VM, Container, Serverless, Physical Host | | **Platform** | Linux OS, Windows OS, K8s Pod | | **Runtime** | Node.js, JVM, Python, .NET | | **Application** | API Endpoint, Web Server, Business Logic, Auth Module, File Handler, Queue Consumer | | **Library** | DB Client, HTTP Client, Auth Library, Crypto Library, Framework, ORM | | **External** | Database, Cache, Queue, Storage, IdP, 3rd Party API, CDN, Users, Clients | ### 4.3 Creating Elements 1. **Groups**: Drag group type to canvas 2. **Components**: Drag component to canvas (into group or standalone) 3. **Interfaces**: Click component → Click "Connect" mode → Click target ### 4.4 Managing Threats When a component or interface is selected: 1. View auto-assigned threats based on type 2. Change **Status**: Identified | Mitigated | Accepted 3. Set **Velocity Class**: VC-1 to VC-4 4. Set **Residual Risk**: Critical | High | Medium | Low 5. Add **Notes**: Control descriptions, CVE references 6. Add **Control Reference URL** (appears when Mitigated) 7. Add/remove threat clusters as needed --- ## 5. JSON Schema Specification ### 5.1 Root Structure ```json { "$schema": "tlctc-threat-identification-v2", "tlctc_version": "2.0", "metadata": { ... }, "system_model": { "groups": [ ... ], "components": [ ... ], "interfaces": [ ... ] }, "threat_register": [ ... ] } ``` ### 5.2 Metadata Object ```json { "metadata": { "name": "string", // Project name "version": "string", // Model version (semver) "author": "string", // Author name "created": "ISO8601", // Creation timestamp "sdlcPhase": "string", // Requirements|Design|Development|Testing|Deployment|Maintenance "description": "string", // Project description "exported": "ISO8601" // Export timestamp (auto-generated) } } ``` ### 5.3 Groups Array ```json { "groups": [ { "id": "string", // Unique identifier (e.g., "grp-dmz1") "name": "string", // Display name "type": "string", // group-server|group-container|group-pod|group-lambda "position": { "x": number, // Canvas X position "y": number // Canvas Y position }, "size": { "width": number, // Width in pixels "height": number // Height in pixels }, "metadata": { "version": "string", // Version info "owner": "string", // Responsibility sphere (@Org, @Vendor, etc.) "isThirdParty": boolean, // Third-party flag "environment": "string", // Production|Staging|Development|etc. "description": "string" // Optional description } } ] } ``` ### 5.4 Components Array ```json { "components": [ { "id": "string", // Unique identifier (e.g., "comp-api-gateway") "type": "string", // Component type ID (see Component Types table) "name": "string", // Display name "icon": "string", // Emoji icon "layer": "string", // infrastructure|platform|runtime|application|library|external "groupId": "string|null", // Parent group ID or null if standalone "position": { "x": number, // X position (relative to group if grouped) "y": number // Y position (relative to group if grouped) }, "metadata": { "version": "string", // Component version "owner": "string", // Responsibility sphere "isThirdParty": boolean, // Third-party flag "criticality": "string", // Critical|High|Medium|Low "description": "string", // Optional description "sbom": "string" // SBOM reference (for libraries) }, "threats": [ // Array of applicable threats { "cluster": { "strategic": "string", // Cluster ID (e.g., "#2") "operational": "string" // Operational code (e.g., "TLCTC-02.00") }, "applicable": boolean, // Is threat applicable? "status": "string", // Identified|Mitigated|Accepted "velocity_class": "string", // VC-1|VC-2|VC-3|VC-4 "residual_risk": "string", // Critical|High|Medium|Low "notes": "string", // Control description, context "control_ref": "string" // URL to control documentation } ] } ] } ``` ### 5.5 Component Types Reference | Type ID | Name | Layer | Default Threats | |---------|------|-------|-----------------| | `vm` | Virtual Machine | infrastructure | - | | `container` | Container | infrastructure | - | | `serverless` | Serverless Function | infrastructure | - | | `host` | Physical Host | infrastructure | - | | `os-linux` | Linux OS | platform | - | | `os-windows` | Windows OS | platform | - | | `k8s-pod` | K8s Pod | platform | - | | `runtime-node` | Node.js Runtime | runtime | - | | `runtime-jvm` | JVM | runtime | - | | `runtime-python` | Python Runtime | runtime | - | | `runtime-dotnet` | .NET Runtime | runtime | - | | `api-endpoint` | API Endpoint | application | #2, #4, #6 | | `web-server` | Web Server | application | #2, #4, #6 | | `app-logic` | Business Logic | application | #1, #2 | | `auth-module` | Auth Module | application | #4 | | `file-handler` | File Handler | application | #2, #7 | | `queue-consumer` | Queue Consumer | application | #1, #2 | | `db-client` | DB Client Library | library | #10, #4 | | `http-client` | HTTP Client Library | library | #10, #5 | | `auth-library` | Auth Library | library | #10, #4 | | `crypto-library` | Crypto Library | library | #10 | | `framework` | Web Framework | library | #10, #2 | | `orm` | ORM Library | library | #10, #2 | | `database` | Database | external | #1, #2, #4 | | `cache` | Cache (Redis) | external | #1, #4 | | `queue` | Message Queue | external | #1, #6 | | `storage` | Object Storage | external | #1, #4 | | `idp` | Identity Provider | external | #4, #10 | | `third-party-api` | 3rd Party API | external | #10 | | `cdn` | CDN | external | #10, #5 | | `user` | End User | external | #9 | | `admin` | Administrator | external | #9, #4 | | `client-browser` | Browser Client | external | #3, #9 | | `client-mobile` | Mobile Client | external | #3, #8, #9 | ### 5.6 Interfaces Array ```json { "interfaces": [ { "id": "string", // Unique identifier (e.g., "iface-api-db") "name": "string", // Display name (e.g., "API → Database") "type": "string", // network|internal "from": "string", // Source component ID "to": "string", // Target component ID "protocol": "string", // HTTPS|HTTP|gRPC|TCP|WebSocket|AMQP|Internal Call|etc. "port": "string", // Port number or "-" for internal "threats": [ // Only #5 for network interfaces { "cluster": { "strategic": "#5", "operational": "TLCTC-05.00" }, "applicable": boolean, "status": "string", // Identified|Mitigated|Accepted "velocity_class": "string", // Typically VC-4 for network "residual_risk": "string", "notes": "string", // TLS config, mTLS, etc. "control_ref": "string" // URL to TLS/encryption docs } ] } ] } ``` ### 5.7 Threat Register Array The threat register is a denormalized view for reporting: ```json { "threat_register": [ { // For component threats: "elementType": "component", "componentId": "string", "componentName": "string", "componentType": "string", "group": "string|null", // For interface threats: "elementType": "interface", "interfaceId": "string", "interfaceName": "string", "interfaceType": "string", "fromComponent": "string", "toComponent": "string", "fromGroup": "string|null", "toGroup": "string|null", "protocol": "string", // Common fields: "cluster": "string", // e.g., "#2" "clusterName": "string", // e.g., "Exploiting Server" "status": "string", "velocityClass": "string", "residualRisk": "string", "notes": "string", "controlRef": "string", "isNetworkInterface": boolean } ] } ``` --- ## 6. Threat Assignment Rules ### 6.1 Component Threat Assignment When analyzing architecture documentation, assign threats based on: #### Rule 1: Component Type Defaults Use the default threats from the Component Types table as a starting point. #### Rule 2: Third-Party Flag If `isThirdParty: true`, add **#10 (Supply Chain)** if not already present. #### Rule 3: Authentication Components Any component handling authentication should have **#4 (Identity Theft)**. #### Rule 4: User-Facing Components Components interacting with end users should consider **#9 (Social Engineering)**. #### Rule 5: Client Applications Mobile/desktop clients should include: - **#3** (Client-side exploitation) - **#8** (Physical device access) - **#9** (Social engineering of users) #### Rule 6: Server Components Servers/APIs should typically include: - **#2** (Server exploitation) - **#6** (Flooding/DoS) #### Rule 7: Data Stores Databases, caches, queues should include: - **#1** (Abuse of functions) - **#4** (Credential theft) ### 6.2 Interface Threat Assignment #### Rule 8: Network Interfaces Any interface crossing a group boundary (different `groupId`) or explicitly marked as network type gets **#5 (MitM)**. #### Rule 9: Internal Interfaces In-process calls within the same deployment unit get **no threats** by default (empty array). #### Rule 10: External Network Exposure Interfaces exposed to the internet should have #5 with careful attention to: - TLS version and configuration - Certificate validation - Certificate pinning (for mobile) ### 6.3 Status Assignment Guidelines | Status | When to Use | |--------|-------------| | **Identified** | Threat is recognized, no control in place yet | | **Mitigated** | Control is implemented and documented (add `control_ref`) | | **Accepted** | Risk accepted by business decision (document in notes) | ### 6.4 Velocity Class Guidelines | Attack Type | Typical VC | |-------------|------------| | Supply chain compromise | VC-1 | | Phishing campaign | VC-2 | | Credential stuffing | VC-2 | | SQL injection attempt | VC-3 | | API abuse | VC-3 | | DDoS attack | VC-4 | | MitM on network | VC-4 | --- ## 7. Creating Models from Architecture Documentation ### 7.1 Analysis Process When given architecture documentation (diagrams, text descriptions, network diagrams): #### Step 1: Identify Trust Boundaries - Network zones (DMZ, Internal, External) - Deployment units (VMs, containers, pods) - Organizational boundaries - **→ Create Groups** #### Step 2: Identify System Components - Applications and services - Databases and data stores - External systems and APIs - User/client types - Infrastructure elements - **→ Create Components with appropriate types** #### Step 3: Identify Data Flows - API calls between services - Database connections - External integrations - User interactions - **→ Create Interfaces** #### Step 4: Determine Network vs Internal - Same deployment unit/group → Internal - Different groups/zones → Network - **→ Set interface type** #### Step 5: Assign Initial Threats - Apply component type defaults - Add #10 for third-party components - Add #5 for network interfaces - **→ Populate threats arrays** #### Step 6: Assess and Classify - Set velocity classes based on attack speed - Set residual risk based on impact/likelihood - Set status based on control existence - Add control references for mitigations - **→ Complete threat objects** ### 7.2 Common Architecture Patterns #### Web Application (3-Tier) ``` Groups: [DMZ, Application, Database] Components: - DMZ: Load Balancer (#2, #6), WAF (#2, #4, #6) - App: Web Server (#2, #4, #6), App Logic (#1, #2) - DB: Database (#1, #2, #4) Interfaces: - LB → WAF (internal, no threats) - WAF → Web Server (network, #5) - Web Server → Database (network, #5) ``` #### Microservices ``` Groups: [API Gateway, Service A, Service B, Data] Components: - Gateway: API Gateway (#2, #4, #6) - Each Service: API (#2, #4, #6), Logic (#1, #2) - Data: Database per service (#1, #2, #4) Interfaces: - All inter-service: network, #5 (mTLS) - Service → DB: network, #5 ``` #### Mobile Banking ``` Groups: [External, DMZ-1, DMZ-2, Internal] Components: - External: Mobile App (#3, #8, #9), Authenticator (#3, #8, #9) - DMZ-1: Load Balancer (#2, #6), WAF (#2, #4, #6) - DMZ-2: IDP (#1, #2, #4), App Server (#1, #2, #4, #6) - Internal: Databases (#1, #2, #4), SIEM (#1, #4, #6) Interfaces: - Mobile → LB (network, #5 - TLS pinning) - All DMZ boundaries (network, #5 - mTLS) ``` ### 7.3 Reading Network Diagrams Look for: | Diagram Element | Maps To | |-----------------|---------| | Boxes/Rectangles | Components | | Dashed boxes | Groups (boundaries) | | Lines/Arrows | Interfaces | | Firewall symbols | Group boundaries (network interfaces) | | Cloud symbols | External/third-party (add #10) | | User icons | External users (add #9) | | Database cylinders | Database components (#1, #2, #4) | | Lock icons | Auth components (#4) | --- ## 8. Examples ### 8.1 Simple API with Database ```json { "$schema": "tlctc-threat-identification-v2", "tlctc_version": "2.0", "metadata": { "name": "Simple REST API", "version": "1.0.0", "author": "Example", "created": "2025-01-04T00:00:00.000Z", "sdlcPhase": "Design", "description": "Basic REST API with PostgreSQL database" }, "system_model": { "groups": [ { "id": "grp-app", "name": "Application Server", "type": "group-container", "position": { "x": 100, "y": 100 }, "size": { "width": 200, "height": 150 }, "metadata": { "version": "1.0", "owner": "@Org", "isThirdParty": false, "environment": "Production" } } ], "components": [ { "id": "comp-api", "type": "api-endpoint", "name": "REST API", "icon": "🌐", "layer": "application", "groupId": "grp-app", "position": { "x": 60, "y": 50 }, "metadata": { "version": "1.0.0", "owner": "@Org", "isThirdParty": false, "criticality": "High" }, "threats": [ { "cluster": { "strategic": "#2", "operational": "TLCTC-02.00" }, "applicable": true, "status": "Identified", "velocity_class": "VC-3", "residual_risk": "Medium", "notes": "Input validation required", "control_ref": "" }, { "cluster": { "strategic": "#4", "operational": "TLCTC-04.00" }, "applicable": true, "status": "Mitigated", "velocity_class": "VC-3", "residual_risk": "Low", "notes": "JWT authentication implemented", "control_ref": "https://docs.example.com/auth" }, { "cluster": { "strategic": "#6", "operational": "TLCTC-06.00" }, "applicable": true, "status": "Mitigated", "velocity_class": "VC-4", "residual_risk": "Low", "notes": "Rate limiting at 100 req/min", "control_ref": "https://docs.example.com/rate-limiting" } ] }, { "id": "comp-db", "type": "database", "name": "PostgreSQL", "icon": "🗄️", "layer": "external", "groupId": null, "position": { "x": 400, "y": 125 }, "metadata": { "version": "15.0", "owner": "@Org", "isThirdParty": false, "criticality": "Critical" }, "threats": [ { "cluster": { "strategic": "#1", "operational": "TLCTC-01.00" }, "applicable": true, "status": "Identified", "velocity_class": "VC-2", "residual_risk": "Medium", "notes": "Access control policies needed", "control_ref": "" }, { "cluster": { "strategic": "#2", "operational": "TLCTC-02.00" }, "applicable": true, "status": "Mitigated", "velocity_class": "VC-3", "residual_risk": "Low", "notes": "Parameterized queries via ORM", "control_ref": "https://docs.example.com/sql-injection" }, { "cluster": { "strategic": "#4", "operational": "TLCTC-04.00" }, "applicable": true, "status": "Mitigated", "velocity_class": "VC-2", "residual_risk": "Low", "notes": "Credentials in HashiCorp Vault", "control_ref": "https://docs.example.com/secrets" } ] } ], "interfaces": [ { "id": "iface-api-db", "name": "API → Database", "type": "network", "from": "comp-api", "to": "comp-db", "protocol": "TCP", "port": "5432", "threats": [ { "cluster": { "strategic": "#5", "operational": "TLCTC-05.00" }, "applicable": true, "status": "Mitigated", "velocity_class": "VC-4", "residual_risk": "Low", "notes": "PostgreSQL SSL mode=verify-full", "control_ref": "https://docs.example.com/db-encryption" } ] } ] }, "threat_register": [] } ``` ### 8.2 Third-Party Integration ```json { "id": "comp-payment-sdk", "type": "http-client", "name": "Stripe SDK", "icon": "📚", "layer": "library", "groupId": "grp-payment", "position": { "x": 60, "y": 80 }, "metadata": { "version": "14.0.0", "owner": "@Vendor", "isThirdParty": true, "criticality": "Critical", "sbom": "npm:stripe@14.0.0" }, "threats": [ { "cluster": { "strategic": "#10", "operational": "TLCTC-10.00" }, "applicable": true, "status": "Identified", "velocity_class": "VC-1", "residual_risk": "High", "notes": "Third-party dependency - version pinning, security monitoring", "control_ref": "" }, { "cluster": { "strategic": "#5", "operational": "TLCTC-05.00" }, "applicable": true, "status": "Mitigated", "velocity_class": "VC-4", "residual_risk": "Low", "notes": "TLS enforced by SDK", "control_ref": "https://stripe.com/docs/security" } ] } ``` --- ## 9. Integration with TLCTC Framework ### 9.1 Mapping to Whitepaper Concepts | Tool Concept | Whitepaper Reference | |--------------|---------------------| | Cluster IDs (#1-#10) | Table 1: TLCTC Strategic Clusters | | Velocity Classes | Section 4.2: Attack Velocity (Δt) | | Responsibility Spheres | Section 5: Responsibility Attribution | | Component Threats | Generic Vulnerabilities (cause-side) | | Interface Threats (#5) | Communication Channel Vulnerabilities | | Control References | Control Mapping (consequence-side) | ### 9.2 Operational Codes The `operational` field in threat clusters follows the pattern: ``` TLCTC-XX.YY Where: XX = Cluster number (01-10) YY = Sub-classification (00 = general) ``` Future versions may define sub-classifications (e.g., TLCTC-02.01 for SQL Injection specifically). ### 9.3 Using with TLCTC Analysis 1. **Input**: Architecture documentation + TLCTC Whitepaper 2. **Process**: Apply threat identification rules from this document 3. **Output**: JSON model importable into the tool 4. **Benefit**: Consistent, cause-based threat identification aligned with TLCTC taxonomy ### 9.4 Workflow Integration ``` ┌─────────────────┐ ┌──────────────────┐ ┌─────────────────┐ │ Architecture │────▶│ TLCTC Analysis │────▶│ JSON Model │ │ Documentation │ │ (This Guide + │ │ (Import to Tool)│ │ Network Diagrams│ │ Whitepaper) │ │ │ └─────────────────┘ └──────────────────┘ └─────────────────┘ │ ▼ ┌──────────────────┐ ┌─────────────────┐ │ Security Testing │◀────│ Threat Register │ │ Control Impl. │ │ Risk Priorities │ └──────────────────┘ └─────────────────┘ ``` --- ## Appendix A: Quick Reference Card ### Threat Assignment Checklist - [ ] All API endpoints have #2, #4, #6 - [ ] All databases have #1, #2, #4 - [ ] All third-party components have #10 - [ ] All user-facing components have #9 - [ ] All mobile clients have #3, #8, #9 - [ ] All network interfaces have #5 - [ ] All mitigated threats have control_ref URLs ### JSON Validation Checklist - [ ] All IDs are unique - [ ] All `groupId` references exist in groups array - [ ] All `from`/`to` in interfaces reference valid component IDs - [ ] All `type` values match Component Types table - [ ] All `cluster.strategic` values are #1-#10 - [ ] All `status` values are Identified|Mitigated|Accepted - [ ] All `velocity_class` values are VC-1|VC-2|VC-3|VC-4 - [ ] All `residual_risk` values are Critical|High|Medium|Low --- *Document Version: 2.1.0 | TLCTC Framework Version: 2.0*