1. Enumerate your current software development lifecycle practices (code review, dependency management, build isolation, signing)
2. Map each practice to the corresponding NIST SP 800-218 SSDF practice and task using the SSDF practice areas as a guide
3. For each SLSA threat (e.g., compromised build platform, tampered source, bypassed CI), identify which SSDF practices and SLSA requirements address that threat
4. Identify gaps where no current practice addresses a documented threat and record them in a risk register
5. Prioritize gap remediation based on threat likelihood and impact, referencing SLSA level requirements as a maturity ladder
6. Document the mapping in a machine-readable format (e.g., OSCAL or a structured spreadsheet) for auditor review
Known gotchas
SSDF practice descriptions are intentionally outcome-based rather than prescriptive; mapping a specific tooling choice to an SSDF task requires careful justification, or auditors may not accept it
SLSA levels are cumulative; claiming a higher level without satisfying all lower-level requirements is invalid even if higher-level controls are technically in place
Threat mapping exercises can produce a false sense of coverage if they list mitigations that exist in policy but are not consistently enforced in practice
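The following Python script is an added example, not part of this page or of the official SSDF/SLSA text: it runs the gap analysis over a practice-to-threat mapping, only counts mitigations that are actually enforced (the policy-versus-practice gotcha), checks a claimed SLSA level against a cumulative ladder, and emits the mapping as a JSON-ready structure. All practice names, SSDF task ids, threat names and level requirements are constructed sample data.

```python
# Added example: gap analysis for an SSDF/SLSA practice-to-threat mapping.
# Every identifier below is constructed sample data, not official standard text.
import json
from dataclasses import dataclass
from typing import List, Set

@dataclass
class Practice:
    name: str
    ssdf_tasks: List[str]   # SSDF task ids this practice is claimed to satisfy
    threats: Set[str]       # SLSA-style threats the practice mitigates
    enforced: bool = True   # False: exists in policy only, so it earns no coverage

# Constructed inventory (enumerate practices, map to SSDF tasks and threats).
PRACTICES = [
    Practice("mandatory two-person code review", ["PW.7.1"], {"unauthorized change"}),
    Practice("pinned dependencies with hash check", ["PW.4.1"], {"compromised dependency"}),
    Practice("isolated ephemeral build runners", ["PO.3.2"], {"compromised build platform"},
             enforced=False),  # written in policy, not enforced on every pipeline
    Practice("signed release artifacts", ["PS.2.1"], {"tampered artifact"}),
]
THREATS = {"unauthorized change", "tampered source", "compromised build platform",
           "bypassed CI", "compromised dependency", "tampered artifact"}

def gap_register(practices, threats):
    """Threats with no *enforced* mitigation; these go into the risk register."""
    covered = set()
    for p in practices:
        if p.enforced:
            covered |= p.threats
    return sorted(threats - covered)

# Constructed maturity ladder: level -> requirements that level adds on top of lower ones.
LEVEL_REQS = {1: {"provenance exists"}, 2: {"hosted build", "signed provenance"},
              3: {"hardened build"}}

def highest_valid_level(satisfied, ladder=LEVEL_REQS):
    """Levels are cumulative: stop at the first level whose requirements are not all met."""
    level = 0
    for lvl in sorted(ladder):
        if not ladder[lvl] <= satisfied:
            break
        level = lvl
    return level

def export_mapping(practices, threats):
    """Machine-readable record of the mapping and its gaps for auditor review."""
    return {"practices": [{"name": p.name, "ssdf_tasks": p.ssdf_tasks,
                           "threats": sorted(p.threats), "enforced": p.enforced}
                          for p in practices],
            "gaps": gap_register(practices, threats)}

if __name__ == "__main__":
    print(json.dumps(export_mapping(PRACTICES, THREATS), indent=2))
```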