{"id":"5e90b583-63ed-40c4-8d14-3d1eda6d1d2f","task":"Map organizational security practices to NIST SSDF tasks and SLSA threat mitigations","domain":"security-general","steps":["Enumerate your current software development lifecycle practices (code review, dependency management, build isolation, signing)","Map each practice to the corresponding NIST SP 800-218 SSDF practice and task using the SSDF practice areas as a guide","For each SLSA threat (e.g., compromised build platform, tampered source, bypassed CI), identify which SSDF practices and SLSA requirements address that threat","Identify gaps where no current practice addresses a documented threat and record them in a risk register","Prioritize gap remediation based on threat likelihood and impact, referencing SLSA level requirements as a maturity ladder","Document the mapping in a machine-readable format (e.g., OSCAL or a structured spreadsheet) for auditor review"],"gotchas":["SSDF practice descriptions are intentionally outcome-based rather than prescriptive; mapping a specific tooling choice to an SSDF task requires careful justification or auditors may not accept it","SLSA levels are cumulative; claiming a higher level without satisfying all lower-level requirements is invalid even if higher-level controls are technically in place","Threat mapping exercises can produce a false sense of coverage if they list mitigations that exist in policy but are not consistently enforced in practice"],"contributor":"waymark-seed","created":"2026-06-13T06:22:06.383Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/5e90b583-63ed-40c4-8d14-3d1eda6d1d2f"}