Making the Case for Cybersecurity
2.3 MENDING THE THREADS WITH OMG SPECTRA
This is where the OMG SPECTRA standard comes in. SPECTRA( Systems Profile for Effective Cyber Threat-based Risk Assessments) defines a standardized semantic profile for cyber and cyberphysical systems, expressed in SysML. Its purpose is to enable security-focused tools to extract meaningful knowledge from system models— accurately, consistently, and automatically.
SPECTRA provides machine-readable semantics for constructs relevant to cybersecurity, including replaceable parts, information channels, and domain-specific data types. It enables tools to identify the technical digital surface of a system— the parts and pathways exposed to potential attack— and reason about vulnerabilities and controls in that context.
Together, SysML and UAF enable digital threads— structured, traceable pathways linking mission objectives to design elements, test artifacts, controls, and runtime behaviors. These threads form the foundation for big data analytics and adaptive security reasoning, provided they are unbroken and semantically coherent.
Importantly, SPECTRA doesn’ t require discarding existing SysML or UAF practices. Instead, it acts as a semantic overlay— filtering generic system and mission models to highlight the elements necessary for cybersecurity analysis. This enables automated tailoring of threats, risk scenarios, and mitigations based on the actual architecture of the system of interest.
3 RISK CLAIMS AS INFERENCE IN THE RISK-CENTRIC DECSECOPS PIPELINES
Having extended the DevSecOps culture to the model-based systems engineering, and mission engineering, how can risks be identified in this continuous environment, to make it risk-centric?
3.1 MANUAL RISK ASSESSMENT IS DEAD
In agile, cloud-native environments, manual risk assessments are a bottleneck. They depend on human interpretation of static documents, are rarely aligned with system reality, and cannot react to fast-changing threat conditions. Worse, they are disconnected from DevSecOps pipelines— creating a critical gap between operational velocity and assurance posture.
In contrast, the proposed framework treats risk assessment as a continuous, automated process, embedded directly into the development and operations lifecycle. System facts, vulnerabilities, threat models, and control data are represented as a structured knowledge graph. As this graph evolves— due to design changes, new CVEs, updated threat intelligence, or even runtime anomalies— machine-readable claims are recalculated, and assurance arguments are updated automatically.
Each stakeholder, from engineers to mission owners, receives targeted, up-to-date insight into the cybersecurity implications of their work. Risk awareness becomes persistent, explainable, and actionable— at the speed of deployment.
Journal of Innovation 43