Next at #SteelCon was a talk about Threat Modelling; slides are available here: https://github.com/ajones17/TMT2025

They mentioned using the free Microsoft Threat Modelling software, available at https://aka.ms/tmt, and the various frameworks available:

STRIDE: https://www.microsoft.com/en-us/security/blog/2007/09/11/stride-chart/
PASTA: https://versprite.com/cybersecurity-listings/offsec/threat-models/
DREAD: https://download.microsoft.com/download/d/8/c/d8c02f31-64af-438c-a9f4-e31acb8e3333/Threats_Countermeasures.pdf

One interesting thing that makes sense, but I'd not really thought about, was that "offboarding" docs for a new supplier should be written at the same time as the "onboarding" docs.
If nothing else, it should signal to the supplier that you have thought about an exit strategy.