CCI-003231

The organization defines the information systems, information system components, or information system services for which the organization identifies critical information system components and functions for criticality analysis.

Implementation Guidance

The organization being inspected/assessed defines and documents the information systems, information system components, or information system services for which the organization identifies critical information system components and functions for criticality analysis IAW DoDI 5200.44. The organization should perform Criticality Analysis to identify and prioritize mission-critical functions and critical components in accordance with the DoDI 5200.44. The criticality analysis allows a program to focus attention (and resources) on the system capabilities, mission-critical functions that matter most. Mission-critical functions are those functions of the system that, if corrupted or disabled, would likely lead to mission failure or degradation. Mission-critical components are primarily the elements of the system (hardware, software, and firmware) that implement critical functions; however, system components that perform defensive functions to protect inherently critical components and other components with unmediated access to inherently critical components, may themselves be mission critical. DoD has determined the decision points are not appropriate to define at the Enterprise level.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the documented information systems, information system components, or information system services to ensure they have been defined IAW DoDI 5200.44. DoD has determined the information systems, information system components, or information system services are not appropriate to define at the Enterprise level.

Compelling Evidence

1.) System security plan (SSP). 2.) System development life cycle (SDLC) documentation. 3.) Continuous monitoring plan for defining the information systems, information system components, or information system services for which the organization identifies critical information system components and functions for criticality analysis.

The controls below (if any) were marked by NIST as being related to CCI-003231.