CCI-003232
CCI-003232 Definition
Status | |
Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
The organization being inspected/assessed defines and documents the decision points in the system development life cycle at which to perform a criticality analysis to identify critical information system components and functions for organization-defined information systems, information system components, or information system services IAW DoDI 5200.44 and DoDI 5000.2. Criticality analysis is an iterative process that should be performed whenever an architecture or design is being developed or modified and executed across the acquisition lifecycle, building on growing maturity and updated information, in preparation for acquisition milestone reviews, and at other points in the acquisition lifecycle as defined by the DoDI 5000.2. A DoD program needs to perform criticality analysis throughout the acquisition life cycle. As a minimum, DoD programs need to perform/update a criticality analysis, along with the threat assessment, vulnerability assessment, risk assessment, cost-benefit trade-off and countermeasure selection, before each technical review. DoD has determined the decision points are not appropriate to define at the Enterprise level.
Validation Procedures
The organization conducting the inspection/assessment obtains and examines the documented decision points to ensure they have been defined IAW DoDI 5200.44 and DoDI 5000.2. DoD has determined the decision points are not appropriate to define at the Enterprise level.
Compelling Evidence
1.) System security plan (SSP).
2.) System development life cycle (SDLC) documentation.
3.) Continuous monitoring plan for defining the decision points in the system development life cycle at which to perform a criticality analysis to identify critical information system components and functions for organization-defined information systems, information system components, or information system services.