CCI-003253
CCI-003253 Definition
Status | |
Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
The organization being inspected/assessed requires within contracts/agreements that the developer of the information system, system component, or information system service perform a criticality analysis at the breadth/depth IAW DoDI 5200.44. The organization should develop Requests for Proposals (RFPs) and other contract language that require contractors to perform Criticality Analyses (CAs) periodically. Developer input into criticality analysis provides detailed design documentation for information system components (e.g., functional specifications, high-level designs, low-level designs, and source code/hardware schematics). Criticality analysis should be conducted in accordance with DoDI 5200.44 and DoDI 5000.2. Once the program has identified critical functions through the criticality analysis, the program systems engineers and SSEs can use the results, along with the vulnerability assessment and threat assessment, to determine the risk. The organization should reference the Defense Acquisition Guidebook (DAG) Chapter 13 for more information.
Validation Procedures
The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service perform a criticality analysis at the breadth/depth IAW DoDI 5200.44.
Compelling Evidence
1.) System security plan (SSP).
2.) System development life cycle (SDLC) documentation.
3.) Continuous monitoring plan requiring developers of the information system, system component or information system service to perform a criticality analysis at organization-defined breadth/depth and at organization-defined decision points in the system development life cycle.