CCI-003254
CCI-003254 Definition
Status | |
Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
The organization being inspected/assessed defines and documents the breadth and depth to which the developer of the information system, system component, or information system service is required to perform a criticality analysis IAW DoDI 5200.44.

The criticality analysis allows a program to focus attention (and resources) on the system capabilities and mission-critical functions that matter most. Mission-critical functions are those functions of the system that, if corrupted or disabled, would likely lead to mission failure or degradation. Mission-critical components are primarily the elements of the system (hardware, software, and firmware) that implement critical functions; however, system components that perform defensive functions to protect inherently critical components, and other components with unmediated access to inherently critical components, may themselves be mission critical.

Criticality analysis is the primary method by which a program identifies mission-critical functions and associated components. It consists of the following iterative steps:

1. Identify and group mission threads.
2. Decompose the mission threads into their mission-critical functions and assign them criticality levels.
3. Map the mission-critical functions to the system architecture and identify the defined system components (hardware, software, and firmware) that implement those functions (i.e., components that are critical to the mission effectiveness of the system or an interfaced network).
4. Allocate criticality levels to those components that have been defined.

Criticality levels are determined by assessing the relative impact on the system's ability to complete its mission if the function and its associated component fail:

Level I: total mission failure.
Level II: significant/unacceptable degradation.
Level III: partial/acceptable.
Level IV: negligible.

The organization should reference the Defense Acquisition Guidebook (DAG) Chapter 13 for more information.
DoD has determined the breadth/depth are not appropriate to define at the Enterprise level.
Validation Procedures
The organization conducting the inspection/assessment obtains and examines the documented breadth and depth to ensure that the organization being inspected/assessed defines the breadth and depth to which the developer of the information system, system component, or information system service is required to perform a criticality analysis IAW DoDI 5200.44. DoD has determined the breadth/depth are not appropriate to define at the Enterprise level.
Compelling Evidence
1. System security plan (SSP).
2. System development life cycle (SDLC) documentation.
3. Continuous monitoring plan defining the breadth and depth to which the developer of the information system, system component, or information system service is required to perform a criticality analysis.