CCI-003254

Defines the breadth/depth of criticality analysis at which the developer of the system, system component, or system service is required to perform a criticality analysis.

Implementation Guidance

Determine if: - the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: [SA-15(03)_ODP[02]; the breadth of criticality analysis is defined]. - the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: [SA-15(03)_ODP[03]; the depth of criticality analysis is defined].

Validation Procedures

Examine: [SELECT FROM: Supply chain risk management plan; system and services acquisition policy; procedures addressing development process, standards, and tools; procedures addressing criticality analysis requirements for the system, system component, or system service; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; criticality analysis documentation; business impact analysis documentation; software development life cycle documentation; system security plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel responsible for performing criticality analysis; system developer; organizational personnel with supply chain risk management responsibilities]. Test: [SELECT FROM: Organizational processes for performing criticality analysis; mechanisms supporting and/or implementing criticality analysis].

The controls below (if any) were marked by NIST as being related to CCI-003254.