CCI-003255
CCI-003255 Definition
Status | |
Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
The organization being inspected/assessed defines and documents the decision points in the system development life cycle at which the developer of the information system, system component, or information system service is required to perform a criticality analysis IAW DoDI 5200.44 and DoDI 5000.2. Criticality analysis is an iterative process that should be performed whenever an architecture or design is being developed or modified, and executed across the acquisition life cycle, building on growing maturity and updated information. Criticality analysis is performed throughout the acquisition life cycle. At a minimum, the developer should support performing and updating the criticality analysis, along with the threat assessment, vulnerability assessment, risk assessment, cost-benefit trade-off and countermeasure selection, before each technical review.
Validation Procedures
The organization conducting the inspection/assessment obtains and examines the documented decision points to ensure the organization being inspected/assessed defines the decision points in the system development life cycle at which the developer of the information system, system component, or information system service is required to perform a criticality analysis IAW DoDI 5200.44 and DoDI 5000.2. DoD has determined the decision points are not appropriate to define at the Enterprise level.
Compelling Evidence
1.) System security plan (SSP).
2.) System development life cycle (SDLC) documentation.
3.) Continuous monitoring plan defining the decision points in the system development life cycle at which the developer of the information system, system component, or information system service is required to perform a criticality analysis.