Navigate

CCI-004648

CCI-004648 Definition

Identify critical system components and functions by performing a criticality analysis for organization-defined systems, system components, or system services at organization-defined decision points in the system development life cycle.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

Determine if critical system components and functions are identified by performing a criticality analysis for [RA-09_ODP[01]; systems, system components, or system services to be analyzed for criticality are defined] at [RA-09_ODP[02]; decision points in the system development life cycle when a criticality analysis is to be performed are defined].

Validation Procedures

Examine: [SELECT FROM: Risk assessment policy; assessment reports; criticality analysis/finalized criticality for each component/subcomponent; audit records/event logs; analysis reports; system security plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with assessment and auditing responsibilities; organizational personnel with criticality analysis responsibilities; system/network administrators; organizational personnel with security responsibilities]. Test: [SELECT FROM: Organizational processes for assessments and audits; mechanisms/tools supporting and/or implementing assessments and auditing].

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-004648.

Control	Description
RA-9	Identify critical system components and functions by performing a criticality analysis for [systems, system components, or system services to be analyzed for criticality are defined;] at [decision points in the system development life cycle when a criticality analysis is to be performed are defined;].