Navigate

SA-15 (3)

SA-15 (3): Criticality Analysis

The organization requires the developer of the information system, system component, or information system service to perform a criticality analysis at [Assignment: organization-defined breadth/depth] and at [Assignment: organization-defined decision points in the system development life cycle].

Supplemental

This control enhancement provides developer input to the criticality analysis performed by organizations in SA-14. Developer input is essential to such analysis because organizations may not have access to detailed design documentation for information system components that are developed as commercial off-the-shelf (COTS) information technology products (e.g., functional specifications, high-level designs, low-level designs, and source code/hardware schematics).

CIA Levels
Confidentiality	high
Integrity	high
Availability	high

Overlays
None

Related Controls

The controls below (if any) were marked by NIST as being related to SA-15 (3).

Control	Description
SA-4	The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: SA-4a.: Security functional requirements; SA-4b.: Security strength requirements; SA-4c.: Security assurance requirements; SA-4d.: Security-related documentation requirements; SA-4e.: Requirements for protecting security-related documentation; SA-4f.: Description of the information system development environment and environment in which the system is intended to operate; and SA-4g.: Acceptance criteria.
SA-14	The organization identifies critical information system components and functions by performing a criticality analysis for [Assignment: organization-defined information systems, information system components, or information system services] at [Assignment: organization-defined decision points in the system development life cycle].

Control

Description

SA-4

The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs:

SA-4a.: Security functional requirements;

SA-4b.: Security strength requirements;

SA-4c.: Security assurance requirements;

SA-4d.: Security-related documentation requirements;

SA-4e.: Requirements for protecting security-related documentation;

SA-4f.: Description of the information system development environment and environment in which the system is intended to operate; and

SA-4g.: Acceptance criteria.

SA-14

The organization identifies critical information system components and functions by performing a criticality analysis for [Assignment: organization-defined information systems, information system components, or information system services] at [Assignment: organization-defined decision points in the system development life cycle].

Enhancements

The controls below (if any) add on to the requirements of SA-15 (3).

Control	Description
No controls

Related CCIs

The CCIs below are tied to SA-15 (3).

CCI	Definition
CCI-003253	The organization requires the developer of the information system, system component, or information system service to perform a criticality analysis at an organization-defined breadth/depth and at organization-defined decision points in the system development life cycle.
CCI-003254	The organization defines the breadth/depth at which the developer of the information system, system component, or information system service is required to perform a criticality analysis.
CCI-003255	The organization defines decision points in the system development life cycle at which the developer of the information system, system component, or information system service is required to perform a criticality analysis.