SA-15(3): Criticality Analysis

Control Family:

System And Services Acquisition

Parent Control:

SA-15: Development Process, Standards, And Tools

Priority:

P2: Implement P2 security controls after implementation of P1 controls.

CSF v1.1 References:

Baselines:

(Not part of any baseline)

Next Version:

NIST Special Publication 800-53 Revision 5:
SA-15(3): Criticality Analysis

Control Statement

The organization requires the developer of the information system, system component, or information system service to perform a criticality analysis at [Assignment: organization-defined breadth/depth] and at [Assignment: organization-defined decision points in the system development life cycle].

Supplemental Guidance

This control enhancement provides developer input to the criticality analysis performed by organizations in SA-14. Developer input is essential to such analysis because organizations may not have access to detailed design documentation for information system components that are developed as commercial off-the-shelf (COTS) information technology products (e.g., functional specifications, high-level designs, low-level designs, and source code/hardware schematics).