SA-15(3): Criticality Analysis

CSF v1.1 References:


  • Moderate
  • High

Previous Version:

Control Statement

Require the developer of the system, system component, or system service to perform a criticality analysis:

  1. At the following decision points in the system development life cycle: [Assignment: organization-defined decision points in the system development life cycle]; and
  2. At the following level of rigor: [Assignment: organization-defined breadth and depth of criticality analysis].

Supplemental Guidance

Criticality analysis performed by the developer provides input to the criticality analysis performed by organizations. Developer input is essential to organizational criticality analysis because organizations may not have access to detailed design documentation for system components that are developed as commercial off-the-shelf products. Such design documentation includes functional specifications, high-level designs, low-level designs, source code, and hardware schematics. Criticality analysis is important for organizational systems that are designated as high value assets. High value assets can be moderate- or high-impact systems due to heightened adversarial interest or potential adverse effects on the federal enterprise. Developer input is especially important when organizations conduct supply chain criticality analyses.