SA-14 CRITICALITY ANALYSIS


Overview

Number: SA-14
Title: Criticality Analysis
Impact: (not listed)
Priority: P0
Subject Area: System And Services Acquisition

Instructions
The organization identifies critical information system components and functions by performing a criticality analysis for [Assignment: organization-defined information systems, information system components, or information system services] at [Assignment: organization-defined decision points in the system development life cycle].
Guidance
Criticality analysis is a key tenet of supply chain risk management and informs the prioritization of supply chain protection activities such as attack surface reduction, use of all-source intelligence, and tailored acquisition strategies. Information system engineers can conduct an end-to-end functional decomposition of an information system to identify mission-critical functions and components. The functional decomposition includes the identification of core organizational missions supported by the system, decomposition into the specific functions to perform those missions, and traceability to the hardware, software, and firmware components that implement those functions, including when the functions are shared by many components within and beyond the information system boundary. Information system components that allow for unmediated access to critical components or functions are considered critical due to the inherent vulnerabilities such components create. Criticality is assessed in terms of the impact of the function or component failure on the ability of the component to complete the organizational missions supported by the information system. A criticality analysis is performed whenever an architecture or design is being developed or modified, including upgrades.
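The functional decomposition described above can be kept as data and re-run whenever the architecture changes. The following is an added example, not part of the control text: it traces critical missions to functions to implementing components, then marks any component with unmediated access to a critical component as critical too. All mission, function and component names are constructed, and applying the unmediated-access rule transitively is an assumption of this sketch.

```python
from collections import deque

# Constructed sample system; every name below is hypothetical.
MISSIONS = {  # mission -> functions that perform it
    "process-payments": ["authorize-card", "settle-batch"],
    "publish-newsletter": ["render-email"],
}
CRITICAL_MISSIONS = {"process-payments"}  # assumed to be chosen by the organization
IMPLEMENTED_BY = {  # function -> hardware/software/firmware components implementing it
    "authorize-card": ["payment-api", "hsm-firmware"],
    "settle-batch": ["batch-worker", "ledger-db"],
    "render-email": ["template-svc"],
}
UNMEDIATED_ACCESS = {  # component -> components it reaches with no mediating control
    "backup-agent": ["ledger-db"],
    "mgmt-bmc": ["backup-agent"],
}


def criticality_analysis(missions, critical_missions, implemented_by, unmediated):
    """Return {component: reason} for every component judged critical."""
    critical = {}
    # Step 1: trace mission -> function -> component.
    for mission in sorted(critical_missions):
        for function in missions[mission]:
            for comp in implemented_by.get(function, []):
                critical.setdefault(comp, f"implements {function} for {mission}")
    # Step 2: invert the access edges so we can walk from a critical
    # component back to everything that can reach it unmediated.
    reverse = {}
    for src, targets in unmediated.items():
        for target in targets:
            reverse.setdefault(target, []).append(src)
    # Step 3: breadth-first propagation; a newly critical component is
    # itself a target whose unmediated accessors must be examined.
    queue = deque(sorted(critical))
    while queue:
        target = queue.popleft()
        for src in sorted(reverse.get(target, [])):
            if src not in critical:
                critical[src] = f"unmediated access to {target}"
                queue.append(src)
    return critical


if __name__ == "__main__":
    result = criticality_analysis(
        MISSIONS, CRITICAL_MISSIONS, IMPLEMENTED_BY, UNMEDIATED_ACCESS)
    for comp, reason in sorted(result.items()):
        print(f"{comp}: {reason}")
```

The recorded reason gives each critical component traceability back to a mission or to the access path that made it critical, which is what a reviewer needs when prioritizing supply chain protections.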

Enhancements
SA-14 (1) Critical Components With No Viable Alternative Sourcing

Withdrawn: Incorporated into SA-20.