manage.get.gov/docs/compliance/dist/system-security-plans/ato/sa-15.3.md
Logan McDonald 1d3dfdb8d5
Add compliance documentation to source control (#116)
* add initial setup of compliance-trestle
2022-09-14 08:46:43 -04:00

implementation-status: c-not-implemented
control-origination: c-inherited-cloud-gov, c-inherited-cisa, c-common-control, c-system-specific-control

sa-15.3 - [catalog] Criticality Analysis

Control Statement

Require the developer of the system, system component, or system service to perform a criticality analysis:

  • [a] At the following decision points in the system development life cycle: decision points; and

  • [b] At the following level of rigor: organization-defined breadth and depth of criticality analysis.

Control guidance

Criticality analysis performed by the developer provides input to the criticality analysis performed by organizations. Developer input is essential to organizational criticality analysis because organizations may not have access to detailed design documentation for system components that are developed as commercial off-the-shelf products. Such design documentation includes functional specifications, high-level designs, low-level designs, source code, and hardware schematics. Criticality analysis is important for organizational systems that are designated as high value assets. High value assets can be moderate- or high-impact systems due to heightened adversarial interest or potential adverse effects on the federal enterprise. Developer input is especially important when organizations conduct supply chain criticality analyses.

Control assessment-objective

The developer of the system, system component, or system service is required to perform a criticality analysis at decision points in the system development life cycle; the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: breadth; the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: depth.


What is the solution and how is it implemented?


Implementation (a)

Add control implementation description here for item sa-15.3_smt.a


Implementation (b)

Add control implementation description here for item sa-15.3_smt.b