NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION

SA-15(3)Criticality Analysis

Require the developer of the system, system component, or system service to perform a criticality analysis:

(a) At the following decision points in the system development life cycle: [Assignment: organization-defined decision points in the system development life cycle]; and

(b) At the following level of rigor: [Assignment: organization-defined breadth and depth of criticality analysis].

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Criticality analysis performed by the developer provides input to the criticality analysis performed by organizations. Developer input is essential to organizational criticality analysis because organizations may not have access to detailed design documentation for system components that are developed as commercial off-the-shelf products. Such design documentation includes functional specifications, high-level designs, low-level designs, source code, and hardware schematics. Criticality analysis is important for organizational systems that are designated as high value assets. High value assets can be moderate- or high-impact systems due to heightened adversarial interest or potential adverse effects on the federal enterprise. Developer input is especially important when organizations conduct supply chain criticality analyses.

Practitioner Notes

Apply criticality analysis to the development process: the most critical components should receive the most rigorous development practices, testing, and review.

Example 1: Classify software components by criticality: security-critical code (authentication, encryption, access control) gets the most rigorous review and testing. Standard business logic gets normal review. Non-critical utility code gets minimal review. This focuses your limited security review resources where they matter most.

Example 2: Document the required development rigor for each criticality level in your development standards: critical components require threat modeling, manual code review, and penetration testing; important components require SAST scanning and code review; standard components require SAST scanning only.
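A gate check that ties Example 1 and Example 2 together, written as an added illustration (not part of the control text or any NIST tooling): components are classified by their declared functions, and the review evidence recorded for each one is compared against the rigor its level requires. The function names, evidence labels and the mapping of "business logic" to the important level and "utility" to the standard level are assumptions made for this example.

```python
# Constructed example: classify components by criticality (Example 1) and check that the
# rigor evidence recorded for each one meets the bar set for its level (Example 2).
SECURITY_CRITICAL = {"authentication", "encryption", "access_control"}

# Rigor required at each criticality level, following the practitioner notes above.
REQUIRED_RIGOR = {
    "critical": {"threat_model", "manual_code_review", "penetration_test"},
    "important": {"sast", "code_review"},
    "standard": {"sast"},
}


def classify(functions):
    """Map a component's declared functions to a criticality level (assumed mapping)."""
    if SECURITY_CRITICAL & set(functions):
        return "critical"
    if "business_logic" in functions:
        return "important"
    return "standard"


def rigor_gaps(inventory):
    """Return {component: [missing activities]} for every component below its required rigor."""
    gaps = {}
    for name, info in inventory.items():
        level = classify(info["functions"])
        missing = REQUIRED_RIGOR[level] - set(info.get("evidence", ()))
        if missing:
            gaps[name] = sorted(missing)
    return gaps


# Constructed inventory (not a real project); 'evidence' lists activities already performed.
INVENTORY = {
    "auth-service": {"functions": ["authentication"],
                     "evidence": ["threat_model", "manual_code_review"]},
    "billing-api": {"functions": ["business_logic"], "evidence": ["sast", "code_review"]},
    "log-formatter": {"functions": ["utility"], "evidence": []},
}

if __name__ == "__main__":
    # Fails the build (non-zero exit) when any component is short of its required rigor.
    gaps = rigor_gaps(INVENTORY)
    for component, missing in gaps.items():
        level = classify(INVENTORY[component]["functions"])
        print(f"{component} ({level}): missing {', '.join(missing)}")
    raise SystemExit(1 if gaps else 0)
```

Run it at the decision points the control's assignment names (for instance before a release branch is cut) so a component that has been reclassified as critical is flagged before it ships without the added review steps.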