SA-15.3: Criticality Analysis

the developer of the system, system component, or system service is required to perform a criticality analysis at decision points in the system development life cycle;

Supply chain risk management plan

system and services acquisition policy

procedures addressing development process, standards, and tools

procedures addressing criticality analysis requirements for the system, system component, or system service

solicitation documentation

acquisition documentation

service level agreements

acquisition contracts for the system, system component, or system service

criticality analysis documentation

business impact analysis documentation

software development life cycle documentation

system security plan

other relevant documents or records

Organizational personnel with system and service acquisition responsibilities

organizational personnel with information security responsibilities

organizational personnel responsible for performing criticality analysis

system developer

organizational personnel with supply chain risk management responsibilities

Organizational processes for performing criticality analysis

mechanisms supporting and/or implementing criticality analysis