Criticality Analysis Process Model: Prioritizing Systems and Components

NISTIR 8179 describes a Criticality Analysis Process Model – a structured method of prioritizing programs, systems, and components based on their importance to the mission and the risk that their ineffective or unsatisfactory operation or loss may present to the mission. The Criticality Analysis Process Model presented in this document adopts and adapts concepts presented in risk management, system engineering, software engineering, security engineering, privacy engineering, safety applications, business analysis, systems analysis, acquisition guidance, and cyber supply chain risk management publications. The Criticality Analysis Process Model can be used as a component of a holistic and comprehensive risk management approach that considers all risks, including information security and privacy risks. The Model can be used with a variety of risk management standards and guidelines including the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27000 family of standards and the suite of National Institute of Standards and Technology (NIST) Special Publications (SPs). The Model can also be used with systems and software engineering frameworks. The need for criticality analysis within information security emerged as systems have become more complex and supply chains used to create software, hardware, and services have become extended, geographically distributed, and vast