G.5.1 Criticality analysis
Control Details
Objective
Identify critical system components and functions by performing a criticality analysis.
Definition
Perform a criticality analysis of system components, functions, or services to assign cybersecurity supply chain risk management activities commensurate with the analysis based upon the likelihood and impact of an attack. Not all system components, functions, or services necessarily require significant protection. Items to consider in the analysis include system assets/data involved in the product, applicable laws, regulations, policies, standards, system functionality requirements, system and component interfaces, and system and component dependencies. The criticality analysis impacts the procedures contractually imposed on vendors.
Assessment Questions
- What process do you have for performing criticality analysis as input to assessments of supply chain risk management activities?