Many organizations struggle to answer a basic question: Which assets need to be protected the most? Given the large number of diverse threats organizations face, and the costs associated with protecting organizational assets, deciding which assets to focus on is not easy. To help organizations answer this question, NIST is releasing NIST Internal Report (NISTIR) 8179, Criticality Analysis Process Model: Prioritizing Systems and Components. This publication helps organizations identify the systems and components that are most vital and that may need additional security or other protections.
Identifying the assets of greatest importance is not a new concept. A number of disciplines have well-established methods for doing so, and these methods are used in a variety of industries, including banking and electric utilities. This publication proposes a unique model, called the Criticality Analysis Process Model, which builds on existing methods and approaches and is tailored specifically to the needs of information security and privacy risk management.
A criticality analysis is especially pertinent in the current technology environment in which organizations rely on third-party product and service providers for the development, integration, and management of the information technology and operational technology they use. Many standards and guidelines state the importance of a criticality analysis, but guidance on how to conduct such an analysis is often absent. Existing criticality analysis guidance is most often focused on prioritizing projects according to organizational goals, or prioritizing components according to system functionality. This fragmented view of criticality can result in an incomplete understanding of the potentially critical nature of a component to organizational goals. Instead, NISTIR 8179 describes a comprehensive method of prioritizing programs, systems, and components based on their importance to the goals of an organization and the impact that their inadequate operation or loss may present to those goals.
The Criticality Analysis Process Model is intended to be used as a component of a holistic and comprehensive risk management approach that considers all risks, including information security and privacy risks, to prioritize and tailor controls to those risks. The Model can be used with a variety of risk management standards and guidelines, including the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27000 family of standards and the suite of NIST Special Publications (SPs). It can also be used in conjunction with systems and software engineering, project management, and auditing/attestation frameworks.