NIST Releases Criticality Analysis Guide
The agency is requesting public comments by Aug. 18 on the document, which will help organizations perform a step-by-step analysis to identify critical parts of a system that must not fail or be compromised if the system is to successfully support the organization's mission.
Nearly every organization depends on information or operational technology for its principal business or mission, but how can they keep the infrastructure up to date without jeopardizing its ability to function or breaking the budget? The National Institute of Standards and Technology (NIST) hopes to help answer this key question with new draft guidance to help organizations conduct criticality analyses.
The agency is requesting public comments by Aug. 18 on the document, which will help organizations perform a step-by-step analysis to identify critical parts of a system that must not fail or be compromised if the system is to successfully support the organization's mission.
The document is NIST Interagency Report (NISTIR) 8179, "Criticality Analysis Process Model." It builds on previous NIST guidance that emphasized the importance of identifying the critical points in a system but did not provide a method for doing so, says the agency. "This draft report shows people how to perform a criticality analysis that's tailored to their organization," explained NIST cybersecurity expert Jon Boyens, who co-authored the report with his colleague Celia Paulsen. "Each agency will have its own situation. We are developing this for the government, but we want it to be friendly and useful for the private sector."
"I think guidance like this will help secure the supply chain," said John Peterson, senior program manager at the Redhorse Corporation in San Diego. "A lot of these systems are integrated, so if you have one part that's compromised in some way, it could affect the entire system."
"The legacy problem is notorious throughout industry," said Carol Woody, technical manager for cybersecurity engineering at the Software Engineering Institute in Pittsburgh. "All organizations are trying to keep technology costs down. It's hard to do because they have to make choices that may not always anticipate problems 10 years down the road. What the NIST authors are doing is saying, 'Think broadly. Ask yourself why you bought something and how long it will be before it could conceivably need more capability—plan for its usable life and budget accordingly.'"