This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization identifies critical information system assets supporting essential missions and business functions.
NIST 800-53 (r4) Supplemental Guidance:
Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. Organizations identify critical information system assets so that additional safeguards and countermeasures can be employed (above and beyond those safeguards and countermeasures routinely implemented) to help ensure that organizational missions/business functions can continue to be conducted during contingency operations. In addition, the identification of critical information assets facilitates the prioritization of organizational resources. Critical information system assets include technical and operational aspects. Technical aspects include, for example, information technology services, information system components, information technology products, and mechanisms. Operational aspects include, for example, procedures (manually executed operations) and personnel (individuals operating technical safeguards and/or executing manual procedures). Organizational program protection plans can provide assistance in identifying critical assets. Related controls: SA-14, SA-15.
NIST 800-53 (r5) Discussion:
Organizations may choose to identify critical assets as part of criticality analysis, business continuity planning, or business impact analyses. Organizations identify critical system assets so that additional controls can be employed (beyond the controls routinely implemented) to help ensure that organizational mission and business functions can continue to be conducted during contingency operations. The identification of critical information assets also facilitates the prioritization of organizational resources. Critical system assets include technical and operational aspects. Technical aspects include system components, information technology services, information technology products, and mechanisms. Operational aspects include procedures (i.e., manually executed operations) and personnel (i.e., individuals operating technical controls and/or executing manual procedures). Organizational program protection plans can assist in identifying critical assets. If critical assets are resident within or supported by external service providers, organizations consider implementing CP-2(7) as a control enhancement.
38North Guidance:
Meets Minimum Requirement:
The organization must identify the critical information system assets within its system boundary that support essential operations. These assets include virtual network devices, systems, and environmental support. Each critical asset must have redundant measures in place to eliminate and/or mitigate the effects of a disruption.
Best Practice:
The BIA must be reviewed and approved annually. Changes to the BIA must be communicated to the customer, reviewed, and approved within 90 days of significant changes to the system.
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
BIA (as part of the CP), including the information system assets deemed critical to supporting essential operations.
Evidence of review and approval of the BIA.
Customer notifications, reviews, and approvals of BIA changes dated within 90 days of any significant system changes.
A procedure or documented plan for providing customer notifications of BIA changes.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD