© 2026 Muon Partners. All rights reserved.

ABN 50 669 022 315 · A Muon Group company.

SP800-53-RA-9 (Active)

Criticality Analysis

Statement

Identify critical system components and functions by performing a criticality analysis for systems, system components, or system services at decision points in the system development life cycle.

Location

Control Family: Risk Assessment

Control Details

Identifier: SP800-53-RA-9
Family: RA

Organisation-Defined Parameters

  • ra-09_odp.01: systems, system components, or system services
  • ra-09_odp.02: decision points in the system development life cycle

Supplemental Guidance

Not all system components, functions, or services necessarily require significant protections. For example, criticality analysis is a key tenet of supply chain risk management and informs the prioritization of protection activities. The identification of critical system components and functions considers applicable laws, executive orders, regulations, directives, policies, standards, system functionality requirements, system and component interfaces, and system and component dependencies. Systems engineers conduct a functional decomposition of a system to identify mission-critical functions and components. The functional decomposition includes the identification of organizational missions supported by the system, decomposition into the specific functions to perform those missions, and traceability to the hardware, software, and firmware components that implement those functions, including when the functions are shared by many components within and external to the system.

The operational environment of a system or a system component may impact the criticality, including the connections to and dependencies on cyber-physical systems, devices, system-of-systems, and outsourced IT services. System components that allow unmediated access to critical system components or functions are considered critical due to the inherent vulnerabilities that such components create. Component and function criticality are assessed in terms of the impact of a component or function failure on the organizational missions that are supported by the system that contains the components and functions.

Criticality analysis is performed when an architecture or design is being developed, modified, or upgraded. If such analysis is performed early in the system development life cycle, organizations may be able to modify the system design to reduce the critical nature of these components and functions, such as by adding redundancy or alternate paths into the system design. Criticality analysis can also influence the protection measures required by development contractors. In addition to criticality analysis for systems, system components, and system services, criticality analysis of information is an important consideration. Such analysis is conducted as part of security categorization in RA-2.
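
The functional decomposition and traceability described above can be kept as a small dependency model and re-scored at each design decision point. The sketch below is an added example, not part of SP 800-53 or of this site's tooling. Every mission, function and component name, the 1-3 impact scale, and the rule that a component with an alternate path inherits no impact from that function are assumptions made for illustration.

```python
# Constructed sample model; every name and impact value here is hypothetical.
MISSIONS = {"process-payments": 3, "publish-reports": 1}  # impact of mission failure, 1 (low) to 3 (high)

# function -> (missions it supports, alternate implementation paths as sets of components)
FUNCTIONS = {
    "authorise-txn": (["process-payments"], [{"api-gw", "hsm"}]),
    "store-ledger": (["process-payments", "publish-reports"], [{"db-primary"}, {"db-replica"}]),
    "render-report": (["publish-reports"], [{"report-svc"}]),
}
DEPENDS_ON = {"api-gw": {"idp"}, "report-svc": {"db-replica"}}  # component -> components it needs
UNMEDIATED_ACCESS = {"bmc": {"hsm"}}  # component -> components it reaches without mediation


def criticality(missions, functions, depends_on, unmediated, threshold=3):
    """Trace mission impact down to components and return {component: score}."""
    score = {}
    for supported, paths in functions.values():
        impact = max(missions[m] for m in supported)
        for comp in set.union(*paths):
            score.setdefault(comp, 0)
        # Only components present on every path lack an alternate, so only they
        # inherit the function's impact (simplifying assumption of this example).
        for comp in set.intersection(*paths):
            score[comp] = max(score[comp], impact)
    changed = True
    while changed:  # propagate to a fixed point
        changed = False
        for comp, deps in depends_on.items():
            for dep in deps:  # a dependency is at least as critical as its dependent
                if score.get(dep, 0) < score.get(comp, 0):
                    score[dep] = score[comp]
                    changed = True
        for comp, targets in unmediated.items():
            reach = max((score.get(t, 0) for t in targets), default=0)
            # Unmediated access to a critical component makes the accessor critical.
            if reach >= threshold and score.get(comp, 0) < reach:
                score[comp] = reach
                changed = True
    return score


def critical_components(score, threshold=3):
    return sorted(c for c, s in score.items() if s >= threshold)


if __name__ == "__main__":
    print(critical_components(criticality(MISSIONS, FUNCTIONS, DEPENDS_ON, UNMEDIATED_ACCESS)))
```

Removing the `db-replica` path from `store-ledger` and re-running shows `db-primary` becoming critical, which is the design-time effect of redundancy the guidance describes.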

Assessment Objective

Critical system components and functions are identified by performing a criticality analysis for systems, system components, or system services at decision points in the system development life cycle.

ATTACK

  • ATTACK-T1495 (related, via ctid-attack-to-sp800-53)
  • ATTACK-T1542 (related, via ctid-attack-to-sp800-53)
  • ATTACK-T1542.001 (related, via ctid-attack-to-sp800-53)
  • ATTACK-T1542.003 (related, via ctid-attack-to-sp800-53)
  • ATTACK-T1542.004 (related, via ctid-attack-to-sp800-53)