Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Criticality Analysis Process Model



Celia Paulsen, Jon M. Boyens, Nadya Bartol, Kris Winkler


In the modern world, where complex systems and systems-of-systems are integral to the functioning of society and businesses, it is increasingly important to be able to understand and manage risks that these systems and components may present to the missions that they support. However, in the world of finite resources, it is not possible to apply equal protection to all assets. This publication describes a comprehensive Criticality Analysis Process Model -- a structured method of prioritizing programs, systems, and components based on their importance to the goals of an organization and the impact that their inadequate operation or loss may present to those goals. A criticality analysis can help organizations identify and better understand the systems, subsystems, components, and subcomponents that are most essential to their operations and the environment in which they operate. That understanding facilitates better decision making related to the management of an organization's information assets, including information security and privacy risk management, project management, acquisition, maintenance, and upgrade decisions. The Model is structured to logically follow how organizations design and implement projects and systems, can be used as a component of a holistic and comprehensive risk management approach that considers all risks, and can be used with a variety of risk management standards and guidelines.
NIST Interagency/Internal Report (NISTIR) - 8179
Report Number


Baseline criticality, criticality, criticality analysis, critical components, critical programs, critical systems, information security, prioritizing components, prioritizing programs, prioritizing systems, prioritization, privacy.


Paulsen, C. , Boyens, J. , Bartol, N. and Winkler, K. (2018), Criticality Analysis Process Model, NIST Interagency/Internal Report (NISTIR), National Institute of Standards and Technology, Gaithersburg, MD, [online], (Accessed June 20, 2024)


If you have any questions about this publication or are having problems accessing it, please contact

Created April 9, 2018, Updated November 10, 2018