MISSION OR BUSINESS FOCUS
Identify the missions, business functions, and mission/business processes that the system is intended to support.
Potential Inputs: Organizational mission statement; organizational policies; mission/business process information; system stakeholder information; Cybersecurity Framework Profiles; requests for proposal or other acquisition documents; concept of operations.
Expected Outputs: Missions, business functions, and mission/business processes that the system will support.
Primary Responsibility: Mission or Business Owner.
Supporting Roles: Authorizing Official or Authorizing Official Designated Representative; System Owner; Information Owner or Steward; Chief Information Officer; Senior Agency Information Security Officer; Senior Agency Official for Privacy.
System Development Life Cycle Phase: New – Initiation (concept/requirements definition). Existing – Operations/Maintenance.
Discussion: Organizational missions and business functions influence the design and development of the mission or business processes that are created to carry out those missions and business functions. The prioritization of missions and business functions drives investment strategies, funding decisions, resource prioritization, and risk decisions—and thus affects the existing enterprise architecture and development of the associated security and privacy architectures. Information is elicited from stakeholders to acquire a more thorough understanding of the missions, business functions, and mission/business processes of the organization from a system security and privacy perspective.
References: [SP 800-39] (Organization and Mission/Business Process Levels); [SP 800-64]; [SP 800-160 v1] (Business or Mission Analysis, Portfolio Management, and Project Planning Processes); [NIST CSF] (Core [Identify Function]); [IR 8179] (Criticality Analysis Process B).