Mission Impact
Mission Impact v2.0.0
Impact on Mission Essential Functions of the Organization
| Value | Definition |
|---|---|
| Degraded | Little to no impact up to degradation of non-essential functions; chronic degradation would eventually harm essential functions |
| MEF Support Crippled | Activities that directly support essential functions are crippled; essential functions continue for a time |
| MEF Failure | Any one mission essential function fails for period of time longer than acceptable; overall mission of the organization degraded but can still be accomplished for a time |
| Mission Failure | Multiple or all mission essential functions fail; ability to recover those functions degraded; organization’s ability to deliver its overall mission fails |
{
"namespace": "ssvc",
"version": "2.0.0",
"key": "MI",
"name": "Mission Impact",
"description": "Impact on Mission Essential Functions of the Organization",
"values": [
{
"key": "D",
"name": "Degraded",
"description": "Little to no impact up to degradation of non-essential functions; chronic degradation would eventually harm essential functions"
},
{
"key": "MSC",
"name": "MEF Support Crippled",
"description": "Activities that directly support essential functions are crippled; essential functions continue for a time"
},
{
"key": "MEF",
"name": "MEF Failure",
"description": "Any one mission essential function fails for period of time longer than acceptable; overall mission of the organization degraded but can still be accomplished for a time"
},
{
"key": "MF",
"name": "Mission Failure",
"description": "Multiple or all mission essential functions fail; ability to recover those functions degraded; organization\u2019s ability to deliver its overall mission fails"
}
]
}
See also
Mission Impact combines with Safety Impact to inform Human Impact
A mission essential function (MEF) is a function “directly related to accomplishing the organization’s mission as set forth in its statutory or executive charter” 1. Identification and prioritization of mission essential functions enables effective continuity planning or crisis planning. Mission Essential Functions are in effect critical activities within an organization that are used to identify key assets, supporting tasks, and resources that an organization requires to remain operational in a crises situation, and so must be included in its planning process. During an event, key resources may be limited and personnel may be unavailable, so organizations must consider these factors and validate assumptions when identifying, validating, and prioritizing MEFs.
When reviewing the list of organizational functions, an organization must first identify whether a function is essential or non-essential. The distinction between these two categories is whether or not an organization must perform a function during a disruption to normal operations and must continue performance during emergencies 1. Essential functions are both important and urgent. Functions that can be deferred until after an emergency are identified as non-essential. For example, DoD defines MEFs in DoD Directive 3020.26 DoD Continuity Policy using similar terminology to FCD-2 2.
As mission essential functions are most clearly defined for government agencies, stakeholders in other sectors may be familiar with different terms of art from continuity planning. For example, infrastructure providers in the US may better align with National Critical Functions. Private sector businesses may better align with operational and financial impacts in a business continuity plan.
While the processes, terminology, and audience for these different frameworks differ, they all can provide a sense of the criticality of an asset or assets within the scope of the stakeholder conducting the cyber vulnerability prioritization with SSVC. In that sense they all function quite similarly within SSVC. Organizations should use whatever is most appropriate for their stakeholder context, with Mission Essential Function analysis serving as a fully worked example in the SSVC documents.
Gathering Information About Mission Impact
The factors that influence the mission impact level are diverse. This paper does not exhaustively discuss how a stakeholder should answer a question; that is a topic for future work. At a minimum, understanding mission impact should include gathering information about the critical paths that involve vulnerable components, viability of contingency measures, and resiliency of the systems that support the mission. There are various sources of guidance on how to gather this information; see for example the FEMA guidance in Continuity Directive 2 1 or OCTAVE FORTE 3. This is part of risk management more broadly. It should require the vulnerability management team to interact with more senior management to understand mission priorities and other aspects of risk mitigation.
As a heuristic, Utility might constrain Mission Impact if both are not used in the same decision tree. For example, if the Utility is super effective, then Mission Impact is at least MEF support crippled.
Prior Versions
Mission Impact v1.0.0
Impact on Mission Essential Functions of the Organization
| Value | Definition |
|---|---|
| None | Little to no impact |
| Non-Essential Degraded | Degradation of non-essential functions; chronic degradation would eventually harm essential functions |
| MEF Support Crippled | Activities that directly support essential functions are crippled; essential functions continue for a time |
| MEF Failure | Any one mission essential function fails for period of time longer than acceptable; overall mission of the organization degraded but can still be accomplished for a time |
| Mission Failure | Multiple or all mission essential functions fail; ability to recover those functions degraded; organization’s ability to deliver its overall mission fails |
{
"namespace": "ssvc",
"version": "1.0.0",
"key": "MI",
"name": "Mission Impact",
"description": "Impact on Mission Essential Functions of the Organization",
"values": [
{
"key": "N",
"name": "None",
"description": "Little to no impact"
},
{
"key": "NED",
"name": "Non-Essential Degraded",
"description": "Degradation of non-essential functions; chronic degradation would eventually harm essential functions"
},
{
"key": "MSC",
"name": "MEF Support Crippled",
"description": "Activities that directly support essential functions are crippled; essential functions continue for a time"
},
{
"key": "MEF",
"name": "MEF Failure",
"description": "Any one mission essential function fails for period of time longer than acceptable; overall mission of the organization degraded but can still be accomplished for a time"
},
{
"key": "MF",
"name": "Mission Failure",
"description": "Multiple or all mission essential functions fail; ability to recover those functions degraded; organization\u2019s ability to deliver its overall mission fails"
}
]
}
-
Federal Emergency Management Agency. Federal continuity directive 2: federal executive branch mission essential functions and candidate primary mission essential functions identification and submission process. Technical Report, US Department of Homeland Security, Federal Emergency Management Agency, 2017. URL: https://www.fema.gov/media-library-data/1499702987348-c8eb5e5746bfc5a7a3cb954039df7fc2/FCD-2June132017.pdf. ↩↩↩
-
DOD. Dod directive 3020.26 dod continuity policy. Technical Report, US Department of Defense, 2018. URL: https://github.com/CERTCC/SSVC/pull/281/commits/791dcabd716c2e681215493b26cba79f3863887b. ↩
-
Brett Tucker. Octave® forte and fair connect cyber risk practitioners with the boardroom. 2018. URL: https://insights.sei.cmu.edu/insider-threat/2018/06/octave-forte-and-fair-connect-cyber-risk-practitioners-with-the-boardroom.html (visited on 2020-01-20). ↩