Has your organization conducted a systems interdependency analysis to identify and mitigate potential cascading failures across interconnected systems?
Explanation
Cascading failures occur when the failure of one system component triggers failures in dependent systems, potentially causing widespread outages or security breaches.
This analysis should identify critical dependencies between systems, evaluate how failures might propagate, and document mitigation strategies to contain failures before they affect multiple systems.
Organizations with complex infrastructures are particularly vulnerable to these types of failures, especially when systems share resources, authentication mechanisms, or data flows.
Evidence of fulfillment could include a systems dependency map or matrix, a formal impact analysis document, contingency plans that address cascading scenarios, or test results from simulated failure exercises that demonstrate containment capabilities.
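The propagation step of such an analysis can be computed directly from a dependency map. The following Python sketch is an added example, not part of the original assessment text or of any framework tooling; the system names and the `DEPENDS_ON` map are constructed sample data, and the function names are hypothetical.

```python
from collections import deque

# Constructed sample dependency map (not from any real environment):
# each system lists the systems it directly depends on.
DEPENDS_ON = {
    "identity-provider": ["database-cluster"],
    "database-cluster": ["storage-array"],
    "storage-array": [],
    "hr-portal": ["identity-provider"],
    "billing-api": ["identity-provider", "database-cluster"],
    "web-frontend": ["billing-api"],
    "monitoring": ["identity-provider", "web-frontend"],
    "badge-system": [],
}

def invert(depends_on):
    """Build the reverse map: system -> systems that directly depend on it."""
    dependents = {name: set() for name in depends_on}
    for system, deps in depends_on.items():
        for dep in deps:
            dependents.setdefault(dep, set()).add(system)
    return dependents

def blast_radius(depends_on, failed):
    """Return every system reachable through dependencies when `failed` goes down."""
    dependents = invert(depends_on)
    affected, queue = set(), deque([failed])
    while queue:
        current = queue.popleft()
        for nxt in dependents.get(current, ()):
            # The visited check keeps circular dependencies from looping forever.
            if nxt not in affected and nxt != failed:
                affected.add(nxt)
                queue.append(nxt)
    return affected

def rank_by_impact(depends_on):
    """List (system, affected_count) pairs, largest cascade first."""
    systems = set(depends_on) | {d for deps in depends_on.values() for d in deps}
    ranked = [(s, len(blast_radius(depends_on, s))) for s in systems]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))

if __name__ == "__main__":
    for system, count in rank_by_impact(DEPENDS_ON):
        print(f"{system:20} failure reaches {count} other system(s)")
```

Systems at the top of the ranking are the shared resources where containment measures and failure exercises matter most.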
Implementation Example
Account for the potential impacts of cascading failures for systems of systems
ID: ID.RA-04.161
Context
- Function
  - ID: IDENTIFY
- Category
  - ID.RA: Risk Assessment
- Sub-Category
  - Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded
Related questions
- Does your organization implement vulnerability management tools to detect unpatched software and misconfigurations?
- Does your organization regularly conduct security architecture reviews to identify and remediate design and implementation weaknesses?
- Does your organization conduct security reviews, analysis, or testing of internally developed software to identify vulnerabilities in design, code, and default configurations?
- Has your organization conducted a comprehensive physical security assessment of all facilities housing critical computing assets within the past 12 months?
- Does your organization actively monitor cyber threat intelligence sources for information about new vulnerabilities in your products and services?
- Does your organization regularly conduct vulnerability assessments of business processes and procedures to identify potential cybersecurity weaknesses?

