NIST ID.BE-4: Establish Critical Function Dependencies
Critical services rarely operate in isolation. NIST ID.BE-4 requires you to identify and document all dependencies that enable your organization's critical functions—from suppliers to internal systems. Without this visibility, a single failure point can cascade into service disruption.
What this means
This control mandates that your organization identify, document, and understand all internal and external dependencies required to deliver critical services. This includes supplier relationships, system integrations, infrastructure requirements, and process dependencies. You must establish clear visibility into what resources, systems, and third parties your critical functions depend on, enabling you to assess risk and plan continuity strategies.
How to comply
- 1.Identify all critical functions and services your organization delivers
- 2.Map internal system dependencies (applications, databases, infrastructure, networks)
- 3.Document external dependencies (third-party vendors, cloud providers, ISPs, partners)
- 4.Create dependency matrices showing relationships between functions and supporting resources
- 5.Assess single points of failure and critical path risks
- 6.Document recovery time objectives (RTOs) and recovery point objectives (RPOs) for each dependency
- 7.Establish a process to monitor and update dependency documentation as systems change
- 8.Review dependencies with business and technical stakeholders quarterly
Evidence auditors look for
- Critical function dependency diagrams or maps
- Supplier and vendor inventory with service descriptions
- System architecture documentation showing integrations
- Data flow diagrams highlighting critical dependencies
- Third-party risk assessments and SLA documentation
- Business continuity plans referencing dependencies
- Change management records showing dependency updates
- Risk assessments identifying single points of failure
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates critical function dependency mapping by connecting your assets, vendors, and systems into visual dependency graphs, then tracks changes across your infrastructure so your dependency documentation stays current without manual updates.
See how GRCWatch handles this control automatically
Start free trial