SA-05 System Documentation
a. Obtain or develop administrator documentation for the system, system component, or system service that describes:
1. Secure configuration, installation, and operation of the system, component, or service;
2. Effective use and maintenance of security and privacy functions and mechanisms; and
3. Known vulnerabilities regarding configuration and use of administrative or privileged functions;
b. Obtain or develop user documentation for the system, system component, or system service that describes:
1. User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms;
2. Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and
3. User responsibilities in maintaining the security of the system, component, or service and privacy of individuals;
c. Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and take sa-05_odp.01 in response; and
d. Distribute documentation to sa-05_odp.02.
| Parameter ID | Definition |
|---|---|
| sa-05_odp.01 | actions |
| sa-05_odp.02 | personnel or roles |
Baselines
- L
- M
- H
- P
Guidance
System documentation helps personnel understand the implementation and operation of controls. Organizations consider establishing specific measures to determine the quality and completeness of the content provided. System documentation may be used to support the management of supply chain risk, incident response, and other functions. Personnel or roles that require documentation include system owners, system security officers, and system administrators. Attempts to obtain documentation include contacting manufacturers or suppliers and conducting web-based searches. The inability to obtain documentation may occur due to the age of the system or component or the lack of support from developers and contractors. When documentation cannot be obtained, organizations may need to recreate the documentation if it is essential to the implementation or operation of the controls. The protection provided for the documentation is commensurate with the security category or classification of the system. Documentation that addresses system vulnerabilities may require an increased level of protection. Secure operation of the system includes initially starting the system and resuming secure system operation after a lapse in system operation.
References 1
- SP 800-160-1 Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018.
Control Enhancements 5
- SA-05(01) Functional Properties of Security Controls
- SA-05(02) Security-relevant External System Interfaces
- SA-05(03) High-level Design
- SA-05(04) Low-level Design
- SA-05(05) Source Code
Related controls 19
- CM-04 Impact Analyses L M H P
- CM-06 Configuration Settings L M H P
- CM-07 Least Functionality L M H P
- CM-08 System Component Inventory L M H P
- PL-02 System Security and Privacy Plans L M H P
- PL-04 Rules of Behavior L M H P
- PL-08 Security and Privacy Architectures L M H P
- PS-02 Position Risk Designation L M H P
- SA-03 System Development Life Cycle L M H P
- SA-04 Acquisition Process L M H P
- SA-08 Security and Privacy Engineering Principles L M H P
- SA-09 External System Services L M H P
- SA-10 Developer Configuration Management L M H P
- SA-11 Developer Testing and Evaluation L M H P
- SA-15 Development Process, Standards, and Tools L M H P
- SA-16 Developer-provided Training L M H P
- SA-17 Developer Security and Privacy Architecture and Design L M H P
- SI-12 Information Management and Retention L M H P
- SR-03 Supply Chain Controls and Processes L M H P