SA-5: System Documentation

Baselines:

  • Low
    • SA-5
  • Moderate
    • SA-5
  • High
    • SA-5
  • Privacy
    • N/A

Control Statement

  1. Obtain or develop administrator documentation for the system, system component, or system service that describes:
    1. Secure configuration, installation, and operation of the system, component, or service;
    2. Effective use and maintenance of security and privacy functions and mechanisms; and
    3. Known vulnerabilities regarding configuration and use of administrative or privileged functions;
  2. Obtain or develop user documentation for the system, system component, or system service that describes:
    1. User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms;
    2. Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and
    3. User responsibilities in maintaining the security of the system, component, or service and privacy of individuals;
  3. Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and take [Assignment: organization-defined actions] in response; and
  4. Distribute documentation to [Assignment: organization-defined personnel or roles].

Supplemental Guidance

System documentation helps personnel understand the implementation and operation of controls. Organizations consider establishing specific measures to determine the quality and completeness of the content provided. System documentation may be used to support the management of supply chain risk, incident response, and other functions. Personnel or roles that require documentation include system owners, system security officers, and system administrators. Attempts to obtain documentation include contacting manufacturers or suppliers and conducting web-based searches. The inability to obtain documentation may occur due to the age of the system or component or the lack of support from developers and contractors. When documentation cannot be obtained, organizations may need to recreate the documentation if it is essential to the implementation or operation of the controls. The protection provided for the documentation is commensurate with the security category or classification of the system. Documentation that addresses system vulnerabilities may require an increased level of protection. Secure operation of the system includes initially starting the system and resuming secure system operation after a lapse in system operation.