Doc:NIST SP 800-53r3 Appendix F/SA-5
SA-5 INFORMATION SYSTEM DOCUMENTATION
- Control: The organization:
- a. Obtains, protects as required, and makes available to authorized personnel, administrator documentation for the information system that describes:
  - Secure configuration, installation, and operation of the information system;
  - Effective use and maintenance of security features/functions; and
  - Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions; and
- b. Obtains, protects as required, and makes available to authorized personnel, user documentation for the information system that describes:
  - User-accessible security features/functions and how to effectively use those security features/functions;
  - Methods for user interaction with the information system, which enables individuals to use the system in a more secure manner; and
  - User responsibilities in maintaining the security of the information and information system; and
- c. Documents attempts to obtain information system documentation when such documentation is either unavailable or nonexistent.
- Supplemental Guidance: The inability of the organization to obtain necessary information system documentation may occur, for example, due to the age of the system and/or lack of support from the vendor/contractor. In those situations, organizations may need to recreate selected information system documentation if such documentation is essential to the effective implementation and/or operation of security controls.
- Control Enhancements: