Embedded Files
This page is classified as INTERNAL.
NIST SP 800-53 (r4) Control:
The organization:
a. Obtains administrator documentation for the information system, system component, or information system service that describes:
1. Secure configuration, installation, and operation of the system, component, or service;
2. Effective use and maintenance of security functions/mechanisms; and
3. Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;
b. Obtains user documentation for the information system, system component, or information system service that describes:
1. User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms;
2. Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and
3. User responsibilities in maintaining the security of the system, component, or service;
c. Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and [Assignment: organization-defined actions] in response;
d. Protects documentation as required, in accordance with the risk management strategy; and e. Distributes documentation to [Assignment: organization-defined personnel or roles].
NIST 800-53 (r4) Supplemental Guidance:
This control helps organizational personnel understand the implementation and operation of security controls associated with information systems, system components, and information system services. Organizations consider establishing specific measures to determine the quality/completeness of the content provided. The inability to obtain needed documentation may occur, for example, due to the age of the information system/component or lack of support from developers and contractors. In those situations, organizations may need to recreate selected documentation if such documentation is essential to the effective implementation or operation of security controls. The level of protection provided for selected information system, component, or service documentation is commensurate with the security category or classification of the system. For example, documentation associated with a key DoD weapons system or command and control system would typically require a higher level of protection than a routine administrative system. Documentation that addresses information system vulnerabilities may also require an increased level of protection. Secure operation of the information system, includes, for example, initially starting the system and resuming secure system operation after any lapse in system operation. Related controls: CM-6, CM-8, PL-2, PL-4, PS-2, SA-3, SA-4.
NIST 800-53 (r5) Discussion:
System documentation helps personnel understand the implementation and operation of controls. Organizations consider establishing specific measures to determine the quality and completeness of the content provided. System documentation may be used to support the management of supply chain risk, incident response, and other functions. Personnel or roles that require documentation include system owners, system security officers, and system administrators. Attempts to obtain documentation include contacting manufacturers or suppliers and conducting web-based searches. The inability to obtain documentation may occur due to the age of the system or component or the lack of support from developers and contractors. When documentation cannot be obtained, organizations may need to recreate the documentation if it is essential to the implementation or operation of the controls. The protection provided for the documentation is commensurate with the security category or classification of the system. Documentation that addresses system vulnerabilities may require an increased level of protection. Secure operation of the system includes initially starting the system and resuming secure system operation after a lapse in system operation.
38North Guidance:
Meets Minimum Requirement:
Administrator documentation is either developed or obtained from the developer or service provider for the IT product/services being employed for the information system. The documentation includes detailed information that ma include how to employ secure configurations, install and operate the system component/application. Types of documents may include: Developer configuration/installation guides, runbooks, administrator guides, third-party vendor software documentation.
User guides and information for end-user functionality shall be developed that describes the accessibility, functionality, methods of interaction and use responsibilities when operating within the information system. Documentation for users may also include an Acceptable Use Agreement, Access Agreements (PS-7) or Rules of Behavior (PL-4).
Updates and/or develops new documents when changes to existing guides are required.
Maintain any documentation within secure repositories allowing access on an as needed basis.
Best Practice:
Establish and define a consistent process to document any developer guides to ensure consistency within runbooks.
Maintain runbooks required to deploy, update or maintain a service or application in secure repositories.
Unofficial FedRAMP Guidance:
None.
Assessment Evidence:
Developer, administrator and user guides for internally developed systems, applications or components.
Third-party/external vendor and contractor documents related to how manage and maintain the service or application environment.
Evidence to show that documentation is protected from unauthorized disclosure and/or modification.
CSP Implementation Tips:
None.
Page updated
Report abuse