CCI-003125

Obtain or develop administrator documentation for the system, system component, or system service that describes secure installation of the system, component, or service.

Implementation Guidance

Determine if: - administrator documentation for the system, system component, or system service that describes the secure configuration of the system, component, or service is obtained or developed. - administrator documentation for the system, system component, or system service that describes the secure installation of the system, component, or service is obtained or developed. - administrator documentation for the system, system component, or system service that describes the secure operation of the system, component, or service is obtained or developed.

Validation Procedures

Examine: [SELECT FROM: System and services acquisition policy; system and services acquisition procedures; procedures addressing system documentation; system documentation, including administrator and user guides; system design documentation; records documenting attempts to obtain unavailable or nonexistent system documentation; list of actions to be taken in response to documented attempts to obtain system, system component, or system service documentation; risk management strategy documentation; system security plan; privacy plan; privacy impact assessment; privacy risk assessment documentation; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with acquisition/contracting responsibilities; organizational personnel with information security and privacy responsibilities; system administrators; organizational personnel responsible for operating, using, and/or maintaining the system; system developers]. Test: [SELECT FROM: Organizational processes for obtaining, protecting, and distributing system administrator and user documentation].

The controls below (if any) were marked by NIST as being related to CCI-003125.