Navigate

CCI-003127

CCI-003127 Definition

The organization obtains administrator documentation for the information system, system component, or information system services that describes effective use and maintenance of security functions/mechanisms.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed documents within contracts/agreements, requirements that the developer provide administrator documentation for the information system, system component or information system service that describe effective use and maintenance of security functions/mechanisms.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer provide administrator documentation for the information system, system component or information system service that describe effective use and maintenance of security functions/mechanisms.

Compelling Evidence

1.) System security plan (SSP) must contain administrator documentation that describes effective use and maintenance of security functions/mechanisms.

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-003127.

Control	Description
SA-5	The organization: SA-5a.: Obtains administrator documentation for the information system, system component, or information system service that describes: SA-5a.1.: Secure configuration, installation, and operation of the system, component, or service; SA-5a.2.: Effective use and maintenance of security functions/mechanisms; and SA-5a.3.: Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions; SA-5b.: Obtains user documentation for the information system, system component, or information system service that describes: SA-5b.1.: User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms; SA-5b.2.: Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and SA-5b.3.: User responsibilities in maintaining the security of the system, component, or service; SA-5c.: Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and takes [Assignment: organization-defined actions] in response; SA-5d.: Protects documentation as required, in accordance with the risk management strategy; and SA-5e.: Distributes documentation to [Assignment: organization-defined personnel or roles].

Control

Description

SA-5

The organization:

SA-5a.: Obtains administrator documentation for the information system, system component, or information system service that describes:
- SA-5a.1.: Secure configuration, installation, and operation of the system, component, or service;
- SA-5a.2.: Effective use and maintenance of security functions/mechanisms; and
- SA-5a.3.: Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;

SA-5b.: Obtains user documentation for the information system, system component, or information system service that describes:
- SA-5b.1.: User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms;
- SA-5b.2.: Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and
- SA-5b.3.: User responsibilities in maintaining the security of the system, component, or service;

SA-5c.: Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and takes [Assignment: organization-defined actions] in response;

SA-5d.: Protects documentation as required, in accordance with the risk management strategy; and

SA-5e.: Distributes documentation to [Assignment: organization-defined personnel or roles].