Navigate

CCI-003129

CCI-003129 Definition

Obtain or develop user documentation for the system, system component, or system service that describes user-accessible security functions and mechanisms and how to effectively use those functions and mechanisms.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed documents within contracts/agreements, requirements that the developer provide user documentation for the information system, system component or information system service that describes user-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer provide user documentation for the information system, system component or information system service that describes user-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms.

Compelling Evidence

1.) System security plan (SSP) must contain user documentation that describes user-accessible security functions/mechanisms and to effectively use them.

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-003129.

Control	Description
SA-5	The organization: a: Obtains administrator documentation for the information system, system component, or information system service that describes: 1: Secure configuration, installation, and operation of the system, component, or service; 2: Effective use and maintenance of security functions/mechanisms; and 3: Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions; b: Obtains user documentation for the information system, system component, or information system service that describes: 1: User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms; 2: Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and 3: User responsibilities in maintaining the security of the system, component, or service; c: Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and takes [one of ] in response; d: Protects documentation as required, in accordance with the risk management strategy; and e: Distributes documentation to [one of ].

Control

Description

SA-5

The organization:

a: Obtains administrator documentation for the information system, system component, or information system service that describes:
- 1: Secure configuration, installation, and operation of the system, component, or service;
- 2: Effective use and maintenance of security functions/mechanisms; and
- 3: Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;

b: Obtains user documentation for the information system, system component, or information system service that describes:
- 1: User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms;
- 2: Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and
- 3: User responsibilities in maintaining the security of the system, component, or service;

c: Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and takes [one of ] in response;

d: Protects documentation as required, in accordance with the risk management strategy; and

e: Distributes documentation to [one of ].