Navigate

CCI-003129

CCI-003129 Definition

The organization obtains user documentation for the information system, system component, or information system service that describes user-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed documents within contracts/agreements, requirements that the developer provide user documentation for the information system, system component or information system service that describes user-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer provide user documentation for the information system, system component or information system service that describes user-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms.

Compelling Evidence

1.) System security plan (SSP) must contain user documentation that describes user-accessible security functions/mechanisms and to effectively use them.

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-003129.

Control	Description
SA-5	The organization: SA-5a.: Obtains administrator documentation for the information system, system component, or information system service that describes: SA-5a.1.: Secure configuration, installation, and operation of the system, component, or service; SA-5a.2.: Effective use and maintenance of security functions/mechanisms; and SA-5a.3.: Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions; SA-5b.: Obtains user documentation for the information system, system component, or information system service that describes: SA-5b.1.: User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms; SA-5b.2.: Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and SA-5b.3.: User responsibilities in maintaining the security of the system, component, or service; SA-5c.: Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and takes [Assignment: organization-defined actions] in response; SA-5d.: Protects documentation as required, in accordance with the risk management strategy; and SA-5e.: Distributes documentation to [Assignment: organization-defined personnel or roles].

Control

Description

SA-5

The organization:

SA-5a.: Obtains administrator documentation for the information system, system component, or information system service that describes:
- SA-5a.1.: Secure configuration, installation, and operation of the system, component, or service;
- SA-5a.2.: Effective use and maintenance of security functions/mechanisms; and
- SA-5a.3.: Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;

SA-5b.: Obtains user documentation for the information system, system component, or information system service that describes:
- SA-5b.1.: User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms;
- SA-5b.2.: Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and
- SA-5b.3.: User responsibilities in maintaining the security of the system, component, or service;

SA-5c.: Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and takes [Assignment: organization-defined actions] in response;

SA-5d.: Protects documentation as required, in accordance with the risk management strategy; and

SA-5e.: Distributes documentation to [Assignment: organization-defined personnel or roles].