Navigate

CCI-003132

CCI-003132 Definition

The organization takes organization-defined actions in response to attempts to obtain either unavailable or nonexistent documentation for the information system, system component, or information system service.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed takes actions defined in SA-5, CCI 3133 in response to attempts to obtain either unavailable or nonexistent documentation for information system, system component, or information system service. The organization must maintain a record of actions taken. DoD has determined the actions are not appropriate to define at the Enterprise level.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the record of actions taken to ensure the organization being inspected/assessed takes actions defined in SA-5, CCI 3133 in response to attempts to obtain either unavailable or nonexistent documentation for information system, system component, or information system service. DoD has determined the actions are not appropriate to define at the Enterprise level.

Compelling Evidence

1.) System security plan (SSP) or Incident response plan must document organization defined actions to be taken in the event of attempt to obtain unavailable or nonexistent information.

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-003132.

Control	Description
SA-5	The organization: SA-5a.: Obtains administrator documentation for the information system, system component, or information system service that describes: SA-5a.1.: Secure configuration, installation, and operation of the system, component, or service; SA-5a.2.: Effective use and maintenance of security functions/mechanisms; and SA-5a.3.: Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions; SA-5b.: Obtains user documentation for the information system, system component, or information system service that describes: SA-5b.1.: User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms; SA-5b.2.: Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and SA-5b.3.: User responsibilities in maintaining the security of the system, component, or service; SA-5c.: Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and takes [Assignment: organization-defined actions] in response; SA-5d.: Protects documentation as required, in accordance with the risk management strategy; and SA-5e.: Distributes documentation to [Assignment: organization-defined personnel or roles].

Control

Description

SA-5

The organization:

SA-5a.: Obtains administrator documentation for the information system, system component, or information system service that describes:
- SA-5a.1.: Secure configuration, installation, and operation of the system, component, or service;
- SA-5a.2.: Effective use and maintenance of security functions/mechanisms; and
- SA-5a.3.: Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;

SA-5b.: Obtains user documentation for the information system, system component, or information system service that describes:
- SA-5b.1.: User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms;
- SA-5b.2.: Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and
- SA-5b.3.: User responsibilities in maintaining the security of the system, component, or service;

SA-5c.: Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and takes [Assignment: organization-defined actions] in response;

SA-5d.: Protects documentation as required, in accordance with the risk management strategy; and

SA-5e.: Distributes documentation to [Assignment: organization-defined personnel or roles].