Obtain system documentation before acquiring products and services.


CONTROL ID
01445
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Include security requirements in system acquisition contracts., CC ID: 01124

This Control has the following implementation support Control(s):
  • Include a description of the use and maintenance of security functions in the administration documentation., CC ID: 14309
  • Include a description of the known vulnerabilities for administrative functions in the administration documentation., CC ID: 14302
  • Disseminate and communicate the system documentation to interested personnel and affected parties., CC ID: 14285
  • Document attempts to obtain system documentation., CC ID: 14284


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • O49: For head and branch offices, the organization shall document and maintain manuals of actions to take in various conditions to ensure smooth operations and security of unmanned branches. O49.1: The organization shall document and maintain manuals of actions to take in various conditions to ensu… (O49, O49.1, O49.2, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • The documentation for Commercial Off-The-Shelf products should be reviewed by regulated users to check that user requirements are being fulfilled. (¶ 3.3, EudraLex, The Rules Governing Medicinal Products in the European Union, Volume 4 Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use Annex 11: Computerised Systems, SANCO/C8/AM/sl/ares(2010)1064599)
  • The seller should receive clear and specific instructions for what documentation is to be delivered. (App D § D.1.1.f, SAE AS 5553: Fraudulent/Counterfeit Electronic Parts; Avoidance, Detection, Mitigation, and Disposition, Revision A)
  • The documentation requirements should be included in the terms and conditions of the contract. (App D § D.1.1.f, SAE AS 5553: Fraudulent/Counterfeit Electronic Parts; Avoidance, Detection, Mitigation, and Disposition, Revision A)
  • All products should have a document description that is coherent and consistent. The document should describe the product, the general IT features, the scope and boundaries in both a physical way and a logical way, and aid in understanding the product's security requirements. (§ 9.1, § 10.1, ISO 15408-3 Common Criteria for Information Technology Security Evaluation Part 3, 2008)
  • The product and/or system description should be examined to ensure the description gives readers a general understanding of intended use, the features of the product (particularly the security features), and a list of the hardware, software, and firmware that comes with it. The description should be… (§ 8.3.1, § 9.3.1, ISO 18045 Common Methodology for Information Technology Security Evaluation Part 3, 2005)
  • The entity obtains or generates, uses, and communicates relevant, quality information regarding the objectives related to processing, including definitions of data processed and product and service specifications, to support the use of products and services. (PI1.1 ¶ 1, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Obtains administrator documentation for the information system, system component, or information system service that describes: (SA-5a., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Obtains administrator documentation for the information system, system component, or information system service that describes: (SA-5a., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Obtains administrator documentation for the information system, system component, or information system service that describes: (SA-5a., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed. (SA-4(1) ¶ 1, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Obtains administrator documentation for the information system, system component, or information system service that describes: (SA-5a., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed. (SA-4(1) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The entity obtains or generates, uses, and communicates relevant, quality information regarding the objectives related to processing, including definitions of data processed and product and service specifications, to support the use of products and services. (PI1.1, Trust Services Criteria)
  • The entity obtains or generates, uses, and communicates relevant, quality information regarding the objectives related to processing, including definitions of data processed and product and service specifications, to support the use of products and services. (PI1.1 ¶ 1, Trust Services Criteria, (includes March 2020 updates))
  • Do the criteria for accepting new Information Systems contain error recovery and restart procedures? (§ G.6.2, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • The organization must ensure that vendor-supplied system software includes the software documentation and that the vendor supports the software. (CSR 3.4.3, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The using or acquiring organization should determine the format and type of documentation to be furnished by the vendor. (§ C3.1.2, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The device manufacturer should have documentation, including the defined user requirements, that objectively confirms the software is validated for its use. (§ 6.2 ¶ 5 Bullet 1, General Principles of Software Validation; Final Guidance for Industry and FDA Staff, Version 2.0)
  • The device manufacturer should have documentation, including the validation protocols used, that objectively confirms the software is validated for its use. (§ 6.2 ¶ 5 Bullet 2, General Principles of Software Validation; Final Guidance for Industry and FDA Staff, Version 2.0)
  • The quality and thoroughness of system documentation; (TIER II OBJECTIVES AND PROCEDURES B.1 Bullet 7, FFIEC IT Examination Handbook - Audit, April 2012)
  • When the organization acquires software, it should ensure the documentation meets its minimum documentation requirements. The licensing agreement or software development agreement should require the vendor to provide all the necessary documentation. (Pg 27, Pg 47, FFIEC IT Examination Handbook - Development and Acquisition)
  • The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed. (SA-4(1) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Obtains administrator documentation for the information system, system component, or information system service that describes: (SA-5a. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed. (SA-4(1) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Obtains administrator documentation for the information system, system component, or information system service that describes: (SA-5a. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Obtains administrator documentation for the information system, system component, or information system service that describes: (SA-5a. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Require the developer of the system, system component, or system service to provide a description of the functional properties of the controls to be implemented. (SA-4(1) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • Obtain or develop administrator documentation for the system, system component, or system service that describes: (SA-5a., FedRAMP Security Controls High Baseline, Version 5)
  • Obtain or develop administrator documentation for the system, system component, or system service that describes: (SA-5a., FedRAMP Security Controls Low Baseline, Version 5)
  • Require the developer of the system, system component, or system service to provide a description of the functional properties of the controls to be implemented. (SA-4(1) ¶ 1, FedRAMP Security Controls Moderate Baseline, Version 5)
  • Obtain or develop administrator documentation for the system, system component, or system service that describes: (SA-5a., FedRAMP Security Controls Moderate Baseline, Version 5)
  • The organization must ensure there is a sufficient amount of system documentation, such as a Security Features Guide, prior to acquiring new products. (§ 5.6.14, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Is there a copy of vendor documentation for the devices that are used by the Credit Union? (IT - WLANS Q 7, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Obtain or develop administrator documentation for the system, system component, or system service that describes: (SA-5a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Require the developer of the system, system component, or system service to provide a description of the functional properties of the controls to be implemented. (SA-4(1) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Obtain or develop administrator documentation for the system, system component, or system service that describes: (SA-5a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Require the developer of the system, system component, or system service to provide a description of the functional properties of the controls to be implemented. (SA-4(1) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Obtain or develop administrator documentation for the system, system component, or system service that describes: (SA-5a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Obtain or develop administrator documentation for the system, system component, or system service that describes: (SA-5a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Obtain or develop administrator documentation for the system, system component, or system service that describes: (SA-5a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • System and Services Acquisition (SA): Organizations must: (i) allocate sufficient resources to adequately protect organizational information systems; (ii) employ system development life cycle processes that incorporate information security considerations; (iii) employ software usage and installation… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Organizational records and documents should be examined to ensure the information system has adequate documentation available and it is protected and distributed to appropriate personnel; administrator and user guides include instructions on how to configure, install, and operate the system and how … (SA-5, SA-5(1), SA-5(2), Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed. (SA-4(1) ¶ 1 Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed. (SA-4(1) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Obtains administrator documentation for the information system, system component, or information system service that describes: (SA-5a. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Obtains administrator documentation for the information system, system component, or information system service that describes: (SA-5a. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Obtains administrator documentation for the information system, system component, or information system service that describes: (SA-5a. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The smart grid information system documentation obtained during system acquisition must include how to use, install, and configure the Information System and the security features. (SG.SA-5 Requirement 1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should require vendors and contractors to provide, in the acquisition contract, information that describes the functional properties of the security controls being used in the system, components, or system services in sufficient detail to allow for the analysis and testing of the co… (App F § SA-4(1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should require vendors and contractors to provide, in the acquisition documents, information that describes the design and implementation details of the security controls being used in the system, components, or system services, including functional interfaces, in sufficient detail … (App F § SA-4(2), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must obtain, protect as required, and make available to authorized personnel, administrator documentation that describes the secure configuration, installation, operation of the system. (App F § SA-5.a Bullet 1, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must obtain, protect as required, and make available to authorized personnel, administrator documentation that describes the effective use and maintenance of security features and functions. (App F § SA-5.a Bullet 2, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must obtain, protect as required, and make available to authorized personnel, administrator documentation that describes any known vulnerabilities about the configuration and use of administrative functions. (App F § SA-5.a Bullet 3, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must obtain, protect as required, and make available to authorized personnel, user documentation that describes user-accessible security features and functions and how to use them. (App F § SA-5.b Bullet 1, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must obtain, protect as required, and make available to authorized personnel, user documentation that describes the methods for user interaction to enable the individual to use the system more securely. (App F § SA-5.b Bullet 2, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must obtain, protect as required, and make available to authorized personnel, user documentation that describes the user responsibilities for maintaining the security of information and the system. (App F § SA-5.b Bullet 3, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must document the attempts to obtain system documentation when the documentation is unavailable or nonexistent. (App F § SA-5.c, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should obtain, protect as required, and make available to authorized personnel, vendor and manufacturer documentation that describes the functional properties of the security controls with sufficient detail to allow for analysis and testing. (App F § SA-5(1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should obtain, protect as required, and make available to authorized personnel, vendor and manufacturer documentation that describes the security-relevant external interfaces to the system with sufficient detail to allow for analysis and testing. (App F § SA-5(2), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should obtain, protect as required, and make available to authorized personnel, vendor and manufacturer documentation that describes the high-level design in terms of subsystems and implementation details of the security controls in sufficient detail to allow for analysis and testin… (App F § SA-5(3), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should obtain, protect as required, and make available to authorized personnel, vendor and manufacturer documentation that describes the low-level design in terms of modules and implementation details of the security controls with sufficient detail to allow for analysis and testing. (App F § SA-5(4), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed. (SA-4(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: {security-relevant external system interfaces} at organizationally documented lev… (SA-4(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: {high-level design} at organizationally documented level of detail. (SA-4(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: {low-level design} at organizationally documented level of detail. (SA-4(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: {source code or hardware schematics} at organizationally documented level of deta… (SA-4(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: {organizationally documented design/implementation information} at organizational… (SA-4(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization obtains administrator documentation for the information system, system component, or information system service that describes secure configuration, installation, and operation of the system, component, or service. (SA-5a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization obtains administrator documentation for the information system, system component, or information system service that describes effective use and maintenance of security functions/mechanisms. (SA-5a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization obtains administrator documentation for the information system, system component, or information system service that describes known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions. (SA-5a.3., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization obtains user documentation for the information system, system component, or information system service that describes user-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms. (SA-5b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization obtains user documentation for the information system, system component, or information system service that describes methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner. (SA-5b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization obtains user documentation for the information system, system component, or information system service that describes user responsibilities in maintaining the security of the system, component, or service. (SA-5b.3., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and {organizationally documented actions} in response. (SA-5c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed. (SA-4(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: {security-relevant external system interfaces} at organizationally documented lev… (SA-4(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: {high-level design} at organizationally documented level of detail. (SA-4(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: {low-level design} at organizationally documented level of detail. (SA-4(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: {source code or hardware schematics} at organizationally documented level of deta… (SA-4(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: {organizationally documented design/implementation information} at organizational… (SA-4(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization obtains administrator documentation for the information system, system component, or information system service that describes secure configuration, installation, and operation of the system, component, or service. (SA-5a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization obtains administrator documentation for the information system, system component, or information system service that describes effective use and maintenance of security functions/mechanisms. (SA-5a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization obtains administrator documentation for the information system, system component, or information system service that describes known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions. (SA-5a.3., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization obtains user documentation for the information system, system component, or information system service that describes user-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms. (SA-5b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization obtains user documentation for the information system, system component, or information system service that describes methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner. (SA-5b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization obtains user documentation for the information system, system component, or information system service that describes user responsibilities in maintaining the security of the system, component, or service. (SA-5b.3., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and {organizationally documented actions} in response. (SA-5c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization obtains administrator documentation for the information system, system component, or information system service that describes secure configuration, installation, and operation of the system, component, or service. (SA-5a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization obtains administrator documentation for the information system, system component, or information system service that describes effective use and maintenance of security functions/mechanisms. (SA-5a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization obtains administrator documentation for the information system, system component, or information system service that describes known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions. (SA-5a.3., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization obtains user documentation for the information system, system component, or information system service that describes user-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms. (SA-5b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization obtains user documentation for the information system, system component, or information system service that describes methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner. (SA-5b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization obtains user documentation for the information system, system component, or information system service that describes user responsibilities in maintaining the security of the system, component, or service. (SA-5b.3., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and {organizationally documented actions} in response. (SA-5c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed. (SA-4(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: {security-relevant external system interfaces} at organizationally documented lev… (SA-4(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: {high-level design} at organizationally documented level of detail. (SA-4(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: {low-level design} at organizationally documented level of detail. (SA-4(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: {source code or hardware schematics} at organizationally documented level of deta… (SA-4(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: {organizationally documented design/implementation information} at organizational… (SA-4(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization obtains administrator documentation for the information system, system component, or information system service that describes secure configuration, installation, and operation of the system, component, or service. (SA-5a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization obtains administrator documentation for the information system, system component, or information system service that describes effective use and maintenance of security functions/mechanisms. (SA-5a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization obtains administrator documentation for the information system, system component, or information system service that describes known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions. (SA-5a.3., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization obtains user documentation for the information system, system component, or information system service that describes user-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms. (SA-5b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization obtains user documentation for the information system, system component, or information system service that describes methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner. (SA-5b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization obtains user documentation for the information system, system component, or information system service that describes user responsibilities in maintaining the security of the system, component, or service. (SA-5b.3., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and {organizationally documented actions} in response. (SA-5c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Obtains administrator documentation for the information system, system component, or information system service that describes: (SA-5a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed. (SA-4(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Obtains administrator documentation for the information system, system component, or information system service that describes: (SA-5a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Obtains administrator documentation for the information system, system component, or information system service that describes: (SA-5a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed. (SA-4(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed. (SA-4(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Obtains administrator documentation for the information system, system component, or information system service that describes: (SA-5a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Require the developer of the system, system component, or system service to provide a description of the functional properties of the controls to be implemented. (SA-4(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Obtain or develop administrator documentation for the system, system component, or system service that describes: (SA-5a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Require the developer of the system, system component, or system service to provide a description of the functional properties of the controls to be implemented. (SA-4(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Obtain or develop administrator documentation for the system, system component, or system service that describes: (SA-5a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Obtains administrator documentation for the information system, system component, or information system service that describes: (SA-5a., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • The organization should have a well-defined documentation process. Documents should be controlled and access should be granted to only authorized personnel. All documents should be well written and understandable. (§ I.A, § II.C, App A § IV.B, OMB Circular A-123, Management's Responsibility for Internal Control)
  • Obtains administrator documentation for the information system, system component, or information system service that describes: (SA-5a., TX-RAMP Security Controls Baseline Level 1)
  • The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed. (SA-4(1) ¶ 1, TX-RAMP Security Controls Baseline Level 1)
  • Obtains administrator documentation for the information system, system component, or information system service that describes: (SA-5a., TX-RAMP Security Controls Baseline Level 2)
  • The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed. (SA-4(1) ¶ 1, TX-RAMP Security Controls Baseline Level 2)