Obtain user documentation before acquiring products and services.


CONTROL ID: 14283
CONTROL TYPE: Acquisition/Sale of Assets or Services
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Include security requirements in system acquisition contracts., CC ID: 01124

This Control has the following implementation support Control(s):
  • Include instructions on how to use the security functions in the user documentation., CC ID: 14314
  • Include security functions in the user documentation., CC ID: 14313
  • Include user responsibilities for maintaining system security in the user documentation., CC ID: 14312
  • Include a description of user interactions in the user documentation., CC ID: 14311


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The required information is available to the user of the good or product. (PI1.1 ¶ 3 Bullet 1.1 Defines Information Necessary to Support the Use of a Good or Product, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The required information is clearly identifiable. (PI1.1 ¶ 3 Bullet 1.2 Defines Information Necessary to Support the Use of a Good or Product, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The required information is validated for completeness and accuracy. (PI1.1 ¶ 3 Bullet 1.3 Defines Information Necessary to Support the Use of a Good or Product, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Obtains user documentation for the information system, system component, or information system service that describes: (SA-5b., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Obtains user documentation for the information system, system component, or information system service that describes: (SA-5b., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Obtains user documentation for the information system, system component, or information system service that describes: (SA-5b., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Obtains user documentation for the information system, system component, or information system service that describes: (SA-5b., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The required information is available to the user of the good or product. (PI1.1 ¶ 3 Bullet 1.1 Defines Information Necessary to Support the Use of a Good or Product, Trust Services Criteria, (includes March 2020 updates))
  • The required information is clearly identifiable. (PI1.1 ¶ 3 Bullet 1.2 Defines Information Necessary to Support the Use of a Good or Product, Trust Services Criteria, (includes March 2020 updates))
  • The required information is validated for completeness and accuracy. (PI1.1 ¶ 3 Bullet 1.3 Defines Information Necessary to Support the Use of a Good or Product, Trust Services Criteria, (includes March 2020 updates))
  • Obtains user documentation for the information system, system component, or information system service that describes: (SA-5b. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Obtains user documentation for the information system, system component, or information system service that describes: (SA-5b. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Obtains user documentation for the information system, system component, or information system service that describes: (SA-5b. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Obtain or develop user documentation for the system, system component, or system service that describes: (SA-5b., FedRAMP Security Controls High Baseline, Version 5)
  • Obtain or develop user documentation for the system, system component, or system service that describes: (SA-5b., FedRAMP Security Controls Low Baseline, Version 5)
  • Obtain or develop user documentation for the system, system component, or system service that describes: (SA-5b., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Obtain or develop user documentation for the system, system component, or system service that describes: (SA-5b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Obtain or develop user documentation for the system, system component, or system service that describes: (SA-5b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Obtain or develop user documentation for the system, system component, or system service that describes: (SA-5b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Obtain or develop user documentation for the system, system component, or system service that describes: (SA-5b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Obtain or develop user documentation for the system, system component, or system service that describes: (SA-5b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Obtains user documentation for the information system, system component, or information system service that describes: (SA-5b. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Obtains user documentation for the information system, system component, or information system service that describes: (SA-5b. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Obtains user documentation for the information system, system component, or information system service that describes: (SA-5b. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Obtains user documentation for the information system, system component, or information system service that describes: (SA-5b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Obtains user documentation for the information system, system component, or information system service that describes: (SA-5b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Obtains user documentation for the information system, system component, or information system service that describes: (SA-5b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Obtains user documentation for the information system, system component, or information system service that describes: (SA-5b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Obtain or develop user documentation for the system, system component, or system service that describes: (SA-5b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Obtain or develop user documentation for the system, system component, or system service that describes: (SA-5b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Obtains user documentation for the information system, system component, or information system service that describes: (SA-5b., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Obtains user documentation for the information system, system component, or information system service that describes: (SA-5b., TX-RAMP Security Controls Baseline Level 1)
  • Obtains user documentation for the information system, system component, or information system service that describes: (SA-5b., TX-RAMP Security Controls Baseline Level 2)