catalog: SP800-53rev3 / class: Management / family: (SA) System and Services Acquisition
SA-05: Information System Documentation

base control objective:
The organization:
a. Obtains, protects as required, and makes available to authorized personnel, administrator documentation for the information system that describes:
   - Secure configuration, installation, and operation of the information system;
   - Effective use and maintenance of security features/functions; and
   - Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions; and
b. Obtains, protects as required, and makes available to authorized personnel, user documentation for the information system that describes:
   - User-accessible security features/functions and how to effectively use those security features/functions;
   - Methods for user interaction with the information system, which enables individuals to use the system in a more secure manner; and
   - User responsibilities in maintaining the security of the information and information system; and
c. Documents attempts to obtain information system documentation when such documentation is either unavailable or nonexistent.

supplemental objective information:
The inability of the organization to obtain necessary information system documentation may occur, for example, due to the age of the system and/or lack of support from the vendor/contractor. In those situations, organizations may need to recreate selected information system documentation if such documentation is essential to the effective implementation and/or operation of security controls.

enhancements to the base objective:

(1) The organization obtains, protects as required, and makes available to authorized personnel, vendor/manufacturer documentation that describes the functional properties of the security controls employed within the information system with sufficient detail to permit analysis and testing.

(2) The organization obtains, protects as required, and makes available to authorized personnel, vendor/manufacturer documentation that describes the security-relevant external interfaces to the information system with sufficient detail to permit analysis and testing.

(3) The organization obtains, protects as required, and makes available to authorized personnel, vendor/manufacturer documentation that describes the high-level design of the information system in terms of subsystems and implementation details of the security controls employed within the system with sufficient detail to permit analysis and testing.
Enhancement Supplemental Guidance: An information system can be partitioned into multiple subsystems.

(4) The organization obtains, protects as required, and makes available to authorized personnel, vendor/manufacturer documentation that describes the low-level design of the information system in terms of modules and implementation details of the security controls employed within the system with sufficient detail to permit analysis and testing.
Enhancement Supplemental Guidance: Each subsystem within an information system can contain one or more modules.

(5) The organization obtains, protects as required, and makes available to authorized personnel, the source code for the information system to permit analysis and testing.

mapping to FIPS199 baseline:

LOW: base     MOD: base (1) (3)     HIGH: base (1) (2) (3)

related (regimented) controls:

None.

documents referenced in SP800-53rev3 for SA-05:

None.
