manage.get.gov/docs/compliance/dist/system-security-plans/ato/sa-5.md
Logan McDonald 1d3dfdb8d5
Add compliance documentation to source control (#116)
* add initial setup of compliance-trestle
2022-09-14 08:46:43 -04:00


implementation-status: c-not-implemented
control-origination: c-inherited-cloud-gov, c-inherited-cisa, c-common-control, c-system-specific-control

sa-5 - [catalog] System Documentation

Control Statement

  • [a] Obtain or develop administrator documentation for the system, system component, or system service that describes:
    • [1] Secure configuration, installation, and operation of the system, component, or service;
    • [2] Effective use and maintenance of security and privacy functions and mechanisms; and
    • [3] Known vulnerabilities regarding configuration and use of administrative or privileged functions;
  • [b] Obtain or develop user documentation for the system, system component, or system service that describes:
    • [1] User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms;
    • [2] Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and
    • [3] User responsibilities in maintaining the security of the system, component, or service and privacy of individuals;
  • [c] Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and take actions in response; and
  • [d] Distribute documentation to personnel or roles.

Control guidance

System documentation helps personnel understand the implementation and operation of controls. Organizations consider establishing specific measures to determine the quality and completeness of the content provided. System documentation may be used to support the management of supply chain risk, incident response, and other functions. Personnel or roles that require documentation include system owners, system security officers, and system administrators. Attempts to obtain documentation include contacting manufacturers or suppliers and conducting web-based searches. The inability to obtain documentation may occur due to the age of the system or component or the lack of support from developers and contractors. When documentation cannot be obtained, organizations may need to recreate the documentation if it is essential to the implementation or operation of the controls. The protection provided for the documentation is commensurate with the security category or classification of the system. Documentation that addresses system vulnerabilities may require an increased level of protection. Secure operation of the system includes initially starting the system and resuming secure system operation after a lapse in system operation.

Control assessment-objective

  • administrator documentation for the system, system component, or system service that describes the secure configuration of the system, component, or service is obtained or developed;
  • administrator documentation for the system, system component, or system service that describes the secure installation of the system, component, or service is obtained or developed;
  • administrator documentation for the system, system component, or system service that describes the secure operation of the system, component, or service is obtained or developed;
  • administrator documentation for the system, system component, or system service that describes the effective use of security functions and mechanisms is obtained or developed;
  • administrator documentation for the system, system component, or system service that describes the effective maintenance of security functions and mechanisms is obtained or developed;
  • administrator documentation for the system, system component, or system service that describes the effective use of privacy functions and mechanisms is obtained or developed;
  • administrator documentation for the system, system component, or system service that describes the effective maintenance of privacy functions and mechanisms is obtained or developed;
  • administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the configuration of administrative or privileged functions is obtained or developed;
  • administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the use of administrative or privileged functions is obtained or developed;
  • user documentation for the system, system component, or system service that describes user-accessible security functions and mechanisms is obtained or developed;
  • user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible security) functions and mechanisms is obtained or developed;
  • user documentation for the system, system component, or system service that describes user-accessible privacy functions and mechanisms is obtained or developed;
  • user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible privacy) functions and mechanisms is obtained or developed;
  • user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service in a more secure manner, is obtained or developed;
  • user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service to protect individual privacy, is obtained or developed;
  • user documentation for the system, system component, or system service that describes user responsibilities for maintaining the security of the system, component, or service is obtained or developed;
  • user documentation for the system, system component, or system service that describes user responsibilities for maintaining the privacy of individuals is obtained or developed;
  • attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent are documented;
  • after attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent, actions are taken in response;
  • documentation is distributed to personnel or roles.


What is the solution and how is it implemented?


Implementation a.

Add control implementation description here for item sa-5_smt.a


Implementation b.

Add control implementation description here for item sa-5_smt.b


Implementation c.

Add control implementation description here for item sa-5_smt.c


Implementation d.

Add control implementation description here for item sa-5_smt.d