
SA-5 System Documentation

Applicable impact levels: IL4 Mod, IL4 High, IL5, IL6

>Control Description

a. Obtain or develop administrator documentation for the system, system component, or system service that describes:

   1. Secure configuration, installation, and operation of the system, component, or service;
   2. Effective use and maintenance of security and privacy functions and mechanisms; and
   3. Known vulnerabilities regarding configuration and use of administrative or privileged functions;

b. Obtain or develop user documentation for the system, system component, or system service that describes:

   1. User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms;
   2. Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and
   3. User responsibilities in maintaining the security of the system, component, or service and privacy of individuals;

c. Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and take organization-defined actions in response; and

d. Distribute documentation to organization-defined personnel or roles.

>DoD Impact Level Requirements

FedRAMP Parameter Values

SA-5 (d) [at a minimum, the ISSO (or similar role within the organization)]

>Discussion

System documentation helps personnel understand the implementation and operation of controls. Organizations consider establishing specific measures to determine the quality and completeness of the content provided. System documentation may be used to support the management of supply chain risk, incident response, and other functions.

Personnel or roles that require documentation include system owners, system security officers, and system administrators. Attempts to obtain documentation include contacting manufacturers or suppliers and conducting web-based searches. The inability to obtain documentation may occur due to the age of the system or component or the lack of support from developers and contractors.

When documentation cannot be obtained, organizations may need to recreate the documentation if it is essential to the implementation or operation of the controls. The protection provided for the documentation is commensurate with the security category or classification of the system. Documentation that addresses system vulnerabilities may require an increased level of protection.

Secure operation of the system includes initially starting the system and resuming secure system operation after a lapse in system operation.

>Programmatic Queries (Beta)

Related Services

AWS Systems Manager
AWS Config
AWS Service Catalog

CLI Commands

List SSM documents:
  aws ssm list-documents --document-filter-list key=Owner,value=Self

Describe SSM document content:
  aws ssm get-document --name DOCUMENT_NAME

List Config rules (configuration documentation):
  aws configservice describe-config-rules

List Service Catalog portfolios:
  aws servicecatalog list-portfolios
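The CLI queries above only enumerate artifacts; an assessor still has to map each document to a system component and to the SA-5(a) administrator and SA-5(b) user categories, and to find the components for which no documentation exists (the SA-5(c) case). The following Python script, added here as an example and not code from the original page or from any AWS tool, does that mapping over a constructed `list-documents` response. The tag names `sa5:component` and `sa5:doc-type`, the component inventory and the sample documents are assumptions for the example; the JSON field names follow the shape of the SSM ListDocuments response.

```python
"""Gap report for SA-5 documentation evidence built from `aws ssm list-documents` output.

Added example, not code from the original page or from AWS. Assumptions (hypothetical
conventions, not an AWS feature): each SSM document that serves as SA-5 documentation
carries a tag `sa5:component` naming the system component it covers and a tag
`sa5:doc-type` whose value is `admin` (SA-5a) or `user` (SA-5b). The JSON below is a
constructed sample that follows the field names of the ListDocuments response.
"""
import json

# Document types SA-5 expects for every component: (a) administrator, (b) user.
REQUIRED_DOC_TYPES = ("admin", "user")

# Constructed sample, shaped like the output of
# `aws ssm list-documents --document-filter-list key=Owner,value=Self`.
SAMPLE_LIST_DOCUMENTS = json.dumps({
    "DocumentIdentifiers": [
        {"Name": "web-tier-admin-guide", "Owner": "123456789012", "DocumentType": "Command",
         "DocumentVersion": "3", "DocumentFormat": "YAML",
         "Tags": [{"Key": "sa5:component", "Value": "web-tier"},
                  {"Key": "sa5:doc-type", "Value": "admin"}]},
        {"Name": "web-tier-user-guide", "Owner": "123456789012", "DocumentType": "Command",
         "DocumentVersion": "1", "DocumentFormat": "YAML",
         "Tags": [{"Key": "sa5:component", "Value": "web-tier"},
                  {"Key": "sa5:doc-type", "Value": "user"}]},
        {"Name": "db-tier-admin-guide", "Owner": "123456789012", "DocumentType": "Command",
         "DocumentVersion": "2", "DocumentFormat": "JSON",
         "Tags": [{"Key": "sa5:component", "Value": "db-tier"},
                  {"Key": "sa5:doc-type", "Value": "admin"}]},
        # Untagged document: it cannot be attributed to any component or doc type.
        {"Name": "legacy-batch-notes", "Owner": "123456789012", "DocumentType": "Command",
         "DocumentVersion": "1", "DocumentFormat": "JSON", "Tags": []},
    ]
})

# Constructed inventory of system components that SA-5 documentation must cover.
COMPONENTS = ("web-tier", "db-tier", "legacy-batch")


def tags_of(identifier):
    """Flatten the ListDocuments Tags list ([{Key, Value}, ...]) into a dict."""
    return {t["Key"]: t["Value"] for t in identifier.get("Tags", [])}


def parse_documents(raw_json):
    """Return (name, component, doc_type, version) per document; component/doc_type may be None."""
    data = json.loads(raw_json)
    rows = []
    for ident in data.get("DocumentIdentifiers", []):
        tags = tags_of(ident)
        rows.append((ident["Name"], tags.get("sa5:component"),
                     tags.get("sa5:doc-type"), ident.get("DocumentVersion")))
    return rows


def sa5_gap_report(raw_json, components):
    """Map each component to the doc types found and the SA-5 doc types still missing."""
    found = {c: {} for c in components}
    for name, component, doc_type, version in parse_documents(raw_json):
        if component in found and doc_type in REQUIRED_DOC_TYPES:
            found[component][doc_type] = f"{name}@v{version}"
    return {
        c: {"present": found[c],
            "missing": [d for d in REQUIRED_DOC_TYPES if d not in found[c]]}
        for c in components
    }


def untagged_documents(raw_json):
    """Documents carrying neither SA-5 tag; they count as evidence for nothing."""
    return [name for name, component, doc_type, _ in parse_documents(raw_json)
            if component is None and doc_type is None]


def components_needing_sa5c_record(report):
    """Components with any gap: SA-5(c) requires recording the attempt to obtain the docs."""
    return [c for c, r in report.items() if r["missing"]]


if __name__ == "__main__":
    report = sa5_gap_report(SAMPLE_LIST_DOCUMENTS, COMPONENTS)
    for component, r in report.items():
        status = "complete" if not r["missing"] else "missing " + ", ".join(r["missing"])
        print(f"{component:14s} {status:22s} present={r['present']}")
    print("untagged:", untagged_documents(SAMPLE_LIST_DOCUMENTS))
    print("record SA-5(c) attempts for:", components_needing_sa5c_record(report))
```

In use, replace SAMPLE_LIST_DOCUMENTS with the real CLI output (the AWS CLI paginates list-documents on its own), and treat every component in the "missing" list as an SA-5(c) event: record who was contacted and when, or decide to recreate the documentation as the Discussion section describes. Untagged documents are worth a second look, since they are the ones an assessor cannot tie to any component.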

>Related Controls

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What acquisition policies and procedures address the requirements of SA-5?
  • How are security and privacy requirements integrated into the acquisition process?
  • Who is responsible for ensuring that acquisitions comply with SA-5?
  • How do you assess and monitor the security posture of suppliers and vendors?

Technical Implementation:

  • How are security requirements defined and documented in acquisition contracts?
  • What mechanisms ensure that acquired systems and services meet security requirements?
  • How do you validate that vendors and service providers comply with specified security controls?
  • What secure coding practices and standards are required for developers?

Evidence & Documentation:

  • Can you provide examples of acquisition documentation that includes security requirements?
  • What evidence demonstrates that acquired systems meet security specifications?
  • Where is acquisition security documentation maintained throughout the system lifecycle?
  • Can you provide code review or static analysis results?
  • Can you provide vendor security assessment reports?
