P1 LOW SA-4 (10) | MOD SA-4 (1) (2) (9) (10) | HIGH SA-4 (1) (2) (9) (10) |
Control: The organization:
- Obtains administrator documentation for the information system, system component, or information system service that describes:
  - Secure configuration, installation, and operation of the system, component, or service;
  - Effective use and maintenance of security functions/mechanisms; and
  - Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;
- Obtains user documentation for the information system, system component, or information system service that describes:
  - User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms;
  - Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and
  - User responsibilities in maintaining the security of the system, component, or service;
- Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and [Assignment: organization-defined actions] in response;
- Protects documentation as required, in accordance with the risk management strategy; and
- Distributes documentation to [Assignment: organization-defined personnel or roles].
Supplemental Guidance: This control helps organizational personnel understand the implementation and operation of security controls associated with information systems, system components, and information system services. Organizations consider establishing specific measures to determine the quality/completeness of the content provided. The inability to obtain needed documentation may occur, for example, due to the age of the information system/component or lack of support from developers and contractors. In those situations, organizations may need to recreate selected documentation if such documentation is essential to the effective implementation or operation of security controls. The level of protection provided for selected information system, component, or service documentation is commensurate with the security category or classification of the system. For example, documentation associated with a key DoD weapons system or command and control system would typically require a higher level of protection than a routine administrative system. Documentation that addresses information system vulnerabilities may also require an increased level of protection. Secure operation of the information system includes, for example, initially starting the system and resuming secure system operation after any lapse in system operation. Related controls: CM-6, CM-8, PL-2, PL-4, PS-2, SA-3, SA-4.
Control Enhancements:
- information system documentation | functional properties of security controls
  [Withdrawn: Incorporated into SA-4 (1)].
- information system documentation | security-relevant external system interfaces
  [Withdrawn: Incorporated into SA-4 (2)].
- information system documentation | high-level design
  [Withdrawn: Incorporated into SA-4 (2)].
- information system documentation | low-level design
  [Withdrawn: Incorporated into SA-4 (2)].
- information system documentation | source code
  [Withdrawn: Incorporated into SA-4 (2)].
References: None.
Priority and Baseline Allocation:
P2 | LOW SA-5 | MOD SA-5 | HIGH SA-5 |
SA-6 SOFTWARE USAGE RESTRICTIONS
[Withdrawn: Incorporated into CM-10 and SI-7].
SA-7 USER-INSTALLED SOFTWARE
[Withdrawn: Incorporated into CM-11 and SI-7].
SA-8 SECURITY ENGINEERING PRINCIPLES
Control: The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.
Supplemental Guidance: Organizations apply security engineering principles primarily to new development information systems or systems undergoing major upgrades. For legacy systems, organizations apply security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware within those systems. Security engineering principles include, for example: (i) developing layered protections; (ii) establishing sound security policy, architecture, and controls as the foundation for design; (iii) incorporating security requirements into the system development life cycle; (iv) delineating physical and logical security boundaries; (v) ensuring that system developers are trained on how to build secure software; (vi) tailoring security controls to meet organizational and operational needs; (vii) performing threat modeling to identify use cases, threat agents, attack vectors, and attack patterns as well as compensating controls and design patterns needed to mitigate risk; and (viii) reducing risk to acceptable levels, thus enabling informed risk management decisions. Related controls: PM-7, SA-3, SA-4, SA-17, SC-2, SC-3.
Control Enhancements: None.
References: NIST Special Publication 800-27.
Priority and Baseline Allocation: