1. Home
  2. FedRAMP
  3. SA-5

BRACKETOLOGY | FEDRAMP

SA-5: INFORMATION SYSTEM DOCUMENTATION

  • FedRAMP Baseline Membership SA-5:
  • LOW
  • MODERATE
  • HIGH

FedRAMP Bracketology

Use the FedRAMP Control Membership information above to determine if a control or control enhancement is required for each Impact Baseline — LOW, MODERATE, or HIGH

Click on the panel below each control or control enhancement to review the FedRAMP Impact Baseline-specific control configuration requirements for each of the [BRACKETS] in each control and/or control enhancement.

Review and use Additional Requirements and Guidance to build FedRAMP-compliant controls for your risk-based cybersecurity program.

To change the baseline view in the panel, click on LOW, MODERATE, or HIGH when the panel is open

Panels only appear where there are [BRACKETS] in the control or enhancement or where there is FedRAMP-specific requirements or guidance available.

The organization:

    • a. Obtains administrator documentation for the information system, system component, or information system service that describes:
      1. Secure configuration, installation, and operation of the system, component, or service;
      2. Effective use and maintenance of security functions/mechanisms; and
      3. Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;
    • b. Obtains user documentation for the information system, system component, or information system service that describes:
      1. User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms;
      2. Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and
      3. User responsibilities in maintaining the security of the system, component, or service;
    • c. Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and takes [Assignment: organization-defined actions] in response;
    • d. Protects documentation as required, in accordance with the risk management strategy; and
    • e. Distributes documentation to [Assignment: organization-defined personnel or roles].

Click Low | Moderate | High below to see FedRAMP control configuration information. It's in BOLD.

There are no FedRAMP-specific requirements if this control is used for a LOW Impact system.

There are no FedRAMP-specific requirements if this control is used for a MODERATE Impact system.

The organization:

  • a. Obtains administrator documentation for the information system, system component, or information system service that describes:
    1. Secure configuration, installation, and operation of the system, component, or service;
    2. Effective use and maintenance of security functions/mechanisms; and
    3. Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;
  • b. Obtains user documentation for the information system, system component, or information system service that describes:
    1. User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms;
    2. Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and
    3. User responsibilities in maintaining the security of the system, component, or service;
  • c. Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and takes organization-defined actions in response;
  • d. Protects documentation as required, in accordance with the risk management strategy; and
  • e. Distributes documentation to at a minimum, the ISSO (or similar role within the organization).

SUPPLEMENTAL GUIDANCE

This control helps organizational personnel understand the implementation and operation of security controls associated with information systems, system components, and information system services. Organizations consider establishing specific measures to determine the quality/completeness of the content provided. The inability to obtain needed documentation may occur, for example, due to the age of the information system/component or lack of support from developers and contractors. In those situations, organizations may need to recreate selected documentation if such documentation is essential to the effective implementation or operation of security controls. The level of protection provided for selected information system, component, or service documentation is commensurate with the security category or classification of the system. For example, documentation associated with a key DoD weapons system or command and control system would typically require a higher level of protection than a routine administrative system. Documentation that addresses information system vulnerabilities may also require an increased level of protection. Secure operation of the information system, includes, for example, initially starting the system and resuming secure system operation after any lapse in system operation.

CONTROL ENHANCEMENTS

SA-5 (1) INFORMATION SYSTEM DOCUMENTATION | FUNCTIONAL PROPERTIES OF SECURITY CONTROLS

[Withdrawn: Incorporated into SA-4 (1)].

SA-5 (2) INFORMATION SYSTEM DOCUMENTATION

[Withdrawn: Incorporated into SA-4 (2)].

SA-5 (3) INFORMATION SYSTEM DOCUMENTATION

[Withdrawn: Incorporated into SA-4 (2)].

SA-5 (4) INFORMATION SYSTEM DOCUMENTATION

[Withdrawn: Incorporated into SA-4 (2)].

SA-5 (5) INFORMATION SYSTEM DOCUMENTATION

[Withdrawn: Incorporated into SA-4 (2)].

REFERENCES:

  • NO REFERENCES