Guidance for NIST 800-171 Assessment & Compliance
Applicable (Y)es / (N)o |
(C)onfidentiality |
(I)ntegrity |
(A)vailability |
RPN (C+I+A) |
(S)atisfactory |
||||||
L1 |
M2 |
H3 |
L1 |
M2 |
H3 |
L1 |
M2 |
H3 |
(O)ther than satisfactory +## |
||
|
|
|
|
|
|
|
|
|
|
|
|
###
sa-5 |
information system documentation |
|||
|
assessment objective: Determine if the organization: |
|||
sa-5(a) |
obtains administrator documentation for the information system, system component, or information system service that describes: |
|||
sa-5(a)(1) |
sa-5(a)(1)[1] |
secure configuration of the system, system component, or service; |
||
sa-5(a)(1)[2] |
secure installation of the system, system component, or service; |
|||
sa-5(a)(1)[3] |
secure operation of the system, system component, or service; |
|||
sa-5(a)(2) |
sa-5(a)(2)[1] |
effective use of the security features/mechanisms; |
||
sa-5(a)(2)[2] |
effective maintenance of the security features/mechanisms; |
|||
sa-5(a)(3) |
known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions; |
|||
sa-5(b) |
obtains user documentation for the information system, system component, or information system service that describes: |
|||
sa-5(b)(1) |
sa-5(b)(1)[1] |
user-accessible security functions/mechanisms; |
||
sa-5(b)(1)[2] |
how to effectively use those functions/mechanisms; |
|||
sa-5(b)(2) |
methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; |
|||
sa-5(b)(3) |
user responsibilities in maintaining the security of the system, component, or service; |
|||
sa-5(c) |
sa-5(c)[1] |
defines actions to be taken after documented attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent; |
||
sa-5(c)[2] |
documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent; |
|||
sa-5(c)[3] |
takes organization-defined actions in response; |
|||
sa-5(d) |
protects documentation as required, in accordance with the risk management strategy; |
|||
sa-5(e) |
sa-5(e)[1] |
defines personnel or roles to whom documentation is to be distributed; and |
||
sa-5(e)[2] |
distributes documentation to organization-defined personnel or roles. |
|||
potential assessment methods and objects: Examine: [select from: System and services acquisition policy; procedures addressing information system documentation; information system documentation including administrator and user guides; records documenting attempts to obtain unavailable or nonexistent information system documentation; list of actions to be taken in response to documented attempts to obtain information system, system component, or information system service documentation; risk management strategy documentation; other relevant documents or records]. Interview: [select from: Organizational personnel with acquisition/contracting responsibilities; organizational personnel with responsibility for determining information system security requirements; system administrators; organizational personnel operating, using, and/or maintaining the information system; information system developers; organizational personnel with information security responsibilities]. Test: [select from: Organizational processes for obtaining, protecting, and distributing information system administrator and user documentation]. |
||||
