System Documentation

System artifacts and documentation created by the developer helps organizational personnel understand the implementation and operation of controls. Organizations consider establishing specific measures to determine the quality and completeness of the content provided. System documentation may be used to delineate roles, responsibilities and expectations of the developer and organization, support the management of supply chain risk, incident response, flaw remediation, and other functions. Personnel or roles that require documentation include system owners, system security officers, and system administrators. Attempts to obtain documentation include contacting manufacturers or suppliers and conducting web-based searches. The inability to obtain documentation may occur due to the age of the system or component or the lack of support from developers and contractors. When documentation cannot be obtained, organizations may need to recreate the documentation if it is essential to the implementation or operation of the controls. The protection provided for the documentation is commensurate with the security category or classification of the system. Documentation that addresses system vulnerabilities may require an increased level of protection. Secure operation of the system includes initially starting the system and resuming secure system operation after a lapse in system operation. An example of least privilege in software development is minimizing the functions that operate with elevated privileges (e.g., limiting the tools and functionality that operate in kernel mode)

administrator documentation for the system, system component, or system service that describes the secure configuration of the system, component, or service is obtained or developed; administrator documentation for the system, system component, or system service that describes the secure installation of the system, component, or service is obtained or developed; administrator documentation for the system, system component, or system service that describes the secure operation of the system, component, or service is obtained or developed; administrator documentation for the system, system component, or system service that describes the effective use of security functions and mechanisms is obtained or developed; administrator documentation for the system, system component, or system service that describes the effective maintenance of security functions and mechanisms is obtained or developed; administrator documentation for the system, system component, or system service that describes the effective use of privacy functions and mechanisms is obtained or developed; administrator documentation for the system, system component, or system service that describes the effective maintenance of privacy functions and mechanisms is obtained or developed; administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the configuration of administrative or privileged functions is obtained or developed; administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the use of administrative or privileged functions is obtained or developed; user documentation for the system, system component, or system service that describes user-accessible security functions and mechanisms is obtained or developed; user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible security) functions and mechanisms is obtained or developed; user documentation for the system, system component, or system service that describes user-accessible privacy functions and mechanisms is obtained or developed; user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible privacy) functions and mechanisms is obtained or developed; user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service in a more secure manner is obtained or developed; user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service to protect individual privacy is obtained or developed; user documentation for the system, system component, or system service that describes user responsibilities for maintaining the security of the system, component, or service is obtained or developed; user documentation for the system, system component, or system service that describes user responsibilities for maintaining the privacy of individuals is obtained or developed; attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent is documented; after attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent, actions are taken in response; documentation is distributed to personnel or roles.