SA-05-727 Information System Documentation


SA-05-727
Information System Documentation
Security Assessment and Authorization
LOW, MOD, HIGH
P2
Yes
May 20, 2016

Information resource owners shall obtain all available vendor-provided security-related user documentation and integrate the guidance from such documentation into routine use of the information resource. During provisioning of the information resource, any benchmarked standards (e.g., the Center for Internet Security's CIS Benchmarks) shall be used as the baseline for secure configuration of the information resource. Any other documentation related to the secure configuration, effective use, or known vulnerabilities shall be maintained by the information resource owner and made available to users and/or administrators, as appropriate.

Sensitive system configuration information is accessed by unauthorized parties due to inadequate security of system documentation.
The organization:

a. Obtains administrator documentation for the information system, system component, or information system service that describes:
   1. Secure configuration, installation, and operation of the system, component, or service;
   2. Effective use and maintenance of security functions/mechanisms; and
   3. Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;

b. Obtains user documentation for the information system, system component, or information system service that describes:
   1. User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms;
   2. Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and
   3. User responsibilities in maintaining the security of the system, component, or service;

c. Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and [Assignment: organization-defined actions] in response;

d. Protects documentation as required, in accordance with the risk management strategy; and

e. Distributes documentation to [Assignment: organization-defined personnel or roles].
The organization effectively secures system security documentation and configuration settings.
The state organization obtains, protects as required, and makes available to authorized personnel, adequate documentation for the information system.
Obtain the system and services acquisition policy; procedures addressing information system documentation; information system documentation, including administrator and user guides; and other relevant documents or records, and ascertain if:

(i) the organization obtains, protects as required, and makes available to authorized personnel, information system administrator and user guidance with information on:
   - configuring, installing, and operating the information system;
   - effectively using the system's security features.

(ii) when this information is either unavailable or nonexistent (e.g., due to the age of the system or lack of support from the vendor/manufacturer), the organization documents attempts to obtain such documentation and provides compensating security controls, if needed.

(iii) the organization includes, in addition to administrator and user guides, documentation, if available from the vendor/manufacturer, describing the functional properties of the security controls employed within the information system with sufficient detail to permit analysis and testing of the controls.

(iv) the organization obtains, protects as required, and makes available to authorized personnel, vendor/manufacturer documentation that describes the high-level design of the information system in terms of subsystems and implementation details of the security controls employed within the system with sufficient detail to permit analysis and testing.