NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION
SA-5(1) — Functional Properties of Security Controls
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Practitioner Notes
System documentation must describe the functional properties of security controls — what each control does in terms the administrator can understand and verify.
Example 1: The system documentation should explain each security feature in functional terms: 'The system enforces password complexity by requiring a minimum of 14 characters, including at least one uppercase letter, one lowercase letter, one number, and one special character. Login lockout occurs for 15 minutes after 3 consecutive failed logins.'
Example 2: For each security control documented, the administrator guide should include: what it does, how to configure it, how to verify it is working, and what happens when it fails. This enables your admins to properly operate and troubleshoot security features.