NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION

SA-8(32) Sufficient Documentation

Implement the security design principle of sufficient documentation in {{ insert: param, sa-08.32_odp }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

The principle of sufficient documentation states that organizational personnel with responsibilities to interact with the system are provided with adequate documentation and other information such that the personnel contribute to rather than detract from system security. Despite attempts to comply with principles such as human factored security and acceptable security, systems are inherently complex, and the design intent for the use of security mechanisms and the ramifications of the misuse or misconfiguration of security mechanisms are not always intuitively obvious. Uninformed and insufficiently trained users can introduce vulnerabilities due to errors of omission and commission. The availability of documentation and training can help to ensure a knowledgeable cadre of personnel, all of whom have a critical role in the achievement of principles such as continuous protection. Documentation is written clearly and supported by training that provides security awareness and understanding of security-relevant responsibilities.

Practitioner Notes

Sufficient documentation means that security-relevant aspects of the system are documented well enough to be independently verified, operated, and maintained. Undocumented security is unverifiable security.

Example 1: For each system, maintain documentation that covers: security architecture, access control configuration, encryption implementation, audit logging setup, backup procedures, and incident response contacts. Store this documentation alongside the system security plan.

Example 2: Create runbooks for your security operations team that document common scenarios: how to investigate an alert, how to isolate a compromised system, how to restore from backup, and how to report an incident. Test the runbooks during tabletop exercises and update them with lessons learned.