SA-8(32)

  • Requirement

    Implement the security design principle of sufficient documentation in [Assignment: organization-defined systems or system components].

  • Discussion

    The principle of sufficient documentation states that organizational personnel with responsibilities to interact with the system are provided with adequate documentation and other information such that the personnel contribute to rather than detract from system security. Despite attempts to comply with principles such as human factored security and acceptable security, systems are inherently complex, and the design intent for the use of security mechanisms and the ramifications of the misuse or misconfiguration of security mechanisms are not always intuitively obvious. Uninformed and insufficiently trained users can introduce vulnerabilities due to errors of omission and commission. The availability of documentation and training can help to ensure a knowledgeable cadre of personnel, all of whom have a critical role in the achievement of principles such as continuous protection. Documentation is written clearly and supported by training that provides security awareness and understanding of security-relevant responsibilities.

More Info

  • Title

    Security and Privacy Engineering Principles | Sufficient Documentation
  • Family

    System and Services Acquisition
  • NIST 800-53B Baseline(s)

    • Related NIST 800-53 ID

      AT-2;AT-3;SA-5

    NIST 800-53A Assessment Guidance

    CMMC Training

    Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!