NIST 800-53 r5 · Controls catalogue · Family SA
SA-5System Documentation
Obtain or develop administrator documentation for the system, system component, or system service that describes: Secure configuration, installation, and operation of the system, component, or service; Effective use and maintenance of security and privacy functions and mechanisms; and Known vulnerabilities regarding configuration and use of administrative or privileged functions; Obtain or develop user documentation for the system, system component, or system service that describes: User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms; Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and User responsibilities in maintaining the security of the system, component, or service and privacy of individuals; Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and take {{ insert: param, sa-05_odp.01 }} in response; and Distribute documentation to {{ insert: param, sa-05_odp.02 }}.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (9)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-284 | Improper Access Control | 4,832 | Guidance on effective use of access control mechanisms and known configuration vulnerabilities makes improper access control harder to exploit. |
CWE-306 | Missing Authentication for Critical Function | 2,567 | Secure configuration documentation explicitly addresses enabling authentication for critical functions, reducing missing authentication exposures. |
CWE-798 | Use of Hard-coded Credentials | 1,955 | Known vulnerabilities section of admin docs covers hard-coded credentials and how to replace them, limiting their use in deployments. |
CWE-732 | Incorrect Permission Assignment for Critical Resource | 1,824 | Documentation covering secure installation and permission settings reduces incorrect permission assignments on critical resources. |
CWE-276 | Incorrect Default Permissions | 1,757 | Administrator documentation on secure configuration and default settings prevents incorrect default permissions from remaining in place. |
CWE-250 | Execution with Unnecessary Privileges | 305 | Documentation on secure operation of privileged functions and known vulnerabilities directly reduces execution with unnecessary privileges. |
CWE-521 | Weak Password Requirements | 303 | User documentation on maintaining security includes password requirements, directly mitigating weak password policies. |
CWE-1188 | Initialization of a Resource with an Insecure Default | 300 | Secure configuration and installation documentation prevents initialization of resources with insecure defaults. |
CWE-1392 | Use of Default Credentials | 89 | Documentation of known configuration vulnerabilities and secure setup practices reduces reliance on default credentials. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | ||||