System and Services Acquisition

System Documentation

SA-05

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: SA-05
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

  • a. Obtain or develop administrator documentation for the system, system component, or system service that describes:
    • 1. Secure configuration, installation, and operation of the system, component, or service;
    • 2. Effective use and maintenance of security and privacy functions and mechanisms; and
    • 3. Known vulnerabilities regarding configuration and use of administrative or privileged functions;
  • b. Obtain or develop user documentation for the system, system component, or system service that describes:
    • 1. User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms;
    • 2. Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and
    • 3. User responsibilities in maintaining the security of the system, component, or service and privacy of individuals;
  • c. Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and take [Assignment: organization-defined actions] in response; and
  • d. Distribute documentation to [Assignment: organization-defined personnel or roles].

FedRAMP Guidance

Follow the FedRAMP Secure Configuration Guide rules.


Identification of Functions, Ports, Protocols, and Services

SA-09(02)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: SA-09(02)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Require providers of the following external system services to identify the functions, ports, protocols, and other services required for the use of such services: [Assignment: organization-defined external system services].

FedRAMP Parameters

Parameter ID | NIST assignment | FedRAMP value
sa-09.02_odp | external system services | all external systems where federal customer data is processed or stored

Processing, Storage, and Service Location

SA-09(05)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: SA-09(05)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Restrict the location of [Selection: one or more of: information processing; information or data; system services] to [Assignment: organization-defined locations] based on [Assignment: organization-defined requirements].

FedRAMP Parameters

Parameter ID | NIST assignment | FedRAMP value
sa-09.05_odp.01 | one or more of: information processing; information or data; system services | information processing, information or data, AND system services
sa-09.05_odp.03 | requirements | all federal customer data

FedRAMP Parameters

Parameter ID | NIST assignment | FedRAMP value
sa-09.05_odp.01 | one or more of: information processing; information or data; system services | information processing, information or data, AND system services
sa-09.05_odp.02 | locations | U.S./U.S. Territories or geographic locations where there is U.S. jurisdiction
sa-09.05_odp.03 | requirements | all federal customer data
