NIST 800-53 r5 · Controls catalogue · Family SA
SA-5System Documentation
Obtain or develop administrator documentation for the system, system component, or system service that describes: Secure configuration, installation, and operation of the system, component, or service; Effective use and maintenance of security and privacy functions and mechanisms; and Known vulnerabilities regarding configuration and use of administrative or privileged functions; Obtain or develop user documentation for the system, system component, or system service that describes: User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms; Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and User responsibilities in maintaining the security of the system, component, or service and privacy of individuals; Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and take {{ insert: param, sa-05_odp.01 }} in response; and Distribute documentation to {{ insert: param, sa-05_odp.02 }}.
Last updated: 04 July 2026 00:28 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: partial · 4 mapping(s) from 1 framework(s): ASVS 5.0 4 (partial)
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (9)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-284 | Improper Access Control | 5,367 | Guidance on effective use of access control mechanisms and known configuration vulnerabilities makes improper access control harder to exploit. |
CWE-306 | Missing Authentication for Critical Function | 2,820 | Secure configuration documentation explicitly addresses enabling authentication for critical functions, reducing missing authentication exposures. |
CWE-798 | Use of Hard-coded Credentials | 2,013 | Known vulnerabilities section of admin docs covers hard-coded credentials and how to replace them, limiting their use in deployments. |
CWE-732 | Incorrect Permission Assignment for Critical Resource | 1,874 | Documentation covering secure installation and permission settings reduces incorrect permission assignments on critical resources. |
CWE-276 | Incorrect Default Permissions | 1,789 | Administrator documentation on secure configuration and default settings prevents incorrect default permissions from remaining in place. |
CWE-1188 | Initialization of a Resource with an Insecure Default | 335 | Secure configuration and installation documentation prevents initialization of resources with insecure defaults. |
CWE-250 | Execution with Unnecessary Privileges | 333 | Documentation on secure operation of privileged functions and known vulnerabilities directly reduces execution with unnecessary privileges. |
CWE-521 | Weak Password Requirements | 308 | User documentation on maintaining security includes password requirements, directly mitigating weak password policies. |
CWE-1392 | Use of Default Credentials | 104 | Documentation of known configuration vulnerabilities and secure setup practices reduces reliance on default credentials. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | ||||