Cyber Resilience

NIST 800-53 r5 · Controls catalogue · Family SA

SA-5System Documentation

Obtain or develop administrator documentation for the system, system component, or system service that describes: Secure configuration, installation, and operation of the system, component, or service; Effective use and maintenance of security and privacy functions and mechanisms; and Known vulnerabilities regarding configuration and use of administrative or privileged functions; Obtain or develop user documentation for the system, system component, or system service that describes: User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms; Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and User responsibilities in maintaining the security of the system, component, or service and privacy of individuals; Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and take {{ insert: param, sa-05_odp.01 }} in response; and Distribute documentation to {{ insert: param, sa-05_odp.02 }}.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: partial · 4 mapping(s) from 1 framework(s): ASVS 5.0 4 (partial)

See the full cumulative-coverage rollup →

Implementations targeting this control (0)

ATT&CK techniques this control mitigates (0)

Weaknesses this control addresses (9)AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE Name CVEs Why this control addresses it
CWE-284Improper Access Control5,367Guidance on effective use of access control mechanisms and known configuration vulnerabilities makes improper access control harder to exploit.
CWE-306Missing Authentication for Critical Function2,820Secure configuration documentation explicitly addresses enabling authentication for critical functions, reducing missing authentication exposures.
CWE-798Use of Hard-coded Credentials2,013Known vulnerabilities section of admin docs covers hard-coded credentials and how to replace them, limiting their use in deployments.
CWE-732Incorrect Permission Assignment for Critical Resource1,874Documentation covering secure installation and permission settings reduces incorrect permission assignments on critical resources.
CWE-276Incorrect Default Permissions1,789Administrator documentation on secure configuration and default settings prevents incorrect default permissions from remaining in place.
CWE-1188Initialization of a Resource with an Insecure Default335Secure configuration and installation documentation prevents initialization of resources with insecure defaults.
CWE-250Execution with Unnecessary Privileges333Documentation on secure operation of privileged functions and known vulnerabilities directly reduces execution with unnecessary privileges.
CWE-521Weak Password Requirements308User documentation on maintaining security includes password requirements, directly mitigating weak password policies.
CWE-1392Use of Default Credentials104Documentation of known configuration vulnerabilities and secure setup practices reduces reliance on default credentials.

Top CVEs where this control is the strongest mitigation

CVE Risk CVSS EPSS Match
No CVEs annotated to this control yet — the per-CVE backfill is in progress.

Other controls in family SA

SA-1 SA-10 SA-11 SA-12 SA-13 SA-14 SA-15 SA-16 SA-17 SA-18 SA-19 SA-2 SA-20 SA-21 SA-22 SA-23 SA-24 SA-3 SA-4 SA-6 SA-7 SA-8 SA-9