Top Ten—Documentation Recommendations

By Lon J. Berman, CISSP  BAI Information Security

Supporting documentation (aka. artifacts) is key to providing evidence of compliance with security controls. Previously in this Newsletter we have spent some time describing the three fundamental classes of RMF documentation, to wit:

  • Policy. Policy documents describe what the organization does to provide for confidentiality, integrity and availability of systems information. In short, a policy document says “This is what we do.”
  • Procedure (SOP). Procedure documents describe how the various security features are implemented, in other words, “This is how we do it.”
  • Assurance. Assurance documents provide evidence that the SOPs are actually being carried out; in other words, “See? We’re actually doing it!”

With that background, here is our Top Ten list of documentation recommendations.

10. Where feasible, make use of a document management system with version control, check-in/out, etc.

9. Do not write SOPs “in a vacuum.” Be sure to engage with the people who actually carry out the procedures being documented.

8. Re-use existing documentation to the greatest extent possible. There’s no need to write a brand new Incident Response Plan “from scratch” if you’ve already got one; just make the necessary additions to ensure all the RMF controls are covered.

7. Do not be concerned with how many documents you create. So long as the numerous controls/CCIs are covered, it does not matter if you have one document or 100!

6. Obtain management signatures where appropriate. Policy documents should always be signed by organizational management. Key procedural documents (such as Contingency and Incident Response Plans) should likewise be signed as evidence of “management buy-in.”

5. Make sure all documentation is carefully reviewed and proofread. Errors in spelling and grammar will reflect poorly on the system owner. No need giving this sort of “negative vibe” to the independent assessors.

4. Make sure only the “latest and greatest” version of each document is provided to the assessor.

3. Include a “Change Log” with each policy and procedure document. This makes it easy to document ongoing document reviews and updates, which should be a key part of your continuous monitoring activities.

2. Make sure documents are properly assessed for information sensitivity (consult the organization’s Classification Guide as necessary). Unclassified documents should have appropriate information sensitivity marking (e.g., FOR OFFICIAL USE ONLY) on the cover and on each page’s top or bottom margin. For classified documents, be sure to follow marking requirements per DoD Instruction 5200.01.

1. Make sure document content is clearly traceable to the controls/CCIs being covered. This can be done with an index or table within each document or references loaded into eMASS or other support tool. One way or the other, the assessor needs to be able to clearly locate each CCI in a policy, a procedure, and, where applicable, an assurance document.

IT Dojo offers a comprehensive course on the transition from DIACAP to RMF.  Please take a look at our RMF training courses here.