CAP Domain 3: Selection of Security Controls
RMF STEP 2 - SELECT SECURITY CONTROLS
The security control baseline is established by determining specific controls required to protect the system based on the security categorization of the system. The baseline is tailored and supplemented in accordance with an organizational assessment of risk and local parameters. The security control baseline, as well as the plan for monitoring it, is documented in the security plan.
Common controls are security controls that are inherited by one or more organizational information systems. The organization consults information system owners when identifying common controls to ensure that the security capability provided by the inherited controls is sufficient to deliver adequate protection. When the common controls provided by the organization are not sufficient for information systems inheriting the controls, the system owners supplement the common controls with system-specific or hybrid controls to achieve the required protection for the system and/or accept greater risk. Common control providers are responsible for:
(i) documenting common controls in a security plan (or equivalent document prescribed by the organization);
(ii) ensuring that common controls are developed, implemented, and assessed for effectiveness by qualified assessors with a level of independence required by the organization;
(iii) documenting assessment findings in a security assessment report;
(iv) producing a plan of action and milestones for all common controls deemed less than effective (i.e., having unacceptable weaknesses or deficiencies in the controls);
(v) receiving authorization for the common controls from the designated authorizing official; and
(vi) monitoring common control effectiveness on an ongoing basis.
The security controls are selected based on the security categorization of the information system. The security control selection process includes, as appropriate:
(i) choosing a set of baseline security controls;
(ii) tailoring the baseline security controls by applying scoping, parameterization, and compensating control guidance;
(iii) supplementing the tailored baseline security controls, if necessary, with additional controls and/or control enhancements to address unique organizational needs based on a risk assessment (either formal or informal) and local conditions including environment of operation, organization-specific security requirements, specific threat information, cost-benefit analyses, or special circumstances; and
(iv) specifying minimum assurance requirements, as appropriate.