Can you provide guidance on designating controls as common, system-specific, and hybrid?
Arlington Security Portal
Proper control designation is critical, so it is important to clearly understand the differences between common, system-specific, and hybrid controls.
Common Controls: Security controls that are inheritable by one or more organizational systems and are typically provided by the organization or the infrastructure.
Per NIST, “Many of the security controls needed to protect organizational information systems (e.g., contingency planning controls, incident response controls, security training and awareness controls, personnel security controls, physical and environmental protection controls, and intrusion detection controls) are excellent candidates for common control status. Information security program management controls may also be deemed common controls….”[1]
System-Specific Controls: Security controls that are specific to a single system (that is, implemented at the system level and not inherited by any other system) and that are the direct responsibility of the ISSO/ISSM. An example of a system-specific control would be the passwords used for accessing the actual system.
Hybrid Controls: A security or privacy control that is implemented for an information system in part as a common control and in part as a system-specific control.
An example of a hybrid control would be the Security Awareness Training control (AT-2), for which general, organization-wide security awareness training is provided as a common capability, while focused security awareness training is also provided for the specific information system.
Additionally, when developing your continuous monitoring (ConMon) program, it is important to assign each control number the applicable security control designation: system-specific, hybrid, or common.
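As an added illustration (not part of the original FAQ or any Arlington tool), the rule above can be applied mechanically when building a ConMon inventory: record which level implements each part of a control, derive the designation from that, and flag any record whose declared designation disagrees. The control IDs other than AT-2 and the part descriptions are constructed placeholders.

```python
"""Derive and validate RMF control designations for a ConMon control inventory.

Each record lists who implements each part of the control: 'organization'
parts are provided as a common capability, 'system' parts are implemented by
the system itself. The designation rule follows the FAQ's definitions:
only organization parts -> common; only system parts -> system-specific;
both -> hybrid.
"""
from dataclasses import dataclass, field

COMMON, SYSTEM_SPECIFIC, HYBRID = "common", "system-specific", "hybrid"


@dataclass
class ControlRecord:
    control_id: str
    declared: str                                # designation recorded in ConMon
    parts: dict = field(default_factory=dict)    # part name -> 'organization' | 'system'


def derive_designation(parts: dict) -> str:
    """Infer the designation from which level implements each part of the control."""
    levels = set(parts.values())
    if not levels or not levels <= {"organization", "system"}:
        raise ValueError(f"unknown implementation level(s): {levels}")
    if levels == {"organization"}:
        return COMMON
    if levels == {"system"}:
        return SYSTEM_SPECIFIC
    return HYBRID


def check_inventory(records: list) -> list:
    """Return (control_id, declared, expected) for each record whose designation is wrong."""
    findings = []
    for rec in records:
        expected = derive_designation(rec.parts)
        if rec.declared != expected:
            findings.append((rec.control_id, rec.declared, expected))
    return findings


# Constructed sample inventory: AT-2 is the FAQ's hybrid example; the
# PLACEHOLDER IDs are not real control numbers.
SAMPLE = [
    ControlRecord("AT-2", HYBRID, {"organization-wide awareness training": "organization",
                                   "system-focused awareness training": "system"}),
    ControlRecord("PLACEHOLDER-1", COMMON, {"facility access control": "organization"}),
    ControlRecord("PLACEHOLDER-2", COMMON, {"system access passwords": "system"}),  # mislabelled
]

if __name__ == "__main__":
    for control_id, declared, expected in check_inventory(SAMPLE):
        print(f"{control_id}: declared {declared}, should be {expected}")
```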
From Beginning to End, Complete Project Management for NIST RMF A&A within eMASS
With Arlington, we can manage your entire NIST RMF A&A process within eMASS from beginning to end (i.e., from the initial NIST RMF eMASS scoping & gap assessment to post-Authorization to Operate (ATO) activities), providing essential services for getting you to the finish line in terms of your ATO. Core services and solutions offered include the following:
- Scoping & Gap (i.e., Readiness) Assessments
- Remediation Services (Policy and Procedures writing)
- Remediation Services (Technical and Operational)
- System Security Plan (SSP) Development
- Completion of eMASS Export Control Spreadsheets
- Continuous Monitoring (ConMon) Service
[1] https://csrc.nist.gov/csrc/media/projects/risk-management/documents/select/faq-select-step2.pdf