More Security Control Selection Phase 2 Q2-2022

  • The first copy of the System Security Control Baseline prepared by the C&A Analyst is considered a draft until both the ISSO and the System Owner review it and agree with the controls selected by the C&A Analyst.
  • The process of finalizing the System Security Control Baseline is termed Tailoring of the Security Control Baseline. The end result is the Finalized System Security Control Baseline.
  • The System Owner and the ISSO review the System Security Control Baseline to identify controls that are Not Applicable (N/A), Common Control, System Specific or Hybrid.
  • Sample System Security Control Baseline
  • Not Applicable: a control that cannot be tested or implemented because it is irrelevant to that particular system. For example, a publicly accessible website would not require login credentials (username and password). Therefore IA-5 Authenticator Management and IA-6 Authenticator Feedback will not be implemented or tested.
  • Common Control/Inherited: a control that is provided by another system or department/business unit. For example, PS-1 Personnel Security Policy and Procedures is handled by HR and is not the responsibility of the System Owner in our Smart Portal test case.
  • Hybrid: control implementation is owned by two different system owners. For example, for AT-2 Security Awareness Training, HR prepares all IT security training material, and the System Owner ensures all of his/her staff undertake the IT training and, in addition, provides and keeps records showing that training has been completed by staff members.
  • System Specific: a control that is not hybrid but maintained by only one System Owner. For example, CM-2 Configuration Settings in our Smart Portal test case.