Now that we have finished classifying the system, the next step is to select the NIST-recommended security controls that apply to the system’s classification (High, Moderate or Low).
The selected set of security controls is termed the System Security Control Baseline. It is usually in the form of a spreadsheet.
The security controls (e.g., AC-2) prescribe specific security-related activities or actions to be carried out by organizations or by information systems.
The security control enhancements (e.g., AC-2 (7)) provide statements of security capability to: (i) add functionality/specificity to a control; and/or (ii) increase the strength of a control.