C&A analyst selects Recommended controls from NIST SP 800-53 base on the system categorization -Low, Moderate or High to develop the Security Control Baseline draft
C&A Analyst provides Draft of the Security Control Baseline to the ISSO and the System Owner for review
ISSO and System Owner identify common control, Hybrid control, System Specific Control and Control Not applicable
The above process is called Tailoring of Security control baseline
Final Security Control Baseline is created after system owner and ISSO review and tailor the security control baseline