Controls
Controls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and reflecting the protection needs of organizational stakeholders.
Controls are selected and implemented by the organization to satisfy the system requirements. Controls can include technical, administrative, and physical aspects.
In some cases, the selection and implementation of a control may necessitate additional specification by the organization in the form of derived requirements or instantiated control parameter values.
The security and privacy requirements identified by the organization determine which controls are needed to mitigate the associated risks; controls are then selected and implemented to satisfy those requirements. This process extends beyond system development: it encompasses organizational practices, ensuring that security and privacy considerations are integrated at every level of the organization's life cycle.
(Sources: NIST SP 800-37, NIST SP 800-39)