The following table lists the eighteen control families, the two-letter identifier for each family, and each family’s associated class: operational, management, or technical. With the exception of Program Management (PM), all the families in this table are closely related to the seventeen minimum security requirements for federal information and information systems that FISMA requires and FIPS 200 details. The PM family provides organizational-level security controls that are normally implemented by the overall organization rather than by individual information systems.
| Id | Family | Class |
|----|--------|-------|
| AC | Access Control | Technical |
| AT | Awareness and Training | Operational |
| AU | Audit and Accountability | Technical |
| CA | Security Assessment and Authorization | Management |
| CM | Configuration Management | Operational |
| CP | Contingency Planning | Operational |
| IA | Identification and Authentication | Technical |
| IR | Incident Response | Operational |
| MA | Maintenance | Operational |
| MP | Media Protection | Operational |
| PE | Physical and Environmental Protection | Operational |
| PL | Planning | Management |
| PM | Program Management | Management |
| PS | Personnel Security | Operational |
| RA | Risk Assessment | Management |
| SA | System and Services Acquisition | Management |
| SC | System and Communications Protection | Technical |
| SI | System and Information Integrity | Operational |