What are Common Controls?
Common controls are security controls that can support multiple information systems efficiently and effectively as a common capability. They typically define the foundation of a system security plan. Common controls are the security controls that take the most work to identify when you develop your risk-based cybersecurity strategy and your system security plan using the Risk Management Framework (RMF).
Common controls can be any type of security control or protective measure used to protect the confidentiality, integrity, and availability of your information system. They are the security controls you inherit, as opposed to the security controls you select and build yourself. They come in many flavors, including management constraints, personnel security, and the security of physical structures (locks, fences, access control, ID badges, etc.). Technical security controls include the host of hardware, software, and firmware components designed to protect your digital assets and their availability. Things can get complicated quickly once you start to analyze your portfolio of common controls.
The Common Control Conundrum
Common controls are a conundrum for all system owners. Why? Because common controls are ever-present and, at the same time, very difficult to identify and bring into compliance. Many questions have to be answered:
- What are all of the common controls?
- Which controls are acceptable based on your threat profile?
- Which ones do you need to enhance to meet your security requirements?
- How many of the controls do the same things?
- What controls were you expecting as part of your IT system, only to find that they are not provided?
Specific Common Control Challenges
Anyone who has ever developed federated log-ins across a range of platforms has first-hand experience of the complexity of dealing with just the password, system access rules, and security controls that have to be integrated into a single security solution. Common controls can touch many more points of your information system than that.
Another challenge in managing your portfolio of common controls is that more than one control can address the same security risk. For example, multiple sets of application permissions may each grant users access to services, and different physical access safeguards may govern access to different components, each addressing physical access control risk in its own unique or slightly nuanced way. Analyzing common controls requires attention to the function and effectiveness of each control in light of your unique security posture.
When building your common control portfolio you need to understand who owns each common control. Common controls are part of the organization’s shared infrastructure whether you host your applications in the cloud, on-premises, or some combination. System owners need to understand who the common control provider is, how the provider manages risk related to those controls, and how the provider manages changes to those controls when new threats or vulnerabilities are found. The common control provider is responsible for:
- Documenting common controls in a security plan;
- Ensuring that common controls are developed, implemented, and assessed for effectiveness by qualified assessors with a level of independence required by the organization;
- Documenting assessment findings in a security assessment report;
- Producing a plan of action and milestones for all common controls deemed less than effective (i.e., having unacceptable weaknesses or deficiencies in the controls);
- Receiving authorization for the common controls from the designated authorizing official; and
- Monitoring common control effectiveness on an ongoing basis.
The common control provider needs to have the capability to rapidly broadcast changes in the status of common controls that adversely affect the protections being provided by and expected of the common controls. Your common control portfolio analysis needs to document these aspects of how the controls will be managed just as you need to document your system-specific security controls.
How To Address These Challenges
Build your portfolio of common controls first and determine the boundaries of the security they provide for your information system. Once the rules of engagement for these common controls are defined, you will be in a better position to understand the scope of the system-specific controls you’ll need to deploy, which common controls need to be tailored for your specific threat profile, and what tools you’ll need for continuous monitoring in your RMF-based cybersecurity strategy.
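The portfolio analysis this article recommends (inventory the controls, record who owns each inherited control, find controls that do the same thing, note what you expected the shared infrastructure to provide but do not get, and flag inherited controls that assessed as less than effective) is easier to see as a small model. The following Python is an added example, not part of the original article or of any NIST publication; the `Control` record and its check functions are this example's own design, and the control entries, providers, risk labels and assessment results in `SAMPLE_PORTFOLIO` are constructed sample data, not a real system's inventory.

```python
"""Added example: a minimal common control portfolio with the checks the
"Common Control Conundrum" questions call for. All inventory data below is
constructed for illustration."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, Optional

# RMF control origins: inherited wholly from a common control provider ("common"),
# shared between provider and system owner ("hybrid"), or built by the system owner.
INHERITED = {"common", "hybrid"}


@dataclass(frozen=True)
class Control:
    control_id: str          # SP 800-53 style identifier (sample values, constructed inventory)
    name: str
    origin: str              # "common", "hybrid" or "system-specific"
    provider: Optional[str]  # common control provider; None means ownership is unknown
    risks: frozenset[str]    # risks this control is intended to address
    effective: bool = True   # result of the most recent assessment


def inherited_controls(portfolio: Iterable[Control]) -> list[str]:
    """Controls the system inherits instead of building itself."""
    return sorted(c.control_id for c in portfolio if c.origin in INHERITED)


def overlapping_controls(portfolio: Iterable[Control]) -> dict[str, list[str]]:
    """Risks addressed by more than one control ('how many do the same things?')."""
    by_risk: dict[str, list[str]] = defaultdict(list)
    for c in portfolio:
        for risk in c.risks:
            by_risk[risk].append(c.control_id)
    return {risk: sorted(ids) for risk, ids in by_risk.items() if len(ids) > 1}


def unowned_common_controls(portfolio: Iterable[Control]) -> list[str]:
    """Inherited controls with no identified provider: nobody to broadcast status changes."""
    return sorted(c.control_id for c in portfolio
                  if c.origin in INHERITED and c.provider is None)


def missing_expected(portfolio: Iterable[Control], expected_ids: Iterable[str]) -> list[str]:
    """Controls the system owner expected from the shared infrastructure but that are absent."""
    present = {c.control_id for c in portfolio}
    return sorted(set(expected_ids) - present)


def poam_candidates(portfolio: Iterable[Control]) -> list[str]:
    """Inherited controls assessed as less than effective; each needs a POA&M entry."""
    return sorted(c.control_id for c in portfolio
                  if c.origin in INHERITED and not c.effective)


def portfolio_report(portfolio: Iterable[Control], expected_ids: Iterable[str]) -> dict:
    """Run every check once over a materialised list so iterables are not exhausted."""
    controls = list(portfolio)
    return {
        "inherited": inherited_controls(controls),
        "overlaps": overlapping_controls(controls),
        "unowned": unowned_common_controls(controls),
        "missing": missing_expected(controls, expected_ids),
        "poam": poam_candidates(controls),
    }


# Constructed sample inventory: two physical-access controls overlap, two audit
# controls overlap, AU-6 has no owner and failed assessment, CP-9 is expected but absent.
SAMPLE_PORTFOLIO = [
    Control("PE-2", "Physical Access Authorizations", "common", "Facilities",
            frozenset({"unauthorized-physical-access"})),
    Control("PE-3", "Physical Access Control", "common", "Facilities",
            frozenset({"unauthorized-physical-access"})),
    Control("IA-5", "Authenticator Management", "hybrid", "Identity Team",
            frozenset({"credential-compromise"})),
    Control("AC-2", "Account Management", "system-specific", "Application Team",
            frozenset({"unauthorized-logical-access"})),
    Control("AU-2", "Event Logging", "common", "Platform Team",
            frozenset({"undetected-misuse"})),
    Control("AU-6", "Audit Record Review", "common", None,
            frozenset({"undetected-misuse"}), effective=False),
]

# Controls the system owner assumed the shared infrastructure would provide (constructed).
EXPECTED_FROM_PROVIDER = {"PE-3", "IA-5", "AU-6", "CP-9"}


if __name__ == "__main__":
    for section, result in portfolio_report(SAMPLE_PORTFOLIO, EXPECTED_FROM_PROVIDER).items():
        print(f"{section}: {result}")
```

Running the script prints one line per check. The `overlaps` entry answers "how many of the controls do the same things?", `unowned` shows which inherited controls have no provider to document, assess and broadcast status changes for them, `missing` answers "what controls were you expecting, only to find they are not provided?", and `poam` lists the inherited controls that belong in a plan of action and milestones. In practice the inventory would be loaded from the system security plan rather than hard-coded, but the checks stay the same.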