What type of controls are labeled as 'Common Control' in SP 800-53?

Prepare for the Information Systems and Controls (ISC) CPA Exam. Study with flashcards and multiple-choice questions, each with hints and explanations. Get ready to excel!

Common Controls, as defined in SP 800-53, refer to those security controls that are implemented at the organizational level rather than on a system-specific basis. This classification indicates that the controls provide a baseline of security measures that benefit multiple systems or the entire organization. By implementing these controls at the organizational level, rather than on a case-by-case basis for individual information systems, an organization can achieve a cohesive security posture and ensure that fundamental protections are consistent across its various systems.

This approach allows organizations to manage their security controls more efficiently, as the same controls can be applied to different systems that share similar risk factors. Additionally, it facilitates compliance by ensuring that all systems are held to the same security standards, which is essential for organizations that handle sensitive information and must adhere to regulatory requirements.

In contrast, controls designed specifically for systems would be tailored to the unique requirements or risks of a specific application or information system and would not generally be classified as common controls. Options focusing on external vendors or incident response pertain to specialized contexts and do not reflect the broad applicability that defines common controls.
