The following table lists the eighteen control families and each control’s associated class: operational, managerial, or technical. The two-letter identifier for each family is also listed. All the families in this table are closely related to the seventeen minimum security requirements for federal information and information systems required by FISMA that are detailed in FIPS 200, with the exception of Program Management (PM). The PM family provides organizational-level security controls that are normally not implemented by information systems but rather by the overall organization.
|AT||Awareness and Training||Operational|
|AU||Audit and Accountability||Technical|
|CA||Security Assessment ...|