U.S. Department of Health and Human Services
NIST SP 800-53 Rev.3 is divided into 18 control families, which are grouped into three classes:
Management Controls focus on the management of the information system and the management of risk for the system. They are techniques and concerns that are normally addressed by management.
Operational Controls address security methods focusing on mechanisms primarily implemented and executed by people (as opposed to systems). They are put in place to improve the security of a particular system (or group of systems). They often require technical or specialized expertise and many times rely upon management activities, as well as technical controls.
Technical Controls concentrate on security controls that the computer system executes. The controls can provide automated protection against unauthorized access or misuse, facilitate detection of security violations, and support security requirements for applications and data.
Development Phase Security
Security Control Class