U.S. Department of Health and Human Services
NIST SP 800-53 Rev. 3 is divided into 18 control families grouped into three classes – Management, Operational, and Technical.
Management Controls: Focus on the management of the computer security system and the management of risk for a system. They are techniques and concerns that are normally addressed by management, through policy and documentation.
Operational Controls: Address security issues related to mechanisms primarily implemented and executed by people (as opposed to systems). Often, they require technical or specialized expertise and rely upon management activities as well as technical controls.
Technical Controls: Technical controls are security controls that are configured within the system. Technical controls can provide automated protection against unauthorized access or misuse, facilitate detection of security violations, and support security requirements for applications and data.
Security Control Selection
Three Classes of Controls