This publication provides security and privacy control baselines for the Federal Government.
There are three security control baselines (one for each system impact level—low-impact,
moderate-impact, and high-impact), as well as a privacy baseline that is applied to systems
irrespective of impact level. In addition to the control baselines, this publication provides
tailoring guidance and a set of working assumptions that help guide and inform the control
selection process. Finally, this publication provides guidance on the development of overlays to
facilitate control baseline customization for specific communities of interest, technologies, and
environments of operation.