Common Controls and Inheritance

  1. Common Controls Inheritance

By Kathryn M. Farrish, CISSP

Common Controls are security controls whose implementation results in a security capability that is inheritable  by multiple information systems (IS). For example, the information systems hosted in a data center will typically inherit numerous security controls from the hosting provider, such as:

  • Physical and environmental security controls
  • Network boundary defense security controls

Other inheritance scenarios include agency or departmental-level policies or procedures that can be leveraged by all IS within the organization, organizationside security monitoring capabilities, public key infrastructures (PKI), etc. Organizations implementing common controls are referred to as Common Control Providers.

The obvious benefit of common controls is to eliminate the need for redundant development and operation of security controls by multiple system owners. Additionally, common controls provide for uniformity that would just not be possible if each

In order for an IS to inherit a particular security control, the following should be true:

  • The control is implemented and managed outside the system boundary of the inheriting IS
  • The Common Control Provider has designated the particular control as inheritable
  • The Common Control Provider has an Authorization to Operate (ATO) or equivalent evidence that the control is in fact in place

It is possible for an IS to inherit just part of a control from a Common Control Provider, with the remainder of the control provided within the system boundary. This is referred to as a hybrid control.

Also, it is possible for an IS to inherit a control from two or more Common Control Providers. For example, an IS whose system boundary spans multiple sites (i.e., a primary site and an alternate processing site) will most likely inherit physical and environmental security controls from the data center providers at both sites.


IT Dojo offers a comprehensive course on the transition from DIACAP to RMF.  Please take a look at our RMF training courses here.