
ABCI Consultants

Guidance for NIST 800-171 Assessment & Compliance

Assessors note which security or privacy controls (or parts of such controls) in security plans or privacy plans are designated as common controls.[32] Since assessing common controls is the responsibility of the organizational entity that developed and implemented them (i.e., the common control provider), the assessment procedures in Appendices F and J used to assess these controls incorporate the assessment results from that entity. Common controls may have been assessed previously as part of the organization's information security program or privacy program, or as part of an information system that provides common controls inherited by other organizational systems. There may also be separate plans to assess common controls. In either situation, information system owners coordinate the assessment of common controls with the appropriate organizational officials (e.g., chief information officer, senior information security officer, senior agency official for privacy/chief privacy officer, mission/information owners, authorizing officials), either obtaining the results of common control assessments or, if the common controls have not been assessed or are due to be reassessed, making the necessary arrangements to include or reference the common control assessment results in the current assessment.[33]

Another consideration in assessing common controls is that a common control occasionally has system-specific aspects that are not covered by the organizational entities responsible for its common aspects. Such controls are referred to as hybrid controls. For example, CP-2, the contingency planning security control, may be considered a hybrid control by the organization if the organization has developed a contingency plan for all organizational information systems. Building on that organization-wide contingency plan, information system owners are expected to adjust or tailor it as necessary when specific aspects of the plan need to be defined for the particular system where the control is employed. For each hybrid control, assessors include in the security assessment plan or privacy assessment plan the portions of the assessment procedures from Appendices F or J that relate to the system-specific parts of the control, to ensure that, together with the results from common control assessments, all aspects of the control are assessed.

Hosted by ABCI Consultants for Information Security Management Systems | Implementations, Training and Assessments for Compliance | (800) 644-2056