Configuration Controls can be very specific to specific Products, Types, Classes, or Categories of Assets. Often calling out CI or CS that only found in specific Products, Types, etc. These specific Configuration Controls are identifiable by term phrases in quotations:
9610: Configure the "require AES encryption" setting to organizational standards.
The example above is only tied to a single Asset, making this a very specific CI CC.
Generic ADs are not as specific as Configuration ADs. Typically, Generic AD authors call out Types, Classes, or Categories of Assets rather than specific products. For this reason, it is best to use more generic, higher level CI CCs, when possible.
Best Practices for Generic ADs
Use Control to UCF Element Mappings and Citation to Control Mappings to inform your decisions.
- Use CI CCs that apply to more than 1 Type or Class of Asset.
- CI CCs that apply to Categories are typically broad and therefore acceptable.
- Err on the side of being too broad
- Avoid CI CCs that are specific to Products, when there is an applicable broader CI CC.
- Avoid CI CCs that have little or no Citations mapped, when there is an applicable broader CI CC. *
*Note, CI Controls that are tied to only 1 product and have little or no Citations mapped to them, so not provide much aid in cross-referencing with other ADs. Because of this, if there is a higher level, broader CI CC that also matches,