This publication provides a catalog of security and privacy controls for federal information systems. The controls address a diverse set of security and privacy requirements across the federal government and critical infrastructure, derived from legislation, executive orders, policies, directives, regulations, standards, and/or mission/business needs.