What is the typical order of implementing security controls?

Multiple Choice

What is the typical order of implementing security controls?

Explanation:
In federal security practice, controls are treated in layers: common controls are built at the organizational level and can be inherited by many systems, providing a shared baseline of protection across the enterprise. Implementing these first establishes a consistent, enterprise-wide foundation before addressing system-specific needs. Next come the system-specific controls, which are tailored to the unique risk and environment of a particular information system, guided by NIST guidance such as 800-53 for the control catalog and 800-70 for security configurations. Finally, hybrid controls blend elements of both common and system-specific controls to address gaps that arise from the overlap or unique requirements of a system. This sequence—common controls first, then system-specific, then hybrid—avoids duplication, ensures a solid baseline, and then hones protections to the system’s specifics. Implementing all controls at once would be impractical, and starting with system-specific controls would miss the benefits of shared protections.