Which of the following is a Common Control Provider responsibility?

Multiple Choice

Explanation:
Common Controls are protections that are shared across many systems, provided by a dedicated function called the Common Control Provider. The provider’s role is to describe and maintain these controls so everyone knows what protections exist, how they’re implemented, and how to verify their effectiveness over time. That clear documentation is what enables systems to rely on the controls without duplicating effort for each system, and it supports authorization and ongoing monitoring.

Penetration testing is an assessment activity performed to verify security, not the ongoing duty of maintaining shared protections. Incident response management belongs to the team that detects and responds to incidents, not to the function that provides the shared controls. Creating data backups is an operational safeguard usually handled by system owners or IT operations, not the provider of common controls.
