Which reference provides fundamentals for selecting controls?

Multiple Choice

Which reference provides fundamentals for selecting controls?

Explanation:
Fundamentals for selecting controls are provided by NIST SP 800-53 Fundamentals. This document lays out the overarching approach to choosing security controls, including how to identify control families, establish baselines, and tailor controls to a system’s risk, mission, and environment within the Risk Management Framework. It gives the foundational guidance agencies use to decide which controls to implement and how to justify them in authorization packages.

The other references relate to parts of the process but not the broad fundamentals. SP 800-60 guides mapping information types to security categories and informs what levels of controls might be appropriate, rather than giving the core selection method. FIPS 199 defines the security categories themselves. CNSSI-1253 discusses categorization and control selection in a federal context, but focuses on aligning processes with existing standards rather than providing the primary fundamentals for control selection.