Notes on how to read controls

The identifier numbers for controls (e.g., AC-3) and enhancements (e.g., SI-7 (9)) refer to the corresponding control templates given in NIST SP 800-53. Not all controls from NIST SP 800-53 are relevant to any given device class; those controls that do not apply to a given device class are not. This explains why control identifiers appear basically sequential but skip some identifiers (for example, for the Access Control control family for Device Class 1, only controls AC-3, AC-4, AC-6, A-7, AC-8, AC-11, AC-12, and AC-17 are included).

Organizational controls have been defined, but only noted if they are a direct reference from a device control, and not customized. Some device controls include organizational components. No 'approved mechanisms' are provided, with the exception of when those components are directly relevant to the device development phase of the system life cycle.

In some instances we distinguish between the Device and the Application. An application is specifically defined in this case to be a piece of software operating on the device to provide some C-ITS function. All other software on the device is "part of" the device.

The term Information System is synonymous with the 'Device.'

Additional contextual information for how controls were applied provides clarification related to access control, service identification and authentication.