What is a security control implementation status and where is it tracked?

Study for the RMF Steps, Tasks, and Outcomes Test. Get ready for your exam with flashcards, multiple choice questions, and in-depth explanations. Master each step and outcome with ease!

Multiple Choice

What is a security control implementation status and where is it tracked?

Explanation:
A security control’s implementation status captures the current state of that control’s implementation; the question is where that status is maintained for visibility and governance. The most appropriate place is where you document and monitor controls as part of the authorization and risk management process: the System Security Plan (SSP) shows each control with its implementation status and responsible owner, the risk register records gaps and residual risk tied to those controls, and the RMF repository stores the control evidence, assessments, and authorization decisions. This combination provides a single, up-to-date view of what’s implemented, what’s pending, and what remains to be mitigated.

The other options don’t fit because a project plan is not the authoritative source for live control status, a security policy describes rules rather than the current implementation state, and user surveys don’t reliably measure technical implementations.

