What is the difference between common controls and system-specific controls in RMF?

Multiple Choice

Explanation:
In RMF, controls are distinguished by how broadly they apply and whether they can be shared across systems. Common controls are implemented at an organizational or program level and can be inherited by multiple information systems within that organization. This means one set of safeguards covers several systems, which reduces duplication because these controls are applied broadly and monitored centrally. System-specific controls, on the other hand, are tailored to a particular system or boundary and are not automatically inherited by other systems; they address the unique environment, architecture, and risk of that single system.

So the best way to think about it is: common controls provide shared protection across many systems, while system-specific controls are unique to a single system’s risk posture. The other statements don’t fit because common controls are not limited to security monitoring, they are not identical or interchangeable with system-specific controls, and system-specific controls are not inherited across multiple systems.
