Which activity best describes tailoring security controls in RMF Step 2?

Study for the RMF Steps, Tasks, and Outcomes Test. Get ready for your exam with flashcards, multiple choice questions, and in-depth explanations. Master each step and outcome with ease!

Multiple Choice

Which activity best describes tailoring security controls in RMF Step 2?

Explanation:
Tailoring security controls means starting from the standard control baseline and adjusting it to the system's risk posture and operating environment. The baseline itself (low, moderate, or high) follows from the security categorization performed in the Categorize step; tailoring, which belongs to the Select step (RMF Step 2), adapts that baseline before the control set is finalized. The tailoring activities defined in NIST SP 800-53B are: identifying and designating common controls that another entity provides, applying scoping considerations to drop controls that do not apply, selecting compensating controls where a baseline control cannot be implemented as written, assigning values to organization-defined parameters (for example, how often accounts are reviewed), and supplementing the baseline with additional controls or enhancements for risks the baseline does not cover. The goal is a control set that provides adequate protection without unnecessary burden. For example, a system that handles highly sensitive data in a cloud environment might add controls or enhancements that strengthen encryption and monitoring, designate physical and environmental controls as common controls inherited from the cloud provider, and scope out controls for technologies the system does not use, such as wireless access. Every tailoring decision, especially a removal, must be documented with its rationale in the system security plan and is subject to the authorizing official's approval; a control that is simply dropped without documented justification is a gap, not tailoring. The other answer choices (replacing all controls, rolling back changes after a risk assessment, or selecting only from the baseline without modification) do not describe tailoring, which customizes the control set rather than replacing it wholesale or applying it rigidly.
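To make the tailoring activities above concrete, here is an added example in Python; it is not code from Passetra or NIST. It applies a list of tailoring decisions (scoping removal, common-control inheritance, supplementing, parameter assignment) to a starting baseline and refuses any decision that lacks a rationale or leaves an organization-defined parameter unassigned. Control IDs and titles follow NIST SP 800-53 Rev. 5, but the catalog subset, the baseline, the "cloud-hosted system with no wireless" scenario, the decisions and their rationales are all constructed for illustration, and the data structures are a deliberately simplified stand-in for an OSCAL profile, not the OSCAL schema.

```python
"""Minimal tailoring engine for the RMF Select step (SP 800-37 Step 2).

Added example for this study page; not Passetra's or NIST's code.
The catalog and baseline below are a small constructed subset: IDs and
titles follow NIST SP 800-53 Rev. 5, everything else is hypothetical.
"""
from dataclasses import dataclass, field, replace
from typing import Optional


@dataclass
class Control:
    id: str
    title: str
    # Organization-defined parameters (ODPs) the catalog leaves to the
    # organization; None means "not yet assigned".
    params: dict = field(default_factory=dict)


@dataclass
class Decision:
    action: str            # "remove" | "inherit" | "add" | "set_param"
    control_id: str
    rationale: str         # every tailoring decision is justified in the SSP
    param: Optional[str] = None
    value: Optional[str] = None


# Constructed catalog subset (hypothetical for this example).
CATALOG = {
    "AC-2": Control("AC-2", "Account Management", {"review_frequency": None}),
    "AC-17": Control("AC-17", "Remote Access"),
    "AC-18": Control("AC-18", "Wireless Access"),
    "AU-6": Control("AU-6", "Audit Record Review, Analysis, and Reporting",
                    {"review_frequency": None}),
    "AU-6(3)": Control("AU-6(3)", "Correlate Audit Record Repositories"),
    "PE-3": Control("PE-3", "Physical Access Control"),
    "SC-8": Control("SC-8", "Transmission Confidentiality and Integrity"),
    "SC-13": Control("SC-13", "Cryptographic Protection"),
}

# Constructed starting baseline (a subset chosen for illustration).
BASELINE = ["AC-2", "AC-17", "AC-18", "AU-6", "PE-3", "SC-8", "SC-13"]


def tailor(baseline, decisions, catalog=CATALOG):
    """Apply tailoring decisions to a baseline.

    Returns (selected, inherited, record): controls the system implements
    itself, common controls provided by another entity (e.g. the cloud
    provider), and the rationale record to carry into the system security
    plan. Raises ValueError for an undocumented or inconsistent decision.
    """
    selected = {cid: catalog[cid] for cid in baseline}
    inherited = {}
    record = []
    for d in decisions:
        if not d.rationale.strip():
            raise ValueError(f"{d.action} {d.control_id}: needs a documented rationale")
        if d.action in ("remove", "inherit"):
            if d.control_id not in selected:
                raise ValueError(f"{d.action} {d.control_id}: not in current selection")
            ctl = selected.pop(d.control_id)
            if d.action == "inherit":          # still required, just provided elsewhere
                inherited[d.control_id] = ctl
        elif d.action == "add":
            if d.control_id not in catalog:
                raise ValueError(f"add {d.control_id}: unknown control")
            selected[d.control_id] = catalog[d.control_id]
        elif d.action == "set_param":
            ctl = selected[d.control_id]
            if d.param not in ctl.params:
                raise ValueError(f"set_param {d.control_id}: no parameter {d.param!r}")
            selected[d.control_id] = replace(ctl, params={**ctl.params, d.param: d.value})
        else:
            raise ValueError(f"unknown tailoring action {d.action!r}")
        record.append((d.action, d.control_id, d.rationale))

    # A tailored baseline is not finished while any ODP is still unassigned.
    unresolved = [f"{c.id}:{p}" for c in selected.values()
                  for p, v in c.params.items() if v is None]
    if unresolved:
        raise ValueError("unassigned parameters: " + ", ".join(unresolved))
    return selected, inherited, record


# Constructed decisions for a hypothetical cloud-hosted system with no wireless.
DECISIONS = [
    Decision("remove", "AC-18", "Scoping: the system has no wireless components."),
    Decision("inherit", "PE-3", "Common control provided by the cloud provider's data centers."),
    Decision("add", "AU-6(3)", "Supplement: sensitive data requires correlating logs across services."),
    Decision("set_param", "AC-2", "Organization policy.", param="review_frequency", value="quarterly"),
    Decision("set_param", "AU-6", "Organization policy.", param="review_frequency", value="weekly"),
]


def tailored_example():
    return tailor(BASELINE, DECISIONS)


if __name__ == "__main__":
    selected, inherited, record = tailored_example()
    print("implement:", sorted(selected))
    print("inherited:", sorted(inherited))
    for action, cid, why in record:
        print(f"  {action:9} {cid:8} {why}")
```

Compensating controls fit the same pattern as `add` with a rationale that names the control being compensated for; the point the code enforces is that nothing leaves the baseline silently and that the tailored set is only complete once every organization-defined parameter has a value.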

