Which statement best describes tailoring security controls in RMF?

Study for the RMF Steps, Tasks, and Outcomes Test. Get ready for your exam with flashcards, multiple choice questions, and in-depth explanations. Master each step and outcome with ease!

Multiple Choice

Which statement best describes tailoring security controls in RMF?

Explanation:
Tailoring security controls in RMF means taking the standard control baseline and adjusting it to fit the system’s specific risk and operating environment during the Select step. You start with the baseline levels (low, moderate, high) and, based on how the system processes information, its architecture, and any unique mission needs, you add or remove controls, or modify how they’re implemented. You may also document compensating controls when a control isn’t applied in the usual way but other safeguards achieve the same protection. This customization ensures the control set is proportional to risk and practical for the environment, rather than applying every control indiscriminately. The rationale and changes are captured in the system’s security plan and related RMF artifacts as you proceed through Step 2.

