Which types of controls are typically covered by RMF control families?

RMF control families are designed to address risk across people, processes, and technology, as well as the physical environment. They include administrative controls (policies, procedures, governance, training), technical controls (system safeguards like access control, configuration management, auditing, and identification/authentication), and physical controls (facility security and protection of hardware). The examples shown—AC, CM, CP, AU, IA—span control areas that cover both policy/operational aspects and technical safeguards, illustrating that RMF controls are not limited to one type. A holistic mix of administrative, technical, and physical controls is necessary to effectively manage risk, so the best answer is the one that includes all three categories.