Common security controls are assessed, implemented, and monitored at the organizational level or functional level, not the individual system level. Assessing, implementing, and monitoring controls for each individual system does not realize economies of scale benefits. Organizations can more efficiently leverage controls that benefit multiple systems by designating them as common controls and handling them at higher organizational or functional levels.