Praetorian Secure


DIACAP IA Controls


An IA Control describes an objective IA condition achieved through the application of specific safeguards or through the regulation of specific activities. The objective condition is testable, compliance is measurable, and the activities required to achieve the IA Control are assignable and thus accountable. DoDI 8500.2, Enclosure 3, establishes fundamental IA requirements for DoD Information Systems in the form of two sets of graded baseline IA Controls.

 

The baseline sets of IA Controls are pre-defined based on the determination of the Mission Assurance Category ("MAC") and Confidentiality Levels. IA Controls addressing availability and integrity requirements are tied to the system's MAC based on the importance of the information to the mission, particularly the war fighters' combat mission. IA Controls addressing confidentiality requirements are based on the sensitivity or classification of the information. The set of IA Controls applicable to any given DoD information system is always a combination of the IA Controls for its Mission Assurance Category and the IA Controls for its Confidentiality Level.

These baseline IA levels are achieved by applying the specified set of IA Controls in a comprehensive IA program that includes acquisition, proper security engineering, connection management, and IA administration.

Below is a chart of the number of controls by DoDI 8500.2 IA Control subject area. The number of controls required for accreditation under DIACAP will vary by the Mission Assurance Category and Classification of the system being certified. For the most part, systems with a higher MAC/CL will be required to meet a greater number of controls due to higher availability and integrity thresholds.

DoDI 8500.2 IA Control Matrix:

| Abbreviation | Subject Area | Number of Controls in Subject Area |
|---|---|---|
| DC | Security Design & Configuration | 31 |
| IA | Identification and Authentication | 9 |
| EC | Enclave and Computing Environment | 48 |
| EB | Enclave Boundary Defense | 8 |
| PE | Physical and Environmental | 27 |
| PR | Personnel | 7 |
| CO | Continuity | 24 |
| VI | Vulnerability and Incident Management | 3 |
| Total | 8500.2 IA Controls | 157 |

DoDI 8500.2 IA Control Breakdown:

Control Subject Area: One of eight groups indicating the major subject or focus area to which an individual IA Control is assigned.

Control Name: A brief title phrase that describes the individual IA Control.

Control Text: One or more sentences that describe the IA condition or state that the IA Control is intended to achieve.

Control Number: A unique identifier composed of four letters, a dash, and a number. The first two letters are an abbreviation for the subject area name and the second two letters are an abbreviation for the individual IA Control Name.