The NIST Special Publication 800-53 defines all the categories that you verify for the FIPS 200 categories based on the risks as assess in the FIPS 199 document..
These are based on a document from the Federal Government that is probably designed to cover every aspect, such as GSA to FBI to CIA to FAA and so on. Therefore some of these that sound paranoid, draconian, and so on may make sense for a federal agency but not so much for us.
The 800-53 publication provides the following controls for each of the sections listed in the FIPS200 guide. These recommended controls are what we have used to help define standards and policies for the University.
Access Control AC-1 Access Control Policy and Procedures AC-2 Account Management AC-3 Access Enforcement AC-4 Information Flow Enforcement AC-5 Separation of Duties AC-6 Least Privilege AC-7 Unsuccessful Login Attempts AC-8 System Use Notification AC-9 Previous Logon (Access) Notification AC-10 Concurrent Session Control AC-11 Session Lock AC-12 Session Termination AC-13 Supervision and Review \x97 Access Control AC-14 Permitted Actions Without Identification Or Authentication AC-15 Automated Marking AC-16 Security Attributes AC-17 Remote Access AC-18 Wireless Access AC-19 Access Control For Mobile Devices AC-20 Use of External Information Systems AC-21 User-based Collaboration and Information Sharing AC-22 Publicly Accessible Content Awareness and Training AT-1 Security Awareness and Training Policy and Procedures AT-2 Security Awareness AT-3 Security Training AT-4 Security Training Records AT-5 Contacts With Security Groups and Associations Audit and Accountability AU-1 Audit and Accountability Policy and Procedures AU-2 Auditable Events AU-3 Content of Audit Records AU-4 Audit Storage Capacity AU-5 Response To Audit Processing Failures AU-6 Audit Review, Analysis, and Reporting AU-7 Audit Reduction and Report Generation AU-8 Time Stamps AU-9 Protection of Audit Information AU-10 Non-repudiation AU-11 Audit Record Retention AU-12 Audit Generation AU-13 Monitoring For Information Disclosure AU-14 Session Audit Security Assessment and Authorization CA-1 Security Assessment and Authorization Policies and Procedures CA-2 Security Assessments CA-3 Information System Connections CA-4 Security Certification CA-5 Plan of Action and Milestones CA-6 Security Authorization CA-7 Continuous Monitoring Configuration Management CM-1 Configuration Management Policy and Procedures CM-2 Baseline Configuration CM-3 Configuration Change Control CM-4 Security Impact Analysis CM-5 Access Restrictions For Change CM-6 Configuration Settings CM-7 Least Functionality CM-8 Information System Component Inventory CM-9 Configuration Management Plan Contingency Planning CP-1 Contingency Planning Policy and Procedures CP-2 Contingency Plan CP-3 Contingency Training CP-4 Contingency Plan Testing and Exercises CP-5 Contingency Plan Update CP-6 Alternate Storage Site CP-7 Alternate Processing Site CP-8 Telecommunications Services CP-9 Information System Backup CP-10 Information System Recovery and Reconstitution Identification and Authentication IA-1 Identification and Authentication Policy and Procedures IA-2 Identification and Authentication (Organizational Users) IA-3 Device Identification and Authentication IA-4 Identifier Management IA-5 Authenticator Management IA-6 Authenticator Feedback IA-7 Cryptographic Module Authentication IA-8 Identification and Authentication (Non-organizational Users) Incident Response IR-1 Incident Response Policy and Procedures IR-2 Incident Response Training IR-3 Incident Response Testing and Exercises IR-4 Incident Handling IR-5 Incident Monitoring IR-6 Incident Reporting IR-7 Incident Response Assistance IR-8 Incident Response Plan Maintenance MA-1 System Maintenance Policy and Procedures MA-2 Controlled Maintenance MA-3 Maintenance Tools MA-4 Non-local Maintenance MA-5 Maintenance Personnel MA-6 Timely Maintenance Media Protection MP-1 Media Protection Policy and Procedures MP-2 Media Access MP-3 Media Marking MP-4 Media Storage MP-5 Media Transport MP-6 Media Sanitization Physical and Environmental Protection PE-1 Physical and Environmental Protection Policy and Procedures PE-2 Physical Access Authorizations PE-3 Physical Access Control PE-4 Access Control For Transmission Medium PE-5 Access Control For Output Devices PE-6 Monitoring Physical Access PE-7 Visitor Control PE-8 Access Records PE-9 Power Equipment and Power Cabling PE-10 Emergency Shutoff PE-11 Emergency Power PE-12 Emergency Lighting PE-13 Fire Protection PE-14 Temperature and Humidity Controls PE-15 Water Damage Protection PE-16 Delivery and Removal PE-17 Alternate Work Site PE-18 Location of Information System Components PE-19 Information Leakage Planning PL-1 Security Planning Policy and Procedures PL-2 System Security Plan PL-3 System Security Plan Update PL-4 Rules of Behavior PL-5 Privacy Impact Assessment PL-6 Security-related Activity Planning Program Management PM-1 Information Security Program Plan PM-2 Senior Information Security Officer PM-3 Information Security Resources PM-4 Plan of Action and Milestones Process PM-5 Information System Inventory PM-6 Information Security Measures of Performance PM-7 Enterprise Architecture PM-8 Critical Infrastructure Plan PM-9 Risk Management Strategy PM-10 Security Authorization Process PM-11 Missionbusiness Process Definition Personnel Security PS-1 Personnel Security Policy and Procedures PS-2 Position Categorization PS-3 Personnel Screening PS-4 Personnel Termination PS-5 Personnel Transfer PS-6 Access Agreements PS-7 Third-party Personnel Security PS-8 Personnel Sanctions Risk Assessment RA-1 Risk Assessment Policy and Procedures RA-2 Security Categorization RA-3 Risk Assessment RA-4 Risk Assessment Update RA-5 Vulnerability Scanning System and Services Acquisition SA-1 System and Services Acquisition Policy and Procedures SA-2 Allocation of Resources SA-3 Life Cycle Support SA-4 Acquisitions SA-5 Information System Documentation SA-6 Software Usage Restrictions SA-7 User-installed Software SA-8 Security Engineering Principles SA-9 External Information System Services SA-10 Developer Configuration Management SA-11 Developer Security Testing SA-12 Supply Chain Protection SA-13 Trustworthiness SA-14 Critical Information System Components System and Communications Protection SC-1 System and Communications Protection Policy and Procedures SC-2 Application Partitioning SC-3 Security Function Isolation SC-4 Information in Shared Resources SC-5 Denial of Service Protection SC-6 Resource Priority SC-7 Boundary Protection SC-8 Transmission Integrity SC-9 Transmission Confidentiality SC-10 Network Disconnect SC-11 Trusted Path SC-12 Cryptographic Key Establishment and Management SC-13 Use of Cryptography SC-14 Public Access Protections SC-15 Collaborative Computing Devices SC-16 Transmission of Security Attributes SC-17 Public Key Infrastructure Certificates SC-18 Mobile Code SC-19 Voice Over Internet Protocol SC-20 Secure Name Address Resolution Service (Authoritative Source) SC-21 Secure Name Address Resolution Service (Recursive Or Caching Resolver) SC-22 Architecture and Provisioning For Name Address Resolution Service SC-23 Session Authenticity SC-24 Fail in Known State SC-25 Thin Nodes SC-26 Honeypots SC-27 Operating System-independent Applications SC-28 Protection of Information At Rest SC-29 Heterogeneity SC-30 Virtualization Techniques SC-31 Covert Channel Analysis SC-32 Information System Partitioning SC-33 Transmission Preparation Integrity SC-34 Non-modifiable Executable Programs System and Information Integrity SI-1 System and Information Integrity Policy and Procedures SI-2 Flaw Remediation SI-3 Malicious Code Protection SI-4 Information System Monitoring SI-5 Security Alerts, Advisories, and Directives SI-6 Security Functionality Verification SI-7 Software and Information Integrity SI-8 Spam Protection SI-9 Information Input Restrictions SI-10 Information Input Validation SI-11 Error Handling SI-12 Information Output Handling and Retention SI-13 Predictable Failure Prevention