The organization:
a. Establishes usage restrictions and implementation guidance for [Assignment: organization-defined information system components] based on the potential to cause damage to the information system if used maliciously; and
b. Authorizes, monitors, and controls the use of such components within the information system.
