Security controls that are not common controls are referred to as system-specific controls, and they are managed by the system owner to protect the individual system's confidentiality, integrity, and availability.
Security controls not designated as common controls are considered system-specific controls and are the responsibility of the information system owner. These controls are tailored to the specific needs of the system and protect its confidentiality, integrity, and availability. The purpose of system-specific controls is to address risks unique to the individual system, unlike common controls that apply to multiple information systems.
Common controls are usually operational within an organization and provide a foundation of security for multiple information systems, whereas system-specific controls are implemented for a particular system and managed by the system owner. These could include user access controls, data encryption, and system monitoring processes tailored to the individual system's requirements.
So, the system owner's responsibility is to implement and maintain the system-specific controls, ensuring that their information system is adequately protected against specific threats it faces.