When I get to step 4, I don't see how I enter policy and regulatory requirement as controls for the control objective.

In our test environment I have created a new control objective, default passwords and in the description I noted this relates to a framework, CSC , and a regulatory item under, PCIDSS.  This is what is entered.

-PCIDSS Vendor published defaults should not be used for system passwords and other security parameters
-CSC Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.

Since these are group under the control objective I don't see where in the underlining control I note the two items again.

Thank you.