An overlay is a fully-specified set of controls, control enhancements, and supplemental guidance derived from the application of tailoring guidance to control baselines. For more information about Control Overlays, NIST Special Publication NIST SP 800-53 Rev 4., Section 3.3 Creating Overlays, and Appendix I, Overlay Template.
Overlays complement the SP 800-53 security control baseline by:
Providing the opportunity to add or eliminate controls;
Providing security control applicability and interpretations for specific information technologies, computing paradigms, environments of operation, types of information systems, types of missions/operations, operating modes, industry sectors, and statutory/regulatory requirements;
- Establishing community-wide parameter values for assignment and/or selection statements in security controls and control enhancements; and
- Extending the supplemental guidance for security controls, where necessary.
Overlays can be developed for each information technology area or for unique circumstances/environments, for example, cloud-based systems, industrial control systems, High Value Assets, or systems controlling safety-thus achieving standardized security capabilities, consistency of implementation, and cost-effective security solutions.
Overlays also provide an opportunity to build consensus across communities of interest and develop security plans for organizational information systems that have broad-based support for very specific circumstances, situations, and/or conditions.
Categories of overlays that may be useful include, for example:
- Communities of interest, industry sectors, or coalitions/partnerships (e.g., systems engineers, software developers, mission/business owners, healthcare, financial, transportation, energy);
- Information technologies/computing paradigms (e.g., cloud/mobile, PKI, Smart Grid);
- Environments of operation (e.g., space, tactical, sea);
- Types of information systems and operating modes (e.g., industrial/process control systems, weapons systems, single-user systems, standalone systems, IoT devices, sensors);
- Types of missions/operations (e.g., counterterrorism, first responders, research, development, test, and evaluation); and
- Statutory/regulatory requirements (e.g., Foreign Intelligence Surveillance Act, Health Insurance Portability and Accountability Act, Privacy Act, FISMA).
Return to Security Control Overlay Repository Main Page