Computer Security Resource Center


Risk Management

SCOR Submission Process

The following process is to be followed by organizations when submitting overlays for inclusion in the SCOR:

  1. Organizations sanitize their security control overlay for public review and ensure overlay is based on NIST SP 800-53 security controls.
  2. Organizations complete and submit the following documents to overlays@list.nist.gov:
  3. NIST reviews the overlay for consistency with NIST standards and guidelines. NIST will evaluate the overlay using the below overlay technical criteria to ensure that it provides the appropriate level of protection commensurate with risk. NIST may request additional information about the security control overlay.
  4. Pending acceptance from NIST, the security control overlay will be posted to the NIST SCOR website.
  5. Organizations will be notified by e-mail of the NIST overlay review results and when the security control overlay is posted. 
  6. Organizations are responsible for notifying NIST if there are any updates to the submitted security control overlay and NIST SCOR Participation Agreement. A security control overlay that is not updated within one year of a new SP 800-53 version being published will be removed and/or archived.

Submitting organizations need to include the following characteristics in their overlay submission. NIST will review these overlay characteristics as criteria to determine overlay applicability:

  1. Identification: Identify the overlay by providing: (i) a unique name for the overlay; (ii) a version number and date; (iii) the version of NIST Special Publication 800-53 used to create the overlay; (iv) author or authoring group and point of contact; (v) how long the overlay is to be in effect and any events that may trigger an update to the overlay.
  2. Overlay Characteristics: Describe the characteristics that define the intended use of the overlay in order to help potential users select the most appropriate overlay for their missions/business functions. This may include a description of: (i) the environment in which the system will be used; (ii) the type of information that will be processed, stored, or transmitted; (iii) the functionality within the system or the type of system; and (iv) other characteristics related to the overlay that help protect organizational missions/business functions, systems, or information from a specific set of threats.
  3. Applicability: Provide criteria to assist potential users of the overlay in determining whether or not the overlay applies to a particular system or environment of operation. Typical formats include, for example, a list of questions based on the description of the characteristics of the system and associated applications.
  4. Overlay Summary: Provide a brief summary of the significant characteristics of the overlay. This summary may include, for example: (i) the security controls and control enhancements that are affected by the overlay; (ii) an indication of which controls/enhancements are selected or not selected based on the characteristics and assumptions in the overlay, the tailoring guidance, or any organization-specific guidance; and (iii) references to applicable laws, Executive Orders, directives, instructions, regulations, policies, or standards.
  5. Detailed Overlay Control Specifications: Provide: (i) justification for selecting or not selecting a specific security control/control enhancement; (ii) modifications to the supplemental guidance or the addition of new supplemental guidance for the security controls and control enhancements to address the characteristics of the overlay and the environments in which the overlay is intended to operate; (iii) specific statutory and/or regulatory requirements (above and beyond FISMA) that are met by a security control or control enhancement; (iv) recommendations for compensating controls, as appropriate; and (v) guidance that extends the basic capability of the control/enhancement by specifying additional functionality, altering the strength of mechanism, or adding or limiting implementation options.
  6. Tailoring Considerations: Provide information on the tailoring process when determining the set of security controls applicable to the specific information system. This is especially important for overlays that are used in an environment of operation different from the one assumed by the security control baselines.
  7. Definitions: Provide any terms and associated definitions that are unique and relevant to the overlay. List terms and definitions in alphabetical order. If there are no unique terms or definitions for the overlay, state this in this section.
  8. Additional Information or Instructions: Provide any additional information or instructions relevant to the overlay not covered in the previous sections.


Disclaimer Statement

The National Institute of Standards and Technology (NIST) has established the Security Overlay Repository as a public service. Security control overlays are made available by NIST on an "AS IS" basis with NO WARRANTIES. Some submitted overlays may be available for free while others may be made available for a fee. It is the responsibility of the User to comply with the Terms of Use of any given overlay. Overlay users are solely responsible for determining the appropriateness of using and distributing the security control overlays. User assumes all risks associated with their use, including but not limited to compliance with applicable laws; damage to or loss of data, programs or equipment; and the unavailability or interruption of operation. NIST MAKES NO WARRANTY OF ANY KIND, EXPRESS, IMPLIED OR STATUTORY, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT AND DATA ACCURACY.

Created November 30, 2016, Updated September 25, 2019