Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Projects NIST Risk Management Framework SP 800-53 Controls Control Overlay Repository

NIST Risk Management Framework RMF

SCOR Submission Process

Overlay Submission Documents 

All documents must be complete and submitted to sec-cert@nist.gov for inclusion in the SCOR. 

Download All Files

Download all files below as .ZIP or select individual files from list

Submission Form

Participation Agreement (Public Org) and Participation Agreement (Federal Gov)

Overlay Technical Criteria 
(Not a download; references section below)

 

Overview of the SCOR Submission Process

  1. Organizations sanitize their security control overlay for public review and ensure overlay is based on NIST SP 800-53 security controls.
  2. Organizations complete and submits the following documents to sec-cert@nist.gov:
  3. NIST reviews the overlay for consistency with NIST standards and guidelines. NIST will evaluate the overlay using the overlay technical criteria to ensure that it provides the appropriate level of protection commensurate with risk. NIST may request additional information about the control overlay.
  4. Organizations will be notified by e-mail of the NIST overlay review results and when the control overlay is posted. 
  5. If the overlay is accepted, the control overlay will be posted to the NIST SCOR website.

Organizations are responsible for notifying NIST if there are any updates to the submitted control overlay and NIST SCOR Participation Agreement.  Control overlays will be updated within one year of a new SP 800-53 revision (final publication), or will be removed and/or archived.

Overlays include the following sections and technical content: 

  1. Identification: Identify the overlay by providing: (i) a unique name for the overlay; (ii) a version number and date; (iii) the version of NIST Special Publication 800-53 used to create the overlay; (iv) author or authoring group and point of contact; (v) how long the overlay is to be in effect and any events that may trigger an update to the overlay.
  2. Overlay Characteristics: Describe the characteristics that define the intended use of the overlay in order to help potential users select the most appropriate overlay for their missions/business functions. This may include a description of: (i) the environment in which the system will be used; (ii) the type of information that will be processed, stored, or transmitted; (iii) the functionality within the system or the type of system; and (iv) other characteristics related to the overlay that help protect organizational missions/business functions, systems, or information from a specific set of threats.
  3. Applicability: Provide criteria to assist potential users of the overlay in determining whether or not the overlay applies to a particular system or environment of operation. Typical formats include, for example, a list of questions based on the description of the characteristics of the system and associated applications.
  4. Overlay Summary: Provide a brief summary of the significant characteristics of the overlay. This summary may include, for example: (i) the security controls and control enhancements that are affected by the overlay; (ii) an indication of which controls/enhancements are selected or not selected based on the characteristics and assumptions in the overlay, the tailoring guidance, or any organization-specific guidance; and (iii) references to applicable laws, Executive Orders, directives, instructions, regulations, policies, or standards.
  5. Detailed Overlay Control Specifications: Provide: (i) justification for selecting or not selecting a specific security control/control enhancement; (ii) modifications to the supplemental guidance or the addition of new supplemental guidance for the security controls and control enhancements to address the characteristics of the overlay and the environments in which the overlay is intended to operate; (iii) specific statutory and/or regulatory requirements (above and beyond FISMA) that are met by a security control or control enhancement; (iv) recommendations for compensating controls, as appropriate; and (v) guidance that extends the basic capability of the control/enhancement by specifying additional functionality, altering the strength of mechanism, or adding or limiting implementation options.
  6. Tailoring Considerations: Provide information on the tailoring process when determining the set of security controls applicable to the specific information system. This is especially important for overlays that are used in an environment of operation different from the one assumed by the security control baselines.
  7. Definitions: Provide any terms and associated definitions that are unique and relevant to the overlay. List terms and definitions in alphabetical order. If there are no unique terms or definitions for the overlay, state this in this section.
  8. Additional Information or Instructions: Provide any additional information or instructions relevant to the overlay not covered in the previous sections.   

 

Return to Control Overlay Repository Overview

Disclaimer Statement
The National Institute of Standards and Technology (NIST) has established the Security Overlay Repository as a public service. Security control overlays are made available by NIST on an “AS IS” basis with NO WARRANTIES   Some submitted overlays may be available for free while others may be made available for a fee.  It is the responsibility of the User to comply with the Terms of Use of any given overlay. Overlay users are solely responsible for determining the appropriateness of using and distributing the security control overlays.  User assumes all risks associated with their use, including but not limited to compliance with applicable laws; damage to or loss of data, programs or equipment; and the unavailability or interruption of operation. NIST MAKES NO WARRANTY OF ANY KIND, EXPRESS, IMPLIED OR STATUTORY, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT AND DATA ACCURACY

Contacts

NIST Risk Management Framework Team
sec-cert@nist.gov

Created November 30, 2016, Updated April 10, 2024