
NIST Risk Management Framework RMF

NIST-developed Overlay Submissions

The government-wide category consists of overlay submissions from commercial, educational, or non-profit organizations. 

Select from overlays listed below for more information and to access the overlay.

Overlay Title | Submitted by | Overlay Description/Applicability
Industrial Control Systems (ICS) | NIST | The ICS overlay is a partial tailoring of the controls and control baselines in SP 800-53, Revision 4, for Low, Moderate and High-Impact (per FIPS 199) ICS, with supplementary guidance specific to ICS. Refer to Appendix G in SP 800-82 for the ICS Overlay.
Email Messaging Systems | NIST | Overlay for email messaging systems using the SP 800-53, Revision 4 controls. Email system is taken to mean any system (as defined by FIPS 199) that is said to generate, send, or store email messages for an enterprise. Refer to Appendix C for the Email Messaging Systems Overlay.
ICT Supply Chain Risk Management | NIST | Identification and augmentation of information and communications technology (ICT) supply chain risk management (SCRM)-related controls in SP 800-53, Revision 4. Refer to Chapter 3 for the ICT SCRM Controls.




Disclaimer Statement
The National Institute of Standards and Technology (NIST) has established the Security Overlay Repository as a public service. Security control overlays are made available by NIST on an “AS IS” basis with NO WARRANTIES. Some submitted overlays may be available for free while others may be made available for a fee. It is the responsibility of the User to comply with the Terms of Use of any given overlay. Overlay users are solely responsible for determining the appropriateness of using and distributing the security control overlays. User assumes all risks associated with their use, including but not limited to compliance with applicable laws; damage to or loss of data, programs or equipment; and the unavailability or interruption of operation. NIST MAKES NO WARRANTY OF ANY KIND, EXPRESS, IMPLIED OR STATUTORY, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT AND DATA ACCURACY.


Created November 30, 2016, Updated April 10, 2024