Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Projects NIST Risk Management Framework SP 800-53 Controls Control Overlay Repository

NIST Risk Management Framework RMF

NIST-developed Overlay Submissions

The NIST-developed category consists of overlay submissions published as part of NIST special publications. 

Select from overlays listed below for more information and to access the overlay.

Overlay Title Submitted by Overlay Description/Applicability
Operational Technology (OT) NIST The OT overlay is a partial tailoring of the controls and security baselines in SP 800-53, Revision 5, for Low, Moderate, and High-Impact (per FIPS 199) OT systems, with supplementary guidance specific to OT. Refer to SP 800-82r3, Appendix F, for the OT Overlay
Email Messaging Systems NIST Overlay for email messaging systems using the SP 800-53, Revision 4 controls. Email system is taken to mean any system (as defined by FIPS 199), that is said to generate, send, or store email messages for an enterprise. Refer to Appendix C for the Email Messaging Systems Overlay.
Cybersecurity Supply Chain Risk Management NIST Identification and augmentation of cybersecurity supply chain risk management (C-SCRM)-related controls in SP 800-53, Revision 5. Refer to SP 800-161r1, Appendix A, for the C-SCRM Controls. 
Controlled Unclassified Information (CUI) NIST Supplement to SP 800-171, Revision 3, identifying controls for protecting the confidentiality of Controlled Unclassified Information (CUI) based on SP 800-53, Revision 5, and SP 800-53B. The CUI overlay (.xlsx) is provided in the Supplemental Materials section of the SP 800-171 publication details page.
Control Overlays for Securing AI Systems  NIST The control overlays are an implementation-focused series of guidelines that address use cases involving different types of AI systems and specific AI system components (e.g., training and test data, model weights and configuration settings). Refer to the project page for additional information.

Return to Control Overlay Repository Overview

 

Disclaimer Statement
The National Institute of Standards and Technology (NIST) has established the Security Overlay Repository as a public service. Security control overlays are made available by NIST on an “AS IS” basis with NO WARRANTIES   Some submitted overlays may be available for free while others may be made available for a fee.  It is the responsibility of the User to comply with the Terms of Use of any given overlay. Overlay users are solely responsible for determining the appropriateness of using and distributing the security control overlays.  User assumes all risks associated with their use, including but not limited to compliance with applicable laws; damage to or loss of data, programs or equipment; and the unavailability or interruption of operation. NIST MAKES NO WARRANTY OF ANY KIND, EXPRESS, IMPLIED OR STATUTORY, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT AND DATA ACCURACY

 

Contacts

NIST Risk Management Framework Team
[email protected]

Created November 30, 2016, Updated February 10, 2026