NIST Risk Management Framework RMF
Security and Privacy Control Overlay Overview
What is a Control Overlay?
An overlay offers organizations additional customization options for control baselines and may be a fully specified set of controls, control enhancements, and other supporting information (e.g., parameter values) derived from the application of tailoring guidance to SP 800-53B control baselines, or derived independently of control baselines. Overlays also provide an opportunity to build consensus across communities of interest and develop a starting point of controls that have broad-based support for very specific circumstances, situations, and/or conditions.
NIST Special Publication SP 800-53B, Control Baselines for Information Systems and Organizations, Appendix C provides additional guidance on Overlays and Chapter 3 provides guidance on tailoring to help ensure that control implementations accurately reflect security and privacy requirements for each system, system component, and operational environment to which the overlay is applied.
Why Develop Control Overlays?
Overlays are developed to apply to multiple systems within a community of interest and provide:
- an opportunity for the community of interest to add, modify, or eliminate controls from a baseline
- control applicability and interpretations for specific technologies, environments of operation, types of systems, types of missions/operations, industry sectors, and statutory/regulatory requirements
- an opportunity to determine parameter values for assignment and selection operations in controls and control enhancements
Who Can Use Overlays?
Any stakeholder and community of interest. Categories of overlays that may be useful include, for example:
- Communities of interest, industry sectors, or coalitions/partnerships (e.g., systems engineers, software developers, mission/business owners, healthcare, financial, transportation, energy);
- Information technologies/computing paradigms (e.g., cloud/mobile, PKI, Smart Grid);
- Environments of operation (e.g., space, tactical, sea);
- Types of information systems and operating modes (e.g., industrial/process control systems, weapons systems, single-user systems, standalone systems, IoT devices, sensors);
- Types of missions/operations (e.g., counterterrorism, first responders, research, development, test, and evaluation); and
- Statutory/regulatory requirements (e.g., Foreign Intelligence Surveillance Act, Health Insurance Portability and Accountability Act, Privacy Act, FISMA).
Return to Control Overlay Repository Overview
Created November 30, 2016, Updated November 08, 2023