Computer Security Resource Center

Computer Security Resource Center

This is an archive
(replace .gov by .rip)
    Projects FISMA Implementation Project NIST Security Control Overlay Repository

FISMA Implementation Project FISMA

Overlay Overview

An overlay is a fully-specified set of controls, control enhancements, and supplemental guidance derived from the application of tailoring guidance to control baselines.  For more information about Control Overlays, NIST Special Publication NIST SP 800-53 Rev 4., Section 3.3 Creating Overlays, and Appendix I, Overlay Template.

Overlays complement the SP 800-53 security control baseline by:

  • Providing the opportunity to add or eliminate controls;

  • Providing security control applicability and interpretations for specific information technologies, computing paradigms, environments of operation, types of information systems, types of missions/operations, operating modes, industry sectors, and statutory/regulatory requirements;

  • Establishing community-wide parameter values for assignment and/or selection statements in security controls and control enhancements; and
  • Extending the supplemental guidance for security controls, where necessary. 

Overlays can be developed for each information technology area or for unique circumstances/environments, for example, cloud-based systems, industrial control systems, High Value Assets, or systems controlling safety-thus achieving standardized security capabilities, consistency of implementation, and cost-effective security solutions.

Overlays also provide an opportunity to build consensus across communities of interest and develop security plans for organizational information systems that have broad-based support for very specific circumstances, situations, and/or conditions.

Categories of overlays that may be useful include, for example:

  • Communities of interest, industry sectors, or coalitions/partnerships (e.g., systems engineers, software developers, mission/business owners, healthcare, financial, transportation, energy);
  • Information technologies/computing paradigms (e.g., cloud/mobile, PKI, Smart Grid);
  • Environments of operation (e.g., space, tactical, sea);
  • Types of information systems and operating modes (e.g., industrial/process control systems, weapons systems, single-user systems, standalone systems, IoT devices, sensors);
  • Types of missions/operations (e.g., counterterrorism, first responders, research, development, test, and evaluation); and
  • Statutory/regulatory requirements (e.g., Foreign Intelligence Surveillance Act, Health Insurance Portability and Accountability Act, Privacy Act, FISMA).

Return to Security Control Overlay Repository Main Page

Contacts

Ron Ross
ron.ross@nist.gov

Victoria Yan Pillitteri
victoria.yan@nist.gov

Kelley Dempsey
kelley.dempsey@nist.gov

Eduardo Takamura
eduardo.takamura@nist.gov

Jeff Brewer
jeffrey.brewer@nist.gov

Jody Jacobs
jody.jacobs@nist.gov

Ned Goren
nedim.goren@nist.gov

Topics

Security and Privacy: risk management

Laws and Regulations: E-Government Act, Federal Information Security Modernization Act

Created November 30, 2016, Updated December 03, 2020