An overlay is a fully-specified set of controls, control enhancements, and supplemental guidance derived from the application of tailoring guidance to control baselines. For more information about control overlays, see NIST Special Publication SP 800-53 Rev. 4, Section 3.3, Creating Overlays, and Appendix I, Overlay Template.
Overlays complement the SP 800-53 security control baseline by:
Providing the opportunity to add or eliminate controls;
Providing security control applicability and interpretations for specific information technologies, computing paradigms, environments of operation, types of information systems, types of missions/operations, operating modes, industry sectors, and statutory/regulatory requirements;
Overlays can be developed for each information technology area or for unique circumstances/environments, for example, cloud-based systems, industrial control systems, High Value Assets, or systems controlling safety, thus achieving standardized security capabilities, consistency of implementation, and cost-effective security solutions.
Overlays also provide an opportunity to build consensus across communities of interest and develop security plans for organizational information systems that have broad-based support for very specific circumstances, situations, and/or conditions.
Categories of overlays that may be useful include, for example:
Security and Privacy: risk management
Laws and Regulations: E-Government Act, Federal Information Security Modernization Act