Submitting organizations need to include the following characteristics in their overlay submission. NIST will review these overlay characteristics as the criteria for determining overlay applicability:
- Identification: Identify the overlay by providing: (i) a unique name for the overlay; (ii) a version number and date; (iii) the version of NIST Special Publication 800-53 used to create the overlay; (iv) author or authoring group and point of contact; (v) how long the overlay is to be in effect and any events that may trigger an update to the overlay.
- Overlay Characteristics: Describe the characteristics that define the intended use of the overlay in order to help potential users select the most appropriate overlay for their missions/business functions. This may include a description of: (i) the environment in which the system will be used; (ii) the type of information that will be processed, stored, or transmitted; (iii) the functionality within the system or the type of system; and (iv) other characteristics related to the overlay that help protect organizational missions/business functions, systems, or information from a specific set of threats.
- Applicability: Provide criteria to assist potential users of the overlay in determining whether or not the overlay applies to a particular system or environment of operation. Typical formats include, for example, a list of questions based on the description of the characteristics of the system and associated applications.
- Overlay Summary: Provide a brief summary of the significant characteristics of the overlay. This summary may include, for example: (i) the security controls and control enhancements that are affected by the overlay; (ii) an indication of which controls/enhancements are selected or not selected based on the characteristics and assumptions in the overlay, the tailoring guidance, or any organization-specific guidance; and (iii) references to applicable laws, Executive Orders, directives, instructions, regulations, policies, or standards.
- Detailed Overlay Control Specifications: Provide: (i) justification for selecting or not selecting a specific security control/control enhancement; (ii) modifications to the supplemental guidance or the addition of new supplemental guidance for the security controls and control enhancements to address the characteristics of the overlay and the environments in which the overlay is intended to operate; (iii) specific statutory and/or regulatory requirements (above and beyond FISMA) that are met by a security control or control enhancement; (iv) recommendations for compensating controls, as appropriate; and (v) guidance that extends the basic capability of the control/enhancement by specifying additional functionality, altering the strength of mechanism, or adding or limiting implementation options.
- Tailoring Considerations: Provide information on the tailoring process when determining the set of security controls applicable to the specific information system. This is especially important for overlays that are used in an environment of operation different from the one assumed by the security control baselines.
- Definitions: Provide any terms and associated definitions that are unique and relevant to the overlay. List terms and definitions in alphabetical order. If the overlay has no unique terms or definitions, state that explicitly in this section.
- Additional Information or Instructions: Provide any additional information or instructions relevant to the overlay not covered in the previous sections.