An overlay offers organizations additional customization options for control baselines and may be a fully specified set of controls, control enhancements, and other supporting information (e.g., parameter values) derived from the application of tailoring guidance to SP 800-53B control baselines, or derived independently of control baselines. Overlays also provide an opportunity to build consensus across communities of interest and develop a starting point of controls that have broad-based support for very specific circumstances, situations, and/or conditions.
NIST Special Publication SP 800-53B, Control Baselines for Information Systems and Organizations, Appendix C provides additional guidance on Overlays and Chapter 3 provides guidance on tailoring to help ensure that control implementations accurately reflect security and privacy requirements for each system, system component, and operational environment to which the overlay is applied.
Overlays are developed to apply to multiple systems within a community of interest and provide:
Any stakeholder and community of interest. Categories of overlays that may be useful include, for example:
Security and Privacy: general security & privacy, privacy, risk management, security measurement, security programs & operations
Laws and Regulations: E-Government Act, Federal Information Security Modernization Act