Glossary

overlays

In cybersecurity frameworks, overlays are tailored sets of control refinements that adjust baseline requirements for specific environments or missions.

In cybersecurity and compliance frameworks, overlays are structured sets of refinements that tailor a standard control baseline to the needs of a specific environment, sector, mission, or technology stack.

Overlays most commonly appear in the context of NIST SP 800-53 and the companion publication SP 800-53B, which defines the control baselines and the rules for tailoring them. A baseline (for example, the moderate-impact baseline) defines the default set of controls for an impact level. An overlay then adjusts that baseline by adding controls, removing controls that do not apply, assigning values to organization-defined parameters, or otherwise refining requirements so the result fits a particular community of interest, such as a type of system, sector, or regulatory context.

What overlays include

Overlays typically document, in a consistent format:

  • Scope and assumptions about the environment or system they apply to, including any conditions a system must meet before the overlay may be claimed
  • Control selections, such as which baseline controls are used as-is, which are excluded, and which are added from the wider catalog
  • Control refinements, such as assigned or tightened values for organization-defined parameters, additional implementation detail, sector-specific constraints, or compensating controls where a baseline control is not feasible
  • Rationale for each tailoring decision, so that every deviation from the baseline remains traceable during assessment

In industrial and manufacturing environments, overlays can be used to adapt generic security or compliance baselines to operational technology (OT), MES, ERP integrations, plant-floor networks, or specific regulated product lines, while still remaining traceable to a recognized standard.
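The add / exclude / refine structure described above can be made concrete as data plus a resolver. The following is an added example written for this entry, not code from the page's author or from NIST; it is a deliberate simplification and is not OSCAL. The control identifiers (AC-2, AC-7, AC-17, SI-2, SI-3, PE-3) are real SP 800-53 control IDs, but the shortened titles, the parameter names and values, the baseline subset, and the plant-floor overlay and its rationale are all constructed for illustration. The resolver refuses overlays that would break traceability: unknown controls, exclusions of controls that were never in the baseline, refinements of excluded or unselected controls, unknown parameters, and decisions with no rationale.

```python
"""Resolve a control overlay against a baseline: a constructed illustration of
the add / exclude / refine tailoring the glossary entry describes. Not OSCAL and
not NIST's own tooling; the data model is a simplification for this page."""
from dataclasses import dataclass, field

# Constructed mini-catalog. The control IDs are real SP 800-53 identifiers; the
# titles are shortened and the parameter names and values are illustrative.
CATALOG = {
    "AC-2":  {"title": "Account Management", "params": {}},
    "AC-7":  {"title": "Unsuccessful Logon Attempts",
              "params": {"max_attempts": 5, "lock_minutes": 15}},
    "AC-17": {"title": "Remote Access", "params": {}},
    "SI-2":  {"title": "Flaw Remediation", "params": {"patch_within_days": 30}},
    "SI-3":  {"title": "Malicious Code Protection", "params": {"scan_mode": "real-time"}},
    "PE-3":  {"title": "Physical Access Control", "params": {}},
}

# Constructed baseline: the controls a framework selects for one impact level.
BASELINE = ["AC-2", "AC-7", "AC-17", "SI-2", "SI-3"]


@dataclass
class Overlay:
    """Overlay as a data record: scope plus three kinds of tailoring decision.
    Every decision carries its rationale so the result stays traceable."""
    name: str
    scope: str
    add: dict = field(default_factory=dict)      # control id -> rationale
    exclude: dict = field(default_factory=dict)  # control id -> rationale
    refine: dict = field(default_factory=dict)   # control id -> (params, rationale)


def validate(baseline, overlay, catalog=CATALOG):
    """Return a sorted list of problems; an empty list means the overlay is well-formed."""
    problems = []
    decided = set(overlay.add) | set(overlay.exclude) | set(overlay.refine)
    for cid in decided:
        if cid not in catalog:
            problems.append(f"{cid}: not in the control catalog")
    for cid, why in overlay.exclude.items():
        if cid not in baseline:
            problems.append(f"{cid}: excluded but not in the baseline")
        if cid in overlay.refine:
            problems.append(f"{cid}: both excluded and refined")
        if not why:
            problems.append(f"{cid}: exclusion without rationale")
    for cid, why in overlay.add.items():
        if cid in baseline:
            problems.append(f"{cid}: added but already in the baseline")
        if not why:
            problems.append(f"{cid}: addition without rationale")
    for cid, (params, why) in overlay.refine.items():
        if cid not in baseline and cid not in overlay.add:
            problems.append(f"{cid}: refined but not selected")
        if not why:
            problems.append(f"{cid}: refinement without rationale")
        for p in params:
            if p not in catalog.get(cid, {}).get("params", {}):
                problems.append(f"{cid}: unknown parameter {p!r}")
    return sorted(problems)


def resolve(baseline, overlay, catalog=CATALOG):
    """Apply the overlay and return {control id: {title, params, source}}.
    'source' records where each control and refinement came from."""
    problems = validate(baseline, overlay, catalog)
    if problems:
        raise ValueError("; ".join(problems))
    tailored = {}
    for cid in baseline:
        if cid not in overlay.exclude:
            tailored[cid] = {"title": catalog[cid]["title"],
                             "params": dict(catalog[cid]["params"]),
                             "source": ["baseline"]}
    for cid in overlay.add:
        tailored[cid] = {"title": catalog[cid]["title"],
                         "params": dict(catalog[cid]["params"]),
                         "source": [f"added by {overlay.name}"]}
    for cid, (params, _why) in overlay.refine.items():
        tailored[cid]["params"].update(params)
        tailored[cid]["source"].append(f"refined by {overlay.name}")
    return tailored


# Constructed plant-floor overlay for a hypothetical isolated OT segment.
PLANT_FLOOR = Overlay(
    name="plant-floor-ot",
    scope="PLC/HMI segment with no routed path to the enterprise network",
    add={"PE-3": "control cabinets are the realistic attack surface for an isolated segment"},
    exclude={"AC-17": "no remote access path exists on this segment"},
    refine={
        "AC-7": ({"max_attempts": 3}, "shared operator consoles; lower lockout threshold"),
        "SI-2": ({"patch_within_days": 90}, "patching only in scheduled production windows"),
    },
)

if __name__ == "__main__":
    for cid, ctl in sorted(resolve(BASELINE, PLANT_FLOOR).items()):
        print(f"{cid:6} {ctl['title']:28} {ctl['params']}  <- {'; '.join(ctl['source'])}")
```

Running the module prints the tailored set with its provenance; the `source` list is the traceability an assessor asks for when a control's parameter differs from the baseline. The SI-2 refinement is a deliberate example of an overlay loosening a value: the resolver accepts it only because a rationale is attached, which mirrors the framework's expectation that any relaxation is a documented risk decision rather than a silent edit.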

How overlays are used operationally

Operationally, overlays are used to:

  • Provide a repeatable, documented tailoring of baseline controls for a class of systems, such as production lines or lab environments
  • Support system authorization or risk reviews by showing how standard controls were adapted
  • Align multiple systems to a consistent, sector-specific control interpretation
  • Inform implementation guides, configuration standards, and verification activities for IT and OT systems

Overlays are usually maintained as controlled documents and referenced during design reviews, system implementation, and periodic assessment activities.

Common confusion

Overlays are commonly confused with:

  • Baselines: A baseline is the starting set of controls defined by a framework for a given impact level or category. An overlay modifies that baseline for a particular context; it is not a standalone framework, and the result of applying it is a tailored baseline that may still need system-specific tailoring. Removing a baseline control through an overlay is a risk decision that should rest on documented non-applicability or a compensating control, not on convenience.
  • Implementation guides or SOPs: Overlays describe how controls are selected and tailored. They do not typically prescribe all procedural steps, work instructions, or system-specific configuration details, although they may reference those documents.

Connection to NIST SP 800-53

Within NIST SP 800-53 and the baseline and tailoring guidance in SP 800-53B, overlays are a formal mechanism for tailoring control baselines. They support consistent and documented adaptations of the core control catalog for specific communities of interest, environments, or technologies. A published example relevant to manufacturing is the industrial control systems overlay in NIST SP 800-82, which tailors the SP 800-53 baselines for ICS and other OT assets.
