Security Control Spotlight—Privacy Overlay

By Lon J. Berman, CISSP

According to NIST Special Publication (SP) 800-53, an overlay is a “fully specified set of security controls, control enhancements and supplemental guidance derived from the application of tailoring guidance to security control baselines”. The intent is to streamline the process of developing a security control set for specific communities of interest. The Committee on National Security Systems (CNSS) website is the official “repository” of overlays that are approved for use in DoD. Several overlays are published there, including ones for classified systems, space systems and intelligence systems. The one we will look at in this issue is the most recent one published, the Privacy Overlay.

The Privacy Overlay is intended for use with systems that store or process information that is subject to additional privacy protection, i.e., Personally Identifiable Information (PII) and Protected Health Information (PHI). It turns out the Privacy Overlay is actually four overlays in one. There are three separate overlays for systems processing PII, as well as an overlay for systems processing PHI. Systems containing PII will use one of the three PII overlays. In addition, the PHI overlay is used for systems that also store or process PHI.

The choice of which PII overlay to use depends on the “PII Sensitivity Level” (a.k.a. PII confidentiality sensitivity level), which can be Low, Moderate or High. The process of determining the PII Sensitivity Level is documented in NIST Special Publication (SP) 800-122, entitled Guide to Protecting the Confidentiality of Personally Identifiable Information (PII).

The factors that must be considered include:

  • Identifiability – how easily can PII be used to identify specific individuals?
  • Quantity of PII – how many individuals are identified?
  • Data Field Sensitivity – are specific PII data items more sensitive than others?
  • Context of Use – what is the purpose of collecting, storing, processing, disclosing or disseminating PII?
  • Obligation to Protect Confidentiality – is the organization subject to laws, regulations or mandates governing the obligation to protect personal information?
  • Access to and Location of PII – what is the nature of authorized access to PII?

It is important to note the PII Confidentiality Sensitivity Level is completely separate and distinct from the RMF Confidentiality categorization level.

The PII and PHI Overlays tailor the RMF baseline in two ways:

  • By providing supplemental guidance and/or organization-defined values for various controls in the RMF baseline.
  • By adding specific controls from the “Privacy Control Catalog” in NIST SP 800-53, Appendix J.

Control families in the Privacy Controls Catalog include:

  • Authority and Purpose (AP)
  • Accountability, Audit and Risk Management (AR)
  • Data Quality and Integrity (DI)
  • Data Minimization and Retention (DR)
  • Individual Participation and Redress (IP)
  • Security (SE)
  • Transparency (TR)
  • Use Limitation (UL)
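As an added illustration (not from the article, CNSS or NIST), the following Python models the tailoring mechanism described above: exactly one PII overlay is selected by PII Sensitivity Level, the PHI overlay is added when the system also handles PHI, and each overlay then applies supplemental guidance and organization-defined values to baseline controls and adds controls from the Appendix J catalog. The overlay contents (which controls receive guidance, the guidance wording, the retention values and which Appendix J controls each overlay adds) are constructed for the example and are not the published overlay; the baseline and Appendix J control identifiers are real NIST SP 800-53 identifiers, but their assignment to overlays here is hypothetical.

```python
"""How the Privacy Overlay tailors an RMF baseline, modelled in code.

Added example, not from the article, CNSS or NIST. The mechanism follows the
article (one PII overlay chosen by PII sensitivity level, the PHI overlay
added when PHI is present, supplemental guidance / organization-defined
values applied to baseline controls, Appendix J controls added). The overlay
CONTENT below is constructed for illustration, not the published overlay.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PII_LEVELS = ("Low", "Moderate", "High")
# Appendix J privacy control family abbreviations, as listed in the article.
PRIVACY_FAMILIES = frozenset({"AP", "AR", "DI", "DR", "IP", "SE", "TR", "UL"})


@dataclass
class Control:
    cid: str                                              # e.g. "AC-2" or "AP-1"
    guidance: List[str] = field(default_factory=list)     # supplemental guidance
    params: Dict[str, str] = field(default_factory=dict)  # organization-defined values

    @property
    def is_privacy_control(self) -> bool:
        return self.cid.split("-", 1)[0] in PRIVACY_FAMILIES


@dataclass
class Overlay:
    name: str
    supplemental: Dict[str, List[str]] = field(default_factory=dict)
    odv: Dict[str, Dict[str, str]] = field(default_factory=dict)
    added: List[str] = field(default_factory=list)        # Appendix J controls to add


NEED_TO_KNOW = "Restrict accounts that can access PII to personnel with a need to know."
AUDIT_PII = "Audit read access to PII records."

# CONSTRUCTED overlay content (illustrative only, not the published overlay).
OVERLAYS: Dict[str, Overlay] = {
    "PII-Low": Overlay("PII-Low", supplemental={"AC-2": [NEED_TO_KNOW]},
                       added=["AP-1", "TR-1"]),
    "PII-Moderate": Overlay("PII-Moderate",
                            supplemental={"AC-2": [NEED_TO_KNOW], "AU-2": [AUDIT_PII]},
                            odv={"AU-11": {"retention_period": "1 year"}},
                            added=["AP-1", "AR-2", "TR-1"]),
    "PII-High": Overlay("PII-High",
                        supplemental={"AC-2": [NEED_TO_KNOW], "AU-2": [AUDIT_PII]},
                        odv={"AU-11": {"retention_period": "3 years"}},
                        added=["AP-1", "AR-2", "AR-4", "IP-1", "SE-1", "TR-1", "UL-1"]),
    "PHI": Overlay("PHI", supplemental={"AU-2": ["Log every disclosure of PHI."]},
                   added=["AR-2", "AR-8", "IP-2", "UL-2"]),
}


def select_overlays(pii_level: Optional[str], has_phi: bool) -> List[str]:
    """Return the overlay names that apply: one PII overlay (by level) plus PHI if needed."""
    chosen: List[str] = []
    if pii_level is not None:
        if pii_level not in PII_LEVELS:
            raise ValueError(f"PII sensitivity level must be one of {PII_LEVELS}, got {pii_level!r}")
        chosen.append(f"PII-{pii_level}")
    if has_phi:
        chosen.append("PHI")
    return chosen


def apply_overlays(baseline: Dict[str, Control], overlay_names: List[str]) -> Dict[str, Control]:
    """Tailor a copy of the baseline with the named overlays; the input baseline is untouched."""
    tailored = {cid: Control(c.cid, list(c.guidance), dict(c.params)) for cid, c in baseline.items()}
    for name in overlay_names:
        ov = OVERLAYS[name]
        for cid in ov.added:                      # added once, even if several overlays list it
            tailored.setdefault(cid, Control(cid))
        for cid, lines in ov.supplemental.items():
            ctl = tailored.setdefault(cid, Control(cid))
            for line in lines:                    # identical guidance from two overlays is not repeated
                if line not in ctl.guidance:
                    ctl.guidance.append(line)
        for cid, values in ov.odv.items():        # if two overlays set one value, the later one wins (model's choice)
            tailored.setdefault(cid, Control(cid)).params.update(values)
    return tailored


def privacy_additions(tailored: Dict[str, Control]) -> List[str]:
    """Sorted ids of the Appendix J controls present in a tailored control set."""
    return sorted(cid for cid, c in tailored.items() if c.is_privacy_control)


def sample_baseline() -> Dict[str, Control]:
    """Constructed three-control stand-in for an RMF baseline."""
    return {cid: Control(cid) for cid in ("AC-2", "AU-2", "AU-11")}


if __name__ == "__main__":
    chosen = select_overlays("Moderate", has_phi=True)
    result = apply_overlays(sample_baseline(), chosen)
    print("Overlays applied:", chosen)
    for cid in sorted(result):
        print(f"{cid:6} guidance={result[cid].guidance} params={result[cid].params}")
```

Running the script for a Moderate-sensitivity PII system that also holds PHI prints the tailored set: the three baseline controls with their supplemental guidance and organization-defined values, plus the Appendix J controls contributed by both overlays, each listed once. The model keeps the PII Sensitivity Level as its own input rather than deriving it from the RMF confidentiality categorization, mirroring the article's point that the two are separate determinations.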

IT Dojo offers a comprehensive course on the transition from DIACAP to RMF. Please take a look at our RMF training courses here.