1. Identification
date, (iii) the version of NIST Special Publication 800-53 used to create the overlay, (iv) any other documentation used to create the overlay, and (v) identify the events that can cause the overlay to be modified or updated.
This overlay is titled the Privacy Overlay as it identifies security control specifications required to address
privacy risks to national security systems. This is version 1.0 dated September 4, 2012.
The following documents were used to create this overlay:
National Institute of Science and Technology (NIST) Special Publication (SP) 800-53 rev3, Recommended Security Controls for Federal Information Systems and Organizations, May 1, 2010
NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), April 2010
Committee on National Security Systems Instruction (CNSSI) No. 1253, Version 2, March 15, 2012
The Privacy Act of 1974, as amended (Public Law (P.L.) 93-579, as codified in 5 United States Code (USC) 552a), December 1974
The Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191, and associated regulations at 45 Code of Federal Regulations (CFR) 160, 162, and 164 (2011)), August 1996
The E-Government Act (includes the Federal Information Security Management Act, P.L. 107-347), December 2002
Office of Management and Budget (OMB) Circular A-130, Appendix III, Transmittal Memorandum #4, Management of Federal Information Resources, November 2000
OMB M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, September 2003
OMB M-04-04, E-Authentication Guidance, December 2003
OMB M-06-15, Safeguarding Personally Identifiable Information, May 2006
OMB M-06-16, Protection of Sensitive Agency Information, June 2006
OMB M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 2007
Federal Acquisition Regulations, 45 CFR § 24.1, Protection of Individual Privacy, 2005; 45 CFR § 164, Security and Privacy
The overlay should be evaluated for revision when OMB issues new guidance that may impact designation of privacy or HIPAA-related security controls or if any of the following are revised:
The Privacy Act of 1974, as amended (The Privacy Act)
The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
E-Government Act of 2002