CNSSI 1253 Overlays. Mission-Specific Controls for National Security.

CNSSI 1253 provides the baseline security categorization and control selection methodology for National Security Systems (NSS) as defined by the Committee on National Security Systems (CNSS). The base framework selects controls from the NIST 800-53 rev5 catalog based on the confidentiality, integrity, and availability impact levels of the information processed by the system. NSS operate under different threat models, adversary capabilities, and consequence profiles than standard federal information systems. The controls selected by CNSSI 1253 reflect that distinction: higher baseline requirements, stricter implementation parameters, and additional controls that do not appear in standard federal baselines. Overlays extend this base by modifying the control selection for specific operational contexts where the standard CNSSI 1253 baseline is either insufficient or requires adjustment. Each overlay is published by the CNSS and carries the authority of the national security governance structure that oversees NSS protection requirements.

The overlay mechanism operates through three operations: ADD, MODIFY, and REMOVE. An ADD operation introduces controls or control enhancements that the base CNSSI 1253 selection does not include, because the specific operational context demands protections beyond the baseline. A MODIFY operation changes the implementation parameters of a control that already exists in the baseline: stricter frequency requirements, additional implementation guidance, or expanded scope. A REMOVE operation eliminates controls that are not applicable to the specific operational context, typically because the physical or logical characteristics of the environment make the control irrelevant or technically infeasible. These operations are deterministic. Each overlay publishes its complete list of ADD, MODIFY, and REMOVE directives, and the resulting control set can be computed mechanically from the base plus the overlay operations.

Five primary overlays cover the major operational domains within NSS: Classified Systems for environments processing classified national security information at various classification levels; Cross Domain Solutions for systems that transfer information between different security classification levels or security domains; Intelligence Systems for platforms operating under Intelligence Community directives with requirements that extend beyond standard classified processing; Space Platform for satellite systems, ground stations, and space vehicle communications with unique physical and environmental constraints; and Industrial Control Systems (ICS) for SCADA, distributed control systems, and operational technology networks where availability and safety take precedence over traditional confidentiality priorities. Each overlay addresses a distinct threat profile and operational reality. Organizations operating NSS must identify which overlays apply to their systems and compose the resulting control set for authorization.

CNSSI 1253 overlays stack on the CNSSI 1253 base framework, which itself selects controls from the NIST 800-53 rev5 catalog. The layering is structural: NIST 800-53 provides the comprehensive control catalog; CNSSI 1253 selects the subset appropriate for National Security Systems based on impact categorization; overlays then modify that subset for specific operational contexts. Each layer is traceable. Every control in the final composed set can be traced backward through the overlay that added or modified it, through the CNSSI 1253 base selection, and ultimately to the specific NIST 800-53 control definition. This traceability is not optional for NSS authorization. The Authorizing Official must understand why each control is present, which authority required it, and what evidence demonstrates its implementation. The overlay mechanism provides that provenance at every layer of the stack.

When multiple overlays apply to the same system, their operations must be composed with conflict resolution. A classified intelligence system operating on a space platform requires three overlays simultaneously: Classified Systems, Intelligence Systems, and Space Platform. Each overlay independently specifies ADD, MODIFY, and REMOVE operations against the base. Conflicts arise when overlays disagree: one overlay may ADD a control enhancement while another REMOVEs the parent control, or two overlays may MODIFY the same control with different implementation parameters. Rampart resolves these conflicts through a deterministic precedence model. ADD operations from any overlay are always honored unless explicitly contradicted by a higher-precedence directive. MODIFY operations apply cumulatively, with the most restrictive parameter taking precedence when overlays specify different values for the same parameter. REMOVE operations require unanimous agreement across all applicable overlays; if any overlay requires a control, it remains in the composed set regardless of REMOVE directives from other overlays.

The composed control set becomes the authoritative requirement baseline for the system's authorization package. Rampart displays the full composition: every control in the final set, annotated with its origin (base selection, overlay ADD, overlay MODIFY), any conflict resolution decisions, and the resulting implementation parameters. When the CNSS publishes overlay updates, Rampart re-composes the control set and identifies delta impacts: new controls added, existing controls with modified parameters, controls removed, and any new conflicts introduced by the update. Sentinel evaluates the posture impact of each delta: which new controls lack implementation evidence, which modified controls require updated evidence collection, and which removed controls can release monitoring resources. The composition is not a one-time exercise performed during initial authorization. It is a maintained computation that updates as overlays evolve and the system's operational context changes.

The Classified Systems overlay applies to any NSS that processes, stores, or transmits information classified under Executive Order 13526 at the Confidential, Secret, or Top Secret level. Classified information carries specific handling requirements that extend well beyond what standard CNSSI 1253 baselines address. The overlay adds controls for physical security of processing facilities, including requirements for secure rooms, access control vestibules, intrusion detection systems, and emanations security (TEMPEST) countermeasures. Personnel security controls require verified clearance levels matching the highest classification level processed, access approval documentation, need-to-know determinations for each individual with system access, and continuous evaluation monitoring for personnel with classified access. Secure communications controls mandate encryption certified to NSA standards for all classified data in transit, with specific cryptographic module requirements that vary by classification level.

Physical security requirements in the Classified Systems overlay are among the most prescriptive of any CNSSI 1253 modification. Facilities must meet the standards defined in ICD 705 (for Sensitive Compartmented Information Facilities) or DoD Manual 5200.01 (for general classified processing). These standards specify construction materials, sound attenuation levels, visual access restrictions, alarm systems, guard force requirements, and visitor escort procedures. The overlay ADDs physical security controls that the base CNSSI 1253 selection either omits or specifies at lower implementation rigor. It also MODIFYs existing physical protection controls to require specific certification of the processing facility before the system receives its authorization to operate. Evidence for these controls includes facility accreditation documentation, physical security inspection reports, personnel clearance verification records, access rosters with clearance level annotations, and continuous evaluation enrollment confirmation for all cleared personnel.

Evidence collection in classified environments presents unique constraints. Many classified systems operate on air-gapped networks with no connectivity to external collection infrastructure. Sentinel supports disconnected evidence collection through exportable collection agents that operate within the classified enclave, gather configuration data and security event logs, and produce encrypted evidence packages for transfer through approved cross-domain transfer mechanisms. The evidence packages include cryptographic integrity verification so that artifacts collected within the classified environment can be validated after transfer without re-accessing the classified network. Rampart ingests these packages and maps the evidence to the composed control set, including all Classified Systems overlay additions and modifications. For classified systems with approved connectivity to collection infrastructure, Sentinel operates in real time with the same continuous monitoring capabilities available on unclassified systems, subject to the network security requirements imposed by the classification level.

Cross Domain Solutions (CDS) are systems specifically designed to transfer information between different security classification levels or security domains while enforcing the security policies of each domain. A CDS might connect a Secret network to an Unclassified network, transferring sanitized intelligence products downward while preventing classified spillage upward. It might connect two Top Secret networks with different compartmented access requirements, ensuring that information flows only to recipients authorized for the specific compartments contained in the transferred data. The Cross Domain Solutions overlay is the most stringent of all CNSSI 1253 overlays because the consequences of failure are categorical: unauthorized disclosure of classified information to lower classification domains, or contamination of a higher classification domain with unverified data from a lower domain. Every additional control in this overlay exists to prevent those outcomes.

The overlay ADDs extensive controls for content inspection, data guard functionality, and sanitization requirements. Content inspection controls mandate that every data transfer through the CDS undergoes automated inspection against security policy rules: classification marking verification, dirty word searches, format validation, embedded content extraction and inspection, and metadata scrubbing. Data guard controls require human review for transfers that automated inspection cannot definitively clear, with specific requirements for reviewer training, dual-review for high-sensitivity transfers, and audit trails that capture every review decision with the reviewer's identity and justification. Sanitization requirements ensure that transferred data contains no residual classified content in metadata, embedded objects, revision history, or hidden formatting. These controls operate in addition to the full Classified Systems overlay, because every CDS by definition processes classified information. The control set is cumulative: base CNSSI 1253, plus Classified Systems overlay, plus Cross Domain Solutions overlay.

Rampart composes the Cross Domain Solutions overlay with the Classified Systems overlay automatically when both apply to a system. The composed control set includes every control from both overlays, with conflict resolution applied where their directives interact. Rampart tracks each control's provenance: whether it originates from the base selection, the Classified Systems ADD directives, or the Cross Domain Solutions ADD directives. This provenance is critical during authorization because the Authorizing Official must understand the full requirement chain and verify that implementation satisfies the specific overlay that introduced each control. Sentinel monitors cross-domain transfer logs, content inspection results, and guard decision records as evidence sources specific to the CDS overlay. Every transfer event, inspection outcome, and reviewer decision becomes an immutable evidence record mapped to the specific controls it satisfies. The evidence chain demonstrates not just that the controls exist, but that they operate continuously across every data transfer the CDS processes.

The Intelligence Systems overlay addresses security requirements specific to systems operating within the Intelligence Community (IC). These systems process intelligence information subject to authorities and directives issued by the Office of the Director of National Intelligence (ODNI), including Intelligence Community Directives (ICDs), Intelligence Community Standards (ICSs), and Intelligence Community Policy Guidance (ICPGs). IC systems face adversary threat models that assume nation-state capabilities: persistent access attempts, insider threat vectors, supply chain compromise, and sophisticated signals intelligence collection against emanations and communications. The Intelligence Systems overlay reflects these threat assumptions by adding controls that harden the system against advanced persistent threats, enforce compartmented access models, and implement monitoring capabilities calibrated to detect the tactics and techniques of state-sponsored adversaries.

IC-specific requirements extend the Classified Systems overlay in several critical areas. Compartmented access controls enforce Sensitive Compartmented Information (SCI) handling requirements defined in ICD 503 and its successor directives. Access decisions are not binary (cleared or not cleared) but granular: each user's access is limited to the specific compartments, subcompartments, and special access programs for which they hold authorization. The overlay ADDs controls for compartment-level access enforcement, compartment boundary monitoring, and audit of access attempts across compartment boundaries. Special handling procedures add requirements for specific intelligence disciplines (HUMINT, SIGINT, IMINT, MASINT) that carry additional protection requirements beyond the base classification level. The overlay MODIFYs audit and accountability controls to require intelligence-specific event logging: not just who accessed what, but the intelligence discipline, compartment context, and mission justification for each access event.

The Intelligence Systems overlay extends the base CNSSI 1253 framework through both structural additions and parameter modifications. Rampart maps IC-specific directives (ICD 503 for security, ICD 705 for facility standards, ICD 501 for discovery and dissemination) to the NIST 800-53 controls they augment, maintaining traceability from intelligence directives through the overlay to the base control catalog. Artificer generates implementation narratives that reference the specific IC directives each control satisfies, providing authorization packages that speak the language of IC authorizing officials. Evidence requirements for intelligence systems often include classification management records, compartmented access approvals, security violation reports with corrective actions, and periodic security review documentation. Sentinel collects these evidence types from connected IC infrastructure where connectivity permits, and supports the same disconnected collection workflow used for classified environments when air-gapped operation is required.

The Space Platform overlay addresses security requirements for satellite systems, ground stations, and space vehicle communications that operate under physical and environmental constraints fundamentally different from terrestrial IT systems. A satellite in orbit cannot be physically accessed for maintenance, patching, or incident response. Ground-to-space communication links operate over constrained bandwidth with significant latency, limiting the frequency and volume of security monitoring data that can be transmitted. Space vehicles have fixed computational resources that cannot be upgraded after launch, constraining the complexity of security controls that can execute on the platform itself. The overlay REMOVEs controls that assume physical accessibility (certain physical protection controls that cannot apply to orbital hardware) and ADDs controls for link security (encryption and authentication of all ground-to-space and space-to-ground communications), ground station hardening (physical and logical security of the terrestrial endpoints that command and control space vehicles), and mission assurance (availability and integrity controls that ensure the space vehicle continues operating even under adversary interference).

The Industrial Control Systems (ICS) overlay addresses SCADA systems, distributed control systems, programmable logic controllers, and operational technology (OT) networks where the priority hierarchy differs from traditional IT. In standard information systems, confidentiality typically receives the highest priority. In ICS environments, availability and safety take precedence. A control system managing a power grid, water treatment facility, or weapons system cannot tolerate the downtime that routine IT security practices assume: rebooting for patches, taking systems offline for scanning, or implementing access controls that could delay emergency operator actions. The ICS overlay MODIFYs controls to account for these constraints. Patch management controls are modified to require testing in replica environments before deployment to production control systems. Access controls are modified to allow emergency bypass procedures with post-event audit rather than blocking access during time-critical operations. Continuous monitoring controls are modified to use passive network monitoring rather than active scanning that could disrupt control system operations.

Both overlays share a common challenge: the security controls must account for operational environments where standard IT assumptions do not hold. Rampart tracks the specific REMOVE and MODIFY operations each overlay applies, ensuring that assessors understand why certain base controls are absent or modified in the composed control set. Every REMOVE operation includes the justification published by the CNSS, and every MODIFY operation displays both the original control parameters and the overlay-modified parameters side by side. Sentinel adapts its evidence collection strategy for each operational domain. For space platforms, Sentinel collects evidence from ground station infrastructure and ingests telemetry data transmitted from the space vehicle during scheduled communication windows. For ICS environments, Sentinel uses passive monitoring to collect network traffic evidence, configuration baselines from engineering workstations, and operational event logs from historian servers, without introducing active probes that could disrupt control system operations. Vanguard scanning configurations for ICS environments enforce passive-only scan profiles that gather security posture data without sending packets to control system networks.

Evidence collection for CNSSI 1253 overlays spans a broader range of artifact types than standard framework assessments. Each overlay in the composed control set requires specific evidence to demonstrate control implementation: configuration snapshots from classified systems, security event logs from accredited networks, access control records tied to clearance levels, physical security inspection reports for SCIFs and secure areas, personnel clearance verifications with current status, network traffic captures from monitored segments, and operational process documentation with approval chains. Evidence collection frequency must adapt to each control's monitoring requirements. Controls with continuous monitoring mandates produce evidence streams in real time. Controls with periodic assessment requirements produce evidence on the schedule specified by the overlay's MODIFY directives. Controls that require human attestation, such as annual reviews, management authorizations, and personnel re-certifications, need collection workflows that route to the responsible party and escalate if the response deadline approaches without completion.

The challenge of scanning for CNSSI 1253 overlay compliance is that each overlay introduces controls requiring highly specialized technical validation, and the tooling must adapt to each operational domain. The Classified Systems overlay requires verification of NSA-certified encryption implementations, which demands scan profiles that understand Suite A and Suite B algorithm requirements. The Cross Domain Solutions overlay requires validation of content inspection rule sets and data guard configurations across multiple security domains. The Intelligence Systems overlay requires verification of compartmented access enforcement mechanisms that standard access control scanners do not evaluate. The Space Platform overlay requires validation of link encryption parameters and ground station security configurations with latency and availability constraints. The ICS overlay requires verification of passive monitoring deployment and emergency bypass audit configurations in environments where active scanning poses safety risks. Each overlay demands distinct scan profiles, and results must map directly to the specific overlay controls they validate with per-control evidence, timestamps, and integrity hashes.

Classified network considerations impose constraints on evidence collection architecture. Systems operating on classified networks may prohibit outbound data transfer to unclassified collection infrastructure. Sentinel supports three deployment models for classified environments. The connected model operates on classified collection infrastructure within the same security domain as the monitored system, with evidence stored and accessed entirely within the classified environment. The disconnected model uses exportable collection agents that operate within the classified enclave and produce encrypted evidence packages for approved cross-domain transfer. The hybrid model collects unclassified evidence (network configurations, patch levels, access control lists) through connected infrastructure while classified evidence (security event context, classification management records, compartmented access logs) remains within the classified domain. Rampart reconciles evidence from multiple collection models, mapping artifacts from each source to the controls they satisfy regardless of the collection pathway.

The derivation chain from CNSSI 1253 overlays to NIST 800-53 is deterministic and fully traceable. NIST 800-53 rev5 provides the comprehensive catalog of security and privacy controls for federal information systems and organizations. CNSSI 1253 selects controls from that catalog specifically for National Security Systems, applying categorization criteria defined by CNSS rather than the FIPS 199/200 categorization used for standard federal systems. The CNSSI 1253 base selection is more restrictive than the corresponding NIST 800-53 Moderate or High baselines because NSS face threat environments that assume nation-state adversary capabilities. Each overlay then modifies that already-elevated baseline for specific operational contexts. The chain runs: CNSSI 1253 overlay directives (ADD/MODIFY/REMOVE) applied to the CNSSI 1253 base selection, which itself draws from NIST 800-53 rev5. Every control in the final composed set traces back through this chain to its authoritative source.

Cross-walk examples illustrate how this derivation chain operates at the individual control level. NIST 800-53 control AC-2 (Account Management) appears in the CNSSI 1253 base selection with NSS-specific implementation parameters. The Classified Systems overlay MODIFYs AC-2 to require clearance verification as a prerequisite for account provisioning. The Intelligence Systems overlay further MODIFYs AC-2 to require compartment-level access validation and SCI indoctrination confirmation. The Cross Domain Solutions overlay ADDs AC-2 enhancements requiring separate account management for each security domain the CDS bridges. NIST 800-53 control SC-13 (Cryptographic Protection) appears in the base with NSS requirements for CNSA Suite algorithms. The Space Platform overlay MODIFYs SC-13 to specify link encryption standards for ground-to-space communications. The ICS overlay MODIFYs SC-13 to allow operational technology protocols that cannot support standard cryptographic implementations, with compensating controls documented.

Work completed for any CNSSI 1253 overlay advances posture across the entire NIST 800-53 derivation chain. Every control satisfied for a classified intelligence system also satisfies the corresponding NIST 800-53 control at or above the implementation rigor required by other frameworks that derive from the same catalog. Rampart computes this cross-framework leverage automatically. An organization operating an NSS with the Classified Systems and Intelligence Systems overlays has already implemented controls at a rigor level that exceeds FedRAMP High, CMMC Level 3, and most commercial framework requirements for the corresponding control families. Rampart displays this leverage: for each control in the composed CNSSI 1253 overlay set, the platform shows which other frameworks reference the same underlying NIST 800-53 control and at what implementation rigor. The investment in NSS overlay compliance compounds across the organization's entire framework portfolio. Citadel surfaces this cross-framework posture in the aggregated dashboard, showing readiness percentages for every active framework computed from the shared evidence base.