Informative References show relationships between any number and combination of organizational concepts (e.g., Functions, Categories, Subcategories, Controls, Control Enhancements) of the Focal Document and specific sections, sentences, or phrases of Reference Documents. The discrete concepts of the Focal Document are called Focal Document elements, and the specific sections, sentences, or phrases of the Reference Document are called Reference Document elements.

The National Online Informative References (OLIR) Program is a NIST effort to facilitate subject matter experts (SMEs) in defining standardized online informative references (OLIRs) between elements of their cybersecurity, privacy, and workforce documents and elements of other cybersecurity, privacy, and workforce documents like the Cybersecurity Framework Version 1.1, the Privacy Framework Version 1.0 & SP800-53 Revision 4. 

At this stage of the OLIR Program evolution, the initial focus has been on relationships to cybersecurity and privacy documents. The OLIRs are in a simple standard format defined by NISTIR 8278A (Formerly NISTIR 8204), National Online Informative References (OLIR) Program: Submission Guidance for OLIR Developers [csrc.nist.rip] and they are searchable in a centralized repository. By following this approach, practitioners can use the OLIR Program as a mechanism for communicating with owners and users of other cybersecurity and privacy documents. You can find the catalog at: https://csrc.nist.rip/projects/olir/informative-reference-catalog [csrc.nist.rip].

Refer to NIST Interagency or Internal Reports (IRs)  NISTIR 8278 [csrc.nist.rip] and NISTIR 8278A [csrc.nist.rip] which detail the OLIR program. The NISTIR 8278 [csrc.nist.rip] focuses on the OLIR program overview and uses while the NISTIR 8278A [csrc.nist.rip] provides submission guidance for OLIR developers.

The NIST OLIR program welcomes a submission mapping of the Cybersecurity Maturity Model Certification (CMMC) to the Cybersecurity Framework, Privacy Framework, or NIST SP 800-53 Rev. 4 focal documents as an OLIR submission. If you or your organization are interested in contributing to the OLIR repository, NIST is happy to aid in this process.

Historically, Informative References appear in many NIST documents. A subset of related Informative References were published in those documents to maintain readability. The OLIR program scales to accommodate a greater number of Informative References and provides a more agile support model to account for the varying update cycles of all Reference documents. The OLIR program allows for the cybersecurity and privacy community to keep information current on relationship assertions from Informative References to cybersecurity and privacy documents. The OLIR program also provides a more robust method to clearly define those relationship assertions.

NIST welcomes feedback to olir@nist.gov.

A Reference Document is a cybersecurity or privacy document that is being related to a focal document (e.g., Cybersecurity Framework version 1.1, Privacy Framework version 1.0, and NIST SP 800-53 Rev. 4). An Informative Reference is a separate work product that shows multiple relationship assertions between specific Reference document elements and focal document elements.

Yes. Once the submitting organization has refined the Informative Reference to NIST’s specifications and submitted it for public review, it becomes publicly available through a link on the OLIR Informative Reference Catalog and is hosted on the Internet by the submitting organization.

Anyone can author and submit Informative References. The NIST process for accepting, vetting, and linking to these stakeholder submissions is described in NISTIR 8278A (Formerly NISTIR 8204), National Online Informative References (OLIR) Program: Submission Guidance for OLIR developers. Questions and draft Informative Reference documents may be directed to olir@nist.gov.

The OLIR site is meant to be a community catalog. However, the Informative References themselves come with no guarantees or endorsements from NIST. Therefore, it is incumbent on the consumer of Informative References to do their due diligence when making business/security decisions for implementation. The implementing party may give preference to a particular Informative Reference that is authored by the same organization that authored the Reference Document (a.k.a. an “authoritative” Reference).

Please provide feedback regarding anything related to an Informative Reference to olir@nist.gov.

Users often need to compare two cybersecurity or privacy documents for a variety of reasons, such as demonstrating where the documents’ cybersecurity controls are similar and where gaps exist. The Derived Relationship Mapping (DRM) Analysis Tool provides users with a convenient way to quickly view how one document may relate to another by leveraging the Focal Document. When a User compares the relationships from different Reference Documents and infers additional relationships among them, those inferred—derived—relationships are non-authoritative. The DRM Analysis tool provides users with the ability to leverage expert assertions from Subject Matter Experts (SMEs) and represents a starting point when attempting to compare Reference Documents.

Another popular use case involves conducting a gap analysis between documents. An analyst could leverage the DRM Analysis Tool to identify significant changes between two versions of the same document. An analyst could also use the tool to identify the gaps that would need to be addressed if their organization adopted a new security framework by generating reports comparing the Reference Documents they already comply with to the Reference Document for the new security framework.

The status field is used to indicate the level of completion an OLIR is currently in. The following is a description of each stage of completion and what each stage represents:
 

A work-in-progress draft indicates that the document is currently under development. This draft is not yet complete, and organizations should not attempt to implement it. The content is an early stage of development, rough, incomplete and experimental. It has not been extensively edited or vetted. This provides an insider view of the development of the content and gives NIST an opportunity to share early thoughts, ideas, and approaches with the community. NIST welcomes the early informal feedback and comments, which will be adjudicated after the specified public comment period.

There will be one or more versions of the content before it is graduated to a preliminary draft status.
 

After the comments of a work-in-progress draft have been collected and adjudicated, a preliminary draft is produced. It is more cohesive and is composed of a complete logical grouping of sections or a volume. The content is considered to be stable, but changes are expected to occur. There are gaps in the content and the overall document is still incomplete. NIST welcomes early informal feedback and comments, which will be adjudicated after the specified public comment period. Organizations may consider experimenting with guidelines, with the understanding that they will identify gaps and challenges.

There will be one more version of the content before it is graduated to a draft status.
 

The draft document represents a complete guideline. The language is normalized and is consistent throughout the document. It includes addressing the adjudicated comments that were received during the previous public review cycles. The content represents a complete draft that is released for public comment as part of the NIST official review process in support of an open and transparent process for developing guidelines and standards for a specified period of time. Early adopters may attempt to implement the guidelines in a test or development environment. The content will continue to be hosted on csrc.nist.rip or nccoe.nist.gov, and it will be labeled as “draft”.

In some cases, after receiving comments on a first draft, it may be determined necessary to update it and release a second (or even third) draft for public comment. In situations where—prior to the first draft’s release—the authors plan to release multiple drafts, a document’s first draft may be identified as the initial public draft (ipd), and the last draft to solicit public comments may be identified as the final public draft (fpd).
 

Once the comments that were received during the official public comment period have been adjudicated, a final version is prepared. It then goes through the NIST internal editorial review process and is published by the NIST Information Services Office. Relevant content will continue to be linked from or hosted on csrc.nist.rip or nccoe.nist.gov, as appropriate.

OLIR - the National Online Informative References Program - is a NIST program to facilitate subject matter experts (SMEs) in defining relationship assertions between specific Reference Document elements and Focal Document elements. OSCAL - the Open Security Controls Assessment Language - is a set of formats (expressed in XML, JSON, and YAML) to provide machine-readable representations of control catalogs, control baselines, system security plans, and assessment plans and results.

Please follow these instructions