The National Online Informative References (OLIR) Program is a NIST effort to help subject matter experts (SMEs) define standardized online informative references (OLIRs) between elements of their cybersecurity, privacy, and workforce documents and elements of other cybersecurity, privacy, and workforce documents, such as the Cybersecurity Framework Version 1.1, the Privacy Framework Version 1.0, and SP 800-53 Revision 4.
At this stage of the OLIR Program's evolution, the initial focus has been on relationships to cybersecurity and privacy documents. The OLIRs are in a simple standard format defined by NISTIR 8278A (formerly NISTIR 8204), National Online Informative References (OLIR) Program: Submission Guidance for OLIR Developers, and they are searchable in a centralized repository. By following this approach, practitioners can use the OLIR Program as a mechanism for communicating with owners and users of other cybersecurity and privacy documents. You can find the catalog at: https://csrc.nist.gov/Projects/Cybersecurity-Framework/Informative-Reference-Catalog.
Refer to NIST Interagency or Internal Reports (IRs) NISTIR 8278 (draft) and NISTIR 8278A (draft), which detail the OLIR Program. NISTIR 8278 (draft) focuses on the OLIR Program overview and uses, while NISTIR 8278A (draft) provides submission guidance for OLIR developers.
The NIST OLIR Program welcomes a mapping of the Cybersecurity Maturity Model Certification (CMMC) to the Cybersecurity Framework, Privacy Framework, or NIST SP 800-53 Rev. 4 focal documents as an OLIR submission. If you or your organization are interested in contributing to the OLIR repository, NIST is happy to aid in this process.
NIST welcomes feedback to firstname.lastname@example.org.
A Reference Document is a cybersecurity or privacy document that is being related to a focal document (e.g., Cybersecurity Framework version 1.1, Privacy Framework version 1.0, and NIST SP 800-53 Rev. 4). An Informative Reference is a separate work product that shows multiple relationship assertions between specific Reference document elements and focal document elements.
Yes. Once the submitting organization has refined the Informative Reference to NIST’s specifications and submitted it for public review, it becomes publicly available through a link on the OLIR Informative Reference Catalog and is hosted on the Internet by the submitting organization.
The OLIR site is meant to be a community catalog. However, the Informative References themselves come with no guarantees or endorsements from NIST. Therefore, it is incumbent on the consumer of Informative References to do their due diligence when making business/security decisions for implementation. The implementing party may give preference to a particular Informative Reference that is authored by the same organization that authored the Reference Document (a.k.a. an “authoritative” Reference).
Please provide feedback regarding anything related to an Informative Reference to email@example.com.
Users often need to compare two cybersecurity or privacy documents for a variety of reasons, such as demonstrating where the documents’ cybersecurity controls are similar and where gaps exist. The Derived Relationship Mapping (DRM) Analysis Tool provides users with a convenient way to quickly view how one document may relate to another by leveraging the Focal Document. When a user compares the relationships from different Reference Documents and infers additional relationships among them, those inferred (derived) relationships are non-authoritative. The DRM Analysis Tool lets users leverage expert assertions from Subject Matter Experts (SMEs) and represents a starting point when attempting to compare Reference Documents.
Another popular use case involves conducting a gap analysis between documents. An analyst could leverage the DRM Analysis Tool to identify significant changes between two versions of the same document. An analyst could also use the tool to identify the gaps that would need to be addressed if their organization adopted a new security framework by generating reports comparing the Reference Documents they already comply with to the Reference Document for the new security framework.
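The derived-relationship and gap-analysis use cases described above can be sketched as a join through the Focal Document. This is an added example, not the DRM Analysis Tool's own code: the pair-based input format, the function names, and the reference element IDs ("A-1", "B-7", ...) are assumptions, and the focal elements are Cybersecurity Framework v1.1 Subcategory identifiers.

```python
from collections import defaultdict

# Constructed sample OLIRs: (reference element, focal element) assertions.
# Reference element IDs are hypothetical; focal IDs are CSF v1.1 Subcategories.
OLIR_A = [
    ("A-1", "PR.AC-1"),
    ("A-2", "PR.AC-4"),
    ("A-3", "DE.CM-1"),
]
OLIR_B = [
    ("B-7", "PR.AC-1"),
    ("B-8", "PR.AC-1"),
    ("B-9", "RS.RP-1"),
]


def index_by_focal(olir):
    """Group reference elements by the focal element they are related to."""
    idx = defaultdict(set)
    for ref_elem, focal_elem in olir:
        idx[focal_elem].add(ref_elem)
    return idx


def derive_relationships(olir_a, olir_b):
    """Pair elements of two Reference Documents that share a focal element.
    Results are inferred, hence non-authoritative: (A element, focal, B element)."""
    a_idx, b_idx = index_by_focal(olir_a), index_by_focal(olir_b)
    return sorted(
        (a, focal, b)
        for focal in a_idx.keys() & b_idx.keys()
        for a in a_idx[focal]
        for b in b_idx[focal]
    )


def gap_analysis(current, target):
    """Focal elements the target document relates to but the current one does not."""
    cur_idx, tgt_idx = index_by_focal(current), index_by_focal(target)
    return {f: sorted(tgt_idx[f]) for f in sorted(tgt_idx.keys() - cur_idx.keys())}


if __name__ == "__main__":
    for row in derive_relationships(OLIR_A, OLIR_B):
        print("derived:", row)
    print("gaps when adopting B:", gap_analysis(OLIR_A, OLIR_B))
```

Each derived pair is only a lead for an analyst to review, since two elements that relate to the same focal element do not necessarily cover the same requirement.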