NIST works with the Framework community to create and maintain a catalog of Informative References (References). References are citations of detailed cybersecurity documents to any combination of Functions, Categories, and Subcategories within the Framework. References demonstrate how a given cybersecurity document can be used in coordination with the Framework for the purposes of cybersecurity risk management.
Historically, References only appeared in the Framework document. To maintain the readability of the document, only a small number of Reference Documents were listed. With the release of Version 1.1 of the Framework document, References appear both in the Framework document and in an online format. The online format provides the entire Framework community an opportunity to create a more comprehensive catalog of cybersecurity methodologies, unified through the structure of the Framework.
The online References catalog uses a federated model, where submitting parties develop and host their respective References. NIST released NISTIR 8204, Cybersecurity Framework Online Informative References (OLIR) which provides guidance to Informative Reference developers for completing and submitting References NIST analyzes the submitted References for correctness, works with submitters regarding any necessary corrections, and hosts links to the public draft and final versions of the References. The catalog of References includes links to draft content (while it is being evaluated for public comment) and final versions. Draft content is not retained once a document is declared final.
Have a question? Please go to the Informative References FAQs page to see if it has already been answered.
Disclaimer: References are linked to by NIST for information purposes only and do not constitute an endorsement by NIST of the submitted content.
How to Submit
Do you want to submit a Reference for consideration? Please follow these instructions.