This online learning module builds upon the introductory material presented in the Components of the Framework module and provides readers with a deeper look at Informative References and how an organization may use them.
The Informative References are a part of the Framework Core. They are more detailed technical references that are meant to provide organizations with a starting point for implementing practices to achieve the Framework's desired outcomes described in the associated Subcategory. The image below provides an example of what the Informative References look like using the Business Environment Category.
Each subcategory includes several Informative References, however, they should not be viewed as a checklist that must be completed to implement the subcategory outcome. Organizations can use some, none, or all the Informative References to inform the activities they undertake to achieve the outcome described by the Subcategory.
Through the early Requests for Information (RFIs) and Framework Workshops, NIST considered a large compendium of standards, guidance, and publications consisting of over 450 items. Ultimately, six of these were selected to become informative references included in the Framework Core due to being broad references which were widely recognized, and had a large adoption rate.
The chart below lists each Informative References included in the Core and provides a link to the associated website/document .
|NIST SP 800-53 Rev. 4||nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf|
Additional Informative References
With the release of the Cybersecurity Framework v1.1, NIST is establishing the Online Informative Reference Program. By linking to and spreading awareness of additional Informative References, organizations will have a more robust set of tools to achieve Framework Core outcomes.
Use of Informative References is non-compulsory for Framework implementation. Organizations have the flexibility to mix and match Informative References as best suits their needs. They may use all, some, none, or even choose to map additional practices not included in the Informative References catalog.
For example, a healthcare organization who organizes their existing controls around NIST 800-53 and is seeking to become ISO compliant may choose to use the ISO/IEC 27001 and the NIST 800-53 mappings included in the Framework Core along with the mapping for HITRUST from the larger Informative References catalog that applies specifically to healthcare organizations.