NIST Cybersecurity Framework: Tools and References from Microsoft - Identify Function


Sergey Tsygalnitsky

The National Institute of Standards and Technology (NIST) Cybersecurity Framework provides voluntary guidance - a set of industry standards and best practices - for reducing cybersecurity risks to critical infrastructure. Organizations that want to utilize the framework may find the task daunting at first, but it is helpful to remember that many of the subcategories in the framework can be accomplished with products and technologies they are already using.

Countless organizations around the globe rely on Microsoft technology to achieve their objectives. Understanding how Microsoft products and technologies relate to the NIST Cybersecurity Framework can help customers make significant progress in implementing it. After having several customers and partners ask me about utilizing the NIST Cybersecurity Framework, I've begun mapping Microsoft products and architectural references to subcategories of the Identify function in the Framework. There's more to come on this as I work through the Protect, Detect, Respond, and Recover functions.

Learn more about the NIST Cybersecurity Framework

Download the NIST Cybersecurity Framework PDF

Identify function mapping

About the mapping

In the tables below, I've mapped Microsoft products and architectural references to subcategories of the Identify function in the Framework. The resources listed reflect product information and how-to documentation, and do not include Microsoft service offerings (for example, Premier or MCS). Where I've left subcategories blank, the activity should be covered by the implementing organization utilizing internal resources or third parties. For Microsoft partners, that white space is the opportunity to step in and provide much-needed services.

If you have a resource to add to the list below, share your feedback with me in the Enterprise Security + Mobility Partners Yammer group.

Asset Management (ID.AM)

The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.

ID.AM-1: Physical devices and systems within the organization are inventoried
ID.AM-2: Software platforms and applications within the organization are inventoried
ID.AM-3: Organizational communication and data flows are mapped
ID.AM-4: External information systems are catalogued
ID.AM-5: Resources such as hardware, devices, data, and software are prioritized based on their classification, criticality, and business value
ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders such as suppliers, customers, and partners are established

Business Environment (ID.BE)

The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.

ID.BE-1: The organization’s role in the supply chain is identified and communicated
ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated
ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated
ID.BE-4: Dependencies and critical functions for delivery of critical services are established
ID.BE-5: Resilience requirements to support delivery of critical services are established

Governance (ID.GV)

The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.

ID.GV-1: Organizational information security policy is established
ID.GV-2: Information security roles and responsibilities are coordinated and aligned with internal roles and external partners
ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed
ID.GV-4: Governance and risk management processes address cybersecurity risks

Risk Assessment (ID.RA)

The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.

ID.RA-1: Asset vulnerabilities are identified and documented
ID.RA-2: Threat and vulnerability information is received from information sharing forums and sources
ID.RA-3: Threats, both internal and external, are identified and documented
ID.RA-4: Potential business impacts and likelihoods are identified
ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
ID.RA-6: Risk responses are identified and prioritized

Risk Management Strategy (ID.RM)

The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.

ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders
ID.RM-2: Organizational risk tolerance is determined and clearly expressed
ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis

Microsoft security resources

Microsoft Trust Center

Microsoft Cybersecurity website

Microsoft Secure website

Comments (1)

  1. Very useful mapping. Thank you!
