NIST Cybersecurity Framework: Tools and References from Microsoft - Identify Function

Article
03/14/2017

Sergey Tsygalnitsky

The National Institute of Standards and Technology (NIST) Cybersecurity Framework provides voluntary guidance - a set of industry standards and best practices - for reducing cybersecurity risks to critical infrastructure. Organizations that want to utilize the framework may find the task daunting at first, but it is helpful to remember that many of the subcategories in the framework can be accomplished with products and technologies they are already using.

Countless organizations around the globe rely on Microsoft technology to achieve their objectives. Understanding how Microsoft products and technologies relate to the NIST Cybersecurity Framework can help customers make significant progress in implementing it. After having several customers and partners ask me about utilizing the NIST Cybersecurity Framework, I've begun mapping Microsoft products and architectural references to subcategories of the Identify function in the Framework. There's more to come on this as I work through the Protect, Detect, Respond, and Recover functions.

Learn more about the NIST Cybersecurity Framework Download the NIST Cybersecurity Framework PDF

Identify function mapping

About the mapping

In the tables below, I've mapped Microsoft products and architectural references to subcategories of the Identify function in the Framework. The resources listed reflect product information and how-to documentation, and do not include Microsoft service offerings (for example, Premier or MCS). Where I've left subcategories blank, the activity should be covered by the implementing organization utilizing internal resources or third parties. For Microsoft partners, that white space is the opportunity to step in and provide much needed services.

If you have a resource to add to the list below, share your feedback with me in the Enterprise Security + Mobility Partners Yammer group.

Asset Management (ID.AM)

The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.

ID.AM-1Physical devices and systems within the organization are inventoried	System Center Configuration Manager Inventory – for fully managed devices Active Directory – Domain Joined Devices Azure AD Registered Devices IoT Hub – Device Identity Registry Microsoft Intune Device Inventory – for lightly managed devices
ID.AM-2Software platforms and applications within the organization are inventoried	Software Inventory with System Center Configuration Manager Microsoft Intune Device Inventory – for lightly managed devices Azure Subscription Inventory and Analysis – MSIT Showcase Windows Server 2016 – Software Inventory Logging Windows Server 2016 – Software Restriction Policies Shadow IT/SaaS App Discovery with Cloud App Security
ID.AM-3Organizational communication and data flows are mapped	Shadow IT/SaaS App Discovery with Cloud App Security Operations Management Suite (OMS) Service Maps (Systems Interconnections) Azure Network Watcher Azure Network Security Groups – ACLs Azure IoT Hub IP Filtering
ID.AM-4External information systems are catalogued	Azure AD Integrated Apps Shadow IT/SaaS App Discovery with Cloud App Security
ID.AM-5Resources such as hardware, devices, data, and software are prioritized based on their classification, criticality, and business value	Azure Information Protection – Data Classification Privileged Access Reference Material Azure AD Privileged Identity Management
ID.AM-6Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders such as suppliers, customers, and partners are established	Privileged Access Reference Material Azure AD Privileged Identity Management Just Enough Administration Just in Time Administration – Privileged Access Management

Business Environment (ID.BE)

The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.

ID.BE-1The organization’s role in the supply chain is identified and communicated
ID.BE-2The organization’s place in critical infrastructure and its industry sector is identified and communicated
ID.BE-3Priorities for organizational mission, objectives, and activities are established and communicated
ID.BE-4Dependencies and critical functions for delivery of critical services are established
ID.BE-5Resilience requirements to support delivery of critical services are established	Designing Resilient Applications for Microsoft Azure

Governance (ID.GV)

The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.

ID.GV-1Organizational information security policy is established
ID.GV-2Information security roles and responsibilities are coordinated and aligned with internal roles and external partners	Azure – Shared Responsibility Microsoft Incident Response and Shared Responsibility
ID.GV-3Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed	Microsoft Compliance Offerings Cloud App Security – third-party risk evaluation and known certifications Microsoft and General Data Protection Regulation (GDPR) Privacy with Microsoft
ID.GV-4Governance and risk management processes address cybersecurity risks	Microsoft Cloud Services Risk Assessment

Risk Assessment (ID.RA)

The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.

ID.RA-1Asset vulnerabilities are identified and documented	Qualys Virtual Scanner Appliance in Azure Marketplace Vulnerability Assessment in Azure Security Center Office 365 Secure Score Active Directory Risk Assessment Microsoft Cloud Services Risk Assessment
ID.RA-2Threat and vulnerability information is received from information sharing forums and sources	Microsoft Security Intelligence Microsoft Operations Management Suite (OMS) Security and Compliance
ID.RA-3Threats, both internal and external, are identified and documented	Microsoft Threat Modeling Tool Microsoft Threat Management Microsoft Operations Management Suite (OMS) Security and Compliance
ID.RA-4Potential business impacts and likelihoods are identified
ID.RA-5Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
ID.RA-6Risk responses are identified and prioritized

Risk Management Strategy (ID.RM)

The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.

ID.RM-1Risk management processes are established, managed, and agreed to by organizational stakeholders
ID.RM-2Organizational risk tolerance is determined and clearly expressed
ID.RM-3The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis

Microsoft security resources

Microsoft Trust Center Microsoft Cybersecurity website Microsoft Secure website