The National Institute of Standards and Technology (NIST) Cybersecurity Framework provides voluntary guidance - a set of industry standards and best practices - for reducing cybersecurity risks to critical infrastructure. Organizations that want to utilize the framework may find the task daunting at first, but it is helpful to remember that many of the subcategories in the framework can be accomplished with products and technologies they are already using.
Countless organizations around the globe rely on Microsoft technology to achieve their objectives. Understanding how Microsoft products and technologies relate to the NIST Cybersecurity Framework can help customers make significant progress in implementing it. After having several customers and partners ask me about utilizing the NIST Cybersecurity Framework, I've begun mapping Microsoft products and architectural references to subcategories of the Identify function in the Framework. There's more to come on this as I work through the Protect, Detect, Respond, and Recover functions.
Identify function mapping
About the mapping
In the tables below, I've mapped Microsoft products and architectural references to subcategories of the Identify function in the Framework. The resources listed reflect product information and how-to documentation, and do not include Microsoft service offerings (for example, Premier or MCS). Where I've left subcategories blank, the activity should be covered by the implementing organization utilizing internal resources or third parties. For Microsoft partners, that white space is the opportunity to step in and provide much needed services.
If you have a resource to add to the list below, share your feedback with me in the Enterprise Security + Mobility Partners Yammer group.
Asset Management (ID.AM)
The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.
Physical devices and systems within the organization are inventoried
Software platforms and applications within the organization are inventoried
Organizational communication and data flows are mapped
External information systems are catalogued
Resources such as hardware, devices, data, and software are prioritized based on their classification, criticality, and business value
Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders such as suppliers, customers, and partners are established
Business Environment (ID.BE)
The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.
The organization’s role in the supply chain is identified and communicated
The organization’s place in critical infrastructure and its industry sector is identified and communicated
Priorities for organizational mission, objectives, and activities are established and communicated
Dependencies and critical functions for delivery of critical services are established
Resilience requirements to support delivery of critical services are established
The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.
Organizational information security policy is established
Information security roles and responsibilities are coordinated and aligned with internal roles and external partners
Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed
Governance and risk management processes address cybersecurity risks
Risk Assessment (ID.RA)
The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
Asset vulnerabilities are identified and documented
Threat and vulnerability information is received from information sharing forums and sources
Threats, both internal and external, are identified and documented
Potential business impacts and likelihoods are identified
Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
Risk responses are identified and prioritized
Risk Management Strategy (ID.RM)
The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.
Risk management processes are established, managed, and agreed to by organizational stakeholders
Organizational risk tolerance is determined and clearly expressed
The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis