NIST Cybersecurity Framework: Tools and References from Microsoft – Protect Function


Sergey Tsygalnitsky

The National Institute of Standards and Technology (NIST) Cybersecurity Framework provides voluntary guidance – a set of industry standards and best practices – for reducing cybersecurity risks to critical infrastructure. Organizations that want to utilize the framework may find the task daunting at first, but it is helpful to remember that many of the subcategories in the framework can be accomplished with products and technologies they are already using.

Countless organizations around the globe rely on Microsoft technology to achieve their objectives. Understanding how Microsoft products and technologies relate to the NIST Cybersecurity Framework can help customers make significant progress in implementing it. After having several customers and partners ask me about utilizing the NIST Cybersecurity Framework, I’ve begun mapping Microsoft products and architectural references to subcategories of the Framework.

This post addresses the Protect function. Read my post about the Identify function mapping, and look for posts over the next few weeks covering the Detect, Respond, and Recover functions.

Identify function mapping (Part 1)

Learn more about the NIST Cybersecurity Framework

Download the NIST Cybersecurity Framework PDF

Protect function mapping

About the mapping

In the tables below, I’ve mapped Microsoft products and architectural references to subcategories of the Protect function in the Framework. The resources listed reflect product information and how-to documentation, and do not include Microsoft service offerings (for example, Premier or MCS). Where I’ve left subcategories blank, the activity should be covered by the implementing organization using internal resources or third parties. For Microsoft partners, that white space is the opportunity to step in and provide much-needed services.

If you have a resource to add to the list below, share your feedback with me in the Enterprise Security + Mobility Partners Yammer group.

Access Control (PR.AC)

Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.

PR.AC-1: Identities and credentials are managed for authorized devices and users
PR.AC-2: Physical access to assets is managed and protected
PR.AC-3: Remote access is managed
PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties
PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate

Awareness and Training (PR.AT)

The organization’s personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.

PR.AT-1: All users are informed and trained
PR.AT-2: Privileged users understand roles and responsibilities
PR.AT-3: Third-party stakeholders such as suppliers, customers, and partners understand roles and responsibilities
PR.AT-4: Senior executives understand roles and responsibilities
PR.AT-5: Physical and information security personnel understand roles and responsibilities

Data Security (PR.DS)

Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.

PR.DS-1: Data at rest is protected
PR.DS-2: Data in transit is protected
PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition
PR.DS-4: Adequate capacity to ensure availability is maintained
PR.DS-5: Protections against data leaks are implemented
PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity
PR.DS-7: The development and testing environment(s) are separate from the production environment

Information Protection Processes and Procedures (PR.IP)

Security policies (addressing purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities); processes; and procedures are maintained and used to manage protection of information systems and assets.

PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained
PR.IP-2: A System Development Life Cycle to manage systems is implemented
PR.IP-3: Configuration change control processes are in place
PR.IP-4: Backups of information are conducted, maintained, and tested periodically
PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met
PR.IP-6: Data is destroyed according to policy
PR.IP-7: Protection processes are continuously improved
PR.IP-8: Effectiveness of protection technologies is shared with appropriate parties
PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
PR.IP-10: Response and recovery plans are tested
PR.IP-11: Cybersecurity is included in human resources practices (for example, deprovisioning and personnel screening)
PR.IP-12: A vulnerability management plan is developed and implemented

Maintenance (PR.MA)

Maintenance and repairs of industrial control and information system components is performed consistent with policies and procedures.

PR.MA-1: Maintenance and repair of organizational assets is performed and logged in a timely manner, with approved and controlled tools
PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access

Protective Technology (PR.PT)

Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.

PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
PR.PT-2: Removable media is protected and its use restricted according to policy
PR.PT-3: Access to systems and assets is controlled, incorporating the principle of least functionality
PR.PT-4: Communications and control networks are protected

Microsoft security resources

Microsoft Trust Center

Microsoft Cybersecurity website

Microsoft Secure website
