NIST Cybersecurity Framework: Tools and References from Microsoft – Respond and Recover Functions

Sergey Tsygalnitsky

The National Institute of Standards and Technology (NIST) Cybersecurity Framework provides voluntary guidance – a set of industry standards and best practices – for reducing cybersecurity risks to critical infrastructure. Organizations that want to utilize the framework may find the task daunting at first, but it is helpful to remember that many of the subcategories in the framework can be accomplished with products and technologies they are already using.

Countless organizations around the globe rely on Microsoft technology to achieve their objectives. Understanding how Microsoft products and technologies relate to the NIST Cybersecurity Framework can help customers make significant progress in implementing it. After having several customers and partners ask me about utilizing the NIST Cybersecurity Framework, I’ve begun mapping Microsoft products and architectural references to subcategories of the framework. This is the final post in this series, addressing the Respond Function and the Recover Function.

Earlier posts in this series and related resources:

- Identify function mapping
- Protect function mapping
- Detect function mapping
- Learn more about the NIST Cybersecurity Framework
- Download the NIST Cybersecurity Framework PDF

Respond and Recover function mapping

About the mapping

In the tables below, I’ve mapped Microsoft products and architectural references to subcategories of the Respond and Recover functions in the Framework. The resources listed reflect product information and how-to documentation, and do not include Microsoft service offerings (for example, Premier or MCS). Where I’ve left subcategories blank, the activity should be covered by the implementing organization using internal resources or third parties. For Microsoft partners, that white space is the opportunity to step in and provide much-needed services.

If you have a resource to add to the list below, share your feedback with me in the Enterprise Security + Mobility Partners Yammer group.

Respond (RS)

Response Planning (RS.RP)

Response processes and procedures are executed and maintained, to ensure timely response to detected cybersecurity events.

RS.RP-1: Response plan is executed during or after an event

Communications (RS.CO)

Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.

RS.CO-1: Personnel know their roles and order of operations when a response is needed

RS.CO-2: Events are reported consistent with established criteria

RS.CO-3: Information is shared consistent with response plans

RS.CO-4: Coordination with stakeholders occurs consistent with response plans

RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness

Analysis (RS.AN)

Analysis is conducted to ensure adequate response and support recovery activities.

RS.AN-1: Notifications from detection systems are investigated

RS.AN-2: The impact of the incident is understood

RS.AN-3: Forensics are performed

RS.AN-4: Incidents are categorized consistent with response plans

Mitigation (RS.MI)

Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.

RS.MI-1: Incidents are contained

RS.MI-2: Incidents are mitigated

RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks

Improvements (RS.IM)

Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.

RS.IM-1: Response plans incorporate lessons learned

RS.IM-2: Response strategies are updated

Recover (RC)

Recovery Planning (RC.RP)

Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events.

RC.RP-1: Recovery plan is executed during or after an event

Improvements (RC.IM)

Recovery planning and processes are improved by incorporating lessons learned into future activities.

RC.IM-1: Recovery plans incorporate lessons learned

RC.IM-2: Recovery strategies are updated

Communications (RC.CO)

Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors.

RC.CO-1: Public relations are managed

RC.CO-2: Reputation after an event is repaired

RC.CO-3: Recovery activities are communicated to internal stakeholders and executive and management teams

Microsoft security resources

- Microsoft Trust Center
- Microsoft Cybersecurity website
- Microsoft Secure website