NIST Cybersecurity Framework: Tools and References from Microsoft – Respond and Recover Functions


Sergey Tsygalnitsky

The National Institute of Standards and Technology (NIST) Cybersecurity Framework provides voluntary guidance – a set of industry standards and best practices – for reducing cybersecurity risks to critical infrastructure. Organizations that want to utilize the framework may find the task daunting at first, but it is helpful to remember that many of the subcategories in the framework can be accomplished with products and technologies they are already using.

Countless organizations around the globe rely on Microsoft technology to achieve their objectives. Understanding how Microsoft products and technologies relate to the NIST Cybersecurity Framework can help customers make significant progress in implementing it. After having several customers and partners ask me about utilizing the NIST Cybersecurity Framework, I’ve begun mapping Microsoft products and architectural references to subcategories of the framework. This is the final post in this series, addressing the Respond Function and the Recover Function.

Identify function mapping

Protect function mapping

Detect function mapping

Learn more about the NIST Cybersecurity Framework

Download the NIST Cybersecurity Framework PDF

Respond and Recover function mapping

About the mapping

In the tables below, I’ve mapped Microsoft products and architectural references to subcategories of the Respond and Recover functions in the Framework. The resources listed reflect product information and how-to documentation, and do not include Microsoft service offerings (for example, Premier or MCS). Where I’ve left subcategories blank, the activity should be covered by the implementing organization utilizing internal resources or third parties. For Microsoft partners, that white space is the opportunity to step in and provide much needed services.

If you have a resource to add to the list below, share your feedback with me in the Enterprise Security + Mobility Partners Yammer group.

Respond (RS)

Response Planning (RS.RP)

Response processes and procedures are executed and maintained, to ensure timely response to detected cybersecurity events.

RS.RP-1: Response plan is executed during or after an event

Communications (RS.CO)

Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.

RS.CO-1: Personnel know their roles and order of operations when a response is needed
RS.CO-2: Events are reported consistent with established criteria
RS.CO-3: Information is shared consistent with response plans
RS.CO-4: Coordination with stakeholders occurs consistent with response plans
RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness

Analysis (RS.AN)

Analysis is conducted to ensure adequate response and support recovery activities.

RS.AN-1: Notifications from detection systems are investigated
RS.AN-2: The impact of the incident is understood
RS.AN-3: Forensics are performed
RS.AN-4: Incidents are categorized consistent with response plans

Mitigation (RS.MI)

Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.

RS.MI-1: Incidents are contained
RS.MI-2: Incidents are mitigated
RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks

Improvements (RS.IM)

Response planning and processes are improved by incorporating lessons learned into future activities.

RS.IM-1: Response plans incorporate lessons learned
RS.IM-2: Response strategies are updated

Recover (RC)

Recovery Planning (RC.RP)

Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events.

RC.RP-1: Recovery plan is executed during or after an event

Improvements (RC.IM)

Recovery planning and processes are improved by incorporating lessons learned into future activities.

RC.IM-1: Recovery plans incorporate lessons learned
RC.IM-2: Recovery strategies are updated

Communications (RC.CO)

Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors.

RC.CO-1: Public relations are managed
RC.CO-2: Reputation after an event is repaired
RC.CO-3: Recovery activities are communicated to internal stakeholders and executive and management teams

Microsoft security resources

Microsoft Trust Center

Microsoft Cybersecurity website

Microsoft Secure website
