NIST Cybersecurity Framework: Tools and References from Microsoft - Identify Function
The National Institute of Standards and Technology (NIST) Cybersecurity Framework provides voluntary guidance - a set of industry standards and best practices - for reducing cybersecurity risks to critical infrastructure. Organizations that want to utilize the framework may find the task daunting at first, but it is helpful to remember that many of the subcategories in the framework can be accomplished with products and technologies they are already using.
Countless organizations around the globe rely on Microsoft technology to achieve their objectives. Understanding how Microsoft products and technologies relate to the NIST Cybersecurity Framework can help customers make significant progress in implementing it. After having several customers and partners ask me about utilizing the NIST Cybersecurity Framework, I've begun mapping Microsoft products and architectural references to subcategories of the Identify function in the Framework. There's more to come on this as I work through the Protect, Detect, Respond, and Recover functions.
Identify function mapping
About the mapping
In the tables below, I've mapped Microsoft products and architectural references to subcategories of the Identify function in the Framework. The resources listed reflect product information and how-to documentation, and do not include Microsoft service offerings (for example, Premier or MCS). Where I've left subcategories blank, the activity should be covered by the implementing organization utilizing internal resources or third parties. For Microsoft partners, that white space is the opportunity to step in and provide much needed services.
If you have a resource to add to the list below, share your feedback with me in the Enterprise Security + Mobility Partners Yammer group.
Asset Management (ID.AM)
The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.
|ID.AM-1Physical devices and systems within the organization are inventoried|
|ID.AM-2Software platforms and applications within the organization are inventoried||
|ID.AM-3Organizational communication and data flows are mapped|
|ID.AM-4External information systems are catalogued|
|ID.AM-5Resources such as hardware, devices, data, and software are prioritized based on their classification, criticality, and business value|
|ID.AM-6Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders such as suppliers, customers, and partners are established|
Business Environment (ID.BE)
The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.
|ID.BE-1The organization’s role in the supply chain is identified and communicated|
|ID.BE-2The organization’s place in critical infrastructure and its industry sector is identified and communicated|
|ID.BE-3Priorities for organizational mission, objectives, and activities are established and communicated|
|ID.BE-4Dependencies and critical functions for delivery of critical services are established|
|ID.BE-5Resilience requirements to support delivery of critical services are established|
The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.
|ID.GV-1Organizational information security policy is established|
|ID.GV-2Information security roles and responsibilities are coordinated and aligned with internal roles and external partners|
|ID.GV-3Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed|
|ID.GV-4Governance and risk management processes address cybersecurity risks|
Risk Assessment (ID.RA)
The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
|ID.RA-1Asset vulnerabilities are identified and documented|
|ID.RA-2Threat and vulnerability information is received from information sharing forums and sources|
|ID.RA-3Threats, both internal and external, are identified and documented|
|ID.RA-4Potential business impacts and likelihoods are identified|
|ID.RA-5Threats, vulnerabilities, likelihoods, and impacts are used to determine risk|
|ID.RA-6Risk responses are identified and prioritized|
Risk Management Strategy (ID.RM)
The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.
|ID.RM-1Risk management processes are established, managed, and agreed to by organizational stakeholders|
|ID.RM-2Organizational risk tolerance is determined and clearly expressed|
|ID.RM-3The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis|