NIST Cybersecurity Framework: Tools and References from Microsoft - Identify Function

Sergey Tsygalnitsky

The National Institute of Standards and Technology (NIST) Cybersecurity Framework provides voluntary guidance - a set of industry standards and best practices - for reducing cybersecurity risks to critical infrastructure. Organizations that want to utilize the framework may find the task daunting at first, but it is helpful to remember that many of the subcategories in the framework can be accomplished with products and technologies they are already using.

Countless organizations around the globe rely on Microsoft technology to achieve their objectives. Understanding how Microsoft products and technologies relate to the NIST Cybersecurity Framework can help customers make significant progress in implementing it. After having several customers and partners ask me about utilizing the NIST Cybersecurity Framework, I've begun mapping Microsoft products and architectural references to subcategories of the Identify function in the Framework. There's more to come on this as I work through the Protect, Detect, Respond, and Recover functions.

Learn more about the NIST Cybersecurity Framework Download the NIST Cybersecurity Framework PDF

Identify function mapping

About the mapping

In the tables below, I've mapped Microsoft products and architectural references to subcategories of the Identify function in the Framework. The resources listed reflect product information and how-to documentation, and do not include Microsoft service offerings (for example, Premier or MCS). Where I've left subcategories blank, the activity should be covered by the implementing organization utilizing internal resources or third parties. For Microsoft partners, that white space is the opportunity to step in and provide much needed services.

If you have a resource to add to the list below, share your feedback with me in the Enterprise Security + Mobility Partners Yammer group.

Asset Management (ID.AM)

The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.

ID.AM-1Physical devices and systems within the organization are inventoried
ID.AM-2Software platforms and applications within the organization are inventoried
ID.AM-3Organizational communication and data flows are mapped
ID.AM-4External information systems are catalogued
ID.AM-5Resources such as hardware, devices, data, and software are prioritized based on their classification, criticality, and business value
ID.AM-6Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders such as suppliers, customers, and partners are established

Business Environment (ID.BE)

The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.

ID.BE-1The organization’s role in the supply chain is identified and communicated
ID.BE-2The organization’s place in critical infrastructure and its industry sector is identified and communicated
ID.BE-3Priorities for organizational mission, objectives, and activities are established and communicated
ID.BE-4Dependencies and critical functions for delivery of critical services are established
ID.BE-5Resilience requirements to support delivery of critical services are established

Governance (ID.GV)

The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.

ID.GV-1Organizational information security policy is established
ID.GV-2Information security roles and responsibilities are coordinated and aligned with internal roles and external partners
ID.GV-3Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed
ID.GV-4Governance and risk management processes address cybersecurity risks

Risk Assessment (ID.RA)

The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.

ID.RA-1Asset vulnerabilities are identified and documented
ID.RA-2Threat and vulnerability information is received from information sharing forums and sources
ID.RA-3Threats, both internal and external, are identified and documented
ID.RA-4Potential business impacts and likelihoods are identified
ID.RA-5Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
ID.RA-6Risk responses are identified and prioritized

Risk Management Strategy (ID.RM)

The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.

ID.RM-1Risk management processes are established, managed, and agreed to by organizational stakeholders
ID.RM-2Organizational risk tolerance is determined and clearly expressed
ID.RM-3The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis

Microsoft security resources

Microsoft Trust Center Microsoft Cybersecurity website Microsoft Secure website