National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)

NIST CSF overview

The National Institute of Standards and Technology (NIST) promotes and maintains measurement standards and guidance to help organizations assess risk. In response to Executive Order 13636 on strengthening the cybersecurity of federal networks and critical infrastructure, NIST released the Framework for Improving Critical Infrastructure Cybersecurity (FICIC) in February 2014.

The main priorities of the FICIC were to establish a set of standards and practices to help organizations manage cybersecurity risk, while enabling business efficiency. The NIST Framework addresses cybersecurity risk without imposing additional regulatory requirements for both government and private sector organizations.

The FICIC references globally recognized standards including NIST SP 800-53 found in Appendix A of the NIST's Framework for Improving Critical Infrastructure Cybersecurity. Each control within the FICIC framework is mapped to corresponding NIST 800-53 controls within the FedRAMP Moderate Baseline.

Microsoft and the NIST CSF

NIST Cybersecurity Framework (CSF) is a voluntary Framework that consists of standards, guidelines, and best practices to manage cybersecurity-related risks. Microsoft Cloud services have undergone independent, third-party FedRAMP Moderate and High Baseline audits and are certified according to the FedRAMP standards. Also, through a validated assessment performed by HITRUST, a leading security and privacy standards development and accreditation organization, Office 365 is certified to the objectives specified in the NIST CSF.

Learn how to accelerate your NIST Cybersecurity Framework deployment with Compliance Score and our Azure Security and Compliance Blueprint:

Microsoft in-scope cloud services

Audit cycle and certification

The NIST CSF certification of Office 365 is valid for two years.

Quickly build NIST CSF solutions on Azure

The NIST Cybersecurity Framework (CSF) standard can be challenging in the cloud. Fortunately, with Azure you'll have a head start the Azure Security and Compliance NIST CSF Blueprint. This blueprint provides tools and guidance to get you started building NIST CSF-compliant solutions today.

Perform risk assessment on Office 365 using NIST CSF in Compliance Score

Cybersecurity remains a critical management issue in the era of digital transforming. To help you implement and verify security controls for your Office 365 tenant, Microsoft provides recommended customer actions in the NIST CSF Assessment in Compliance Score.

Frequently asked questions

Has an independent assessor validated that Azure Government, Dynamics 365, and Office 365 support NIST CSF requirements?

Yes, a third-party assessment organization has attested that the Azure Government cloud service offering conforms to the NIST Cybersecurity Framework (CSF) risk management practices, as defined in the Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, dated February 12, 2014. The NIST CSF is mapped to FedRAMP Moderate controls framework and an independent assessor has assessed Dynamics 365 against the FedRAMP Moderate baseline. Also, Office 365 obtained the NIST CSF letter of certification from HITRUST in June 2018.

How do Microsoft Cloud Services demonstrate compliance with the framework?

Using the formal audit reports prepared by third parties for the FedRAMP accreditation, Microsoft can show how relevant controls noted within these reports demonstrate compliance with the NIST Framework for Improving Critical Infrastructure Cybersecurity. Audited controls implemented by Microsoft serve to ensure the confidentiality, integrity, and availability of data stored, processed, and transmitted by Azure, Office 365, and Dynamics 365 that have been identified as the responsibility of Microsoft.

What are Microsoft's responsibilities for maintaining compliance with this initiative?

Participation in the FICIC is voluntary. However, Microsoft ensures that Azure, Office 365, and Dynamics 365 meet the terms defined within the governing Online Services Terms and applicable service level agreements. These define Microsoft's responsibility for implementing and maintaining controls adequate to secure the Azure platform and monitor the system.

Can I use Microsoft's compliance for my organization?

Yes. The independent third-party compliance reports to the FedRAMP standards attest to the effectiveness of the controls Microsoft has implemented to maintain the security and privacy of the Microsoft Cloud Services. Microsoft customers may use the audited controls described in these related reports as part of their own FedRAMP and NIST FICIC's risk analysis and qualification efforts.

Which organizations are deemed by the United States Government to be critical infrastructure?

According to the Department of Homeland Security, these include organizations in the following sectors: Chemical, Commercial Facilities, Communications, Critical Manufacturing, Dams, Defense Industrial Base, Emergency Services, Energy, Financial Services, Food and Agriculture, Government Facilities, Healthcare and Public Health, Information Technology, Nuclear (Reactors Materials and Waste), Transportation Systems and Water (and Wastewater).

What are the in-scope services for Office 365?

The in-scope services of NIST CSF certification are Exchange Online Archiving, Exchange Online Protection, Exchange Online, Skype for Business, Admin Center, SharePoint Online, Project Online, OneDrive for Business, Office Online, MyAnalytics, Microsoft Teams, Microsoft 365 Apps for enterprise in Office 365 Multi-tenant cloud and Office 365 GCC.


Microsoft 365 Apps for enterprise enables access to various cloud services, such as Roaming Settings, Licensing, and OneDrive consumer cloud storage, and may enable access to additional cloud services in the future. Roaming Settings and Licensing support the standards for HITRUST. OneDrive consumer cloud storage does not, and other cloud services that are accessible through Microsoft 365 Apps for enterprise and that Microsoft may offer in the future also may not, support these standards.*

Why are some Office 365 services not in the scope of this certification?

Microsoft provides the most comprehensive offerings compared to other cloud service providers. To keep up with our broad compliance offerings across regions and industries, we include services in the scope of our assurance efforts based on the market demand, customer feedback, and product lifecycle. If a service is not included in the current scope of a specific compliance offering, your organization has the responsibility to assess the risks based on your compliance obligations and determine the way you process data in that service. We continuously collect feedback from customers and work with regulators and auditors to expand our compliance coverage to meet your security and compliance needs.

Use Microsoft Compliance Manager to assess your risk

Microsoft Compliance Manager is a feature in the Microsoft 365 compliance center to help you understand your organization's compliance posture and take actions to help reduce risks. Compliance Manager offers a premium template for building an assessment for this regulation. Find the template in the assessment templates page in Compliance Manager. Learn how to build assessments in Compliance Manager.