Microsoft 365 NIST 800-53 action plan — Top priorities for your first 30 days, 90 days, and beyond
Microsoft 365 allows you to operate your enterprise with a cloud control framework, which aligns controls with multiple regulatory standards. Microsoft 365 includes Office 365, Windows 10, and Enterprise Mobility + Security. Microsoft’s internal control system is based on the National Institute of Standards and Technology (NIST) special publication 800-53, and Office 365 has been accredited to the latest NIST 800-53 standard.
Microsoft is recognized as an industry leader in cloud security. Using years of experience building enterprise software and running online services, our team is constantly learning and continuously updating our services and applications to deliver a secure cloud productivity service that meets rigorous industry standards for compliance. Microsoft’s government cloud services, including Office 365 U.S. Government, meet the demanding requirements of the US Federal Risk and Authorization Management Program (FedRAMP), enabling U.S. federal agencies to benefit from the cost savings and rigorous security of the Microsoft Cloud.
This article includes a prioritized action plan you can follow as you work to meet the requirements of NIST 800-53. This action plan was developed in partnership with Protiviti, a Microsoft partner specializing in regulatory compliance. Learn more about how to use this action plan at Microsoft Ignite by attending this session: Chart your Microsoft 365 compliance path and information protection strategy, presented by Maithili Dandige (Microsoft) and Antonio Maio (Protiviti).
Action plan outcomes
These recommendations are provided across three phases in a logical order with the following outcomes.
| Phase | Outcomes |
|---|---|
| 30 days | • Understand your NIST 800-53 requirements and consider engaging with a Microsoft Advisory Partner.<br>• Learn and understand the Microsoft 365 built-in defense-in-depth strategy.<br>• Protect user and administrator access to Office 365.<br>• Ensure all access to the system is auditable according to your organization’s audit and accountability policies. |
| 90 days | • Enhance your anti-malware, patching, and configuration management program.<br>• Use Microsoft 365 security capabilities to control access to the environment and to protect organizational information and assets.<br>• Utilize built-in auditing capabilities to monitor sensitive or risky activities within Office 365.<br>• Deploy Advanced Threat Protection for both links and attachments in email and Office documents. |
| Beyond 90 days | • Use Microsoft 365 advanced tools and information protection to implement ongoing controls for devices and protection for corporate data.<br>• Monitor ongoing compliance across Microsoft 365 and other cloud applications.<br>• Leverage enhanced threat detection and protection capabilities with advanced threat analytics to provide a robust and layered security strategy for the organization. Develop an incident response plan to mitigate the effects of compromised systems in your organization. |
30 days — Powerful Quick Wins
These tasks can be accomplished quickly and have low impact to users.
| Action | Guidance |
|---|---|
| Understand your NIST 800-53 requirements and consider engaging with a Microsoft Advisory Partner. | • Work with your Microsoft Partner to perform a gap analysis of your organization’s NIST 800-53 compliance and to develop a roadmap that charts your journey to compliance.<br>• Utilize guidance in Microsoft Compliance Manager and the Microsoft Service Trust Portal (STP) to define and document policies and procedures for both access control and information sharing that address purpose, scope, roles, responsibilities, coordination among organizational entities, and compliance. |
| Learn and understand the Microsoft 365 built-in defense-in-depth strategy. | • Assess and manage your compliance risks by using Microsoft Compliance Manager within the Microsoft Service Trust Portal (STP) to conduct a NIST 800-53 assessment of your organization. Align Microsoft 365 security controls for managing and mitigating risks to the assessment’s outcomes.<br>• Utilize Microsoft Secure Score to track the organization’s usage of Microsoft 365 security capabilities over time, both within Office 365 and on Windows 10 desktops.<br>• Learn about the technologies and strategies Microsoft uses to provide Office 365 data encryption, as well as strategies for protection against denial-of-service attacks in the Microsoft Cloud. |
| Protect user and administrator access to Office 365. | • Establish strong credential management to protect user account credentials.<br>• Learn about recommended identity and device access policies for Office 365 services.<br>• Utilize the Office 365 administrative roles to implement role-based access to administration capabilities and to enable separation of administration duties. Note: many administrator roles in Office 365 have a corresponding role in Exchange Online, SharePoint Online, and Skype for Business Online. Segment permissions to ensure that a single administrator does not have greater access than necessary. |
| Ensure all access to the system is audited according to your organization’s audit and accountability policies. | Enable Office 365 audit logging and mailbox auditing (for all Exchange mailboxes) to monitor Office 365 for potentially malicious activity and to enable forensic analysis of data breaches. |
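The audit-logging step above, as an added example that is not part of the original article: turn on unified audit log ingestion and mailbox auditing for every user mailbox from Exchange Online PowerShell, then verify. It assumes the ExchangeOnlineManagement module is installed and the signed-in account holds a role that can change audit settings; the UPN is a placeholder.

```powershell
# Added example (not from the original article). Assumes the ExchangeOnlineManagement
# module and an account permitted to change audit configuration.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # placeholder UPN

# 1. Unified audit log: records activity across Exchange, SharePoint, Azure AD, etc.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Mailbox auditing: enable on all user mailboxes and record the actions that
#    matter for breach forensics. Owner, delegate and admin logons are audited
#    separately, so each list is set explicitly rather than left at the default.
$auditOwner    = 'Update','MoveToDeletedItems','SoftDelete','HardDelete','MailboxLogin'
$auditDelegate = 'Update','MoveToDeletedItems','SoftDelete','HardDelete','SendAs','SendOnBehalf','FolderBind'
$auditAdmin    = 'Update','Copy','Move','MoveToDeletedItems','SoftDelete','HardDelete',
                 'FolderBind','SendAs','SendOnBehalf','MessageBind'

Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" |
    Set-Mailbox -AuditEnabled $true `
                -AuditLogAgeLimit '90.00:00:00' `
                -AuditOwner $auditOwner `
                -AuditDelegate $auditDelegate `
                -AuditAdmin $auditAdmin

# 3. Verify: list any user mailbox that still reports AuditEnabled = $false.
$notAudited = Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" |
    Where-Object { -not $_.AuditEnabled }
if ($notAudited) {
    $notAudited | Select-Object UserPrincipalName, AuditEnabled | Format-Table -AutoSize
} else {
    Write-Output 'Mailbox auditing is enabled on all user mailboxes.'
}
```

Re-run step 3 on a schedule: mailboxes created after this run start with the tenant default, so the verification catches any that were not covered.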
90 days — Enhanced Protections
These tasks take a bit more time to plan and implement.
| Action | Guidance |
|---|---|
| Enhance your anti-malware, patching, and configuration management program. | • Protect corporate assets and desktops by deploying and enabling Windows Defender Antivirus across your organization and leveraging its tight integration with Windows 10.<br>• Keep track of quarantined infected systems and prevent further damage until remediation steps are taken.<br>• Confidently rely on Microsoft 365’s rigorous standard change management process for trusted updates, hotfixes, and patches. |
| Use Microsoft 365 security capabilities to control access to the environment and to protect organizational information and assets. | • Implement recommended identity and device access policies to protect user and administrative accounts.<br>• Implement Office 365 Message Encryption (OME) capabilities to help users comply with your organization’s policies when sending sensitive data via email.<br>• Deploy Windows Defender Advanced Threat Protection (ATP) to all desktops for protection against malicious code, as well as data breach prevention and response.<br>• Configure, test, and deploy Office 365 Data Loss Prevention (DLP) policies to identify, monitor, and automatically protect over 80 common sensitive data types within documents and emails, including financial, medical, and personally identifiable information.<br>• Configure Policy Tips to automatically inform email senders that they may be about to violate one of your policies, even before they send an offending message. Policy Tips can be configured to display a brief note (in Outlook, Outlook on the web, and OWA for devices) that provides information about possible policy violations during message creation.<br>• Protect sensitive corporate data and meet your organization’s information sharing policies by implementing controls for external sharing in SharePoint Online and OneDrive for Business. Ensure only authenticated external users can access corporate data. |
| Utilize built-in auditing capabilities to monitor sensitive or risky activities within Office 365. | • Enable Alert Policies in the Office 365 Security and Compliance Center to raise automatic notifications when sensitive activities occur, such as when a user's account privileges are elevated or when sensitive data is accessed. All privileged functions should be audited and monitored.<br>• On a regular cadence, search your Office 365 audit logs in the Office 365 Security and Compliance Center to review changes that have been made to the tenant’s configuration settings.<br>• For long-term storage of Office 365 audit log data, use the Office 365 Management Activity API to integrate with a security information and event management (SIEM) tool. |
| Deploy Advanced Threat Protection for both links and attachments in email and Office documents. | Implement Office 365 Advanced Threat Protection (ATP) to help prevent the most common attack vectors, including phishing emails and Office documents containing malicious links and attachments. |
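The external-sharing control above ("ensure only authenticated external users can access corporate data"), as an added example that is not part of the original article: the permissive tenant setting beside a hardened one, applied with SharePoint Online PowerShell. It assumes the Microsoft.Online.SharePoint.PowerShell module and a SharePoint administrator; the admin URL is a placeholder.

```powershell
# Added example (not from the original article). Assumes the SharePoint Online
# management module and a SharePoint administrator account.
Connect-SPOService -Url https://contoso-admin.sharepoint.com   # placeholder admin URL

# Weak baseline: ExternalUserAndGuestSharing allows "Anyone" links, so a forwarded
# link opens the file without any sign-in and leaves no identity in the audit log.
$before = Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
    RequireAcceptingAccountMatchInvitedAccount, PreventExternalUsersFromResharing
$before | Format-List

# Hardened settings: every external recipient must authenticate as the invited identity.
$hardened = @{
    SharingCapability                          = 'ExternalUserSharingOnly' # no anonymous links
    DefaultSharingLinkType                     = 'Internal'                # new links default to the org
    RequireAcceptingAccountMatchInvitedAccount = $true                     # invitation bound to the invitee
    PreventExternalUsersFromResharing          = $true                     # guests cannot grant access onward
}
Set-SPOTenant @hardened

# Site collections cannot be more permissive than the tenant, but an explicit pass
# records which sites had been set to anonymous sharing before the change.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
    ForEach-Object {
        Write-Output "Tightening $($_.Url)"
        Set-SPOSite -Identity $_.Url -SharingCapability ExternalUserSharingOnly
    }

Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType | Format-List
```

Existing "Anyone" links stop working once anonymous sharing is disabled, so announce the change and run it in a pilot tenant or a single site collection first.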
Beyond 90 days — Ongoing Security, Data Governance, and Reporting
These actions take longer and build on previous work.
| Action | Guidance |
|---|---|
| Use Microsoft 365 advanced tools and information protection to implement ongoing controls for devices and protection for corporate data. | • Use Microsoft Intune to protect sensitive data stored and accessed on mobile devices and to ensure compliant corporate devices are used to access cloud services. |
| Monitor ongoing compliance across Microsoft 365 and other cloud applications. | • To evaluate performance against the organization’s defined policies and procedures, utilize Microsoft Compliance Manager on an ongoing basis to perform regular assessments of the organization’s enforcement of information security policies.<br>• Use Azure AD Privileged Identity Management to control and perform regular reviews of all users and groups with high levels of permissions (i.e., privileged or administrative users).<br>• Deploy and configure Privileged Access Management to provide granular access control over privileged admin tasks in Office 365. Once enabled, users will need to request just-in-time access to complete elevated and privileged tasks through an approval workflow that is highly scoped and time-bound.<br>• Audit non-owner mailbox access to identify potential leaks of information and to proactively review non-owner access on all Exchange Online mailboxes.<br>• Use Office 365 Alert Policies, data loss prevention reports, and Microsoft Cloud App Security to monitor your organization’s usage of cloud applications and to implement advanced alerting policies based on heuristics and user activity.<br>• Use Microsoft Cloud App Security to automatically track risky activities, to identify potentially malicious administrators, to investigate data breaches, or to verify that compliance requirements are being met. |
| Leverage enhanced threat detection and protection capabilities with advanced threat analytics to provide a robust and layered security strategy for the organization. Develop an incident response plan to mitigate the effects of compromised systems in your organization. | • Deploy and configure Windows Advanced Threat Analytics to leverage rich analytics and reporting to gain critical insights into which users are being targeted in your organization and the attack methods being used against them.<br>• Leverage Office 365 Advanced Threat Protection reports and analytics to analyze threats through insights into malicious content and malicious emails automatically detected within your organization. Utilize built-in reports and message trace capabilities to investigate email messages that have been blocked due to an unknown virus or malware.<br>• Use Office 365 Threat Intelligence to aggregate insights and information from various sources to get a holistic view of your cloud security landscape.<br>• Integrate Office 365 Threat Intelligence and Windows Defender Advanced Threat Protection to quickly understand if users' devices are at risk when investigating threats in Office 365.<br>• Simulate common attack methods within your Office 365 environment using the Office 365 Attack Simulator. Review results from attack simulations to identify training opportunities for users and to validate your organization’s incident response procedures.<br>• Configure permissions within the Office 365 Security and Compliance Center to ensure access to monitoring and audit data is restricted to approved users and integrated with the organization’s incident response measures. |
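The recurring audit-log review from the 90-day plan (tenant configuration changes, privilege elevation, export for long-term retention) together with the non-owner mailbox access review above, as one added example that is not part of the original article. It pulls the records with Search-UnifiedAuditLog from an existing Exchange Online session, which is an alternative to the Management Activity API the article names, and writes JSON lines a SIEM can ingest; the output path is a placeholder.

```powershell
# Added example (not from the original article). Assumes Connect-ExchangeOnline has
# already been run by an account with audit-log search rights.
$start = (Get-Date).AddDays(-7); $end = Get-Date
$out   = Join-Path $PWD 'o365-audit-review.jsonl'   # placeholder output path

# Results are paged: the same SessionId with ReturnLargeSet keeps fetching until a
# batch comes back short, so nothing past the first 5,000 records is silently lost.
function Get-AuditRecords {
    param([string]$RecordType, [string[]]$Operations = $null)
    $session = [guid]::NewGuid().Guid
    do {
        $params = @{
            StartDate = $start; EndDate = $end; RecordType = $RecordType
            SessionId = $session; SessionCommand = 'ReturnLargeSet'; ResultSize = 5000
        }
        if ($Operations) { $params.Operations = $Operations }
        $batch = @(Search-UnifiedAuditLog @params)
        $batch
    } while ($batch.Count -eq 5000)
}

$records = @()
# (a) tenant configuration changes: every Exchange admin cmdlet plus SharePoint sharing policy edits
$records += Get-AuditRecords -RecordType ExchangeAdmin
$records += Get-AuditRecords -RecordType SharePoint -Operations 'SharingPolicyChanged','SiteCollectionAdminAdded'
# (b) privilege elevation in Azure AD
$records += Get-AuditRecords -RecordType AzureActiveDirectory -Operations 'Add member to role.'
# (c) non-owner mailbox access: AuditData.LogonType 1 = admin, 2 = delegate (0 = owner)
$records += Get-AuditRecords -RecordType ExchangeItem |
    Where-Object { ($_.AuditData | ConvertFrom-Json).LogonType -in 1,2 }

# AuditData is a JSON string; flatten each event to the fields an analyst triages on.
$events = $records | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time = $d.CreationTime; Workload = $d.Workload; Operation = $d.Operation
        Actor = $d.UserId; Target = $d.ObjectId; ClientIP = $d.ClientIP; Result = $d.ResultStatus
    }
}
$events | Sort-Object Time | ForEach-Object { $_ | ConvertTo-Json -Compress } | Set-Content $out

# Weekly summary for the review meeting: which operations, how often, by whom.
$events | Group-Object Workload, Operation | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Pair the summary with the Alert Policies from the 90-day plan: the alerts catch single events in near real time, while this review shows trends and gaps the alerts were not configured for.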
Learn more about Microsoft and the NIST Cyber Security Framework (CSF), including NIST 800-53.