NIST Cybersecurity Framework: Tools and References from Microsoft – Respond and Recover Functions

The National Institute of Standards and Technology (NIST) Cybersecurity Framework provides voluntary guidance – a set of industry standards and best practices – for reducing cybersecurity risks to critical infrastructure. Organizations that want to utilize the framework may find the task daunting at first, but it is helpful to remember that many of the subcategories in the framework can be accomplished with products and technologies they are already using.

Countless organizations around the globe rely on Microsoft technology to achieve their objectives. Understanding how Microsoft products and technologies relate to the NIST Cybersecurity Framework can help customers make significant progress in implementing it. After having several customers and partners ask me about utilizing the NIST Cybersecurity Framework, I’ve begun mapping Microsoft products and architectural references to subcategories of the framework. This is the final post in this series, addressing the Respond Function and the Recover Function.

Identify function mapping Protect function mapping Detect function mapping Learn more about the NIST Cybersecurity Framework Download the NIST Cybersecurity Framework PDF

Respond and Recover function mapping

About the mapping

In the tables below, I’ve mapped Microsoft products and architectural references to subcategories of the Respond and Recover functions in the Framework. The resources listed reflect product information and how-to documentation, and do not include Microsoft service offerings (for example, Premier or MCS). Where I’ve left subcategories blank, the activity should be covered by the implementing organization utilizing internal resources or third parties. For Microsoft partners, that white space is the opportunity to step in and provide much needed services.

If you have a resource to add to the list below, share your feedback with me in the Enterprise Security + Mobility Partners Yammer group.

Respond (RS)

Response Planning (RS.RP)

Response processes and procedures are executed and maintained, to ensure timely response to detected cybersecurity events.

RS.RP-1 Response plan is executed during or after an event

Microsoft Azure Security Response in the Cloud Microsoft Incident Response and Shared Responsibility Incident Response Reference Guide  Responding to Security IT Incidents Azure AD role in Incident Response Leverage Azure Security Center and Operations Management Suite for Incident Response (video) Security Incident Management in Office 365

Communications (RS.CO)

Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.

RS.CO-1 Personnel know their roles and order of operations when a response is needed
RS.CO-2Events are reported consistent with established criteria
RS.CO-3Information is shared consistent with response plans
RS.CO-4Coordination with stakeholders occurs consistent with response plans
RS.CO-5Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness	Microsoft Active Protections Program

Analysis (RS.AN)

Analysis is conducted to ensure adequate response and support recovery activities.

RS.AN-1Notifications from detection systems are investigated
RS.AN-2The impact of the incident is understood
RS.AN-3Forensics are performed	A guide to Windows Forensics Windows Security and Forensics course
RS.AN-4Incidents are categorized consistent with response plans

Mitigation (RS.MI)

Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.

RS.MI-1Incidents are contained	Responding to Security IT Incidents
RS.MI-2Incidents are mitigated	Responding to Security IT Incidents
RS.MI-3Newly identified vulnerabilities are mitigated or documented as accepted risks

Improvements (RC.IM)

Recovery planning and processes are improved by incorporating lessons learned into future activities.

RS.IM-1Response plans incorporate lessons learned
RS.IM-2Response strategies are updated

Recover (RC)

Recovery Planning (RC.RP)

Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events.

RC.RP-1Recovery plan is executed during or after an event

Improvements (RC.IM)

Recovery planning and processes are improved by incorporating lessons learned into future activities.

RC.IM-1Recovery plans incorporate lessons learned
RC.IM-2Recovery strategies are updated

Communications (RC.CO)

Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors.

RC.CO-1Public relations are managed
RC.CO-2Reputation after an event is repaired
RC.CO-3Recovery activities are communicated to internal stakeholders and executive and management teams

Microsoft security resources

Microsoft Trust Center Microsoft Cybersecurity website Microsoft Secure website