NIST Cybersecurity Framework (CSF)

NIST CSF overview

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) was published in February 2014 as guidance for critical infrastructure organizations to better understand, manage, and reduce their cybersecurity risks. The CSF was developed in response to the Presidential Executive Order on Improving Critical Infrastructure Security, which was issued in February 2013. NIST released the CSF Version 1.1 in April 2018, incorporating feedback received since the original CSF release. An Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure signed in May 2017 requires US government agencies to use the NIST CSF or any successor document when conducting risk assessments for agency systems. Each agency head is required to produce a risk management report documenting cybersecurity risk mitigation and describing the agency’s action plan to implement the CSF.

The NIST CSF references globally recognized standards including NIST SP 800-53 Security and Privacy Controls for Information Systems and Organizations. Each control within the CSF is mapped to corresponding NIST 800-53 controls within the US Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline.

Azure and NIST CSF

FedRAMP was established to provide a standardized approach for assessing, monitoring, and authorizing cloud computing products and services. FedRAMP is based on the NIST SP 800-53 standard, augmented by FedRAMP controls and control enhancements. Both Azure and Azure Government maintain a FedRAMP High Provisional Authorization to Operate (P-ATO) issued by the FedRAMP Joint Authorization Board (JAB). Given the close alignment between NIST CSF and NIST SP 800-53 controls, existing Azure FedRAMP High authorizations provide strong customer assurances that Azure services in FedRAMP audit scope conform to the NIST CSF risk management practices.

An accredited third-party assessment organization (3PAO) has attested that Azure cloud services conform to the NIST CSF risk management practices, as defined in the Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, dated February 12, 2014. The Azure NIST CSF control mapping demonstrates alignment of the Azure FedRAMP authorized services against the CSF Core. During this assessment, Microsoft also used the NIST CSF Draft Version 1.1, which includes guidance for a new Supply Chain Risk Management category and three additional subcategories.

Moreover, Microsoft has developed a NIST CSF Customer Responsibility Matrix (CRM) that lists all control requirements that depend on customer implementation, shared responsibility controls, and control implementation details for controls owned by Microsoft. You can download the NIST CSF CRM from the Service Trust Portal Blueprints section under NIST CSF Blueprints.

For extra customer assistance, Microsoft provides the Azure Policy regulatory compliance built-in initiatives, which map to NIST SP 800-53 compliance domains and controls in Azure and Azure Government:

Regulatory compliance in Azure Policy provides built-in initiative definitions to view a list of the controls and compliance domains based on responsibility – customer, Microsoft, or shared. For Microsoft-responsible controls, we provide extra audit result details based on third-party attestations and our control implementation details to achieve that compliance. Each NIST SP 800-53 control is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, compliance in Azure Policy is only a partial view of your overall compliance status. Azure Policy helps to enforce organizational standards and assess compliance at scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to more granular status.

Applicability

  • Azure
  • Azure Government

Services in scope

  • Azure services in scope for NIST CSF reflect Azure FedRAMP High scope.
  • Azure Government services in scope for NIST CSF reflect Azure Government FedRAMP High scope.

Office 365 and NIST CSF

For more information about Office 365 compliance, see Office 365 NIST CSF documentation.

Attestation documents

For instructions on how to access attestation documents using the Azure or Azure Government portal, see Audit documentation. The following documents are available:

  • Azure Commercial – Attestation of Compliance with NIST CSF (available from the Azure portal)
  • Azure Government – Attestation of Compliance with NIST CSF (available from the Azure Government portal)

An accredited third-party assessment organization (3PAO) has attested that Azure (also known as Azure Commercial) and Azure Government cloud services conform to the NIST CSF risk management practices.

Frequently asked questions

Has an independent assessor validated that Azure supports NIST CSF requirements?
Yes, an accredited third-party assessment organization (3PAO) has attested that Azure cloud services conform to the NIST CSF risk management practices, as defined in the NIST CSF Version 1.0, dated February 12, 2014. The Azure NIST CSF control mapping demonstrates alignment of the Azure FedRAMP authorized services against the CSF Core. During this assessment, Microsoft also used the NIST CSF Draft Version 1.1, which includes guidance for a new Supply Chain Risk Management category and three additional subcategories.

Where can I get the Azure NIST CSF attestation documents?
For links to audit documentation, see Attestation documents. You must have an existing subscription or free trial account in Azure or Azure Government to sign in. You can then download audit certificates, assessment reports, and other applicable documents to help you with your own regulatory requirements.

How does Azure demonstrate alignment with NIST CSF?
NIST CSF is a voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risks. Each control within the CSF is mapped to corresponding NIST 800-53 controls within the FedRAMP Moderate control baseline. Both Azure and Azure Government maintain a FedRAMP High P-ATO. Given the close alignment between NIST CSF and NIST SP 800-53 that provides a control baseline for FedRAMP, existing Azure FedRAMP High authorizations provide strong customer assurances that Azure services in FedRAMP audit scope conform to the NIST CSF risk management practices. Moreover, an accredited third-party assessment organization (3PAO) has attested that Azure cloud services conform to the NIST CSF risk management practices.

Which organizations are deemed by the United States Government to be critical infrastructure?
According to Presidential Policy Directive 21 (PPD-21), there are 16 critical infrastructure sectors: Chemical, Commercial Facilities, Communications, Critical Manufacturing, Dams, Defense Industrial Base, Emergency Services, Energy, Financial Services, Food and Agriculture, Government Facilities, Healthcare and Public Health, Information Technology, Nuclear (Reactors, Materials, and Waste), Transportation Systems, and Water (and Wastewater Systems).

Resources