NIST Cybersecurity Framework: Tools and References from Microsoft - Protect Function

The National Institute of Standards and Technology (NIST) Cybersecurity Framework provides voluntary guidance – a set of industry standards and best practices – for reducing cybersecurity risks to critical infrastructure. Organizations that want to utilize the framework may find the task daunting at first, but it is helpful to remember that many of the subcategories in the framework can be accomplished with products and technologies they are already using.

Countless organizations around the globe rely on Microsoft technology to achieve their objectives. Understanding how Microsoft products and technologies relate to the NIST Cybersecurity Framework can help customers make significant progress in implementing it. After having several customers and partners ask me about utilizing the NIST Cybersecurity Framework, I’ve begun mapping Microsoft products and architectural references to subcategories of the Framework.

This post addresses the Protect function. Read my post about the Identify function mapping, and look for posts over the next few weeks covering the Detect, Respond, and Recover functions.

Identify function mapping (Part 1) Learn more about the NIST Cybersecurity Framework Download the NIST Cybersecurity Framework PDF

Protect function mapping

About the mapping

In the tables below, I’ve mapped Microsoft products and architectural references to subcategories of the Protect function in the Framework. The resources listed reflect product information and how-to documentation, and do not include Microsoft service offerings (for example, Premier or MCS). Where I’ve left subcategories blank, the activity should be covered by the implementing organization utilizing internal resources or third parties. For Microsoft partners, that white space is the opportunity to step in and provide much needed services.

If you have a resource to add to the list below, share your feedback with me in the Enterprise Security + Mobility Partners Yammer group.

Access Control (PR.AC)

Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.

PR.AC-1Identities and credentials are managed for authorized devices and users	Best Practices for Securing Active Directory Microsoft Identity Manager: Connect your Directories Connect Active Directory with Azure Active Directory Azure Active Directory – Group Management Automated User Provisioning and Deprovisioning to SaaS Apps Azure AD Join (Devices) Enroll devices for management in Microsoft Intune Control Access to Azure IoT Hub Azure IoT Hub – Device Identity Registry Azure AD Privileged Identity Management Privileged Access Management for Active Directory Domain Services
PR.AC-2Physical access to assets is managed and protected	Protecting Data in Azure (Page 23, Physical Security)
PR.AC-3Remote access is managed	Conditional Access in Azure AD Remote Desktop Services in Server 2016 Server 2016: Web Application Proxy Secure Remote Access to on-premises applications: Azure AD App Proxy Azure Security – Remote Management Cloud App Security – Cloud App Governance and Control Device Compliance Policies for Conditional Access
PR.AC-4Access permissions are managed, incorporating the principles of least privilege and separation of duties	Just Enough Administration (PowerShell - White Paper and Resources) Just Enough Administration: Step by Step Windows Server: Dynamic Access Control Microsoft Azure: Role Based Access Control Azure AD Privileged Identity Management Privileged Access Management for Active Directory Domain Services
PR.AC-5Network integrity is protected, incorporating network segregation where appropriate	Microsoft Azure: Secure network with virtual appliances Microsoft Cloud Services and Network Security Azure Network Security Best Practices Azure Network Security Whitepaper

Awareness and Training (PR.AT)

The organization’s personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.

PR.AT-1All users are informed and trained
PR.AT-2Privileged users understand roles and responsibilities
PR.AT-3Third-party stakeholders such as suppliers, customers, and partners understand roles and responsibilities
PR.AT-4 Senior executives understand roles and responsibilities
PR.AT-5Physical and information security personnel understand roles and responsibilities

Data Security (PR.DS)

Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.

PR.DS-1Data at rest is protected	Windows Server 2016: Full disk Encryption with Bitlocker –How to install Windows 10 Full disk encryption - BitLocker Shielded VMs in Windows Server 2016 Azure disk encryption for IaaS VMs Azure Storage Service Encryption for data at rest Azure Storage Security Guide SQL Server Encryption Azure Information Protection - File Classification and Protection Windows Information Protection Encryption in Office 365 Azure Backup Data Encryption Microsoft Trust Center – Encryption Secure Mobile Devices with Microsoft Intune Cloud App Security – Govern Connected SaaS apps Azure SQL Transparent Data Encryption
PR.DS-2Data in transit is protected	Azure VPN Gateway Azure ExpressRoute Office 365 Message Encryption Data Encryption SharePoint Online and OneDrive for Business SMB Encryption Remote Desktop Protocol Encryption Encrypting Connections to SQL Server Microsoft Trust Center – Encryption Internet Protocol Security (IPSec)
PR.DS-3Assets are formally managed throughout removal, transfers, and disposition	Protecting Data in Azure (Page 18, Media Destruction)
PR.DS-4Adequate capacity to ensure availability is maintained	Azure Subscription Service Limits Server 2016 Locks and Limits Exchange Online Limits SQL Server 2016 Limits Operations Management Suite (OMS): Hyper-V Capacity Management Solution Systems Center Operations Manager: Monitoring
PR.DS-5Protections against data leaks are implemented	Office 365 Data Loss Prevention Microsoft Intune Mobile Application Management and Data Loss Prevention Windows Information Protection Microsoft Cloud App Security and Data Loss Prevention
PR.DS-6Integrity checking mechanisms are used to verify software, firmware, and information integrity	Windows Device Guard Introduction to Code Signing Signing PowerShell Scripts, Part 1 Signing PowerShell Scripts, Part 2 Deploying code integrity policies
PR.DS-7The development and testing environment(s) are separate from the production environment	Azure DevTest Labs Use DevOps environments effectively for your web apps MSDN/Visual Studio subscription (Dev/Test tools, licenses, and cloud services)

Information Protection Processes and Procedures (PR.IP)

Security policies (addressing purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities); processes; and procedures are maintained and used to manage protection of information systems and assets.

PR.IP-1A baseline configuration of information technology/industrial control systems is created and maintained	Windows Security Baseline Azure Automation Desired State Configuration PowerShell Desired State Configuration Compliance Settings in System Center Configuration Manager Change Tracking with OMS - Log Analytics Azure Security Center - Common Configuration Identifiers and Baseline Rules
PR.IP-2A System Development Life Cycle to manage systems is implemented	Microsoft Security Development Lifecycle Security Development Lifecycle Tools
PR.IP-3Configuration change control processes are in place	Change Management for Enterprise: Office 365 Incident and Change Management with System Center Service Manager How Microsoft IT approaches Organization Change Management Skype for Business Change Management and Adoption Managing Changed and Activities with System Center
PR.IP-4Backups of information are conducted, maintained, and tested periodically	System Center Data Protection Manager Azure Backup
PR.IP-5Policy and regulations regarding the physical operating environment for organizational assets are met	Azure Security, Privacy, and Compliance Whitepaper Security and Compliance in Office 365
PR.IP-6Data is destroyed according to policy	Retention Policies in Office 365 Compliance Center Protecting Data in Microsoft Azure (See Media Destruction and Data Deletion)
PR.IP-7Protection processes are continuously improved	Office 365 Secure Score Microsoft Enterprise Cloud Red Teaming (PDF download) Penetration testing of your Azure hosted Applications
PR.IP-8Effectiveness of protection technologies is shared with appropriate parties
PR.IP-9Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed	Microsoft Azure Security Response in the Cloud Office 365 Security Incident Management Responding to Security IT Incidents Azure Site Recovery
PR.IP-10Response and recovery plans are tested	Test Failover to Azure in Site Recovery
PR.IP-11Cybersecurity is included in human resources practices (for example, deprovisioning and personnel screening)
PR.IP-12A vulnerability management plan is developed and implemented	Vulnerability Assessment in Azure Security Center Vulnerabilities detected by Azure AD Identity Protection System Center Configuration Manager Vulnerability Assessment Pack

Maintenance (PR.MA)

Maintenance and repairs of industrial control and information system components is performed consistent with policies and procedures.

PR.MA-1Maintenance and repair of organizational assets is performed and logged in a timely manner, with approved and controlled tools	Azure Security and Audit Log Management
PR.MA-2Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access	Azure AD B2B Azure Security and Audit Log Management

Protective Technology (PR.PT)

Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.

PR.PT-1Audit/log records are determined, documented, implemented, and reviewed in accordance with policy	Azure Security and Audit Log Management Microsoft Azure log integration and Security Information and Event  Management (SIEM) systems Office 365 Audit logs Azure log analytics Active Directory Auditing Windows Server 2016 Security Auditing Azure Information Protection Logging Cloud App Security - Governance and Audit for Microsoft and 3rd party SaaS apps Cloud App Security SIEM integration SQL Server Audit Microsoft Dynamics Auditing Overview
PR.PT-2Removable media is protected and its use restricted according to policy	BitLocker Policy reference – Windows 10 (See the Removable Drive section) Control Access to Removable Media (Group Policy)
PR.PT-3Access to systems and assets is controlled, incorporating the principle of least functionality	Application Whitelisting with Windows 10 Device Guard, AppLocker, and Configuration Manager AppLocker: Application Whitelisting Server 2016 Hardening Guideline
PR.PT-4Communications and control networks are protected	Creating and using network isolated environments (SCVMM, Hyper-V) Introduction to Server and Domain Isolation (reference) Azure Network Security Whitepaper

Microsoft security resources

Microsoft Trust Center Microsoft Cybersecurity website Microsoft Secure website