NIST Cybersecurity Framework (CSF)

NIST CSF overview

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) was published in February 2014 as guidance for critical infrastructure organizations to better understand, manage, and reduce their cybersecurity risks. The CSF was developed in response to the Presidential Executive Order on Improving Critical Infrastructure Security, which was issued in February 2013. NIST released the CSF Version 1.1 in April 2018, incorporating feedback received since the original CSF release. An Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure signed in May 2017 requires US government agencies to use the NIST CSF or any successor document when conducting risk assessments for agency systems. Each agency head is required to produce a risk management report documenting cybersecurity risk mitigation and describing the agency’s action plan to implement the CSF.

The NIST CSF references globally recognized standards including NIST SP 800-53 Security and Privacy Controls for Information Systems and Organizations. Each control within the CSF is mapped to corresponding NIST 800-53 controls within the US Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline.

Azure and NIST CSF

FedRAMP was established to provide a standardized approach for assessing, monitoring, and authorizing cloud computing products and services. FedRAMP is based on the NIST SP 800-53 standard, augmented by FedRAMP controls and control enhancements. Both Azure and Azure Government maintain a FedRAMP High Provisional Authorization to Operate (P-ATO) issued by the FedRAMP Joint Authorization Board (JAB). Given the close alignment between NIST CSF and NIST SP 800-53 controls, existing Azure FedRAMP High authorizations provide strong customer assurances that Azure services in FedRAMP audit scope conform to the NIST CSF risk management practices.

An accredited third-party assessment organization (3PAO) has attested that Azure cloud services conform to the NIST CSF risk management practices, as defined in the NIST CSF version 1.1. Implementation of the FedRAMP High baseline controls ensures that Azure commercial and Azure Government cloud environments integrate the NIST CSF to provide reliability and resilience within their critical infrastructures.

Moreover, Microsoft has developed a NIST CSF Customer Responsibility Matrix (CRM) that lists all control requirements that depend on customer implementation, shared responsibility controls, and control implementation details for controls owned by Microsoft. You can download the NIST CSF CRM from the Service Trust Portal Blueprints section under NIST CSF Blueprints.

For extra customer assistance, Microsoft provides the Azure Policy regulatory compliance built-in initiatives, which map to NIST SP 800-53 compliance domains and controls in Azure and Azure Government:

Regulatory compliance in Azure Policy provides built-in initiative definitions to view a list of the controls and compliance domains based on responsibility – customer, Microsoft, or shared. For Microsoft-responsible controls, we provide extra audit result details based on third-party attestations and our control implementation details to achieve that compliance. Each NIST SP 800-53 control is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, compliance in Azure Policy is only a partial view of your overall compliance status. Azure Policy helps to enforce organizational standards and assess compliance at scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to more granular status.

Applicability

  • Azure
  • Azure Government

Services in scope

  • Azure services in scope for NIST CSF reflect the Azure FedRAMP High P-ATO scope.
  • Azure Government services in scope for NIST CSF reflect the Azure Government FedRAMP High P-ATO scope.

For more information, see Cloud services in audit scope.

Office 365 and NIST CSF

For more information about Office 365 compliance, see Office 365 NIST CSF documentation.

Attestation documents

For instructions on how to access attestation documents, see Audit documentation. The following attestation letters are available from the Service Trust Portal (STP) United States Government section:

  • Azure Commercial – Attestation of Compliance with NIST CSF
  • Azure Government – Attestation of Compliance with NIST CSF

An accredited third-party assessment organization (3PAO) has attested that Azure (also known as Azure Commercial) and Azure Government conform to the NIST CSF risk management practices.

Frequently asked questions

Has an independent assessor validated that Azure supports NIST CSF requirements?
Yes, an accredited third-party assessment organization (3PAO) has attested that Azure cloud services conform to the NIST CSF risk management practices, as defined in the NIST CSF version 1.1. Implementation of the FedRAMP High baseline controls ensures that Azure commercial and Azure Government cloud environments integrate the NIST CSF to provide reliability and resilience within their critical infrastructures.

How can I get the Azure NIST CSF attestation documents?
For links to audit documentation, see Attestation documents.

How does Azure demonstrate alignment with NIST CSF?
NIST CSF is a voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risks. Each control within the CSF is mapped to corresponding NIST 800-53 controls within the FedRAMP Moderate control baseline. Both Azure and Azure Government maintain a FedRAMP High P-ATO. Given the close alignment between NIST CSF and NIST SP 800-53 that provides a control baseline for FedRAMP, existing Azure and Azure Government FedRAMP High authorizations provide strong customer assurances that Azure services in FedRAMP audit scope conform to the NIST CSF risk management practices. Moreover, an accredited third-party assessment organization (3PAO) has attested that Azure and Azure Government cloud service offerings conform to the NIST CSF risk management practices.

Which organizations are deemed by the United States Government to be critical infrastructure?
According to Presidential Policy Directive 21 (PPD-21), there are 16 critical infrastructure sectors: Chemical, Commercial Facilities, Communications, Critical Manufacturing, Dams, Defense Industrial Base, Emergency Services, Energy, Financial Services, Food and Agriculture, Government Facilities, Healthcare and Public Health, Information Technology, Nuclear (Reactors, Materials, and Waste), Transportation Systems, and Water (and Wastewater Systems).

Resources