With the release of the Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, agencies have new requirements to meet and document compliance with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). Agencies have a limited window to document their current risk posture and plans to fully comply with the Executive Order. Additionally, agencies are required by policy to "show preference in their procurement for shared IT services, to the extent permitted by law, including email, cloud, and cybersecurity services."
Azure Government provides the answer to adhere to both the requirement for using shared services as well as one of the key findings that "Known but unmitigated vulnerabilities are among the highest cybersecurity risks faced by executive departments and agencies (agencies). Known vulnerabilities include using operating systems or hardware beyond the vendor's support lifecycle, declining to implement a vendor's security patch, or failing to execute security-specific configuration guidance." A future blog post will provide further guidance on how Azure Government satisfies this critical need.
Today we release an Azure Blueprint Customer Responsibilities Matrix for the NIST CSF. The Matrix explicitly identifies the NIST CSF controls where an agency customer holds responsibility for control implementation. The CRM also provides detail on controls that Microsoft Azure implements on the customer's behalf and how Azure Government meets the NIST CSF requirements. The Customer Responsibilities Matrix can be leveraged by government agencies along with the newly released NIST Interagency Report (NISTIR) 8170, The Cybersecurity Framework: Implementation Guidance for Federal Agencies to provide guidance on implementing controls to satisfy the NIST CSF requirements.
For access to the NIST Cybersecurity Framework Customer Responsibilities Matrix, or to provide feedback on the documentation, please e-mail AzureBlueprint@Microsoft.com.
We welcome your comments and suggestions to help us continually improve your Azure Government experience. To stay up to date on all things Azure Government, be sure to subscribe to our RSS feed and to receive emails, click "Subscribe by Email" on the Azure Government Blog. To experience the power of Azure Government for your organization, sign up for an Azure Government Trial.