Updated again: 7/10/2017
In light of the Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, the NIST Cybersecurity Framework (CSF) is once again top of mind for our community. At Microsoft, we maintain a dedicated CSF program, integrated into the overall risk management function of our enterprise. We understand the challenges posed to our customers by the executive order, and we are here to help. As referenced on the Microsoft Trust Center:
"Microsoft has integrated the National Institute of Standards & Technology's (NIST) Cybersecurity Framework into our enterprise risk-management program to inform and influence our security risk practices. Using the NIST Cybersecurity Framework to evaluate the security maturity of our products enables teams across the company to share a better understanding of our security capabilities. The framework facilitates conversations about the maturity of our enterprise-level security, helping us structure and maintain consistent security methodology and terminology. The NIST Cybersecurity Framework is also a key component in how we track security assurance and communicate about security maturity."
Last week, we released an Azure Blueprint Customer Responsibilities Matrix for the NIST CSF which paves a clear path for agencies to comply with the order. This week I am pleased to announce that Azure has augmented our enterprise CSF program; our third-party assessment organization independently attested to Azure's compliance with the CSF. The attestation letter is available on the Service Trust Portal under "Assessment Reports". Additionally, Azure cloud services have been certified against the key standards used as informative references in the CSF, including but not limited to ISO 27001, SOC 1, SOC 2, FedRAMP Moderate and FedRAMP High.
Azure's alignment with the NIST CSF is another example of our commitment to enable federal agencies, and customers operating in critical infrastructure sectors, to meet their compliance obligations by leveraging the most trusted and compliant platform for mission-critical services. Over the coming weeks we will release additional guidance to assist customers with responding to the cybersecurity executive order, publish software resources to automate compliance with the CSF, produce walkthrough videos of advanced Azure Government capabilities, and sponsor events to encourage dialog within the cybersecurity community. An initial list of content slated for the first few weeks of this campaign is included below. We will be releasing content through the end of July, so check back for more information.
- Blog - Azure Blueprint illustrates the clear path to meet the Cybersecurity Executive Order
- Blog - Azure Government, Supporting Critical Missions with the NIST CSF
- Op-Ed - How Microsoft's Azure Platform can Help Agencies with the Cybersecurity EO
- Guide for performing an initial NIST CSF risk assessment
- NIST CSF Compliance: Identify Function
- Event Webinar on meeting the Cybersecurity Executive Order with Azure Government
The NIST Cybersecurity Framework Customer Responsibilities Matrix is available on the Service Trust Portal under Trust Documents. To provide feedback on the documentation, please e-mail AzureBlueprint@Microsoft.com.
We welcome your comments and suggestions to help us continually improve your Azure Government experience. To stay up to date on all things Azure Government, be sure to subscribe to our RSS feed; to receive emails, click "Subscribe by Email!" on the Azure Government Blog. To experience the power of Azure Government for your organization, sign up for an Azure Government Trial.