Microsoft is pleased to announce the availability of our Risk Assessment Checklist for the NIST Cybersecurity Framework (CSF) for Federal Agencies. The Checklist is available on the Service Trust Portal under "Compliance Guides". Microsoft worked with our Azure Blueprint Partner, First Information Technology Services (FITS), to develop a streamlined guide for evaluating Federal information systems against the requirements of the CSF.
The CSF checklist was initially developed by FITS for the financial industry, in response to SEC guidelines, and is used today by financial investors to determine the cybersecurity health of hedge funds and other investment assets. Microsoft and FITS collaborated to adapt that checklist for Federal Agencies. Using Microsoft's own internal CSF risk management program as a guide, we added context specific to the needs of large enterprises. Using our FedRAMP expertise we added evaluation criteria targeted at the risks faced by Federal Agencies.
The checklist is formatted to allow individual systems owners and mission staff to quickly perform the assessment; it does not require a compliance expert. Use of the checklist should make it simpler to approach a CSF evaluation, as it can be completed in hours, not the days or months required for a typical risk assessment. The checklist guidance also provides scoring recommendations to calculate the overall risk of the system. These calculations may be used by system owners to articulate and report risk relative to the CSF, as required by the Cybersecurity Executive Order: 13800.
"Using the CSF Risk Checklist, our financial services customers can quickly and efficiently make cybersecurity risk evaluations of investment assets. We designed the original checklist to be used by individual fund managers/staff, without the need for additional security or compliance experts." Keith Paige, Chief Operating Officer, First Information Technology Services
Microsoft is committed to assisting our Federal customers, who must comply with the Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. We are continuing to develop tools and resources to help with both addressing the core risks outlined in the order, and implementing the NIST Cybersecurity Framework (CSF) as the order requires. Check out http://aka.ms/cybersecurityeo to find our consolidated blogs, whitepapers, videos, risk assessment templates, compliance automation software, and schedule of events related to the order. Check back weekly for new content throughout the Executive Order reporting period.