Introduction
Keeping your employees and organization secure without compromising productivity is a challenge.
Microsoft 365 security solutions are designed to help you adhere to industry and government
standards and frameworks that have been developed to simplify security for organizations and provide
insight and guidance for IT pros.
In this document, we have mapped Microsoft 365 security solutions to the National Institute
of Standards and Technology Cybersecurity Framework (NIST CSF). The NIST CSF is a guide for
organizations to manage and reduce cybersecurity risk. Developed through a collaboration
among industry leaders, academics, and government stakeholders, it is a thorough cybersecurity
implementation guide for the United States government, and used by enterprises worldwide. The
most current version of the NIST CSF is the NIST CSF Version 1.1, updated in April 2018.
The CSF is founded on two core NIST documents: the NIST SP 800-53 Rev 4 and the Risk Management
Framework (RMF), which also references the NIST SP 800-53, among others. Each of these documents—
the NIST CSF, the NIST SP 800-53, and the RMF—informs the review process for the Federal Risk
and Authorization Management Program (FedRAMP). FedRAMP is a government-wide program that
provides a standardized approach to security assessment, authorization, and continuous monitoring
for cloud products and services, and is now considered the primary certification process for cloudbased solutions. Mapping your security solutions to the NIST CSF can help you achieve FedRAMP
certification and provide a framework for a holistic security strategy. Although Microsoft isn’t endorsing
this framework—there are other standards for cybersecurity protection—we find it helpful as a baseline
against commonly used scenarios.
Below, we offer guidance to help you best use Microsoft 365 security solutions to address each
category within four NIST CSF core actions: Identify, Protect, Detect, and Respond. Regardless of the
size of your business, this framework will guide you in deploying security solutions that are right for
your organization.
This guide will help you get started with your Microsoft 365 security solutions, explain how these
products work together in the greater enterprise environment, and provide insight into the most
effective security scenarios you can enable for your organization.