A logo represent compliance

NIST Cybersecurity Framework (CSF)

Microsoft Cloud Services meet the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)

Microsoft and the NIST CSF

NIST Cybersecurity Framework (CSF) is a voluntary Framework that consists of standards, guidelines, and best practices to manage cybersecurity-related risks. Microsoft Cloud services have undergone independent, third-party FedRAMP Moderate and High Baseline audits and are certified according to the FedRAMP standards. Additionally, through a validated assessment performed by HITRUST, a leading security and privacy standards development and accreditation organization, Office 365 is certified to the objectives specified in the NIST CSF.

Learn how to accelerate your NIST Cybersecurity Framework deployment with Compliance Manager and our Azure Security and Compliance Blueprint:

Download the Azure Security and Compliance Blueprint - NIST CSF Risk Assessment ChecklistLearn more about the NIST CSF assessment for Office 365 in Compliance Manager

Microsoft in-scope cloud services

  • Azure Government detailed list
  • Dynamics 365 for Government detailed list
  • Office 365 and Office 365 U.S. Government (detailed list in FAQs below)

Audit cycle and certification

The NIST CSF certification of Office 365 is valid for two years.

couple in business attire walking past an office building

Quickly build NIST CSF solutions on Azure

The NIST Cybersecurity Framework (CSF) standard can be challenging in the cloud. Fortunately, with Azure you’ll have a head start the Azure Security and Compliance NIST CSF Blueprint. This blueprint provides tools and guidance to get you started building NIST CSF-compliant solutions today.

Start using the Azure NIST CSF Blueprint


Perform risk assessment on Office 365 using NIST CSF in Compliance Manager

Cybersecurity remains a critical management issue in the era of digital transforming. To help you implement and verify security controls for your Office 365 tenant, Microsoft provides recommended customer actions in the NIST CSF Assessment in Compliance Manager.

Start using Compliance Manager

NIST CSF Overview

The National Institute of Standards and Technology (NIST) promotes and maintains measurement standards and guidance to help organizations assess risk. In response to Executive Order 13636 on strengthening the cybersecurity of federal networks and critical infrastructure, NIST released the Framework for Improving Critical Infrastructure Cybersecurity (FICIC) in February 2014.

The main priorities of the FICIC were to establish a set of standards and practices to help organizations manage cybersecurity risk, while enabling business efficiency. The NIST Framework addresses cybersecurity risk without imposing additional regulatory requirements for both government and private sector organizations.

The FICIC references globally-recognized standards including NIST SP 800-53 found in Appendix A of the NIST’s 2014 Framework for Improving Critical Infrastructure Cybersecurity. Each control within the FICIC framework is mapped to corresponding NIST 800-53 controls within the FedRAMP Moderate Baseline.

one person sitting at conference table in active discussion with two others
one person sitting at conference table in active discussion with two others

Manage your compliance from one place

Perform ongoing risk assessment, get actionable insights, and simplify your compliance process when using Microsoft cloud services with Compliance Manager.

Try Compliance Manager nowRead the Security, Privacy and Compliance blog

Frequently asked questions

Expand all

Yes, a third-party assessment organization has attested that the Azure Government cloud service offering conforms to the NIST Cybersecurity Framework (CSF) risk management practices, as defined in the Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, dated February 12, 2014. The NIST CSF is mapped to FedRAMP Moderate controls framework and an independent assessor has assessed Dynamics 365 against the FedRAMP Moderate baseline. Additionally, Office 365 obtained the NIST CSF letter of certification from HITRUST in June 2018.

Using the formal audit reports prepared by third parties for the FedRAMP accreditation, Microsoft can show how relevant controls noted within these reports demonstrate compliance with the NIST Framework for Improving Critical Infrastructure Cybersecurity. Audited controls implemented by Microsoft serve to ensure the confidentiality, integrity, and availability of data stored, processed, and transmitted by Azure, Office 365, and Dynamics 365 that have been identified as the responsibility of Microsoft.

Participation in the FICIC is voluntary. However, Microsoft ensures that Azure, Office 365, and Dynamics 365 meet the terms defined within the governing Online Services Terms and applicable service level agreements. These define Microsoft’s responsibility for implementing and maintaining controls adequate to secure the Azure platform and monitor the system.

Yes. The independent third-party compliance reports to the FedRAMP standards attest to the effectiveness of the controls Microsoft has implemented to maintain the security and privacy of the Microsoft Cloud Services. Microsoft customers may leverage the audited controls described in these related reports as part of their own FedRAMP and NIST FICIC’s risk analysis and qualification efforts.

According to the Department of Homeland Security, these include organizations in the following sectors: Chemical, Commercial Facilities, Communications, Critical Manufacturing, Dams, Defense Industrial Base, Emergency Services, Energy, Financial Services, Food and Agriculture, Government Facilities, Healthcare and Public Health, Information Technology, Nuclear (Reactors Materials and Waste), Transportation Systems and Water (and Wastewater).

The in-scope services of NIST CSF certification are Exchange Online Archiving, Exchange Online Protection, Exchange Online, Skype for Business, Admin Center, SharePoint Online, Project Online, OneDrive for Business, Office Online, MyAnalytics, Microsoft Teams, Office ProPlus* in Office 365 Multi-tenant cloud and Office 365 GCC.

*Office 365 ProPlus enables access to various cloud services, such as Roaming Settings, Licensing, and OneDrive consumer cloud storage, and may enable access to additional cloud services in the future. Roaming Settings and Licensing support the standards for HITRUST. OneDrive consumer cloud storage does not, and other cloud services that are accessible through Office 365 ProPlus and that Microsoft may offer in the future also may not, support these standards.

Microsoft provides the most comprehensive offerings compared to other cloud service providers. To keep up with our broad compliance offerings across regions and industries, we include services in the scope of our assurance efforts based on the market demand, customer feedback, and product lifecycle. If a service is not included in the current scope of a specific compliance offering, your organization has the responsibility to assess the risks based on your compliance obligations and determine the way you process data in that service. We continuously collect feedback from customers and work with regulators and auditors to expand our compliance coverage to meet your security and compliance needs.