FITS is proud to announce our partnership with Microsoft Azure Government in the creation of their new Risk Assessment Checklist for the NIST Cybersecurity Framework (CSF). This document was created in response to the Presidential Executive Order enacted on May 11, 2017, concerning risk assessments, shared IT services, and action towards conforming to NIST’s CSF. We worked with Microsoft to adapt our CSF checklist, originally made for the investment management industry, for use by Federal Agencies to evaluate the security of their information systems and cloud operations. It is important that agencies are able to act quickly on this Executive Order without having to hire a compliance engineer, which makes this checklist an essential tool for their IT security and compliance.
Below is Microsoft’s blog post announcing the release of the CSF Checklist:
Microsoft is pleased to announce the availability of our Risk Assessment Checklist for the NIST Cybersecurity Framework (CSF) for Federal Agencies. The Checklist is available on the Service Trust Portal under “Compliance Guides”. Microsoft worked with our Azure Blueprint Partner, First Information Technology Services (FITS), to develop a streamlined guide for evaluating Federal information systems against the requirements of the CSF.
The CSF checklist was initially developed by FITS for the financial industry, in response to SEC guidelines, and is used today by financial investors to determine the cybersecurity health of hedge funds and other investment assets. Microsoft and FITS collaborated to adapt that checklist for Federal Agencies. Using Microsoft’s own internal CSF risk management program as a guide, we added context specific to the needs of large enterprises. Using our FedRAMP expertise, we added evaluation criteria targeted at the risks faced by Federal Agencies.
The checklist is formatted to allow individual system owners and mission staff to quickly perform the assessment; it does not require a compliance expert. Use of the checklist should make it simpler to approach a CSF evaluation, as it can be completed in hours, not the days or months required for a typical risk assessment. The checklist guidance also provides scoring recommendations to calculate the overall risk of the system. These calculations may be used by system owners to articulate and report risk relative to the CSF, as required by the Cybersecurity Executive Order 13800.
“Using the CSF Risk Checklist, our financial services customers can quickly and efficiently make cybersecurity risk evaluations of investment assets. We designed the original checklist to be used by individual fund managers/staff, without the need for additional security or compliance experts.” Keith Paige, Chief Operating Officer, First Information Technology Services
Microsoft is committed to assisting our Federal customers, who must comply with the Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. We are continuing to develop tools and resources to help with both addressing the core risks outlined in the order and implementing the NIST Cybersecurity Framework (CSF) as the order requires. Check out http://aka.ms/cybersecurityeo to find our consolidated blogs, whitepapers, videos, risk assessment templates, compliance automation software, and schedule of events related to the order. Check back weekly for new content throughout the Executive Order reporting period.
Microsoft’s original blog post can be found here: Evaluating Risk with the NIST Cybersecurity Framework Risk Assessment Checklist
For a helpful description of the Executive Order and its impact, read Azure Government CISO Matt Rathbun’s op-ed: How Microsoft’s Azure platform can help agencies with the Cybersecurity EO