
NIST Cybersecurity Framework for SC-200

This chapter covers the NIST Cybersecurity Framework (CSF) as it applies to the SC-200 exam. The NIST CSF is a voluntary framework that provides a common language for managing cybersecurity risk. For the SC-200 exam, understanding the five core functions—Identify, Protect, Detect, Respond, Recover—and how they map to Microsoft security tools (like Microsoft Sentinel, Defender for Cloud, and Microsoft 365 Defender) is essential. Approximately 5-10% of exam questions touch on security frameworks and standards, with a focus on aligning Microsoft security operations to the NIST CSF.

25 min read
Intermediate
Updated May 31, 2026

NIST CSF as a Home Security Blueprint

Imagine you own a house and want to protect it from burglars. You don't just buy a lock and call it done. Instead, you create a comprehensive security plan. The NIST Cybersecurity Framework (CSF) is like that blueprint. First, you Identify what you value most: jewelry, electronics, family heirlooms. You list every door, window, and vulnerable point. This is the Identify function—knowing your assets and risks. Next, you Protect by installing deadbolts, a security system, and motion-sensor lights. You also train your family to lock doors and not share codes. This mirrors the Protect function—safeguards to limit or contain the impact of an event. Then, you think about Detect: you install cameras, window sensors, and a smart alarm that alerts your phone. You check logs weekly. This is the Detect function—continuous monitoring to find anomalies. If a break-in occurs, you have a Respond plan: you call 911, review camera footage, and notify neighbors. Your plan includes steps to contain the intruder (lock internal doors) and preserve evidence. Finally, you Recover: you claim insurance, repair broken windows, and update your security based on what went wrong. This is the Recover function—restoring operations and improving. The NIST CSF is not a one-size-fits-all; you adapt it to your home's unique layout and risks, just as organizations tailor the framework to their business needs and threat landscape.

How It Actually Works

What is the NIST Cybersecurity Framework?

The NIST Cybersecurity Framework (CSF) was created by the National Institute of Standards and Technology (NIST) under Executive Order 13636 (February 2013) to improve critical infrastructure cybersecurity. The latest version is NIST CSF 2.0 (released February 2024), which expanded the framework to include a new 'Govern' function and updated guidance for supply chain risk management. For SC-200, Microsoft emphasizes alignment with NIST CSF 1.1 (still widely referenced in exam objectives), but candidates should be aware of 2.0 changes.

The Five Core Functions (1.1)

The framework is built around five concurrent and continuous functions:

Identify: Develop organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities. Key categories: Asset Management, Business Environment, Governance, Risk Assessment, Risk Management Strategy, Supply Chain Risk Management.

Protect: Develop and implement appropriate safeguards to ensure delivery of critical infrastructure services. Categories: Identity Management and Access Control, Awareness and Training, Data Security, Information Protection Processes and Procedures, Maintenance, Protective Technology.

Detect: Develop and implement appropriate activities to identify the occurrence of a cybersecurity event. Categories: Anomalies and Events, Security Continuous Monitoring, Detection Processes.

Respond: Develop and implement appropriate activities to take action regarding a detected cybersecurity incident. Categories: Response Planning, Communications, Analysis, Mitigation, Improvements.

Recover: Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. Categories: Recovery Planning, Improvements, Communications.

How NIST CSF Works Internally

The framework is not a checklist but a risk-based approach. Organizations select Target Profiles (desired state) and compare them to Current Profiles (as-is state) to identify gaps. Implementation Tiers (Partial, Risk-Informed, Repeatable, Adaptive) describe how deeply the organization integrates risk management. The CSF uses informative references (e.g., NIST SP 800-53, ISO 27001, COBIT) to map controls to functions.

Mapping to Microsoft Security Tools (SC-200 Focus)

SC-200 expects you to know how Microsoft security solutions support each NIST CSF function:

Identify: Microsoft Defender for Cloud (assess security posture, identify misconfigurations), Microsoft 365 Defender (inventory devices, users), Microsoft Sentinel (understand threat landscape via threat intelligence).

Protect: Microsoft Entra ID (Identity Protection, Conditional Access), Microsoft Defender for Office 365 (anti-phishing, safe attachments), Microsoft Defender for Endpoint (attack surface reduction rules, vulnerability management), Microsoft Purview Information Protection (data classification and labeling).

Detect: Microsoft Sentinel (SIEM, analytics rules, UEBA), Microsoft 365 Defender (detection across endpoints, email, identity, cloud apps), Microsoft Defender for Cloud (alerts on misconfigurations and threats).

Respond: Microsoft Sentinel (incident management, automation with playbooks), Microsoft 365 Defender (automated investigation and response), Microsoft Defender for Endpoint (live response, isolation).

Recover: Microsoft Sentinel (backup and restore of analytics rules, workbooks), Microsoft 365 Backup (Microsoft 365 data recovery), Azure Site Recovery (disaster recovery for on-premises workloads).

Key Components, Values, Defaults, and Timers

NIST CSF 2.0 Govern Function: Adds oversight of cybersecurity risk management, including organizational context, risk management strategy, and supply chain risk management.

Implementation Tiers: 4 tiers (Partial, Risk-Informed, Repeatable, Adaptive). Tier 1: No formal risk management. Tier 4: Organization adapts in real-time based on lessons learned.

Informative References: Over 50 standards, guidelines, and practices mapped to the framework. For SC-200, focus on NIST SP 800-53 (security controls), NIST SP 800-171 (controlled unclassified information), and ISO 27001.

Common Exceptions: The framework does not prescribe specific technologies; it is technology-agnostic. The exam may test that NIST CSF is not a regulation but a voluntary framework (though some US federal agencies require it via Executive Order).

Configuration and Verification Commands

While NIST CSF is not a product, you can use Microsoft tools to assess compliance:

Microsoft Defender for Cloud: Regulatory compliance dashboard includes NIST SP 800-53 and NIST CSF built-in initiatives. To view: Azure Portal > Defender for Cloud > Regulatory compliance > Select NIST CSF. Assign the policy initiative via Azure Policy.

Microsoft Sentinel: Use the NIST CSF workbook (deploy from Content Hub) to visualize coverage. Deploy via: Sentinel > Content hub > Search 'NIST' > Install workbook.

Microsoft 365 Defender: Use Secure Score to track actions aligned to NIST functions. Secure Score recommendations map to controls like enabling MFA (Protect) or turning on audit logging (Detect).

Interaction with Related Technologies

NIST CSF complements other frameworks and regulations:

- NIST SP 800-53: Provides specific security controls that map to CSF functions. For example, AC-2 (Account Management) maps to Protect.
- ISO 27001: Annex A controls align with CSF. Organizations often use CSF for high-level strategy and ISO for certification.
- CIS Controls: A prioritized set of actions that directly support CSF functions. For instance, CIS Control 4 (Controlled Use of Administrative Privileges) supports Protect.
- Microsoft's Cloud Adoption Framework (CAF): Includes security considerations aligned to CSF. CAF's Secure methodology maps to Identify (governance) and Protect (security baseline).

Exam-Specific Details

NIST CSF Version: SC-200 currently tests on version 1.1, but 2.0 is increasingly referenced. Know the five functions of 1.1 and the addition of Govern in 2.0.

Common Wrong Answers: Candidates often confuse NIST CSF with NIST SP 800-171 (which focuses on CUI) or NIST SP 800-53 (which is a catalog of controls). The CSF is a framework, not a control set.

Trap: Questions may ask 'Which NIST function ensures data is backed up?' The answer is Recover (not Protect). Backup is a protective measure, but the function that deals with restoration is Recover.

Edge Cases: The framework is 'risk-based'—meaning it does not require 100% compliance; it prioritizes based on risk. Exam questions may test that the CSF is adaptable and not prescriptive.

Walk-Through

Step 1: Identify Assets and Risks

In this step, the organization catalogs all assets (hardware, software, data, people) and identifies risks to those assets. For SC-200, this maps to using Microsoft Defender for Cloud to discover resources and assess vulnerabilities. At the packet level, no network traffic occurs; this is a governance step. Key activities: asset inventory, risk assessment, and business impact analysis. The output is a Current Profile. Defenders should use tools like Defender for Cloud's inventory and Secure Score to understand the attack surface. Common mistake: skipping asset discovery leads to blind spots in detection.

Step 2: Implement Protective Safeguards

Based on the risks identified, deploy controls to limit impact. This includes identity protection (MFA via Entra ID), endpoint hardening (attack surface reduction rules in Defender for Endpoint), and data protection (sensitivity labels in Purview). In production, configure Conditional Access policies to block high-risk sign-ins. At the protocol level, MFA involves RADIUS or SAML traffic. Key default: Microsoft recommends enforcing MFA for all users. Wrong answer: thinking antivirus alone is sufficient—Protect includes multiple layers.

Step 3: Enable Continuous Detection

Set up monitoring to detect anomalies. In Microsoft Sentinel, create analytics rules for known attack patterns (e.g., brute force attempts). Enable Microsoft 365 Defender to correlate alerts across domains. At the network level, this involves ingesting logs from firewalls, endpoints, and cloud apps via connectors. Key timers: Sentinel analytics rules evaluate every 5 minutes by default. Alert threshold: e.g., 10 failed logins in 5 minutes triggers an incident. Common trap: relying on a single detection source; the exam emphasizes multi-source detection.
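The threshold rule in this step ('10 failed logins in 5 minutes'), worked as an added Python example that is not from the page or from Microsoft: it reproduces the logic a Sentinel scheduled rule performs over SigninLogs, here on constructed records, and sets a fixed-bucket variant beside it to show why a sliding window matters when attempts straddle a 5-minute boundary. Field names mimic Entra ID SigninLogs; every record is made up.

```python
"""Sliding-window check for the Detect-step rule 'N failed sign-ins in M minutes'.
Added example, not from the SC-200 page or Microsoft. Columns imitate Entra ID
SigninLogs (timestamp, UserPrincipalName, IPAddress, ResultType); all records are
constructed. ResultType "0" = success, "50126" = Entra's invalid-credentials code."""
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 10                 # failures that raise an alert (the page's example)
WINDOW = timedelta(minutes=5)  # all of them within this span

def parse(line):
    ts, upn, ip, result = line.split(",")
    return datetime.fromisoformat(ts), upn, ip, result

def detect_brute_force(lines, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per (user, ip) whose failures reach `threshold` inside
    any `window`: (upn, ip, count, first_failure, last_failure)."""
    failures = defaultdict(list)
    for line in lines:
        ts, upn, ip, result = parse(line)
        if result != "0":                       # successful sign-ins are not counted
            failures[(upn, ip)].append(ts)
    alerts = []
    for (upn, ip), times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:    # drop failures older than the window
                start += 1
            if end - start + 1 >= threshold:    # fire on the attempt that crosses it
                alerts.append((upn, ip, end - start + 1, times[start], t))
                break
    return alerts

def detect_fixed_buckets(lines, threshold=THRESHOLD, window=WINDOW):
    """Naive variant counting failures per aligned bucket; kept only to show the
    boundary blind spot that the sliding window above avoids."""
    minutes = int(window.total_seconds() // 60)
    counts = defaultdict(int)
    for line in lines:
        ts, upn, ip, result = parse(line)
        if result != "0":
            bucket = ts.replace(minute=ts.minute - ts.minute % minutes, second=0, microsecond=0)
            counts[(upn, ip, bucket)] += 1
    return sorted({(upn, ip) for (upn, ip, _), n in counts.items() if n >= threshold})

def _constructed_log():
    base = datetime(2026, 5, 31, 10, 0, 0)
    rows = []
    # alice: 12 failures 20 s apart from 10:00:00, all inside the 10:00 bucket
    for i in range(12):
        rows.append(f"{(base + timedelta(seconds=20 * i)).isoformat()},alice@contoso.example,203.0.113.7,50126")
    # carol: 10 failures 20 s apart from 10:03:30, five before and five after 10:05
    for i in range(10):
        rows.append(f"{(base + timedelta(minutes=3, seconds=30 + 20 * i)).isoformat()},carol@contoso.example,203.0.113.8,50126")
    rows.append(f"{(base + timedelta(minutes=6)).isoformat()},alice@contoso.example,203.0.113.7,0")
    return rows

SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for upn, ip, n, first, last in detect_brute_force(SAMPLE_LOG):
        print(f"ALERT {upn} from {ip}: {n} failures between {first:%H:%M:%S} and {last:%H:%M:%S}")
    print("fixed buckets flag only:", detect_fixed_buckets(SAMPLE_LOG))
```

Sentinel's scheduled rules are a lookback query re-run on a timer, so the equivalent KQL uses a lookback at least as long as the window; carol's burst is the case a query bucketed on exact 5-minute boundaries would miss.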

Step 4: Execute Incident Response

When an incident is detected, the Respond function kicks in. Use Microsoft Sentinel's incident management to triage and assign. Automate response with playbooks (Logic Apps) that isolate compromised endpoints or disable user accounts. At the packet level, isolation involves sending a command via Defender for Endpoint API to the device. Key metric: Mean Time to Respond (MTTR). Wrong answer: thinking manual response is acceptable—automation is emphasized for speed.

Step 5: Recover and Improve

After containment, restore services from backups and apply lessons learned. In Microsoft 365, use the Recycle Bin or eDiscovery to recover deleted data. Update analytics rules based on the incident. At the infrastructure level, recover virtual machines using Azure Site Recovery. Key default: backup retention periods (e.g., 30 days for Microsoft 365). Common mistake: failing to document lessons learned, leading to repeat incidents.

What This Looks Like on the Job

Scenario 1: Financial Institution Adopting NIST CSF

A bank with 10,000 employees and 500+ applications uses NIST CSF to streamline security operations. They use Microsoft Defender for Cloud to continuously assess their Azure resources against the NIST SP 800-53 regulatory compliance initiative. They deployed Microsoft Sentinel as their SIEM, ingesting logs from on-premises firewalls, Azure AD, and AWS. The security team created a NIST CSF workbook in Sentinel to track coverage across functions. They found they were weak in the 'Detect' function: only 40% of required analytics rules were active. They implemented 30 new rules, including one for anomalous logins from non-compliant devices. After a ransomware incident, they used the Respond function to automatically isolate affected endpoints via Defender for Endpoint. The recovery involved restoring encrypted files from Microsoft 365 Backup. The bank now runs quarterly profile assessments to close gaps.

What goes wrong: If the bank fails to update the Current Profile after changes, they might miss new risks.

Scale: Ingesting 50 GB/day of logs requires Sentinel capacity planning (pay-as-you-go or reserved capacity).
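The Target-vs-Current Profile comparison described under 'How NIST CSF Works Internally', applied to a control inventory like the bank's, as an added Python example that is not the page's, NIST's or Microsoft's code. The subcategory IDs are real CSF 1.1 identifiers; the Target Profile, the control inventory and the control-to-subcategory mapping are constructed, including disabled Sentinel rules that leave Detect under-covered.

```python
"""Target-vs-Current Profile gap analysis for NIST CSF 1.1.
Added example, not from the SC-200 page, NIST or Microsoft. Subcategory IDs
(ID.AM-1, PR.AC-7, DE.CM-7, ...) are real CSF 1.1 identifiers; the profile,
the controls and the mapping below are constructed for illustration."""
from collections import defaultdict

FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}

# Constructed Target Profile: the subcategories this organisation decided it needs.
TARGET_PROFILE = {
    "ID.AM-1", "ID.AM-2", "ID.RA-1",   # device/software inventory, vulnerabilities
    "PR.AC-1", "PR.AC-7", "PR.DS-1",   # identities, risk-based authentication, data at rest
    "DE.AE-3", "DE.CM-1", "DE.CM-7",   # correlation, network monitoring, unauthorised activity
    "RS.RP-1", "RS.MI-1",              # response plan executed, incidents contained
    "RC.RP-1", "RC.IM-1",              # recovery plan executed, lessons learned
}

# Constructed inventory: control -> (enabled?, subcategories it satisfies).
DEPLOYED_CONTROLS = {
    "Defender for Cloud asset inventory":     (True,  ["ID.AM-1", "ID.AM-2"]),
    "Defender Vulnerability Management":      (True,  ["ID.RA-1"]),
    "Entra Conditional Access requiring MFA": (True,  ["PR.AC-1", "PR.AC-7"]),
    "Purview sensitivity labels":             (False, ["PR.DS-1"]),  # licensed, not rolled out
    "Sentinel rule: brute-force sign-ins":    (True,  ["DE.AE-3", "DE.CM-7"]),
    "Sentinel rule: firewall anomalies":      (False, ["DE.CM-1"]),  # disabled, never re-enabled
    "Sentinel playbook: isolate endpoint":    (True,  ["RS.MI-1"]),
    "Azure Site Recovery runbook":            (True,  ["RC.RP-1"]),
}

def function_of(subcategory):
    """'DE.CM-7' -> 'Detect': the two-letter prefix names the function."""
    return FUNCTIONS[subcategory.split(".")[0]]

def current_profile(controls):
    """The as-is state: only enabled controls count."""
    covered = set()
    for enabled, subcats in controls.values():
        if enabled:
            covered.update(subcats)
    return covered

def gap_analysis(target, current):
    """Return (gaps, coverage): gaps are target subcategories that no enabled
    control satisfies; coverage maps each function to (covered, required, percent)."""
    required, covered = defaultdict(int), defaultdict(int)
    for sc in target:
        fn = function_of(sc)
        required[fn] += 1
        if sc in current:
            covered[fn] += 1
    coverage = {fn: (covered[fn], required[fn], round(100 * covered[fn] / required[fn]))
                for fn in required}
    return sorted(target - current), coverage

if __name__ == "__main__":
    gaps, coverage = gap_analysis(TARGET_PROFILE, current_profile(DEPLOYED_CONTROLS))
    for fn in FUNCTIONS.values():
        done, need, pct = coverage[fn]
        print(f"{fn:<9} {done}/{need} subcategories covered ({pct}%)")
    print("Gaps to close:", ", ".join(gaps))
```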

How SC-200 Actually Tests This

1. Exactly What SC-200 Tests on NIST CSF

The exam objective 'Describe security frameworks and standards' (part of domain 'Manage security operations') asks you to:

Identify the five core functions of NIST CSF 1.1.

Recognize that NIST CSF is a voluntary framework, not a regulation.

Map Microsoft security solutions to each function (e.g., Microsoft Defender for Cloud for Identify, Microsoft 365 Defender for Detect).

Understand the difference between NIST CSF and other standards (e.g., ISO 27001, NIST SP 800-53).

Know that NIST CSF 2.0 added a sixth function: Govern.

2. Common Wrong Answers and Why Candidates Choose Them

- Wrong: 'NIST CSF is a regulation.' Many candidates confuse it with FedRAMP or HIPAA. Reality: It is voluntary, though some US agencies require it via executive order.
- Wrong: 'The five functions are sequential.' The functions are concurrent and continuous. Candidates think of them as a linear process (identify first, then protect, etc.), but they operate in parallel.
- Wrong: 'Microsoft Sentinel is only for Detect.' While Sentinel is primarily for detection and response, it also supports Identify (threat intelligence) and Recover (backup of analytics rules). The exam tests that tools support multiple functions.
- Wrong: 'NIST CSF requires specific controls like MFA.' The framework does not mandate specific controls; it provides a taxonomy. Controls are chosen based on risk.

3. Specific Numbers, Values, and Terms on the Exam

- NIST CSF 1.1: 5 functions, 23 categories, 108 subcategories.
- NIST CSF 2.0: 6 functions (added Govern), 22 categories, 106 subcategories.
- Implementation Tiers: 1 (Partial), 2 (Risk-Informed), 3 (Repeatable), 4 (Adaptive).
- The term 'Informative References' appears in questions about mapping controls.

4. Edge Cases and Exceptions

- The framework is technology-agnostic; do not assume it is only for cloud.
- Supply chain risk management is part of Identify (1.1) or a separate function in 2.0.
- The CSF does not replace an organization's risk management process; it complements it.

5. How to Eliminate Wrong Answers Using Mechanism

If a question asks 'Which function ensures data is backed up?', think: Backup is a safeguard (Protect), but the function that deals with restoration after an incident is Recover. The exam may ask: 'Which function includes activities to restore services after a cybersecurity event?' The answer is Recover. Eliminate Identify (inventory), Protect (safeguards), Detect (monitoring), and Respond (immediate action).

Key Takeaways

NIST CSF 1.1 has five core functions: Identify, Protect, Detect, Respond, Recover.

NIST CSF 2.0 added a sixth function: Govern.

The framework is voluntary, risk-based, and technology-agnostic.

Microsoft Defender for Cloud provides regulatory compliance assessments for NIST SP 800-53 (mapped to CSF).

Microsoft Sentinel offers a NIST CSF workbook for visualizing coverage.

Implementation Tiers: 1 (Partial) to 4 (Adaptive).

The functions are concurrent, not sequential.

Common exam trap: confusing NIST CSF with NIST SP 800-53 or SP 800-171.

Microsoft 365 Defender supports Protect (MFA, attack surface reduction) and Detect (alerts).

Recover function includes backup restoration and lessons learned.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

NIST CSF 1.1

Five functions: Identify, Protect, Detect, Respond, Recover.

23 categories, 108 subcategories.

Govern is not a separate function; governance is implied across functions.

Supply chain risk management is a category under Identify.

Still widely referenced in SC-200 exam objectives.

NIST CSF 2.0

Six functions: added Govern as a new function.

22 categories, 106 subcategories (restructured).

Govern function explicitly addresses organizational context, risk management strategy, and supply chain.

Supply chain risk management elevated to a category under Govern.

Increasingly referenced; candidates should be aware of changes.

Watch Out for These

Mistake

NIST CSF is only for US government agencies.

Correct

The framework is voluntary and used globally by private and public sectors. It was initially designed for critical infrastructure but adapted for all organizations.

Mistake

The five functions must be implemented in order: Identify first, then Protect, etc.

Correct

The functions are concurrent and continuous. An organization can improve multiple functions simultaneously.

Mistake

NIST CSF provides specific technical controls like 'enable MFA'.

Correct

The framework does not prescribe controls. It provides a taxonomy and references other standards (e.g., NIST SP 800-53) for specific controls.

Mistake

Compliance with NIST CSF means you are fully secure.

Correct

The framework is risk-based; it aims to manage risk, not eliminate it. Full compliance does not guarantee security.

Mistake

Microsoft Sentinel is only used for the Detect function.

Correct

Sentinel supports multiple functions: Identify (threat intelligence), Detect (analytics), Respond (incident management, playbooks), and Recover (backup of configurations).


Frequently Asked Questions

What are the five functions of NIST Cybersecurity Framework 1.1?

The five functions are Identify, Protect, Detect, Respond, and Recover. They provide a high-level, strategic view of an organization's cybersecurity risk management. On the SC-200 exam, you must be able to list them and map Microsoft security tools to each. For example, Microsoft Defender for Cloud helps with Identify by assessing resources, and Microsoft Sentinel supports Detect with analytics rules.

How does Microsoft Sentinel align with NIST CSF?

Microsoft Sentinel supports multiple functions: Identify (threat intelligence from feeds), Protect (via integration with Defender for Cloud), Detect (analytics rules, UEBA), Respond (incident management, automation with playbooks), and Recover (backup of workbooks and analytics rules). You can deploy the NIST CSF workbook from the Content Hub to visualize coverage.

Is NIST CSF a mandatory regulation?

No, NIST CSF is a voluntary framework. However, some U.S. federal agencies and critical infrastructure owners may be required to adopt it via executive orders or contracts. The SC-200 exam tests this distinction: it is a framework, not a regulation.

What is the difference between NIST CSF and NIST SP 800-53?

NIST CSF is a high-level framework that organizes cybersecurity activities into functions and categories. NIST SP 800-53 is a catalog of specific security controls (e.g., access control, audit). The CSF uses SP 800-53 as an informative reference. For SC-200, know that Defender for Cloud includes built-in compliance initiatives for both NIST SP 800-53 and CSF.

What is the 'Govern' function in NIST CSF 2.0?

The Govern function is new in version 2.0. It addresses organizational context, cybersecurity risk management strategy, and supply chain risk management. It is meant to emphasize that cybersecurity governance is a foundational element that influences all other functions. For SC-200, be aware of this addition but focus on the five functions of 1.1.

How do I assess my organization's NIST CSF maturity?

Use Implementation Tiers: 1 (Partial), 2 (Risk-Informed), 3 (Repeatable), 4 (Adaptive). Compare your Current Profile to a Target Profile. In Microsoft tools, Secure Score provides a numeric score that can be mapped to tiers, and Defender for Cloud's regulatory compliance dashboard shows compliance percentage against NIST controls.

What is the most common exam mistake regarding NIST CSF?

Candidates often confuse NIST CSF functions with specific controls. For example, they might think 'backup' belongs to Protect when it actually belongs to Recover. Also, many think the functions are sequential. Remember: they are concurrent and continuous.
