What do the NIST CSF mapping numbers (e.g., “02”) in Azure Security Assessments represent?

K.Ashok 0 Reputation points
2025-10-27T06:48:48.2133333+00:00

While reviewing Azure Cloud Security Assessments, I noticed that the mappings to NIST CSF often show numbers such as “02.” I’m unsure where to look these up to find the corresponding NIST CSF control, e.g., PR.DS-01. Can someone clarify what these numbers indicate or how they map to the actual NIST CSF controls?

Microsoft Security | Microsoft Defender | Microsoft Defender for Cloud

1 answer

  1. Monalisha Jena 3,680 Reputation points Microsoft External Staff Moderator
    2025-10-27T08:15:23.8233333+00:00

    Hello K.Ashok,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well. 

    I will try to clarify your doubts regarding this issue.

    So, when you see numbers like “02” in Azure Security Assessments under NIST CSF mappings, those numbers are internal reference IDs used by Microsoft. They correspond to specific NIST Cybersecurity Framework (CSF) subcategories, such as PR.DS-01 (Protect – Data Security – Protect data-at-rest). The numeric code is just a shorthand for reporting and does not replace the official NIST CSF identifier. Here, the numbers like “02” in Azure Security Assessments can represent two different things, depending on where they appear:

    1. The official subcategory number when it is part of the full NIST ID (e.g., PR.DS-02).
    2. A simple sequential index/line number when it precedes the official NIST ID (e.g., 02. PR.DS-01).

    To clarify better, could you confirm the exact format you are seeing in the assessment? Is the number part of the control ID (e.g., PR.DS-02) or is it a separate index number preceding the ID (e.g., 02. PR.DS-01)?

    Because the ultimate solution relies on the official NIST CSF control identifier, regardless of any preceding index number.

    If it's part of the ID (e.g., PR.DS-02): The number "02" is the official subcategory identifier.

    | NIST Component | Code | Meaning | Example |
    |---|---|---|---|
    | Function | PR | Protect | PR.DS-02 |
    | Category | DS | Data Security | PR.DS-02 |
    | Subcategory/Control | 02 | Control 2: Data-in-transit is protected | PR.DS-02 |

    If it's a separate index (e.g., 02. PR.DS-01): The number "02" is a sequential line number specific to the Azure report and is not part of the NIST CSF standard. You should ignore it and look up the official control ID (PR.DS-01).

    Please refer to these documents for better understanding:

    Hope this helps somehow to clarify your doubts! If it answered your question, please consider clicking Accept Answer and Upvote 👍 for it. This will help us and others in the community as well. If you need more info, feel free to ask in the comments. Happy to help!

    Regards,

    Monalisha
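
The two formats distinguished in the answer above can be separated mechanically when working through an exported assessment. The following is an added example, not part of the answer and not Microsoft's code: `parse_mapping` and the sample cells are hypothetical, and it assumes each mapping cell holds at most one ID of the form Function.Category-Subcategory.

```python
import re

# CSF 2.0 function codes; "PR" = Protect, as in the answer's table.
FUNCTIONS = {"GV": "Govern", "ID": "Identify", "PR": "Protect",
             "DE": "Detect", "RS": "Respond", "RC": "Recover"}

# Optional report line number ("02." / "02)" / "02"), then the CSF ID.
_CELL = re.compile(r"""
    ^\s*
    (?:(?P<index>\d+)\s*[.)]?\s*)?                       # report index, not NIST
    (?P<id>(?P<func>[A-Z]{2})\.(?P<cat>[A-Z]{2})-(?P<sub>\d{1,2}))?
    \s*$
""", re.VERBOSE)


def parse_mapping(cell):
    """Split one mapping cell into report index and official CSF ID."""
    m = _CELL.match(cell)
    if not m or (m["index"] is None and m["id"] is None):
        raise ValueError(f"unrecognised mapping cell: {cell!r}")
    if m["id"] is None:
        # A bare number carries no NIST meaning: nothing to look up.
        return {"report_index": m["index"], "csf_id": None}
    if m["func"] not in FUNCTIONS:
        raise ValueError(f"unknown CSF function code in {cell!r}")
    return {
        "report_index": m["index"],   # None when the cell is just the ID
        "csf_id": m["id"],            # the value to look up in NIST CSF
        "function": FUNCTIONS[m["func"]],
        "category": m["cat"],
        "subcategory": m["sub"],
    }


if __name__ == "__main__":
    # Constructed sample cells, mirroring the formats named in the answer.
    for cell in ["02. PR.DS-01", "PR.DS-02", "02"]:
        print(repr(cell), "->", parse_mapping(cell))
```

A cell that parses with `csf_id` set to `None` is the case from the question: the number alone cannot be looked up, and the official ID has to come from elsewhere in the report.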

