Details of the Spain ENS Regulatory Compliance built-in initiative
The following article details how the Azure Policy Regulatory Compliance built-in initiative definition maps to compliance domains and controls in Spain ENS. For more information about this compliance standard, see Spain ENS. To understand Ownership, review the policy type and Shared responsibility in the cloud.
The following mappings are to the Spain ENS controls. Many of the controls are implemented with an Azure Policy initiative definition. To review the complete initiative definition, open Policy in the Azure portal and select the Definitions page. Then, find and select the Spain ENS Regulatory Compliance built-in initiative definition.
Important
Each control below is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, there often is not a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policy definitions themselves; this doesn't ensure you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between compliance domains, controls, and Azure Policy definitions for this compliance standard may change over time. To view the change history, see the GitHub Commit History.
Protective Measures
Protection of communications
ID: ENS v1 mp.com.1 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
[Preview]: All Internet traffic should be routed via your deployed Azure Firewall | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | AuditIfNotExists, Disabled | 3.0.0-preview |
Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
Azure Attestation providers should disable public network access | To improve the security of Azure Attestation Service, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in aka.ms/azureattestation. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. | Audit, Deny, Disabled | 1.0.0 |
Azure Cosmos DB accounts should have firewall rules | Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. | Audit, Deny, Disabled | 2.1.0 |
Azure Key Vault should have firewall enabled | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. Optionally, you can configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Audit, Deny, Disabled | 3.2.1 |
Azure SignalR Service should disable public network access | To improve the security of Azure SignalR Service resource, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/asrs/networkacls. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. | Audit, Deny, Disabled | 1.1.0 |
Azure Web Application Firewall on Azure Application Gateway should have request body inspection enabled | Ensure that Web Application Firewalls associated to Azure Application Gateways have Request body inspection enabled. This allows the WAF to inspect properties within the HTTP body that may not be evaluated in the HTTP headers, cookies, or URI. | Audit, Deny, Disabled | 1.0.0 |
Azure Web Application Firewall on Azure Front Door should have request body inspection enabled | Ensure that Web Application Firewalls associated to Azure Front Doors have request body inspection enabled. This allows the WAF to inspect properties within the HTTP body that may not be evaluated in the HTTP headers, cookies, or URI. | Audit, Deny, Disabled | 1.0.0 |
Azure Web Application Firewall should be enabled for Azure Front Door entry-points | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Audit, Deny, Disabled | 1.0.2 |
Configure key vaults to enable firewall | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Modify, Disabled | 1.1.1 |
Configure storage accounts to disable public network access | To improve the security of Storage Accounts, ensure that they aren't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/storageaccountpublicnetworkaccess. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. | Modify, Disabled | 1.0.1 |
Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
Define and document government oversight | CMA_C1587 - Define and document government oversight | Manual, Disabled | 1.1.0 |
Enable Rate Limit rule to protect against DDoS attacks on Azure Front Door WAF | The Azure Web Application Firewall (WAF) rate limit rule for Azure Front Door controls the number of requests allowed from a particular client IP address to the application during a rate limit duration. | Audit, Deny, Disabled | 1.0.0 |
Establish electronic signature and certificate requirements | CMA_0271 - Establish electronic signature and certificate requirements | Manual, Disabled | 1.1.0 |
Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
IP firewall rules on Azure Synapse workspaces should be removed | Removing all IP firewall rules improves security by ensuring your Azure Synapse workspace can only be accessed from a private endpoint. This configuration audits creation of firewall rules that allow public network access on the workspace. | Audit, Disabled | 1.0.0 |
IP Forwarding on your virtual machine should be disabled | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | AuditIfNotExists, Disabled | 3.0.0 |
Management ports should be closed on your virtual machines | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | AuditIfNotExists, Disabled | 3.0.0 |
MariaDB server should use a virtual network service endpoint | Virtual network based firewall rules are used to enable traffic from a specific subnet to Azure Database for MariaDB while ensuring the traffic stays within the Azure boundary. This policy provides a way to audit if the Azure Database for MariaDB has virtual network service endpoint being used. | AuditIfNotExists, Disabled | 1.0.2 |
Migrate WAF from WAF Config to WAF Policy on Application Gateway | If you have WAF Config instead of WAF Policy, then you may want to move to the new WAF Policy. Going forward, the firewall policy will support WAF policy settings, managed rulesets, exclusions, and disabled rule-groups. | Audit, Deny, Disabled | 1.0.0 |
Modify Azure SignalR Service resources to disable public network access | To improve the security of Azure SignalR Service resource, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/asrs/networkacls. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. | Modify, Disabled | 1.1.0 |
MySQL server should use a virtual network service endpoint | Virtual network based firewall rules are used to enable traffic from a specific subnet to Azure Database for MySQL while ensuring the traffic stays within the Azure boundary. This policy provides a way to audit if the Azure Database for MySQL has virtual network service endpoint being used. | AuditIfNotExists, Disabled | 1.0.2 |
PostgreSQL server should use a virtual network service endpoint | Virtual network based firewall rules are used to enable traffic from a specific subnet to Azure Database for PostgreSQL while ensuring the traffic stays within the Azure boundary. This policy provides a way to audit if the Azure Database for PostgreSQL has virtual network service endpoint being used. | AuditIfNotExists, Disabled | 1.0.2 |
Prevent split tunneling for remote devices | CMA_C1632 - Prevent split tunneling for remote devices | Manual, Disabled | 1.1.0 |
Public network access on Azure Data Explorer should be disabled | Disabling the public network access property improves security by ensuring Azure Data Explorer can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. | Audit, Deny, Disabled | 1.0.0 |
Public network access on Azure SQL Database should be disabled | Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. | Audit, Deny, Disabled | 1.1.0 |
Public network access should be disabled for IoT Central | To improve the security of IoT Central, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/iotcentral-restrict-public-access. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. | Audit, Deny, Disabled | 1.0.0 |
Public network access should be disabled for MariaDB servers | Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Audit, Deny, Disabled | 2.0.0 |
Public network access should be disabled for MySQL flexible servers | Disabling the public network access property improves security by ensuring your Azure Database for MySQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP or virtual network-based firewall rules. | Audit, Deny, Disabled | 2.1.0 |
Public network access should be disabled for MySQL servers | Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Audit, Deny, Disabled | 2.0.0 |
Public network access should be disabled for PostgreSQL flexible servers | Disabling the public network access property improves security by ensuring your Azure Database for PostgreSQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP based firewall rules. | Audit, Deny, Disabled | 3.1.0 |
Public network access should be disabled for PostgreSQL servers | Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Audit, Deny, Disabled | 2.0.1 |
Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0 |
Require interconnection security agreements | CMA_C1151 - Require interconnection security agreements | Manual, Disabled | 1.1.0 |
Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Manual, Disabled | 1.1.0 |
Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
Storage accounts should disable public network access | To improve the security of Storage Accounts, ensure that they aren't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/storageaccountpublicnetworkaccess. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. | Audit, Deny, Disabled | 1.0.1 |
Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
Update interconnection security agreements | CMA_0519 - Update interconnection security agreements | Manual, Disabled | 1.1.0 |
Virtual network firewall rule on Azure SQL Database should be enabled to allow traffic from the specified subnet | Virtual network based firewall rules are used to enable traffic from a specific subnet to Azure SQL Database while ensuring the traffic stays within the Azure boundary. | AuditIfNotExists | 1.0.0 |
Web Application Firewall (WAF) should be enabled for Application Gateway | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Audit, Deny, Disabled | 2.0.0 |
Web Application Firewall (WAF) should use the specified mode for Application Gateway | Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Application Gateway. | Audit, Deny, Disabled | 1.0.0 |
Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service | Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Azure Front Door Service. | Audit, Deny, Disabled | 1.0.0 |
Windows machines should meet requirements for 'Windows Firewall Properties' | Windows machines should have the specified Group Policy settings in the category 'Windows Firewall Properties' for firewall state, connections, rule management, and notifications. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
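The Effect(s) column above decides what a non-compliant resource actually experiences: Audit and AuditIfNotExists only record the finding, Deny rejects the create or update, Modify rewrites the property, and Manual (every CMA_* row) is never machine-evaluated and depends on an attestation. The following is an added example, not Microsoft's policy engine and not code from this page: a simplified model of those semantics applied to two mp.com.1 rows, "Azure Key Vault should have firewall enabled" and "Configure storage accounts to disable public network access". The property paths follow the aliases those built-ins evaluate (Microsoft.KeyVault/vaults/networkAcls.defaultAction and Microsoft.Storage/storageAccounts/publicNetworkAccess); the resource payloads are constructed for illustration, and the real engine also handles exemptions, scopes and parameter overrides that are left out here.

```python
"""Simplified model of Azure Policy effects (Audit, Deny, Modify, Manual, Disabled).

Added example: not the Azure Policy engine, not code from the Spain ENS page.
Resource payloads below are constructed and only mimic the ARM property shapes
that the two built-in definitions read.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class PolicyDefinition:
    name: str
    effect: str                              # a value from the "Effect(s)" column
    is_compliant: Callable[[dict], bool]
    remediate: Optional[Callable[[dict], None]] = None   # used only by Modify


@dataclass
class Outcome:
    resource: str
    policy: str
    compliant: bool
    action: str   # allowed | denied | remediated | skipped | attestation-required


def evaluate(defn: PolicyDefinition, resource: dict) -> Outcome:
    """Return what a single policy assignment does to one resource."""
    name = resource["name"]
    if defn.effect == "Disabled":
        return Outcome(name, defn.name, True, "skipped")
    if defn.effect == "Manual":
        # Manual definitions carry no evaluation logic at all; compliance is
        # whatever an attestation says, so we surface that instead of guessing.
        return Outcome(name, defn.name, False, "attestation-required")
    if defn.is_compliant(resource):
        return Outcome(name, defn.name, True, "allowed")
    if defn.effect == "Deny":
        return Outcome(name, defn.name, False, "denied")
    if defn.effect == "Modify" and defn.remediate is not None:
        defn.remediate(resource)
        return Outcome(name, defn.name, defn.is_compliant(resource), "remediated")
    # Audit / AuditIfNotExists: the finding is recorded, the request proceeds.
    return Outcome(name, defn.name, False, "allowed")


# --- checks mirroring the two mp.com.1 definitions -------------------------

def keyvault_firewall_on(vault: dict) -> bool:
    # "Azure Key Vault should have firewall enabled": networkAcls.defaultAction == Deny
    acls = vault.get("properties", {}).get("networkAcls", {})
    return acls.get("defaultAction") == "Deny"


def storage_public_access_off(acct: dict) -> bool:
    # "Storage accounts should disable public network access"
    return acct.get("properties", {}).get("publicNetworkAccess") == "Disabled"


def disable_public_access(acct: dict) -> None:
    # What the Modify variant ("Configure storage accounts to ...") writes back.
    acct.setdefault("properties", {})["publicNetworkAccess"] = "Disabled"


def run_sample() -> List[Outcome]:
    """Evaluate constructed resources against Audit, Deny, Modify and Manual effects."""
    open_vault = {"name": "kv-open", "type": "Microsoft.KeyVault/vaults",
                  "properties": {"networkAcls": {"defaultAction": "Allow",
                                                 "bypass": "AzureServices"}}}
    closed_vault = {"name": "kv-closed", "type": "Microsoft.KeyVault/vaults",
                    "properties": {"networkAcls": {"defaultAction": "Deny",
                                                   "ipRules": [{"value": "203.0.113.0/24"}]}}}
    public_storage = {"name": "stpublic", "type": "Microsoft.Storage/storageAccounts",
                      "properties": {"publicNetworkAccess": "Enabled"}}

    kv_audit = PolicyDefinition("Azure Key Vault should have firewall enabled",
                                "Audit", keyvault_firewall_on)
    kv_deny = PolicyDefinition("Azure Key Vault should have firewall enabled",
                               "Deny", keyvault_firewall_on)
    st_modify = PolicyDefinition("Configure storage accounts to disable public network access",
                                 "Modify", storage_public_access_off, disable_public_access)
    manual = PolicyDefinition("CMA_0079 - Control information flow", "Manual",
                              lambda r: False)

    return [
        evaluate(kv_audit, open_vault),     # recorded, not blocked
        evaluate(kv_deny, open_vault),      # blocked
        evaluate(kv_deny, closed_vault),    # passes
        evaluate(st_modify, public_storage),  # rewritten, then passes
        evaluate(manual, closed_vault),     # needs attestation
    ]


if __name__ == "__main__":
    for o in run_sample():
        print(f"{o.resource:10} {o.action:22} compliant={o.compliant}  [{o.policy}]")
```

The last outcome is the practical reading of the Important note above: a control whose rows are all Manual can show as Compliant only through attestation, so an assignment of this initiative with the default (Disabled or Manual) effects measures far less than the row count suggests. Switching the Key Vault and storage rows to Deny or Modify is what turns the mapping into an enforced control.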
Protection of communications
ID: ENS v1 mp.com.2 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
All network ports should be restricted on network security groups associated to your virtual machine | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | AuditIfNotExists, Disabled | 3.0.0 |
Authenticate to cryptographic module | CMA_0021 - Authenticate to cryptographic module | Manual, Disabled | 1.1.0 |
Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0 |
Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
Define and document government oversight | CMA_C1587 - Define and document government oversight | Manual, Disabled | 1.1.0 |
Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
Document and implement wireless access guidelines | CMA_0190 - Document and implement wireless access guidelines | Manual, Disabled | 1.1.0 |
Document mobility training | CMA_0191 - Document mobility training | Manual, Disabled | 1.1.0 |
Document remote access guidelines | CMA_0196 - Document remote access guidelines | Manual, Disabled | 1.1.0 |
Employ boundary protection to isolate information systems | CMA_C1639 - Employ boundary protection to isolate information systems | Manual, Disabled | 1.1.0 |
Employ flow control mechanisms of encrypted information | CMA_0211 - Employ flow control mechanisms of encrypted information | Manual, Disabled | 1.1.0 |
Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
Enforce user uniqueness | CMA_0250 - Enforce user uniqueness | Manual, Disabled | 1.1.0 |
Establish electronic signature and certificate requirements | CMA_0271 - Establish electronic signature and certificate requirements | Manual, Disabled | 1.1.0 |
Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
Establish terms and conditions for accessing resources | CMA_C1076 - Establish terms and conditions for accessing resources | Manual, Disabled | 1.1.0 |
Establish terms and conditions for processing resources | CMA_C1077 - Establish terms and conditions for processing resources | Manual, Disabled | 1.1.0 |
Identify and authenticate network devices | CMA_0296 - Identify and authenticate network devices | Manual, Disabled | 1.1.0 |
Identify and authenticate non-organizational users | CMA_C1346 - Identify and authenticate non-organizational users | Manual, Disabled | 1.1.0 |
Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
Implement a fault tolerant name/address service | CMA_0305 - Implement a fault tolerant name/address service | Manual, Disabled | 1.1.0 |
Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Manual, Disabled | 1.1.0 |
Implement managed interface for each external service | CMA_C1626 - Implement managed interface for each external service | Manual, Disabled | 1.1.0 |
Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
Information flow control using security policy filters | CMA_C1029 - Information flow control using security policy filters | Manual, Disabled | 1.1.0 |
Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
Notify users of system logon or access | CMA_0382 - Notify users of system logon or access | Manual, Disabled | 1.1.0 |
Prevent split tunneling for remote devices | CMA_C1632 - Prevent split tunneling for remote devices | Manual, Disabled | 1.1.0 |
Produce, control and distribute asymmetric cryptographic keys | CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys | Manual, Disabled | 1.1.0 |
Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
Protect wireless access | CMA_0411 - Protect wireless access | Manual, Disabled | 1.1.0 |
Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
Provide secure name and address resolution services | CMA_0416 - Provide secure name and address resolution services | Manual, Disabled | 1.1.0 |
Reauthenticate or terminate a user session | CMA_0421 - Reauthenticate or terminate a user session | Manual, Disabled | 1.1.0 |
Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0 |
Require interconnection security agreements | CMA_C1151 - Require interconnection security agreements | Manual, Disabled | 1.1.0 |
Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Manual, Disabled | 1.1.0 |
Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
Separate user and information system management functionality | CMA_0493 - Separate user and information system management functionality | Manual, Disabled | 1.1.0 |
Support personal verification credentials issued by legal authorities | CMA_0507 - Support personal verification credentials issued by legal authorities | Manual, Disabled | 1.1.0 |
Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
Update interconnection security agreements | CMA_0519 - Update interconnection security agreements | Manual, Disabled | 1.1.0 |
Use dedicated machines for administrative tasks | CMA_0527 - Use dedicated machines for administrative tasks | Manual, Disabled | 1.1.0 |
Verify security controls for external information systems | CMA_0541 - Verify security controls for external information systems | Manual, Disabled | 1.1.0 |
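Two of the automated rows in this standard look at the same object from different angles: "All network ports should be restricted on network security groups associated to your virtual machine" (mp.com.2 above) flags inbound Allow rules whose source is 'Any' or 'Internet', while "Management ports should be closed on your virtual machines" (mp.com.1) asks whether SSH or RDP is actually reachable from the Internet once rule priorities are applied. The following is an added example, not code from this page and not the logic of either built-in definition: it evaluates a constructed NSG rule set in the shape of an ARM `securityRules` array. Matching is simplified to the source tokens that mean "everything" (`*`, `Internet`, `0.0.0.0/0`, `::/0`); CIDR containment for specific public ranges is not modeled.

```python
"""NSG inbound-rule review: permissive sources and effective exposure of management ports.

Added example; the rule list is constructed and not taken from any real NSG.
Rule shape follows Microsoft.Network/networkSecurityGroups securityRules:
properties.priority, direction, access, protocol, sourceAddressPrefix(es),
destinationPortRange(s).
"""
from typing import Dict, List

MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}
# Source values that Azure treats as "Any"/"Internet"; Azure's service tag is "Internet".
INTERNET_SOURCES = {"*", "Any", "Internet", "0.0.0.0/0", "::/0"}
DEFAULT_DENY_PRIORITY = 65500   # built-in DenyAllInBound rule


def _sources(props: dict) -> List[str]:
    return props.get("sourceAddressPrefixes") or [props.get("sourceAddressPrefix", "")]


def _ports(props: dict) -> List[str]:
    return props.get("destinationPortRanges") or [props.get("destinationPortRange", "")]


def _port_matches(rng: str, port: int) -> bool:
    """True if an NSG port expression ('*', '22', '8000-9000') covers `port`."""
    if rng == "*":
        return True
    if "-" in rng:
        lo, hi = (int(x) for x in rng.split("-", 1))
        return lo <= port <= hi
    return int(rng) == port


def permissive_inbound_rules(rules: List[dict]) -> List[str]:
    """Names of inbound Allow rules open to Any/Internet, regardless of priority
    (the condition the 'All network ports should be restricted' row reports on)."""
    found = []
    for rule in rules:
        p = rule["properties"]
        if p["direction"] != "Inbound" or p["access"] != "Allow":
            continue
        if any(src in INTERNET_SOURCES for src in _sources(p)):
            found.append(rule["name"])
    return found


def port_reachable_from_internet(rules: List[dict], port: int, protocol: str = "Tcp") -> bool:
    """Effective decision for Internet traffic to `port`: the lowest-numbered
    matching inbound rule wins; nothing matching falls through to DenyAllInBound."""
    inbound = sorted((r for r in rules if r["properties"]["direction"] == "Inbound"),
                     key=lambda r: r["properties"]["priority"])
    for rule in inbound:
        p = rule["properties"]
        if p["priority"] >= DEFAULT_DENY_PRIORITY:
            break
        if p["protocol"].lower() not in ("*", protocol.lower()):
            continue
        if not any(src in INTERNET_SOURCES for src in _sources(p)):
            continue          # rule is scoped to a specific source; not Internet traffic
        if not any(_port_matches(rng, port) for rng in _ports(p)):
            continue
        return p["access"] == "Allow"
    return False


def exposed_management_ports(rules: List[dict]) -> Dict[int, str]:
    """What the 'Management ports should be closed' row would complain about."""
    return {port: name for port, name in MANAGEMENT_PORTS.items()
            if port_reachable_from_internet(rules, port)}


# Constructed sample: RDP open to the Internet, SSH shadowed by an explicit Deny,
# a broad high-port Allow, and an HTTPS rule scoped to the VNet.
SAMPLE_RULES = [
    {"name": "allow-rdp-from-internet", "properties": {
        "priority": 100, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
        "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"}},
    {"name": "deny-ssh-from-anywhere", "properties": {
        "priority": 110, "direction": "Inbound", "access": "Deny", "protocol": "*",
        "sourceAddressPrefix": "*", "destinationPortRange": "22"}},
    {"name": "allow-bastion-ssh", "properties": {
        "priority": 120, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
        "sourceAddressPrefix": "10.0.1.0/24", "destinationPortRange": "22"}},
    {"name": "allow-any-high-ports", "properties": {
        "priority": 200, "direction": "Inbound", "access": "Allow", "protocol": "*",
        "sourceAddressPrefix": "*", "destinationPortRanges": ["8000-9000", "22"]}},
    {"name": "allow-https-from-vnet", "properties": {
        "priority": 300, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
        "sourceAddressPrefixes": ["10.0.0.0/8", "VirtualNetwork"],
        "destinationPortRange": "443"}},
]

if __name__ == "__main__":
    print("permissive:", permissive_inbound_rules(SAMPLE_RULES))
    print("exposed management ports:", exposed_management_ports(SAMPLE_RULES))
```

Note the difference between the two findings on the sample: `allow-any-high-ports` lists port 22 and is rightly reported as permissive, yet SSH is not reachable because the priority-110 Deny is evaluated first; RDP, opened by a single narrow rule, is. Reviewing the first list without the second over-reports, and the second without the first misses rules that become live the moment someone deletes a Deny above them.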
Protection of communications
ID: ENS v1 mp.com.3 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
[Deprecated]: Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources | This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign the replacement policies with policy IDs 3dc5edcd-002d-444c-b216-e123bbfa37c0 and ca88aadc-6e2b-416c-9de2-5a0f01d1693f. Learn more about policy definition deprecation at aka.ms/policydefdeprecation | AuditIfNotExists, Disabled | 2.1.0-deprecated |
Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
All network ports should be restricted on network security groups associated to your virtual machine | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | AuditIfNotExists, Disabled | 3.0.0 |
Audit Windows machines that do not store passwords using reversible encryption | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Windows machines are non-compliant if they are configured to store passwords using reversible encryption | AuditIfNotExists, Disabled | 2.0.0 |
Authenticate to cryptographic module | CMA_0021 - Authenticate to cryptographic module | Manual, Disabled | 1.1.0 |
Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0 |
Automation account variables should be encrypted | It is important to enable encryption of Automation account variable assets when storing sensitive data | Audit, Deny, Disabled | 1.1.0 |
Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
Define and document government oversight | CMA_C1587 - Define and document government oversight | Manual, Disabled | 1.1.0 |
Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
Document and implement wireless access guidelines | CMA_0190 - Document and implement wireless access guidelines | Manual, Disabled | 1.1.0 |
Document mobility training | CMA_0191 - Document mobility training | Manual, Disabled | 1.1.0 |
Document remote access guidelines | CMA_0196 - Document remote access guidelines | Manual, Disabled | 1.1.0 |
Employ boundary protection to isolate information systems | CMA_C1639 - Employ boundary protection to isolate information systems | Manual, Disabled | 1.1.0 |
Employ flow control mechanisms of encrypted information | CMA_0211 - Employ flow control mechanisms of encrypted information | Manual, Disabled | 1.1.0 |
Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
Enforce user uniqueness | CMA_0250 - Enforce user uniqueness | Manual, Disabled | 1.1.0 |
Establish electronic signature and certificate requirements | CMA_0271 - Establish electronic signature and certificate requirements | Manual, Disabled | 1.1.0 |
Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
Establish terms and conditions for accessing resources | CMA_C1076 - Establish terms and conditions for accessing resources | Manual, Disabled | 1.1.0 |
Establish terms and conditions for processing resources | CMA_C1077 - Establish terms and conditions for processing resources | Manual, Disabled | 1.1.0 |
Identify and authenticate network devices | CMA_0296 - Identify and authenticate network devices | Manual, Disabled | 1.1.0 |
Identify and authenticate non-organizational users | CMA_C1346 - Identify and authenticate non-organizational users | Manual, Disabled | 1.1.0 |
Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
Implement a fault tolerant name/address service | CMA_0305 - Implement a fault tolerant name/address service | Manual, Disabled | 1.1.0 |
Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Manual, Disabled | 1.1.0 |
Implement managed interface for each external service | CMA_C1626 - Implement managed interface for each external service | Manual, Disabled | 1.1.0 |
Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
Information flow control using security policy filters | CMA_C1029 - Information flow control using security policy filters | Manual, Disabled | 1.1.0 |
Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
Notify users of system logon or access | CMA_0382 - Notify users of system logon or access | Manual, Disabled | 1.1.0 |
Prevent split tunneling for remote devices | CMA_C1632 - Prevent split tunneling for remote devices | Manual, Disabled | 1.1.0 |
Produce, control and distribute asymmetric cryptographic keys | CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys | Manual, Disabled | 1.1.0 |
Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
Protect wireless access | CMA_0411 - Protect wireless access | Manual, Disabled | 1.1.0 |
Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
Provide secure name and address resolution services | CMA_0416 - Provide secure name and address resolution services | Manual, Disabled | 1.1.0 |
Reauthenticate or terminate a user session | CMA_0421 - Reauthenticate or terminate a user session | Manual, Disabled | 1.1.0 |
Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0 |
Require interconnection security agreements | CMA_C1151 - Require interconnection security agreements | Manual, Disabled | 1.1.0 |
Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Manual, Disabled | 1.1.0 |
Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
Secure transfer to storage accounts should be enabled | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 2.0.0 |
Separate user and information system management functionality | CMA_0493 - Separate user and information system management functionality | Manual, Disabled | 1.1.0 |
Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign | Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed | Audit, Deny, Disabled | 1.1.0 |
SQL databases should have vulnerability findings resolved | Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. | AuditIfNotExists, Disabled | 4.1.0 |
Support personal verification credentials issued by legal authorities | CMA_0507 - Support personal verification credentials issued by legal authorities | Manual, Disabled | 1.1.0 |
Transparent Data Encryption on SQL databases should be enabled | Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements | AuditIfNotExists, Disabled | 2.0.0 |
Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
Update interconnection security agreements | CMA_0519 - Update interconnection security agreements | Manual, Disabled | 1.1.0 |
Use dedicated machines for administrative tasks | CMA_0527 - Use dedicated machines for administrative tasks | Manual, Disabled | 1.1.0 |
Verify security controls for external information systems | CMA_0541 - Verify security controls for external information systems | Manual, Disabled | 1.1.0 |
Protection of communications
ID: ENS v1 mp.com.4 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
All network ports should be restricted on network security groups associated to your virtual machine | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | AuditIfNotExists, Disabled | 3.0.0 |
Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0 |
Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
Create a data inventory | CMA_0096 - Create a data inventory | Manual, Disabled | 1.1.0 |
Define and document government oversight | CMA_C1587 - Define and document government oversight | Manual, Disabled | 1.1.0 |
Document and implement wireless access guidelines | CMA_0190 - Document and implement wireless access guidelines | Manual, Disabled | 1.1.0 |
Document mobility training | CMA_0191 - Document mobility training | Manual, Disabled | 1.1.0 |
Document remote access guidelines | CMA_0196 - Document remote access guidelines | Manual, Disabled | 1.1.0 |
Employ boundary protection to isolate information systems | CMA_C1639 - Employ boundary protection to isolate information systems | Manual, Disabled | 1.1.0 |
Employ flow control mechanisms of encrypted information | CMA_0211 - Employ flow control mechanisms of encrypted information | Manual, Disabled | 1.1.0 |
Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
Establish electronic signature and certificate requirements | CMA_0271 - Establish electronic signature and certificate requirements | Manual, Disabled | 1.1.0 |
Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
Establish terms and conditions for accessing resources | CMA_C1076 - Establish terms and conditions for accessing resources | Manual, Disabled | 1.1.0 |
Establish terms and conditions for processing resources | CMA_C1077 - Establish terms and conditions for processing resources | Manual, Disabled | 1.1.0 |
Identify and authenticate network devices | CMA_0296 - Identify and authenticate network devices | Manual, Disabled | 1.1.0 |
Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
Implement a fault tolerant name/address service | CMA_0305 - Implement a fault tolerant name/address service | Manual, Disabled | 1.1.0 |
Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Manual, Disabled | 1.1.0 |
Implement managed interface for each external service | CMA_C1626 - Implement managed interface for each external service | Manual, Disabled | 1.1.0 |
Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
Information flow control using security policy filters | CMA_C1029 - Information flow control using security policy filters | Manual, Disabled | 1.1.0 |
Maintain records of processing of personal data | CMA_0353 - Maintain records of processing of personal data | Manual, Disabled | 1.1.0 |
Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
Notify users of system logon or access | CMA_0382 - Notify users of system logon or access | Manual, Disabled | 1.1.0 |
Prevent split tunneling for remote devices | CMA_C1632 - Prevent split tunneling for remote devices | Manual, Disabled | 1.1.0 |
Produce, control and distribute asymmetric cryptographic keys | CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys | Manual, Disabled | 1.1.0 |
Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
Protect wireless access | CMA_0411 - Protect wireless access | Manual, Disabled | 1.1.0 |
Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
Provide secure name and address resolution services | CMA_0416 - Provide secure name and address resolution services | Manual, Disabled | 1.1.0 |
Reauthenticate or terminate a user session | CMA_0421 - Reauthenticate or terminate a user session | Manual, Disabled | 1.1.0 |
Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0 |
Require interconnection security agreements | CMA_C1151 - Require interconnection security agreements | Manual, Disabled | 1.1.0 |
Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Manual, Disabled | 1.1.0 |
Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
Separate user and information system management functionality | CMA_0493 - Separate user and information system management functionality | Manual, Disabled | 1.1.0 |
Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
Update interconnection security agreements | CMA_0519 - Update interconnection security agreements | Manual, Disabled | 1.1.0 |
Use dedicated machines for administrative tasks | CMA_0527 - Use dedicated machines for administrative tasks | Manual, Disabled | 1.1.0 |
Verify security controls for external information systems | CMA_0541 - Verify security controls for external information systems | Manual, Disabled | 1.1.0 |
Protection of equipment
ID: ENS v1 mp.eq.1 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
Define a physical key management process | CMA_0115 - Define a physical key management process | Manual, Disabled | 1.1.0 |
Define mobile device requirements | CMA_0122 - Define mobile device requirements | Manual, Disabled | 1.1.0 |
Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Ensure security safeguards not needed when the individuals return | CMA_C1183 - Ensure security safeguards not needed when the individuals return | Manual, Disabled | 1.1.0 |
Establish and maintain an asset inventory | CMA_0266 - Establish and maintain an asset inventory | Manual, Disabled | 1.1.0 |
Establish terms and conditions for accessing resources | CMA_C1076 - Establish terms and conditions for accessing resources | Manual, Disabled | 1.1.0 |
Establish terms and conditions for processing resources | CMA_C1077 - Establish terms and conditions for processing resources | Manual, Disabled | 1.1.0 |
Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Manual, Disabled | 1.1.0 |
Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Manual, Disabled | 1.1.0 |
Not allow for information systems to accompany with individuals | CMA_C1182 - Not allow for information systems to accompany with individuals | Manual, Disabled | 1.1.0 |
Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
Verify security controls for external information systems | CMA_0541 - Verify security controls for external information systems | Manual, Disabled | 1.1.0 |
Protection of equipment
ID: ENS v1 mp.eq.2 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Address coding vulnerabilities | CMA_0003 - Address coding vulnerabilities | Manual, Disabled | 1.1.0 |
Automate approval request for proposed changes | CMA_C1192 - Automate approval request for proposed changes | Manual, Disabled | 1.1.0 |
Automate implementation of approved change notifications | CMA_C1196 - Automate implementation of approved change notifications | Manual, Disabled | 1.1.0 |
Automate process to document implemented changes | CMA_C1195 - Automate process to document implemented changes | Manual, Disabled | 1.1.0 |
Automate process to highlight unreviewed change proposals | CMA_C1193 - Automate process to highlight unreviewed change proposals | Manual, Disabled | 1.1.0 |
Automate process to prohibit implementation of unapproved changes | CMA_C1194 - Automate process to prohibit implementation of unapproved changes | Manual, Disabled | 1.1.0 |
Automate proposed documented changes | CMA_C1191 - Automate proposed documented changes | Manual, Disabled | 1.1.0 |
Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
Develop and document application security requirements | CMA_0148 - Develop and document application security requirements | Manual, Disabled | 1.1.0 |
Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Manual, Disabled | 1.1.0 |
Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
Establish a secure software development program | CMA_0259 - Establish a secure software development program | Manual, Disabled | 1.1.0 |
Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
Install an alarm system | CMA_0338 - Install an alarm system | Manual, Disabled | 1.1.0 |
Manage nonlocal maintenance and diagnostic activities | CMA_0364 - Manage nonlocal maintenance and diagnostic activities | Manual, Disabled | 1.1.0 |
Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
Require developers to document approved changes and potential impact | CMA_C1597 - Require developers to document approved changes and potential impact | Manual, Disabled | 1.1.0 |
Require developers to implement only approved changes | CMA_C1596 - Require developers to implement only approved changes | Manual, Disabled | 1.1.0 |
Require developers to manage change integrity | CMA_C1595 - Require developers to manage change integrity | Manual, Disabled | 1.1.0 |
Protection of equipment
ID: ENS v1 mp.eq.3 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
Assess information security events | CMA_0013 - Assess information security events | Manual, Disabled | 1.1.0 |
Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0 |
Communicate contingency plan changes | CMA_C1249 - Communicate contingency plan changes | Manual, Disabled | 1.1.0 |
Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
Correlate audit records | CMA_0087 - Correlate audit records | Manual, Disabled | 1.1.0 |
Create separate alternate and primary storage sites | CMA_C1269 - Create separate alternate and primary storage sites | Manual, Disabled | 1.1.0 |
Define mobile device requirements | CMA_0122 - Define mobile device requirements | Manual, Disabled | 1.1.0 |
Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
Develop and document a business continuity and disaster recovery plan | CMA_0146 - Develop and document a business continuity and disaster recovery plan | Manual, Disabled | 1.1.0 |
Develop contingency plan | CMA_C1244 - Develop contingency plan | Manual, Disabled | 1.1.0 |
Develop contingency planning policies and procedures | CMA_0156 - Develop contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
Develop security safeguards | CMA_0161 - Develop security safeguards | Manual, Disabled | 1.1.0 |
Distribute policies and procedures | CMA_0185 - Distribute policies and procedures | Manual, Disabled | 1.1.0 |
Document and implement wireless access guidelines | CMA_0190 - Document and implement wireless access guidelines | Manual, Disabled | 1.1.0 |
Document mobility training | CMA_0191 - Document mobility training | Manual, Disabled | 1.1.0 |
Document remote access guidelines | CMA_0196 - Document remote access guidelines | Manual, Disabled | 1.1.0 |
Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
Employ automated training environment | CMA_C1357 - Employ automated training environment | Manual, Disabled | 1.1.0 |
Enable network protection | CMA_0238 - Enable network protection | Manual, Disabled | 1.1.0 |
Ensure alternate storage site safeguards are equivalent to primary site | CMA_C1268 - Ensure alternate storage site safeguards are equivalent to primary site | Manual, Disabled | 1.1.0 |
Ensure information system fails in known state | CMA_C1662 - Ensure information system fails in known state | Manual, Disabled | 1.1.0 |
Ensure security safeguards not needed when the individuals return | CMA_C1183 - Ensure security safeguards not needed when the individuals return | Manual, Disabled | 1.1.0 |
Eradicate contaminated information | CMA_0253 - Eradicate contaminated information | Manual, Disabled | 1.1.0 |
Establish alternate storage site to store and retrieve backup information | CMA_C1267 - Establish alternate storage site to store and retrieve backup information | Manual, Disabled | 1.1.0 |
Establish an alternate processing site | CMA_0262 - Establish an alternate processing site | Manual, Disabled | 1.1.0 |
Establish information security workforce development and improvement program | CMA_C1752 - Establish information security workforce development and improvement program | Manual, Disabled | 1.1.0 |
Establish requirements for audit review and reporting | CMA_0277 - Establish requirements for audit review and reporting | Manual, Disabled | 1.1.0 |
Establish terms and conditions for accessing resources | CMA_C1076 - Establish terms and conditions for accessing resources | Manual, Disabled | 1.1.0 |
Establish terms and conditions for processing resources | CMA_C1077 - Establish terms and conditions for processing resources | Manual, Disabled | 1.1.0 |
Execute actions in response to information spills | CMA_0281 - Execute actions in response to information spills | Manual, Disabled | 1.1.0 |
Identify and authenticate network devices | CMA_0296 - Identify and authenticate network devices | Manual, Disabled | 1.1.0 |
Identify and mitigate potential issues at alternate storage site | CMA_C1271 - Identify and mitigate potential issues at alternate storage site | Manual, Disabled | 1.1.0 |
Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Manual, Disabled | 1.1.0 |
Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |
Integrate audit review, analysis, and reporting | CMA_0339 - Integrate audit review, analysis, and reporting | Manual, Disabled | 1.1.0 |
Integrate cloud app security with a siem | CMA_0340 - Integrate cloud app security with a siem | Manual, Disabled | 1.1.0 |
Maintain incident response plan | CMA_0352 - Maintain incident response plan | Manual, Disabled | 1.1.0 |
Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Manual, Disabled | 1.1.0 |
Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
Monitor security and privacy training completion | CMA_0379 - Monitor security and privacy training completion | Manual, Disabled | 1.1.0 |
Not allow for information systems to accompany with individuals | CMA_C1182 - Not allow for information systems to accompany with individuals | Manual, Disabled | 1.1.0 |
Notify users of system logon or access | CMA_0382 - Notify users of system logon or access | Manual, Disabled | 1.1.0 |
Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
Plan for continuance of essential business functions | CMA_C1255 - Plan for continuance of essential business functions | Manual, Disabled | 1.1.0 |
Plan for resumption of essential business functions | CMA_C1253 - Plan for resumption of essential business functions | Manual, Disabled | 1.1.0 |
Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
Protect wireless access | CMA_0411 - Protect wireless access | Manual, Disabled | 1.1.0 |
Provide contingency training | CMA_0412 - Provide contingency training | Manual, Disabled | 1.1.0 |
Provide information spillage training | CMA_0413 - Provide information spillage training | Manual, Disabled | 1.1.0 |
Provide periodic role-based security training | CMA_C1095 - Provide periodic role-based security training | Manual, Disabled | 1.1.0 |
Provide periodic security awareness training | CMA_C1091 - Provide periodic security awareness training | Manual, Disabled | 1.1.0 |
Provide role-based security training | CMA_C1094 - Provide role-based security training | Manual, Disabled | 1.1.0 |
Provide security training before providing access | CMA_0418 - Provide security training before providing access | Manual, Disabled | 1.1.0 |
Provide security training for new users | CMA_0419 - Provide security training for new users | Manual, Disabled | 1.1.0 |
Report atypical behavior of user accounts | CMA_C1025 - Report atypical behavior of user accounts | Manual, Disabled | 1.1.0 |
Resume all mission and business functions | CMA_C1254 - Resume all mission and business functions | Manual, Disabled | 1.1.0 |
Retain training records | CMA_0456 - Retain training records | Manual, Disabled | 1.1.0 |
Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
Review administrator assignments weekly | CMA_0461 - Review administrator assignments weekly | Manual, Disabled | 1.1.0 |
Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
Review cloud identity report overview | CMA_0468 - Review cloud identity report overview | Manual, Disabled | 1.1.0 |
Review contingency plan | CMA_C1247 - Review contingency plan | Manual, Disabled | 1.1.0 |
Review controlled folder access events | CMA_0471 - Review controlled folder access events | Manual, Disabled | 1.1.0 |
Review file and folder activity | CMA_0473 - Review file and folder activity | Manual, Disabled | 1.1.0 |
Review role group changes weekly | CMA_0476 - Review role group changes weekly | Manual, Disabled | 1.1.0 |
Train personnel on disclosure of nonpublic information | CMA_C1084 - Train personnel on disclosure of nonpublic information | Manual, Disabled | 1.1.0 |
Update contingency plan | CMA_C1248 - Update contingency plan | Manual, Disabled | 1.1.0 |
Verify security controls for external information systems | CMA_0541 - Verify security controls for external information systems | Manual, Disabled | 1.1.0 |
View and investigate restricted users | CMA_0545 - View and investigate restricted users | Manual, Disabled | 1.1.0 |
Protection of equipment
ID: ENS v1 mp.eq.4 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0 |
Categorize information | CMA_0052 - Categorize information | Manual, Disabled | 1.1.0 |
Communicate contingency plan changes | CMA_C1249 - Communicate contingency plan changes | Manual, Disabled | 1.1.0 |
Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
Create separate alternate and primary storage sites | CMA_C1269 - Create separate alternate and primary storage sites | Manual, Disabled | 1.1.0 |
Define mobile device requirements | CMA_0122 - Define mobile device requirements | Manual, Disabled | 1.1.0 |
Develop and document a business continuity and disaster recovery plan | CMA_0146 - Develop and document a business continuity and disaster recovery plan | Manual, Disabled | 1.1.0 |
Develop business classification schemes | CMA_0155 - Develop business classification schemes | Manual, Disabled | 1.1.0 |
Develop contingency plan | CMA_C1244 - Develop contingency plan | Manual, Disabled | 1.1.0 |
Develop contingency planning policies and procedures | CMA_0156 - Develop contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
Distribute policies and procedures | CMA_0185 - Distribute policies and procedures | Manual, Disabled | 1.1.0 |
Document and implement wireless access guidelines | CMA_0190 - Document and implement wireless access guidelines | Manual, Disabled | 1.1.0 |
Document mobility training | CMA_0191 - Document mobility training | Manual, Disabled | 1.1.0 |
Document remote access guidelines | CMA_0196 - Document remote access guidelines | Manual, Disabled | 1.1.0 |
Ensure alternate storage site safeguards are equivalent to primary site | CMA_C1268 - Ensure alternate storage site safeguards are equivalent to primary site | Manual, Disabled | 1.1.0 |
Ensure information system fails in known state | CMA_C1662 - Ensure information system fails in known state | Manual, Disabled | 1.1.0 |
Ensure security categorization is approved | CMA_C1540 - Ensure security categorization is approved | Manual, Disabled | 1.1.0 |
Establish alternate storage site to store and retrieve backup information | CMA_C1267 - Establish alternate storage site to store and retrieve backup information | Manual, Disabled | 1.1.0 |
Establish an alternate processing site | CMA_0262 - Establish an alternate processing site | Manual, Disabled | 1.1.0 |
Identify and authenticate network devices | CMA_0296 - Identify and authenticate network devices | Manual, Disabled | 1.1.0 |
Identify and mitigate potential issues at alternate storage site | CMA_C1271 - Identify and mitigate potential issues at alternate storage site | Manual, Disabled | 1.1.0 |
Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Manual, Disabled | 1.1.0 |
Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
Notify users of system logon or access | CMA_0382 - Notify users of system logon or access | Manual, Disabled | 1.1.0 |
Plan for continuance of essential business functions | CMA_C1255 - Plan for continuance of essential business functions | Manual, Disabled | 1.1.0 |
Plan for resumption of essential business functions | CMA_C1253 - Plan for resumption of essential business functions | Manual, Disabled | 1.1.0 |
Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
Protect wireless access | CMA_0411 - Protect wireless access | Manual, Disabled | 1.1.0 |
Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
Resume all mission and business functions | CMA_C1254 - Resume all mission and business functions | Manual, Disabled | 1.1.0 |
Review contingency plan | CMA_C1247 - Review contingency plan | Manual, Disabled | 1.1.0 |
Review label activity and analytics | CMA_0474 - Review label activity and analytics | Manual, Disabled | 1.1.0 |
SQL databases should have vulnerability findings resolved | Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. | AuditIfNotExists, Disabled | 4.1.0 |
Update contingency plan | CMA_C1248 - Update contingency plan | Manual, Disabled | 1.1.0 |
Protection of facilities and infrastructure
ID: ENS v1 mp.if.1 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
Create separate alternate and primary storage sites | CMA_C1269 - Create separate alternate and primary storage sites | Manual, Disabled | 1.1.0 |
Define a physical key management process | CMA_0115 - Define a physical key management process | Manual, Disabled | 1.1.0 |
Define requirements for managing assets | CMA_0125 - Define requirements for managing assets | Manual, Disabled | 1.1.0 |
Designate personnel to supervise unauthorized maintenance activities | CMA_C1422 - Designate personnel to supervise unauthorized maintenance activities | Manual, Disabled | 1.1.0 |
Ensure alternate storage site safeguards are equivalent to primary site | CMA_C1268 - Ensure alternate storage site safeguards are equivalent to primary site | Manual, Disabled | 1.1.0 |
Ensure information system fails in known state | CMA_C1662 - Ensure information system fails in known state | Manual, Disabled | 1.1.0 |
Establish alternate storage site to store and retrieve backup information | CMA_C1267 - Establish alternate storage site to store and retrieve backup information | Manual, Disabled | 1.1.0 |
Establish an alternate processing site | CMA_0262 - Establish an alternate processing site | Manual, Disabled | 1.1.0 |
Establish and maintain an asset inventory | CMA_0266 - Establish and maintain an asset inventory | Manual, Disabled | 1.1.0 |
Identify and mitigate potential issues at alternate storage site | CMA_C1271 - Identify and mitigate potential issues at alternate storage site | Manual, Disabled | 1.1.0 |
Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
Install an alarm system | CMA_0338 - Install an alarm system | Manual, Disabled | 1.1.0 |
Maintain list of authorized remote maintenance personnel | CMA_C1420 - Maintain list of authorized remote maintenance personnel | Manual, Disabled | 1.1.0 |
Manage a secure surveillance camera system | CMA_0354 - Manage a secure surveillance camera system | Manual, Disabled | 1.1.0 |
Manage maintenance personnel | CMA_C1421 - Manage maintenance personnel | Manual, Disabled | 1.1.0 |
Manage the input, output, processing, and storage of data | CMA_0369 - Manage the input, output, processing, and storage of data | Manual, Disabled | 1.1.0 |
Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Manual, Disabled | 1.1.0 |
Plan for continuance of essential business functions | CMA_C1255 - Plan for continuance of essential business functions | Manual, Disabled | 1.1.0 |
Review and update contingency planning policies and procedures | CMA_C1243 - Review and update contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
Review and update physical and environmental policies and procedures | CMA_C1446 - Review and update physical and environmental policies and procedures | Manual, Disabled | 1.1.0 |
Protection of facilities and infrastructure
ID: ENS v1 mp.if.2 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
Define a physical key management process | CMA_0115 - Define a physical key management process | Manual, Disabled | 1.1.0 |
Designate personnel to supervise unauthorized maintenance activities | CMA_C1422 - Designate personnel to supervise unauthorized maintenance activities | Manual, Disabled | 1.1.0 |
Establish and maintain an asset inventory | CMA_0266 - Establish and maintain an asset inventory | Manual, Disabled | 1.1.0 |
Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
Install an alarm system | CMA_0338 - Install an alarm system | Manual, Disabled | 1.1.0 |
Maintain list of authorized remote maintenance personnel | CMA_C1420 - Maintain list of authorized remote maintenance personnel | Manual, Disabled | 1.1.0 |
Manage a secure surveillance camera system | CMA_0354 - Manage a secure surveillance camera system | Manual, Disabled | 1.1.0 |
Manage maintenance personnel | CMA_C1421 - Manage maintenance personnel | Manual, Disabled | 1.1.0 |
Manage the input, output, processing, and storage of data | CMA_0369 - Manage the input, output, processing, and storage of data | Manual, Disabled | 1.1.0 |
Review and update contingency planning policies and procedures | CMA_C1243 - Review and update contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
Review and update physical and environmental policies and procedures | CMA_C1446 - Review and update physical and environmental policies and procedures | Manual, Disabled | 1.1.0 |
Protection of facilities and infrastructure
ID: ENS v1 mp.if.3 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
Create separate alternate and primary storage sites | CMA_C1269 - Create separate alternate and primary storage sites | Manual, Disabled | 1.1.0 |
Define a physical key management process | CMA_0115 - Define a physical key management process | Manual, Disabled | 1.1.0 |
Employ automatic emergency lighting | CMA_0209 - Employ automatic emergency lighting | Manual, Disabled | 1.1.0 |
Ensure alternate storage site safeguards are equivalent to primary site | CMA_C1268 - Ensure alternate storage site safeguards are equivalent to primary site | Manual, Disabled | 1.1.0 |
Ensure information system fails in known state | CMA_C1662 - Ensure information system fails in known state | Manual, Disabled | 1.1.0 |
Establish alternate storage site to store and retrieve backup information | CMA_C1267 - Establish alternate storage site to store and retrieve backup information | Manual, Disabled | 1.1.0 |
Establish an alternate processing site | CMA_0262 - Establish an alternate processing site | Manual, Disabled | 1.1.0 |
Establish and maintain an asset inventory | CMA_0266 - Establish and maintain an asset inventory | Manual, Disabled | 1.1.0 |
Establish requirements for internet service providers | CMA_0278 - Establish requirements for internet service providers | Manual, Disabled | 1.1.0 |
Identify and mitigate potential issues at alternate storage site | CMA_C1271 - Identify and mitigate potential issues at alternate storage site | Manual, Disabled | 1.1.0 |
Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
Install an alarm system | CMA_0338 - Install an alarm system | Manual, Disabled | 1.1.0 |
Manage the input, output, processing, and storage of data | CMA_0369 - Manage the input, output, processing, and storage of data | Manual, Disabled | 1.1.0 |
Plan for continuance of essential business functions | CMA_C1255 - Plan for continuance of essential business functions | Manual, Disabled | 1.1.0 |
Review and update contingency planning policies and procedures | CMA_C1243 - Review and update contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
Review and update physical and environmental policies and procedures | CMA_C1446 - Review and update physical and environmental policies and procedures | Manual, Disabled | 1.1.0 |
Protection of facilities and infrastructure
ID: ENS v1 mp.if.4 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
Employ automatic emergency lighting | CMA_0209 - Employ automatic emergency lighting | Manual, Disabled | 1.1.0 |
Establish requirements for internet service providers | CMA_0278 - Establish requirements for internet service providers | Manual, Disabled | 1.1.0 |
Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
Initiate contingency plan testing corrective actions | CMA_C1263 - Initiate contingency plan testing corrective actions | Manual, Disabled | 1.1.0 |
Manage the input, output, processing, and storage of data | CMA_0369 - Manage the input, output, processing, and storage of data | Manual, Disabled | 1.1.0 |
Review the results of contingency plan testing | CMA_C1262 - Review the results of contingency plan testing | Manual, Disabled | 1.1.0 |
Test the business continuity and disaster recovery plan | CMA_0509 - Test the business continuity and disaster recovery plan | Manual, Disabled | 1.1.0 |
Protection of facilities and infrastructure
ID: ENS v1 mp.if.5 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
Create separate alternate and primary storage sites | CMA_C1269 - Create separate alternate and primary storage sites | Manual, Disabled | 1.1.0 |
Define a physical key management process | CMA_0115 - Define a physical key management process | Manual, Disabled | 1.1.0 |
Ensure alternate storage site safeguards are equivalent to primary site | CMA_C1268 - Ensure alternate storage site safeguards are equivalent to primary site | Manual, Disabled | 1.1.0 |
Ensure information system fails in known state | CMA_C1662 - Ensure information system fails in known state | Manual, Disabled | 1.1.0 |
Establish alternate storage site to store and retrieve backup information | CMA_C1267 - Establish alternate storage site to store and retrieve backup information | Manual, Disabled | 1.1.0 |
Establish an alternate processing site | CMA_0262 - Establish an alternate processing site | Manual, Disabled | 1.1.0 |
Establish and maintain an asset inventory | CMA_0266 - Establish and maintain an asset inventory | Manual, Disabled | 1.1.0 |
Identify and mitigate potential issues at alternate storage site | CMA_C1271 - Identify and mitigate potential issues at alternate storage site | Manual, Disabled | 1.1.0 |
Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
Install an alarm system | CMA_0338 - Install an alarm system | Manual, Disabled | 1.1.0 |
Plan for continuance of essential business functions | CMA_C1255 - Plan for continuance of essential business functions | Manual, Disabled | 1.1.0 |
Review and update contingency planning policies and procedures | CMA_C1243 - Review and update contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
Review and update physical and environmental policies and procedures | CMA_C1446 - Review and update physical and environmental policies and procedures | Manual, Disabled | 1.1.0 |
Protection of facilities and infrastructure
ID: ENS v1 mp.if.6 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
Create separate alternate and primary storage sites | CMA_C1269 - Create separate alternate and primary storage sites | Manual, Disabled | 1.1.0 |
Define a physical key management process | CMA_0115 - Define a physical key management process | Manual, Disabled | 1.1.0 |
Ensure alternate storage site safeguards are equivalent to primary site | CMA_C1268 - Ensure alternate storage site safeguards are equivalent to primary site | Manual, Disabled | 1.1.0 |
Ensure information system fails in known state | CMA_C1662 - Ensure information system fails in known state | Manual, Disabled | 1.1.0 |
Establish alternate storage site to store and retrieve backup information | CMA_C1267 - Establish alternate storage site to store and retrieve backup information | Manual, Disabled | 1.1.0 |
Establish an alternate processing site | CMA_0262 - Establish an alternate processing site | Manual, Disabled | 1.1.0 |
Establish and maintain an asset inventory | CMA_0266 - Establish and maintain an asset inventory | Manual, Disabled | 1.1.0 |
Identify and mitigate potential issues at alternate storage site | CMA_C1271 - Identify and mitigate potential issues at alternate storage site | Manual, Disabled | 1.1.0 |
Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
Install an alarm system | CMA_0338 - Install an alarm system | Manual, Disabled | 1.1.0 |
Plan for continuance of essential business functions | CMA_C1255 - Plan for continuance of essential business functions | Manual, Disabled | 1.1.0 |
Review and update contingency planning policies and procedures | CMA_C1243 - Review and update contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
Review and update physical and environmental policies and procedures | CMA_C1446 - Review and update physical and environmental policies and procedures | Manual, Disabled | 1.1.0 |
Protection of facilities and infrastructure
ID: ENS v1 mp.if.7 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
Define a physical key management process | CMA_0115 - Define a physical key management process | Manual, Disabled | 1.1.0 |
Designate personnel to supervise unauthorized maintenance activities | CMA_C1422 - Designate personnel to supervise unauthorized maintenance activities | Manual, Disabled | 1.1.0 |
Establish and maintain an asset inventory | CMA_0266 - Establish and maintain an asset inventory | Manual, Disabled | 1.1.0 |
Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
Maintain list of authorized remote maintenance personnel | CMA_C1420 - Maintain list of authorized remote maintenance personnel | Manual, Disabled | 1.1.0 |
Manage maintenance personnel | CMA_C1421 - Manage maintenance personnel | Manual, Disabled | 1.1.0 |
Manage the input, output, processing, and storage of data | CMA_0369 - Manage the input, output, processing, and storage of data | Manual, Disabled | 1.1.0 |
Review and update contingency planning policies and procedures | CMA_C1243 - Review and update contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
Review and update physical and environmental policies and procedures | CMA_C1446 - Review and update physical and environmental policies and procedures | Manual, Disabled | 1.1.0 |
Information protection
ID: ENS v1 mp.info.1 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
Develop access control policies and procedures | CMA_0144 - Develop access control policies and procedures | Manual, Disabled | 1.1.0 |
Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
Develop audit and accountability policies and procedures | CMA_0154 - Develop audit and accountability policies and procedures | Manual, Disabled | 1.1.0 |
Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Manual, Disabled | 1.1.0 |
Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
Govern policies and procedures | CMA_0292 - Govern policies and procedures | Manual, Disabled | 1.1.0 |
Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
Manage compliance activities | CMA_0358 - Manage compliance activities | Manual, Disabled | 1.1.0 |
Manage the input, output, processing, and storage of data | CMA_0369 - Manage the input, output, processing, and storage of data | Manual, Disabled | 1.1.0 |
Protect the information security program plan | CMA_C1732 - Protect the information security program plan | Manual, Disabled | 1.1.0 |
Review access control policies and procedures | CMA_0457 - Review access control policies and procedures | Manual, Disabled | 1.1.0 |
Review and update configuration management policies and procedures | CMA_C1175 - Review and update configuration management policies and procedures | Manual, Disabled | 1.1.0 |
Review and update contingency planning policies and procedures | CMA_C1243 - Review and update contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
Review and update incident response policies and procedures | CMA_C1352 - Review and update incident response policies and procedures | Manual, Disabled | 1.1.0 |
Review and update information integrity policies and procedures | CMA_C1667 - Review and update information integrity policies and procedures | Manual, Disabled | 1.1.0 |
Review and update media protection policies and procedures | CMA_C1427 - Review and update media protection policies and procedures | Manual, Disabled | 1.1.0 |
Review and update personnel security policies and procedures | CMA_C1507 - Review and update personnel security policies and procedures | Manual, Disabled | 1.1.0 |
Review and update physical and environmental policies and procedures | CMA_C1446 - Review and update physical and environmental policies and procedures | Manual, Disabled | 1.1.0 |
Review and update planning policies and procedures | CMA_C1491 - Review and update planning policies and procedures | Manual, Disabled | 1.1.0 |
Review and update risk assessment policies and procedures | CMA_C1537 - Review and update risk assessment policies and procedures | Manual, Disabled | 1.1.0 |
Review and update system and communications protection policies and procedures | CMA_C1616 - Review and update system and communications protection policies and procedures | Manual, Disabled | 1.1.0 |
Review and update system and services acquisition policies and procedures | CMA_C1560 - Review and update system and services acquisition policies and procedures | Manual, Disabled | 1.1.0 |
Review and update system maintenance policies and procedures | CMA_C1395 - Review and update system maintenance policies and procedures | Manual, Disabled | 1.1.0 |
Review label activity and analytics | CMA_0474 - Review label activity and analytics | Manual, Disabled | 1.1.0 |
Review security assessment and authorization policies and procedures | CMA_C1143 - Review security assessment and authorization policies and procedures | Manual, Disabled | 1.1.0 |
Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
Update privacy plan, policies, and procedures | CMA_C1807 - Update privacy plan, policies, and procedures | Manual, Disabled | 1.1.0 |
Information protection
ID: ENS v1 mp.info.2 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0 |
Categorize information | CMA_0052 - Categorize information | Manual, Disabled | 1.1.0 |
Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
Create a data inventory | CMA_0096 - Create a data inventory | Manual, Disabled | 1.1.0 |
Define mobile device requirements | CMA_0122 - Define mobile device requirements | Manual, Disabled | 1.1.0 |
Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
Develop access control policies and procedures | CMA_0144 - Develop access control policies and procedures | Manual, Disabled | 1.1.0 |
Develop business classification schemes | CMA_0155 - Develop business classification schemes | Manual, Disabled | 1.1.0 |
Document and implement wireless access guidelines | CMA_0190 - Document and implement wireless access guidelines | Manual, Disabled | 1.1.0 |
Document mobility training | CMA_0191 - Document mobility training | Manual, Disabled | 1.1.0 |
Document remote access guidelines | CMA_0196 - Document remote access guidelines | Manual, Disabled | 1.1.0 |
Employ flow control mechanisms of encrypted information | CMA_0211 - Employ flow control mechanisms of encrypted information | Manual, Disabled | 1.1.0 |
Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Ensure security categorization is approved | CMA_C1540 - Ensure security categorization is approved | Manual, Disabled | 1.1.0 |
Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
Establish terms and conditions for accessing resources | CMA_C1076 - Establish terms and conditions for accessing resources | Manual, Disabled | 1.1.0 |
Establish terms and conditions for processing resources | CMA_C1077 - Establish terms and conditions for processing resources | Manual, Disabled | 1.1.0 |
Explicitly notify use of collaborative computing devices | CMA_C1649 - Explicitly notify use of collaborative computing devices | Manual, Disabled | 1.1.1 |
Govern policies and procedures | CMA_0292 - Govern policies and procedures | Manual, Disabled | 1.1.0 |
Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
Implement a fault tolerant name/address service | CMA_0305 - Implement a fault tolerant name/address service | Manual, Disabled | 1.1.0 |
Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Manual, Disabled | 1.1.0 |
Implement managed interface for each external service | CMA_C1626 - Implement managed interface for each external service | Manual, Disabled | 1.1.0 |
Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
Information flow control using security policy filters | CMA_C1029 - Information flow control using security policy filters | Manual, Disabled | 1.1.0 |
Maintain records of processing of personal data | CMA_0353 - Maintain records of processing of personal data | Manual, Disabled | 1.1.0 |
Manage the input, output, processing, and storage of data | CMA_0369 - Manage the input, output, processing, and storage of data | Manual, Disabled | 1.1.0 |
Produce, control and distribute asymmetric cryptographic keys | CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys | Manual, Disabled | 1.1.0 |
Prohibit remote activation of collaborative computing devices | CMA_C1648 - Prohibit remote activation of collaborative computing devices | Manual, Disabled | 1.1.0 |
Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
Protect wireless access | CMA_0411 - Protect wireless access | Manual, Disabled | 1.1.0 |
Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
Provide secure name and address resolution services | CMA_0416 - Provide secure name and address resolution services | Manual, Disabled | 1.1.0 |
Require interconnection security agreements | CMA_C1151 - Require interconnection security agreements | Manual, Disabled | 1.1.0 |
Review access control policies and procedures | CMA_0457 - Review access control policies and procedures | Manual, Disabled | 1.1.0 |
Review label activity and analytics | CMA_0474 - Review label activity and analytics | Manual, Disabled | 1.1.0 |
Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
Update interconnection security agreements | CMA_0519 - Update interconnection security agreements | Manual, Disabled | 1.1.0 |
Verify security controls for external information systems | CMA_0541 - Verify security controls for external information systems | Manual, Disabled | 1.1.0 |
Information protection
ID: ENS v1 mp.info.3 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 |
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 |
Authenticate to cryptographic module | CMA_0021 - Authenticate to cryptographic module | Manual, Disabled | 1.1.0 |
Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0 |
Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 1.2.0 |
Document and distribute a privacy policy | CMA_0188 - Document and distribute a privacy policy | Manual, Disabled | 1.1.0 |
Employ boundary protection to isolate information systems | CMA_C1639 - Employ boundary protection to isolate information systems | Manual, Disabled | 1.1.0 |
Employ flow control mechanisms of encrypted information | CMA_0211 - Employ flow control mechanisms of encrypted information | Manual, Disabled | 1.1.0 |
Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
Enforce user uniqueness | CMA_0250 - Enforce user uniqueness | Manual, Disabled | 1.1.0 |
Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
Identify and authenticate non-organizational users | CMA_C1346 - Identify and authenticate non-organizational users | Manual, Disabled | 1.1.0 |
Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
Implement a fault tolerant name/address service | CMA_0305 - Implement a fault tolerant name/address service | Manual, Disabled | 1.1.0 |
Implement privacy notice delivery methods | CMA_0324 - Implement privacy notice delivery methods | Manual, Disabled | 1.1.0 |
Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
Information flow control using security policy filters | CMA_C1029 - Information flow control using security policy filters | Manual, Disabled | 1.1.0 |
Prevent split tunneling for remote devices | CMA_C1632 - Prevent split tunneling for remote devices | Manual, Disabled | 1.1.0 |
Produce, control and distribute asymmetric cryptographic keys | CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys | Manual, Disabled | 1.1.0 |
Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
Provide privacy notice | CMA_0414 - Provide privacy notice | Manual, Disabled | 1.1.0 |
Provide secure name and address resolution services | CMA_0416 - Provide secure name and address resolution services | Manual, Disabled | 1.1.0 |
Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
Restrict communications | CMA_0449 - Restrict communications | Manual, Disabled | 1.1.0 |
Review and update system and communications protection policies and procedures | CMA_C1616 - Review and update system and communications protection policies and procedures | Manual, Disabled | 1.1.0 |
Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
Secure transfer to storage accounts should be enabled | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 2.0.0 |
Separate user and information system management functionality | CMA_0493 - Separate user and information system management functionality | Manual, Disabled | 1.1.0 |
Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign | Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed | Audit, Deny, Disabled | 1.1.0 |
Support personal verification credentials issued by legal authorities | CMA_0507 - Support personal verification credentials issued by legal authorities | Manual, Disabled | 1.1.0 |
Use dedicated machines for administrative tasks | CMA_0527 - Use dedicated machines for administrative tasks | Manual, Disabled | 1.1.0 |
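The two non-manual rows in this table, Secure transfer to storage accounts and the Service Fabric ClusterProtectionLevel policy, describe concrete resource settings rather than procedures. The Python below is an added example, not code from this page or from Microsoft's built-in policy definitions: it mirrors the conditions those two policies evaluate and runs them over constructed ARM-style resource JSON of the shape `az resource show` returns. The property paths `properties.supportsHttpsTrafficOnly` and `properties.fabricSettings[].parameters[]` follow the ARM resource schema; treating a missing setting as non-compliant and comparing values case-insensitively are assumptions about how to approximate the built-in rules, not a transcription of them.

```python
"""Local pre-check that approximates two built-in Azure Policy rules.

Added example. Not Microsoft's policy code; the real compliance state comes
from Azure Policy. Useful for checking exported templates or `az resource show`
output before a Deny assignment goes live.
"""
from __future__ import annotations

import json
from typing import Any, Callable

# Constructed sample resources; not captured from a real subscription.
SAMPLE_RESOURCES_JSON = """
[
  {"type": "Microsoft.Storage/storageAccounts", "name": "stgood",
   "properties": {"supportsHttpsTrafficOnly": true}},
  {"type": "Microsoft.Storage/storageAccounts", "name": "stlegacy",
   "properties": {"supportsHttpsTrafficOnly": false}},
  {"type": "Microsoft.Storage/storageAccounts", "name": "stunset",
   "properties": {}},
  {"type": "Microsoft.ServiceFabric/clusters", "name": "sfgood",
   "properties": {"fabricSettings": [{"name": "Security", "parameters": [
       {"name": "ClusterProtectionLevel", "value": "EncryptAndSign"}]}]}},
  {"type": "Microsoft.ServiceFabric/clusters", "name": "sfsignonly",
   "properties": {"fabricSettings": [{"name": "Security", "parameters": [
       {"name": "ClusterProtectionLevel", "value": "Sign"}]}]}},
  {"type": "Microsoft.ServiceFabric/clusters", "name": "sfunset",
   "properties": {"fabricSettings": []}},
  {"type": "Microsoft.Compute/virtualMachines", "name": "vm1", "properties": {}}
]
"""


def load_samples() -> list[dict[str, Any]]:
    """Parse the constructed sample resources."""
    return json.loads(SAMPLE_RESOURCES_JSON)


def _is_type(resource: dict[str, Any], rtype: str) -> bool:
    # Azure Policy compares resource types case-insensitively.
    return str(resource.get("type", "")).lower() == rtype.lower()


def storage_secure_transfer(resource: dict[str, Any]) -> bool | None:
    """'Secure transfer to storage accounts should be enabled'.

    Returns None if the rule does not apply, True if compliant, False if not.
    Assumption: a missing supportsHttpsTrafficOnly is non-compliant, because
    the account is then not known to reject plain HTTP.
    """
    if not _is_type(resource, "Microsoft.Storage/storageAccounts"):
        return None
    props = resource.get("properties") or {}
    return props.get("supportsHttpsTrafficOnly") is True


def service_fabric_protection_level(resource: dict[str, Any]) -> bool | None:
    """'Service Fabric clusters should have ClusterProtectionLevel = EncryptAndSign'.

    Walks fabricSettings for the Security section's ClusterProtectionLevel.
    Assumption: 'None', 'Sign' or an absent setting are all non-compliant,
    since only EncryptAndSign gives encrypted and signed node-to-node traffic.
    """
    if not _is_type(resource, "Microsoft.ServiceFabric/clusters"):
        return None
    props = resource.get("properties") or {}
    for section in props.get("fabricSettings") or []:
        if str(section.get("name", "")).lower() != "security":
            continue
        for param in section.get("parameters") or []:
            if str(param.get("name", "")).lower() == "clusterprotectionlevel":
                return str(param.get("value", "")).lower() == "encryptandsign"
    return False


RULES: dict[str, Callable[[dict[str, Any]], bool | None]] = {
    "SecureTransfer": storage_secure_transfer,
    "ClusterProtectionLevel": service_fabric_protection_level,
}


def evaluate(resources: list[dict[str, Any]]) -> dict[str, dict[str, bool]]:
    """Map resource name -> {rule name: compliant} for every applicable rule."""
    results: dict[str, dict[str, bool]] = {}
    for resource in resources:
        for rule_name, rule in RULES.items():
            verdict = rule(resource)
            if verdict is not None:  # None means the rule is out of scope
                results.setdefault(resource["name"], {})[rule_name] = verdict
    return results


def non_compliant(resources: list[dict[str, Any]]) -> list[str]:
    """Sorted names of resources failing at least one applicable rule."""
    return sorted(name for name, verdicts in evaluate(resources).items()
                  if not all(verdicts.values()))


if __name__ == "__main__":
    for name, verdicts in evaluate(load_samples()).items():
        print(name, verdicts)
    print("non-compliant:", non_compliant(load_samples()))
```

Resources outside both rules' scope (the sample VM) produce no verdict at all, which matches how Azure Policy reports only resources a definition applies to; a resource that is in scope but lacks the setting is flagged rather than silently passed.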
Information protection
ID: ENS v1 mp.info.4 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Audit diagnostic setting for selected resource types | Audit diagnostic setting for selected resource types. Be sure to select only resource types which support diagnostics settings. | AuditIfNotExists | 2.0.1 |
Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0 |
Compile Audit records into system wide audit | CMA_C1140 - Compile Audit records into system wide audit | Manual, Disabled | 1.1.0 |
Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
Dependency agent should be enabled for listed virtual machine images | Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated. | AuditIfNotExists, Disabled | 2.0.0 |
Employ boundary protection to isolate information systems | CMA_C1639 - Employ boundary protection to isolate information systems | Manual, Disabled | 1.1.0 |
Employ flow control mechanisms of encrypted information | CMA_0211 - Employ flow control mechanisms of encrypted information | Manual, Disabled | 1.1.0 |
Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
Enforce user uniqueness | CMA_0250 - Enforce user uniqueness | Manual, Disabled | 1.1.0 |
Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
Identify and authenticate non-organizational users | CMA_C1346 - Identify and authenticate non-organizational users | Manual, Disabled | 1.1.0 |
Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
Implement a fault tolerant name/address service | CMA_0305 - Implement a fault tolerant name/address service | Manual, Disabled | 1.1.0 |
Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
Information flow control using security policy filters | CMA_C1029 - Information flow control using security policy filters | Manual, Disabled | 1.1.0 |
Prevent split tunneling for remote devices | CMA_C1632 - Prevent split tunneling for remote devices | Manual, Disabled | 1.1.0 |
Produce, control and distribute asymmetric cryptographic keys | CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys | Manual, Disabled | 1.1.0 |
Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
Provide secure name and address resolution services | CMA_0416 - Provide secure name and address resolution services | Manual, Disabled | 1.1.0 |
Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
Separate user and information system management functionality | CMA_0493 - Separate user and information system management functionality | Manual, Disabled | 1.1.0 |
Support personal verification credentials issued by legal authorities | CMA_0507 - Support personal verification credentials issued by legal authorities | Manual, Disabled | 1.1.0 |
Use dedicated machines for administrative tasks | CMA_0527 - Use dedicated machines for administrative tasks | Manual, Disabled | 1.1.0 |
Use system clocks for audit records | CMA_0535 - Use system clocks for audit records | Manual, Disabled | 1.1.0 |
Information protection
ID: ENS v1 mp.info.5 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Manage the input, output, processing, and storage of data | CMA_0369 - Manage the input, output, processing, and storage of data | Manual, Disabled | 1.1.0 |
Review label activity and analytics | CMA_0474 - Review label activity and analytics | Manual, Disabled | 1.1.0 |
Information protection
ID: ENS v1 mp.info.6 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
[Preview]: Configure backup for blobs on storage accounts with a given tag to an existing backup vault in the same region | Enforce backup for blobs on all storage accounts that contain a given tag to a central backup vault. Doing this can help you manage backup of blobs contained across multiple storage accounts at scale. For more details, refer to https://aka.ms/AB-BlobBackupAzPolicies | DeployIfNotExists, AuditIfNotExists, Disabled | 2.0.0-preview |
[Preview]: Configure blob backup for all storage accounts that do not contain a given tag to a backup vault in the same region | Enforce backup for blobs on all storage accounts that do not contain a given tag to a central backup vault. Doing this can help you manage backup of blobs contained across multiple storage accounts at scale. For more details, refer to https://aka.ms/AB-BlobBackupAzPolicies | DeployIfNotExists, AuditIfNotExists, Disabled | 2.0.0-preview |
Adhere to retention periods defined | CMA_0004 - Adhere to retention periods defined | Manual, Disabled | 1.1.0 |
Azure Backup should be enabled for Virtual Machines | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | AuditIfNotExists, Disabled | 3.0.0 |
Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
Communicate contingency plan changes | CMA_C1249 - Communicate contingency plan changes | Manual, Disabled | 1.1.0 |
Conduct backup of information system documentation | CMA_C1289 - Conduct backup of information system documentation | Manual, Disabled | 1.1.0 |
Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. | auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled | 9.3.0 |
Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. | auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled | 9.3.0 |
Control maintenance and repair activities | CMA_0080 - Control maintenance and repair activities | Manual, Disabled | 1.1.0 |
Control use of portable storage devices | CMA_0083 - Control use of portable storage devices | Manual, Disabled | 1.1.0 |
Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
Create separate alternate and primary storage sites | CMA_C1269 - Create separate alternate and primary storage sites | Manual, Disabled | 1.1.0 |
Define requirements for managing assets | CMA_0125 - Define requirements for managing assets | Manual, Disabled | 1.1.0 |
Develop access control policies and procedures | CMA_0144 - Develop access control policies and procedures | Manual, Disabled | 1.1.0 |
Develop and document a business continuity and disaster recovery plan | CMA_0146 - Develop and document a business continuity and disaster recovery plan | Manual, Disabled | 1.1.0 |
Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
Develop audit and accountability policies and procedures | CMA_0154 - Develop audit and accountability policies and procedures | Manual, Disabled | 1.1.0 |
Develop contingency plan | CMA_C1244 - Develop contingency plan | Manual, Disabled | 1.1.0 |
Develop contingency planning policies and procedures | CMA_0156 - Develop contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Manual, Disabled | 1.1.0 |
Distribute policies and procedures | CMA_0185 - Distribute policies and procedures | Manual, Disabled | 1.1.0 |
Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
Ensure information system fails in known state | CMA_C1662 - Ensure information system fails in known state | Manual, Disabled | 1.1.0 |
Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
Establish an alternate processing site | CMA_0262 - Establish an alternate processing site | Manual, Disabled | 1.1.0 |
Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
Establish backup policies and procedures | CMA_0268 - Establish backup policies and procedures | Manual, Disabled | 1.1.0 |
Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
Govern policies and procedures | CMA_0292 - Govern policies and procedures | Manual, Disabled | 1.1.0 |
Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
Implement transaction based recovery | CMA_C1296 - Implement transaction based recovery | Manual, Disabled | 1.1.0 |
Manage nonlocal maintenance and diagnostic activities | CMA_0364 - Manage nonlocal maintenance and diagnostic activities | Manual, Disabled | 1.1.0 |
Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Manual, Disabled | 1.1.0 |
Perform disposition review | CMA_0391 - Perform disposition review | Manual, Disabled | 1.1.0 |
Plan for continuance of essential business functions | CMA_C1255 - Plan for continuance of essential business functions | Manual, Disabled | 1.1.0 |
Plan for resumption of essential business functions | CMA_C1253 - Plan for resumption of essential business functions | Manual, Disabled | 1.1.0 |
Protect the information security program plan | CMA_C1732 - Protect the information security program plan | Manual, Disabled | 1.1.0 |
Restrict media use | CMA_0450 - Restrict media use | Manual, Disabled | 1.1.0 |
Resume all mission and business functions | CMA_C1254 - Resume all mission and business functions | Manual, Disabled | 1.1.0 |
Review access control policies and procedures | CMA_0457 - Review access control policies and procedures | Manual, Disabled | 1.1.0 |
Review and update configuration management policies and procedures | CMA_C1175 - Review and update configuration management policies and procedures | Manual, Disabled | 1.1.0 |
Review and update contingency planning policies and procedures | CMA_C1243 - Review and update contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
Review and update incident response policies and procedures | CMA_C1352 - Review and update incident response policies and procedures | Manual, Disabled | 1.1.0 |
Review and update information integrity policies and procedures | CMA_C1667 - Review and update information integrity policies and procedures | Manual, Disabled | 1.1.0 |
Review and update media protection policies and procedures | CMA_C1427 - Review and update media protection policies and procedures | Manual, Disabled | 1.1.0 |
Review and update personnel security policies and procedures | CMA_C1507 - Review and update personnel security policies and procedures | Manual, Disabled | 1.1.0 |
Review and update physical and environmental policies and procedures | CMA_C1446 - Review and update physical and environmental policies and procedures | Manual, Disabled | 1.1.0 |
Review and update planning policies and procedures | CMA_C1491 - Review and update planning policies and procedures | Manual, Disabled | 1.1.0 |
Review and update risk assessment policies and procedures | CMA_C1537 - Review and update risk assessment policies and procedures | Manual, Disabled | 1.1.0 |
Review and update system and communications protection policies and procedures | CMA_C1616 - Review and update system and communications protection policies and procedures | Manual, Disabled | 1.1.0 |
Review and update system and services acquisition policies and procedures | CMA_C1560 - Review and update system and services acquisition policies and procedures | Manual, Disabled | 1.1.0 |
Review and update system maintenance policies and procedures | CMA_C1395 - Review and update system maintenance policies and procedures | Manual, Disabled | 1.1.0 |
Review contingency plan | CMA_C1247 - Review contingency plan | Manual, Disabled | 1.1.0 |
Review security assessment and authorization policies and procedures | CMA_C1143 - Review security assessment and authorization policies and procedures | Manual, Disabled | 1.1.0 |
Separately store backup information | CMA_C1293 - Separately store backup information | Manual, Disabled | 1.1.0 |
Transfer backup information to an alternate storage site | CMA_C1294 - Transfer backup information to an alternate storage site | Manual, Disabled | 1.1.0 |
Update contingency plan | CMA_C1248 - Update contingency plan | Manual, Disabled | 1.1.0 |
Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
Update privacy plan, policies, and procedures | CMA_C1807 - Update privacy plan, policies, and procedures | Manual, Disabled | 1.1.0 |
Verify personal data is deleted at the end of processing | CMA_0540 - Verify personal data is deleted at the end of processing | Manual, Disabled | 1.1.0 |
Staff management
ID: ENS v1 mp.per.1 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Clear personnel with access to classified information | CMA_0054 - Clear personnel with access to classified information | Manual, Disabled | 1.1.0 |
Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
Develop security safeguards | CMA_0161 - Develop security safeguards | Manual, Disabled | 1.1.0 |
Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
Document organizational access agreements | CMA_0192 - Document organizational access agreements | Manual, Disabled | 1.1.0 |
Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
Employ automated training environment | CMA_C1357 - Employ automated training environment | Manual, Disabled | 1.1.0 |
Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Ensure access agreements are signed or resigned timely | CMA_C1528 - Ensure access agreements are signed or resigned timely | Manual, Disabled | 1.1.0 |
Ensure privacy program information is publicly available | CMA_C1867 - Ensure privacy program information is publicly available | Manual, Disabled | 1.1.0 |
Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
Establish information security workforce development and improvement program | CMA_C1752 - Establish information security workforce development and improvement program | Manual, Disabled | 1.1.0 |
Implement personnel screening | CMA_0322 - Implement personnel screening | Manual, Disabled | 1.1.0 |
Implement privacy notice delivery methods | CMA_0324 - Implement privacy notice delivery methods | Manual, Disabled | 1.1.0 |
Monitor security and privacy training completion | CMA_0379 - Monitor security and privacy training completion | Manual, Disabled | 1.1.0 |
Obtain consent prior to collection or processing of personal data | CMA_0385 - Obtain consent prior to collection or processing of personal data | Manual, Disabled | 1.1.0 |
Provide contingency training | CMA_0412 - Provide contingency training | Manual, Disabled | 1.1.0 |
Provide information spillage training | CMA_0413 - Provide information spillage training | Manual, Disabled | 1.1.0 |
Provide periodic role-based security training | CMA_C1095 - Provide periodic role-based security training | Manual, Disabled | 1.1.0 |
Provide periodic security awareness training | CMA_C1091 - Provide periodic security awareness training | Manual, Disabled | 1.1.0 |
Provide privacy notice | CMA_0414 - Provide privacy notice | Manual, Disabled | 1.1.0 |
Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
Provide role-based security training | CMA_C1094 - Provide role-based security training | Manual, Disabled | 1.1.0 |
Provide security training before providing access | CMA_0418 - Provide security training before providing access | Manual, Disabled | 1.1.0 |
Provide security training for new users | CMA_0419 - Provide security training for new users | Manual, Disabled | 1.1.0 |
Require users to sign access agreement | CMA_0440 - Require users to sign access agreement | Manual, Disabled | 1.1.0 |
Rescreen individuals at a defined frequency | CMA_C1512 - Rescreen individuals at a defined frequency | Manual, Disabled | 1.1.0 |
Retain training records | CMA_0456 - Retain training records | Manual, Disabled | 1.1.0 |
Train personnel on disclosure of nonpublic information | CMA_C1084 - Train personnel on disclosure of nonpublic information | Manual, Disabled | 1.1.0 |
Update organizational access agreements | CMA_0520 - Update organizational access agreements | Manual, Disabled | 1.1.0 |
Staff management
ID: ENS v1 mp.per.2 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Conduct exit interview upon termination | CMA_0058 - Conduct exit interview upon termination | Manual, Disabled | 1.1.0 |
Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
Develop organization code of conduct policy | CMA_0159 - Develop organization code of conduct policy | Manual, Disabled | 1.1.0 |
Develop security safeguards | CMA_0161 - Develop security safeguards | Manual, Disabled | 1.1.0 |
Disable authenticators upon termination | CMA_0169 - Disable authenticators upon termination | Manual, Disabled | 1.1.0 |
Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
Document organizational access agreements | CMA_0192 - Document organizational access agreements | Manual, Disabled | 1.1.0 |
Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Ensure access agreements are signed or resigned timely | CMA_C1528 - Ensure access agreements are signed or resigned timely | Manual, Disabled | 1.1.0 |
Ensure privacy program information is publicly available | CMA_C1867 - Ensure privacy program information is publicly available | Manual, Disabled | 1.1.0 |
Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
Implement formal sanctions process | CMA_0317 - Implement formal sanctions process | Manual, Disabled | 1.1.0 |
Implement privacy notice delivery methods | CMA_0324 - Implement privacy notice delivery methods | Manual, Disabled | 1.1.0 |
Initiate transfer or reassignment actions | CMA_0333 - Initiate transfer or reassignment actions | Manual, Disabled | 1.1.0 |
Modify access authorizations upon personnel transfer | CMA_0374 - Modify access authorizations upon personnel transfer | Manual, Disabled | 1.1.0 |
Notify personnel upon sanctions | CMA_0380 - Notify personnel upon sanctions | Manual, Disabled | 1.1.0 |
Notify upon termination or transfer | CMA_0381 - Notify upon termination or transfer | Manual, Disabled | 1.1.0 |
Obtain consent prior to collection or processing of personal data | CMA_0385 - Obtain consent prior to collection or processing of personal data | Manual, Disabled | 1.1.0 |
Prohibit unfair practices | CMA_0396 - Prohibit unfair practices | Manual, Disabled | 1.1.0 |
Protect against and prevent data theft from departing employees | CMA_0398 - Protect against and prevent data theft from departing employees | Manual, Disabled | 1.1.0 |
Provide privacy notice | CMA_0414 - Provide privacy notice | Manual, Disabled | 1.1.0 |
Reevaluate access upon personnel transfer | CMA_0424 - Reevaluate access upon personnel transfer | Manual, Disabled | 1.1.0 |
Require users to sign access agreement | CMA_0440 - Require users to sign access agreement | Manual, Disabled | 1.1.0 |
Retain terminated user data | CMA_0455 - Retain terminated user data | Manual, Disabled | 1.1.0 |
Review and sign revised rules of behavior | CMA_0465 - Review and sign revised rules of behavior | Manual, Disabled | 1.1.0 |
Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
Update organizational access agreements | CMA_0520 - Update organizational access agreements | Manual, Disabled | 1.1.0 |
Update rules of behavior and access agreements | CMA_0521 - Update rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Update rules of behavior and access agreements every 3 years | CMA_0522 - Update rules of behavior and access agreements every 3 years | Manual, Disabled | 1.1.0 |
Staff management
ID: ENS v1 mp.per.3 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
Employ automated training environment | CMA_C1357 - Employ automated training environment | Manual, Disabled | 1.1.0 |
Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Establish information security workforce development and improvement program | CMA_C1752 - Establish information security workforce development and improvement program | Manual, Disabled | 1.1.0 |
Monitor security and privacy training completion | CMA_0379 - Monitor security and privacy training completion | Manual, Disabled | 1.1.0 |
Provide contingency training | CMA_0412 - Provide contingency training | Manual, Disabled | 1.1.0 |
Provide information spillage training | CMA_0413 - Provide information spillage training | Manual, Disabled | 1.1.0 |
Provide periodic role-based security training | CMA_C1095 - Provide periodic role-based security training | Manual, Disabled | 1.1.0 |
Provide periodic security awareness training | CMA_C1091 - Provide periodic security awareness training | Manual, Disabled | 1.1.0 |
Provide role-based security training | CMA_C1094 - Provide role-based security training | Manual, Disabled | 1.1.0 |
Provide security training before providing access | CMA_0418 - Provide security training before providing access | Manual, Disabled | 1.1.0 |
Provide security training for new users | CMA_0419 - Provide security training for new users | Manual, Disabled | 1.1.0 |
Retain training records | CMA_0456 - Retain training records | Manual, Disabled | 1.1.0 |
Train personnel on disclosure of nonpublic information | CMA_C1084 - Train personnel on disclosure of nonpublic information | Manual, Disabled | 1.1.0 |
Staff management
ID: ENS v1 mp.per.4 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
Employ automated training environment | CMA_C1357 - Employ automated training environment | Manual, Disabled | 1.1.0 |
Establish information security workforce development and improvement program | CMA_C1752 - Establish information security workforce development and improvement program | Manual, Disabled | 1.1.0 |
Monitor security and privacy training completion | CMA_0379 - Monitor security and privacy training completion | Manual, Disabled | 1.1.0 |
Provide contingency training | CMA_0412 - Provide contingency training | Manual, Disabled | 1.1.0 |
Provide information spillage training | CMA_0413 - Provide information spillage training | Manual, Disabled | 1.1.0 |
Provide periodic role-based security training | CMA_C1095 - Provide periodic role-based security training | Manual, Disabled | 1.1.0 |
Provide periodic security awareness training | CMA_C1091 - Provide periodic security awareness training | Manual, Disabled | 1.1.0 |
Provide role-based security training | CMA_C1094 - Provide role-based security training | Manual, Disabled | 1.1.0 |
Provide security training before providing access | CMA_0418 - Provide security training before providing access | Manual, Disabled | 1.1.0 |
Provide security training for new users | CMA_0419 - Provide security training for new users | Manual, Disabled | 1.1.0 |
Retain training records | CMA_0456 - Retain training records | Manual, Disabled | 1.1.0 |
Train personnel on disclosure of nonpublic information | CMA_C1084 - Train personnel on disclosure of nonpublic information | Manual, Disabled | 1.1.0 |
Protection of services
ID: ENS v1 mp.s.1 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
Develop security safeguards | CMA_0161 - Develop security safeguards | Manual, Disabled | 1.1.0 |
Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
Document organizational access agreements | CMA_0192 - Document organizational access agreements | Manual, Disabled | 1.1.0 |
Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
Employ automated training environment | CMA_C1357 - Employ automated training environment | Manual, Disabled | 1.1.0 |
Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Ensure access agreements are signed or resigned timely | CMA_C1528 - Ensure access agreements are signed or resigned timely | Manual, Disabled | 1.1.0 |
Ensure privacy program information is publicly available | CMA_C1867 - Ensure privacy program information is publicly available | Manual, Disabled | 1.1.0 |
Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
Establish information security workforce development and improvement program | CMA_C1752 - Establish information security workforce development and improvement program | Manual, Disabled | 1.1.0 |
Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
Implement a fault tolerant name/address service | CMA_0305 - Implement a fault tolerant name/address service | Manual, Disabled | 1.1.0 |
Implement privacy notice delivery methods | CMA_0324 - Implement privacy notice delivery methods | Manual, Disabled | 1.1.0 |
Monitor security and privacy training completion | CMA_0379 - Monitor security and privacy training completion | Manual, Disabled | 1.1.0 |
Obtain consent prior to collection or processing of personal data | CMA_0385 - Obtain consent prior to collection or processing of personal data | Manual, Disabled | 1.1.0 |
Produce, control and distribute asymmetric cryptographic keys | CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys | Manual, Disabled | 1.1.0 |
Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
Provide contingency training | CMA_0412 - Provide contingency training | Manual, Disabled | 1.1.0 |
Provide information spillage training | CMA_0413 - Provide information spillage training | Manual, Disabled | 1.1.0 |
Provide periodic role-based security training | CMA_C1095 - Provide periodic role-based security training | Manual, Disabled | 1.1.0 |
Provide periodic security awareness training | CMA_C1091 - Provide periodic security awareness training | Manual, Disabled | 1.1.0 |
Provide privacy notice | CMA_0414 - Provide privacy notice | Manual, Disabled | 1.1.0 |
Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
Provide role-based security training | CMA_C1094 - Provide role-based security training | Manual, Disabled | 1.1.0 |
Provide secure name and address resolution services | CMA_0416 - Provide secure name and address resolution services | Manual, Disabled | 1.1.0 |
Provide security training before providing access | CMA_0418 - Provide security training before providing access | Manual, Disabled | 1.1.0 |
Provide security training for new users | CMA_0419 - Provide security training for new users | Manual, Disabled | 1.1.0 |
Require users to sign access agreement | CMA_0440 - Require users to sign access agreement | Manual, Disabled | 1.1.0 |
Retain training records | CMA_0456 - Retain training records | Manual, Disabled | 1.1.0 |
Train personnel on disclosure of nonpublic information | CMA_C1084 - Train personnel on disclosure of nonpublic information | Manual, Disabled | 1.1.0 |
Update organizational access agreements | CMA_0520 - Update organizational access agreements | Manual, Disabled | 1.1.0 |
Protection of services
ID: ENS v1 mp.s.2 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 |
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 |
Assign account managers | CMA_0015 - Assign account managers | Manual, Disabled | 1.1.0 |
Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
Audit usage of custom RBAC roles | Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error-prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | Audit, Disabled | 1.0.1 |
Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0 |
Automate account management | CMA_0026 - Automate account management | Manual, Disabled | 1.1.0 |
Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
Define information system account types | CMA_0121 - Define information system account types | Manual, Disabled | 1.1.0 |
Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 3.1.0 |
Design an access control model | CMA_0129 - Design an access control model | Manual, Disabled | 1.1.0 |
Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
Develop access control policies and procedures | CMA_0144 - Develop access control policies and procedures | Manual, Disabled | 1.1.0 |
Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
Develop audit and accountability policies and procedures | CMA_0154 - Develop audit and accountability policies and procedures | Manual, Disabled | 1.1.0 |
Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Manual, Disabled | 1.1.0 |
Disable authenticators upon termination | CMA_0169 - Disable authenticators upon termination | Manual, Disabled | 1.1.0 |
Document access privileges | CMA_0186 - Document access privileges | Manual, Disabled | 1.1.0 |
Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
Employ boundary protection to isolate information systems | CMA_C1639 - Employ boundary protection to isolate information systems | Manual, Disabled | 1.1.0 |
Employ flow control mechanisms of encrypted information | CMA_0211 - Employ flow control mechanisms of encrypted information | Manual, Disabled | 1.1.0 |
Employ least privilege access | CMA_0212 - Employ least privilege access | Manual, Disabled | 1.1.0 |
Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
Enforce user uniqueness | CMA_0250 - Enforce user uniqueness | Manual, Disabled | 1.1.0 |
Establish a password policy | CMA_0256 - Establish a password policy | Manual, Disabled | 1.1.0 |
Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
Establish authenticator types and processes | CMA_0267 - Establish authenticator types and processes | Manual, Disabled | 1.1.0 |
Establish conditions for role membership | CMA_0269 - Establish conditions for role membership | Manual, Disabled | 1.1.0 |
Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
Establish privacy requirements for contractors and service providers | CMA_C1810 - Establish privacy requirements for contractors and service providers | Manual, Disabled | 1.1.0 |
Establish procedures for initial authenticator distribution | CMA_0276 - Establish procedures for initial authenticator distribution | Manual, Disabled | 1.1.0 |
Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
Govern policies and procedures | CMA_0292 - Govern policies and procedures | Manual, Disabled | 1.1.0 |
Identify and authenticate non-organizational users | CMA_C1346 - Identify and authenticate non-organizational users | Manual, Disabled | 1.1.0 |
Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
Implement a fault tolerant name/address service | CMA_0305 - Implement a fault tolerant name/address service | Manual, Disabled | 1.1.0 |
Implement parameters for memorized secret verifiers | CMA_0321 - Implement parameters for memorized secret verifiers | Manual, Disabled | 1.1.0 |
Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
Implement training for protecting authenticators | CMA_0329 - Implement training for protecting authenticators | Manual, Disabled | 1.1.0 |
Information flow control using security policy filters | CMA_C1029 - Information flow control using security policy filters | Manual, Disabled | 1.1.0 |
Limit privileges to make changes in production environment | CMA_C1206 - Limit privileges to make changes in production environment | Manual, Disabled | 1.1.0 |
Manage authenticator lifetime and reuse | CMA_0355 - Manage authenticator lifetime and reuse | Manual, Disabled | 1.1.0 |
Manage Authenticators | CMA_C1321 - Manage Authenticators | Manual, Disabled | 1.1.0 |
Manage compliance activities | CMA_0358 - Manage compliance activities | Manual, Disabled | 1.1.0 |
Manage system and admin accounts | CMA_0368 - Manage system and admin accounts | Manual, Disabled | 1.1.0 |
Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
Monitor privileged role assignment | CMA_0378 - Monitor privileged role assignment | Manual, Disabled | 1.1.0 |
Notify Account Managers of customer controlled accounts | CMA_C1009 - Notify Account Managers of customer controlled accounts | Manual, Disabled | 1.1.0 |
Notify when account is not needed | CMA_0383 - Notify when account is not needed | Manual, Disabled | 1.1.0 |
Prevent split tunneling for remote devices | CMA_C1632 - Prevent split tunneling for remote devices | Manual, Disabled | 1.1.0 |
Produce, control and distribute asymmetric cryptographic keys | CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys | Manual, Disabled | 1.1.0 |
Protect the information security program plan | CMA_C1732 - Protect the information security program plan | Manual, Disabled | 1.1.0 |
Provide secure name and address resolution services | CMA_0416 - Provide secure name and address resolution services | Manual, Disabled | 1.1.0 |
Refresh authenticators | CMA_0425 - Refresh authenticators | Manual, Disabled | 1.1.0 |
Reissue authenticators for changed groups and accounts | CMA_0426 - Reissue authenticators for changed groups and accounts | Manual, Disabled | 1.1.0 |
Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
Review access control policies and procedures | CMA_0457 - Review access control policies and procedures | Manual, Disabled | 1.1.0 |
Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
Review and reevaluate privileges | CMA_C1207 - Review and reevaluate privileges | Manual, Disabled | 1.1.0 |
Review and update configuration management policies and procedures | CMA_C1175 - Review and update configuration management policies and procedures | Manual, Disabled | 1.1.0 |
Review and update contingency planning policies and procedures | CMA_C1243 - Review and update contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
Review and update incident response policies and procedures | CMA_C1352 - Review and update incident response policies and procedures | Manual, Disabled | 1.1.0 |
Review and update information integrity policies and procedures | CMA_C1667 - Review and update information integrity policies and procedures | Manual, Disabled | 1.1.0 |
Review and update media protection policies and procedures | CMA_C1427 - Review and update media protection policies and procedures | Manual, Disabled | 1.1.0 |
Review and update personnel security policies and procedures | CMA_C1507 - Review and update personnel security policies and procedures | Manual, Disabled | 1.1.0 |
Review and update physical and environmental policies and procedures | CMA_C1446 - Review and update physical and environmental policies and procedures | Manual, Disabled | 1.1.0 |
Review and update planning policies and procedures | CMA_C1491 - Review and update planning policies and procedures | Manual, Disabled | 1.1.0 |
Review and update risk assessment policies and procedures | CMA_C1537 - Review and update risk assessment policies and procedures | Manual, Disabled | 1.1.0 |
Review and update system and communications protection policies and procedures | CMA_C1616 - Review and update system and communications protection policies and procedures | Manual, Disabled | 1.1.0 |
Review and update system and services acquisition policies and procedures | CMA_C1560 - Review and update system and services acquisition policies and procedures | Manual, Disabled | 1.1.0 |
Review and update system maintenance policies and procedures | CMA_C1395 - Review and update system maintenance policies and procedures | Manual, Disabled | 1.1.0 |
Review security assessment and authorization policies and procedures | CMA_C1143 - Review security assessment and authorization policies and procedures | Manual, Disabled | 1.1.0 |
Review user accounts | CMA_0480 - Review user accounts | Manual, Disabled | 1.1.0 |
Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
Revoke privileged roles as appropriate | CMA_0483 - Revoke privileged roles as appropriate | Manual, Disabled | 1.1.0 |
Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
Separate user and information system management functionality | CMA_0493 - Separate user and information system management functionality | Manual, Disabled | 1.1.0 |
Service Fabric clusters should only use Azure Active Directory for client authentication | Audit usage of client authentication only via Azure Active Directory in Service Fabric | Audit, Deny, Disabled | 1.1.0 |
Support personal verification credentials issued by legal authorities | CMA_0507 - Support personal verification credentials issued by legal authorities | Manual, Disabled | 1.1.0 |
Terminate customer controlled account credentials | CMA_C1022 - Terminate customer controlled account credentials | Manual, Disabled | 1.1.0 |
Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
Update privacy plan, policies, and procedures | CMA_C1807 - Update privacy plan, policies, and procedures | Manual, Disabled | 1.1.0 |
Use dedicated machines for administrative tasks | CMA_0527 - Use dedicated machines for administrative tasks | Manual, Disabled | 1.1.0 |
Use privileged identity management | CMA_0533 - Use privileged identity management | Manual, Disabled | 1.1.0 |
Verify identity before distributing authenticators | CMA_0538 - Verify identity before distributing authenticators | Manual, Disabled | 1.1.0 |
Protection of services
ID: ENS v1 mp.s.3 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
App Service app slots should be injected into a virtual network | Injecting App Service Apps in a virtual network unlocks advanced App Service networking and security features and provides you with greater control over your network security configuration. Learn more at: https://docs.microsoft.com/azure/app-service/web-sites-integrate-with-vnet. | Audit, Deny, Disabled | 1.0.0 |
App Service app slots should use latest 'HTTP Version' | Periodically, newer versions of HTTP are released, either to fix security flaws or to add functionality. Use the latest HTTP version for web apps to take advantage of security fixes, if any, and/or the new functionality of the newer version. | AuditIfNotExists, Disabled | 1.0.0 |
App Service apps should be injected into a virtual network | Injecting App Service Apps in a virtual network unlocks advanced App Service networking and security features and provides you with greater control over your network security configuration. Learn more at: https://docs.microsoft.com/azure/app-service/web-sites-integrate-with-vnet. | Audit, Deny, Disabled | 3.0.0 |
App Service apps should have authentication enabled | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the web app, or authenticate those that have tokens before they reach the web app. | AuditIfNotExists, Disabled | 2.0.1 |
App Service apps should use latest 'HTTP Version' | Periodically, newer versions of HTTP are released, either to fix security flaws or to add functionality. Use the latest HTTP version for web apps to take advantage of security fixes, if any, and/or the new functionality of the newer version. | AuditIfNotExists, Disabled | 4.0.0 |
Azure Application Gateway should have Resource logs enabled | Enable Resource logs for Azure Application Gateway (plus WAF) and stream to a Log Analytics workspace. Get detailed visibility into inbound web traffic and actions taken to mitigate attacks. | AuditIfNotExists, Disabled | 1.0.0 |
Azure Defender for App Service should be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | AuditIfNotExists, Disabled | 1.0.3 |
Azure Front Door should have Resource logs enabled | Enable Resource logs for Azure Front Door (plus WAF) and stream to a Log Analytics workspace. Get detailed visibility into inbound web traffic and actions taken to mitigate attacks. | AuditIfNotExists, Disabled | 1.0.0 |
Azure Front Door Standard or Premium (Plus WAF) should have resource logs enabled | Enable Resource logs for Azure Front Door Standard or Premium (plus WAF) and stream to a Log Analytics workspace. Get detailed visibility into inbound web traffic and actions taken to mitigate attacks. | AuditIfNotExists, Disabled | 1.0.0 |
Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters | Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. | Audit, Disabled | 1.0.2 |
Azure Web Application Firewall on Azure Application Gateway should have request body inspection enabled | Ensure that Web Application Firewalls associated with Azure Application Gateways have request body inspection enabled. This allows the WAF to inspect properties within the HTTP body that may not be evaluated in the HTTP headers, cookies, or URI. | Audit, Deny, Disabled | 1.0.0 |
Azure Web Application Firewall on Azure Front Door should have request body inspection enabled | Ensure that Web Application Firewalls associated with Azure Front Doors have request body inspection enabled. This allows the WAF to inspect properties within the HTTP body that may not be evaluated in the HTTP headers, cookies, or URI. | Audit, Deny, Disabled | 1.0.0 |
Azure Web Application Firewall should be enabled for Azure Front Door entry-points | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Audit, Deny, Disabled | 1.0.2 |
Azure Web PubSub Service should disable public network access | Disabling public network access improves security by ensuring that Azure Web PubSub service isn't exposed on the public internet. Creating private endpoints can limit exposure of Azure Web PubSub service. Learn more at: https://aka.ms/awps/networkacls. | Audit, Deny, Disabled | 1.0.0 |
Azure Web PubSub Service should enable diagnostic logs | Audit enabling of diagnostic logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 1.0.0 |
Azure Web PubSub Service should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Azure Web PubSub Service exclusively requires Azure Active Directory identities for authentication. | Audit, Deny, Disabled | 1.0.0 |
Azure Web PubSub Service should use a SKU that supports private link | With a supported SKU, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Web PubSub service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/awps/privatelink. | Audit, Deny, Disabled | 1.0.0 |
Azure Web PubSub Service should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Web PubSub Service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/awps/privatelink. | Audit, Disabled | 1.0.0 |
Configure a private DNS Zone ID for web groupID | Configure private DNS zone group to override the DNS resolution for a web groupID private endpoint. | DeployIfNotExists, Disabled | 1.0.0 |
Configure a private DNS Zone ID for web_secondary groupID | Configure private DNS zone group to override the DNS resolution for a web_secondary groupID private endpoint. | DeployIfNotExists, Disabled | 1.0.0 |
Configure Azure Defender for App Service to be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | DeployIfNotExists, Disabled | 1.0.1 |
Configure Azure Web PubSub Service to disable local authentication | Disable local authentication methods so that your Azure Web PubSub Service exclusively requires Azure Active Directory identities for authentication. | Modify, Disabled | 1.0.0 |
Configure Azure Web PubSub Service to disable public network access | Disable public network access for your Azure Web PubSub resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/awps/networkacls. | Modify, Disabled | 1.0.0 |
Configure Azure Web PubSub Service to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Web PubSub service. Learn more at: https://aka.ms/awps/privatelink. | DeployIfNotExists, Disabled | 1.0.0 |
Configure Azure Web PubSub Service with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Web PubSub service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/awps/privatelink. | DeployIfNotExists, Disabled | 1.0.0 |
Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
Employ automated training environment | CMA_C1357 - Employ automated training environment | Manual, Disabled | 1.1.0 |
Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Web PubSub Service (microsoft.signalrservice/webpubsub). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.2.0 |
Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Web PubSub Service (microsoft.signalrservice/webpubsub). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.1.0 |
Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Web PubSub Service (microsoft.signalrservice/webpubsub). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.1.0 |
Enable Rate Limit rule to protect against DDoS attacks on Azure Front Door WAF | The Azure Web Application Firewall (WAF) rate limit rule for Azure Front Door controls the number of requests allowed from a particular client IP address to the application during a rate limit duration. | Audit, Deny, Disabled | 1.0.0 |
Establish information security workforce development and improvement program | CMA_C1752 - Establish information security workforce development and improvement program | Manual, Disabled | 1.1.0 |
Function app slots should use latest 'HTTP Version' | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Use the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. | AuditIfNotExists, Disabled | 1.0.0 |
Function apps should use latest 'HTTP Version' | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Use the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. | AuditIfNotExists, Disabled | 4.0.0 |
Microsoft Managed Control 1829 - Data Integrity And Data Integrity Board \| Publish Agreements on Website | Microsoft implements this Data Quality and Integrity control | audit | 1.0.0 |
Microsoft Managed Control 1865 - System of Records Notices And Privacy Act Statements \| Public Website Publication | Microsoft implements this Transparency control | audit | 1.0.0 |
Monitor security and privacy training completion | CMA_0379 - Monitor security and privacy training completion | Manual, Disabled | 1.1.0 |
Provide contingency training | CMA_0412 - Provide contingency training | Manual, Disabled | 1.1.0 |
Provide information spillage training | CMA_0413 - Provide information spillage training | Manual, Disabled | 1.1.0 |
Provide periodic role-based security training | CMA_C1095 - Provide periodic role-based security training | Manual, Disabled | 1.1.0 |
Provide periodic security awareness training | CMA_C1091 - Provide periodic security awareness training | Manual, Disabled | 1.1.0 |
Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
Provide role-based security training | CMA_C1094 - Provide role-based security training | Manual, Disabled | 1.1.0 |
Provide security training before providing access | CMA_0418 - Provide security training before providing access | Manual, Disabled | 1.1.0 |
Provide security training for new users | CMA_0419 - Provide security training for new users | Manual, Disabled | 1.1.0 |
Publish Computer Matching Agreements on public website | CMA_C1829 - Publish Computer Matching Agreements on public website | Manual, Disabled | 1.1.0 |
Retain training records | CMA_0456 - Retain training records | Manual, Disabled | 1.1.0 |
Train personnel on disclosure of nonpublic information | CMA_C1084 - Train personnel on disclosure of nonpublic information | Manual, Disabled | 1.1.0 |
Web Application Firewall (WAF) should be enabled for Application Gateway | Deploy Azure Web Application Firewall (WAF) in front of public-facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injection, Cross-Site Scripting, and local and remote file execution. You can also restrict access to your web applications by country, IP address range, and other HTTP(S) parameters via custom rules. | Audit, Deny, Disabled | 2.0.0 |
Web Application Firewall (WAF) should use the specified mode for Application Gateway | Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Application Gateway. | Audit, Deny, Disabled | 1.0.0 |
Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service | Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Azure Front Door Service. | Audit, Deny, Disabled | 1.0.0 |
Protection of services
ID: ENS v1 mp.s.4 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Azure DDoS Protection should be enabled | DDoS protection should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | AuditIfNotExists, Disabled | 3.0.1 |
Conduct capacity planning | CMA_C1252 - Conduct capacity planning | Manual, Disabled | 1.1.0 |
Develop and document a DDoS response plan | CMA_0147 - Develop and document a DDoS response plan | Manual, Disabled | 1.1.0 |
Enable Rate Limit rule to protect against DDoS attacks on Azure Front Door WAF | The Azure Web Application Firewall (WAF) rate limit rule for Azure Front Door controls the number of requests allowed from a particular client IP address to the application during a rate limit duration. | Audit, Deny, Disabled | 1.0.0 |
Govern and monitor audit processing activities | CMA_0289 - Govern and monitor audit processing activities | Manual, Disabled | 1.1.0 |
Public IP addresses should have resource logs enabled for Azure DDoS Protection | Enable resource logs for public IP addresses in diagnostic settings to stream to a Log Analytics workspace. Get detailed visibility into attack traffic and actions taken to mitigate DDoS attacks via notifications, reports and flow logs. | AuditIfNotExists, DeployIfNotExists, Disabled | 1.0.1 |
Virtual networks should be protected by Azure DDoS Protection | Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Protection. For more information, visit https://aka.ms/ddosprotectiondocs. | Modify, Audit, Disabled | 1.0.1 |
Protection of information media
ID: ENS v1 mp.si.1 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Categorize information | CMA_0052 - Categorize information | Manual, Disabled | 1.1.0 |
Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
Develop business classification schemes | CMA_0155 - Develop business classification schemes | Manual, Disabled | 1.1.0 |
Ensure security categorization is approved | CMA_C1540 - Ensure security categorization is approved | Manual, Disabled | 1.1.0 |
Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Manage the input, output, processing, and storage of data | CMA_0369 - Manage the input, output, processing, and storage of data | Manual, Disabled | 1.1.0 |
Review label activity and analytics | CMA_0474 - Review label activity and analytics | Manual, Disabled | 1.1.0 |
Protection of information media
ID: ENS v1 mp.si.2 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 |
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 |
Adhere to retention periods defined | CMA_0004 - Adhere to retention periods defined | Manual, Disabled | 1.1.0 |
Authenticate to cryptographic module | CMA_0021 - Authenticate to cryptographic module | Manual, Disabled | 1.1.0 |
Conduct backup of information system documentation | CMA_C1289 - Conduct backup of information system documentation | Manual, Disabled | 1.1.0 |
Create separate alternate and primary storage sites | CMA_C1269 - Create separate alternate and primary storage sites | Manual, Disabled | 1.1.0 |
Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
Define mobile device requirements | CMA_0122 - Define mobile device requirements | Manual, Disabled | 1.1.0 |
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 1.2.0 |
Document and distribute a privacy policy | CMA_0188 - Document and distribute a privacy policy | Manual, Disabled | 1.1.0 |
Ensure information system fails in known state | CMA_C1662 - Ensure information system fails in known state | Manual, Disabled | 1.1.0 |
Ensure security safeguards not needed when the individuals return | CMA_C1183 - Ensure security safeguards not needed when the individuals return | Manual, Disabled | 1.1.0 |
Establish an alternate processing site | CMA_0262 - Establish an alternate processing site | Manual, Disabled | 1.1.0 |
Establish backup policies and procedures | CMA_0268 - Establish backup policies and procedures | Manual, Disabled | 1.1.0 |
Establish terms and conditions for accessing resources | CMA_C1076 - Establish terms and conditions for accessing resources | Manual, Disabled | 1.1.0 |
Establish terms and conditions for processing resources | CMA_C1077 - Establish terms and conditions for processing resources | Manual, Disabled | 1.1.0 |
Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Manual, Disabled | 1.1.0 |
Implement privacy notice delivery methods | CMA_0324 - Implement privacy notice delivery methods | Manual, Disabled | 1.1.0 |
Implement transaction based recovery | CMA_C1296 - Implement transaction based recovery | Manual, Disabled | 1.1.0 |
Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Manual, Disabled | 1.1.0 |
Not allow for information systems to accompany with individuals | CMA_C1182 - Not allow for information systems to accompany with individuals | Manual, Disabled | 1.1.0 |
Perform disposition review | CMA_0391 - Perform disposition review | Manual, Disabled | 1.1.0 |
Plan for continuance of essential business functions | CMA_C1255 - Plan for continuance of essential business functions | Manual, Disabled | 1.1.0 |
Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
Provide privacy notice | CMA_0414 - Provide privacy notice | Manual, Disabled | 1.1.0 |
Restrict communications | CMA_0449 - Restrict communications | Manual, Disabled | 1.1.0 |
Review and update system and communications protection policies and procedures | CMA_C1616 - Review and update system and communications protection policies and procedures | Manual, Disabled | 1.1.0 |
Separately store backup information | CMA_C1293 - Separately store backup information | Manual, Disabled | 1.1.0 |
Transfer backup information to an alternate storage site | CMA_C1294 - Transfer backup information to an alternate storage site | Manual, Disabled | 1.1.0 |
Verify personal data is deleted at the end of processing | CMA_0540 - Verify personal data is deleted at the end of processing | Manual, Disabled | 1.1.0 |
Verify security controls for external information systems | CMA_0541 - Verify security controls for external information systems | Manual, Disabled | 1.1.0 |
Protection of information media
ID: ENS v1 mp.si.3 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
Control maintenance and repair activities | CMA_0080 - Control maintenance and repair activities | Manual, Disabled | 1.1.0 |
Control use of portable storage devices | CMA_0083 - Control use of portable storage devices | Manual, Disabled | 1.1.0 |
Create a data inventory | CMA_0096 - Create a data inventory | Manual, Disabled | 1.1.0 |
Define requirements for managing assets | CMA_0125 - Define requirements for managing assets | Manual, Disabled | 1.1.0 |
Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
Employ automated training environment | CMA_C1357 - Employ automated training environment | Manual, Disabled | 1.1.0 |
Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Establish information security workforce development and improvement program | CMA_C1752 - Establish information security workforce development and improvement program | Manual, Disabled | 1.1.0 |
Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Maintain records of processing of personal data | CMA_0353 - Maintain records of processing of personal data | Manual, Disabled | 1.1.0 |
Manage nonlocal maintenance and diagnostic activities | CMA_0364 - Manage nonlocal maintenance and diagnostic activities | Manual, Disabled | 1.1.0 |
Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Manual, Disabled | 1.1.0 |
Monitor security and privacy training completion | CMA_0379 - Monitor security and privacy training completion | Manual, Disabled | 1.1.0 |
Provide contingency training | CMA_0412 - Provide contingency training | Manual, Disabled | 1.1.0 |
Provide information spillage training | CMA_0413 - Provide information spillage training | Manual, Disabled | 1.1.0 |
Provide periodic role-based security training | CMA_C1095 - Provide periodic role-based security training | Manual, Disabled | 1.1.0 |
Provide periodic security awareness training | CMA_C1091 - Provide periodic security awareness training | Manual, Disabled | 1.1.0 |
Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
Provide role-based security training | CMA_C1094 - Provide role-based security training | Manual, Disabled | 1.1.0 |
Provide security training before providing access | CMA_0418 - Provide security training before providing access | Manual, Disabled | 1.1.0 |
Provide security training for new users | CMA_0419 - Provide security training for new users | Manual, Disabled | 1.1.0 |
Restrict media use | CMA_0450 - Restrict media use | Manual, Disabled | 1.1.0 |
Retain training records | CMA_0456 - Retain training records | Manual, Disabled | 1.1.0 |
Train personnel on disclosure of nonpublic information | CMA_C1084 - Train personnel on disclosure of nonpublic information | Manual, Disabled | 1.1.0 |
Protection of information media
ID: ENS v1 mp.si.4 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 |
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 |
Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
Control use of portable storage devices | CMA_0083 - Control use of portable storage devices | Manual, Disabled | 1.1.0 |
Define a physical key management process | CMA_0115 - Define a physical key management process | Manual, Disabled | 1.1.0 |
Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 1.2.0 |
Designate personnel to supervise unauthorized maintenance activities | CMA_C1422 - Designate personnel to supervise unauthorized maintenance activities | Manual, Disabled | 1.1.0 |
Document and distribute a privacy policy | CMA_0188 - Document and distribute a privacy policy | Manual, Disabled | 1.1.0 |
Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
Establish and maintain an asset inventory | CMA_0266 - Establish and maintain an asset inventory | Manual, Disabled | 1.1.0 |
Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
Implement privacy notice delivery methods | CMA_0324 - Implement privacy notice delivery methods | Manual, Disabled | 1.1.0 |
Maintain list of authorized remote maintenance personnel | CMA_C1420 - Maintain list of authorized remote maintenance personnel | Manual, Disabled | 1.1.0 |
Manage maintenance personnel | CMA_C1421 - Manage maintenance personnel | Manual, Disabled | 1.1.0 |
Manage the input, output, processing, and storage of data | CMA_0369 - Manage the input, output, processing, and storage of data | Manual, Disabled | 1.1.0 |
Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Manual, Disabled | 1.1.0 |
Provide privacy notice | CMA_0414 - Provide privacy notice | Manual, Disabled | 1.1.0 |
Restrict communications | CMA_0449 - Restrict communications | Manual, Disabled | 1.1.0 |
Restrict media use | CMA_0450 - Restrict media use | Manual, Disabled | 1.1.0 |
Review and update system and communications protection policies and procedures | CMA_C1616 - Review and update system and communications protection policies and procedures | Manual, Disabled | 1.1.0 |
Protection of information media
ID: ENS v1 mp.si.5 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Adhere to retention periods defined | CMA_0004 - Adhere to retention periods defined | Manual, Disabled | 1.1.0 |
Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
Control use of portable storage devices | CMA_0083 - Control use of portable storage devices | Manual, Disabled | 1.1.0 |
Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Manual, Disabled | 1.1.0 |
Perform disposition review | CMA_0391 - Perform disposition review | Manual, Disabled | 1.1.0 |
Restrict media use | CMA_0450 - Restrict media use | Manual, Disabled | 1.1.0 |
Verify personal data is deleted at the end of processing | CMA_0540 - Verify personal data is deleted at the end of processing | Manual, Disabled | 1.1.0 |
Protection of IT applications
ID: ENS v1 mp.sw.1 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Address coding vulnerabilities | CMA_0003 - Address coding vulnerabilities | Manual, Disabled | 1.1.0 |
Adhere to retention periods defined | CMA_0004 - Adhere to retention periods defined | Manual, Disabled | 1.1.0 |
Assess risk in third party relationships | CMA_0014 - Assess risk in third party relationships | Manual, Disabled | 1.1.0 |
Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
Define information security roles and responsibilities | CMA_C1565 - Define information security roles and responsibilities | Manual, Disabled | 1.1.0 |
Define requirements for supplying goods and services | CMA_0126 - Define requirements for supplying goods and services | Manual, Disabled | 1.1.0 |
Design an access control model | CMA_0129 - Design an access control model | Manual, Disabled | 1.1.0 |
Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
Develop and document application security requirements | CMA_0148 - Develop and document application security requirements | Manual, Disabled | 1.1.0 |
Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
Employ least privilege access | CMA_0212 - Employ least privilege access | Manual, Disabled | 1.1.0 |
Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
Ensure there are no unencrypted static authenticators | CMA_C1340 - Ensure there are no unencrypted static authenticators | Manual, Disabled | 1.1.0 |
Establish a secure software development program | CMA_0259 - Establish a secure software development program | Manual, Disabled | 1.1.0 |
Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
Establish policies for supply chain risk management | CMA_0275 - Establish policies for supply chain risk management | Manual, Disabled | 1.1.0 |
Identify individuals with security roles and responsibilities | CMA_C1566 - Identify individuals with security roles and responsibilities | Manual, Disabled | 1.1.1 |
Implement controls to protect PII | CMA_C1839 - Implement controls to protect PII | Manual, Disabled | 1.1.0 |
Incorporate security and data privacy practices in research processing | CMA_0331 - Incorporate security and data privacy practices in research processing | Manual, Disabled | 1.1.0 |
Integrate risk management process into SDLC | CMA_C1567 - Integrate risk management process into SDLC | Manual, Disabled | 1.1.0 |
Limit privileges to make changes in production environment | CMA_C1206 - Limit privileges to make changes in production environment | Manual, Disabled | 1.1.0 |
Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
Perform disposition review | CMA_0391 - Perform disposition review | Manual, Disabled | 1.1.0 |
Perform information input validation | CMA_C1723 - Perform information input validation | Manual, Disabled | 1.1.0 |
Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
Require developers to build security architecture | CMA_C1612 - Require developers to build security architecture | Manual, Disabled | 1.1.0 |
Require developers to describe accurate security functionality | CMA_C1613 - Require developers to describe accurate security functionality | Manual, Disabled | 1.1.0 |
Require developers to document approved changes and potential impact | CMA_C1597 - Require developers to document approved changes and potential impact | Manual, Disabled | 1.1.0 |
Require developers to implement only approved changes | CMA_C1596 - Require developers to implement only approved changes | Manual, Disabled | 1.1.0 |
Require developers to manage change integrity | CMA_C1595 - Require developers to manage change integrity | Manual, Disabled | 1.1.0 |
Require developers to produce evidence of security assessment plan execution | CMA_C1602 - Require developers to produce evidence of security assessment plan execution | Manual, Disabled | 1.1.0 |
Require developers to provide unified security protection approach | CMA_C1614 - Require developers to provide unified security protection approach | Manual, Disabled | 1.1.0 |
Review development process, standards and tools | CMA_C1610 - Review development process, standards and tools | Manual, Disabled | 1.1.0 |
Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
Verify personal data is deleted at the end of processing | CMA_0540 - Verify personal data is deleted at the end of processing | Manual, Disabled | 1.1.0 |
Protection of IT applications
ID: ENS v1 mp.sw.2 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Address coding vulnerabilities | CMA_0003 - Address coding vulnerabilities | Manual, Disabled | 1.1.0 |
Adhere to retention periods defined | CMA_0004 - Adhere to retention periods defined | Manual, Disabled | 1.1.0 |
Assess risk in third party relationships | CMA_0014 - Assess risk in third party relationships | Manual, Disabled | 1.1.0 |
Assess Security Controls | CMA_C1145 - Assess Security Controls | Manual, Disabled | 1.1.0 |
Assign an authorizing official (AO) | CMA_C1158 - Assign an authorizing official (AO) | Manual, Disabled | 1.1.0 |
Automate approval request for proposed changes | CMA_C1192 - Automate approval request for proposed changes | Manual, Disabled | 1.1.0 |
Automate implementation of approved change notifications | CMA_C1196 - Automate implementation of approved change notifications | Manual, Disabled | 1.1.0 |
Automate process to document implemented changes | CMA_C1195 - Automate process to document implemented changes | Manual, Disabled | 1.1.0 |
Automate process to highlight unreviewed change proposals | CMA_C1193 - Automate process to highlight unreviewed change proposals | Manual, Disabled | 1.1.0 |
Automate process to prohibit implementation of unapproved changes | CMA_C1194 - Automate process to prohibit implementation of unapproved changes | Manual, Disabled | 1.1.0 |
Automate proposed documented changes | CMA_C1191 - Automate proposed documented changes | Manual, Disabled | 1.1.0 |
Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
Conduct Risk Assessment | CMA_C1543 - Conduct Risk Assessment | Manual, Disabled | 1.1.0 |
Conduct risk assessment and distribute its results | CMA_C1544 - Conduct risk assessment and distribute its results | Manual, Disabled | 1.1.0 |
Conduct risk assessment and document its results | CMA_C1542 - Conduct risk assessment and document its results | Manual, Disabled | 1.1.0 |
Define requirements for supplying goods and services | CMA_0126 - Define requirements for supplying goods and services | Manual, Disabled | 1.1.0 |
Deliver security assessment results | CMA_C1147 - Deliver security assessment results | Manual, Disabled | 1.1.0 |
Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
Develop and document application security requirements | CMA_0148 - Develop and document application security requirements | Manual, Disabled | 1.1.0 |
Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Manual, Disabled | 1.1.0 |
Develop security assessment plan | CMA_C1144 - Develop security assessment plan | Manual, Disabled | 1.1.0 |
Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
Ensure resources are authorized | CMA_C1159 - Ensure resources are authorized | Manual, Disabled | 1.1.0 |
Ensure there are no unencrypted static authenticators | CMA_C1340 - Ensure there are no unencrypted static authenticators | Manual, Disabled | 1.1.0 |
Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
Establish a secure software development program | CMA_0259 - Establish a secure software development program | Manual, Disabled | 1.1.0 |
Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
Establish policies for supply chain risk management | CMA_0275 - Establish policies for supply chain risk management | Manual, Disabled | 1.1.0 |
Function apps that use Python should use a specified 'Python version' | Newer versions of Python are released periodically, either to fix security flaws or to add functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and of the new functionality in the latest version. This policy only applies to Linux apps. This policy requires you to specify a Python version that meets your requirements. | AuditIfNotExists, Disabled | 4.1.0 |
Govern compliance of cloud service providers | CMA_0290 - Govern compliance of cloud service providers | Manual, Disabled | 1.1.0 |
Implement controls to protect PII | CMA_C1839 - Implement controls to protect PII | Manual, Disabled | 1.1.0 |
Incorporate flaw remediation into configuration management | CMA_C1671 - Incorporate flaw remediation into configuration management | Manual, Disabled | 1.1.0 |
Incorporate security and data privacy practices in research processing | CMA_0331 - Incorporate security and data privacy practices in research processing | Manual, Disabled | 1.1.0 |
Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
Perform disposition review | CMA_0391 - Perform disposition review | Manual, Disabled | 1.1.0 |
Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
Produce Security Assessment report | CMA_C1146 - Produce Security Assessment report | Manual, Disabled | 1.1.0 |
Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
Require developers to document approved changes and potential impact | CMA_C1597 - Require developers to document approved changes and potential impact | Manual, Disabled | 1.1.0 |
Require developers to implement only approved changes | CMA_C1596 - Require developers to implement only approved changes | Manual, Disabled | 1.1.0 |
Require developers to manage change integrity | CMA_C1595 - Require developers to manage change integrity | Manual, Disabled | 1.1.0 |
Require developers to produce evidence of security assessment plan execution | CMA_C1602 - Require developers to produce evidence of security assessment plan execution | Manual, Disabled | 1.1.0 |
Select additional testing for security control assessments | CMA_C1149 - Select additional testing for security control assessments | Manual, Disabled | 1.1.0 |
SQL databases should have vulnerability findings resolved | Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. | AuditIfNotExists, Disabled | 4.1.0 |
Verify personal data is deleted at the end of processing | CMA_0540 - Verify personal data is deleted at the end of processing | Manual, Disabled | 1.1.0 |
View and configure system diagnostic data | CMA_0544 - View and configure system diagnostic data | Manual, Disabled | 1.1.0 |
Operational framework
Access control
ID: ENS v1 op.acc.1 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Accounts with owner permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
Accounts with read permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
Accounts with write permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 |
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 |
Assign account managers | CMA_0015 - Assign account managers | Manual, Disabled | 1.1.0 |
Assign system identifiers | CMA_0018 - Assign system identifiers | Manual, Disabled | 1.1.0 |
Audit Linux machines that do not have the passwd file permissions set to 0644 | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Linux machines are non-compliant if they do not have the passwd file permissions set to 0644 | AuditIfNotExists, Disabled | 3.1.0 |
Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
Audit usage of custom RBAC roles | Audits the use of custom RBAC roles; built-in roles such as 'Owner, Contributor, Reader' should be used instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | Audit, Disabled | 1.0.1 |
Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
Automate account management | CMA_0026 - Automate account management | Manual, Disabled | 1.1.0 |
Blocked accounts with owner permissions on Azure resources should be removed | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 1.0.0 |
Blocked accounts with read and write permissions on Azure resources should be removed | Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 1.0.0 |
Define information system account types | CMA_0121 - Define information system account types | Manual, Disabled | 1.1.0 |
Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 3.1.0 |
Design an access control model | CMA_0129 - Design an access control model | Manual, Disabled | 1.1.0 |
Disable authenticators upon termination | CMA_0169 - Disable authenticators upon termination | Manual, Disabled | 1.1.0 |
Document access privileges | CMA_0186 - Document access privileges | Manual, Disabled | 1.1.0 |
Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Employ least privilege access | CMA_0212 - Employ least privilege access | Manual, Disabled | 1.1.0 |
Enable detection of network devices | CMA_0220 - Enable detection of network devices | Manual, Disabled | 1.1.0 |
Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
Enforce user uniqueness | CMA_0250 - Enforce user uniqueness | Manual, Disabled | 1.1.0 |
Establish a password policy | CMA_0256 - Establish a password policy | Manual, Disabled | 1.1.0 |
Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
Establish authenticator types and processes | CMA_0267 - Establish authenticator types and processes | Manual, Disabled | 1.1.0 |
Establish conditions for role membership | CMA_0269 - Establish conditions for role membership | Manual, Disabled | 1.1.0 |
Establish procedures for initial authenticator distribution | CMA_0276 - Establish procedures for initial authenticator distribution | Manual, Disabled | 1.1.0 |
Guest accounts with owner permissions on Azure resources should be removed | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 |
Guest accounts with write permissions on Azure resources should be removed | External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 |
Identify actions allowed without authentication | CMA_0295 - Identify actions allowed without authentication | Manual, Disabled | 1.1.0 |
Identify and authenticate non-organizational users | CMA_C1346 - Identify and authenticate non-organizational users | Manual, Disabled | 1.1.0 |
Implement parameters for memorized secret verifiers | CMA_0321 - Implement parameters for memorized secret verifiers | Manual, Disabled | 1.1.0 |
Implement training for protecting authenticators | CMA_0329 - Implement training for protecting authenticators | Manual, Disabled | 1.1.0 |
Initiate transfer or reassignment actions | CMA_0333 - Initiate transfer or reassignment actions | Manual, Disabled | 1.1.0 |
Limit privileges to make changes in production environment | CMA_C1206 - Limit privileges to make changes in production environment | Manual, Disabled | 1.1.0 |
Manage authenticator lifetime and reuse | CMA_0355 - Manage authenticator lifetime and reuse | Manual, Disabled | 1.1.0 |
Manage Authenticators | CMA_C1321 - Manage Authenticators | Manual, Disabled | 1.1.0 |
Manage system and admin accounts | CMA_0368 - Manage system and admin accounts | Manual, Disabled | 1.1.0 |
Modify access authorizations upon personnel transfer | CMA_0374 - Modify access authorizations upon personnel transfer | Manual, Disabled | 1.1.0 |
Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
Monitor privileged role assignment | CMA_0378 - Monitor privileged role assignment | Manual, Disabled | 1.1.0 |
Notify Account Managers of customer controlled accounts | CMA_C1009 - Notify Account Managers of customer controlled accounts | Manual, Disabled | 1.1.0 |
Notify upon termination or transfer | CMA_0381 - Notify upon termination or transfer | Manual, Disabled | 1.1.0 |
Notify when account is not needed | CMA_0383 - Notify when account is not needed | Manual, Disabled | 1.1.0 |
Prevent identifier reuse for the defined time period | CMA_C1314 - Prevent identifier reuse for the defined time period | Manual, Disabled | 1.1.0 |
Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
Reassign or remove user privileges as needed | CMA_C1040 - Reassign or remove user privileges as needed | Manual, Disabled | 1.1.0 |
Reevaluate access upon personnel transfer | CMA_0424 - Reevaluate access upon personnel transfer | Manual, Disabled | 1.1.0 |
Refresh authenticators | CMA_0425 - Refresh authenticators | Manual, Disabled | 1.1.0 |
Reissue authenticators for changed groups and accounts | CMA_0426 - Reissue authenticators for changed groups and accounts | Manual, Disabled | 1.1.0 |
Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
Review and reevaluate privileges | CMA_C1207 - Review and reevaluate privileges | Manual, Disabled | 1.1.0 |
Review user accounts | CMA_0480 - Review user accounts | Manual, Disabled | 1.1.0 |
Review user privileges | CMA_C1039 - Review user privileges | Manual, Disabled | 1.1.0 |
Revoke privileged roles as appropriate | CMA_0483 - Revoke privileged roles as appropriate | Manual, Disabled | 1.1.0 |
Service Fabric clusters should only use Azure Active Directory for client authentication | Audit usage of client authentication only via Azure Active Directory in Service Fabric | Audit, Deny, Disabled | 1.1.0 |
Set automated notifications for new and trending cloud applications in your organization | CMA_0495 - Set automated notifications for new and trending cloud applications in your organization | Manual, Disabled | 1.1.0 |
Support personal verification credentials issued by legal authorities | CMA_0507 - Support personal verification credentials issued by legal authorities | Manual, Disabled | 1.1.0 |
Use privileged identity management | CMA_0533 - Use privileged identity management | Manual, Disabled | 1.1.0 |
Verify identity before distributing authenticators | CMA_0538 - Verify identity before distributing authenticators | Manual, Disabled | 1.1.0 |
Access control
ID: ENS v1 op.acc.2 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Accounts with owner permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
Accounts with read permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
Accounts with write permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 |
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 |
Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
Audit Linux machines that allow remote connections from accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Linux machines are non-compliant if they allow remote connections from accounts without passwords | AuditIfNotExists, Disabled | 3.1.0 |
Audit Linux machines that have accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Linux machines are non-compliant if they have accounts without passwords | AuditIfNotExists, Disabled | 3.1.0 |
Audit VMs that do not use managed disks | This policy audits VMs that do not use managed disks | audit | 1.0.0 |
Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Windows machines are non-compliant if they allow re-use of passwords after the specified number of unique passwords. The default value for unique passwords is 24 | AuditIfNotExists, Disabled | 2.1.0 |
Audit Windows machines that do not have the maximum password age set to specified number of days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Windows machines are non-compliant if they do not have the maximum password age set to the specified number of days. The default value for maximum password age is 70 days | AuditIfNotExists, Disabled | 2.1.0 |
Audit Windows machines that do not have the minimum password age set to specified number of days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Windows machines are non-compliant if they do not have the minimum password age set to the specified number of days. The default value for minimum password age is 1 day | AuditIfNotExists, Disabled | 2.1.0 |
Audit Windows machines that do not have the password complexity setting enabled | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Windows machines are non-compliant if they do not have the password complexity setting enabled | AuditIfNotExists, Disabled | 2.0.0 |
Audit Windows machines that do not restrict the minimum password length to specified number of characters | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Windows machines are non-compliant if they do not restrict the minimum password length to the specified number of characters. The default value for minimum password length is 14 characters | AuditIfNotExists, Disabled | 2.1.0 |
Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
Automate account management | CMA_0026 - Automate account management | Manual, Disabled | 1.1.0 |
Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 3.1.0 |
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 1.2.0 |
Design an access control model | CMA_0129 - Design an access control model | Manual, Disabled | 1.1.0 |
Develop access control policies and procedures | CMA_0144 - Develop access control policies and procedures | Manual, Disabled | 1.1.0 |
Disable authenticators upon termination | CMA_0169 - Disable authenticators upon termination | Manual, Disabled | 1.1.0 |
Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Employ least privilege access | CMA_0212 - Employ least privilege access | Manual, Disabled | 1.1.0 |
Enable detection of network devices | CMA_0220 - Enable detection of network devices | Manual, Disabled | 1.1.0 |
Enforce a limit of consecutive failed login attempts | CMA_C1044 - Enforce a limit of consecutive failed login attempts | Manual, Disabled | 1.1.0 |
Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
Enforce user uniqueness | CMA_0250 - Enforce user uniqueness | Manual, Disabled | 1.1.0 |
Establish a password policy | CMA_0256 - Establish a password policy | Manual, Disabled | 1.1.0 |
Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
Establish authenticator types and processes | CMA_0267 - Establish authenticator types and processes | Manual, Disabled | 1.1.0 |
Establish electronic signature and certificate requirements | CMA_0271 - Establish electronic signature and certificate requirements | Manual, Disabled | 1.1.0 |
Establish procedures for initial authenticator distribution | CMA_0276 - Establish procedures for initial authenticator distribution | Manual, Disabled | 1.1.0 |
Generate error messages | CMA_C1724 - Generate error messages | Manual, Disabled | 1.1.0 |
Govern policies and procedures | CMA_0292 - Govern policies and procedures | Manual, Disabled | 1.1.0 |
Identify actions allowed without authentication | CMA_0295 - Identify actions allowed without authentication | Manual, Disabled | 1.1.0 |
Identify and authenticate non-organizational users | CMA_C1346 - Identify and authenticate non-organizational users | Manual, Disabled | 1.1.0 |
Implement parameters for memorized secret verifiers | CMA_0321 - Implement parameters for memorized secret verifiers | Manual, Disabled | 1.1.0 |
Implement training for protecting authenticators | CMA_0329 - Implement training for protecting authenticators | Manual, Disabled | 1.1.0 |
Limit privileges to make changes in production environment | CMA_C1206 - Limit privileges to make changes in production environment | Manual, Disabled | 1.1.0 |
Manage authenticator lifetime and reuse | CMA_0355 - Manage authenticator lifetime and reuse | Manual, Disabled | 1.1.0 |
Manage Authenticators | CMA_C1321 - Manage Authenticators | Manual, Disabled | 1.1.0 |
Manage system and admin accounts | CMA_0368 - Manage system and admin accounts | Manual, Disabled | 1.1.0 |
Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
Notify when account is not needed | CMA_0383 - Notify when account is not needed | Manual, Disabled | 1.1.0 |
Obscure feedback information during authentication process | CMA_C1344 - Obscure feedback information during authentication process | Manual, Disabled | 1.1.0 |
Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
Refresh authenticators | CMA_0425 - Refresh authenticators | Manual, Disabled | 1.1.0 |
Reissue authenticators for changed groups and accounts | CMA_0426 - Reissue authenticators for changed groups and accounts | Manual, Disabled | 1.1.0 |
Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
Reveal error messages | CMA_C1725 - Reveal error messages | Manual, Disabled | 1.1.0 |
Review access control policies and procedures | CMA_0457 - Review access control policies and procedures | Manual, Disabled | 1.1.0 |
Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
Revoke privileged roles as appropriate | CMA_0483 - Revoke privileged roles as appropriate | Manual, Disabled | 1.1.0 |
Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
Set automated notifications for new and trending cloud applications in your organization | CMA_0495 - Set automated notifications for new and trending cloud applications in your organization | Manual, Disabled | 1.1.0 |
Storage accounts should be migrated to new Azure Resource Manager resources | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Audit, Deny, Disabled | 1.0.0 |
Support personal verification credentials issued by legal authorities | CMA_0507 - Support personal verification credentials issued by legal authorities | Manual, Disabled | 1.1.0 |
Terminate customer controlled account credentials | CMA_C1022 - Terminate customer controlled account credentials | Manual, Disabled | 1.1.0 |
Terminate user session automatically | CMA_C1054 - Terminate user session automatically | Manual, Disabled | 1.1.0 |
Verify identity before distributing authenticators | CMA_0538 - Verify identity before distributing authenticators | Manual, Disabled | 1.1.0 |
Virtual machines should be migrated to new Azure Resource Manager resources | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Audit, Deny, Disabled | 1.0.0 |
Access control
ID: ENS v1 op.acc.3 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Accounts with owner permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
Accounts with write permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
Assign account managers | CMA_0015 - Assign account managers | Manual, Disabled | 1.1.0 |
Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
Audit usage of custom RBAC roles | Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | Audit, Disabled | 1.0.1 |
Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
Automate account management | CMA_0026 - Automate account management | Manual, Disabled | 1.1.0 |
Blocked accounts with owner permissions on Azure resources should be removed | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 1.0.0 |
Blocked accounts with read and write permissions on Azure resources should be removed | Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 1.0.0 |
Define access authorizations to support separation of duties | CMA_0116 - Define access authorizations to support separation of duties | Manual, Disabled | 1.1.0 |
Define information system account types | CMA_0121 - Define information system account types | Manual, Disabled | 1.1.0 |
Design an access control model | CMA_0129 - Design an access control model | Manual, Disabled | 1.1.0 |
Document access privileges | CMA_0186 - Document access privileges | Manual, Disabled | 1.1.0 |
Document separation of duties | CMA_0204 - Document separation of duties | Manual, Disabled | 1.1.0 |
Employ least privilege access | CMA_0212 - Employ least privilege access | Manual, Disabled | 1.1.0 |
Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
Establish conditions for role membership | CMA_0269 - Establish conditions for role membership | Manual, Disabled | 1.1.0 |
Guest accounts with owner permissions on Azure resources should be removed | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 |
Guest accounts with write permissions on Azure resources should be removed | External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 |
Initiate transfer or reassignment actions | CMA_0333 - Initiate transfer or reassignment actions | Manual, Disabled | 1.1.0 |
Limit privileges to make changes in production environment | CMA_C1206 - Limit privileges to make changes in production environment | Manual, Disabled | 1.1.0 |
Manage system and admin accounts | CMA_0368 - Manage system and admin accounts | Manual, Disabled | 1.1.0 |
Modify access authorizations upon personnel transfer | CMA_0374 - Modify access authorizations upon personnel transfer | Manual, Disabled | 1.1.0 |
Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
Monitor privileged role assignment | CMA_0378 - Monitor privileged role assignment | Manual, Disabled | 1.1.0 |
Notify Account Managers of customer controlled accounts | CMA_C1009 - Notify Account Managers of customer controlled accounts | Manual, Disabled | 1.1.0 |
Notify upon termination or transfer | CMA_0381 - Notify upon termination or transfer | Manual, Disabled | 1.1.0 |
Notify when account is not needed | CMA_0383 - Notify when account is not needed | Manual, Disabled | 1.1.0 |
Reassign or remove user privileges as needed | CMA_C1040 - Reassign or remove user privileges as needed | Manual, Disabled | 1.1.0 |
Reevaluate access upon personnel transfer | CMA_0424 - Reevaluate access upon personnel transfer | Manual, Disabled | 1.1.0 |
Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
Review and reevaluate privileges | CMA_C1207 - Review and reevaluate privileges | Manual, Disabled | 1.1.0 |
Review user accounts | CMA_0480 - Review user accounts | Manual, Disabled | 1.1.0 |
Review user privileges | CMA_C1039 - Review user privileges | Manual, Disabled | 1.1.0 |
Revoke privileged roles as appropriate | CMA_0483 - Revoke privileged roles as appropriate | Manual, Disabled | 1.1.0 |
Separate duties of individuals | CMA_0492 - Separate duties of individuals | Manual, Disabled | 1.1.0 |
Service Fabric clusters should only use Azure Active Directory for client authentication | Audit usage of client authentication only via Azure Active Directory in Service Fabric | Audit, Deny, Disabled | 1.1.0 |
Use privileged identity management | CMA_0533 - Use privileged identity management | Manual, Disabled | 1.1.0 |
Access control
ID: ENS v1 op.acc.4 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Accounts with owner permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
Accounts with write permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
Assign account managers | CMA_0015 - Assign account managers | Manual, Disabled | 1.1.0 |
Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
Audit usage of custom RBAC roles | Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | Audit, Disabled | 1.0.1 |
Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
Automate account management | CMA_0026 - Automate account management | Manual, Disabled | 1.1.0 |
Blocked accounts with owner permissions on Azure resources should be removed | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 1.0.0 |
Blocked accounts with read and write permissions on Azure resources should be removed | Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 1.0.0 |
Define information system account types | CMA_0121 - Define information system account types | Manual, Disabled | 1.1.0 |
Design an access control model | CMA_0129 - Design an access control model | Manual, Disabled | 1.1.0 |
Document access privileges | CMA_0186 - Document access privileges | Manual, Disabled | 1.1.0 |
Employ least privilege access | CMA_0212 - Employ least privilege access | Manual, Disabled | 1.1.0 |
Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
Establish conditions for role membership | CMA_0269 - Establish conditions for role membership | Manual, Disabled | 1.1.0 |
Guest accounts with owner permissions on Azure resources should be removed | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 |
Guest accounts with write permissions on Azure resources should be removed | External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 |
Initiate transfer or reassignment actions | CMA_0333 - Initiate transfer or reassignment actions | Manual, Disabled | 1.1.0 |
Limit privileges to make changes in production environment | CMA_C1206 - Limit privileges to make changes in production environment | Manual, Disabled | 1.1.0 |
Manage system and admin accounts | CMA_0368 - Manage system and admin accounts | Manual, Disabled | 1.1.0 |
Modify access authorizations upon personnel transfer | CMA_0374 - Modify access authorizations upon personnel transfer | Manual, Disabled | 1.1.0 |
Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
Monitor privileged role assignment | CMA_0378 - Monitor privileged role assignment | Manual, Disabled | 1.1.0 |
Notify Account Managers of customer controlled accounts | CMA_C1009 - Notify Account Managers of customer controlled accounts | Manual, Disabled | 1.1.0 |
Notify upon termination or transfer | CMA_0381 - Notify upon termination or transfer | Manual, Disabled | 1.1.0 |
Notify when account is not needed | CMA_0383 - Notify when account is not needed | Manual, Disabled | 1.1.0 |
Reassign or remove user privileges as needed | CMA_C1040 - Reassign or remove user privileges as needed | Manual, Disabled | 1.1.0 |
Reevaluate access upon personnel transfer | CMA_0424 - Reevaluate access upon personnel transfer | Manual, Disabled | 1.1.0 |
Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
Review and reevaluate privileges | CMA_C1207 - Review and reevaluate privileges | Manual, Disabled | 1.1.0 |
Review user accounts | CMA_0480 - Review user accounts | Manual, Disabled | 1.1.0 |
Review user privileges | CMA_C1039 - Review user privileges | Manual, Disabled | 1.1.0 |
Revoke privileged roles as appropriate | CMA_0483 - Revoke privileged roles as appropriate | Manual, Disabled | 1.1.0 |
Service Fabric clusters should only use Azure Active Directory for client authentication | Audit usage of client authentication only via Azure Active Directory in Service Fabric | Audit, Deny, Disabled | 1.1.0 |
Use privileged identity management | CMA_0533 - Use privileged identity management | Manual, Disabled | 1.1.0 |
Access control
ID: ENS v1 op.acc.5 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Accounts with owner permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
Accounts with read permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
Accounts with write permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 |
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 |
Assign account managers | CMA_0015 - Assign account managers | Manual, Disabled | 1.1.0 |
Audit Linux machines that do not have the passwd file permissions set to 0644 | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Linux machines are non-compliant if the passwd file permissions are not set to 0644 | AuditIfNotExists, Disabled | 3.1.0 |
Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
Audit usage of custom RBAC roles | Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | Audit, Disabled | 1.0.1 |
Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
Automate account management | CMA_0026 - Automate account management | Manual, Disabled | 1.1.0 |
Blocked accounts with owner permissions on Azure resources should be removed | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 1.0.0 |
Blocked accounts with read and write permissions on Azure resources should be removed | Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 1.0.0 |
Define information system account types | CMA_0121 - Define information system account types | Manual, Disabled | 1.1.0 |
Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 3.1.0 |
Design an access control model | CMA_0129 - Design an access control model | Manual, Disabled | 1.1.0 |
Disable authenticators upon termination | CMA_0169 - Disable authenticators upon termination | Manual, Disabled | 1.1.0 |
Document access privileges | CMA_0186 - Document access privileges | Manual, Disabled | 1.1.0 |
Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Employ least privilege access | CMA_0212 - Employ least privilege access | Manual, Disabled | 1.1.0 |
Enable detection of network devices | CMA_0220 - Enable detection of network devices | Manual, Disabled | 1.1.0 |
Enforce a limit of consecutive failed login attempts | CMA_C1044 - Enforce a limit of consecutive failed login attempts | Manual, Disabled | 1.1.0 |
Enforce user uniqueness | CMA_0250 - Enforce user uniqueness | Manual, Disabled | 1.1.0 |
Establish a password policy | CMA_0256 - Establish a password policy | Manual, Disabled | 1.1.0 |
Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
Establish authenticator types and processes | CMA_0267 - Establish authenticator types and processes | Manual, Disabled | 1.1.0 |
Establish conditions for role membership | CMA_0269 - Establish conditions for role membership | Manual, Disabled | 1.1.0 |
Establish electronic signature and certificate requirements | CMA_0271 - Establish electronic signature and certificate requirements | Manual, Disabled | 1.1.0 |
Establish procedures for initial authenticator distribution | CMA_0276 - Establish procedures for initial authenticator distribution | Manual, Disabled | 1.1.0 |
Generate error messages | CMA_C1724 - Generate error messages | Manual, Disabled | 1.1.0 |
Guest accounts with owner permissions on Azure resources should be removed | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 |
Guest accounts with write permissions on Azure resources should be removed | External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 |
Identify actions allowed without authentication | CMA_0295 - Identify actions allowed without authentication | Manual, Disabled | 1.1.0 |
Identify and authenticate non-organizational users | CMA_C1346 - Identify and authenticate non-organizational users | Manual, Disabled | 1.1.0 |
Implement parameters for memorized secret verifiers | CMA_0321 - Implement parameters for memorized secret verifiers | Manual, Disabled | 1.1.0 |
Implement training for protecting authenticators | CMA_0329 - Implement training for protecting authenticators | Manual, Disabled | 1.1.0 |
Initiate transfer or reassignment actions | CMA_0333 - Initiate transfer or reassignment actions | Manual, Disabled | 1.1.0 |
Limit privileges to make changes in production environment | CMA_C1206 - Limit privileges to make changes in production environment | Manual, Disabled | 1.1.0 |
Manage authenticator lifetime and reuse | CMA_0355 - Manage authenticator lifetime and reuse | Manual, Disabled | 1.1.0 |
Manage Authenticators | CMA_C1321 - Manage Authenticators | Manual, Disabled | 1.1.0 |
Manage system and admin accounts | CMA_0368 - Manage system and admin accounts | Manual, Disabled | 1.1.0 |
Modify access authorizations upon personnel transfer | CMA_0374 - Modify access authorizations upon personnel transfer | Manual, Disabled | 1.1.0 |
Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
Monitor privileged role assignment | CMA_0378 - Monitor privileged role assignment | Manual, Disabled | 1.1.0 |
Notify Account Managers of customer controlled accounts | CMA_C1009 - Notify Account Managers of customer controlled accounts | Manual, Disabled | 1.1.0 |
Notify upon termination or transfer | CMA_0381 - Notify upon termination or transfer | Manual, Disabled | 1.1.0 |
Notify users of system logon or access | CMA_0382 - Notify users of system logon or access | Manual, Disabled | 1.1.0 |
Notify when account is not needed | CMA_0383 - Notify when account is not needed | Manual, Disabled | 1.1.0 |
Obscure feedback information during authentication process | CMA_C1344 - Obscure feedback information during authentication process | Manual, Disabled | 1.1.0 |
Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
Reassign or remove user privileges as needed | CMA_C1040 - Reassign or remove user privileges as needed | Manual, Disabled | 1.1.0 |
Reevaluate access upon personnel transfer | CMA_0424 - Reevaluate access upon personnel transfer | Manual, Disabled | 1.1.0 |
Refresh authenticators | CMA_0425 - Refresh authenticators | Manual, Disabled | 1.1.0 |
Reissue authenticators for changed groups and accounts | CMA_0426 - Reissue authenticators for changed groups and accounts | Manual, Disabled | 1.1.0 |
Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
Reveal error messages | CMA_C1725 - Reveal error messages | Manual, Disabled | 1.1.0 |
Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
Review and reevaluate privileges | CMA_C1207 - Review and reevaluate privileges | Manual, Disabled | 1.1.0 |
Review user accounts | CMA_0480 - Review user accounts | Manual, Disabled | 1.1.0 |
Review user privileges | CMA_C1039 - Review user privileges | Manual, Disabled | 1.1.0 |
Revoke privileged roles as appropriate | CMA_0483 - Revoke privileged roles as appropriate | Manual, Disabled | 1.1.0 |
Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
Service Fabric clusters should only use Azure Active Directory for client authentication | Audit usage of client authentication only via Azure Active Directory in Service Fabric | Audit, Deny, Disabled | 1.1.0 |
Set automated notifications for new and trending cloud applications in your organization | CMA_0495 - Set automated notifications for new and trending cloud applications in your organization | Manual, Disabled | 1.1.0 |
Support personal verification credentials issued by legal authorities | CMA_0507 - Support personal verification credentials issued by legal authorities | Manual, Disabled | 1.1.0 |
Terminate customer controlled account credentials | CMA_C1022 - Terminate customer controlled account credentials | Manual, Disabled | 1.1.0 |
Terminate user session automatically | CMA_C1054 - Terminate user session automatically | Manual, Disabled | 1.1.0 |
Use privileged identity management | CMA_0533 - Use privileged identity management | Manual, Disabled | 1.1.0 |
Verify identity before distributing authenticators | CMA_0538 - Verify identity before distributing authenticators | Manual, Disabled | 1.1.0 |
Access control
ID: ENS v1 op.acc.6 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
[Deprecated]: Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources | This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign the replacement policies with policy IDs 3dc5edcd-002d-444c-b216-e123bbfa37c0 and ca88aadc-6e2b-416c-9de2-5a0f01d1693f. Learn more about policy definition deprecation at aka.ms/policydefdeprecation | AuditIfNotExists, Disabled | 2.1.0-deprecated |
Accounts with owner permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
Accounts with read permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
Accounts with write permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 |
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 |
All network ports should be restricted on network security groups associated to your virtual machine | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | AuditIfNotExists, Disabled | 3.0.0 |
Audit Windows machines that do not store passwords using reversible encryption | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not store passwords using reversible encryption | AuditIfNotExists, Disabled | 2.0.0 |
Authenticate to cryptographic module | CMA_0021 - Authenticate to cryptographic module | Manual, Disabled | 1.1.0 |
Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0 |
Automation account variables should be encrypted | It is important to enable encryption of Automation account variable assets when storing sensitive data | Audit, Deny, Disabled | 1.1.0 |
Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
Define and document government oversight | CMA_C1587 - Define and document government oversight | Manual, Disabled | 1.1.0 |
Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 1.2.0 |
Develop access control policies and procedures | CMA_0144 - Develop access control policies and procedures | Manual, Disabled | 1.1.0 |
Document and distribute a privacy policy | CMA_0188 - Document and distribute a privacy policy | Manual, Disabled | 1.1.0 |
Document and implement wireless access guidelines | CMA_0190 - Document and implement wireless access guidelines | Manual, Disabled | 1.1.0 |
Document mobility training | CMA_0191 - Document mobility training | Manual, Disabled | 1.1.0 |
Document remote access guidelines | CMA_0196 - Document remote access guidelines | Manual, Disabled | 1.1.0 |
Employ boundary protection to isolate information systems | CMA_C1639 - Employ boundary protection to isolate information systems | Manual, Disabled | 1.1.0 |
Enable detection of network devices | CMA_0220 - Enable detection of network devices | Manual, Disabled | 1.1.0 |
Enforce a limit of consecutive failed login attempts | CMA_C1044 - Enforce a limit of consecutive failed login attempts | Manual, Disabled | 1.1.0 |
Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
Enforce user uniqueness | CMA_0250 - Enforce user uniqueness | Manual, Disabled | 1.1.0 |
Establish electronic signature and certificate requirements | CMA_0271 - Establish electronic signature and certificate requirements | Manual, Disabled | 1.1.0 |
Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
Establish terms and conditions for accessing resources | CMA_C1076 - Establish terms and conditions for accessing resources | Manual, Disabled | 1.1.0 |
Establish terms and conditions for processing resources | CMA_C1077 - Establish terms and conditions for processing resources | Manual, Disabled | 1.1.0 |
Generate error messages | CMA_C1724 - Generate error messages | Manual, Disabled | 1.1.0 |
Govern policies and procedures | CMA_0292 - Govern policies and procedures | Manual, Disabled | 1.1.0 |
Identify actions allowed without authentication | CMA_0295 - Identify actions allowed without authentication | Manual, Disabled | 1.1.0 |
Identify and authenticate network devices | CMA_0296 - Identify and authenticate network devices | Manual, Disabled | 1.1.0 |
Identify and authenticate non-organizational users | CMA_C1346 - Identify and authenticate non-organizational users | Manual, Disabled | 1.1.0 |
Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
Implement a fault tolerant name/address service | CMA_0305 - Implement a fault tolerant name/address service | Manual, Disabled | 1.1.0 |
Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Manual, Disabled | 1.1.0 |
Implement managed interface for each external service | CMA_C1626 - Implement managed interface for each external service | Manual, Disabled | 1.1.0 |
Implement privacy notice delivery methods | CMA_0324 - Implement privacy notice delivery methods | Manual, Disabled | 1.1.0 |
Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
Notify users of system logon or access | CMA_0382 - Notify users of system logon or access | Manual, Disabled | 1.1.0 |
Obscure feedback information during authentication process | CMA_C1344 - Obscure feedback information during authentication process | Manual, Disabled | 1.1.0 |
Prevent split tunneling for remote devices | CMA_C1632 - Prevent split tunneling for remote devices | Manual, Disabled | 1.1.0 |
Produce, control and distribute asymmetric cryptographic keys | CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys | Manual, Disabled | 1.1.0 |
Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
Protect wireless access | CMA_0411 - Protect wireless access | Manual, Disabled | 1.1.0 |
Provide privacy notice | CMA_0414 - Provide privacy notice | Manual, Disabled | 1.1.0 |
Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
Provide secure name and address resolution services | CMA_0416 - Provide secure name and address resolution services | Manual, Disabled | 1.1.0 |
Reauthenticate or terminate a user session | CMA_0421 - Reauthenticate or terminate a user session | Manual, Disabled | 1.1.0 |
Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0 |
Require interconnection security agreements | CMA_C1151 - Require interconnection security agreements | Manual, Disabled | 1.1.0 |
Restrict communications | CMA_0449 - Restrict communications | Manual, Disabled | 1.1.0 |
Reveal error messages | CMA_C1725 - Reveal error messages | Manual, Disabled | 1.1.0 |
Review access control policies and procedures | CMA_0457 - Review access control policies and procedures | Manual, Disabled | 1.1.0 |
Review and update system and communications protection policies and procedures | CMA_C1616 - Review and update system and communications protection policies and procedures | Manual, Disabled | 1.1.0 |
Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Manual, Disabled | 1.1.0 |
Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
Secure transfer to storage accounts should be enabled | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 2.0.0 |
Separate user and information system management functionality | CMA_0493 - Separate user and information system management functionality | Manual, Disabled | 1.1.0 |
Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign | Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed | Audit, Deny, Disabled | 1.1.0 |
Set automated notifications for new and trending cloud applications in your organization | CMA_0495 - Set automated notifications for new and trending cloud applications in your organization | Manual, Disabled | 1.1.0 |
Support personal verification credentials issued by legal authorities | CMA_0507 - Support personal verification credentials issued by legal authorities | Manual, Disabled | 1.1.0 |
Terminate user session automatically | CMA_C1054 - Terminate user session automatically | Manual, Disabled | 1.1.0 |
Transparent Data Encryption on SQL databases should be enabled | Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements | AuditIfNotExists, Disabled | 2.0.0 |
Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
Update interconnection security agreements | CMA_0519 - Update interconnection security agreements | Manual, Disabled | 1.1.0 |
Use dedicated machines for administrative tasks | CMA_0527 - Use dedicated machines for administrative tasks | Manual, Disabled | 1.1.0 |
Verify security controls for external information systems | CMA_0541 - Verify security controls for external information systems | Manual, Disabled | 1.1.0 |
Continuity of service
ID: ENS v1 op.cont.1 Ownership: Customer
Continuity of service
ID: ENS v1 op.cont.2 Ownership: Customer
Continuity of service
ID: ENS v1 op.cont.3 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
[Preview]: Azure Recovery Services vaults should use customer-managed keys for encrypting backup data | Use customer-managed keys to manage the encryption at rest of your backup data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/AB-CmkEncryption. | Audit, Deny, Disabled | 1.0.0-preview |
[Preview]: Azure Recovery Services vaults should use private link for backup | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Recovery Services vaults, data leakage risks are reduced. Learn more about private links at: https://aka.ms/AB-PrivateEndpoints. | Audit, Disabled | 2.0.0-preview |
[Preview]: Configure Recovery Services vaults to use private DNS zones for backup | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Recovery Services vault. Learn more at: https://aka.ms/AB-PrivateEndpoints. | DeployIfNotExists, Disabled | 1.0.1-preview |
[Preview]: Configure Recovery Services vaults to use private endpoints for backup | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Recovery Services vaults, you can reduce data leakage risks. Note that your vaults need to meet certain prerequisites to be eligible for private endpoint configuration. Learn more at: https://go.microsoft.com/fwlink/?linkid=2187162. | DeployIfNotExists, Disabled | 1.0.0-preview |
[Preview]: Disable Cross Subscription Restore for Backup Vaults | Disable or PermanentlyDisable Cross Subscription Restore for your Backup vault so that restore targets cannot be in a different subscription from the vault subscription. Learn more at: https://aka.ms/csrstatechange. | Modify, Disabled | 1.1.0-preview |
[Preview]: Immutability must be enabled for backup vaults | This policy audits if the immutable vaults property is enabled for Backup vaults in the scope. This helps protect your backup data from being deleted before its intended expiry. Learn more at https://aka.ms/AB-ImmutableVaults. | Audit, Disabled | 1.0.1-preview |
[Preview]: Immutability must be enabled for Recovery Services vaults | This policy audits if the immutable vaults property is enabled for Recovery Services vaults in the scope. This helps protect your backup data from being deleted before its intended expiry. Learn more at https://aka.ms/AB-ImmutableVaults. | Audit, Disabled | 1.0.1-preview |
[Preview]: Soft delete should be enabled for Backup Vaults | This policy audits if soft delete is enabled for Backup vaults in the scope. Soft delete can help you recover your data after it has been deleted. Learn more at https://aka.ms/AB-SoftDelete | Audit, Disabled | 1.0.0-preview |
Azure Backup should be enabled for Virtual Machines | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | AuditIfNotExists, Disabled | 3.0.0 |
Communicate contingency plan changes | CMA_C1249 - Communicate contingency plan changes | Manual, Disabled | 1.1.0 |
Conduct backup of information system documentation | CMA_C1289 - Conduct backup of information system documentation | Manual, Disabled | 1.1.0 |
Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. | auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled | 9.3.0 |
Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. | auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled | 9.3.0 |
Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
Develop contingency plan | CMA_C1244 - Develop contingency plan | Manual, Disabled | 1.1.0 |
Develop contingency planning policies and procedures | CMA_0156 - Develop contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
Establish alternate storage site to store and retrieve backup information | CMA_C1267 - Establish alternate storage site to store and retrieve backup information | Manual, Disabled | 1.1.0 |
Establish backup policies and procedures | CMA_0268 - Establish backup policies and procedures | Manual, Disabled | 1.1.0 |
Geo-redundant backup should be enabled for Azure Database for MariaDB | Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to geo-redundant backup storage, in which the data is not only stored within the region in which your server is hosted but is also replicated to a paired region to provide a recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server creation. | Audit, Disabled | 1.0.1 |
Geo-redundant backup should be enabled for Azure Database for MySQL | Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to geo-redundant backup storage, in which the data is not only stored within the region in which your server is hosted but is also replicated to a paired region to provide a recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server creation. | Audit, Disabled | 1.0.1 |
Geo-redundant backup should be enabled for Azure Database for PostgreSQL | Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to geo-redundant backup storage, in which the data is not only stored within the region in which your server is hosted but is also replicated to a paired region to provide a recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server creation. | Audit, Disabled | 1.0.1 |
Incorporate simulated contingency training | CMA_C1260 - Incorporate simulated contingency training | Manual, Disabled | 1.1.0 |
Initiate contingency plan testing corrective actions | CMA_C1263 - Initiate contingency plan testing corrective actions | Manual, Disabled | 1.1.0 |
Long-term geo-redundant backup should be enabled for Azure SQL Databases | This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled. | AuditIfNotExists, Disabled | 2.0.0 |
Microsoft Managed Control 1132 - Protection Of Audit Information \| Audit Backup On Separate Physical Systems / Components | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
Microsoft Managed Control 1242 - Contingency Planning Policy And Procedures | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1243 - Contingency Planning Policy And Procedures | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1244 - Contingency Plan | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1245 - Contingency Plan | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1246 - Contingency Plan | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1247 - Contingency Plan | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1248 - Contingency Plan | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1249 - Contingency Plan | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1250 - Contingency Plan | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1251 - Contingency Plan \| Coordinate With Related Plans | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1252 - Contingency Plan \| Capacity Planning | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1253 - Contingency Plan \| Resume Essential Missions / Business Functions | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1254 - Contingency Plan \| Resume All Missions / Business Functions | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1255 - Contingency Plan \| Continue Essential Missions / Business Functions | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1256 - Contingency Plan \| Identify Critical Assets | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1257 - Contingency Training | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1258 - Contingency Training | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1259 - Contingency Training | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1260 - Contingency Training \| Simulated Events | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1261 - Contingency Plan Testing | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1262 - Contingency Plan Testing | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1263 - Contingency Plan Testing | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1264 - Contingency Plan Testing \| Coordinate With Related Plans | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1265 - Contingency Plan Testing \| Alternate Processing Site | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1266 - Contingency Plan Testing \| Alternate Processing Site | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1267 - Alternate Storage Site | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1268 - Alternate Storage Site | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1269 - Alternate Storage Site \| Separation From Primary Site | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1270 - Alternate Storage Site \| Recovery Time / Point Objectives | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1271 - Alternate Storage Site \| Accessibility | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1272 - Alternate Processing Site | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1273 - Alternate Processing Site | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1274 - Alternate Processing Site | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1275 - Alternate Processing Site \| Separation From Primary Site | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1276 - Alternate Processing Site \| Accessibility | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1277 - Alternate Processing Site \| Priority Of Service | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1278 - Alternate Processing Site \| Preparation For Use | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1279 - Telecommunications Services | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1280 - Telecommunications Services \| Priority Of Service Provisions | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1281 - Telecommunications Services \| Priority Of Service Provisions | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1282 - Telecommunications Services \| Single Points Of Failure | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1283 - Telecommunications Services \| Separation Of Primary / Alternate Providers | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1284 - Telecommunications Services \| Provider Contingency Plan | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1285 - Telecommunications Services \| Provider Contingency Plan | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1286 - Telecommunications Services \| Provider Contingency Plan | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1287 - Information System Backup | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1288 - Information System Backup | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1289 - Information System Backup | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1290 - Information System Backup | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1291 - Information System Backup \| Testing For Reliability / Integrity | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1292 - Information System Backup \| Test Restoration Using Sampling | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1293 - Information System Backup \| Separate Storage For Critical Information | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1294 - Information System Backup \| Transfer To Alternate Storage Site | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1295 - Information System Recovery And Reconstitution | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1296 - Information System Recovery And Reconstitution \| Transaction Recovery | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1297 - Information System Recovery And Reconstitution \| Restore Within Time Period | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Provide contingency training | CMA_0412 - Provide contingency training | Manual, Disabled | 1.1.0 |
Review and update contingency planning policies and procedures | CMA_C1243 - Review and update contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
Review contingency plan | CMA_C1247 - Review contingency plan | Manual, Disabled | 1.1.0 |
Review the results of contingency plan testing | CMA_C1262 - Review the results of contingency plan testing | Manual, Disabled | 1.1.0 |
Separately store backup information | CMA_C1293 - Separately store backup information | Manual, Disabled | 1.1.0 |
SQL Database should avoid using GRS backup redundancy | Databases should avoid using the default geo-redundant storage for backups if data residency rules require data to stay within a specific region. Note: Azure Policy is not enforced when creating a database using T-SQL. If not explicitly specified, a database with geo-redundant backup storage is created via T-SQL. | Deny, Disabled | 2.0.0 |
SQL Managed Instances should avoid using GRS backup redundancy | Managed Instances should avoid using the default geo-redundant storage for backups if data residency rules require data to stay within a specific region. Note: Azure Policy is not enforced when creating a database using T-SQL. If not explicitly specified, a database with geo-redundant backup storage is created via T-SQL. | Deny, Disabled | 2.0.0 |
Test contingency plan at an alternate processing location | CMA_C1265 - Test contingency plan at an alternate processing location | Manual, Disabled | 1.1.0 |
Transfer backup information to an alternate storage site | CMA_C1294 - Transfer backup information to an alternate storage site | Manual, Disabled | 1.1.0 |
Update contingency plan | CMA_C1248 - Update contingency plan | Manual, Disabled | 1.1.0 |
Continuity of service
ID: ENS v1 op.cont.4 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
[Preview]: Azure Recovery Services vaults should use customer-managed keys for encrypting backup data | Use customer-managed keys to manage the encryption at rest of your backup data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/AB-CmkEncryption. | Audit, Deny, Disabled | 1.0.0-preview |
[Preview]: Azure Recovery Services vaults should use private link for backup | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Recovery Services vaults, data leakage risks are reduced. Learn more about private links at: https://aka.ms/AB-PrivateEndpoints. | Audit, Disabled | 2.0.0-preview |
[Preview]: Configure backup for blobs on storage accounts with a given tag to an existing backup vault in the same region | Enforce backup for blobs on all storage accounts that contain a given tag to a central backup vault. Doing this can help you manage backup of blobs contained across multiple storage accounts at scale. For more details, refer to https://aka.ms/AB-BlobBackupAzPolicies | DeployIfNotExists, AuditIfNotExists, Disabled | 2.0.0-preview |
[Preview]: Configure blob backup for all storage accounts that do not contain a given tag to a backup vault in the same region | Enforce backup for blobs on all storage accounts that do not contain a given tag to a central backup vault. Doing this can help you manage backup of blobs contained across multiple storage accounts at scale. For more details, refer to https://aka.ms/AB-BlobBackupAzPolicies | DeployIfNotExists, AuditIfNotExists, Disabled | 2.0.0-preview |
[Preview]: Configure Recovery Services vaults to use private DNS zones for backup | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Recovery Services vault. Learn more at: https://aka.ms/AB-PrivateEndpoints. | DeployIfNotExists, Disabled | 1.0.1-preview |
[Preview]: Configure Recovery Services vaults to use private endpoints for backup | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Recovery Services vaults, you can reduce data leakage risks. Note that your vaults need to meet certain prerequisites to be eligible for private endpoint configuration. Learn more at: https://go.microsoft.com/fwlink/?linkid=2187162. | DeployIfNotExists, Disabled | 1.0.0-preview |
[Preview]: Disable Cross Subscription Restore for Backup Vaults | Disable or PermanentlyDisable Cross Subscription Restore for your Backup vault so that restore targets cannot be in a different subscription from the vault subscription. Learn more at: https://aka.ms/csrstatechange. | Modify, Disabled | 1.1.0-preview |
[Preview]: Immutability must be enabled for backup vaults | This policy audits if the immutable vaults property is enabled for Backup vaults in the scope. This helps protect your backup data from being deleted before its intended expiry. Learn more at https://aka.ms/AB-ImmutableVaults. | Audit, Disabled | 1.0.1-preview |
[Preview]: Immutability must be enabled for Recovery Services vaults | This policy audits if the immutable vaults property is enabled for Recovery Services vaults in the scope. This helps protect your backup data from being deleted before its intended expiry. Learn more at https://aka.ms/AB-ImmutableVaults. | Audit, Disabled | 1.0.1-preview |
[Preview]: Soft delete should be enabled for Backup Vaults | This policy audits if soft delete is enabled for Backup vaults in the scope. Soft delete can help you recover your data after it has been deleted. Learn more at https://aka.ms/AB-SoftDelete | Audit, Disabled | 1.0.0-preview |
Azure Backup should be enabled for Virtual Machines | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | AuditIfNotExists, Disabled | 3.0.0 |
Communicate contingency plan changes | CMA_C1249 - Communicate contingency plan changes | Manual, Disabled | 1.1.0 |
Conduct backup of information system documentation | CMA_C1289 - Conduct backup of information system documentation | Manual, Disabled | 1.1.0 |
Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. | auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled | 9.3.0 |
Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. | auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled | 9.3.0 |
Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. | auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled | 9.3.0 |
Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. | auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled | 9.3.0 |
Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
Develop contingency plan | CMA_C1244 - Develop contingency plan | Manual, Disabled | 1.1.0 |
Develop contingency planning policies and procedures | CMA_0156 - Develop contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
Establish alternate storage site to store and retrieve backup information | CMA_C1267 - Establish alternate storage site to store and retrieve backup information | Manual, Disabled | 1.1.0 |
Establish backup policies and procedures | CMA_0268 - Establish backup policies and procedures | Manual, Disabled | 1.1.0 |
Geo-redundant backup should be enabled for Azure Database for MariaDB | Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to geo-redundant backup storage, in which the data is not only stored within the region in which your server is hosted but is also replicated to a paired region to provide a recovery option in case of a regional failure. Configuring geo-redundant storage for backup is only allowed during server creation. | Audit, Disabled | 1.0.1 |
Geo-redundant backup should be enabled for Azure Database for MySQL | Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to geo-redundant backup storage, in which the data is not only stored within the region in which your server is hosted but is also replicated to a paired region to provide a recovery option in case of a regional failure. Configuring geo-redundant storage for backup is only allowed during server creation. | Audit, Disabled | 1.0.1 |
Geo-redundant backup should be enabled for Azure Database for PostgreSQL | Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to geo-redundant backup storage, in which the data is not only stored within the region in which your server is hosted but is also replicated to a paired region to provide a recovery option in case of a regional failure. Configuring geo-redundant storage for backup is only allowed during server creation. | Audit, Disabled | 1.0.1 |
Incorporate simulated contingency training | CMA_C1260 - Incorporate simulated contingency training | Manual, Disabled | 1.1.0 |
Initiate contingency plan testing corrective actions | CMA_C1263 - Initiate contingency plan testing corrective actions | Manual, Disabled | 1.1.0 |
Long-term geo-redundant backup should be enabled for Azure SQL Databases | This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled. | AuditIfNotExists, Disabled | 2.0.0 |
Microsoft Managed Control 1132 - Protection Of Audit Information \| Audit Backup On Separate Physical Systems / Components | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
Microsoft Managed Control 1242 - Contingency Planning Policy And Procedures | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1243 - Contingency Planning Policy And Procedures | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1244 - Contingency Plan | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1245 - Contingency Plan | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1246 - Contingency Plan | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1247 - Contingency Plan | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1248 - Contingency Plan | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1249 - Contingency Plan | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1250 - Contingency Plan | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1251 - Contingency Plan \| Coordinate With Related Plans | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1252 - Contingency Plan \| Capacity Planning | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1253 - Contingency Plan \| Resume Essential Missions / Business Functions | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1254 - Contingency Plan \| Resume All Missions / Business Functions | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1255 - Contingency Plan \| Continue Essential Missions / Business Functions | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1256 - Contingency Plan \| Identify Critical Assets | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1257 - Contingency Training | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1258 - Contingency Training | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1259 - Contingency Training | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1260 - Contingency Training \| Simulated Events | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1261 - Contingency Plan Testing | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1262 - Contingency Plan Testing | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1263 - Contingency Plan Testing | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1264 - Contingency Plan Testing \| Coordinate With Related Plans | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1265 - Contingency Plan Testing \| Alternate Processing Site | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1266 - Contingency Plan Testing \| Alternate Processing Site | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1267 - Alternate Storage Site | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1268 - Alternate Storage Site | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1269 - Alternate Storage Site \| Separation From Primary Site | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1270 - Alternate Storage Site \| Recovery Time / Point Objectives | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1271 - Alternate Storage Site \| Accessibility | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1272 - Alternate Processing Site | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1273 - Alternate Processing Site | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1274 - Alternate Processing Site | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1275 - Alternate Processing Site \| Separation From Primary Site | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1276 - Alternate Processing Site \| Accessibility | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1277 - Alternate Processing Site \| Priority Of Service | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1278 - Alternate Processing Site \| Preparation For Use | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1279 - Telecommunications Services | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1280 - Telecommunications Services \| Priority Of Service Provisions | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1281 - Telecommunications Services \| Priority Of Service Provisions | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1282 - Telecommunications Services \| Single Points Of Failure | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1283 - Telecommunications Services \| Separation Of Primary / Alternate Providers | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1284 - Telecommunications Services \| Provider Contingency Plan | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1285 - Telecommunications Services \| Provider Contingency Plan | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1286 - Telecommunications Services \| Provider Contingency Plan | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1287 - Information System Backup | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1288 - Information System Backup | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1289 - Information System Backup | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1290 - Information System Backup | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1291 - Information System Backup \| Testing For Reliability / Integrity | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1292 - Information System Backup \| Test Restoration Using Sampling | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1293 - Information System Backup \| Separate Storage For Critical Information | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1294 - Information System Backup \| Transfer To Alternate Storage Site | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1295 - Information System Recovery And Reconstitution | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1296 - Information System Recovery And Reconstitution \| Transaction Recovery | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1297 - Information System Recovery And Reconstitution \| Restore Within Time Period | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Provide contingency training | CMA_0412 - Provide contingency training | Manual, Disabled | 1.1.0 |
Review and update contingency planning policies and procedures | CMA_C1243 - Review and update contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
Review contingency plan | CMA_C1247 - Review contingency plan | Manual, Disabled | 1.1.0 |
Review the results of contingency plan testing | CMA_C1262 - Review the results of contingency plan testing | Manual, Disabled | 1.1.0 |
Separately store backup information | CMA_C1293 - Separately store backup information | Manual, Disabled | 1.1.0 |
SQL Database should avoid using GRS backup redundancy | Databases should avoid using the default geo-redundant storage for backups if data residency rules require data to stay within a specific region. Note: Azure Policy is not enforced when creating a database using T-SQL. If not explicitly specified, a database with geo-redundant backup storage is created via T-SQL. | Deny, Disabled | 2.0.0 |
SQL Managed Instances should avoid using GRS backup redundancy | Managed Instances should avoid using the default geo-redundant storage for backups if data residency rules require data to stay within a specific region. Note: Azure Policy is not enforced when creating a database using T-SQL. If not explicitly specified, a database with geo-redundant backup storage is created via T-SQL. | Deny, Disabled | 2.0.0 |
Test contingency plan at an alternate processing location | CMA_C1265 - Test contingency plan at an alternate processing location | Manual, Disabled | 1.1.0 |
Transfer backup information to an alternate storage site | CMA_C1294 - Transfer backup information to an alternate storage site | Manual, Disabled | 1.1.0 |
Update contingency plan | CMA_C1248 - Update contingency plan | Manual, Disabled | 1.1.0 |
Operation
ID: ENS v1 op.exp.1 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
[Preview]: Configure Linux Arc-enabled machines to be associated with a Data Collection Rule for ChangeTracking and Inventory | Deploy Association to link Linux Arc-enabled machines to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations is updated over time as support is increased. | DeployIfNotExists, Disabled | 1.0.0-preview |
[Preview]: Configure Linux Arc-enabled machines to install AMA for ChangeTracking and Inventory | Automate the deployment of the Azure Monitor Agent extension on your Linux Arc-enabled machines for enabling ChangeTracking and Inventory. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. | DeployIfNotExists, Disabled | 1.3.0-preview |
[Preview]: Configure Linux Virtual Machines to be associated with a Data Collection Rule for ChangeTracking and Inventory | Deploy Association to link Linux virtual machines to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images is updated over time as support is increased. | DeployIfNotExists, Disabled | 1.0.0-preview |
[Preview]: Configure Linux VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity | Automate the deployment of the Azure Monitor Agent extension on your Linux virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip the install otherwise. Learn more: https://aka.ms/AMAOverview. | DeployIfNotExists, Disabled | 1.5.0-preview |
[Preview]: Configure Linux VMSS to be associated with a Data Collection Rule for ChangeTracking and Inventory | Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images is updated over time as support is increased. | DeployIfNotExists, Disabled | 1.0.0-preview |
[Preview]: Configure Linux VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity | Automate the deployment of the Azure Monitor Agent extension on your Linux virtual machine scale sets for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip the install otherwise. Learn more: https://aka.ms/AMAOverview. | DeployIfNotExists, Disabled | 1.4.0-preview |
[Preview]: Configure Windows Arc-enabled machines to be associated with a Data Collection Rule for ChangeTracking and Inventory | Deploy Association to link Windows Arc-enabled machines to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations is updated over time as support is increased. | DeployIfNotExists, Disabled | 1.0.0-preview |
[Preview]: Configure Windows Arc-enabled machines to install AMA for ChangeTracking and Inventory | Automate the deployment of the Azure Monitor Agent extension on your Windows Arc-enabled machines for enabling ChangeTracking and Inventory. This policy will install the extension if the OS and region are supported and a system-assigned managed identity is enabled, and skip the install otherwise. Learn more: https://aka.ms/AMAOverview. | DeployIfNotExists, Disabled | 1.0.0-preview |
[Preview]: Configure Windows Virtual Machines to be associated with a Data Collection Rule for ChangeTracking and Inventory | Deploy Association to link Windows virtual machines to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images is updated over time as support is increased. | DeployIfNotExists, Disabled | 1.0.0-preview |
[Preview]: Configure Windows VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity | Automate the deployment of the Azure Monitor Agent extension on your Windows virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip the install otherwise. Learn more: https://aka.ms/AMAOverview. | DeployIfNotExists, Disabled | 1.1.0-preview |
[Preview]: Configure Windows VMSS to be associated with a Data Collection Rule for ChangeTracking and Inventory | Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images is updated over time as support is increased. | DeployIfNotExists, Disabled | 1.0.0-preview |
[Preview]: Configure Windows VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity | Automate the deployment of the Azure Monitor Agent extension on your Windows virtual machine scale sets for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip the install otherwise. Learn more: https://aka.ms/AMAOverview. | DeployIfNotExists, Disabled | 1.1.0-preview |
Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
Conduct exit interview upon termination | CMA_0058 - Conduct exit interview upon termination | Manual, Disabled | 1.1.0 |
Control use of portable storage devices | CMA_0083 - Control use of portable storage devices | Manual, Disabled | 1.1.0 |
Create a data inventory | CMA_0096 - Create a data inventory | Manual, Disabled | 1.1.0 |
Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
Disable authenticators upon termination | CMA_0169 - Disable authenticators upon termination | Manual, Disabled | 1.1.0 |
Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Establish and maintain an asset inventory | CMA_0266 - Establish and maintain an asset inventory | Manual, Disabled | 1.1.0 |
Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Initiate transfer or reassignment actions | CMA_0333 - Initiate transfer or reassignment actions | Manual, Disabled | 1.1.0 |
Maintain records of processing of personal data | CMA_0353 - Maintain records of processing of personal data | Manual, Disabled | 1.1.0 |
Microsoft Managed Control 1222 - Information System Component Inventory | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1223 - Information System Component Inventory | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1224 - Information System Component Inventory \| Updates During Installations / Removals | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1225 - Information System Component Inventory \| Automated Maintenance | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1226 - Information System Component Inventory \| Automated Unauthorized Component Detection | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1227 - Information System Component Inventory \| Automated Unauthorized Component Detection | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1228 - Information System Component Inventory \| Accountability Information | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1229 - Information System Component Inventory \| No Duplicate Accounting Of Components | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1739 - Information System Inventory | Microsoft implements this Program Management control | audit | 1.0.0 |
Microsoft Managed Control 1854 - Inventory of Personally Identifiable Information | Microsoft implements this Security control | audit | 1.0.0 |
Microsoft Managed Control 1855 - Inventory of Personally Identifiable Information | Microsoft implements this Security control | audit | 1.0.0 |
Modify access authorizations upon personnel transfer | CMA_0374 - Modify access authorizations upon personnel transfer | Manual, Disabled | 1.1.0 |
Notify upon termination or transfer | CMA_0381 - Notify upon termination or transfer | Manual, Disabled | 1.1.0 |
Protect against and prevent data theft from departing employees | CMA_0398 - Protect against and prevent data theft from departing employees | Manual, Disabled | 1.1.0 |
Reevaluate access upon personnel transfer | CMA_0424 - Reevaluate access upon personnel transfer | Manual, Disabled | 1.1.0 |
Restrict media use | CMA_0450 - Restrict media use | Manual, Disabled | 1.1.0 |
Retain terminated user data | CMA_0455 - Retain terminated user data | Manual, Disabled | 1.1.0 |
Operation
ID: ENS v1 op.exp.10 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
[Preview]: Azure Key Vault Managed HSM keys should have an expiration date | To use this policy in preview, you must first follow these instructions at https://aka.ms/mhsmgovernance. Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Audit, Deny, Disabled | 1.0.1-preview |
Accounts with owner permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
Accounts with read permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
Accounts with write permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 |
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 |
Audit Linux machines that do not have the passwd file permissions set to 0644 | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Linux machines are non-compliant if the passwd file permissions are not set to 0644. | AuditIfNotExists, Disabled | 3.1.0 |
Authenticate to cryptographic module | CMA_0021 - Authenticate to cryptographic module | Manual, Disabled | 1.1.0 |
Azure Container Instance container group should use customer-managed key for encryption | Secure your containers with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. | Audit, Disabled, Deny | 1.0.0 |
Define a physical key management process | CMA_0115 - Define a physical key management process | Manual, Disabled | 1.1.0 |
Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
Define organizational requirements for cryptographic key management | CMA_0123 - Define organizational requirements for cryptographic key management | Manual, Disabled | 1.1.0 |
Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 3.1.0 |
Determine assertion requirements | CMA_0136 - Determine assertion requirements | Manual, Disabled | 1.1.0 |
Disable authenticators upon termination | CMA_0169 - Disable authenticators upon termination | Manual, Disabled | 1.1.0 |
Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Ensure cryptographic mechanisms are under configuration management | CMA_C1199 - Ensure cryptographic mechanisms are under configuration management | Manual, Disabled | 1.1.0 |
Establish a password policy | CMA_0256 - Establish a password policy | Manual, Disabled | 1.1.0 |
Establish authenticator types and processes | CMA_0267 - Establish authenticator types and processes | Manual, Disabled | 1.1.0 |
Establish procedures for initial authenticator distribution | CMA_0276 - Establish procedures for initial authenticator distribution | Manual, Disabled | 1.1.0 |
Identify actions allowed without authentication | CMA_0295 - Identify actions allowed without authentication | Manual, Disabled | 1.1.0 |
Identify and authenticate non-organizational users | CMA_C1346 - Identify and authenticate non-organizational users | Manual, Disabled | 1.1.0 |
Implement cryptographic mechanisms | CMA_C1419 - Implement cryptographic mechanisms | Manual, Disabled | 1.1.0 |
Implement parameters for memorized secret verifiers | CMA_0321 - Implement parameters for memorized secret verifiers | Manual, Disabled | 1.1.0 |
Implement training for protecting authenticators | CMA_0329 - Implement training for protecting authenticators | Manual, Disabled | 1.1.0 |
Issue public key certificates | CMA_0347 - Issue public key certificates | Manual, Disabled | 1.1.0 |
Key Vault keys should have an expiration date | Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Audit, Deny, Disabled | 1.0.2 |
Keys should be backed by a hardware security module (HSM) | An HSM is a hardware security module that stores keys. An HSM provides a physical layer of protection for cryptographic keys. The cryptographic key cannot leave a physical HSM, which provides a greater level of security than a software key. | Audit, Deny, Disabled | 1.0.1 |
Keys should be the specified cryptographic type RSA or EC | Some applications require the use of keys backed by a specific cryptographic type. Enforce a particular cryptographic key type, RSA or EC, in your environment. | Audit, Deny, Disabled | 1.0.1 |
Manage authenticator lifetime and reuse | CMA_0355 - Manage authenticator lifetime and reuse | Manual, Disabled | 1.1.0 |
Manage Authenticators | CMA_C1321 - Manage Authenticators | Manual, Disabled | 1.1.0 |
Manage symmetric cryptographic keys | CMA_0367 - Manage symmetric cryptographic keys | Manual, Disabled | 1.1.0 |
Microsoft Managed Control 1133 - Protection Of Audit Information \| Cryptographic Protection | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
Microsoft Managed Control 1345 - Cryptographic Module Authentication | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
Microsoft Managed Control 1419 - Remote Maintenance \| Cryptographic Protection | Microsoft implements this Maintenance control | audit | 1.0.1 |
Microsoft Managed Control 1641 - Transmission Confidentiality And Integrity \| Cryptographic Or Alternate Physical Protection | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
Microsoft Managed Control 1643 - Cryptographic Key Establishment And Management | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
Microsoft Managed Control 1644 - Cryptographic Key Establishment And Management \| Availability | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
Microsoft Managed Control 1645 - Cryptographic Key Establishment And Management \| Symmetric Keys | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
Microsoft Managed Control 1664 - Protection Of Information At Rest \| Cryptographic Protection | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
Produce, control and distribute asymmetric cryptographic keys | CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys | Manual, Disabled | 1.1.0 |
Produce, control and distribute symmetric cryptographic keys | CMA_C1645 - Produce, control and distribute symmetric cryptographic keys | Manual, Disabled | 1.1.0 |
Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
Queue Storage should use customer-managed key for encryption | Secure your queue storage with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. | Audit, Deny, Disabled | 1.0.0 |
Refresh authenticators | CMA_0425 - Refresh authenticators | Manual, Disabled | 1.1.0 |
Reissue authenticators for changed groups and accounts | CMA_0426 - Reissue authenticators for changed groups and accounts | Manual, Disabled | 1.1.0 |
Restrict access to private keys | CMA_0445 - Restrict access to private keys | Manual, Disabled | 1.1.0 |
Review and update system and communications protection policies and procedures | CMA_C1616 - Review and update system and communications protection policies and procedures | Manual, Disabled | 1.1.0 |
Revoke privileged roles as appropriate | CMA_0483 - Revoke privileged roles as appropriate | Manual, Disabled | 1.1.0 |
Storage accounts should use customer-managed key for encryption | Secure your blob and file storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. | Audit, Disabled | 1.0.3 |
Table Storage should use customer-managed key for encryption | Secure your table storage with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. | Audit, Deny, Disabled | 1.0.0 |
Terminate customer controlled account credentials | CMA_C1022 - Terminate customer controlled account credentials | Manual, Disabled | 1.1.0 |
Verify identity before distributing authenticators | CMA_0538 - Verify identity before distributing authenticators | Manual, Disabled | 1.1.0 |
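As an added example (not part of the original page and not the built-in policy definitions themselves), the following Python models what the two Key Vault key policies in the table above check, "Keys should be backed by a hardware security module (HSM)" and "Keys should be the specified cryptographic type RSA or EC", and how the Audit and Deny effects differ in what they do about a non-compliant key. The key metadata is constructed inline in the shape of the Key Vault `kty` field; it is an assumption made here that the HSM policy treats the `RSA-HSM`, `EC-HSM` and `oct-HSM` types as hardware-backed and everything else as software-protected.

```python
"""Offline mirror of the two Key Vault key policies: HSM-backed keys and
RSA/EC key type. Constructed sample metadata only; no vault is queried."""
from dataclasses import dataclass
from typing import Dict, List, Sequence

# Key Vault JsonWebKeyType values come in software-protected ('RSA', 'EC',
# 'oct') and HSM-protected ('-HSM') variants. Assumption made here, not stated
# on the page: the HSM policy counts exactly the '-HSM' types as HSM-backed.
HSM_TYPES = {"RSA-HSM", "EC-HSM", "oct-HSM"}

HSM_POLICY = "Keys should be backed by a hardware security module (HSM)"
TYPE_POLICY = "Keys should be the specified cryptographic type RSA or EC"


@dataclass(frozen=True)
class Finding:
    key_name: str
    policy: str
    effect: str   # "Audit" or "Deny", as assigned on the policy
    reason: str


def base_type(kty: str) -> str:
    """'RSA-HSM' -> 'RSA'; 'EC' -> 'EC'; 'oct-HSM' -> 'oct'."""
    return kty.split("-", 1)[0]


def evaluate_key(key: Dict, allowed_types: Sequence[str] = ("RSA", "EC"),
                 hsm_effect: str = "Audit", type_effect: str = "Audit") -> List[Finding]:
    """Findings for one key; an empty list means compliant with both policies."""
    kty = key["kty"]
    findings: List[Finding] = []
    if kty not in HSM_TYPES:
        findings.append(Finding(key["name"], HSM_POLICY, hsm_effect,
                                f"kty={kty} is software-protected"))
    if base_type(kty) not in allowed_types:
        findings.append(Finding(key["name"], TYPE_POLICY, type_effect,
                                f"kty={kty} is not one of {list(allowed_types)}"))
    return findings


def evaluate_vault(keys: Sequence[Dict], **effects) -> Dict[str, List]:
    """Audit only reports a key as non-compliant. Deny would also have rejected
    the create/import request, so keys with a Deny finding are listed as
    'blocked' (an existing key is not removed by Deny; it just shows up here)."""
    report: Dict[str, List] = {"compliant": [], "non_compliant": [], "blocked": []}
    for key in keys:
        findings = evaluate_key(key, **effects)
        if not findings:
            report["compliant"].append(key["name"])
            continue
        report["non_compliant"].extend(findings)
        if any(f.effect == "Deny" for f in findings):
            report["blocked"].append(key["name"])
    return report


# Constructed sample: only the fields the checks need.
SAMPLE_KEYS = [
    {"name": "app-signing", "kty": "EC-HSM"},   # compliant with both
    {"name": "db-cmk", "kty": "RSA-HSM"},       # compliant with both
    {"name": "tls-wrap", "kty": "RSA"},         # software key: HSM policy fires
    {"name": "hmac-root", "kty": "oct-HSM"},    # HSM-backed but not RSA/EC
]

if __name__ == "__main__":
    for f in evaluate_vault(SAMPLE_KEYS, hsm_effect="Deny")["non_compliant"]:
        print(f"{f.effect}: {f.key_name}: {f.policy}: {f.reason}")
```

Audit leaves existing keys in place and marks them in the compliance report; Deny rejects new create or import requests but does nothing to keys that already exist, so switching an assignment to Deny on a populated vault still requires the software-protected keys to be recreated as HSM-backed and the consumers re-pointed to the new key versions.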
Operation
ID: ENS v1 op.exp.2 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
A vulnerability assessment solution should be enabled on your virtual machines | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | AuditIfNotExists, Disabled | 3.0.0 |
All network ports should be restricted on network security groups associated to your virtual machine | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | AuditIfNotExists, Disabled | 3.0.0 |
Azure Machine Learning compute instances should be recreated to get the latest software updates | Ensure Azure Machine Learning compute instances run on the latest available operating system. Security is improved and vulnerabilities reduced by running with the latest security patches. For more information, visit https://aka.ms/azureml-ci-updates/. | [parameters('effects')] | 1.0.3 |
Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) | Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. | AuditIfNotExists, Disabled | 1.0.1 |
Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) | Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. | AuditIfNotExists, Disabled | 1.0.1 |
Configure machines to receive a vulnerability assessment provider | Azure Defender includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center. When you enable this policy, Azure Defender automatically deploys the Qualys vulnerability assessment provider to all supported machines that don't already have it installed. | DeployIfNotExists, Disabled | 4.0.0 |
Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
Correlate Vulnerability scan information | CMA_C1558 - Correlate Vulnerability scan information | Manual, Disabled | 1.1.1 |
Define and document government oversight | CMA_C1587 - Define and document government oversight | Manual, Disabled | 1.1.0 |
Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Manual, Disabled | 1.1.0 |
Develop configuration management plan | CMA_C1232 - Develop configuration management plan | Manual, Disabled | 1.1.0 |
Document and implement wireless access guidelines | CMA_0190 - Document and implement wireless access guidelines | Manual, Disabled | 1.1.0 |
Document mobility training | CMA_0191 - Document mobility training | Manual, Disabled | 1.1.0 |
Document remote access guidelines | CMA_0196 - Document remote access guidelines | Manual, Disabled | 1.1.0 |
Employ boundary protection to isolate information systems | CMA_C1639 - Employ boundary protection to isolate information systems | Manual, Disabled | 1.1.0 |
Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
Enforce software execution privileges | CMA_C1041 - Enforce software execution privileges | Manual, Disabled | 1.1.0 |
Ensure cryptographic mechanisms are under configuration management | CMA_C1199 - Ensure cryptographic mechanisms are under configuration management | Manual, Disabled | 1.1.0 |
Establish a secure software development program | CMA_0259 - Establish a secure software development program | Manual, Disabled | 1.1.0 |
Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Manual, Disabled | 1.1.0 |
Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
Establish electronic signature and certificate requirements | CMA_0271 - Establish electronic signature and certificate requirements | Manual, Disabled | 1.1.0 |
Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
Establish terms and conditions for accessing resources | CMA_C1076 - Establish terms and conditions for accessing resources | Manual, Disabled | 1.1.0 |
Establish terms and conditions for processing resources | CMA_C1077 - Establish terms and conditions for processing resources | Manual, Disabled | 1.1.0 |
Identify and authenticate network devices | CMA_0296 - Identify and authenticate network devices | Manual, Disabled | 1.1.0 |
Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
Implement a fault tolerant name/address service | CMA_0305 - Implement a fault tolerant name/address service | Manual, Disabled | 1.1.0 |
Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Manual, Disabled | 1.1.0 |
Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Manual, Disabled | 1.1.0 |
Implement managed interface for each external service | CMA_C1626 - Implement managed interface for each external service | Manual, Disabled | 1.1.0 |
Implement privileged access for executing vulnerability scanning activities | CMA_C1555 - Implement privileged access for executing vulnerability scanning activities | Manual, Disabled | 1.1.0 |
Incorporate flaw remediation into configuration management | CMA_C1671 - Incorporate flaw remediation into configuration management | Manual, Disabled | 1.1.0 |
Microsoft Managed Control 1174 - Configuration Management Policy And Procedures | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1175 - Configuration Management Policy And Procedures | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1219 - Least Functionality \| Authorized Software / Whitelisting | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1220 - Least Functionality \| Authorized Software / Whitelisting | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1221 - Least Functionality \| Authorized Software / Whitelisting | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1230 - Configuration Management Plan | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1231 - Configuration Management Plan | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1232 - Configuration Management Plan | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1233 - Configuration Management Plan | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1234 - Software Usage Restrictions | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1235 - Software Usage Restrictions | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1236 - Software Usage Restrictions | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1237 - Software Usage Restrictions \| Open Source Software | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1238 - User-Installed Software | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1239 - User-Installed Software | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1240 - User-Installed Software | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1241 - User-Installed Software \| Alerts For Unauthorized Installations | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1546 - Vulnerability Scanning | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1547 - Vulnerability Scanning | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1548 - Vulnerability Scanning | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1549 - Vulnerability Scanning | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1550 - Vulnerability Scanning | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1551 - Vulnerability Scanning \| Update Tool Capability | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1552 - Vulnerability Scanning \| Update By Frequency / Prior To New Scan / When Identified | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1553 - Vulnerability Scanning \| Breadth / Depth Of Coverage | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1554 - Vulnerability Scanning \| Discoverable Information | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1555 - Vulnerability Scanning \| Privileged Access | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1556 - Vulnerability Scanning \| Automated Trend Analyses | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1557 - Vulnerability Scanning \| Review Historic Audit Logs | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1558 - Vulnerability Scanning \| Correlate Scanning Information | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1594 - Developer Configuration Management | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Microsoft Managed Control 1595 - Developer Configuration Management | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Microsoft Managed Control 1596 - Developer Configuration Management | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Microsoft Managed Control 1597 - Developer Configuration Management | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Microsoft Managed Control 1598 - Developer Configuration Management | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Microsoft Managed Control 1599 - Developer Configuration Management \| Software / Firmware Integrity Verification | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Microsoft Managed Control 1606 - Developer Security Testing And Evaluation \| Threat And Vulnerability Analyses | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Microsoft Managed Control 1712 - Software & Information Integrity | Microsoft implements this System and Information Integrity control | audit | 1.0.1 |
Microsoft Managed Control 1713 - Software & Information Integrity \| Integrity Checks | Microsoft implements this System and Information Integrity control | audit | 1.0.1 |
Microsoft Managed Control 1714 - Software & Information Integrity \| Automated Notifications Of Integrity Violations | Microsoft implements this System and Information Integrity control | audit | 1.0.1 |
Microsoft Managed Control 1715 - Software & Information Integrity \| Automated Response To Integrity Violations | Microsoft implements this System and Information Integrity control | audit | 1.0.1 |
Microsoft Managed Control 1716 - Software & Information Integrity \| Integration Of Detection And Response | Microsoft implements this System and Information Integrity control | audit | 1.0.1 |
Microsoft Managed Control 1717 - Software & Information Integrity \| Binary Or Machine Executable Code | Microsoft implements this System and Information Integrity control | audit | 1.0.1 |
Microsoft Managed Control 1718 - Software & Information Integrity \| Binary Or Machine Executable Code | Microsoft implements this System and Information Integrity control | audit | 1.0.1 |
Microsoft Managed Control 1834 - Data Retention And Disposal | Microsoft implements this Data Minimization and Retention control | audit | 1.0.0 |
Microsoft Managed Control 1835 - Data Retention And Disposal | Microsoft implements this Data Minimization and Retention control | audit | 1.0.0 |
Microsoft Managed Control 1836 - Data Retention And Disposal | Microsoft implements this Data Minimization and Retention control | audit | 1.0.0 |
Microsoft Managed Control 1837 - Data Retention And Disposal \| System Configuration | Microsoft implements this Data Minimization and Retention control | audit | 1.0.0 |
Notify users of system logon or access | CMA_0382 - Notify users of system logon or access | Manual, Disabled | 1.1.0 |
Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
Prevent split tunneling for remote devices | CMA_C1632 - Prevent split tunneling for remote devices | Manual, Disabled | 1.1.0 |
Produce, control and distribute asymmetric cryptographic keys | CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys | Manual, Disabled | 1.1.0 |
Protect wireless access | CMA_0411 - Protect wireless access | Manual, Disabled | 1.1.0 |
Provide secure name and address resolution services | CMA_0416 - Provide secure name and address resolution services | Manual, Disabled | 1.1.0 |
Reauthenticate or terminate a user session | CMA_0421 - Reauthenticate or terminate a user session | Manual, Disabled | 1.1.0 |
Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0 |
Require interconnection security agreements | CMA_C1151 - Require interconnection security agreements | Manual, Disabled | 1.1.0 |
Restrict unauthorized software and firmware installation | CMA_C1205 - Restrict unauthorized software and firmware installation | Manual, Disabled | 1.1.0 |
Restrict use of open source software | CMA_C1237 - Restrict use of open source software | Manual, Disabled | 1.1.0 |
Review and update configuration management policies and procedures | CMA_C1175 - Review and update configuration management policies and procedures | Manual, Disabled | 1.1.0 |
Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Manual, Disabled | 1.1.0 |
Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
Separate user and information system management functionality | CMA_0493 - Separate user and information system management functionality | Manual, Disabled | 1.1.0 |
Setup subscriptions to transition to an alternative vulnerability assessment solution | Microsoft Defender for Cloud offers vulnerability scanning for your machines at no extra cost. Enabling this policy will cause Defender for Cloud to automatically propagate the findings from the built-in Microsoft Defender vulnerability management solution to all supported machines. | DeployIfNotExists, Disabled | 1.0.0-preview |
SQL databases should have vulnerability findings resolved | Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. | AuditIfNotExists, Disabled | 4.1.0 |
SQL servers on machines should have vulnerability findings resolved | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | AuditIfNotExists, Disabled | 1.0.0 |
Track software license usage | CMA_C1235 - Track software license usage | Manual, Disabled | 1.1.0 |
Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
Update interconnection security agreements | CMA_0519 - Update interconnection security agreements | Manual, Disabled | 1.1.0 |
Use dedicated machines for administrative tasks | CMA_0527 - Use dedicated machines for administrative tasks | Manual, Disabled | 1.1.0 |
Verify security controls for external information systems | CMA_0541 - Verify security controls for external information systems | Manual, Disabled | 1.1.0 |
Verify software, firmware and information integrity | CMA_0542 - Verify software, firmware and information integrity | Manual, Disabled | 1.1.0 |
Vulnerability assessment should be enabled on SQL Managed Instance | Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 1.0.1 |
Vulnerability assessment should be enabled on your SQL servers | Audit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 3.0.0 |
Vulnerability assessment should be enabled on your Synapse workspaces | Discover, track, and remediate potential vulnerabilities by configuring recurring SQL vulnerability assessment scans on your Synapse workspaces. | AuditIfNotExists, Disabled | 1.0.0 |
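The policy "All network ports should be restricted on network security groups associated to your virtual machine" (listed above and again under op.exp.3) flags inbound Allow rules whose source is 'Any' or 'Internet'. As an added example, not the page's own content and not Microsoft's evaluation logic, the following Python reproduces that check offline over a constructed network security group in ARM resource shape (`properties.securityRules[].properties`). It goes one step beyond the policy text: an open Allow rule is dropped from the findings when a Deny rule with a lower priority number (evaluated first) already blocks the same ports for the same sources. Both that shadowing logic and treating `0.0.0.0/0` as equivalent to `*` are assumptions made here.

```python
"""Offline check for NSG inbound Allow rules reachable from Any/Internet.

Constructed sample only: SAMPLE_NSG imitates the ARM JSON of a network security
group; no Azure API is called. Assumptions made here: '0.0.0.0/0' is treated
like '*' and 'Internet', and an open Allow rule is not reported when a
higher-precedence Deny rule already covers its ports.
"""
from typing import Dict, List, Tuple

OPEN_SOURCES = {"*", "internet", "0.0.0.0/0"}
PortRange = Tuple[int, int]


def parse_port_spec(spec: str) -> PortRange:
    """'*' -> (0, 65535); '22' -> (22, 22); '5985-5986' -> (5985, 5986)."""
    if spec == "*":
        return (0, 65535)
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return (int(lo), int(hi))
    return (int(spec), int(spec))


def rule_ports(props: Dict) -> List[PortRange]:
    # ARM carries either destinationPortRange (one string) or destinationPortRanges (list)
    specs = props.get("destinationPortRanges") or [props.get("destinationPortRange", "*")]
    return [parse_port_spec(s) for s in specs]


def rule_sources(props: Dict) -> List[str]:
    return props.get("sourceAddressPrefixes") or [props.get("sourceAddressPrefix", "*")]


def has_open_source(props: Dict) -> bool:
    return any(s.lower() in OPEN_SOURCES for s in rule_sources(props))


def contained(inner: PortRange, outer: PortRange) -> bool:
    return outer[0] <= inner[0] and inner[1] <= outer[1]


def shadowed_by_deny(allow: Dict, rules: List[Dict]) -> bool:
    """True when an inbound Deny rule with a lower priority number, a matching
    protocol and a source at least as broad as the Allow rule's covers every
    destination port range of the Allow rule. Conservative: each Allow range
    must fit inside a single Deny range, so split Deny ranges do not count."""
    allow_src = {s.lower() for s in rule_sources(allow)}
    for r in rules:
        p = r["properties"]
        if p["direction"] != "Inbound" or p["access"] != "Deny":
            continue
        if p["priority"] >= allow["priority"]:
            continue
        if p["protocol"] not in ("*", allow["protocol"]):
            continue
        deny_src = {s.lower() for s in rule_sources(p)}
        if "*" not in deny_src and not allow_src <= deny_src:
            continue
        deny_ports = rule_ports(p)
        if all(any(contained(a, d) for d in deny_ports) for a in rule_ports(allow)):
            return True
    return False


def find_open_inbound(nsg: Dict) -> List[Dict]:
    """Inbound Allow rules reachable from Any/Internet, in evaluation order."""
    rules = nsg["properties"]["securityRules"]
    findings: List[Dict] = []
    for r in sorted(rules, key=lambda r: r["properties"]["priority"]):
        p = r["properties"]
        if p["direction"] != "Inbound" or p["access"] != "Allow":
            continue
        if not has_open_source(p) or shadowed_by_deny(p, rules):
            continue
        findings.append({"rule": r["name"], "priority": p["priority"],
                         "sources": rule_sources(p), "ports": rule_ports(p)})
    return findings


def _rule(name, priority, direction, access, protocol, src, **ports):
    # Helper that builds one securityRules[] entry in ARM shape (constructed data).
    return {"name": name, "properties": {"priority": priority, "direction": direction,
                                         "access": access, "protocol": protocol,
                                         "sourceAddressPrefix": src, **ports}}


SAMPLE_NSG = {  # constructed, not captured from a real subscription
    "name": "web-nsg",
    "properties": {"securityRules": [
        _rule("allow-https", 100, "Inbound", "Allow", "Tcp", "Internet", destinationPortRange="443"),
        _rule("deny-ssh", 110, "Inbound", "Deny", "Tcp", "*", destinationPortRange="22"),
        _rule("allow-ssh-any", 200, "Inbound", "Allow", "Tcp", "*", destinationPortRange="22"),
        _rule("allow-mgmt-vpn", 300, "Inbound", "Allow", "*", "10.0.0.0/8",
              destinationPortRanges=["3389", "5985-5986"]),
        _rule("allow-rdp-any", 310, "Inbound", "Allow", "Tcp", "0.0.0.0/0", destinationPortRange="3389"),
        _rule("allow-all-out", 100, "Outbound", "Allow", "*", "*", destinationPortRange="*"),
    ]},
}

if __name__ == "__main__":
    for f in find_open_inbound(SAMPLE_NSG):
        print(f"{f['priority']:>4} {f['rule']}: {f['sources']} -> ports {f['ports']}")
```

On the sample this reports `allow-https` and `allow-rdp-any`; `allow-ssh-any` is not reported because `deny-ssh` precedes it, and `allow-mgmt-vpn` has a private source. A finding is not automatically a vulnerability: a public web tier legitimately allows 443 from Internet, and the intended way to record that is a policy exemption on that resource rather than loosening the assignment. RDP open to `0.0.0.0/0`, on the other hand, is the case the control exists for.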
Operation
ID: ENS v1 op.exp.3 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
A vulnerability assessment solution should be enabled on your virtual machines | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | AuditIfNotExists, Disabled | 3.0.0 |
All network ports should be restricted on network security groups associated to your virtual machine | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | AuditIfNotExists, Disabled | 3.0.0 |
Azure Backup should be enabled for Virtual Machines | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | AuditIfNotExists, Disabled | 3.0.0 |
Azure Machine Learning compute instances should be recreated to get the latest software updates | Ensure Azure Machine Learning compute instances run on the latest available operating system. Security is improved and vulnerabilities reduced by running with the latest security patches. For more information, visit https://aka.ms/azureml-ci-updates/. | [parameters('effects')] | 1.0.3 |
Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) | Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. | AuditIfNotExists, Disabled | 1.0.1 |
Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) | Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. | AuditIfNotExists, Disabled | 1.0.1 |
Conduct backup of information system documentation | CMA_C1289 - Conduct backup of information system documentation | Manual, Disabled | 1.1.0 |
Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. | auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled | 9.3.0 |
Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. | auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled | 9.3.0 |
Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. | auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled | 9.3.0 |
Configure machines to receive a vulnerability assessment provider | Azure Defender includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center. When you enable this policy, Azure Defender automatically deploys the Qualys vulnerability assessment provider to all supported machines that don't already have it installed. | DeployIfNotExists, Disabled | 4.0.0 |
Correlate Vulnerability scan information | CMA_C1558 - Correlate Vulnerability scan information | Manual, Disabled | 1.1.1 |
Define and document government oversight | CMA_C1587 - Define and document government oversight | Manual, Disabled | 1.1.0 |
Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Manual, Disabled | 1.1.0 |
Develop configuration management plan | CMA_C1232 - Develop configuration management plan | Manual, Disabled | 1.1.0 |
Document and implement wireless access guidelines | CMA_0190 - Document and implement wireless access guidelines | Manual, Disabled | 1.1.0 |
Document mobility training | CMA_0191 - Document mobility training | Manual, Disabled | 1.1.0 |
Document remote access guidelines | CMA_0196 - Document remote access guidelines | Manual, Disabled | 1.1.0 |
Employ boundary protection to isolate information systems | CMA_C1639 - Employ boundary protection to isolate information systems | Manual, Disabled | 1.1.0 |
Enforce software execution privileges | CMA_C1041 - Enforce software execution privileges | Manual, Disabled | 1.1.0 |
Ensure cryptographic mechanisms are under configuration management | CMA_C1199 - Ensure cryptographic mechanisms are under configuration management | Manual, Disabled | 1.1.0 |
Establish a secure software development program | CMA_0259 - Establish a secure software development program | Manual, Disabled | 1.1.0 |
Establish alternate storage site to store and retrieve backup information | CMA_C1267 - Establish alternate storage site to store and retrieve backup information | Manual, Disabled | 1.1.0 |
Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Manual, Disabled | 1.1.0 |
Establish backup policies and procedures | CMA_0268 - Establish backup policies and procedures | Manual, Disabled | 1.1.0 |
Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
Establish electronic signature and certificate requirements | CMA_0271 - Establish electronic signature and certificate requirements | Manual, Disabled | 1.1.0 |
Establish terms and conditions for accessing resources | CMA_C1076 - Establish terms and conditions for accessing resources | Manual, Disabled | 1.1.0 |
Establish terms and conditions for processing resources | CMA_C1077 - Establish terms and conditions for processing resources | Manual, Disabled | 1.1.0 |
Geo-redundant backup should be enabled for Azure Database for MariaDB | Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to geo-redundant backup storage, in which the data is not only stored within the region in which your server is hosted but is also replicated to a paired region to provide a recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server creation. | Audit, Disabled | 1.0.1 |
Geo-redundant backup should be enabled for Azure Database for MySQL | Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to geo-redundant backup storage, in which the data is not only stored within the region in which your server is hosted but is also replicated to a paired region to provide a recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server creation. | Audit, Disabled | 1.0.1 |
Geo-redundant backup should be enabled for Azure Database for PostgreSQL | Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to geo-redundant backup storage, in which the data is not only stored within the region in which your server is hosted but is also replicated to a paired region to provide a recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server creation. | Audit, Disabled | 1.0.1 |
Identify and authenticate network devices | CMA_0296 - Identify and authenticate network devices | Manual, Disabled | 1.1.0 |
Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Manual, Disabled | 1.1.0 |
Implement managed interface for each external service | CMA_C1626 - Implement managed interface for each external service | Manual, Disabled | 1.1.0 |
Implement privileged access for executing vulnerability scanning activities | CMA_C1555 - Implement privileged access for executing vulnerability scanning activities | Manual, Disabled | 1.1.0 |
Incorporate flaw remediation into configuration management | CMA_C1671 - Incorporate flaw remediation into configuration management | Manual, Disabled | 1.1.0 |
Long-term geo-redundant backup should be enabled for Azure SQL Databases | This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled. | AuditIfNotExists, Disabled | 2.0.0 |
Microsoft Managed Control 1132 - Protection Of Audit Information \| Audit Backup On Separate Physical Systems / Components | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
Microsoft Managed Control 1174 - Configuration Management Policy And Procedures | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1175 - Configuration Management Policy And Procedures | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1219 - Least Functionality \| Authorized Software / Whitelisting | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1220 - Least Functionality \| Authorized Software / Whitelisting | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1221 - Least Functionality \| Authorized Software / Whitelisting | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1230 - Configuration Management Plan | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1231 - Configuration Management Plan | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1232 - Configuration Management Plan | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1233 - Configuration Management Plan | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1234 - Software Usage Restrictions | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1235 - Software Usage Restrictions | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1236 - Software Usage Restrictions | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1237 - Software Usage Restrictions \| Open Source Software | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1238 - User-Installed Software | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1239 - User-Installed Software | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1240 - User-Installed Software | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1241 - User-Installed Software \| Alerts For Unauthorized Installations | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1287 - Information System Backup | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1288 - Information System Backup | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1289 - Information System Backup | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1290 - Information System Backup | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1291 - Information System Backup \| Testing For Reliability / Integrity | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1292 - Information System Backup \| Test Restoration Using Sampling | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1293 - Information System Backup \| Separate Storage For Critical Information | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1294 - Information System Backup \| Transfer To Alternate Storage Site | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Microsoft Managed Control 1546 - Vulnerability Scanning | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1547 - Vulnerability Scanning | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1548 - Vulnerability Scanning | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1549 - Vulnerability Scanning | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1550 - Vulnerability Scanning | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1551 - Vulnerability Scanning \| Update Tool Capability | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1552 - Vulnerability Scanning \| Update By Frequency / Prior To New Scan / When Identified | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1553 - Vulnerability Scanning \| Breadth / Depth Of Coverage | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1554 - Vulnerability Scanning \| Discoverable Information | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1555 - Vulnerability Scanning \| Privileged Access | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1556 - Vulnerability Scanning \| Automated Trend Analyses | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1557 - Vulnerability Scanning \| Review Historic Audit Logs | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1558 - Vulnerability Scanning \| Correlate Scanning Information | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1594 - Developer Configuration Management | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Microsoft Managed Control 1595 - Developer Configuration Management | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Microsoft Managed Control 1596 - Developer Configuration Management | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Microsoft Managed Control 1597 - Developer Configuration Management | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Microsoft Managed Control 1598 - Developer Configuration Management | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Microsoft Managed Control 1599 - Developer Configuration Management \| Software / Firmware Integrity Verification | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Microsoft Managed Control 1606 - Developer Security Testing And Evaluation \| Threat And Vulnerability Analyses | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Microsoft Managed Control 1712 - Software & Information Integrity | Microsoft implements this System and Information Integrity control | audit | 1.0.1 |
Microsoft Managed Control 1713 - Software & Information Integrity \| Integrity Checks | Microsoft implements this System and Information Integrity control | audit | 1.0.1 |
Microsoft Managed Control 1714 - Software & Information Integrity \| Automated Notifications Of Integrity Violations | Microsoft implements this System and Information Integrity control | audit | 1.0.1 |
Microsoft Managed Control 1715 - Software & Information Integrity \| Automated Response To Integrity Violations | Microsoft implements this System and Information Integrity control | audit | 1.0.1 |
Microsoft Managed Control 1716 - Software & Information Integrity \| Integration Of Detection And Response | Microsoft implements this System and Information Integrity control | audit | 1.0.1 |
Microsoft Managed Control 1717 - Software & Information Integrity \| Binary Or Machine Executable Code | Microsoft implements this System and Information Integrity control | audit | 1.0.1 |
Microsoft Managed Control 1718 - Software & Information Integrity \| Binary Or Machine Executable Code | Microsoft implements this System and Information Integrity control | audit | 1.0.1 |
Microsoft Managed Control 1834 - Data Retention And Disposal | Microsoft implements this Data Minimization and Retention control | audit | 1.0.0 |
Microsoft Managed Control 1835 - Data Retention And Disposal | Microsoft implements this Data Minimization and Retention control | audit | 1.0.0 |
Microsoft Managed Control 1836 - Data Retention And Disposal | Microsoft implements this Data Minimization and Retention control | audit | 1.0.0 |
Microsoft Managed Control 1837 - Data Retention And Disposal \| System Configuration | Microsoft implements this Data Minimization and Retention control | audit | 1.0.0 |
Notify users of system logon or access | CMA_0382 - Notify users of system logon or access | Manual, Disabled | 1.1.0 |
Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
Prevent split tunneling for remote devices | CMA_C1632 - Prevent split tunneling for remote devices | Manual, Disabled | 1.1.0 |
Protect wireless access | CMA_0411 - Protect wireless access | Manual, Disabled | 1.1.0 |
Reauthenticate or terminate a user session | CMA_0421 - Reauthenticate or terminate a user session | Manual, Disabled | 1.1.0 |
Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0 |
Require interconnection security agreements | CMA_C1151 - Require interconnection security agreements | Manual, Disabled | 1.1.0 |
Restrict unauthorized software and firmware installation | CMA_C1205 - Restrict unauthorized software and firmware installation | Manual, Disabled | 1.1.0 |
Restrict use of open source software | CMA_C1237 - Restrict use of open source software | Manual, Disabled | 1.1.0 |
Review and update configuration management policies and procedures | CMA_C1175 - Review and update configuration management policies and procedures | Manual, Disabled | 1.1.0 |
Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Manual, Disabled | 1.1.0 |
Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
Separate user and information system management functionality | CMA_0493 - Separate user and information system management functionality | Manual, Disabled | 1.1.0 |
Separately store backup information | CMA_C1293 - Separately store backup information | Manual, Disabled | 1.1.0 |
Setup subscriptions to transition to an alternative vulnerability assessment solution | Microsoft Defender for Cloud offers vulnerability scanning for your machines at no extra cost. Enabling this policy will cause Defender for Cloud to automatically propagate the findings from the built-in Microsoft Defender Vulnerability Management solution to all supported machines. | DeployIfNotExists, Disabled | 1.0.0-preview |
SQL Database should avoid using GRS backup redundancy | Databases should avoid using the default geo-redundant storage for backups, if data residency rules require data to stay within a specific region. Note: Azure Policy is not enforced when creating a database using T-SQL. If not explicitly specified, database with geo-redundant backup storage is created via T-SQL. | Deny, Disabled | 2.0.0 |
SQL databases should have vulnerability findings resolved | Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. | AuditIfNotExists, Disabled | 4.1.0 |
SQL Managed Instances should avoid using GRS backup redundancy | Managed Instances should avoid using the default geo-redundant storage for backups, if data residency rules require data to stay within a specific region. Note: Azure Policy is not enforced when creating a database using T-SQL. If not explicitly specified, database with geo-redundant backup storage is created via T-SQL. | Deny, Disabled | 2.0.0 |
SQL servers on machines should have vulnerability findings resolved | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | AuditIfNotExists, Disabled | 1.0.0 |
Track software license usage | CMA_C1235 - Track software license usage | Manual, Disabled | 1.1.0 |
Transfer backup information to an alternate storage site | CMA_C1294 - Transfer backup information to an alternate storage site | Manual, Disabled | 1.1.0 |
Update interconnection security agreements | CMA_0519 - Update interconnection security agreements | Manual, Disabled | 1.1.0 |
Use dedicated machines for administrative tasks | CMA_0527 - Use dedicated machines for administrative tasks | Manual, Disabled | 1.1.0 |
Verify security controls for external information systems | CMA_0541 - Verify security controls for external information systems | Manual, Disabled | 1.1.0 |
Verify software, firmware and information integrity | CMA_0542 - Verify software, firmware and information integrity | Manual, Disabled | 1.1.0 |
Vulnerability assessment should be enabled on SQL Managed Instance | Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 1.0.1 |
Vulnerability assessment should be enabled on your SQL servers | Audit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 3.0.0 |
Vulnerability assessment should be enabled on your Synapse workspaces | Discover, track, and remediate potential vulnerabilities by configuring recurring SQL vulnerability assessment scans on your Synapse workspaces. | AuditIfNotExists, Disabled | 1.0.0 |
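The two Deny-effect policies in this table ("SQL Database should avoid using GRS backup redundancy" and "SQL Managed Instances should avoid using GRS backup redundancy") carry a caveat that matters for data residency: Azure Policy only evaluates Azure Resource Manager requests, so a database created with T-SQL bypasses the Deny and, unless told otherwise, lands on geo-redundant backup storage. The policy therefore cannot be the only control; the existing inventory has to be checked too. The script below is an added example, not part of this initiative or of any Microsoft tooling. It assumes an inventory shaped like the JSON that `az sql db list` returns, with the ARM property names `currentBackupStorageRedundancy` and `requestedBackupStorageRedundancy` (verify these against your CLI version); the database names, region, and values in the sample are constructed.

```python
"""Check Azure SQL backup storage redundancy against a data-residency rule.

Added example; not code from the Azure Policy built-in initiative. It walks an
inventory shaped like `az sql db list -g <rg> -s <server> -o json` output and
reports every database whose backup redundancy would replicate backups out of
the region. This catches databases created via T-SQL, which the Deny-effect
policies never see.
"""
import json
from typing import Dict, FrozenSet, List

# Constructed sample inventory. Only the fields used below are included; names,
# region and values are hypothetical. Property names follow the ARM resource
# (assumption: matches your `az` version).
SAMPLE_INVENTORY = json.dumps([
    {"name": "hr", "location": "westeurope",
     "currentBackupStorageRedundancy": "Local",
     "requestedBackupStorageRedundancy": "Local"},
    {"name": "citizen-records", "location": "westeurope",
     "currentBackupStorageRedundancy": "Geo",          # default when unspecified
     "requestedBackupStorageRedundancy": "Geo"},
    {"name": "analytics", "location": "westeurope",
     "currentBackupStorageRedundancy": "Local",
     "requestedBackupStorageRedundancy": "Geo"},       # pending change to Geo
    {"name": "reporting", "location": "westeurope",
     "currentBackupStorageRedundancy": "Zone",
     "requestedBackupStorageRedundancy": "Zone"},
    {"name": "legacy", "location": "westeurope"},       # property missing
])

# Redundancy options that keep backups inside the region. "Geo" and "GeoZone"
# replicate to the paired region and are therefore excluded.
IN_REGION: FrozenSet[str] = frozenset({"Local", "Zone"})


def find_residency_violations(inventory_json: str,
                              allowed: FrozenSet[str] = IN_REGION) -> List[Dict[str, str]]:
    """Return databases whose current OR requested redundancy is outside `allowed`.

    Both properties are checked: `current` is what is in effect now, `requested`
    is a pending change that will take effect later. A missing property is
    reported as "unknown" rather than silently passing, because an inventory
    produced by an older API version gives no evidence of compliance.
    """
    findings: List[Dict[str, str]] = []
    for db in json.loads(inventory_json):
        current = db.get("currentBackupStorageRedundancy", "unknown")
        requested = db.get("requestedBackupStorageRedundancy", "unknown")
        if current not in allowed or requested not in allowed:
            findings.append({
                "name": db["name"],
                "location": db.get("location", ""),
                "current": current,
                "requested": requested,
            })
    return findings


def format_report(findings: List[Dict[str, str]]) -> str:
    """One line per violating database, suitable for a ticket or pipeline log."""
    if not findings:
        return "OK: all databases keep backups in-region"
    lines = [f"FAIL: {len(findings)} database(s) with out-of-region backup storage"]
    for f in findings:
        lines.append(f"  {f['name']} ({f['location']}): "
                     f"current={f['current']} requested={f['requested']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(find_residency_violations(SAMPLE_INVENTORY)))
```

Feed the function the real output of `az sql db list` (or the equivalent for managed instances) in place of the constructed sample; a non-empty result is the list of databases the Deny policy never evaluated and that need their redundancy changed. Treating a missing property as a finding is deliberate: absence of evidence is not compliance.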
Operation
ID: ENS v1 op.exp.4 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
A vulnerability assessment solution should be enabled on your virtual machines | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | AuditIfNotExists, Disabled | 3.0.0 |
Address coding vulnerabilities | CMA_0003 - Address coding vulnerabilities | Manual, Disabled | 1.1.0 |
App Service apps that use Python should use a specified 'Python version' | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Python version that meets your requirements. | AuditIfNotExists, Disabled | 4.1.0 |
Automate approval request for proposed changes | CMA_C1192 - Automate approval request for proposed changes | Manual, Disabled | 1.1.0 |
Automate implementation of approved change notifications | CMA_C1196 - Automate implementation of approved change notifications | Manual, Disabled | 1.1.0 |
Automate process to document implemented changes | CMA_C1195 - Automate process to document implemented changes | Manual, Disabled | 1.1.0 |
Automate process to highlight unreviewed change proposals | CMA_C1193 - Automate process to highlight unreviewed change proposals | Manual, Disabled | 1.1.0 |
Automate process to prohibit implementation of unapproved changes | CMA_C1194 - Automate process to prohibit implementation of unapproved changes | Manual, Disabled | 1.1.0 |
Automate proposed documented changes | CMA_C1191 - Automate proposed documented changes | Manual, Disabled | 1.1.0 |
Automate remote maintenance activities | CMA_C1402 - Automate remote maintenance activities | Manual, Disabled | 1.1.0 |
Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) | Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. | AuditIfNotExists, Disabled | 1.0.1 |
Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) | Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. | AuditIfNotExists, Disabled | 1.0.1 |
Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
Configure machines to receive a vulnerability assessment provider | Azure Defender includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center. When you enable this policy, Azure Defender automatically deploys the Qualys vulnerability assessment provider to all supported machines that don't already have it installed. | DeployIfNotExists, Disabled | 4.0.0 |
Control maintenance and repair activities | CMA_0080 - Control maintenance and repair activities | Manual, Disabled | 1.1.0 |
Correlate Vulnerability scan information | CMA_C1558 - Correlate Vulnerability scan information | Manual, Disabled | 1.1.1 |
Develop and document application security requirements | CMA_0148 - Develop and document application security requirements | Manual, Disabled | 1.1.0 |
Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Manual, Disabled | 1.1.0 |
Develop configuration management plan | CMA_C1232 - Develop configuration management plan | Manual, Disabled | 1.1.0 |
Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
Ensure cryptographic mechanisms are under configuration management | CMA_C1199 - Ensure cryptographic mechanisms are under configuration management | Manual, Disabled | 1.1.0 |
Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
Establish a secure software development program | CMA_0259 - Establish a secure software development program | Manual, Disabled | 1.1.0 |
Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Manual, Disabled | 1.1.0 |
Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Manual, Disabled | 1.1.0 |
Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
Implement privileged access for executing vulnerability scanning activities | CMA_C1555 - Implement privileged access for executing vulnerability scanning activities | Manual, Disabled | 1.1.0 |
Incorporate flaw remediation into configuration management | CMA_C1671 - Incorporate flaw remediation into configuration management | Manual, Disabled | 1.1.0 |
Install an alarm system | CMA_0338 - Install an alarm system | Manual, Disabled | 1.1.0 |
Manage nonlocal maintenance and diagnostic activities | CMA_0364 - Manage nonlocal maintenance and diagnostic activities | Manual, Disabled | 1.1.0 |
Microsoft Managed Control 1174 - Configuration Management Policy And Procedures | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1175 - Configuration Management Policy And Procedures | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1230 - Configuration Management Plan | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1231 - Configuration Management Plan | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1232 - Configuration Management Plan | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1233 - Configuration Management Plan | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1546 - Vulnerability Scanning | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1547 - Vulnerability Scanning | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1548 - Vulnerability Scanning | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1549 - Vulnerability Scanning | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1550 - Vulnerability Scanning | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1551 - Vulnerability Scanning \| Update Tool Capability | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1552 - Vulnerability Scanning \| Update By Frequency / Prior To New Scan / When Identified | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1553 - Vulnerability Scanning \| Breadth / Depth Of Coverage | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1554 - Vulnerability Scanning \| Discoverable Information | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1555 - Vulnerability Scanning \| Privileged Access | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1556 - Vulnerability Scanning \| Automated Trend Analyses | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1557 - Vulnerability Scanning \| Review Historic Audit Logs | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1558 - Vulnerability Scanning \| Correlate Scanning Information | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1594 - Developer Configuration Management | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Microsoft Managed Control 1595 - Developer Configuration Management | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Microsoft Managed Control 1596 - Developer Configuration Management | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Microsoft Managed Control 1597 - Developer Configuration Management | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Microsoft Managed Control 1598 - Developer Configuration Management | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Microsoft Managed Control 1599 - Developer Configuration Management \| Software / Firmware Integrity Verification | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Microsoft Managed Control 1606 - Developer Security Testing And Evaluation \| Threat And Vulnerability Analyses | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
Produce complete records of remote maintenance activities | CMA_C1403 - Produce complete records of remote maintenance activities | Manual, Disabled | 1.1.0 |
Provide timely maintenance support | CMA_C1425 - Provide timely maintenance support | Manual, Disabled | 1.1.0 |
Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
Require developers to document approved changes and potential impact | CMA_C1597 - Require developers to document approved changes and potential impact | Manual, Disabled | 1.1.0 |
Require developers to implement only approved changes | CMA_C1596 - Require developers to implement only approved changes | Manual, Disabled | 1.1.0 |
Require developers to manage change integrity | CMA_C1595 - Require developers to manage change integrity | Manual, Disabled | 1.1.0 |
Review and update configuration management policies and procedures | CMA_C1175 - Review and update configuration management policies and procedures | Manual, Disabled | 1.1.0 |
Setup subscriptions to transition to an alternative vulnerability assessment solution | Microsoft Defender for Cloud offers vulnerability scanning for your machines at no extra cost. Enabling this policy will cause Defender for Cloud to automatically propagate the findings from the built-in Microsoft Defender Vulnerability Management solution to all supported machines. | DeployIfNotExists, Disabled | 1.0.0-preview |
SQL databases should have vulnerability findings resolved | Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. | AuditIfNotExists, Disabled | 4.1.0 |
SQL servers on machines should have vulnerability findings resolved | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | AuditIfNotExists, Disabled | 1.0.0 |
Vulnerability assessment should be enabled on SQL Managed Instance | Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 1.0.1 |
Vulnerability assessment should be enabled on your SQL servers | Audit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 3.0.0 |
Vulnerability assessment should be enabled on your Synapse workspaces | Discover, track, and remediate potential vulnerabilities by configuring recurring SQL vulnerability assessment scans on your Synapse workspaces. | AuditIfNotExists, Disabled | 1.0.0 |
Operation
ID: ENS v1 op.exp.5 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
A vulnerability assessment solution should be enabled on your virtual machines | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | AuditIfNotExists, Disabled | 3.0.0 |
Address coding vulnerabilities | CMA_0003 - Address coding vulnerabilities | Manual, Disabled | 1.1.0 |
Automate approval request for proposed changes | CMA_C1192 - Automate approval request for proposed changes | Manual, Disabled | 1.1.0 |
Automate implementation of approved change notifications | CMA_C1196 - Automate implementation of approved change notifications | Manual, Disabled | 1.1.0 |
Automate process to document implemented changes | CMA_C1195 - Automate process to document implemented changes | Manual, Disabled | 1.1.0 |
Automate process to highlight unreviewed change proposals | CMA_C1193 - Automate process to highlight unreviewed change proposals | Manual, Disabled | 1.1.0 |
Automate process to prohibit implementation of unapproved changes | CMA_C1194 - Automate process to prohibit implementation of unapproved changes | Manual, Disabled | 1.1.0 |
Automate proposed documented changes | CMA_C1191 - Automate proposed documented changes | Manual, Disabled | 1.1.0 |
Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) | Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. | AuditIfNotExists, Disabled | 1.0.1 |
Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) | Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. | AuditIfNotExists, Disabled | 1.0.1 |
Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
Configure machines to receive a vulnerability assessment provider | Azure Defender includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center. When you enable this policy, Azure Defender automatically deploys the Qualys vulnerability assessment provider to all supported machines that don't already have it installed. | DeployIfNotExists, Disabled | 4.0.0 |
Correlate Vulnerability scan information | CMA_C1558 - Correlate Vulnerability scan information | Manual, Disabled | 1.1.1 |
Develop and document application security requirements | CMA_0148 - Develop and document application security requirements | Manual, Disabled | 1.1.0 |
Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Manual, Disabled | 1.1.0 |
Develop configuration management plan | CMA_C1232 - Develop configuration management plan | Manual, Disabled | 1.1.0 |
Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
Ensure cryptographic mechanisms are under configuration management | CMA_C1199 - Ensure cryptographic mechanisms are under configuration management | Manual, Disabled | 1.1.0 |
Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
Establish a secure software development program | CMA_0259 - Establish a secure software development program | Manual, Disabled | 1.1.0 |
Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Manual, Disabled | 1.1.0 |
Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Manual, Disabled | 1.1.0 |
Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
Implement privileged access for executing vulnerability scanning activities | CMA_C1555 - Implement privileged access for executing vulnerability scanning activities | Manual, Disabled | 1.1.0 |
Incorporate flaw remediation into configuration management | CMA_C1671 - Incorporate flaw remediation into configuration management | Manual, Disabled | 1.1.0 |
Install an alarm system | CMA_0338 - Install an alarm system | Manual, Disabled | 1.1.0 |
Manage nonlocal maintenance and diagnostic activities | CMA_0364 - Manage nonlocal maintenance and diagnostic activities | Manual, Disabled | 1.1.0 |
Microsoft Managed Control 1174 - Configuration Management Policy And Procedures | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1175 - Configuration Management Policy And Procedures | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1230 - Configuration Management Plan | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1231 - Configuration Management Plan | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1232 - Configuration Management Plan | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1233 - Configuration Management Plan | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1546 - Vulnerability Scanning | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1547 - Vulnerability Scanning | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1548 - Vulnerability Scanning | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1549 - Vulnerability Scanning | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1550 - Vulnerability Scanning | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1551 - Vulnerability Scanning \| Update Tool Capability | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1552 - Vulnerability Scanning \| Update By Frequency / Prior To New Scan / When Identified | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1553 - Vulnerability Scanning \| Breadth / Depth Of Coverage | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1554 - Vulnerability Scanning \| Discoverable Information | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1555 - Vulnerability Scanning \| Privileged Access | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1556 - Vulnerability Scanning \| Automated Trend Analyses | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1557 - Vulnerability Scanning \| Review Historic Audit Logs | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1558 - Vulnerability Scanning \| Correlate Scanning Information | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1594 - Developer Configuration Management | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Microsoft Managed Control 1595 - Developer Configuration Management | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Microsoft Managed Control 1596 - Developer Configuration Management | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Microsoft Managed Control 1597 - Developer Configuration Management | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Microsoft Managed Control 1598 - Developer Configuration Management | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Microsoft Managed Control 1599 - Developer Configuration Management \| Software / Firmware Integrity Verification | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Microsoft Managed Control 1606 - Developer Security Testing And Evaluation \| Threat And Vulnerability Analyses | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
Require developers to document approved changes and potential impact | CMA_C1597 - Require developers to document approved changes and potential impact | Manual, Disabled | 1.1.0 |
Require developers to implement only approved changes | CMA_C1596 - Require developers to implement only approved changes | Manual, Disabled | 1.1.0 |
Require developers to manage change integrity | CMA_C1595 - Require developers to manage change integrity | Manual, Disabled | 1.1.0 |
Review and update configuration management policies and procedures | CMA_C1175 - Review and update configuration management policies and procedures | Manual, Disabled | 1.1.0 |
Setup subscriptions to transition to an alternative vulnerability assessment solution | Microsoft Defender for Cloud offers vulnerability scanning for your machines at no extra cost. Enabling this policy will cause Defender for Cloud to automatically propagate the findings from the built-in Microsoft Defender vulnerability management solution to all supported machines. | DeployIfNotExists, Disabled | 1.0.0-preview |
SQL databases should have vulnerability findings resolved | Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. | AuditIfNotExists, Disabled | 4.1.0 |
SQL servers on machines should have vulnerability findings resolved | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | AuditIfNotExists, Disabled | 1.0.0 |
Vulnerability assessment should be enabled on SQL Managed Instance | Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 1.0.1 |
Vulnerability assessment should be enabled on your SQL servers | Audit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 3.0.0 |
Vulnerability assessment should be enabled on your Synapse workspaces | Discover, track, and remediate potential vulnerabilities by configuring recurring SQL vulnerability assessment scans on your Synapse workspaces. | AuditIfNotExists, Disabled | 1.0.0 |
Operation
ID: ENS v1 op.exp.6 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Azure Defender for App Service should be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | AuditIfNotExists, Disabled | 1.0.3 |
Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
Azure Defender for Key Vault should be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | AuditIfNotExists, Disabled | 1.0.3 |
Azure Defender for open-source relational databases should be enabled | Azure Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more about the capabilities of Azure Defender for open-source relational databases at https://aka.ms/AzDforOpenSourceDBsDocu. Important: Enabling this plan will result in charges for protecting your open-source relational databases. Learn about the pricing on Security Center's pricing page: https://aka.ms/pricing-security-center | AuditIfNotExists, Disabled | 1.0.0 |
Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0 |
Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
Azure Defender for SQL servers on machines should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security | AuditIfNotExists, Disabled | 2.0.1 |
Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
Azure Kubernetes Service clusters should have Defender profile enabled | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks | Audit, Disabled | 2.0.1 |
Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) | Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. | AuditIfNotExists, Disabled | 1.0.1 |
Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) | Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. | AuditIfNotExists, Disabled | 1.0.1 |
Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL | Configure Windows Arc-enabled SQL Servers to automatically install the Microsoft Defender for SQL agent. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). | DeployIfNotExists, Disabled | 1.2.0 |
Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. | DeployIfNotExists, Disabled | 1.5.0 |
Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. | DeployIfNotExists, Disabled | 1.7.0 |
Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL DCR | Configure association between Arc-enabled SQL Servers and the Microsoft Defender for SQL DCR. Deleting this association will break the detection of security vulnerabilities for these Arc-enabled SQL Servers. | DeployIfNotExists, Disabled | 1.1.0 |
Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR | Configure association between Arc-enabled SQL Servers and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for these Arc-enabled SQL Servers. | DeployIfNotExists, Disabled | 1.3.0 |
Configure Azure Defender for App Service to be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | DeployIfNotExists, Disabled | 1.0.1 |
Configure Azure Defender for Azure SQL database to be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | DeployIfNotExists, Disabled | 1.0.1 |
Configure Azure Defender for open-source relational databases to be enabled | Azure Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more about the capabilities of Azure Defender for open-source relational databases at https://aka.ms/AzDforOpenSourceDBsDocu. Important: Enabling this plan will result in charges for protecting your open-source relational databases. Learn about the pricing on Security Center's pricing page: https://aka.ms/pricing-security-center | DeployIfNotExists, Disabled | 1.0.0 |
Configure Azure Defender for Resource Manager to be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | DeployIfNotExists, Disabled | 1.1.0 |
Configure Azure Defender for servers to be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | DeployIfNotExists, Disabled | 1.0.1 |
Configure Azure Defender for SQL servers on machines to be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | DeployIfNotExists, Disabled | 1.0.1 |
Configure Azure Defender to be enabled on SQL managed instances | Enable Azure Defender on your Azure SQL Managed Instances to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | DeployIfNotExists, Disabled | 2.0.0 |
Configure Azure Kubernetes Service clusters to enable Defender profile | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. | DeployIfNotExists, Disabled | 4.3.0 |
Configure basic Microsoft Defender for Storage to be enabled (Activity Monitoring only) | Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts. This policy will enable the basic Defender for Storage capabilities (Activity Monitoring). To enable full protection, which also includes On-upload Malware Scanning and Sensitive Data Threat Detection use the full enablement policy: aka.ms/DefenderForStoragePolicy. To learn more about Defender for Storage capabilities and benefits, visit aka.ms/DefenderForStorage. | DeployIfNotExists, Disabled | 1.1.0 |
Configure machines to receive a vulnerability assessment provider | Azure Defender includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center. When you enable this policy, Azure Defender automatically deploys the Qualys vulnerability assessment provider to all supported machines that don't already have it installed. | DeployIfNotExists, Disabled | 4.0.0 |
Configure Microsoft Defender CSPM to be enabled | Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud. | DeployIfNotExists, Disabled | 1.0.2 |
Configure Microsoft Defender for Azure Cosmos DB to be enabled | Microsoft Defender for Azure Cosmos DB is an Azure-native layer of security that detects attempts to exploit databases in your Azure Cosmos DB accounts. Defender for Azure Cosmos DB detects potential SQL injections, known bad actors based on Microsoft Threat Intelligence, suspicious access patterns, and potential exploitations of your database through compromised identities or malicious insiders. | DeployIfNotExists, Disabled | 1.0.0 |
Configure Microsoft Defender for Containers to be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | DeployIfNotExists, Disabled | 1.0.1 |
Configure Microsoft Defender for Key Vault plan | Microsoft Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | DeployIfNotExists, Disabled | 1.1.0 |
Configure Microsoft Defender for SQL to be enabled on Synapse workspaces | Enable Microsoft Defender for SQL on your Azure Synapse workspaces to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit SQL databases. | DeployIfNotExists, Disabled | 1.0.0 |
Configure Microsoft Defender for Storage (Classic) to be enabled | Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | DeployIfNotExists, Disabled | 1.0.2 |
Configure Microsoft Defender for Storage to be enabled | Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts. This policy will enable all Defender for Storage capabilities; Activity Monitoring, Malware Scanning and Sensitive Data Threat Detection. To learn more about Defender for Storage capabilities and benefits, visit aka.ms/DefenderForStorage. | DeployIfNotExists, Disabled | 1.4.0 |
Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL | Configure Windows SQL Virtual Machines to automatically install the Microsoft Defender for SQL extension. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). | DeployIfNotExists, Disabled | 1.5.0 |
Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. | DeployIfNotExists, Disabled | 1.7.0 |
Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. | DeployIfNotExists, Disabled | 1.8.0 |
Configure the Microsoft Defender for SQL Log Analytics workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine. | DeployIfNotExists, Disabled | 1.4.0 |
Control maintenance and repair activities | CMA_0080 - Control maintenance and repair activities | Manual, Disabled | 1.1.0 |
Deploy Defender for Storage (Classic) on storage accounts | This policy enables Defender for Storage (Classic) on storage accounts. | DeployIfNotExists, Disabled | 1.0.1 |
Deploy export to Event Hub as a trusted service for Microsoft Defender for Cloud data | Enable export to Event Hub as a trusted service of Microsoft Defender for Cloud data. This policy deploys an export to Event Hub as a trusted service configuration with your conditions and target Event Hub on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | DeployIfNotExists, Disabled | 1.0.0 |
Enable Microsoft Defender for Cloud on your subscription | Identifies existing subscriptions that aren't monitored by Microsoft Defender for Cloud and protects them with Defender for Cloud's free features. Subscriptions already monitored will be considered compliant. To register newly created subscriptions, open the compliance tab, select the relevant non-compliant assignment, and create a remediation task. | deployIfNotExists | 1.0.1 |
Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
Manage nonlocal maintenance and diagnostic activities | CMA_0364 - Manage nonlocal maintenance and diagnostic activities | Manual, Disabled | 1.1.0 |
Microsoft Defender CSPM should be enabled | Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud. | AuditIfNotExists, Disabled | 1.0.0 |
Microsoft Defender for APIs should be enabled | Microsoft Defender for APIs brings new discovery, protection, detection, & response coverage to monitor for common API based attacks & security misconfigurations. | AuditIfNotExists, Disabled | 1.0.3 |
Microsoft Defender for Azure Cosmos DB should be enabled | Microsoft Defender for Azure Cosmos DB is an Azure-native layer of security that detects attempts to exploit databases in your Azure Cosmos DB accounts. Defender for Azure Cosmos DB detects potential SQL injections, known bad actors based on Microsoft Threat Intelligence, suspicious access patterns, and potential exploitations of your database through compromised identities or malicious insiders. | AuditIfNotExists, Disabled | 1.0.0 |
Microsoft Defender for Containers should be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | AuditIfNotExists, Disabled | 1.0.0 |
Microsoft Defender for SQL should be enabled for unprotected Synapse workspaces | Enable Defender for SQL to protect your Synapse workspaces. Defender for SQL monitors your Synapse SQL to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | AuditIfNotExists, Disabled | 1.0.0 |
Microsoft Defender for SQL status should be protected for Arc-enabled SQL Servers | Microsoft Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, discovering and classifying sensitive data. Once enabled, the protection status indicates that the resource is actively monitored. Even when Defender is enabled, multiple configuration settings should be validated on the agent, machine, workspace and SQL server to ensure active protection. | Audit, Disabled | 1.0.1 |
Microsoft Defender for Storage should be enabled | Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. | AuditIfNotExists, Disabled | 1.0.0 |
Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
Provide periodic security awareness training | CMA_C1091 - Provide periodic security awareness training | Manual, Disabled | 1.1.0 |
Provide security training for new users | CMA_0419 - Provide security training for new users | Manual, Disabled | 1.1.0 |
Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
Setup subscriptions to transition to an alternative vulnerability assessment solution | Microsoft Defender for Cloud offers vulnerability scanning for your machines at no extra cost. Enabling this policy will cause Defender for Cloud to automatically propagate the findings from the built-in Microsoft Defender vulnerability management solution to all supported machines. | DeployIfNotExists, Disabled | 1.0.0-preview |
Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
Windows Defender Exploit Guard should be enabled on your machines | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | AuditIfNotExists, Disabled | 2.0.0 |
Windows machines should configure Windows Defender to update protection signatures within one day | To provide adequate protection against newly released malware, Windows Defender protection signatures need to be updated regularly to account for newly released malware. This policy is not applied to Arc connected servers and it requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For more information on Guest Configuration, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 1.0.1 |
Windows machines should enable Windows Defender Real-time protection | Windows machines should enable the Real-time protection in the Windows Defender to provide adequate protection against newly released malware. This policy is not applicable to arc connected servers and it requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For more information on Guest Configuration, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 1.0.1 |
Operation
ID: ENS v1 op.exp.7 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Address information security issues | CMA_C1742 - Address information security issues | Manual, Disabled | 1.1.0 |
Adhere to retention periods defined | CMA_0004 - Adhere to retention periods defined | Manual, Disabled | 1.1.0 |
App Service apps should have resource logs enabled | Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. | AuditIfNotExists, Disabled | 2.0.1 |
Assess information security events | CMA_0013 - Assess information security events | Manual, Disabled | 1.1.0 |
Check for privacy and security compliance before establishing internal connections | CMA_0053 - Check for privacy and security compliance before establishing internal connections | Manual, Disabled | 1.1.0 |
Conduct incident response testing | CMA_0060 - Conduct incident response testing | Manual, Disabled | 1.1.0 |
Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
Correlate audit records | CMA_0087 - Correlate audit records | Manual, Disabled | 1.1.0 |
Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
Develop security safeguards | CMA_0161 - Develop security safeguards | Manual, Disabled | 1.1.0 |
Discover any indicators of compromise | CMA_C1702 - Discover any indicators of compromise | Manual, Disabled | 1.1.0 |
Disseminate security alerts to personnel | CMA_C1705 - Disseminate security alerts to personnel | Manual, Disabled | 1.1.0 |
Document security operations | CMA_0202 - Document security operations | Manual, Disabled | 1.1.0 |
Email notification for high severity alerts should be enabled | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 1.2.0 |
Email notification to subscription owner for high severity alerts should be enabled | To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 2.1.0 |
Enable network protection | CMA_0238 - Enable network protection | Manual, Disabled | 1.1.0 |
Eradicate contaminated information | CMA_0253 - Eradicate contaminated information | Manual, Disabled | 1.1.0 |
Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
Establish a threat intelligence program | CMA_0260 - Establish a threat intelligence program | Manual, Disabled | 1.1.0 |
Establish relationship between incident response capability and external providers | CMA_C1376 - Establish relationship between incident response capability and external providers | Manual, Disabled | 1.1.0 |
Establish requirements for audit review and reporting | CMA_0277 - Establish requirements for audit review and reporting | Manual, Disabled | 1.1.0 |
Execute actions in response to information spills | CMA_0281 - Execute actions in response to information spills | Manual, Disabled | 1.1.0 |
Generate internal security alerts | CMA_C1704 - Generate internal security alerts | Manual, Disabled | 1.1.0 |
Identify incident response personnel | CMA_0301 - Identify incident response personnel | Manual, Disabled | 1.1.0 |
Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |
Implement Incident handling capability | CMA_C1367 - Implement Incident handling capability | Manual, Disabled | 1.1.0 |
Implement security directives | CMA_C1706 - Implement security directives | Manual, Disabled | 1.1.0 |
Incorporate flaw remediation into configuration management | CMA_C1671 - Incorporate flaw remediation into configuration management | Manual, Disabled | 1.1.0 |
Integrate audit review, analysis, and reporting | CMA_0339 - Integrate audit review, analysis, and reporting | Manual, Disabled | 1.1.0 |
Integrate cloud app security with a siem | CMA_0340 - Integrate cloud app security with a siem | Manual, Disabled | 1.1.0 |
Isolate SecurID systems, Security Incident Management systems | CMA_C1636 - Isolate SecurID systems, Security Incident Management systems | Manual, Disabled | 1.1.0 |
Kubernetes cluster containers should only use allowed images | Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 9.3.0 |
Maintain incident response plan | CMA_0352 - Maintain incident response plan | Manual, Disabled | 1.1.0 |
Manage contacts for authorities and special interest groups | CMA_0359 - Manage contacts for authorities and special interest groups | Manual, Disabled | 1.1.0 |
Microsoft Managed Control 1351 - Incident Response Policy And Procedures | Microsoft implements this Incident Response control | audit | 1.0.0 |
Microsoft Managed Control 1352 - Incident Response Policy And Procedures | Microsoft implements this Incident Response control | audit | 1.0.0 |
Microsoft Managed Control 1353 - Incident Response Training | Microsoft implements this Incident Response control | audit | 1.0.0 |
Microsoft Managed Control 1354 - Incident Response Training | Microsoft implements this Incident Response control | audit | 1.0.0 |
Microsoft Managed Control 1355 - Incident Response Training | Microsoft implements this Incident Response control | audit | 1.0.0 |
Microsoft Managed Control 1356 - Incident Response Training \| Simulated Events | Microsoft implements this Incident Response control | audit | 1.0.0 |
Microsoft Managed Control 1357 - Incident Response Training \| Automated Training Environments | Microsoft implements this Incident Response control | audit | 1.0.0 |
Microsoft Managed Control 1358 - Incident Response Testing | Microsoft implements this Incident Response control | audit | 1.0.0 |
Microsoft Managed Control 1359 - Incident Response Testing \| Coordination With Related Plans | Microsoft implements this Incident Response control | audit | 1.0.0 |
Microsoft Managed Control 1360 - Incident Handling | Microsoft implements this Incident Response control | audit | 1.0.0 |
Microsoft Managed Control 1361 - Incident Handling | Microsoft implements this Incident Response control | audit | 1.0.0 |
Microsoft Managed Control 1362 - Incident Handling | Microsoft implements this Incident Response control | audit | 1.0.0 |
Microsoft Managed Control 1363 - Incident Handling \| Automated Incident Handling Processes | Microsoft implements this Incident Response control | audit | 1.0.0 |
Microsoft Managed Control 1364 - Incident Handling \| Dynamic Reconfiguration | Microsoft implements this Incident Response control | audit | 1.0.0 |
Microsoft Managed Control 1365 - Incident Handling \| Continuity Of Operations | Microsoft implements this Incident Response control | audit | 1.0.0 |
Microsoft Managed Control 1366 - Incident Handling \| Information Correlation | Microsoft implements this Incident Response control | audit | 1.0.0 |
Microsoft Managed Control 1367 - Incident Handling \| Insider Threats - Specific Capabilities | Microsoft implements this Incident Response control | audit | 1.0.0 |
Microsoft Managed Control 1368 - Incident Handling \| Correlation With External Organizations | Microsoft implements this Incident Response control | audit | 1.0.0 |
Microsoft Managed Control 1369 - Incident Monitoring | Microsoft implements this Incident Response control | audit | 1.0.0 |
Microsoft Managed Control 1370 - Incident Monitoring \| Automated Tracking / Data Collection / Analysis | Microsoft implements this Incident Response control | audit | 1.0.0 |
Microsoft Managed Control 1371 - Incident Reporting | Microsoft implements this Incident Response control | audit | 1.0.0 |
Microsoft Managed Control 1372 - Incident Reporting | Microsoft implements this Incident Response control | audit | 1.0.0 |
Microsoft Managed Control 1373 - Incident Reporting \| Automated Reporting | Microsoft implements this Incident Response control | audit | 1.0.0 |
Microsoft Managed Control 1374 - Incident Response Assistance | Microsoft implements this Incident Response control | audit | 1.0.0 |
Microsoft Managed Control 1375 - Incident Response Assistance \| Automation Support For Availability Of Information / Support | Microsoft implements this Incident Response control | audit | 1.0.0 |
Microsoft Managed Control 1376 - Incident Response Assistance \| Coordination With External Providers | Microsoft implements this Incident Response control | audit | 1.0.0 |
Microsoft Managed Control 1377 - Incident Response Assistance \| Coordination With External Providers | Microsoft implements this Incident Response control | audit | 1.0.0 |
Microsoft Managed Control 1378 - Incident Response Plan | Microsoft implements this Incident Response control | audit | 1.0.0 |
Microsoft Managed Control 1379 - Incident Response Plan | Microsoft implements this Incident Response control | audit | 1.0.0 |
Microsoft Managed Control 1380 - Incident Response Plan | Microsoft implements this Incident Response control | audit | 1.0.0 |
Microsoft Managed Control 1381 - Incident Response Plan | Microsoft implements this Incident Response control | audit | 1.0.0 |
Microsoft Managed Control 1382 - Incident Response Plan | Microsoft implements this Incident Response control | audit | 1.0.0 |
Microsoft Managed Control 1383 - Incident Response Plan | Microsoft implements this Incident Response control | audit | 1.0.0 |
Microsoft Managed Control 1384 - Information Spillage Response | Microsoft implements this Incident Response control | audit | 1.0.0 |
Microsoft Managed Control 1385 - Information Spillage Response | Microsoft implements this Incident Response control | audit | 1.0.0 |
Microsoft Managed Control 1386 - Information Spillage Response | Microsoft implements this Incident Response control | audit | 1.0.0 |
Microsoft Managed Control 1387 - Information Spillage Response | Microsoft implements this Incident Response control | audit | 1.0.0 |
Microsoft Managed Control 1388 - Information Spillage Response | Microsoft implements this Incident Response control | audit | 1.0.0 |
Microsoft Managed Control 1389 - Information Spillage Response | Microsoft implements this Incident Response control | audit | 1.0.0 |
Microsoft Managed Control 1390 - Information Spillage Response \| Responsible Personnel | Microsoft implements this Incident Response control | audit | 1.0.0 |
Microsoft Managed Control 1391 - Information Spillage Response \| Training | Microsoft implements this Incident Response control | audit | 1.0.0 |
Microsoft Managed Control 1392 - Information Spillage Response \| Post-Spill Operations | Microsoft implements this Incident Response control | audit | 1.0.0 |
Microsoft Managed Control 1393 - Information Spillage Response \| Exposure To Unauthorized Personnel | Microsoft implements this Incident Response control | audit | 1.0.0 |
Microsoft Managed Control 1728 - Incident Handling | Microsoft implements this Incident Response control | audit | 1.0.0 |
Microsoft Managed Control 1856 - Privacy Incident Response | Microsoft implements this Security control | audit | 1.0.0 |
Microsoft Managed Control 1857 - Privacy Incident Response | Microsoft implements this Security control | audit | 1.0.0 |
Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
Protect incident response plan | CMA_0405 - Protect incident response plan | Manual, Disabled | 1.1.0 |
Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
Report atypical behavior of user accounts | CMA_C1025 - Report atypical behavior of user accounts | Manual, Disabled | 1.1.0 |
Resource logs in Azure Key Vault Managed HSM should be enabled | To recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised, you may want to audit by enabling resource logs on Managed HSMs. Please follow the instructions here: https://docs.microsoft.com/azure/key-vault/managed-hsm/logging. | AuditIfNotExists, Disabled | 1.1.0 |
Resource logs in Azure Machine Learning Workspaces should be enabled | Resource logs enable recreating activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 1.0.1 |
Resource logs in Event Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
Resource logs in Key Vault should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
Resource logs in Search services should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
Retain security policies and procedures | CMA_0454 - Retain security policies and procedures | Manual, Disabled | 1.1.0 |
Retain terminated user data | CMA_0455 - Retain terminated user data | Manual, Disabled | 1.1.0 |
Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
Review administrator assignments weekly | CMA_0461 - Review administrator assignments weekly | Manual, Disabled | 1.1.0 |
Review and update incident response policies and procedures | CMA_C1352 - Review and update incident response policies and procedures | Manual, Disabled | 1.1.0 |
Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
Review cloud identity report overview | CMA_0468 - Review cloud identity report overview | Manual, Disabled | 1.1.0 |
Review controlled folder access events | CMA_0471 - Review controlled folder access events | Manual, Disabled | 1.1.0 |
Review file and folder activity | CMA_0473 - Review file and folder activity | Manual, Disabled | 1.1.0 |
Review role group changes weekly | CMA_0476 - Review role group changes weekly | Manual, Disabled | 1.1.0 |
SQL servers with auditing to storage account destination should be configured with 90 days retention or higher | For incident investigation purposes, we recommend setting the data retention for your SQL Server' auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards. | AuditIfNotExists, Disabled | 3.0.0 |
Subscriptions should have a contact email address for security issues | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. | AuditIfNotExists, Disabled | 1.0.1 |
View and investigate restricted users | CMA_0545 - View and investigate restricted users | Manual, Disabled | 1.1.0 |
Operation
ID: ENS v1 op.exp.8 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
[Preview]: Log Analytics Extension should be enabled for listed virtual machine images | Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. | AuditIfNotExists, Disabled | 2.0.1-preview |
Adhere to retention periods defined | CMA_0004 - Adhere to retention periods defined | Manual, Disabled | 1.1.0 |
Alert personnel of information spillage | CMA_0007 - Alert personnel of information spillage | Manual, Disabled | 1.1.0 |
App Service app slots should have resource logs enabled | Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. | AuditIfNotExists, Disabled | 1.0.0 |
Audit diagnostic setting for selected resource types | Audit diagnostic setting for selected resource types. Be sure to select only resource types which support diagnostics settings. | AuditIfNotExists | 2.0.1 |
Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | AuditIfNotExists, Disabled | 2.0.0 |
Authorize, monitor, and control voip | CMA_0025 - Authorize, monitor, and control voip | Manual, Disabled | 1.1.0 |
Automate account management | CMA_0026 - Automate account management | Manual, Disabled | 1.1.0 |
Azure SignalR Service should enable diagnostic logs | Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 1.0.0 |
Azure Web PubSub Service should enable diagnostic logs | Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 1.0.0 |
Check for privacy and security compliance before establishing internal connections | CMA_0053 - Check for privacy and security compliance before establishing internal connections | Manual, Disabled | 1.1.0 |
Compile Audit records into system wide audit | CMA_C1140 - Compile Audit records into system wide audit | Manual, Disabled | 1.1.0 |
Conduct a full text analysis of logged privileged commands | CMA_0056 - Conduct a full text analysis of logged privileged commands | Manual, Disabled | 1.1.0 |
Configure Azure Audit capabilities | CMA_C1108 - Configure Azure Audit capabilities | Manual, Disabled | 1.1.1 |
Correlate audit records | CMA_0087 - Correlate audit records | Manual, Disabled | 1.1.0 |
Dependency agent should be enabled for listed virtual machine images | Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated. | AuditIfNotExists, Disabled | 2.0.0 |
Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images | Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated. | AuditIfNotExists, Disabled | 2.0.0 |
Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
Discover any indicators of compromise | CMA_C1702 - Discover any indicators of compromise | Manual, Disabled | 1.1.0 |
Document the legal basis for processing personal information | CMA_0206 - Document the legal basis for processing personal information | Manual, Disabled | 1.1.0 |
Enable dual or joint authorization | CMA_0226 - Enable dual or joint authorization | Manual, Disabled | 1.1.0 |
Enforce and audit access restrictions | CMA_C1203 - Enforce and audit access restrictions | Manual, Disabled | 1.1.0 |
Establish requirements for audit review and reporting | CMA_0277 - Establish requirements for audit review and reporting | Manual, Disabled | 1.1.0 |
Implement methods for consumer requests | CMA_0319 - Implement methods for consumer requests | Manual, Disabled | 1.1.0 |
Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
Integrate audit review, analysis, and reporting | CMA_0339 - Integrate audit review, analysis, and reporting | Manual, Disabled | 1.1.0 |
Integrate cloud app security with a siem | CMA_0340 - Integrate cloud app security with a siem | Manual, Disabled | 1.1.0 |
Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images | Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. | AuditIfNotExists, Disabled | 2.0.1 |
Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
Manage system and admin accounts | CMA_0368 - Manage system and admin accounts | Manual, Disabled | 1.1.0 |
Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
Monitor account activity | CMA_0377 - Monitor account activity | Manual, Disabled | 1.1.0 |
Monitor privileged role assignment | CMA_0378 - Monitor privileged role assignment | Manual, Disabled | 1.1.0 |
Notify when account is not needed | CMA_0383 - Notify when account is not needed | Manual, Disabled | 1.1.0 |
Obtain legal opinion for monitoring system activities | CMA_C1688 - Obtain legal opinion for monitoring system activities | Manual, Disabled | 1.1.0 |
Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
Protect audit information | CMA_0401 - Protect audit information | Manual, Disabled | 1.1.0 |
Provide monitoring information as needed | CMA_C1689 - Provide monitoring information as needed | Manual, Disabled | 1.1.0 |
Publish access procedures in SORNs | CMA_C1848 - Publish access procedures in SORNs | Manual, Disabled | 1.1.0 |
Publish rules and regulations accessing Privacy Act records | CMA_C1847 - Publish rules and regulations accessing Privacy Act records | Manual, Disabled | 1.1.0 |
Resource logs in Azure Kubernetes Service should be enabled | Azure Kubernetes Service's resource logs can help recreate activity trails when investigating security incidents. Enable it to make sure the logs will exist when needed | AuditIfNotExists, Disabled | 1.0.0 |
Resource logs in Azure Stream Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
Resource logs in Batch accounts should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
Resource logs in Data Lake Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
Resource logs in IoT Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 3.1.0 |
Resource logs in Service Bus should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
Retain security policies and procedures | CMA_0454 - Retain security policies and procedures | Manual, Disabled | 1.1.0 |
Retain terminated user data | CMA_0455 - Retain terminated user data | Manual, Disabled | 1.1.0 |
Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
Review administrator assignments weekly | CMA_0461 - Review administrator assignments weekly | Manual, Disabled | 1.1.0 |
Review and update the events defined in AU-02 | CMA_C1106 - Review and update the events defined in AU-02 | Manual, Disabled | 1.1.0 |
Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
Review changes for any unauthorized changes | CMA_C1204 - Review changes for any unauthorized changes | Manual, Disabled | 1.1.0 |
Review cloud identity report overview | CMA_0468 - Review cloud identity report overview | Manual, Disabled | 1.1.0 |
Review controlled folder access events | CMA_0471 - Review controlled folder access events | Manual, Disabled | 1.1.0 |
Review file and folder activity | CMA_0473 - Review file and folder activity | Manual, Disabled | 1.1.0 |
Review role group changes weekly | CMA_0476 - Review role group changes weekly | Manual, Disabled | 1.1.0 |
Revoke privileged roles as appropriate | CMA_0483 - Revoke privileged roles as appropriate | Manual, Disabled | 1.1.0 |
Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
Set automated notifications for new and trending cloud applications in your organization | CMA_0495 - Set automated notifications for new and trending cloud applications in your organization | Manual, Disabled | 1.1.0 |
Synapse workspaces with SQL auditing to storage account destination should be configured with 90 days retention or higher | For incident investigation purposes, we recommend setting the data retention for your Synapse workspace' SQL auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards. | AuditIfNotExists, Disabled | 2.0.0 |
Use privileged identity management | CMA_0533 - Use privileged identity management | Manual, Disabled | 1.1.0 |
Use system clocks for audit records | CMA_0535 - Use system clocks for audit records | Manual, Disabled | 1.1.0 |
Operation
ID: ENS v1 op.exp.9 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Adhere to retention periods defined | CMA_0004 - Adhere to retention periods defined | Manual, Disabled | 1.1.0 |
Assess information security events | CMA_0013 - Assess information security events | Manual, Disabled | 1.1.0 |
Check for privacy and security compliance before establishing internal connections | CMA_0053 - Check for privacy and security compliance before establishing internal connections | Manual, Disabled | 1.1.0 |
Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
Correlate audit records | CMA_0087 - Correlate audit records | Manual, Disabled | 1.1.0 |
Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
Develop security safeguards | CMA_0161 - Develop security safeguards | Manual, Disabled | 1.1.0 |
Discover any indicators of compromise | CMA_C1702 - Discover any indicators of compromise | Manual, Disabled | 1.1.0 |
Document security operations | CMA_0202 - Document security operations | Manual, Disabled | 1.1.0 |
Enable network protection | CMA_0238 - Enable network protection | Manual, Disabled | 1.1.0 |
Eradicate contaminated information | CMA_0253 - Eradicate contaminated information | Manual, Disabled | 1.1.0 |
Establish requirements for audit review and reporting | CMA_0277 - Establish requirements for audit review and reporting | Manual, Disabled | 1.1.0 |
Execute actions in response to information spills | CMA_0281 - Execute actions in response to information spills | Manual, Disabled | 1.1.0 |
Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |
Integrate audit review, analysis, and reporting | CMA_0339 - Integrate audit review, analysis, and reporting | Manual, Disabled | 1.1.0 |
Integrate cloud app security with a siem | CMA_0340 - Integrate cloud app security with a siem | Manual, Disabled | 1.1.0 |
Maintain incident response plan | CMA_0352 - Maintain incident response plan | Manual, Disabled | 1.1.0 |
Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
Report atypical behavior of user accounts | CMA_C1025 - Report atypical behavior of user accounts | Manual, Disabled | 1.1.0 |
Retain security policies and procedures | CMA_0454 - Retain security policies and procedures | Manual, Disabled | 1.1.0 |
Retain terminated user data | CMA_0455 - Retain terminated user data | Manual, Disabled | 1.1.0 |
Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
Review administrator assignments weekly | CMA_0461 - Review administrator assignments weekly | Manual, Disabled | 1.1.0 |
Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
Review cloud identity report overview | CMA_0468 - Review cloud identity report overview | Manual, Disabled | 1.1.0 |
Review controlled folder access events | CMA_0471 - Review controlled folder access events | Manual, Disabled | 1.1.0 |
Review file and folder activity | CMA_0473 - Review file and folder activity | Manual, Disabled | 1.1.0 |
Review role group changes weekly | CMA_0476 - Review role group changes weekly | Manual, Disabled | 1.1.0 |
View and investigate restricted users | CMA_0545 - View and investigate restricted users | Manual, Disabled | 1.1.0 |
External resources
ID: ENS v1 op.ext.1 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Assess risk in third party relationships | CMA_0014 - Assess risk in third party relationships | Manual, Disabled | 1.1.0 |
Check for privacy and security compliance before establishing internal connections | CMA_0053 - Check for privacy and security compliance before establishing internal connections | Manual, Disabled | 1.1.0 |
Define and document government oversight | CMA_C1587 - Define and document government oversight | Manual, Disabled | 1.1.0 |
Define requirements for supplying goods and services | CMA_0126 - Define requirements for supplying goods and services | Manual, Disabled | 1.1.0 |
Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
Develop organization code of conduct policy | CMA_0159 - Develop organization code of conduct policy | Manual, Disabled | 1.1.0 |
Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Establish policies for supply chain risk management | CMA_0275 - Establish policies for supply chain risk management | Manual, Disabled | 1.1.0 |
Identify external service providers | CMA_C1591 - Identify external service providers | Manual, Disabled | 1.1.0 |
Implement privacy notice delivery methods | CMA_0324 - Implement privacy notice delivery methods | Manual, Disabled | 1.1.0 |
Obtain consent prior to collection or processing of personal data | CMA_0385 - Obtain consent prior to collection or processing of personal data | Manual, Disabled | 1.1.0 |
Prohibit unfair practices | CMA_0396 - Prohibit unfair practices | Manual, Disabled | 1.1.0 |
Provide privacy notice | CMA_0414 - Provide privacy notice | Manual, Disabled | 1.1.0 |
Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0 |
Require interconnection security agreements | CMA_C1151 - Require interconnection security agreements | Manual, Disabled | 1.1.0 |
Review and sign revised rules of behavior | CMA_0465 - Review and sign revised rules of behavior | Manual, Disabled | 1.1.0 |
Review and update personnel security policies and procedures | CMA_C1507 - Review and update personnel security policies and procedures | Manual, Disabled | 1.1.0 |
Review and update system and services acquisition policies and procedures | CMA_C1560 - Review and update system and services acquisition policies and procedures | Manual, Disabled | 1.1.0 |
Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Manual, Disabled | 1.1.0 |
Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
Update interconnection security agreements | CMA_0519 - Update interconnection security agreements | Manual, Disabled | 1.1.0 |
Update rules of behavior and access agreements | CMA_0521 - Update rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Update rules of behavior and access agreements every 3 years | CMA_0522 - Update rules of behavior and access agreements every 3 years | Manual, Disabled | 1.1.0 |
External resources
ID: ENS v1 op.ext.2 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define and document government oversight | CMA_C1587 - Define and document government oversight | Manual, Disabled | 1.1.0 |
Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0 |
Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Manual, Disabled | 1.1.0 |
Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
External resources
ID: ENS v1 op.ext.3 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Establish policies for supply chain risk management | CMA_0275 - Establish policies for supply chain risk management | Manual, Disabled | 1.1.0 |
Microsoft Managed Control 1608 - Supply Chain Protection | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
External resources
ID: ENS v1 op.ext.4 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 |
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 |
Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
All network ports should be restricted on network security groups associated to your virtual machine | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | AuditIfNotExists, Disabled | 3.0.0 |
Audit Linux machines that allow remote connections from accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they allow remote connections from accounts without passwords. | AuditIfNotExists, Disabled | 3.1.0 |
Audit Linux machines that have accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they have accounts without passwords. | AuditIfNotExists, Disabled | 3.1.0 |
Audit VMs that do not use managed disks | This policy audits VMs that do not use managed disks | audit | 1.0.0 |
Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0 |
Automate account management | CMA_0026 - Automate account management | Manual, Disabled | 1.1.0 |
Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
Define and document government oversight | CMA_C1587 - Define and document government oversight | Manual, Disabled | 1.1.0 |
Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 3.1.0 |
Design an access control model | CMA_0129 - Design an access control model | Manual, Disabled | 1.1.0 |
Document and implement wireless access guidelines | CMA_0190 - Document and implement wireless access guidelines | Manual, Disabled | 1.1.0 |
Document mobility training | CMA_0191 - Document mobility training | Manual, Disabled | 1.1.0 |
Document remote access guidelines | CMA_0196 - Document remote access guidelines | Manual, Disabled | 1.1.0 |
Employ boundary protection to isolate information systems | CMA_C1639 - Employ boundary protection to isolate information systems | Manual, Disabled | 1.1.0 |
Employ flow control mechanisms of encrypted information | CMA_0211 - Employ flow control mechanisms of encrypted information | Manual, Disabled | 1.1.0 |
Employ least privilege access | CMA_0212 - Employ least privilege access | Manual, Disabled | 1.1.0 |
Enable detection of network devices | CMA_0220 - Enable detection of network devices | Manual, Disabled | 1.1.0 |
Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
Enforce user uniqueness | CMA_0250 - Enforce user uniqueness | Manual, Disabled | 1.1.0 |
Establish electronic signature and certificate requirements | CMA_0271 - Establish electronic signature and certificate requirements | Manual, Disabled | 1.1.0 |
Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
Establish terms and conditions for accessing resources | CMA_C1076 - Establish terms and conditions for accessing resources | Manual, Disabled | 1.1.0 |
Establish terms and conditions for processing resources | CMA_C1077 - Establish terms and conditions for processing resources | Manual, Disabled | 1.1.0 |
Identify actions allowed without authentication | CMA_0295 - Identify actions allowed without authentication | Manual, Disabled | 1.1.0 |
Identify and authenticate network devices | CMA_0296 - Identify and authenticate network devices | Manual, Disabled | 1.1.0 |
Identify and authenticate non-organizational users | CMA_C1346 - Identify and authenticate non-organizational users | Manual, Disabled | 1.1.0 |
Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
Implement a fault tolerant name/address service | CMA_0305 - Implement a fault tolerant name/address service | Manual, Disabled | 1.1.0 |
Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Manual, Disabled | 1.1.0 |
Implement managed interface for each external service | CMA_C1626 - Implement managed interface for each external service | Manual, Disabled | 1.1.0 |
Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
Information flow control using security policy filters | CMA_C1029 - Information flow control using security policy filters | Manual, Disabled | 1.1.0 |
Manage system and admin accounts | CMA_0368 - Manage system and admin accounts | Manual, Disabled | 1.1.0 |
Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
Notify users of system logon or access | CMA_0382 - Notify users of system logon or access | Manual, Disabled | 1.1.0 |
Notify when account is not needed | CMA_0383 - Notify when account is not needed | Manual, Disabled | 1.1.0 |
Prevent split tunneling for remote devices | CMA_C1632 - Prevent split tunneling for remote devices | Manual, Disabled | 1.1.0 |
Produce, control and distribute asymmetric cryptographic keys | CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys | Manual, Disabled | 1.1.0 |
Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
Protect wireless access | CMA_0411 - Protect wireless access | Manual, Disabled | 1.1.0 |
Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
Provide secure name and address resolution services | CMA_0416 - Provide secure name and address resolution services | Manual, Disabled | 1.1.0 |
Reauthenticate or terminate a user session | CMA_0421 - Reauthenticate or terminate a user session | Manual, Disabled | 1.1.0 |
Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0 |
Require interconnection security agreements | CMA_C1151 - Require interconnection security agreements | Manual, Disabled | 1.1.0 |
Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Manual, Disabled | 1.1.0 |
Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
Separate user and information system management functionality | CMA_0493 - Separate user and information system management functionality | Manual, Disabled | 1.1.0 |
Set automated notifications for new and trending cloud applications in your organization | CMA_0495 - Set automated notifications for new and trending cloud applications in your organization | Manual, Disabled | 1.1.0 |
Storage accounts should be migrated to new Azure Resource Manager resources | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Audit, Deny, Disabled | 1.0.0 |
Support personal verification credentials issued by legal authorities | CMA_0507 - Support personal verification credentials issued by legal authorities | Manual, Disabled | 1.1.0 |
Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
Update interconnection security agreements | CMA_0519 - Update interconnection security agreements | Manual, Disabled | 1.1.0 |
Use dedicated machines for administrative tasks | CMA_0527 - Use dedicated machines for administrative tasks | Manual, Disabled | 1.1.0 |
Verify security controls for external information systems | CMA_0541 - Verify security controls for external information systems | Manual, Disabled | 1.1.0 |
Virtual machines should be migrated to new Azure Resource Manager resources | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Audit, Deny, Disabled | 1.0.0 |
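
The two Guest Configuration rows in this table, "Audit Linux machines that have accounts without passwords" and "Audit Linux machines that allow remote connections from accounts without passwords", are in-guest checks rather than ARM-level ones, which is why they need the managed identity and extension rows that precede them. The following is an added example, not content from this page and not Microsoft's Guest Configuration code, reconstructing what those two checks look at: an empty password field in `/etc/shadow`, and, for the remote variant, an sshd configuration whose effective `PasswordAuthentication` and `PermitEmptyPasswords` values would let such an account log in over SSH. The exact logic of the published audit is an assumption here, and the sample `/etc/shadow` and `sshd_config` contents are constructed.

```python
# Offline reconstruction of the two in-guest checks behind "Audit Linux machines
# that have accounts without passwords" and "... that allow remote connections
# from accounts without passwords". Editor's example, not the Guest
# Configuration agent's code. Assumption: the first check is an empty password
# field in /etc/shadow; the second additionally requires sshd to accept password
# logins (PasswordAuthentication yes) with PermitEmptyPasswords yes.


def accounts_without_passwords(shadow_text):
    """Login names whose /etc/shadow password field (field 2) is empty.
    '*' or '!' means locked, a hash means a password is set, and an empty
    string means no password is required at all."""
    found = []
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] == "":
            found.append(fields[0])
    return found


def sshd_global_directive(config_text, keyword, default):
    """Effective global value of an sshd_config keyword. sshd uses the first
    uncommented occurrence of a keyword; directives after a 'Match' line are
    conditional and are ignored here."""
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "match":
            break
        if parts[0].lower() == keyword.lower() and len(parts) == 2:
            return parts[1].strip().lower()
    return default


def audit(shadow_text, sshd_config_text):
    """Findings the two policies would report for one machine."""
    empty = accounts_without_passwords(shadow_text)
    # sshd defaults: PasswordAuthentication yes, PermitEmptyPasswords no
    remote_ok = (sshd_global_directive(sshd_config_text, "PasswordAuthentication", "yes") == "yes"
                 and sshd_global_directive(sshd_config_text, "PermitEmptyPasswords", "no") == "yes")
    return {
        "accounts_without_passwords": empty,
        "remote_login_without_password": empty if remote_ok else [],
        "local_check_compliant": not empty,
        "remote_check_compliant": not (empty and remote_ok),
    }


# Constructed sample files (not taken from any real host).
SAMPLE_SHADOW = """\
root:$6$rounds=656000$salt$hashhashhash:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
sshd:!:19700:0:99999:7:::
deploy::19700:0:99999:7:::
svc-backup::19700:0:99999:7:::
"""
SAMPLE_SSHD_CONFIG = """\
# PermitEmptyPasswords no   (commented out, so it does not count)
PasswordAuthentication yes
PermitEmptyPasswords yes
Match Address 10.0.0.0/8
    PermitEmptyPasswords no
"""
```

`audit(SAMPLE_SHADOW, SAMPLE_SSHD_CONFIG)` reports `deploy` and `svc-backup` under both findings; changing the sample config to `PasswordAuthentication no` clears the remote finding but not the local one, which is why the initiative carries both policies. Both policies only audit: setting or locking the password (`passwd -l`) is a separate remediation step.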
System monitoring
ID: ENS v1 op.mon.1 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
All flow log resources should be in enabled state | Audit flow log resources to verify that the flow log status is enabled. Enabling flow logs records information about IP traffic flows. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. | Audit, Disabled | 1.0.1 |
Audit flow logs configuration for every virtual network | Audit virtual networks to verify that flow logs are configured. Enabling flow logs records information about IP traffic flowing through the virtual network. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. | Audit, Disabled | 1.0.1 |
Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0 |
Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
Define and document government oversight | CMA_C1587 - Define and document government oversight | Manual, Disabled | 1.1.0 |
Define mobile device requirements | CMA_0122 - Define mobile device requirements | Manual, Disabled | 1.1.0 |
Document and implement wireless access guidelines | CMA_0190 - Document and implement wireless access guidelines | Manual, Disabled | 1.1.0 |
Document mobility training | CMA_0191 - Document mobility training | Manual, Disabled | 1.1.0 |
Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
Document remote access guidelines | CMA_0196 - Document remote access guidelines | Manual, Disabled | 1.1.0 |
Employ flow control mechanisms of encrypted information | CMA_0211 - Employ flow control mechanisms of encrypted information | Manual, Disabled | 1.1.0 |
Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
Establish terms and conditions for accessing resources | CMA_C1076 - Establish terms and conditions for accessing resources | Manual, Disabled | 1.1.0 |
Establish terms and conditions for processing resources | CMA_C1077 - Establish terms and conditions for processing resources | Manual, Disabled | 1.1.0 |
Explicitly notify use of collaborative computing devices | CMA_C1649 - Explicitly notify use of collaborative computing devices | Manual, Disabled | 1.1.1 |
Flow logs should be configured for every network security group | Audit network security groups to verify that flow logs are configured. Enabling flow logs records information about IP traffic flowing through the network security group. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. | Audit, Disabled | 1.1.0 |
Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
Identify external service providers | CMA_C1591 - Identify external service providers | Manual, Disabled | 1.1.0 |
Implement a fault tolerant name/address service | CMA_0305 - Implement a fault tolerant name/address service | Manual, Disabled | 1.1.0 |
Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Manual, Disabled | 1.1.0 |
Implement managed interface for each external service | CMA_C1626 - Implement managed interface for each external service | Manual, Disabled | 1.1.0 |
Implement privacy notice delivery methods | CMA_0324 - Implement privacy notice delivery methods | Manual, Disabled | 1.1.0 |
Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
Information flow control using security policy filters | CMA_C1029 - Information flow control using security policy filters | Manual, Disabled | 1.1.0 |
Microsoft Managed Control 1464 - Monitoring Physical Access \| Intrusion Alarms / Surveillance Equipment | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
Microsoft Managed Control 1690 - Information System Monitoring \| System-Wide Intrusion Detection System | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
Microsoft Managed Control 1695 - Information System Monitoring \| Wireless Intrusion Detection | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
Microsoft Managed Control 1829 - Data Integrity And Data Integrity Board \| Publish Agreements on Website | Microsoft implements this Data Quality and Integrity control | audit | 1.0.0 |
Microsoft Managed Control 1865 - System of Records Notices And Privacy Act Statements \| Public Website Publication | Microsoft implements this Transparency control | audit | 1.0.0 |
Obtain consent prior to collection or processing of personal data | CMA_0385 - Obtain consent prior to collection or processing of personal data | Manual, Disabled | 1.1.0 |
Produce, control and distribute asymmetric cryptographic keys | CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys | Manual, Disabled | 1.1.0 |
Prohibit remote activation of collaborative computing devices | CMA_C1648 - Prohibit remote activation of collaborative computing devices | Manual, Disabled | 1.1.0 |
Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
Protect wireless access | CMA_0411 - Protect wireless access | Manual, Disabled | 1.1.0 |
Provide privacy notice | CMA_0414 - Provide privacy notice | Manual, Disabled | 1.1.0 |
Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
Provide secure name and address resolution services | CMA_0416 - Provide secure name and address resolution services | Manual, Disabled | 1.1.0 |
Publish Computer Matching Agreements on public website | CMA_C1829 - Publish Computer Matching Agreements on public website | Manual, Disabled | 1.1.0 |
Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0 |
Require interconnection security agreements | CMA_C1151 - Require interconnection security agreements | Manual, Disabled | 1.1.0 |
Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Manual, Disabled | 1.1.0 |
Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
Secure transfer to storage accounts should be enabled | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 2.0.0 |
Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
Update interconnection security agreements | CMA_0519 - Update interconnection security agreements | Manual, Disabled | 1.1.0 |
Verify security controls for external information systems | CMA_0541 - Verify security controls for external information systems | Manual, Disabled | 1.1.0 |
Windows Defender Exploit Guard should be enabled on your machines | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | AuditIfNotExists, Disabled | 2.0.0 |
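
Every row in these tables with an effect of Audit, Deny or AuditIfNotExists is backed by a JSON policy definition whose `policyRule` is an `if` tree of conditions over the resource's fields and aliases and a `then` that applies the effect chosen at assignment time. As an added example (not Azure's evaluation engine and not the published definitions), the Python below implements enough of that structure to evaluate condensed reconstructions of two policies on this page, "Secure transfer to storage accounts should be enabled" (op.mon.1, above) and "All network ports should be restricted on network security groups associated to your virtual machine" (op.ext.4), against constructed resource documents. The alias-to-property mapping, the operator semantics and the two rule bodies are the editor's assumptions; the real NSG policy is an AuditIfNotExists evaluated from the virtual machine, simplified here to an Audit on the NSG itself.

```python
# Offline evaluator for the if/then policyRule trees that Azure Policy
# definitions are built from. Editor's example, not Azure's engine: supports
# allOf/anyOf/not/count and only the field operators listed in _OPS.


def _norm(v):  # Azure compares strings case-insensitively, bools as "true"/"false"
    if isinstance(v, bool):
        return "true" if v else "false"
    return None if v is None else str(v).lower()


_OPS = {
    "equals": lambda v, x: _norm(v) == _norm(x),
    "in": lambda v, x: _norm(v) in {_norm(i) for i in x},
    "exists": lambda v, x: (v is not None) == (_norm(x) == "true"),
    "greater": lambda v, x: v is not None and v > x,
}


def _resolve(resource, field):
    # Assumption: an alias '<resource type>/<path>' maps to properties/<path>.
    if field in ("type", "name", "location", "kind", "id"):
        return resource.get(field)
    rtype = resource.get("type", "")
    path = field[len(rtype) + 1:] if field.lower().startswith(rtype.lower() + "/") else field
    node = resource.get("properties") or {}
    for part in path.split("/"):
        node = node.get(part) if isinstance(node, dict) else None
    return node


def _resolve_in_element(element, field, array_alias):
    # Inside count/where, '<alias>[*].<prop>' names a property of the current element.
    prefix = array_alias + "[*]."
    if not field.startswith(prefix):
        return None
    return (element.get("properties") or {}).get(field[len(prefix):])


def _compare(value, cond):
    for op, fn in _OPS.items():
        if op in cond:
            return fn(value, cond[op])
    raise ValueError(f"unsupported condition: {sorted(cond)}")


def evaluate(condition, resource, resolver=None):
    """True when `condition` (a policyRule 'if' tree) matches `resource`."""
    resolve = resolver or (lambda f: _resolve(resource, f))
    if "allOf" in condition:
        return all(evaluate(c, resource, resolver) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource, resolver) for c in condition["anyOf"])
    if "not" in condition:
        return not evaluate(condition["not"], resource, resolver)
    if "count" in condition:
        alias, where = condition["count"]["field"][:-3], condition["count"].get("where")
        n = sum(1 for el in resolve(alias) or [] if where is None or
                evaluate(where, resource, lambda f, el=el: _resolve_in_element(el, f, alias)))
        return _compare(n, condition)
    return _compare(resolve(condition["field"]), condition)


def apply_policy(definition, resource, parameters=None):
    """Effect applied to `resource`, or None when the 'if' does not match. The
    effect is the assignment parameter (the Effect(s) column on this page);
    'Disabled' switches evaluation off entirely."""
    effect = (parameters or {}).get("effect", definition["parameters"]["effect"]["defaultValue"])
    if effect.lower() == "disabled":
        return None
    return effect if evaluate(definition["policyRule"]["if"], resource) else None


def _rule(if_tree, default, allowed):
    return {"parameters": {"effect": {"type": "String", "allowedValues": allowed, "defaultValue": default}},
            "policyRule": {"if": if_tree, "then": {"effect": "[parameters('effect')]"}}}


# Reconstruction of "Secure transfer to storage accounts should be enabled":
# non-compliant when supportsHttpsTrafficOnly is absent or false.
HTTPS = "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly"
SECURE_TRANSFER = _rule({"allOf": [
    {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
    {"anyOf": [{"field": HTTPS, "exists": "false"}, {"field": HTTPS, "equals": "false"}]}]},
    "Audit", ["Audit", "Deny", "Disabled"])

# Condensed reconstruction of "All network ports should be restricted on network
# security groups ...": an inbound Allow rule from Any/Internet is too permissive.
SR = "Microsoft.Network/networkSecurityGroups/securityRules[*]"
NSG_OPEN_INBOUND = _rule({"allOf": [
    {"field": "type", "equals": "Microsoft.Network/networkSecurityGroups"},
    {"count": {"field": SR, "where": {"allOf": [
        {"field": SR + ".direction", "equals": "Inbound"},
        {"field": SR + ".access", "equals": "Allow"},
        {"field": SR + ".sourceAddressPrefix", "in": ["*", "Internet", "0.0.0.0/0", "Any"]}]}},
     "greater": 0}]}, "Audit", ["Audit", "Disabled"])


# Constructed sample resources (not from any real subscription).
def _storage(name, **props):
    return {"type": "Microsoft.Storage/storageAccounts", "name": name, "properties": props}


def _nsg(name, *rules):
    return {"type": "Microsoft.Network/networkSecurityGroups", "name": name,
            "properties": {"securityRules": [{"name": n, "properties": p} for n, p in rules]}}


STORAGE_HTTP = _storage("stlegacy01", supportsHttpsTrafficOnly=False)
STORAGE_HTTPS = _storage("stprod01", supportsHttpsTrafficOnly=True)
STORAGE_NO_FIELD = _storage("stold01")  # property never set: the rule treats it as non-compliant
NSG_OPEN = _nsg("nsg-web", ("allow-ssh-anywhere",
    {"direction": "Inbound", "access": "Allow", "sourceAddressPrefix": "*", "destinationPortRange": "22"}))
NSG_SCOPED = _nsg("nsg-app",
    ("allow-ssh-corp", {"direction": "Inbound", "access": "Allow", "sourceAddressPrefix": "10.0.0.0/8", "destinationPortRange": "22"}),
    ("deny-internet", {"direction": "Inbound", "access": "Deny", "sourceAddressPrefix": "Internet", "destinationPortRange": "*"}))
```

`apply_policy(SECURE_TRANSFER, STORAGE_HTTP, {"effect": "Deny"})` returns `Deny`, the same resource under the default parameter returns `Audit`, and `{"effect": "Disabled"}` returns nothing at all, which is what Disabled in the Effect(s) column means: the definition is assigned but never evaluated, so the compliance view will not show it as a failure. `STORAGE_NO_FIELD` is non-compliant even though nothing is set to `false`, because the reconstructed rule treats a missing property as insecure rather than assuming a safe default.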
System monitoring
ID: ENS v1 op.mon.2 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Configure detection whitelist | CMA_0068 - Configure detection whitelist | Manual, Disabled | 1.1.0 |
Turn on sensors for endpoint security solution | CMA_0514 - Turn on sensors for endpoint security solution | Manual, Disabled | 1.1.0 |
Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
System monitoring
ID: ENS v1 op.mon.3 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
A vulnerability assessment solution should be enabled on your virtual machines | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | AuditIfNotExists, Disabled | 3.0.0 |
Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) | Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. | AuditIfNotExists, Disabled | 1.0.1 |
Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) | Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. | AuditIfNotExists, Disabled | 1.0.1 |
Configure machines to receive a vulnerability assessment provider | Azure Defender includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center. When you enable this policy, Azure Defender automatically deploys the Qualys vulnerability assessment provider to all supported machines that don't already have it installed. | DeployIfNotExists, Disabled | 4.0.0 |
Configure Microsoft Defender for Azure Cosmos DB to be enabled | Microsoft Defender for Azure Cosmos DB is an Azure-native layer of security that detects attempts to exploit databases in your Azure Cosmos DB accounts. Defender for Azure Cosmos DB detects potential SQL injections, known bad actors based on Microsoft Threat Intelligence, suspicious access patterns, and potential exploitations of your database through compromised identities or malicious insiders. | DeployIfNotExists, Disabled | 1.0.0 |
Correlate Vulnerability scan information | CMA_C1558 - Correlate Vulnerability scan information | Manual, Disabled | 1.1.1 |
Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Manual, Disabled | 1.1.0 |
Develop configuration management plan | CMA_C1232 - Develop configuration management plan | Manual, Disabled | 1.1.0 |
Ensure cryptographic mechanisms are under configuration management | CMA_C1199 - Ensure cryptographic mechanisms are under configuration management | Manual, Disabled | 1.1.0 |
Establish a threat intelligence program | CMA_0260 - Establish a threat intelligence program | Manual, Disabled | 1.1.0 |
Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Manual, Disabled | 1.1.0 |
Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Manual, Disabled | 1.1.0 |
Implement privileged access for executing vulnerability scanning activities | CMA_C1555 - Implement privileged access for executing vulnerability scanning activities | Manual, Disabled | 1.1.0 |
Incorporate flaw remediation into configuration management | CMA_C1671 - Incorporate flaw remediation into configuration management | Manual, Disabled | 1.1.0 |
Microsoft Defender for Azure Cosmos DB should be enabled | Microsoft Defender for Azure Cosmos DB is an Azure-native layer of security that detects attempts to exploit databases in your Azure Cosmos DB accounts. Defender for Azure Cosmos DB detects potential SQL injections, known bad actors based on Microsoft Threat Intelligence, suspicious access patterns, and potential exploitations of your database through compromised identities or malicious insiders. | AuditIfNotExists, Disabled | 1.0.0 |
Microsoft Managed Control 1174 - Configuration Management Policy And Procedures | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1175 - Configuration Management Policy And Procedures | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1230 - Configuration Management Plan | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1231 - Configuration Management Plan | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1232 - Configuration Management Plan | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1233 - Configuration Management Plan | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1546 - Vulnerability Scanning | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1547 - Vulnerability Scanning | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1548 - Vulnerability Scanning | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1549 - Vulnerability Scanning | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1550 - Vulnerability Scanning | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1551 - Vulnerability Scanning \| Update Tool Capability | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1552 - Vulnerability Scanning \| Update By Frequency / Prior To New Scan / When Identified | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1553 - Vulnerability Scanning \| Breadth / Depth Of Coverage | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1554 - Vulnerability Scanning \| Discoverable Information | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1555 - Vulnerability Scanning \| Privileged Access | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1556 - Vulnerability Scanning \| Automated Trend Analyses | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1557 - Vulnerability Scanning \| Review Historic Audit Logs | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1558 - Vulnerability Scanning \| Correlate Scanning Information | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1594 - Developer Configuration Management | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Microsoft Managed Control 1595 - Developer Configuration Management | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Microsoft Managed Control 1596 - Developer Configuration Management | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Microsoft Managed Control 1597 - Developer Configuration Management | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Microsoft Managed Control 1598 - Developer Configuration Management | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Microsoft Managed Control 1599 - Developer Configuration Management \| Software / Firmware Integrity Verification | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Microsoft Managed Control 1606 - Developer Security Testing And Evaluation \| Threat And Vulnerability Analyses | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
Review and update configuration management policies and procedures | CMA_C1175 - Review and update configuration management policies and procedures | Manual, Disabled | 1.1.0 |
Security Center standard pricing tier should be selected | The standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in Azure Security Center | Audit, Disabled | 1.1.0 |
Setup subscriptions to transition to an alternative vulnerability assessment solution | Microsoft Defender for Cloud offers vulnerability scanning for your machines at no extra cost. Enabling this policy will cause Defender for Cloud to automatically propagate the findings from the built-in Microsoft Defender vulnerability management solution to all supported machines. | DeployIfNotExists, Disabled | 1.0.0-preview |
SQL databases should have vulnerability findings resolved | Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. | AuditIfNotExists, Disabled | 4.1.0 |
SQL servers on machines should have vulnerability findings resolved | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | AuditIfNotExists, Disabled | 1.0.0 |
Vulnerability assessment should be enabled on SQL Managed Instance | Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 1.0.1 |
Vulnerability assessment should be enabled on your SQL servers | Audit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 3.0.0 |
Vulnerability assessment should be enabled on your Synapse workspaces | Discover, track, and remediate potential vulnerabilities by configuring recurring SQL vulnerability assessment scans on your Synapse workspaces. | AuditIfNotExists, Disabled | 1.0.0 |
Cloud services
ID: ENS v1 op.nub.1 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Assess risk in third party relationships | CMA_0014 - Assess risk in third party relationships | Manual, Disabled | 1.1.0 |
Check for privacy and security compliance before establishing internal connections | CMA_0053 - Check for privacy and security compliance before establishing internal connections | Manual, Disabled | 1.1.0 |
Cloud Services (extended support) role instances should be configured securely | Protect your Cloud Service (extended support) role instances from attacks by ensuring they are not exposed to any OS vulnerabilities. | AuditIfNotExists, Disabled | 1.0.0 |
Cloud Services (extended support) role instances should have system updates installed | Secure your Cloud Services (extended support) role instances by ensuring the latest security and critical updates are installed on them. | AuditIfNotExists, Disabled | 1.0.0 |
Define and document government oversight | CMA_C1587 - Define and document government oversight | Manual, Disabled | 1.1.0 |
Define requirements for supplying goods and services | CMA_0126 - Define requirements for supplying goods and services | Manual, Disabled | 1.1.0 |
Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
Develop organization code of conduct policy | CMA_0159 - Develop organization code of conduct policy | Manual, Disabled | 1.1.0 |
Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Establish policies for supply chain risk management | CMA_0275 - Establish policies for supply chain risk management | Manual, Disabled | 1.1.0 |
Identify external service providers | CMA_C1591 - Identify external service providers | Manual, Disabled | 1.1.0 |
Log Analytics agent should be installed on your Cloud Services (extended support) role instances | Security Center collects data from your Cloud Services (extended support) role instances to monitor for security vulnerabilities and threats. | AuditIfNotExists, Disabled | 2.0.0 |
Prohibit unfair practices | CMA_0396 - Prohibit unfair practices | Manual, Disabled | 1.1.0 |
Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0 |
Review and sign revised rules of behavior | CMA_0465 - Review and sign revised rules of behavior | Manual, Disabled | 1.1.0 |
Review and update personnel security policies and procedures | CMA_C1507 - Review and update personnel security policies and procedures | Manual, Disabled | 1.1.0 |
Review and update system and services acquisition policies and procedures | CMA_C1560 - Review and update system and services acquisition policies and procedures | Manual, Disabled | 1.1.0 |
Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Manual, Disabled | 1.1.0 |
Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
Update rules of behavior and access agreements | CMA_0521 - Update rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Update rules of behavior and access agreements every 3 years | CMA_0522 - Update rules of behavior and access agreements every 3 years | Manual, Disabled | 1.1.0 |
Planning
ID: ENS v1 op.pl.1 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Assess risk in third party relationships | CMA_0014 - Assess risk in third party relationships | Manual, Disabled | 1.1.0 |
Assign risk designations | CMA_0016 - Assign risk designations | Manual, Disabled | 1.1.0 |
Conduct Risk Assessment | CMA_C1543 - Conduct Risk Assessment | Manual, Disabled | 1.1.0 |
Conduct risk assessment and distribute its results | CMA_C1544 - Conduct risk assessment and distribute its results | Manual, Disabled | 1.1.0 |
Conduct risk assessment and document its results | CMA_C1542 - Conduct risk assessment and document its results | Manual, Disabled | 1.1.0 |
Configure Microsoft Defender CSPM to be enabled | Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud. | DeployIfNotExists, Disabled | 1.0.2 |
Develop POA&M | CMA_C1156 - Develop POA&M | Manual, Disabled | 1.1.0 |
Develop SSP that meets criteria | CMA_C1492 - Develop SSP that meets criteria | Manual, Disabled | 1.1.0 |
Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
Establish policies for supply chain risk management | CMA_0275 - Establish policies for supply chain risk management | Manual, Disabled | 1.1.0 |
Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
Implement the risk management strategy | CMA_C1744 - Implement the risk management strategy | Manual, Disabled | 1.1.0 |
Integrate risk management process into SDLC | CMA_C1567 - Integrate risk management process into SDLC | Manual, Disabled | 1.1.0 |
Microsoft Defender CSPM should be enabled | Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud. | AuditIfNotExists, Disabled | 1.0.0 |
Microsoft Managed Control 1026 - Account Management \| Disable Accounts For High-Risk Individuals | Microsoft implements this Access Control control | audit | 1.0.0 |
Microsoft Managed Control 1182 - Baseline Configuration \| Configure Systems, Components, Or Devices For High-Risk Areas | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1183 - Baseline Configuration \| Configure Systems, Components, Or Devices For High-Risk Areas | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Microsoft Managed Control 1536 - Risk Assessment Policy And Procedures | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1537 - Risk Assessment Policy And Procedures | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1538 - Security Categorization | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1539 - Security Categorization | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1540 - Security Categorization | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1541 - Risk Assessment | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1542 - Risk Assessment | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1543 - Risk Assessment | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1544 - Risk Assessment | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1545 - Risk Assessment | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1546 - Vulnerability Scanning | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1547 - Vulnerability Scanning | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1548 - Vulnerability Scanning | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1549 - Vulnerability Scanning | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1550 - Vulnerability Scanning | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1551 - Vulnerability Scanning \| Update Tool Capability | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1552 - Vulnerability Scanning \| Update By Frequency / Prior To New Scan / When Identified | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1553 - Vulnerability Scanning \| Breadth / Depth Of Coverage | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1554 - Vulnerability Scanning \| Discoverable Information | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1555 - Vulnerability Scanning \| Privileged Access | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1556 - Vulnerability Scanning \| Automated Trend Analyses | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1557 - Vulnerability Scanning \| Review Historic Audit Logs | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1558 - Vulnerability Scanning \| Correlate Scanning Information | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Microsoft Managed Control 1589 - External Information System Services \| Risk Assessments / Organizational Approvals | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Microsoft Managed Control 1590 - External Information System Services \| Risk Assessments / Organizational Approvals | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Microsoft Managed Control 1698 - Information System Monitoring \| Individuals Posing Greater Risk | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
Microsoft Managed Control 1743 - Risk Management Strategy | Microsoft implements this Program Management control | audit | 1.0.0 |
Microsoft Managed Control 1744 - Risk Management Strategy | Microsoft implements this Program Management control | audit | 1.0.0 |
Microsoft Managed Control 1745 - Risk Management Strategy | Microsoft implements this Program Management control | audit | 1.0.0 |
Microsoft Managed Control 1802 - Governance And Privacy Program | Microsoft implements this Accountability, Audit, and Risk Management control | audit | 1.0.0 |
Microsoft Managed Control 1803 - Governance And Privacy Program | Microsoft implements this Accountability, Audit, and Risk Management control | audit | 1.0.0 |
Microsoft Managed Control 1804 - Governance And Privacy Program | Microsoft implements this Accountability, Audit, and Risk Management control | audit | 1.0.0 |
Microsoft Managed Control 1805 - Governance And Privacy Program | Microsoft implements this Accountability, Audit, and Risk Management control | audit | 1.0.0 |
Microsoft Managed Control 1806 - Governance And Privacy Program | Microsoft implements this Accountability, Audit, and Risk Management control | audit | 1.0.0 |
Microsoft Managed Control 1807 - Governance And Privacy Program | Microsoft implements this Accountability, Audit, and Risk Management control | audit | 1.0.0 |
Microsoft Managed Control 1808 - Privacy Impact And Risk Assessment | Microsoft implements this Accountability, Audit, and Risk Management control | audit | 1.0.0 |
Microsoft Managed Control 1809 - Privacy Impact And Risk Assessment | Microsoft implements this Accountability, Audit, and Risk Management control | audit | 1.0.0 |
Microsoft Managed Control 1810 - Privacy Requirements for Contractors And Service Providers | Microsoft implements this Accountability, Audit, and Risk Management control | audit | 1.0.0 |
Microsoft Managed Control 1811 - Privacy Requirements for Contractors And Service Providers | Microsoft implements this Accountability, Audit, and Risk Management control | audit | 1.0.0 |
Microsoft Managed Control 1812 - Privacy Monitoring And Auditing | Microsoft implements this Accountability, Audit, and Risk Management control | audit | 1.0.0 |
Microsoft Managed Control 1813 - Privacy Awareness And Training | Microsoft implements this Accountability, Audit, and Risk Management control | audit | 1.0.0 |
Microsoft Managed Control 1814 - Privacy Awareness And Training | Microsoft implements this Accountability, Audit, and Risk Management control | audit | 1.0.0 |
Microsoft Managed Control 1815 - Privacy Awareness And Training | Microsoft implements this Accountability, Audit, and Risk Management control | audit | 1.0.0 |
Microsoft Managed Control 1816 - Privacy Reporting | Microsoft implements this Accountability, Audit, and Risk Management control | audit | 1.0.0 |
Microsoft Managed Control 1817 - Privacy-Enhanced System Design And Development | Microsoft implements this Accountability, Audit, and Risk Management control | audit | 1.0.0 |
Microsoft Managed Control 1818 - Accounting of Disclosures | Microsoft implements this Accountability, Audit, and Risk Management control | audit | 1.0.0 |
Microsoft Managed Control 1819 - Accounting of Disclosures | Microsoft implements this Accountability, Audit, and Risk Management control | audit | 1.0.0 |
Microsoft Managed Control 1820 - Accounting of Disclosures | Microsoft implements this Accountability, Audit, and Risk Management control | audit | 1.0.0 |
Microsoft Managed Control 1840 - Minimization of PII Used in Testing, Training, And Research \| Risk Minimization Techniques | Microsoft implements this Data Minimization and Retention control | audit | 1.0.0 |
Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
Review and update risk assessment policies and procedures | CMA_C1537 - Review and update risk assessment policies and procedures | Manual, Disabled | 1.1.0 |
Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
Update POA&M items | CMA_C1157 - Update POA&M items | Manual, Disabled | 1.1.0 |
Planning
ID: ENS v1 op.pl.2 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
All network ports should be restricted on network security groups associated to your virtual machine | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | AuditIfNotExists, Disabled | 3.0.0 |
Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0 |
Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
Control use of portable storage devices | CMA_0083 - Control use of portable storage devices | Manual, Disabled | 1.1.0 |
Create a data inventory | CMA_0096 - Create a data inventory | Manual, Disabled | 1.1.0 |
Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
Develop an enterprise architecture | CMA_C1741 - Develop an enterprise architecture | Manual, Disabled | 1.1.0 |
Document and implement wireless access guidelines | CMA_0190 - Document and implement wireless access guidelines | Manual, Disabled | 1.1.0 |
Document mobility training | CMA_0191 - Document mobility training | Manual, Disabled | 1.1.0 |
Document remote access guidelines | CMA_0196 - Document remote access guidelines | Manual, Disabled | 1.1.0 |
Employ boundary protection to isolate information systems | CMA_C1639 - Employ boundary protection to isolate information systems | Manual, Disabled | 1.1.0 |
Employ flow control mechanisms of encrypted information | CMA_0211 - Employ flow control mechanisms of encrypted information | Manual, Disabled | 1.1.0 |
Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Establish and maintain an asset inventory | CMA_0266 - Establish and maintain an asset inventory | Manual, Disabled | 1.1.0 |
Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
Establish terms and conditions for accessing resources | CMA_C1076 - Establish terms and conditions for accessing resources | Manual, Disabled | 1.1.0 |
Establish terms and conditions for processing resources | CMA_C1077 - Establish terms and conditions for processing resources | Manual, Disabled | 1.1.0 |
Identify and authenticate network devices | CMA_0296 - Identify and authenticate network devices | Manual, Disabled | 1.1.0 |
Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
Implement a fault tolerant name/address service | CMA_0305 - Implement a fault tolerant name/address service | Manual, Disabled | 1.1.0 |
Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Manual, Disabled | 1.1.0 |
Implement managed interface for each external service | CMA_C1626 - Implement managed interface for each external service | Manual, Disabled | 1.1.0 |
Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
Information flow control using security policy filters | CMA_C1029 - Information flow control using security policy filters | Manual, Disabled | 1.1.0 |
Maintain records of processing of personal data | CMA_0353 - Maintain records of processing of personal data | Manual, Disabled | 1.1.0 |
Microsoft Managed Control 1503 - Information Security Architecture | Microsoft implements this Planning control | audit | 1.0.0 |
Microsoft Managed Control 1504 - Information Security Architecture | Microsoft implements this Planning control | audit | 1.0.0 |
Microsoft Managed Control 1505 - Information Security Architecture | Microsoft implements this Planning control | audit | 1.0.0 |
Microsoft Managed Control 1612 - Developer Security Architecture And Design | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Microsoft Managed Control 1613 - Developer Security Architecture And Design | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Microsoft Managed Control 1614 - Developer Security Architecture And Design | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Microsoft Managed Control 1659 - Architecture And Provisioning For Name / Address Resolution Service | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
Microsoft Managed Control 1741 - Enterprise Architecture | Microsoft implements this Program Management control | audit | 1.0.0 |
Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
Notify users of system logon or access | CMA_0382 - Notify users of system logon or access | Manual, Disabled | 1.1.0 |
Perform information input validation | CMA_C1723 - Perform information input validation | Manual, Disabled | 1.1.0 |
Prevent split tunneling for remote devices | CMA_C1632 - Prevent split tunneling for remote devices | Manual, Disabled | 1.1.0 |
Produce, control and distribute asymmetric cryptographic keys | CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys | Manual, Disabled | 1.1.0 |
Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
Protect wireless access | CMA_0411 - Protect wireless access | Manual, Disabled | 1.1.0 |
Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
Provide secure name and address resolution services | CMA_0416 - Provide secure name and address resolution services | Manual, Disabled | 1.1.0 |
Reauthenticate or terminate a user session | CMA_0421 - Reauthenticate or terminate a user session | Manual, Disabled | 1.1.0 |
Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
Require developers to build security architecture | CMA_C1612 - Require developers to build security architecture | Manual, Disabled | 1.1.0 |
Require developers to describe accurate security functionality | CMA_C1613 - Require developers to describe accurate security functionality | Manual, Disabled | 1.1.0 |
Require developers to provide unified security protection approach | CMA_C1614 - Require developers to provide unified security protection approach | Manual, Disabled | 1.1.0 |
Restrict media use | CMA_0450 - Restrict media use | Manual, Disabled | 1.1.0 |
Review and update the information security architecture | CMA_C1504 - Review and update the information security architecture | Manual, Disabled | 1.1.0 |
Review development process, standards and tools | CMA_C1610 - Review development process, standards and tools | Manual, Disabled | 1.1.0 |
Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
Separate user and information system management functionality | CMA_0493 - Separate user and information system management functionality | Manual, Disabled | 1.1.0 |
Use dedicated machines for administrative tasks | CMA_0527 - Use dedicated machines for administrative tasks | Manual, Disabled | 1.1.0 |
Verify security controls for external information systems | CMA_0541 - Verify security controls for external information systems | Manual, Disabled | 1.1.0 |
Planning
ID: ENS v1 op.pl.3 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0 |
Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
Define information security roles and responsibilities | CMA_C1565 - Define information security roles and responsibilities | Manual, Disabled | 1.1.0 |
Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
Develop a concept of operations (CONOPS) | CMA_0141 - Develop a concept of operations (CONOPS) | Manual, Disabled | 1.1.0 |
Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Manual, Disabled | 1.1.0 |
Develop SSP that meets criteria | CMA_C1492 - Develop SSP that meets criteria | Manual, Disabled | 1.1.0 |
Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
Document mobility training | CMA_0191 - Document mobility training | Manual, Disabled | 1.1.0 |
Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
Document remote access guidelines | CMA_0196 - Document remote access guidelines | Manual, Disabled | 1.1.0 |
Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
Employ boundary protection to isolate information systems | CMA_C1639 - Employ boundary protection to isolate information systems | Manual, Disabled | 1.1.0 |
Employ flow control mechanisms of encrypted information | CMA_0211 - Employ flow control mechanisms of encrypted information | Manual, Disabled | 1.1.0 |
Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
Enforce user uniqueness | CMA_0250 - Enforce user uniqueness | Manual, Disabled | 1.1.0 |
Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
Identify and authenticate network devices | CMA_0296 - Identify and authenticate network devices | Manual, Disabled | 1.1.0 |
Identify and authenticate non-organizational users | CMA_C1346 - Identify and authenticate non-organizational users | Manual, Disabled | 1.1.0 |
Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
Identify external service providers | CMA_C1591 - Identify external service providers | Manual, Disabled | 1.1.0 |
Identify individuals with security roles and responsibilities | CMA_C1566 - Identify individuals with security roles and responsibilities | Manual, Disabled | 1.1.1 |
Implement a fault tolerant name/address service | CMA_0305 - Implement a fault tolerant name/address service | Manual, Disabled | 1.1.0 |
Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Manual, Disabled | 1.1.0 |
Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
Information flow control using security policy filters | CMA_C1029 - Information flow control using security policy filters | Manual, Disabled | 1.1.0 |
Integrate risk management process into SDLC | CMA_C1567 - Integrate risk management process into SDLC | Manual, Disabled | 1.1.0 |
Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
Notify users of system logon or access | CMA_0382 - Notify users of system logon or access | Manual, Disabled | 1.1.0 |
Prevent split tunneling for remote devices | CMA_C1632 - Prevent split tunneling for remote devices | Manual, Disabled | 1.1.0 |
Produce, control and distribute asymmetric cryptographic keys | CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys | Manual, Disabled | 1.1.0 |
Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
Provide secure name and address resolution services | CMA_0416 - Provide secure name and address resolution services | Manual, Disabled | 1.1.0 |
Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
Review and update the information security architecture | CMA_C1504 - Review and update the information security architecture | Manual, Disabled | 1.1.0 |
Review development process, standards and tools | CMA_C1610 - Review development process, standards and tools | Manual, Disabled | 1.1.0 |
Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
Separate user and information system management functionality | CMA_0493 - Separate user and information system management functionality | Manual, Disabled | 1.1.0 |
Support personal verification credentials issued by legal authorities | CMA_0507 - Support personal verification credentials issued by legal authorities | Manual, Disabled | 1.1.0 |
Use dedicated machines for administrative tasks | CMA_0527 - Use dedicated machines for administrative tasks | Manual, Disabled | 1.1.0 |
Planning
ID: ENS v1 op.pl.4 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Assess risk in third party relationships | CMA_0014 - Assess risk in third party relationships | Manual, Disabled | 1.1.0 |
Conduct capacity planning | CMA_C1252 - Conduct capacity planning | Manual, Disabled | 1.1.0 |
Define requirements for supplying goods and services | CMA_0126 - Define requirements for supplying goods and services | Manual, Disabled | 1.1.0 |
Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
Establish policies for supply chain risk management | CMA_0275 - Establish policies for supply chain risk management | Manual, Disabled | 1.1.0 |
Govern and monitor audit processing activities | CMA_0289 - Govern and monitor audit processing activities | Manual, Disabled | 1.1.0 |
Manage availability and capacity | CMA_0356 - Manage availability and capacity | Manual, Disabled | 1.1.0 |
Microsoft Managed Control 1110 - Audit Storage Capacity | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
Microsoft Managed Control 1113 - Response To Audit Processing Failures \| Audit Storage Capacity | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
Microsoft Managed Control 1252 - Contingency Plan \| Capacity Planning | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Review and update personnel security policies and procedures | CMA_C1507 - Review and update personnel security policies and procedures | Manual, Disabled | 1.1.0 |
Review and update system and services acquisition policies and procedures | CMA_C1560 - Review and update system and services acquisition policies and procedures | Manual, Disabled | 1.1.0 |
Planning
ID: ENS v1 op.pl.5 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Assess risk in third party relationships | CMA_0014 - Assess risk in third party relationships | Manual, Disabled | 1.1.0 |
Check for privacy and security compliance before establishing internal connections | CMA_0053 - Check for privacy and security compliance before establishing internal connections | Manual, Disabled | 1.1.0 |
Define requirements for supplying goods and services | CMA_0126 - Define requirements for supplying goods and services | Manual, Disabled | 1.1.0 |
Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
Develop organization code of conduct policy | CMA_0159 - Develop organization code of conduct policy | Manual, Disabled | 1.1.0 |
Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Establish policies for supply chain risk management | CMA_0275 - Establish policies for supply chain risk management | Manual, Disabled | 1.1.0 |
Identify external service providers | CMA_C1591 - Identify external service providers | Manual, Disabled | 1.1.0 |
Prohibit unfair practices | CMA_0396 - Prohibit unfair practices | Manual, Disabled | 1.1.0 |
Review and sign revised rules of behavior | CMA_0465 - Review and sign revised rules of behavior | Manual, Disabled | 1.1.0 |
Review and update personnel security policies and procedures | CMA_C1507 - Review and update personnel security policies and procedures | Manual, Disabled | 1.1.0 |
Review and update system and services acquisition policies and procedures | CMA_C1560 - Review and update system and services acquisition policies and procedures | Manual, Disabled | 1.1.0 |
Update rules of behavior and access agreements | CMA_0521 - Update rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Update rules of behavior and access agreements every 3 years | CMA_0522 - Update rules of behavior and access agreements every 3 years | Manual, Disabled | 1.1.0 |
Organizational framework
Organizational framework
ID: ENS v1 org.1 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Appoint a senior information security officer | CMA_C1733 - Appoint a senior information security officer | Manual, Disabled | 1.1.0 |
Authenticate to cryptographic module | CMA_0021 - Authenticate to cryptographic module | Manual, Disabled | 1.1.0 |
Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
Communicate contingency plan changes | CMA_C1249 - Communicate contingency plan changes | Manual, Disabled | 1.1.0 |
Conduct backup of information system documentation | CMA_C1289 - Conduct backup of information system documentation | Manual, Disabled | 1.1.0 |
Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
Create configuration plan protection | CMA_C1233 - Create configuration plan protection | Manual, Disabled | 1.1.0 |
Define and document government oversight | CMA_C1587 - Define and document government oversight | Manual, Disabled | 1.1.0 |
Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
Define information security roles and responsibilities | CMA_C1565 - Define information security roles and responsibilities | Manual, Disabled | 1.1.0 |
Designate individuals to fulfill specific roles and responsibilities | CMA_C1747 - Designate individuals to fulfill specific roles and responsibilities | Manual, Disabled | 1.1.0 |
Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
Develop access control policies and procedures | CMA_0144 - Develop access control policies and procedures | Manual, Disabled | 1.1.0 |
Develop and document a business continuity and disaster recovery plan | CMA_0146 - Develop and document a business continuity and disaster recovery plan | Manual, Disabled | 1.1.0 |
Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
Develop and maintain baseline configurations | CMA_0153 - Develop and maintain baseline configurations | Manual, Disabled | 1.1.0 |
Develop audit and accountability policies and procedures | CMA_0154 - Develop audit and accountability policies and procedures | Manual, Disabled | 1.1.0 |
Develop configuration item identification plan | CMA_C1231 - Develop configuration item identification plan | Manual, Disabled | 1.1.0 |
Develop configuration management plan | CMA_C1232 - Develop configuration management plan | Manual, Disabled | 1.1.0 |
Develop contingency plan | CMA_C1244 - Develop contingency plan | Manual, Disabled | 1.1.0 |
Develop contingency planning policies and procedures | CMA_0156 - Develop contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Manual, Disabled | 1.1.0 |
Distribute policies and procedures | CMA_0185 - Distribute policies and procedures | Manual, Disabled | 1.1.0 |
Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
Document and implement privacy complaint procedures | CMA_0189 - Document and implement privacy complaint procedures | Manual, Disabled | 1.1.0 |
Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
Document third-party personnel security requirements | CMA_C1531 - Document third-party personnel security requirements | Manual, Disabled | 1.1.0 |
Enable dual or joint authorization | CMA_0226 - Enable dual or joint authorization | Manual, Disabled | 1.1.0 |
Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
Ensure information system fails in known state | CMA_C1662 - Ensure information system fails in known state | Manual, Disabled | 1.1.0 |
Ensure privacy program information is publicly available | CMA_C1867 - Ensure privacy program information is publicly available | Manual, Disabled | 1.1.0 |
Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Manual, Disabled | 1.1.0 |
Establish backup policies and procedures | CMA_0268 - Establish backup policies and procedures | Manual, Disabled | 1.1.0 |
Establish privacy requirements for contractors and service providers | CMA_C1810 - Establish privacy requirements for contractors and service providers | Manual, Disabled | 1.1.0 |
Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
Establish third-party personnel security requirements | CMA_C1529 - Establish third-party personnel security requirements | Manual, Disabled | 1.1.0 |
Govern policies and procedures | CMA_0292 - Govern policies and procedures | Manual, Disabled | 1.1.0 |
Identify individuals with security roles and responsibilities | CMA_C1566 - Identify individuals with security roles and responsibilities | Manual, Disabled | 1.1.1 |
Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Manual, Disabled | 1.1.0 |
Implement formal sanctions process | CMA_0317 - Implement formal sanctions process | Manual, Disabled | 1.1.0 |
Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
Implement transaction based recovery | CMA_C1296 - Implement transaction based recovery | Manual, Disabled | 1.1.0 |
Integrate risk management process into SDLC | CMA_C1567 - Integrate risk management process into SDLC | Manual, Disabled | 1.1.0 |
Manage compliance activities | CMA_0358 - Manage compliance activities | Manual, Disabled | 1.1.0 |
Manage security state of information systems | CMA_C1746 - Manage security state of information systems | Manual, Disabled | 1.1.0 |
Manage the input, output, processing, and storage of data | CMA_0369 - Manage the input, output, processing, and storage of data | Manual, Disabled | 1.1.0 |
Monitor third-party provider compliance | CMA_C1533 - Monitor third-party provider compliance | Manual, Disabled | 1.1.0 |
Notify personnel upon sanctions | CMA_0380 - Notify personnel upon sanctions | Manual, Disabled | 1.1.0 |
Plan for resumption of essential business functions | CMA_C1253 - Plan for resumption of essential business functions | Manual, Disabled | 1.1.0 |
Protect audit information | CMA_0401 - Protect audit information | Manual, Disabled | 1.1.0 |
Protect the information security program plan | CMA_C1732 - Protect the information security program plan | Manual, Disabled | 1.1.0 |
Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
Require compliance with intellectual property rights | CMA_0432 - Require compliance with intellectual property rights | Manual, Disabled | 1.1.0 |
Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0 |
Require notification of third-party personnel transfer or termination | CMA_C1532 - Require notification of third-party personnel transfer or termination | Manual, Disabled | 1.1.0 |
Require third-party providers to comply with personnel security policies and procedures | CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures | Manual, Disabled | 1.1.0 |
Resume all mission and business functions | CMA_C1254 - Resume all mission and business functions | Manual, Disabled | 1.1.0 |
Review access control policies and procedures | CMA_0457 - Review access control policies and procedures | Manual, Disabled | 1.1.0 |
Review and update configuration management policies and procedures | CMA_C1175 - Review and update configuration management policies and procedures | Manual, Disabled | 1.1.0 |
Review and update contingency planning policies and procedures | CMA_C1243 - Review and update contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
Review and update incident response policies and procedures | CMA_C1352 - Review and update incident response policies and procedures | Manual, Disabled | 1.1.0 |
Review and update information integrity policies and procedures | CMA_C1667 - Review and update information integrity policies and procedures | Manual, Disabled | 1.1.0 |
Review and update media protection policies and procedures | CMA_C1427 - Review and update media protection policies and procedures | Manual, Disabled | 1.1.0 |
Review and update personnel security policies and procedures | CMA_C1507 - Review and update personnel security policies and procedures | Manual, Disabled | 1.1.0 |
Review and update physical and environmental policies and procedures | CMA_C1446 - Review and update physical and environmental policies and procedures | Manual, Disabled | 1.1.0 |
Review and update planning policies and procedures | CMA_C1491 - Review and update planning policies and procedures | Manual, Disabled | 1.1.0 |
Review and update risk assessment policies and procedures | CMA_C1537 - Review and update risk assessment policies and procedures | Manual, Disabled | 1.1.0 |
Review and update system and communications protection policies and procedures | CMA_C1616 - Review and update system and communications protection policies and procedures | Manual, Disabled | 1.1.0 |
Review and update system and services acquisition policies and procedures | CMA_C1560 - Review and update system and services acquisition policies and procedures | Manual, Disabled | 1.1.0 |
Review and update system maintenance policies and procedures | CMA_C1395 - Review and update system maintenance policies and procedures | Manual, Disabled | 1.1.0 |
Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Manual, Disabled | 1.1.0 |
Review contingency plan | CMA_C1247 - Review contingency plan | Manual, Disabled | 1.1.0 |
Review label activity and analytics | CMA_0474 - Review label activity and analytics | Manual, Disabled | 1.1.0 |
Review security assessment and authorization policies and procedures | CMA_C1143 - Review security assessment and authorization policies and procedures | Manual, Disabled | 1.1.0 |
Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
Track software license usage | CMA_C1235 - Track software license usage | Manual, Disabled | 1.1.0 |
Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
Update contingency plan | CMA_C1248 - Update contingency plan | Manual, Disabled | 1.1.0 |
Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
Update privacy plan, policies, and procedures | CMA_C1807 - Update privacy plan, policies, and procedures | Manual, Disabled | 1.1.0 |
Organizational framework
ID: ENS v1 org.2 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Adhere to retention periods defined | CMA_0004 - Adhere to retention periods defined | Manual, Disabled | 1.1.0 |
Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
Assess information security events | CMA_0013 - Assess information security events | Manual, Disabled | 1.1.0 |
Assess Security Controls | CMA_C1145 - Assess Security Controls | Manual, Disabled | 1.1.0 |
Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0 |
Check for privacy and security compliance before establishing internal connections | CMA_0053 - Check for privacy and security compliance before establishing internal connections | Manual, Disabled | 1.1.0 |
Conduct exit interview upon termination | CMA_0058 - Conduct exit interview upon termination | Manual, Disabled | 1.1.0 |
Configure detection whitelist | CMA_0068 - Configure detection whitelist | Manual, Disabled | 1.1.0 |
Correlate audit records | CMA_0087 - Correlate audit records | Manual, Disabled | 1.1.0 |
Define mobile device requirements | CMA_0122 - Define mobile device requirements | Manual, Disabled | 1.1.0 |
Deliver security assessment results | CMA_C1147 - Deliver security assessment results | Manual, Disabled | 1.1.0 |
Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
Develop access control policies and procedures | CMA_0144 - Develop access control policies and procedures | Manual, Disabled | 1.1.0 |
Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
Develop audit and accountability policies and procedures | CMA_0154 - Develop audit and accountability policies and procedures | Manual, Disabled | 1.1.0 |
Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Manual, Disabled | 1.1.0 |
Develop security assessment plan | CMA_C1144 - Develop security assessment plan | Manual, Disabled | 1.1.0 |
Develop security safeguards | CMA_0161 - Develop security safeguards | Manual, Disabled | 1.1.0 |
Disable authenticators upon termination | CMA_0169 - Disable authenticators upon termination | Manual, Disabled | 1.1.0 |
Discover any indicators of compromise | CMA_C1702 - Discover any indicators of compromise | Manual, Disabled | 1.1.0 |
Disseminate security alerts to personnel | CMA_C1705 - Disseminate security alerts to personnel | Manual, Disabled | 1.1.0 |
Document and implement wireless access guidelines | CMA_0190 - Document and implement wireless access guidelines | Manual, Disabled | 1.1.0 |
Document mobility training | CMA_0191 - Document mobility training | Manual, Disabled | 1.1.0 |
Document remote access guidelines | CMA_0196 - Document remote access guidelines | Manual, Disabled | 1.1.0 |
Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
Document security operations | CMA_0202 - Document security operations | Manual, Disabled | 1.1.0 |
Enable network protection | CMA_0238 - Enable network protection | Manual, Disabled | 1.1.0 |
Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Ensure security safeguards not needed when the individuals return | CMA_C1183 - Ensure security safeguards not needed when the individuals return | Manual, Disabled | 1.1.0 |
Eradicate contaminated information | CMA_0253 - Eradicate contaminated information | Manual, Disabled | 1.1.0 |
Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
Establish a threat intelligence program | CMA_0260 - Establish a threat intelligence program | Manual, Disabled | 1.1.0 |
Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
Establish requirements for audit review and reporting | CMA_0277 - Establish requirements for audit review and reporting | Manual, Disabled | 1.1.0 |
Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
Establish terms and conditions for accessing resources | CMA_C1076 - Establish terms and conditions for accessing resources | Manual, Disabled | 1.1.0 |
Establish terms and conditions for processing resources | CMA_C1077 - Establish terms and conditions for processing resources | Manual, Disabled | 1.1.0 |
Execute actions in response to information spills | CMA_0281 - Execute actions in response to information spills | Manual, Disabled | 1.1.0 |
Generate internal security alerts | CMA_C1704 - Generate internal security alerts | Manual, Disabled | 1.1.0 |
Govern policies and procedures | CMA_0292 - Govern policies and procedures | Manual, Disabled | 1.1.0 |
Identify and authenticate network devices | CMA_0296 - Identify and authenticate network devices | Manual, Disabled | 1.1.0 |
Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Manual, Disabled | 1.1.0 |
Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |
Implement security directives | CMA_C1706 - Implement security directives | Manual, Disabled | 1.1.0 |
Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
Incorporate flaw remediation into configuration management | CMA_C1671 - Incorporate flaw remediation into configuration management | Manual, Disabled | 1.1.0 |
Initiate transfer or reassignment actions | CMA_0333 - Initiate transfer or reassignment actions | Manual, Disabled | 1.1.0 |
Integrate audit review, analysis, and reporting | CMA_0339 - Integrate audit review, analysis, and reporting | Manual, Disabled | 1.1.0 |
Integrate cloud app security with a siem | CMA_0340 - Integrate cloud app security with a siem | Manual, Disabled | 1.1.0 |
Maintain data breach records | CMA_0351 - Maintain data breach records | Manual, Disabled | 1.1.0 |
Maintain incident response plan | CMA_0352 - Maintain incident response plan | Manual, Disabled | 1.1.0 |
Manage contacts for authorities and special interest groups | CMA_0359 - Manage contacts for authorities and special interest groups | Manual, Disabled | 1.1.0 |
Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Manual, Disabled | 1.1.0 |
Modify access authorizations upon personnel transfer | CMA_0374 - Modify access authorizations upon personnel transfer | Manual, Disabled | 1.1.0 |
Not allow for information systems to accompany with individuals | CMA_C1182 - Not allow for information systems to accompany with individuals | Manual, Disabled | 1.1.0 |
Notify upon termination or transfer | CMA_0381 - Notify upon termination or transfer | Manual, Disabled | 1.1.0 |
Notify users of system logon or access | CMA_0382 - Notify users of system logon or access | Manual, Disabled | 1.1.0 |
Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
Produce Security Assessment report | CMA_C1146 - Produce Security Assessment report | Manual, Disabled | 1.1.0 |
Protect against and prevent data theft from departing employees | CMA_0398 - Protect against and prevent data theft from departing employees | Manual, Disabled | 1.1.0 |
Protect incident response plan | CMA_0405 - Protect incident response plan | Manual, Disabled | 1.1.0 |
Protect the information security program plan | CMA_C1732 - Protect the information security program plan | Manual, Disabled | 1.1.0 |
Protect wireless access | CMA_0411 - Protect wireless access | Manual, Disabled | 1.1.0 |
Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
Reevaluate access upon personnel transfer | CMA_0424 - Reevaluate access upon personnel transfer | Manual, Disabled | 1.1.0 |
Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
Report atypical behavior of user accounts | CMA_C1025 - Report atypical behavior of user accounts | Manual, Disabled | 1.1.0 |
Retain security policies and procedures | CMA_0454 - Retain security policies and procedures | Manual, Disabled | 1.1.0 |
Retain terminated user data | CMA_0455 - Retain terminated user data | Manual, Disabled | 1.1.0 |
Review access control policies and procedures | CMA_0457 - Review access control policies and procedures | Manual, Disabled | 1.1.0 |
Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
Review administrator assignments weekly | CMA_0461 - Review administrator assignments weekly | Manual, Disabled | 1.1.0 |
Review and update configuration management policies and procedures | CMA_C1175 - Review and update configuration management policies and procedures | Manual, Disabled | 1.1.0 |
Review and update contingency planning policies and procedures | CMA_C1243 - Review and update contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
Review and update incident response policies and procedures | CMA_C1352 - Review and update incident response policies and procedures | Manual, Disabled | 1.1.0 |
Review and update information integrity policies and procedures | CMA_C1667 - Review and update information integrity policies and procedures | Manual, Disabled | 1.1.0 |
Review and update media protection policies and procedures | CMA_C1427 - Review and update media protection policies and procedures | Manual, Disabled | 1.1.0 |
Review and update personnel security policies and procedures | CMA_C1507 - Review and update personnel security policies and procedures | Manual, Disabled | 1.1.0 |
Review and update physical and environmental policies and procedures | CMA_C1446 - Review and update physical and environmental policies and procedures | Manual, Disabled | 1.1.0 |
Review and update planning policies and procedures | CMA_C1491 - Review and update planning policies and procedures | Manual, Disabled | 1.1.0 |
Review and update risk assessment policies and procedures | CMA_C1537 - Review and update risk assessment policies and procedures | Manual, Disabled | 1.1.0 |
Review and update system and communications protection policies and procedures | CMA_C1616 - Review and update system and communications protection policies and procedures | Manual, Disabled | 1.1.0 |
Review and update system and services acquisition policies and procedures | CMA_C1560 - Review and update system and services acquisition policies and procedures | Manual, Disabled | 1.1.0 |
Review and update system maintenance policies and procedures | CMA_C1395 - Review and update system maintenance policies and procedures | Manual, Disabled | 1.1.0 |
Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
Review cloud identity report overview | CMA_0468 - Review cloud identity report overview | Manual, Disabled | 1.1.0 |
Review controlled folder access events | CMA_0471 - Review controlled folder access events | Manual, Disabled | 1.1.0 |
Review file and folder activity | CMA_0473 - Review file and folder activity | Manual, Disabled | 1.1.0 |
Review role group changes weekly | CMA_0476 - Review role group changes weekly | Manual, Disabled | 1.1.0 |
Review security assessment and authorization policies and procedures | CMA_C1143 - Review security assessment and authorization policies and procedures | Manual, Disabled | 1.1.0 |
Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
Turn on sensors for endpoint security solution | CMA_0514 - Turn on sensors for endpoint security solution | Manual, Disabled | 1.1.0 |
Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
Update privacy plan, policies, and procedures | CMA_C1807 - Update privacy plan, policies, and procedures | Manual, Disabled | 1.1.0 |
Verify security controls for external information systems | CMA_0541 - Verify security controls for external information systems | Manual, Disabled | 1.1.0 |
View and investigate restricted users | CMA_0545 - View and investigate restricted users | Manual, Disabled | 1.1.0 |
Organizational framework
ID: ENS v1 org.3 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Assess Security Controls | CMA_C1145 - Assess Security Controls | Manual, Disabled | 1.1.0 |
Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0 |
Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
Define and document government oversight | CMA_C1587 - Define and document government oversight | Manual, Disabled | 1.1.0 |
Define mobile device requirements | CMA_0122 - Define mobile device requirements | Manual, Disabled | 1.1.0 |
Deliver security assessment results | CMA_C1147 - Deliver security assessment results | Manual, Disabled | 1.1.0 |
Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
Develop access control policies and procedures | CMA_0144 - Develop access control policies and procedures | Manual, Disabled | 1.1.0 |
Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
Develop audit and accountability policies and procedures | CMA_0154 - Develop audit and accountability policies and procedures | Manual, Disabled | 1.1.0 |
Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Manual, Disabled | 1.1.0 |
Develop organization code of conduct policy | CMA_0159 - Develop organization code of conduct policy | Manual, Disabled | 1.1.0 |
Develop security assessment plan | CMA_C1144 - Develop security assessment plan | Manual, Disabled | 1.1.0 |
Develop security safeguards | CMA_0161 - Develop security safeguards | Manual, Disabled | 1.1.0 |
Distribute information system documentation | CMA_C1584 - Distribute information system documentation | Manual, Disabled | 1.1.0 |
Document and implement wireless access guidelines | CMA_0190 - Document and implement wireless access guidelines | Manual, Disabled | 1.1.0 |
Document customer-defined actions | CMA_C1582 - Document customer-defined actions | Manual, Disabled | 1.1.0 |
Document mobility training | CMA_0191 - Document mobility training | Manual, Disabled | 1.1.0 |
Document organizational access agreements | CMA_0192 - Document organizational access agreements | Manual, Disabled | 1.1.0 |
Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
Document remote access guidelines | CMA_0196 - Document remote access guidelines | Manual, Disabled | 1.1.0 |
Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
Employ flow control mechanisms of encrypted information | CMA_0211 - Employ flow control mechanisms of encrypted information | Manual, Disabled | 1.1.0 |
Employ independent team for penetration testing | CMA_C1171 - Employ independent team for penetration testing | Manual, Disabled | 1.1.0 |
Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Ensure access agreements are signed or resigned timely | CMA_C1528 - Ensure access agreements are signed or resigned timely | Manual, Disabled | 1.1.0 |
Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
Establish terms and conditions for accessing resources | CMA_C1076 - Establish terms and conditions for accessing resources | Manual, Disabled | 1.1.0 |
Establish terms and conditions for processing resources | CMA_C1077 - Establish terms and conditions for processing resources | Manual, Disabled | 1.1.0 |
Explicitly notify use of collaborative computing devices | CMA_C1649 - Explicitly notify use of collaborative computing devices | Manual, Disabled | 1.1.1 |
Govern policies and procedures | CMA_0292 - Govern policies and procedures | Manual, Disabled | 1.1.0 |
Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
Identify external service providers | CMA_C1591 - Identify external service providers | Manual, Disabled | 1.1.0 |
Implement a fault tolerant name/address service | CMA_0305 - Implement a fault tolerant name/address service | Manual, Disabled | 1.1.0 |
Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Manual, Disabled | 1.1.0 |
Implement managed interface for each external service | CMA_C1626 - Implement managed interface for each external service | Manual, Disabled | 1.1.0 |
Implement privacy notice delivery methods | CMA_0324 - Implement privacy notice delivery methods | Manual, Disabled | 1.1.0 |
Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
Information flow control using security policy filters | CMA_C1029 - Information flow control using security policy filters | Manual, Disabled | 1.1.0 |
Manage contacts for authorities and special interest groups | CMA_0359 - Manage contacts for authorities and special interest groups | Manual, Disabled | 1.1.0 |
Obtain Admin documentation | CMA_C1580 - Obtain Admin documentation | Manual, Disabled | 1.1.0 |
Obtain consent prior to collection or processing of personal data | CMA_0385 - Obtain consent prior to collection or processing of personal data | Manual, Disabled | 1.1.0 |
Obtain user security function documentation | CMA_C1581 - Obtain user security function documentation | Manual, Disabled | 1.1.0 |
Produce Security Assessment report | CMA_C1146 - Produce Security Assessment report | Manual, Disabled | 1.1.0 |
Produce, control and distribute asymmetric cryptographic keys | CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys | Manual, Disabled | 1.1.0 |
Prohibit remote activation of collaborative computing devices | CMA_C1648 - Prohibit remote activation of collaborative computing devices | Manual, Disabled | 1.1.0 |
Prohibit unfair practices | CMA_0396 - Prohibit unfair practices | Manual, Disabled | 1.1.0 |
Protect administrator and user documentation | CMA_C1583 - Protect administrator and user documentation | Manual, Disabled | 1.1.0 |
Protect wireless access | CMA_0411 - Protect wireless access | Manual, Disabled | 1.1.0 |
Provide privacy notice | CMA_0414 - Provide privacy notice | Manual, Disabled | 1.1.0 |
Provide secure name and address resolution services | CMA_0416 - Provide secure name and address resolution services | Manual, Disabled | 1.1.0 |
Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0 |
Require interconnection security agreements | CMA_C1151 - Require interconnection security agreements | Manual, Disabled | 1.1.0 |
Require users to sign access agreement | CMA_0440 - Require users to sign access agreement | Manual, Disabled | 1.1.0 |
Review access control policies and procedures | CMA_0457 - Review access control policies and procedures | Manual, Disabled | 1.1.0 |
Review and sign revised rules of behavior | CMA_0465 - Review and sign revised rules of behavior | Manual, Disabled | 1.1.0 |
Review and update configuration management policies and procedures | CMA_C1175 - Review and update configuration management policies and procedures | Manual, Disabled | 1.1.0 |
Review and update contingency planning policies and procedures | CMA_C1243 - Review and update contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
Review and update incident response policies and procedures | CMA_C1352 - Review and update incident response policies and procedures | Manual, Disabled | 1.1.0 |
Review and update information integrity policies and procedures | CMA_C1667 - Review and update information integrity policies and procedures | Manual, Disabled | 1.1.0 |
Review and update media protection policies and procedures | CMA_C1427 - Review and update media protection policies and procedures | Manual, Disabled | 1.1.0 |
Review and update personnel security policies and procedures | CMA_C1507 - Review and update personnel security policies and procedures | Manual, Disabled | 1.1.0 |
Review and update physical and environmental policies and procedures | CMA_C1446 - Review and update physical and environmental policies and procedures | Manual, Disabled | 1.1.0 |
Review and update planning policies and procedures | CMA_C1491 - Review and update planning policies and procedures | Manual, Disabled | 1.1.0 |
Review and update risk assessment policies and procedures | CMA_C1537 - Review and update risk assessment policies and procedures | Manual, Disabled | 1.1.0 |
Review and update system and communications protection policies and procedures | CMA_C1616 - Review and update system and communications protection policies and procedures | Manual, Disabled | 1.1.0 |
Review and update system and services acquisition policies and procedures | CMA_C1560 - Review and update system and services acquisition policies and procedures | Manual, Disabled | 1.1.0 |
Review and update system maintenance policies and procedures | CMA_C1395 - Review and update system maintenance policies and procedures | Manual, Disabled | 1.1.0 |
Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Manual, Disabled | 1.1.0 |
Review security assessment and authorization policies and procedures | CMA_C1143 - Review security assessment and authorization policies and procedures | Manual, Disabled | 1.1.0 |
Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
Update interconnection security agreements | CMA_0519 - Update interconnection security agreements | Manual, Disabled | 1.1.0 |
Update organizational access agreements | CMA_0520 - Update organizational access agreements | Manual, Disabled | 1.1.0 |
Update rules of behavior and access agreements | CMA_0521 - Update rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Update rules of behavior and access agreements every 3 years | CMA_0522 - Update rules of behavior and access agreements every 3 years | Manual, Disabled | 1.1.0 |
Verify security controls for external information systems | CMA_0541 - Verify security controls for external information systems | Manual, Disabled | 1.1.0 |
Organizational framework
ID: ENS v1 org.4 Ownership: Customer
Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Address coding vulnerabilities | CMA_0003 - Address coding vulnerabilities | Manual, Disabled | 1.1.0 |
All network ports should be restricted on network security groups associated to your virtual machine | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | AuditIfNotExists, Disabled | 3.0.0 |
Appoint a senior information security officer | CMA_C1733 - Appoint a senior information security officer | Manual, Disabled | 1.1.0 |
Automate approval request for proposed changes | CMA_C1192 - Automate approval request for proposed changes | Manual, Disabled | 1.1.0 |
Automate implementation of approved change notifications | CMA_C1196 - Automate implementation of approved change notifications | Manual, Disabled | 1.1.0 |
Automate process to document implemented changes | CMA_C1195 - Automate process to document implemented changes | Manual, Disabled | 1.1.0 |
Automate process to highlight unreviewed change proposals | CMA_C1193 - Automate process to highlight unreviewed change proposals | Manual, Disabled | 1.1.0 |
Automate process to prohibit implementation of unapproved changes | CMA_C1194 - Automate process to prohibit implementation of unapproved changes | Manual, Disabled | 1.1.0 |
Automate proposed documented changes | CMA_C1191 - Automate proposed documented changes | Manual, Disabled | 1.1.0 |
Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
Communicate contingency plan changes | CMA_C1249 - Communicate contingency plan changes | Manual, Disabled | 1.1.0 |
Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
Control use of portable storage devices | CMA_0083 - Control use of portable storage devices | Manual, Disabled | 1.1.0 |
Create configuration plan protection | CMA_C1233 - Create configuration plan protection | Manual, Disabled | 1.1.0 |
Define and document government oversight | CMA_C1587 - Define and document government oversight | Manual, Disabled | 1.1.0 |
Define information security roles and responsibilities | CMA_C1565 - Define information security roles and responsibilities | Manual, Disabled | 1.1.0 |
Define mobile device requirements | CMA_0122 - Define mobile device requirements | Manual, Disabled | 1.1.0 |
Designate individuals to fulfill specific roles and responsibilities | CMA_C1747 - Designate individuals to fulfill specific roles and responsibilities | Manual, Disabled | 1.1.0 |
Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
Develop access control policies and procedures | CMA_0144 - Develop access control policies and procedures | Manual, Disabled | 1.1.0 |
Develop and document a business continuity and disaster recovery plan | CMA_0146 - Develop and document a business continuity and disaster recovery plan | Manual, Disabled | 1.1.0 |
Develop and document application security requirements | CMA_0148 - Develop and document application security requirements | Manual, Disabled | 1.1.0 |
Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Manual, Disabled | 1.1.0 |
Develop and maintain baseline configurations | CMA_0153 - Develop and maintain baseline configurations | Manual, Disabled | 1.1.0 |
Develop audit and accountability policies and procedures | CMA_0154 - Develop audit and accountability policies and procedures | Manual, Disabled | 1.1.0 |
Develop configuration item identification plan | CMA_C1231 - Develop configuration item identification plan | Manual, Disabled | 1.1.0 |
Develop configuration management plan | CMA_C1232 - Develop configuration management plan | Manual, Disabled | 1.1.0 |
Develop contingency plan | CMA_C1244 - Develop contingency plan | Manual, Disabled | 1.1.0 |
Develop contingency planning policies and procedures | CMA_0156 - Develop contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Manual, Disabled | 1.1.0 |
Distribute policies and procedures | CMA_0185 - Distribute policies and procedures | Manual, Disabled | 1.1.0 |
Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
Document and implement privacy complaint procedures | CMA_0189 - Document and implement privacy complaint procedures | Manual, Disabled | 1.1.0 |
Document and implement wireless access guidelines | CMA_0190 - Document and implement wireless access guidelines | Manual, Disabled | 1.1.0 |
Document mobility training | CMA_0191 - Document mobility training | Manual, Disabled | 1.1.0 |
Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
Document remote access guidelines | CMA_0196 - Document remote access guidelines | Manual, Disabled | 1.1.0 |
Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
Document third-party personnel security requirements | CMA_C1531 - Document third-party personnel security requirements | Manual, Disabled | 1.1.0 |
Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
Employ boundary protection to isolate information systems | CMA_C1639 - Employ boundary protection to isolate information systems | Manual, Disabled | 1.1.0 |
Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
Ensure privacy program information is publicly available | CMA_C1867 - Ensure privacy program information is publicly available | Manual, Disabled | 1.1.0 |
Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
Establish a secure software development program | CMA_0259 - Establish a secure software development program | Manual, Disabled | 1.1.0 |
Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Manual, Disabled | 1.1.0 |
Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
Establish electronic signature and certificate requirements | CMA_0271 - Establish electronic signature and certificate requirements | Manual, Disabled | 1.1.0 |
Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
Establish terms and conditions for accessing resources | CMA_C1076 - Establish terms and conditions for accessing resources | Manual, Disabled | 1.1.0 |
Establish terms and conditions for processing resources | CMA_C1077 - Establish terms and conditions for processing resources | Manual, Disabled | 1.1.0 |
Establish third-party personnel security requirements | CMA_C1529 - Establish third-party personnel security requirements | Manual, Disabled | 1.1.0 |
Govern compliance of cloud service providers | CMA_0290 - Govern compliance of cloud service providers | Manual, Disabled | 1.1.0 |
Govern policies and procedures | CMA_0292 - Govern policies and procedures | Manual, Disabled | 1.1.0 |
Identify and authenticate network devices | CMA_0296 - Identify and authenticate network devices | Manual, Disabled | 1.1.0 |
Identify individuals with security roles and responsibilities | CMA_C1566 - Identify individuals with security roles and responsibilities | Manual, Disabled | 1.1.1 |
Implement a fault tolerant name/address service | CMA_0305 - Implement a fault tolerant name/address service | Manual, Disabled | 1.1.0 |
Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Manual, Disabled | 1.1.0 |
Implement managed interface for each external service | CMA_C1626 - Implement managed interface for each external service | Manual, Disabled | 1.1.0 |
Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
Integrate risk management process into SDLC | CMA_C1567 - Integrate risk management process into SDLC | Manual, Disabled | 1.1.0 |
Manage security state of information systems | CMA_C1746 - Manage security state of information systems | Manual, Disabled | 1.1.0 |
Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Manual, Disabled | 1.1.0 |
Monitor third-party provider compliance | CMA_C1533 - Monitor third-party provider compliance | Manual, Disabled | 1.1.0 |
Notify users of system logon or access | CMA_0382 - Notify users of system logon or access | Manual, Disabled | 1.1.0 |
Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
Plan for resumption of essential business functions | CMA_C1253 - Plan for resumption of essential business functions | Manual, Disabled | 1.1.0 |
Prevent split tunneling for remote devices | CMA_C1632 - Prevent split tunneling for remote devices | Manual, Disabled | 1.1.0 |
Protect the information security program plan | CMA_C1732 - Protect the information security program plan | Manual, Disabled | 1.1.0 |
Protect wireless access | CMA_0411 - Protect wireless access | Manual, Disabled | 1.1.0 |
Provide secure name and address resolution services | CMA_0416 - Provide secure name and address resolution services | Manual, Disabled | 1.1.0 |
Reauthenticate or terminate a user session | CMA_0421 - Reauthenticate or terminate a user session | Manual, Disabled | 1.1.0 |
Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
Require developers to document approved changes and potential impact | CMA_C1597 - Require developers to document approved changes and potential impact | Manual, Disabled | 1.1.0 |
Require developers to implement only approved changes | CMA_C1596 - Require developers to implement only approved changes | Manual, Disabled | 1.1.0 |
Require developers to manage change integrity | CMA_C1595 - Require developers to manage change integrity | Manual, Disabled | 1.1.0 |
Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0 |
Require interconnection security agreements | CMA_C1151 - Require interconnection security agreements | Manual, Disabled | 1.1.0 |
Require notification of third-party personnel transfer or termination | CMA_C1532 - Require notification of third-party personnel transfer or termination | Manual, Disabled | 1.1.0 |
Require third-party providers to comply with personnel security policies and procedures | CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures | Manual, Disabled | 1.1.0 |
Restrict media use | CMA_0450 - Restrict media use | Manual, Disabled | 1.1.0 |
Resume all mission and business functions | CMA_C1254 - Resume all mission and business functions | Manual, Disabled | 1.1.0 |
Review access control policies and procedures | CMA_0457 - Review access control policies and procedures | Manual, Disabled | 1.1.0 |
Review and update configuration management policies and procedures | CMA_C1175 - Review and update configuration management policies and procedures | Manual, Disabled | 1.1.0 |
Review and update incident response policies and procedures | CMA_C1352 - Review and update incident response policies and procedures | Manual, Disabled | 1.1.0 |
Review and update information integrity policies and procedures | CMA_C1667 - Review and update information integrity policies and procedures | Manual, Disabled | 1.1.0 |
Review and update media protection policies and procedures | CMA_C1427 - Review and update media protection policies and procedures | Manual, Disabled | 1.1.0 |
Review and update personnel security policies and procedures | CMA_C1507 - Review and update personnel security policies and procedures | Manual, Disabled | 1.1.0 |
Review and update physical and environmental policies and procedures | CMA_C1446 - Review and update physical and environmental policies and procedures | Manual, Disabled | 1.1.0 |
Review and update planning policies and procedures | CMA_C1491 - Review and update planning policies and procedures | Manual, Disabled | 1.1.0 |
Review and update risk assessment policies and procedures | CMA_C1537 - Review and update risk assessment policies and procedures | Manual, Disabled | 1.1.0 |
Review and update system and communications protection policies and procedures | CMA_C1616 - Review and update system and communications protection policies and procedures | Manual, Disabled | 1.1.0 |
Review and update system and services acquisition policies and procedures | CMA_C1560 - Review and update system and services acquisition policies and procedures | Manual, Disabled | 1.1.0 |
Review and update system maintenance policies and procedures | CMA_C1395 - Review and update system maintenance policies and procedures | Manual, Disabled | 1.1.0 |
Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Manual, Disabled | 1.1.0 |
Review contingency plan | CMA_C1247 - Review contingency plan | Manual, Disabled | 1.1.0 |
Review security assessment and authorization policies and procedures | CMA_C1143 - Review security assessment and authorization policies and procedures | Manual, Disabled | 1.1.0 |
Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
Separate user and information system management functionality | CMA_0493 - Separate user and information system management functionality | Manual, Disabled | 1.1.0 |
Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
Update contingency plan | CMA_C1248 - Update contingency plan | Manual, Disabled | 1.1.0 |
Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
Update interconnection security agreements | CMA_0519 - Update interconnection security agreements | Manual, Disabled | 1.1.0 |
Update privacy plan, policies, and procedures | CMA_C1807 - Update privacy plan, policies, and procedures | Manual, Disabled | 1.1.0 |
Use dedicated machines for administrative tasks | CMA_0527 - Use dedicated machines for administrative tasks | Manual, Disabled | 1.1.0 |
Verify security controls for external information systems | CMA_0541 - Verify security controls for external information systems | Manual, Disabled | 1.1.0 |
View and configure system diagnostic data | CMA_0544 - View and configure system diagnostic data | Manual, Disabled | 1.1.0 |
Next steps
Additional articles about Azure Policy:
- Regulatory Compliance overview.
- See the initiative definition structure.
- Review other examples at Azure Policy samples.
- Review Understanding policy effects.
- Learn how to remediate non-compliant resources.