Details of the HIPAA HITRUST 9.2 Regulatory Compliance built-in initiative

The following article details how the Azure Policy Regulatory Compliance built-in initiative definition maps to compliance domains and controls in HIPAA HITRUST 9.2. For more information about this compliance standard, see HIPAA HITRUST 9.2. To understand Ownership, review the policy type and Shared responsibility in the cloud.

The following mappings are to the HIPAA HITRUST 9.2 controls. Many of the controls are implemented with an Azure Policy initiative definition. To review the complete initiative definition, open Policy in the Azure portal and select the Definitions page. Then, find and select the HITRUST/HIPAA Regulatory Compliance built-in initiative definition.

Important

Each control below is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, there often is not a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policy definitions themselves; this doesn't ensure you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between compliance domains, controls, and Azure Policy definitions for this compliance standard may change over time. To view the change history, see the GitHub Commit History.

Privilege Management

The organization facilitates information sharing by enabling authorized users to determine a business partner's access when discretion is allowed as defined by the organization and by employing manual processes or automated mechanisms to assist users in making information sharing/collaboration decisions.

ID: 1149.01c2System.9 - 01.c Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Role-Based Access Control (RBAC) should be used on Kubernetes Services To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. Audit, Disabled 1.0.4

Contractors are provided with minimal system and physical access only after the organization assesses the contractor's ability to comply with its security requirements and the contractor agrees to comply.

ID: 1154.01c3System.4 - 01.c Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
A maximum of 3 owners should be designated for your subscription It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. AuditIfNotExists, Disabled 3.0.0

User Authentication for External Connections

Remote access by vendors and business partners (e.g., for remote maintenance) is disabled/deactivated when not in use.

ID: 1117.01j1Organizational.23 - 01.j Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Accounts with write permissions on Azure resources should be MFA enabled Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 1.0.0

If encryption is not used for dial-up connections, the CIO or his/her designated representative provides specific written authorization.

ID: 1173.01j1Organizational.6 - 01.j Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Accounts with write permissions on Azure resources should be MFA enabled Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 1.0.0

The organization protects wireless access to systems containing sensitive information by authenticating both users and devices.

ID: 1174.01j1Organizational.7 - 01.j Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Accounts with read permissions on Azure resources should be MFA enabled Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 1.0.0

The organization requires a callback capability with re-authentication to verify dial-up connections from authorized locations.

ID: 1176.01j2Organizational.5 - 01.j Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Accounts with owner permissions on Azure resources should be MFA enabled Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 1.0.0

User IDs assigned to vendors are reviewed in accordance with the organization's access review policy, at a minimum annually.

ID: 1177.01j2Organizational.6 - 01.j Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Accounts with write permissions on Azure resources should be MFA enabled Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 1.0.0

User Identification and Authentication

Non-organizational users (all information system users other than organizational users, such as patients, customers, contractors, or foreign nationals), or processes acting on behalf of non-organizational users, determined to need access to information residing on the organization's information systems, are uniquely identified and authenticated.

ID: 11110.01q1Organizational.6 - 01.q Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Accounts with write permissions on Azure resources should be MFA enabled Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 1.0.0

The organization requires that electronic signatures, unique to one individual, cannot be reused by, or reassigned to, anyone else.

ID: 11208.01q1Organizational.8 - 01.q Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
There should be more than one owner assigned to your subscription It is recommended to designate more than one subscription owner in order to have administrator access redundancy. AuditIfNotExists, Disabled 3.0.0

Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records.

ID: 11210.01q2Organizational.10 - 01.q Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit Windows machines that have the specified members in the Administrators group Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter. auditIfNotExists 2.0.0

Signed electronic records shall contain information associated with the signing in human-readable format.

ID: 11211.01q2Organizational.11 - 01.q Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit Windows machines missing any of specified members in the Administrators group Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group does not contain one or more members that are listed in the policy parameter. auditIfNotExists 2.0.0

01 Information Protection Program

0101.00a1Organizational.123-00.a 0.01 Information Security Management Program

ID: 0101.00a1Organizational.123-00.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop a concept of operations (CONOPS) CMA_0141 - Develop a concept of operations (CONOPS) Manual, Disabled 1.1.0
Establish an information security program CMA_0263 - Establish an information security program Manual, Disabled 1.1.0
Protect the information security program plan CMA_C1732 - Protect the information security program plan Manual, Disabled 1.1.0
Review and update the information security architecture CMA_C1504 - Review and update the information security architecture Manual, Disabled 1.1.0
Update information security policies CMA_0518 - Update information security policies Manual, Disabled 1.1.0

0102.00a2Organizational.123-00.a 0.01 Information Security Management Program

ID: 0102.00a2Organizational.123-00.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Establish an information security program CMA_0263 - Establish an information security program Manual, Disabled 1.1.0
Review and update the information security architecture CMA_C1504 - Review and update the information security architecture Manual, Disabled 1.1.0
Update information security policies CMA_0518 - Update information security policies Manual, Disabled 1.1.0

0103.00a3Organizational.1234567-00.a 0.01 Information Security Management Program

ID: 0103.00a3Organizational.1234567-00.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop and establish a system security plan CMA_0151 - Develop and establish a system security plan Manual, Disabled 1.1.0
Establish security requirements for the manufacturing of connected devices CMA_0279 - Establish security requirements for the manufacturing of connected devices Manual, Disabled 1.1.0
Implement security engineering principles of information systems CMA_0325 - Implement security engineering principles of information systems Manual, Disabled 1.1.0

0104.02a1Organizational.12-02.a 02.01 Prior to Employment

ID: 0104.02a1Organizational.12-02.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define information security roles and responsibilities CMA_C1565 - Define information security roles and responsibilities Manual, Disabled 1.1.0
Develop acceptable use policies and procedures CMA_0143 - Develop acceptable use policies and procedures Manual, Disabled 1.1.0
Develop organization code of conduct policy CMA_0159 - Develop organization code of conduct policy Manual, Disabled 1.1.0
Document personnel acceptance of privacy requirements CMA_0193 - Document personnel acceptance of privacy requirements Manual, Disabled 1.1.0
Enforce rules of behavior and access agreements CMA_0248 - Enforce rules of behavior and access agreements Manual, Disabled 1.1.0
Identify individuals with security roles and responsibilities CMA_C1566 - Identify individuals with security roles and responsibilities Manual, Disabled 1.1.1
Prohibit unfair practices CMA_0396 - Prohibit unfair practices Manual, Disabled 1.1.0
Provide periodic role-based security training CMA_C1095 - Provide periodic role-based security training Manual, Disabled 1.1.0
Provide role-based security training CMA_C1094 - Provide role-based security training Manual, Disabled 1.1.0
Provide security training before providing access CMA_0418 - Provide security training before providing access Manual, Disabled 1.1.0
Review and sign revised rules of behavior CMA_0465 - Review and sign revised rules of behavior Manual, Disabled 1.1.0
Update information security policies CMA_0518 - Update information security policies Manual, Disabled 1.1.0
Update rules of behavior and access agreements CMA_0521 - Update rules of behavior and access agreements Manual, Disabled 1.1.0
Update rules of behavior and access agreements every 3 years CMA_0522 - Update rules of behavior and access agreements every 3 years Manual, Disabled 1.1.0

0105.02a2Organizational.1-02.a 02.01 Prior to Employment

ID: 0105.02a2Organizational.1-02.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Assign risk designations CMA_0016 - Assign risk designations Manual, Disabled 1.1.0
Clear personnel with access to classified information CMA_0054 - Clear personnel with access to classified information Manual, Disabled 1.1.0
Implement personnel screening CMA_0322 - Implement personnel screening Manual, Disabled 1.1.0
Monitor third-party provider compliance CMA_C1533 - Monitor third-party provider compliance Manual, Disabled 1.1.0
Protect special information CMA_0409 - Protect special information Manual, Disabled 1.1.0
Rescreen individuals at a defined frequency CMA_C1512 - Rescreen individuals at a defined frequency Manual, Disabled 1.1.0

0106.02a2Organizational.23-02.a 02.01 Prior to Employment

ID: 0106.02a2Organizational.23-02.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Clear personnel with access to classified information CMA_0054 - Clear personnel with access to classified information Manual, Disabled 1.1.0
Implement personnel screening CMA_0322 - Implement personnel screening Manual, Disabled 1.1.0
Protect special information CMA_0409 - Protect special information Manual, Disabled 1.1.0
Rescreen individuals at a defined frequency CMA_C1512 - Rescreen individuals at a defined frequency Manual, Disabled 1.1.0

0107.02d1Organizational.1-02.d 02.03 During Employment

ID: 0107.02d1Organizational.1-02.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Establish information security workforce development and improvement program CMA_C1752 - Establish information security workforce development and improvement program Manual, Disabled 1.1.0

0108.02d1Organizational.23-02.d 02.03 During Employment

ID: 0108.02d1Organizational.23-02.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Document security and privacy training activities CMA_0198 - Document security and privacy training activities Manual, Disabled 1.1.0
Implement security testing, training, and monitoring plans CMA_C1753 - Implement security testing, training, and monitoring plans Manual, Disabled 1.1.0
Monitor security and privacy training completion CMA_0379 - Monitor security and privacy training completion Manual, Disabled 1.1.0
Provide periodic role-based security training CMA_C1095 - Provide periodic role-based security training Manual, Disabled 1.1.0
Provide security training before providing access CMA_0418 - Provide security training before providing access Manual, Disabled 1.1.0
Require developers to provide training CMA_C1611 - Require developers to provide training Manual, Disabled 1.1.0
Retain training records CMA_0456 - Retain training records Manual, Disabled 1.1.0
Review security testing, training, and monitoring plans CMA_C1754 - Review security testing, training, and monitoring plans Manual, Disabled 1.1.0

0109.02d1Organizational.4-02.d 02.03 During Employment

ID: 0109.02d1Organizational.4-02.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop acceptable use policies and procedures CMA_0143 - Develop acceptable use policies and procedures Manual, Disabled 1.1.0
Develop organization code of conduct policy CMA_0159 - Develop organization code of conduct policy Manual, Disabled 1.1.0
Document personnel acceptance of privacy requirements CMA_0193 - Document personnel acceptance of privacy requirements Manual, Disabled 1.1.0
Enforce rules of behavior and access agreements CMA_0248 - Enforce rules of behavior and access agreements Manual, Disabled 1.1.0
Implement formal sanctions process CMA_0317 - Implement formal sanctions process Manual, Disabled 1.1.0
Notify personnel upon sanctions CMA_0380 - Notify personnel upon sanctions Manual, Disabled 1.1.0
Prohibit unfair practices CMA_0396 - Prohibit unfair practices Manual, Disabled 1.1.0
Provide periodic role-based security training CMA_C1095 - Provide periodic role-based security training Manual, Disabled 1.1.0
Provide periodic security awareness training CMA_C1091 - Provide periodic security awareness training Manual, Disabled 1.1.0
Provide role-based practical exercises CMA_C1096 - Provide role-based practical exercises Manual, Disabled 1.1.0
Provide role-based security training CMA_C1094 - Provide role-based security training Manual, Disabled 1.1.0
Provide role-based training on suspicious activities CMA_C1097 - Provide role-based training on suspicious activities Manual, Disabled 1.1.0
Provide security awareness training for insider threats CMA_0417 - Provide security awareness training for insider threats Manual, Disabled 1.1.0
Provide security training before providing access CMA_0418 - Provide security training before providing access Manual, Disabled 1.1.0
Provide security training for new users CMA_0419 - Provide security training for new users Manual, Disabled 1.1.0
Provide updated security awareness training CMA_C1090 - Provide updated security awareness training Manual, Disabled 1.1.0
Review and sign revised rules of behavior CMA_0465 - Review and sign revised rules of behavior Manual, Disabled 1.1.0
Update information security policies CMA_0518 - Update information security policies Manual, Disabled 1.1.0
Update rules of behavior and access agreements CMA_0521 - Update rules of behavior and access agreements Manual, Disabled 1.1.0
Update rules of behavior and access agreements every 3 years CMA_0522 - Update rules of behavior and access agreements every 3 years Manual, Disabled 1.1.0

0110.02d2Organizational.1-02.d 02.03 During Employment

ID: 0110.02d2Organizational.1-02.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Appoint a senior information security officer CMA_C1733 - Appoint a senior information security officer Manual, Disabled 1.1.0
Establish information security workforce development and improvement program CMA_C1752 - Establish information security workforce development and improvement program Manual, Disabled 1.1.0

0111.02d2Organizational.2-02.d 02.03 During Employment

ID: 0111.02d2Organizational.2-02.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Document third-party personnel security requirements CMA_C1531 - Document third-party personnel security requirements Manual, Disabled 1.1.0
Establish third-party personnel security requirements CMA_C1529 - Establish third-party personnel security requirements Manual, Disabled 1.1.0
Monitor third-party provider compliance CMA_C1533 - Monitor third-party provider compliance Manual, Disabled 1.1.0
Provide periodic security awareness training CMA_C1091 - Provide periodic security awareness training Manual, Disabled 1.1.0
Provide security awareness training for insider threats CMA_0417 - Provide security awareness training for insider threats Manual, Disabled 1.1.0
Provide security training for new users CMA_0419 - Provide security training for new users Manual, Disabled 1.1.0
Provide updated security awareness training CMA_C1090 - Provide updated security awareness training Manual, Disabled 1.1.0
Require notification of third-party personnel transfer or termination CMA_C1532 - Require notification of third-party personnel transfer or termination Manual, Disabled 1.1.0
Require third-party providers to comply with personnel security policies and procedures CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures Manual, Disabled 1.1.0

01110.05a1Organizational.5-05.a 05.01 Internal Organization

ID: 01110.05a1Organizational.5-05.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Appoint a senior information security officer CMA_C1733 - Appoint a senior information security officer Manual, Disabled 1.1.0
Document third-party personnel security requirements CMA_C1531 - Document third-party personnel security requirements Manual, Disabled 1.1.0
Establish third-party personnel security requirements CMA_C1529 - Establish third-party personnel security requirements Manual, Disabled 1.1.0
Require third-party providers to comply with personnel security policies and procedures CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures Manual, Disabled 1.1.0

01111.05a2Organizational.5-05.a 05.01 Internal Organization

ID: 01111.05a2Organizational.5-05.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Appoint a senior information security officer CMA_C1733 - Appoint a senior information security officer Manual, Disabled 1.1.0

0112.02d2Organizational.3-02.d 02.03 During Employment

ID: 0112.02d2Organizational.3-02.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop acceptable use policies and procedures CMA_0143 - Develop acceptable use policies and procedures Manual, Disabled 1.1.0
Enforce appropriate usage of all accounts CMA_C1023 - Enforce appropriate usage of all accounts Manual, Disabled 1.1.0
Enforce rules of behavior and access agreements CMA_0248 - Enforce rules of behavior and access agreements Manual, Disabled 1.1.0
Establish usage restrictions for mobile code technologies CMA_C1652 - Establish usage restrictions for mobile code technologies Manual, Disabled 1.1.0
Monitor account activity CMA_0377 - Monitor account activity Manual, Disabled 1.1.0
Require compliance with intellectual property rights CMA_0432 - Require compliance with intellectual property rights Manual, Disabled 1.1.0
Track software license usage CMA_C1235 - Track software license usage Manual, Disabled 1.1.0

0113.04a1Organizational.123-04.a 04.01 Information Security Policy

ID: 0113.04a1Organizational.123-04.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Establish an information security program CMA_0263 - Establish an information security program Manual, Disabled 1.1.0
Protect the information security program plan CMA_C1732 - Protect the information security program plan Manual, Disabled 1.1.0
Update information security policies CMA_0518 - Update information security policies Manual, Disabled 1.1.0

0114.04b1Organizational.1-04.b 04.01 Information Security Policy

ID: 0114.04b1Organizational.1-04.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop audit and accountability policies and procedures CMA_0154 - Develop audit and accountability policies and procedures Manual, Disabled 1.1.0
Develop information security policies and procedures CMA_0158 - Develop information security policies and procedures Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
Establish an information security program CMA_0263 - Establish an information security program Manual, Disabled 1.1.0
Govern policies and procedures CMA_0292 - Govern policies and procedures Manual, Disabled 1.1.0
Review access control policies and procedures CMA_0457 - Review access control policies and procedures Manual, Disabled 1.1.0
Review and update system and services acquisition policies and procedures CMA_C1560 - Review and update system and services acquisition policies and procedures Manual, Disabled 1.1.0
Review and update system maintenance policies and procedures CMA_C1395 - Review and update system maintenance policies and procedures Manual, Disabled 1.1.0
Update information security policies CMA_0518 - Update information security policies Manual, Disabled 1.1.0

0115.04b2Organizational.123-04.b 04.01 Information Security Policy

ID: 0115.04b2Organizational.123-04.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop audit and accountability policies and procedures CMA_0154 - Develop audit and accountability policies and procedures Manual, Disabled 1.1.0
Develop information security policies and procedures CMA_0158 - Develop information security policies and procedures Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
Govern policies and procedures CMA_0292 - Govern policies and procedures Manual, Disabled 1.1.0
Review access control policies and procedures CMA_0457 - Review access control policies and procedures Manual, Disabled 1.1.0
Review and update configuration management policies and procedures CMA_C1175 - Review and update configuration management policies and procedures Manual, Disabled 1.1.0
Review and update contingency planning policies and procedures CMA_C1243 - Review and update contingency planning policies and procedures Manual, Disabled 1.1.0
Review and update identification and authentication policies and procedures CMA_C1299 - Review and update identification and authentication policies and procedures Manual, Disabled 1.1.0
Review and update incident response policies and procedures CMA_C1352 - Review and update incident response policies and procedures Manual, Disabled 1.1.0
Review and update information integrity policies and procedures CMA_C1667 - Review and update information integrity policies and procedures Manual, Disabled 1.1.0
Review and update media protection policies and procedures CMA_C1427 - Review and update media protection policies and procedures Manual, Disabled 1.1.0
Review and update personnel security policies and procedures CMA_C1507 - Review and update personnel security policies and procedures Manual, Disabled 1.1.0
Review and update physical and environmental policies and procedures CMA_C1446 - Review and update physical and environmental policies and procedures Manual, Disabled 1.1.0
Review and update planning policies and procedures CMA_C1491 - Review and update planning policies and procedures Manual, Disabled 1.1.0
Review and update risk assessment policies and procedures CMA_C1537 - Review and update risk assessment policies and procedures Manual, Disabled 1.1.0
Review and update system and communications protection policies and procedures CMA_C1616 - Review and update system and communications protection policies and procedures Manual, Disabled 1.1.0
Review and update system and services acquisition policies and procedures CMA_C1560 - Review and update system and services acquisition policies and procedures Manual, Disabled 1.1.0
Review and update system maintenance policies and procedures CMA_C1395 - Review and update system maintenance policies and procedures Manual, Disabled 1.1.0
Review security assessment and authorization policies and procedures CMA_C1143 - Review security assessment and authorization policies and procedures Manual, Disabled 1.1.0
Update information security policies CMA_0518 - Update information security policies Manual, Disabled 1.1.0

0116.04b3Organizational.1-04.b 04.01 Information Security Policy

ID: 0116.04b3Organizational.1-04.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Review and update configuration management policies and procedures CMA_C1175 - Review and update configuration management policies and procedures Manual, Disabled 1.1.0
Review and update information integrity policies and procedures CMA_C1667 - Review and update information integrity policies and procedures Manual, Disabled 1.1.0
Review and update planning policies and procedures CMA_C1491 - Review and update planning policies and procedures Manual, Disabled 1.1.0
Review and update system maintenance policies and procedures CMA_C1395 - Review and update system maintenance policies and procedures Manual, Disabled 1.1.0

0117.05a1Organizational.1-05.a 05.01 Internal Organization

ID: 0117.05a1Organizational.1-05.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Appoint a senior information security officer CMA_C1733 - Appoint a senior information security officer Manual, Disabled 1.1.0

0118.05a1Organizational.2-05.a 05.01 Internal Organization

ID: 0118.05a1Organizational.2-05.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Appoint a senior information security officer CMA_C1733 - Appoint a senior information security officer Manual, Disabled 1.1.0
Develop and establish a system security plan CMA_0151 - Develop and establish a system security plan Manual, Disabled 1.1.0
Establish a privacy program CMA_0257 - Establish a privacy program Manual, Disabled 1.1.0
Establish an information security program CMA_0263 - Establish an information security program Manual, Disabled 1.1.0
Establish information security workforce development and improvement program CMA_C1752 - Establish information security workforce development and improvement program Manual, Disabled 1.1.0
Establish security requirements for the manufacturing of connected devices CMA_0279 - Establish security requirements for the manufacturing of connected devices Manual, Disabled 1.1.0
Implement security engineering principles of information systems CMA_0325 - Implement security engineering principles of information systems Manual, Disabled 1.1.0
Update information security policies CMA_0518 - Update information security policies Manual, Disabled 1.1.0

0119.05a1Organizational.3-05.a 05.01 Internal Organization

ID: 0119.05a1Organizational.3-05.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop and establish a system security plan CMA_0151 - Develop and establish a system security plan Manual, Disabled 1.1.0
Develop information security policies and procedures CMA_0158 - Develop information security policies and procedures Manual, Disabled 1.1.0
Develop SSP that meets criteria CMA_C1492 - Develop SSP that meets criteria Manual, Disabled 1.1.0
Establish a privacy program CMA_0257 - Establish a privacy program Manual, Disabled 1.1.0
Establish security requirements for the manufacturing of connected devices CMA_0279 - Establish security requirements for the manufacturing of connected devices Manual, Disabled 1.1.0
Implement security engineering principles of information systems CMA_0325 - Implement security engineering principles of information systems Manual, Disabled 1.1.0

0120.05a1Organizational.4-05.a 05.01 Internal Organization

ID: 0120.05a1Organizational.4-05.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Align business objectives and IT goals CMA_0008 - Align business objectives and IT goals Manual, Disabled 1.1.0
Allocate resources in determining information system requirements CMA_C1561 - Allocate resources in determining information system requirements Manual, Disabled 1.1.0
Employ business case to record the resources required CMA_C1735 - Employ business case to record the resources required Manual, Disabled 1.1.0
Ensure capital planning and investment requests include necessary resources CMA_C1734 - Ensure capital planning and investment requests include necessary resources Manual, Disabled 1.1.0
Establish a discrete line item in budgeting documentation CMA_C1563 - Establish a discrete line item in budgeting documentation Manual, Disabled 1.1.0
Establish a privacy program CMA_0257 - Establish a privacy program Manual, Disabled 1.1.0
Govern the allocation of resources CMA_0293 - Govern the allocation of resources Manual, Disabled 1.1.0
Secure commitment from leadership CMA_0489 - Secure commitment from leadership Manual, Disabled 1.1.0

0121.05a2Organizational.12-05.a 05.01 Internal Organization

ID: 0121.05a2Organizational.12-05.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Conduct Risk Assessment CMA_C1543 - Conduct Risk Assessment Manual, Disabled 1.1.0
Conduct risk assessment and distribute its results CMA_C1544 - Conduct risk assessment and distribute its results Manual, Disabled 1.1.0
Conduct risk assessment and document its results CMA_C1542 - Conduct risk assessment and document its results Manual, Disabled 1.1.0
Establish a risk management strategy CMA_0258 - Establish a risk management strategy Manual, Disabled 1.1.0
Implement the risk management strategy CMA_C1744 - Implement the risk management strategy Manual, Disabled 1.1.0
Review and update risk assessment policies and procedures CMA_C1537 - Review and update risk assessment policies and procedures Manual, Disabled 1.1.0

0122.05a2Organizational.3-05.a 05.01 Internal Organization

ID: 0122.05a2Organizational.3-05.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define information security roles and responsibilities CMA_C1565 - Define information security roles and responsibilities Manual, Disabled 1.1.0
Identify individuals with security roles and responsibilities CMA_C1566 - Identify individuals with security roles and responsibilities Manual, Disabled 1.1.1
Provide periodic role-based security training CMA_C1095 - Provide periodic role-based security training Manual, Disabled 1.1.0
Provide role-based security training CMA_C1094 - Provide role-based security training Manual, Disabled 1.1.0
Provide security training before providing access CMA_0418 - Provide security training before providing access Manual, Disabled 1.1.0
Provide security training for new users CMA_0419 - Provide security training for new users Manual, Disabled 1.1.0

0123.05a2Organizational.4-05.a 05.01 Internal Organization

ID: 0123.05a2Organizational.4-05.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Establish a privacy program CMA_0257 - Establish a privacy program Manual, Disabled 1.1.0
Manage contacts for authorities and special interest groups CMA_0359 - Manage contacts for authorities and special interest groups Manual, Disabled 1.1.0

0124.05a3Organizational.1-05.a 05.01 Internal Organization

ID: 0124.05a3Organizational.1-05.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Appoint a senior information security officer CMA_C1733 - Appoint a senior information security officer Manual, Disabled 1.1.0
Document security and privacy training activities CMA_0198 - Document security and privacy training activities Manual, Disabled 1.1.0

0125.05a3Organizational.2-05.a 05.01 Internal Organization

ID: 0125.05a3Organizational.2-05.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Accept assessment results CMA_C1150 - Accept assessment results Manual, Disabled 1.1.0
Assess Security Controls CMA_C1145 - Assess Security Controls Manual, Disabled 1.1.0
Conduct Risk Assessment CMA_C1543 - Conduct Risk Assessment Manual, Disabled 1.1.0
Conduct risk assessment and distribute its results CMA_C1544 - Conduct risk assessment and distribute its results Manual, Disabled 1.1.0
Conduct risk assessment and document its results CMA_C1542 - Conduct risk assessment and document its results Manual, Disabled 1.1.0
Develop security assessment plan CMA_C1144 - Develop security assessment plan Manual, Disabled 1.1.0
Employ independent assessors to conduct security control assessments CMA_C1148 - Employ independent assessors to conduct security control assessments Manual, Disabled 1.1.0
Perform a risk assessment CMA_0388 - Perform a risk assessment Manual, Disabled 1.1.0

0135.02f1Organizational.56-02.f 02.03 During Employment

ID: 0135.02f1Organizational.56-02.f Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Establish information security workforce development and improvement program CMA_C1752 - Establish information security workforce development and improvement program Manual, Disabled 1.1.0
Implement formal sanctions process CMA_0317 - Implement formal sanctions process Manual, Disabled 1.1.0
Notify personnel upon sanctions CMA_0380 - Notify personnel upon sanctions Manual, Disabled 1.1.0
Require third-party providers to comply with personnel security policies and procedures CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures Manual, Disabled 1.1.0

0137.02a1Organizational.3-02.a 02.01 Prior to Employment

ID: 0137.02a1Organizational.3-02.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Review and update personnel security policies and procedures CMA_C1507 - Review and update personnel security policies and procedures Manual, Disabled 1.1.0

0162.04b1Organizational.2-04.b 04.01 Information Security Policy

ID: 0162.04b1Organizational.2-04.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop and establish a system security plan CMA_0151 - Develop and establish a system security plan Manual, Disabled 1.1.0
Establish security requirements for the manufacturing of connected devices CMA_0279 - Establish security requirements for the manufacturing of connected devices Manual, Disabled 1.1.0
Implement security engineering principles of information systems CMA_0325 - Implement security engineering principles of information systems Manual, Disabled 1.1.0
Review and update information integrity policies and procedures CMA_C1667 - Review and update information integrity policies and procedures Manual, Disabled 1.1.0

0165.05a3Organizational.3-05.a 05.01 Internal Organization

ID: 0165.05a3Organizational.3-05.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Review and update planning policies and procedures CMA_C1491 - Review and update planning policies and procedures Manual, Disabled 1.1.0

0177.05h1Organizational.12-05.h 05.01 Internal Organization

ID: 0177.05h1Organizational.12-05.h Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Accept assessment results CMA_C1150 - Accept assessment results Manual, Disabled 1.1.0
Assess Security Controls CMA_C1145 - Assess Security Controls Manual, Disabled 1.1.0
Develop security assessment plan CMA_C1144 - Develop security assessment plan Manual, Disabled 1.1.0
Employ independent assessors to conduct security control assessments CMA_C1148 - Employ independent assessors to conduct security control assessments Manual, Disabled 1.1.0
Select additional testing for security control assessments CMA_C1149 - Select additional testing for security control assessments Manual, Disabled 1.1.0

0178.05h1Organizational.3-05.h 05.01 Internal Organization

ID: 0178.05h1Organizational.3-05.h Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Assess Security Controls CMA_C1145 - Assess Security Controls Manual, Disabled 1.1.0
Deliver security assessment results CMA_C1147 - Deliver security assessment results Manual, Disabled 1.1.0
Produce Security Assessment report CMA_C1146 - Produce Security Assessment report Manual, Disabled 1.1.0

0179.05h1Organizational.4-05.h 05.01 Internal Organization

ID: 0179.05h1Organizational.4-05.h Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop POA&M CMA_C1156 - Develop POA&M Manual, Disabled 1.1.0
Establish a risk management strategy CMA_0258 - Establish a risk management strategy Manual, Disabled 1.1.0
Implement plans of action and milestones for security program process CMA_C1737 - Implement plans of action and milestones for security program process Manual, Disabled 1.1.0

0180.05h2Organizational.1-05.h 05.01 Internal Organization

ID: 0180.05h2Organizational.1-05.h Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Assess Security Controls CMA_C1145 - Assess Security Controls Manual, Disabled 1.1.0

02 Endpoint Protection

0201.09j1Organizational.124-09.j 09.04 Protection Against Malicious and Mobile Code

ID: 0201.09j1Organizational.124-09.j Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Deploy default Microsoft IaaSAntimalware extension for Windows Server This policy deploys a Microsoft IaaSAntimalware extension with a default configuration when a VM is not configured with the antimalware extension. deployIfNotExists 1.1.0
Detect network services that have not been authorized or approved CMA_C1700 - Detect network services that have not been authorized or approved Manual, Disabled 1.1.0
Document wireless access security controls CMA_C1695 - Document wireless access security controls Manual, Disabled 1.1.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Microsoft Antimalware for Azure should be configured to automatically update protection signatures This policy audits any Windows virtual machine not configured with automatic update of Microsoft Antimalware protection signatures. AuditIfNotExists, Disabled 1.0.0
Observe and report security weaknesses CMA_0384 - Observe and report security weaknesses Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Perform threat modeling CMA_0392 - Perform threat modeling Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0
Review malware detections report weekly CMA_0475 - Review malware detections report weekly Manual, Disabled 1.1.0
Review threat protection status weekly CMA_0479 - Review threat protection status weekly Manual, Disabled 1.1.0
Update antivirus definitions CMA_0517 - Update antivirus definitions Manual, Disabled 1.1.0

0202.09j1Organizational.3-09.j 09.04 Protection Against Malicious and Mobile Code

ID: 0202.09j1Organizational.3-09.j Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adjust level of audit review, analysis, and reporting CMA_C1123 - Adjust level of audit review, analysis, and reporting Manual, Disabled 1.1.0
Correlate audit records CMA_0087 - Correlate audit records Manual, Disabled 1.1.0
Establish requirements for audit review and reporting CMA_0277 - Establish requirements for audit review and reporting Manual, Disabled 1.1.0
Govern and monitor audit processing activities CMA_0289 - Govern and monitor audit processing activities Manual, Disabled 1.1.0
Integrate Audit record analysis CMA_C1120 - Integrate Audit record analysis Manual, Disabled 1.1.0
Integrate audit review, analysis, and reporting CMA_0339 - Integrate audit review, analysis, and reporting Manual, Disabled 1.1.0
Integrate cloud app security with a siem CMA_0340 - Integrate cloud app security with a siem Manual, Disabled 1.1.0
Review account provisioning logs CMA_0460 - Review account provisioning logs Manual, Disabled 1.1.0
Review administrator assignments weekly CMA_0461 - Review administrator assignments weekly Manual, Disabled 1.1.0
Review audit data CMA_0466 - Review audit data Manual, Disabled 1.1.0
Review cloud identity report overview CMA_0468 - Review cloud identity report overview Manual, Disabled 1.1.0
Review controlled folder access events CMA_0471 - Review controlled folder access events Manual, Disabled 1.1.0
Review file and folder activity CMA_0473 - Review file and folder activity Manual, Disabled 1.1.0
Review role group changes weekly CMA_0476 - Review role group changes weekly Manual, Disabled 1.1.0
Specify permitted actions associated with customer audit information CMA_C1122 - Specify permitted actions associated with customer audit information Manual, Disabled 1.1.0

0204.09j2Organizational.1-09.j 09.04 Protection Against Malicious and Mobile Code

ID: 0204.09j2Organizational.1-09.j Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Create alternative actions for identified anomalies CMA_C1711 - Create alternative actions for identified anomalies Manual, Disabled 1.1.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Notify personnel of any failed security verification tests CMA_C1710 - Notify personnel of any failed security verification tests Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Perform security function verification at a defined frequency CMA_C1709 - Perform security function verification at a defined frequency Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Review malware detections report weekly CMA_0475 - Review malware detections report weekly Manual, Disabled 1.1.0
Review threat protection status weekly CMA_0479 - Review threat protection status weekly Manual, Disabled 1.1.0
Update antivirus definitions CMA_0517 - Update antivirus definitions Manual, Disabled 1.1.0
Verify security functions CMA_C1708 - Verify security functions Manual, Disabled 1.1.0

0205.09j2Organizational.2-09.j 09.04 Protection Against Malicious and Mobile Code

ID: 0205.09j2Organizational.2-09.j Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Alert personnel of information spillage CMA_0007 - Alert personnel of information spillage Manual, Disabled 1.1.0
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Develop an incident response plan CMA_0145 - Develop an incident response plan Manual, Disabled 1.1.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Review malware detections report weekly CMA_0475 - Review malware detections report weekly Manual, Disabled 1.1.0
Review threat protection status weekly CMA_0479 - Review threat protection status weekly Manual, Disabled 1.1.0
Set automated notifications for new and trending cloud applications in your organization CMA_0495 - Set automated notifications for new and trending cloud applications in your organization Manual, Disabled 1.1.0
Update antivirus definitions CMA_0517 - Update antivirus definitions Manual, Disabled 1.1.0

0206.09j2Organizational.34-09.j 09.04 Protection Against Malicious and Mobile Code

ID: 0206.09j2Organizational.34-09.j Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Review malware detections report weekly CMA_0475 - Review malware detections report weekly Manual, Disabled 1.1.0
Update antivirus definitions CMA_0517 - Update antivirus definitions Manual, Disabled 1.1.0

0207.09j2Organizational.56-09.j 09.04 Protection Against Malicious and Mobile Code

ID: 0207.09j2Organizational.56-09.j Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Review malware detections report weekly CMA_0475 - Review malware detections report weekly Manual, Disabled 1.1.0
Review threat protection status weekly CMA_0479 - Review threat protection status weekly Manual, Disabled 1.1.0
Update antivirus definitions CMA_0517 - Update antivirus definitions Manual, Disabled 1.1.0

0208.09j2Organizational.7-09.j 09.04 Protection Against Malicious and Mobile Code

ID: 0208.09j2Organizational.7-09.j Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authorize remote access CMA_0024 - Authorize remote access Manual, Disabled 1.1.0
Employ boundary protection to isolate information systems CMA_C1639 - Employ boundary protection to isolate information systems Manual, Disabled 1.1.0
Separate user and information system management functionality CMA_0493 - Separate user and information system management functionality Manual, Disabled 1.1.0
Use dedicated machines for administrative tasks CMA_0527 - Use dedicated machines for administrative tasks Manual, Disabled 1.1.0

0209.09m3Organizational.7-09.m 09.06 Network Security Management

ID: 0209.09m3Organizational.7-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Automate information sharing decisions CMA_0028 - Automate information sharing decisions Manual, Disabled 1.1.0
Employ automatic shutdown/restart when violations are detected CMA_C1715 - Employ automatic shutdown/restart when violations are detected Manual, Disabled 1.1.0
Facilitate information sharing CMA_0284 - Facilitate information sharing Manual, Disabled 1.1.0
Record disclosures of PII to third parties CMA_0422 - Record disclosures of PII to third parties Manual, Disabled 1.1.0
Train staff on PII sharing and its consequences CMA_C1871 - Train staff on PII sharing and its consequences Manual, Disabled 1.1.0
Verify software, firmware and information integrity CMA_0542 - Verify software, firmware and information integrity Manual, Disabled 1.1.0

0214.09j1Organizational.6-09.j 09.04 Protection Against Malicious and Mobile Code

ID: 0214.09j1Organizational.6-09.j Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Design an access control model CMA_0129 - Design an access control model Manual, Disabled 1.1.0
Employ least privilege access CMA_0212 - Employ least privilege access Manual, Disabled 1.1.0
Limit privileges to make changes in production environment CMA_C1206 - Limit privileges to make changes in production environment Manual, Disabled 1.1.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Provide periodic security awareness training CMA_C1091 - Provide periodic security awareness training Manual, Disabled 1.1.0
Provide security training for new users CMA_0419 - Provide security training for new users Manual, Disabled 1.1.0
Provide updated security awareness training CMA_C1090 - Provide updated security awareness training Manual, Disabled 1.1.0
Review malware detections report weekly CMA_0475 - Review malware detections report weekly Manual, Disabled 1.1.0
Review threat protection status weekly CMA_0479 - Review threat protection status weekly Manual, Disabled 1.1.0
Update antivirus definitions CMA_0517 - Update antivirus definitions Manual, Disabled 1.1.0

0215.09j2Organizational.8-09.j 09.04 Protection Against Malicious and Mobile Code

ID: 0215.09j2Organizational.8-09.j Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Review malware detections report weekly CMA_0475 - Review malware detections report weekly Manual, Disabled 1.1.0
Review threat protection status weekly CMA_0479 - Review threat protection status weekly Manual, Disabled 1.1.0
Update antivirus definitions CMA_0517 - Update antivirus definitions Manual, Disabled 1.1.0

0216.09j2Organizational.9-09.j 09.04 Protection Against Malicious and Mobile Code

ID: 0216.09j2Organizational.9-09.j Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Correlate audit records CMA_0087 - Correlate audit records Manual, Disabled 1.1.0
Establish requirements for audit review and reporting CMA_0277 - Establish requirements for audit review and reporting Manual, Disabled 1.1.0
Integrate audit review, analysis, and reporting CMA_0339 - Integrate audit review, analysis, and reporting Manual, Disabled 1.1.0
Integrate cloud app security with a siem CMA_0340 - Integrate cloud app security with a siem Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0
Review account provisioning logs CMA_0460 - Review account provisioning logs Manual, Disabled 1.1.0
Review administrator assignments weekly CMA_0461 - Review administrator assignments weekly Manual, Disabled 1.1.0
Review audit data CMA_0466 - Review audit data Manual, Disabled 1.1.0
Review cloud identity report overview CMA_0468 - Review cloud identity report overview Manual, Disabled 1.1.0
Review controlled folder access events CMA_0471 - Review controlled folder access events Manual, Disabled 1.1.0
Review file and folder activity CMA_0473 - Review file and folder activity Manual, Disabled 1.1.0
Review role group changes weekly CMA_0476 - Review role group changes weekly Manual, Disabled 1.1.0

0217.09j2Organizational.10-09.j 09.04 Protection Against Malicious and Mobile Code

ID: 0217.09j2Organizational.10-09.j Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit privileged functions CMA_0019 - Audit privileged functions Manual, Disabled 1.1.0
Audit user account status CMA_0020 - Audit user account status Manual, Disabled 1.1.0
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Correlate audit records CMA_0087 - Correlate audit records Manual, Disabled 1.1.0
Determine auditable events CMA_0137 - Determine auditable events Manual, Disabled 1.1.0
Establish requirements for audit review and reporting CMA_0277 - Establish requirements for audit review and reporting Manual, Disabled 1.1.0
Integrate audit review, analysis, and reporting CMA_0339 - Integrate audit review, analysis, and reporting Manual, Disabled 1.1.0
Integrate cloud app security with a siem CMA_0340 - Integrate cloud app security with a siem Manual, Disabled 1.1.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Observe and report security weaknesses CMA_0384 - Observe and report security weaknesses Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Perform threat modeling CMA_0392 - Perform threat modeling Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0
Review account provisioning logs CMA_0460 - Review account provisioning logs Manual, Disabled 1.1.0
Review administrator assignments weekly CMA_0461 - Review administrator assignments weekly Manual, Disabled 1.1.0
Review audit data CMA_0466 - Review audit data Manual, Disabled 1.1.0
Review cloud identity report overview CMA_0468 - Review cloud identity report overview Manual, Disabled 1.1.0
Review controlled folder access events CMA_0471 - Review controlled folder access events Manual, Disabled 1.1.0
Review exploit protection events CMA_0472 - Review exploit protection events Manual, Disabled 1.1.0
Review file and folder activity CMA_0473 - Review file and folder activity Manual, Disabled 1.1.0
Review malware detections report weekly CMA_0475 - Review malware detections report weekly Manual, Disabled 1.1.0
Review role group changes weekly CMA_0476 - Review role group changes weekly Manual, Disabled 1.1.0
Review threat protection status weekly CMA_0479 - Review threat protection status weekly Manual, Disabled 1.1.0
Update antivirus definitions CMA_0517 - Update antivirus definitions Manual, Disabled 1.1.0

0219.09j2Organizational.12-09.j 09.04 Protection Against Malicious and Mobile Code

ID: 0219.09j2Organizational.12-09.j Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Review malware detections report weekly CMA_0475 - Review malware detections report weekly Manual, Disabled 1.1.0
Review threat protection status weekly CMA_0479 - Review threat protection status weekly Manual, Disabled 1.1.0
Update antivirus definitions CMA_0517 - Update antivirus definitions Manual, Disabled 1.1.0

0225.09k1Organizational.1-09.k 09.04 Protection Against Malicious and Mobile Code

ID: 0225.09k1Organizational.1-09.k Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authorize, monitor, and control usage of mobile code technologies CMA_C1653 - Authorize, monitor, and control usage of mobile code technologies Manual, Disabled 1.1.0
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Define acceptable and unacceptable mobile code technologies CMA_C1651 - Define acceptable and unacceptable mobile code technologies Manual, Disabled 1.1.0
Establish usage restrictions for mobile code technologies CMA_C1652 - Establish usage restrictions for mobile code technologies Manual, Disabled 1.1.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Review malware detections report weekly CMA_0475 - Review malware detections report weekly Manual, Disabled 1.1.0
Review threat protection status weekly CMA_0479 - Review threat protection status weekly Manual, Disabled 1.1.0
Update antivirus definitions CMA_0517 - Update antivirus definitions Manual, Disabled 1.1.0

0226.09k1Organizational.2-09.k 09.04 Protection Against Malicious and Mobile Code

ID: 0226.09k1Organizational.2-09.k Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authorize, monitor, and control usage of mobile code technologies CMA_C1653 - Authorize, monitor, and control usage of mobile code technologies Manual, Disabled 1.1.0
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Define acceptable and unacceptable mobile code technologies CMA_C1651 - Define acceptable and unacceptable mobile code technologies Manual, Disabled 1.1.0
Establish usage restrictions for mobile code technologies CMA_C1652 - Establish usage restrictions for mobile code technologies Manual, Disabled 1.1.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Review malware detections report weekly CMA_0475 - Review malware detections report weekly Manual, Disabled 1.1.0
Update antivirus definitions CMA_0517 - Update antivirus definitions Manual, Disabled 1.1.0

0227.09k2Organizational.12-09.k 09.04 Protection Against Malicious and Mobile Code

ID: 0227.09k2Organizational.12-09.k Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Authorize, monitor, and control usage of mobile code technologies CMA_C1653 - Authorize, monitor, and control usage of mobile code technologies Manual, Disabled 1.1.0
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Define acceptable and unacceptable mobile code technologies CMA_C1651 - Define acceptable and unacceptable mobile code technologies Manual, Disabled 1.1.0
Define mobile device requirements CMA_0122 - Define mobile device requirements Manual, Disabled 1.1.0
Enforce logical access CMA_0245 - Enforce logical access Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
Establish usage restrictions for mobile code technologies CMA_C1652 - Establish usage restrictions for mobile code technologies Manual, Disabled 1.1.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Require approval for account creation CMA_0431 - Require approval for account creation Manual, Disabled 1.1.0
Review malware detections report weekly CMA_0475 - Review malware detections report weekly Manual, Disabled 1.1.0
Review threat protection status weekly CMA_0479 - Review threat protection status weekly Manual, Disabled 1.1.0
Review user groups and applications with access to sensitive data CMA_0481 - Review user groups and applications with access to sensitive data Manual, Disabled 1.1.0
Update antivirus definitions CMA_0517 - Update antivirus definitions Manual, Disabled 1.1.0

0228.09k2Organizational.3-09.k 09.04 Protection Against Malicious and Mobile Code

ID: 0228.09k2Organizational.3-09.k Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Automate process to highlight unreviewed change proposals CMA_C1193 - Automate process to highlight unreviewed change proposals Manual, Disabled 1.1.0
Conduct a security impact analysis CMA_0057 - Conduct a security impact analysis Manual, Disabled 1.1.0
Enforce security configuration settings CMA_0249 - Enforce security configuration settings Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Establish configuration management requirements for developers CMA_0270 - Establish configuration management requirements for developers Manual, Disabled 1.1.0
Govern compliance of cloud service providers CMA_0290 - Govern compliance of cloud service providers Manual, Disabled 1.1.0
Perform a privacy impact assessment CMA_0387 - Perform a privacy impact assessment Manual, Disabled 1.1.0
Perform audit for configuration change control CMA_0390 - Perform audit for configuration change control Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0
View and configure system diagnostic data CMA_0544 - View and configure system diagnostic data Manual, Disabled 1.1.0

03 Portable Media Security

0301.09o1Organizational.123-09.o 09.07 Media Handling

ID: 0301.09o1Organizational.123-09.o Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Control maintenance and repair activities CMA_0080 - Control maintenance and repair activities Manual, Disabled 1.1.0
Control use of portable storage devices CMA_0083 - Control use of portable storage devices Manual, Disabled 1.1.0
Define mobile device requirements CMA_0122 - Define mobile device requirements Manual, Disabled 1.1.0
Document and implement wireless access guidelines CMA_0190 - Document and implement wireless access guidelines Manual, Disabled 1.1.0
Employ a media sanitization mechanism CMA_0208 - Employ a media sanitization mechanism Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Manage nonlocal maintenance and diagnostic activities CMA_0364 - Manage nonlocal maintenance and diagnostic activities Manual, Disabled 1.1.0
Manage the transportation of assets CMA_0370 - Manage the transportation of assets Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Protect wireless access CMA_0411 - Protect wireless access Manual, Disabled 1.1.0
Restrict media use CMA_0450 - Restrict media use Manual, Disabled 1.1.0
Review and update media protection policies and procedures CMA_C1427 - Review and update media protection policies and procedures Manual, Disabled 1.1.0
Transparent Data Encryption on SQL databases should be enabled Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements AuditIfNotExists, Disabled 2.0.0

0302.09o2Organizational.1-09.o 09.07 Media Handling

ID: 0302.09o2Organizational.1-09.o Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Control use of portable storage devices CMA_0083 - Control use of portable storage devices Manual, Disabled 1.1.0
Employ a media sanitization mechanism CMA_0208 - Employ a media sanitization mechanism Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Manage the transportation of assets CMA_0370 - Manage the transportation of assets Manual, Disabled 1.1.0
Restrict media use CMA_0450 - Restrict media use Manual, Disabled 1.1.0

0303.09o2Organizational.2-09.o 09.07 Media Handling

ID: 0303.09o2Organizational.2-09.o Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Control use of portable storage devices CMA_0083 - Control use of portable storage devices Manual, Disabled 1.1.0
Employ a media sanitization mechanism CMA_0208 - Employ a media sanitization mechanism Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Manage the transportation of assets CMA_0370 - Manage the transportation of assets Manual, Disabled 1.1.0
Restrict media use CMA_0450 - Restrict media use Manual, Disabled 1.1.0

0304.09o3Organizational.1-09.o 09.07 Media Handling

ID: 0304.09o3Organizational.1-09.o Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Control use of portable storage devices CMA_0083 - Control use of portable storage devices Manual, Disabled 1.1.0
Employ a media sanitization mechanism CMA_0208 - Employ a media sanitization mechanism Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Require encryption on Data Lake Store accounts This policy ensures encryption is enabled on all Data Lake Store accounts deny 1.0.0
Restrict media use CMA_0450 - Restrict media use Manual, Disabled 1.1.0
SQL managed instances should use customer-managed keys to encrypt data at rest Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. Audit, Deny, Disabled 2.0.0
SQL servers should use customer-managed keys to encrypt data at rest Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. Audit, Deny, Disabled 2.0.1

0305.09q1Organizational.12-09.q 09.07 Media Handling

ID: 0305.09q1Organizational.12-09.q Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control maintenance and repair activities CMA_0080 - Control maintenance and repair activities Manual, Disabled 1.1.0
Control use of portable storage devices CMA_0083 - Control use of portable storage devices Manual, Disabled 1.1.0
Employ a media sanitization mechanism CMA_0208 - Employ a media sanitization mechanism Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Manage nonlocal maintenance and diagnostic activities CMA_0364 - Manage nonlocal maintenance and diagnostic activities Manual, Disabled 1.1.0
Manage the transportation of assets CMA_0370 - Manage the transportation of assets Manual, Disabled 1.1.0
Restrict media use CMA_0450 - Restrict media use Manual, Disabled 1.1.0

0306.09q1Organizational.3-09.q 09.07 Media Handling

ID: 0306.09q1Organizational.3-09.q Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Automate information sharing decisions CMA_0028 - Automate information sharing decisions Manual, Disabled 1.1.0
Ensure authorized users protect provided authenticators CMA_C1339 - Ensure authorized users protect provided authenticators Manual, Disabled 1.1.0
Ensure there are no unencrypted static authenticators CMA_C1340 - Ensure there are no unencrypted static authenticators Manual, Disabled 1.1.0
Facilitate information sharing CMA_0284 - Facilitate information sharing Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Implement training for protecting authenticators CMA_0329 - Implement training for protecting authenticators Manual, Disabled 1.1.0

0307.09q2Organizational.12-09.q 09.07 Media Handling

ID: 0307.09q2Organizational.12-09.q Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control information flow CMA_0079 - Control information flow Manual, Disabled 1.1.0
Employ flow control mechanisms of encrypted information CMA_0211 - Employ flow control mechanisms of encrypted information Manual, Disabled 1.1.0

0308.09q3Organizational.1-09.q 09.07 Media Handling

ID: 0308.09q3Organizational.1-09.q Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Employ a media sanitization mechanism CMA_0208 - Employ a media sanitization mechanism Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Manage the transportation of assets CMA_0370 - Manage the transportation of assets Manual, Disabled 1.1.0

0314.09q3Organizational.2-09.q 09.07 Media Handling

ID: 0314.09q3Organizational.2-09.q Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define a physical key management process CMA_0115 - Define a physical key management process Manual, Disabled 1.1.0
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0
Define organizational requirements for cryptographic key management CMA_0123 - Define organizational requirements for cryptographic key management Manual, Disabled 1.1.0
Determine assertion requirements CMA_0136 - Determine assertion requirements Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Issue public key certificates CMA_0347 - Issue public key certificates Manual, Disabled 1.1.0
Manage symmetric cryptographic keys CMA_0367 - Manage symmetric cryptographic keys Manual, Disabled 1.1.0
Manage the transportation of assets CMA_0370 - Manage the transportation of assets Manual, Disabled 1.1.0
Restrict access to private keys CMA_0445 - Restrict access to private keys Manual, Disabled 1.1.0

04 Mobile Device Security

0401.01x1System.124579-01.x 01.07 Mobile Computing and Teleworking

ID: 0401.01x1System.124579-01.x Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authorize, monitor, and control usage of mobile code technologies CMA_C1653 - Authorize, monitor, and control usage of mobile code technologies Manual, Disabled 1.1.0
Define acceptable and unacceptable mobile code technologies CMA_C1651 - Define acceptable and unacceptable mobile code technologies Manual, Disabled 1.1.0
Define mobile device requirements CMA_0122 - Define mobile device requirements Manual, Disabled 1.1.0
Establish usage restrictions for mobile code technologies CMA_C1652 - Establish usage restrictions for mobile code technologies Manual, Disabled 1.1.0
Implement system boundary protection CMA_0328 - Implement system boundary protection Manual, Disabled 1.1.0
Prohibit remote activation of collaborative computing devices CMA_C1648 - Prohibit remote activation of collaborative computing devices Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0

0403.01x1System.8-01.x 01.07 Mobile Computing and Teleworking

ID: 0403.01x1System.8-01.x Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define mobile device requirements CMA_0122 - Define mobile device requirements Manual, Disabled 1.1.0
Employ a media sanitization mechanism CMA_0208 - Employ a media sanitization mechanism Manual, Disabled 1.1.0
Ensure security safeguards not needed when the individuals return CMA_C1183 - Ensure security safeguards not needed when the individuals return Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Manage the transportation of assets CMA_0370 - Manage the transportation of assets Manual, Disabled 1.1.0
Not allow for information systems to accompany with individuals CMA_C1182 - Not allow for information systems to accompany with individuals Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0

0405.01y1Organizational.12345678-01.y 01.07 Mobile Computing and Teleworking

ID: 0405.01y1Organizational.12345678-01.y Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define mobile device requirements CMA_0122 - Define mobile device requirements Manual, Disabled 1.1.0

0407.01y2Organizational.1-01.y 01.07 Mobile Computing and Teleworking

ID: 0407.01y2Organizational.1-01.y Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define mobile device requirements CMA_0122 - Define mobile device requirements Manual, Disabled 1.1.0
Implement controls to secure alternate work sites CMA_0315 - Implement controls to secure alternate work sites Manual, Disabled 1.1.0

0408.01y3Organizational.12-01.y 01.07 Mobile Computing and Teleworking

ID: 0408.01y3Organizational.12-01.y Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control maintenance and repair activities CMA_0080 - Control maintenance and repair activities Manual, Disabled 1.1.0
Employ a media sanitization mechanism CMA_0208 - Employ a media sanitization mechanism Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Implement physical security for offices, working areas, and secure areas CMA_0323 - Implement physical security for offices, working areas, and secure areas Manual, Disabled 1.1.0
Manage nonlocal maintenance and diagnostic activities CMA_0364 - Manage nonlocal maintenance and diagnostic activities Manual, Disabled 1.1.0

0409.01y3Organizational.3-01.y 01.07 Mobile Computing and Teleworking

ID: 0409.01y3Organizational.3-01.y Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define mobile device requirements CMA_0122 - Define mobile device requirements Manual, Disabled 1.1.0

0410.01x1System.12-01.xMobileComputingandCommunications 01.07 Mobile Computing and Teleworking

ID: 0410.01x1System.12-01.xMobileComputingandCommunications Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define mobile device requirements CMA_0122 - Define mobile device requirements Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0

0415.01y1Organizational.10-01.y 01.07 Mobile Computing and Teleworking

ID: 0415.01y1Organizational.10-01.y Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control maintenance and repair activities CMA_0080 - Control maintenance and repair activities Manual, Disabled 1.1.0
Define mobile device requirements CMA_0122 - Define mobile device requirements Manual, Disabled 1.1.0
Employ a media sanitization mechanism CMA_0208 - Employ a media sanitization mechanism Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Manage nonlocal maintenance and diagnostic activities CMA_0364 - Manage nonlocal maintenance and diagnostic activities Manual, Disabled 1.1.0

0416.01y3Organizational.4-01.y 01.07 Mobile Computing and Teleworking

ID: 0416.01y3Organizational.4-01.y Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control maintenance and repair activities CMA_0080 - Control maintenance and repair activities Manual, Disabled 1.1.0
Define mobile device requirements CMA_0122 - Define mobile device requirements Manual, Disabled 1.1.0
Manage nonlocal maintenance and diagnostic activities CMA_0364 - Manage nonlocal maintenance and diagnostic activities Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0

0417.01y3Organizational.5-01.y 01.07 Mobile Computing and Teleworking

ID: 0417.01y3Organizational.5-01.y Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define mobile device requirements CMA_0122 - Define mobile device requirements Manual, Disabled 1.1.0

0425.01x1System.13-01.x 01.07 Mobile Computing and Teleworking

ID: 0425.01x1System.13-01.x Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define mobile device requirements CMA_0122 - Define mobile device requirements Manual, Disabled 1.1.0

0426.01x2System.1-01.x 01.07 Mobile Computing and Teleworking

ID: 0426.01x2System.1-01.x Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define mobile device requirements CMA_0122 - Define mobile device requirements Manual, Disabled 1.1.0
Employ a media sanitization mechanism CMA_0208 - Employ a media sanitization mechanism Manual, Disabled 1.1.0
Ensure security safeguards not needed when the individuals return CMA_C1183 - Ensure security safeguards not needed when the individuals return Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Manage the transportation of assets CMA_0370 - Manage the transportation of assets Manual, Disabled 1.1.0
Not allow for information systems to accompany with individuals CMA_C1182 - Not allow for information systems to accompany with individuals Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0

0427.01x2System.2-01.x 01.07 Mobile Computing and Teleworking

ID: 0427.01x2System.2-01.x Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define mobile device requirements CMA_0122 - Define mobile device requirements Manual, Disabled 1.1.0
Ensure security safeguards not needed when the individuals return CMA_C1183 - Ensure security safeguards not needed when the individuals return Manual, Disabled 1.1.0
Not allow for information systems to accompany with individuals CMA_C1182 - Not allow for information systems to accompany with individuals Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0

0428.01x2System.3-01.x 01.07 Mobile Computing and Teleworking

ID: 0428.01x2System.3-01.x Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define mobile device requirements CMA_0122 - Define mobile device requirements Manual, Disabled 1.1.0
Ensure security safeguards not needed when the individuals return CMA_C1183 - Ensure security safeguards not needed when the individuals return Manual, Disabled 1.1.0
Not allow for information systems to accompany with individuals CMA_C1182 - Not allow for information systems to accompany with individuals Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0

0429.01x1System.14-01.x 01.07 Mobile Computing and Teleworking

ID: 0429.01x1System.14-01.x Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control use of portable storage devices CMA_0083 - Control use of portable storage devices Manual, Disabled 1.1.0
Define mobile device requirements CMA_0122 - Define mobile device requirements Manual, Disabled 1.1.0
Ensure security safeguards not needed when the individuals return CMA_C1183 - Ensure security safeguards not needed when the individuals return Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Not allow for information systems to accompany with individuals CMA_C1182 - Not allow for information systems to accompany with individuals Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Restrict media use CMA_0450 - Restrict media use Manual, Disabled 1.1.0

Access to the organizations information and systems by external parties is not permitted until due diligence has been conducted, the appropriate controls have been implemented, and a contract/agreement reflecting the security requirements is signed acknowledging they understand and accept their obligations.

ID: 1401.05i1Organizational.1239 - 05.i Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Secure transfer to storage accounts should be enabled Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Audit, Deny, Disabled 2.0.0

Remote access connections between the organization and external parties are encrypted.

ID: 1402.05i1Organizational.45 - 05.i Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Function apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled, Deny 5.0.0

Access granted to external parties is limited to the minimum necessary and granted only for the duration required.

ID: 1403.05i1Organizational.67 - 05.i Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
App Service apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled, Deny 4.0.0

ID: 1418.05i1Organizational.8 - 05.i Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Enforce SSL connection should be enabled for MySQL database servers Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Audit, Disabled 1.0.1

05 Wireless Security

0504.09m2Organizational.5-09.m 09.06 Network Security Management

ID: 0504.09m2Organizational.5-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Document and implement wireless access guidelines CMA_0190 - Document and implement wireless access guidelines Manual, Disabled 1.1.0
Document wireless access security controls CMA_C1695 - Document wireless access security controls Manual, Disabled 1.1.0
Identify and authenticate network devices CMA_0296 - Identify and authenticate network devices Manual, Disabled 1.1.0
Protect wireless access CMA_0411 - Protect wireless access Manual, Disabled 1.1.0

0505.09m2Organizational.3-09.m 09.06 Network Security Management

ID: 0505.09m2Organizational.3-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adopt biometric authentication mechanisms CMA_0005 - Adopt biometric authentication mechanisms Manual, Disabled 1.1.0
Define requirements for managing assets CMA_0125 - Define requirements for managing assets Manual, Disabled 1.1.0
Document wireless access security controls CMA_C1695 - Document wireless access security controls Manual, Disabled 1.1.0
Employ a media sanitization mechanism CMA_0208 - Employ a media sanitization mechanism Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Install an alarm system CMA_0338 - Install an alarm system Manual, Disabled 1.1.0
Manage a secure surveillance camera system CMA_0354 - Manage a secure surveillance camera system Manual, Disabled 1.1.0
Manage the transportation of assets CMA_0370 - Manage the transportation of assets Manual, Disabled 1.1.0

06 Configuration Management

0601.06g1Organizational.124-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance

ID: 0601.06g1Organizational.124-06.g Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Assess Security Controls CMA_C1145 - Assess Security Controls Manual, Disabled 1.1.0
Deliver security assessment results CMA_C1147 - Deliver security assessment results Manual, Disabled 1.1.0
Develop POA&M CMA_C1156 - Develop POA&M Manual, Disabled 1.1.0
Develop security assessment plan CMA_C1144 - Develop security assessment plan Manual, Disabled 1.1.0
Produce Security Assessment report CMA_C1146 - Produce Security Assessment report Manual, Disabled 1.1.0
Update POA&M items CMA_C1157 - Update POA&M items Manual, Disabled 1.1.0

0602.06g1Organizational.3-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance

ID: 0602.06g1Organizational.3-06.g Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Conduct Risk Assessment CMA_C1543 - Conduct Risk Assessment Manual, Disabled 1.1.0
Deliver security assessment results CMA_C1147 - Deliver security assessment results Manual, Disabled 1.1.0
Develop configuration management plan CMA_C1232 - Develop configuration management plan Manual, Disabled 1.1.0
Develop POA&M CMA_C1156 - Develop POA&M Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Establish configuration management requirements for developers CMA_0270 - Establish configuration management requirements for developers Manual, Disabled 1.1.0
Perform audit for configuration change control CMA_0390 - Perform audit for configuration change control Manual, Disabled 1.1.0
Produce Security Assessment report CMA_C1146 - Produce Security Assessment report Manual, Disabled 1.1.0
Require developers to document approved changes and potential impact CMA_C1597 - Require developers to document approved changes and potential impact Manual, Disabled 1.1.0
Update POA&M items CMA_C1157 - Update POA&M items Manual, Disabled 1.1.0

0603.06g2Organizational.1-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance

ID: 0603.06g2Organizational.1-06.g Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Enforce security configuration settings CMA_0249 - Enforce security configuration settings Manual, Disabled 1.1.0
Govern compliance of cloud service providers CMA_0290 - Govern compliance of cloud service providers Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0
Verify software, firmware and information integrity CMA_0542 - Verify software, firmware and information integrity Manual, Disabled 1.1.0
View and configure system diagnostic data CMA_0544 - View and configure system diagnostic data Manual, Disabled 1.1.0

0604.06g2Organizational.2-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance

ID: 0604.06g2Organizational.2-06.g Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Analyse data obtained from continuous monitoring CMA_C1169 - Analyse data obtained from continuous monitoring Manual, Disabled 1.1.0
Configure detection whitelist CMA_0068 - Configure detection whitelist Manual, Disabled 1.1.0
Develop security assessment plan CMA_C1144 - Develop security assessment plan Manual, Disabled 1.1.0
Employ independent assessors for continuous monitoring CMA_C1168 - Employ independent assessors for continuous monitoring Manual, Disabled 1.1.0
Employ independent assessors to conduct security control assessments CMA_C1148 - Employ independent assessors to conduct security control assessments Manual, Disabled 1.1.0
Turn on sensors for endpoint security solution CMA_0514 - Turn on sensors for endpoint security solution Manual, Disabled 1.1.0
Undergo independent security review CMA_0515 - Undergo independent security review Manual, Disabled 1.1.0

0605.10h1System.12-10.h 10.04 Security of System Files

ID: 0605.10h1System.12-10.h Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Limit privileges to make changes in production environment CMA_C1206 - Limit privileges to make changes in production environment Manual, Disabled 1.1.0
Review and reevaluate privileges CMA_C1207 - Review and reevaluate privileges Manual, Disabled 1.1.0
Vulnerabilities in security configuration on your machines should be remediated Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 3.1.0
Windows machines should meet requirements for 'Security Options - Audit' Windows machines should have the specified Group Policy settings in the category 'Security Options - Audit' for forcing audit policy subcategory and shutting down if unable to log security audits. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0
Windows machines should meet requirements for 'System Audit Policies - Account Management' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Management' for auditing application, security, and user group management, and other management events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0

0613.06h1Organizational.12-06.h 06.02 Compliance with Security Policies and Standards, and Technical Compliance

ID: 0613.06h1Organizational.12-06.h Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0

0614.06h2Organizational.12-06.h 06.02 Compliance with Security Policies and Standards, and Technical Compliance

ID: 0614.06h2Organizational.12-06.h Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Assess Security Controls CMA_C1145 - Assess Security Controls Manual, Disabled 1.1.0
Deliver security assessment results CMA_C1147 - Deliver security assessment results Manual, Disabled 1.1.0
Develop security assessment plan CMA_C1144 - Develop security assessment plan Manual, Disabled 1.1.0
Produce Security Assessment report CMA_C1146 - Produce Security Assessment report Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0
Select additional testing for security control assessments CMA_C1149 - Select additional testing for security control assessments Manual, Disabled 1.1.0

0615.06h2Organizational.3-06.h 06.02 Compliance with Security Policies and Standards, and Technical Compliance

ID: 0615.06h2Organizational.3-06.h Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0

0618.09b1System.1-09.b 09.01 Documented Operating Procedures

ID: 0618.09b1System.1-09.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Automate approval request for proposed changes CMA_C1192 - Automate approval request for proposed changes Manual, Disabled 1.1.0
Automate implementation of approved change notifications CMA_C1196 - Automate implementation of approved change notifications Manual, Disabled 1.1.0
Conduct a security impact analysis CMA_0057 - Conduct a security impact analysis Manual, Disabled 1.1.0
Develop and maintain a vulnerability management standard CMA_0152 - Develop and maintain a vulnerability management standard Manual, Disabled 1.1.0
Enforce security configuration settings CMA_0249 - Enforce security configuration settings Manual, Disabled 1.1.0
Establish a risk management strategy CMA_0258 - Establish a risk management strategy Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Establish configuration management requirements for developers CMA_0270 - Establish configuration management requirements for developers Manual, Disabled 1.1.0
Govern compliance of cloud service providers CMA_0290 - Govern compliance of cloud service providers Manual, Disabled 1.1.0
Perform a privacy impact assessment CMA_0387 - Perform a privacy impact assessment Manual, Disabled 1.1.0
Perform a risk assessment CMA_0388 - Perform a risk assessment Manual, Disabled 1.1.0
Perform audit for configuration change control CMA_0390 - Perform audit for configuration change control Manual, Disabled 1.1.0
Require developers to document approved changes and potential impact CMA_C1597 - Require developers to document approved changes and potential impact Manual, Disabled 1.1.0
Require developers to manage change integrity CMA_C1595 - Require developers to manage change integrity Manual, Disabled 1.1.0
Retain previous versions of baseline configs CMA_C1181 - Retain previous versions of baseline configs Manual, Disabled 1.1.0
View and configure system diagnostic data CMA_0544 - View and configure system diagnostic data Manual, Disabled 1.1.0

0626.10h1System.3-10.h 10.04 Security of System Files

ID: 0626.10h1System.3-10.h Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Employ automatic shutdown/restart when violations are detected CMA_C1715 - Employ automatic shutdown/restart when violations are detected Manual, Disabled 1.1.0
Verify software, firmware and information integrity CMA_0542 - Verify software, firmware and information integrity Manual, Disabled 1.1.0
View and configure system diagnostic data CMA_0544 - View and configure system diagnostic data Manual, Disabled 1.1.0

0627.10h1System.45-10.h 10.04 Security of System Files

ID: 0627.10h1System.45-10.h Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure actions for noncompliant devices CMA_0062 - Configure actions for noncompliant devices Manual, Disabled 1.1.0
Develop and maintain baseline configurations CMA_0153 - Develop and maintain baseline configurations Manual, Disabled 1.1.0
Enforce security configuration settings CMA_0249 - Enforce security configuration settings Manual, Disabled 1.1.0
Ensure security safeguards not needed when the individuals return CMA_C1183 - Ensure security safeguards not needed when the individuals return Manual, Disabled 1.1.0
Establish a configuration control board CMA_0254 - Establish a configuration control board Manual, Disabled 1.1.0
Establish and document a configuration management plan CMA_0264 - Establish and document a configuration management plan Manual, Disabled 1.1.0
Implement an automated configuration management tool CMA_0311 - Implement an automated configuration management tool Manual, Disabled 1.1.0
Not allow for information systems to accompany with individuals CMA_C1182 - Not allow for information systems to accompany with individuals Manual, Disabled 1.1.0
Retain previous versions of baseline configs CMA_C1181 - Retain previous versions of baseline configs Manual, Disabled 1.1.0
Verify software, firmware and information integrity CMA_0542 - Verify software, firmware and information integrity Manual, Disabled 1.1.0
View and configure system diagnostic data CMA_0544 - View and configure system diagnostic data Manual, Disabled 1.1.0

0628.10h1System.6-10.h 10.04 Security of System Files

ID: 0628.10h1System.6-10.h Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Employ automatic shutdown/restart when violations are detected CMA_C1715 - Employ automatic shutdown/restart when violations are detected Manual, Disabled 1.1.0
Incorporate flaw remediation into configuration management CMA_C1671 - Incorporate flaw remediation into configuration management Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0
Verify software, firmware and information integrity CMA_0542 - Verify software, firmware and information integrity Manual, Disabled 1.1.0

0635.10k1Organizational.12-10.k 10.05 Security In Development and Support Processes

ID: 0635.10k1Organizational.12-10.k Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Incorporate flaw remediation into configuration management CMA_C1671 - Incorporate flaw remediation into configuration management Manual, Disabled 1.1.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0
Review development process, standards and tools CMA_C1610 - Review development process, standards and tools Manual, Disabled 1.1.0
Review malware detections report weekly CMA_0475 - Review malware detections report weekly Manual, Disabled 1.1.0
Review threat protection status weekly CMA_0479 - Review threat protection status weekly Manual, Disabled 1.1.0
Update antivirus definitions CMA_0517 - Update antivirus definitions Manual, Disabled 1.1.0
Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0

0636.10k2Organizational.1-10.k 10.05 Security In Development and Support Processes

ID: 0636.10k2Organizational.1-10.k Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Create configuration plan protection CMA_C1233 - Create configuration plan protection Manual, Disabled 1.1.0
Develop and maintain baseline configurations CMA_0153 - Develop and maintain baseline configurations Manual, Disabled 1.1.0
Develop configuration item identification plan CMA_C1231 - Develop configuration item identification plan Manual, Disabled 1.1.0
Develop configuration management plan CMA_C1232 - Develop configuration management plan Manual, Disabled 1.1.0
Establish and document a configuration management plan CMA_0264 - Establish and document a configuration management plan Manual, Disabled 1.1.0
Implement an automated configuration management tool CMA_0311 - Implement an automated configuration management tool Manual, Disabled 1.1.0
Review and update configuration management policies and procedures CMA_C1175 - Review and update configuration management policies and procedures Manual, Disabled 1.1.0
Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0

0637.10k2Organizational.2-10.k 10.05 Security In Development and Support Processes

ID: 0637.10k2Organizational.2-10.k Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Create configuration plan protection CMA_C1233 - Create configuration plan protection Manual, Disabled 1.1.0
Develop and maintain baseline configurations CMA_0153 - Develop and maintain baseline configurations Manual, Disabled 1.1.0
Develop configuration item identification plan CMA_C1231 - Develop configuration item identification plan Manual, Disabled 1.1.0
Develop configuration management plan CMA_C1232 - Develop configuration management plan Manual, Disabled 1.1.0
Establish and document a configuration management plan CMA_0264 - Establish and document a configuration management plan Manual, Disabled 1.1.0
Implement an automated configuration management tool CMA_0311 - Implement an automated configuration management tool Manual, Disabled 1.1.0
Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0

0638.10k2Organizational.34569-10.k 10.05 Security In Development and Support Processes

ID: 0638.10k2Organizational.34569-10.k Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Automate implementation of approved change notifications CMA_C1196 - Automate implementation of approved change notifications Manual, Disabled 1.1.0
Automate process to document implemented changes CMA_C1195 - Automate process to document implemented changes Manual, Disabled 1.1.0
Automate process to highlight unreviewed change proposals CMA_C1193 - Automate process to highlight unreviewed change proposals Manual, Disabled 1.1.0
Automate process to prohibit implementation of unapproved changes CMA_C1194 - Automate process to prohibit implementation of unapproved changes Manual, Disabled 1.1.0
Automate proposed documented changes CMA_C1191 - Automate proposed documented changes Manual, Disabled 1.1.0
Conduct a security impact analysis CMA_0057 - Conduct a security impact analysis Manual, Disabled 1.1.0
Develop and maintain a vulnerability management standard CMA_0152 - Develop and maintain a vulnerability management standard Manual, Disabled 1.1.0
Establish a risk management strategy CMA_0258 - Establish a risk management strategy Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Establish configuration management requirements for developers CMA_0270 - Establish configuration management requirements for developers Manual, Disabled 1.1.0
Perform a privacy impact assessment CMA_0387 - Perform a privacy impact assessment Manual, Disabled 1.1.0
Perform a risk assessment CMA_0388 - Perform a risk assessment Manual, Disabled 1.1.0
Perform audit for configuration change control CMA_0390 - Perform audit for configuration change control Manual, Disabled 1.1.0
Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0

0639.10k2Organizational.78-10.k 10.05 Security In Development and Support Processes

ID: 0639.10k2Organizational.78-10.k Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure actions for noncompliant devices CMA_0062 - Configure actions for noncompliant devices Manual, Disabled 1.1.0
Develop and maintain baseline configurations CMA_0153 - Develop and maintain baseline configurations Manual, Disabled 1.1.0
Enforce security configuration settings CMA_0249 - Enforce security configuration settings Manual, Disabled 1.1.0
Establish a configuration control board CMA_0254 - Establish a configuration control board Manual, Disabled 1.1.0
Establish and document a configuration management plan CMA_0264 - Establish and document a configuration management plan Manual, Disabled 1.1.0
Implement an automated configuration management tool CMA_0311 - Implement an automated configuration management tool Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0
Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0

0640.10k2Organizational.1012-10.k 10.05 Security In Development and Support Processes

ID: 0640.10k2Organizational.1012-10.k Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Address coding vulnerabilities CMA_0003 - Address coding vulnerabilities Manual, Disabled 1.1.0
Determine supplier contract obligations CMA_0140 - Determine supplier contract obligations Manual, Disabled 1.1.0
Develop and document application security requirements CMA_0148 - Develop and document application security requirements Manual, Disabled 1.1.0
Document acquisition contract acceptance criteria CMA_0187 - Document acquisition contract acceptance criteria Manual, Disabled 1.1.0
Document protection of personal data in acquisition contracts CMA_0194 - Document protection of personal data in acquisition contracts Manual, Disabled 1.1.0
Document protection of security information in acquisition contracts CMA_0195 - Document protection of security information in acquisition contracts Manual, Disabled 1.1.0
Document requirements for the use of shared data in contracts CMA_0197 - Document requirements for the use of shared data in contracts Manual, Disabled 1.1.0
Document security assurance requirements in acquisition contracts CMA_0199 - Document security assurance requirements in acquisition contracts Manual, Disabled 1.1.0
Document security documentation requirements in acquisition contract CMA_0200 - Document security documentation requirements in acquisition contract Manual, Disabled 1.1.0
Document security functional requirements in acquisition contracts CMA_0201 - Document security functional requirements in acquisition contracts Manual, Disabled 1.1.0
Document security strength requirements in acquisition contracts CMA_0203 - Document security strength requirements in acquisition contracts Manual, Disabled 1.1.0
Document the information system environment in acquisition contracts CMA_0205 - Document the information system environment in acquisition contracts Manual, Disabled 1.1.0
Document the protection of cardholder data in third party contracts CMA_0207 - Document the protection of cardholder data in third party contracts Manual, Disabled 1.1.0
Establish a secure software development program CMA_0259 - Establish a secure software development program Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Establish configuration management requirements for developers CMA_0270 - Establish configuration management requirements for developers Manual, Disabled 1.1.0
Perform audit for configuration change control CMA_0390 - Perform audit for configuration change control Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0
Require developers to document approved changes and potential impact CMA_C1597 - Require developers to document approved changes and potential impact Manual, Disabled 1.1.0
Require developers to manage change integrity CMA_C1595 - Require developers to manage change integrity Manual, Disabled 1.1.0
Require developers to produce evidence of security assessment plan execution CMA_C1602 - Require developers to produce evidence of security assessment plan execution Manual, Disabled 1.1.0
Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0

0641.10k2Organizational.11-10.k 10.05 Security In Development and Support Processes

ID: 0641.10k2Organizational.11-10.k Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Conduct a security impact analysis CMA_0057 - Conduct a security impact analysis Manual, Disabled 1.1.0
Develop and establish a system security plan CMA_0151 - Develop and establish a system security plan Manual, Disabled 1.1.0
Develop and maintain a vulnerability management standard CMA_0152 - Develop and maintain a vulnerability management standard Manual, Disabled 1.1.0
Establish a risk management strategy CMA_0258 - Establish a risk management strategy Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Establish configuration management requirements for developers CMA_0270 - Establish configuration management requirements for developers Manual, Disabled 1.1.0
Establish security requirements for the manufacturing of connected devices CMA_0279 - Establish security requirements for the manufacturing of connected devices Manual, Disabled 1.1.0
Implement security engineering principles of information systems CMA_0325 - Implement security engineering principles of information systems Manual, Disabled 1.1.0
Perform a privacy impact assessment CMA_0387 - Perform a privacy impact assessment Manual, Disabled 1.1.0
Perform a risk assessment CMA_0388 - Perform a risk assessment Manual, Disabled 1.1.0
Perform audit for configuration change control CMA_0390 - Perform audit for configuration change control Manual, Disabled 1.1.0
Review development process, standards and tools CMA_C1610 - Review development process, standards and tools Manual, Disabled 1.1.0
Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0

0642.10k3Organizational.12-10.k 10.05 Security In Development and Support Processes

ID: 0642.10k3Organizational.12-10.k Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure actions for noncompliant devices CMA_0062 - Configure actions for noncompliant devices Manual, Disabled 1.1.0
Develop and maintain baseline configurations CMA_0153 - Develop and maintain baseline configurations Manual, Disabled 1.1.0
Enforce security configuration settings CMA_0249 - Enforce security configuration settings Manual, Disabled 1.1.0
Establish a configuration control board CMA_0254 - Establish a configuration control board Manual, Disabled 1.1.0
Establish and document a configuration management plan CMA_0264 - Establish and document a configuration management plan Manual, Disabled 1.1.0
Implement an automated configuration management tool CMA_0311 - Implement an automated configuration management tool Manual, Disabled 1.1.0
Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0

0643.10k3Organizational.3-10.k 10.05 Security In Development and Support Processes

ID: 0643.10k3Organizational.3-10.k Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Conduct a security impact analysis CMA_0057 - Conduct a security impact analysis Manual, Disabled 1.1.0
Configure actions for noncompliant devices CMA_0062 - Configure actions for noncompliant devices Manual, Disabled 1.1.0
Develop and maintain a vulnerability management standard CMA_0152 - Develop and maintain a vulnerability management standard Manual, Disabled 1.1.0
Develop and maintain baseline configurations CMA_0153 - Develop and maintain baseline configurations Manual, Disabled 1.1.0
Enforce security configuration settings CMA_0249 - Enforce security configuration settings Manual, Disabled 1.1.0
Establish a configuration control board CMA_0254 - Establish a configuration control board Manual, Disabled 1.1.0
Establish a risk management strategy CMA_0258 - Establish a risk management strategy Manual, Disabled 1.1.0
Establish and document a configuration management plan CMA_0264 - Establish and document a configuration management plan Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Establish configuration management requirements for developers CMA_0270 - Establish configuration management requirements for developers Manual, Disabled 1.1.0
Implement an automated configuration management tool CMA_0311 - Implement an automated configuration management tool Manual, Disabled 1.1.0
Perform a privacy impact assessment CMA_0387 - Perform a privacy impact assessment Manual, Disabled 1.1.0
Perform a risk assessment CMA_0388 - Perform a risk assessment Manual, Disabled 1.1.0
Perform audit for configuration change control CMA_0390 - Perform audit for configuration change control Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0
Retain previous versions of baseline configs CMA_C1181 - Retain previous versions of baseline configs Manual, Disabled 1.1.0
Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0

0644.10k3Organizational.4-10.k 10.05 Security In Development and Support Processes

ID: 0644.10k3Organizational.4-10.k Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Assign account managers CMA_0015 - Assign account managers Manual, Disabled 1.1.0
Audit user account status CMA_0020 - Audit user account status Manual, Disabled 1.1.0
Define and enforce conditions for shared and group accounts CMA_0117 - Define and enforce conditions for shared and group accounts Manual, Disabled 1.1.0
Define information system account types CMA_0121 - Define information system account types Manual, Disabled 1.1.0
Develop configuration item identification plan CMA_C1231 - Develop configuration item identification plan Manual, Disabled 1.1.0
Develop configuration management plan CMA_C1232 - Develop configuration management plan Manual, Disabled 1.1.0
Document access privileges CMA_0186 - Document access privileges Manual, Disabled 1.1.0
Enforce security configuration settings CMA_0249 - Enforce security configuration settings Manual, Disabled 1.1.0
Establish conditions for role membership CMA_0269 - Establish conditions for role membership Manual, Disabled 1.1.0
Govern compliance of cloud service providers CMA_0290 - Govern compliance of cloud service providers Manual, Disabled 1.1.0
Monitor account activity CMA_0377 - Monitor account activity Manual, Disabled 1.1.0
Notify Account Managers of customer controlled accounts CMA_C1009 - Notify Account Managers of customer controlled accounts Manual, Disabled 1.1.0
Reissue authenticators for changed groups and accounts CMA_0426 - Reissue authenticators for changed groups and accounts Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0
Require approval for account creation CMA_0431 - Require approval for account creation Manual, Disabled 1.1.0
Restrict access to privileged accounts CMA_0446 - Restrict access to privileged accounts Manual, Disabled 1.1.0
Review account provisioning logs CMA_0460 - Review account provisioning logs Manual, Disabled 1.1.0
Review user accounts CMA_0480 - Review user accounts Manual, Disabled 1.1.0
View and configure system diagnostic data CMA_0544 - View and configure system diagnostic data Manual, Disabled 1.1.0
Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0

0662.09sCSPOrganizational.2-09.s 09.08 Exchange of Information

ID: 0662.09sCSPOrganizational.2-09.s Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
App Service apps should have Client Certificates (Incoming client certificates) enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy applies to apps with Http version set to 1.1. AuditIfNotExists, Disabled 1.0.0
Employ independent assessors to conduct security control assessments CMA_C1148 - Employ independent assessors to conduct security control assessments Manual, Disabled 1.1.0
Select additional testing for security control assessments CMA_C1149 - Select additional testing for security control assessments Manual, Disabled 1.1.0

0663.10h1System.7-10.h 10.04 Security of System Files

ID: 0663.10h1System.7-10.h Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit privileged functions CMA_0019 - Audit privileged functions Manual, Disabled 1.1.0
Audit user account status CMA_0020 - Audit user account status Manual, Disabled 1.1.0
Detect network services that have not been authorized or approved CMA_C1700 - Detect network services that have not been authorized or approved Manual, Disabled 1.1.0
Determine auditable events CMA_0137 - Determine auditable events Manual, Disabled 1.1.0
Document wireless access security controls CMA_C1695 - Document wireless access security controls Manual, Disabled 1.1.0
Employ automatic shutdown/restart when violations are detected CMA_C1715 - Employ automatic shutdown/restart when violations are detected Manual, Disabled 1.1.0
Implement system boundary protection CMA_0328 - Implement system boundary protection Manual, Disabled 1.1.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0
Review audit data CMA_0466 - Review audit data Manual, Disabled 1.1.0
Review malware detections report weekly CMA_0475 - Review malware detections report weekly Manual, Disabled 1.1.0
Review threat protection status weekly CMA_0479 - Review threat protection status weekly Manual, Disabled 1.1.0
Update antivirus definitions CMA_0517 - Update antivirus definitions Manual, Disabled 1.1.0
Verify software, firmware and information integrity CMA_0542 - Verify software, firmware and information integrity Manual, Disabled 1.1.0
View and configure system diagnostic data CMA_0544 - View and configure system diagnostic data Manual, Disabled 1.1.0

0669.10hCSPSystem.1-10.h 10.04 Security of System Files

ID: 0669.10hCSPSystem.1-10.h Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Address coding vulnerabilities CMA_0003 - Address coding vulnerabilities Manual, Disabled 1.1.0
Configure actions for noncompliant devices CMA_0062 - Configure actions for noncompliant devices Manual, Disabled 1.1.0
Develop and document application security requirements CMA_0148 - Develop and document application security requirements Manual, Disabled 1.1.0
Develop and maintain baseline configurations CMA_0153 - Develop and maintain baseline configurations Manual, Disabled 1.1.0
Develop configuration item identification plan CMA_C1231 - Develop configuration item identification plan Manual, Disabled 1.1.0
Develop configuration management plan CMA_C1232 - Develop configuration management plan Manual, Disabled 1.1.0
Document the information system environment in acquisition contracts CMA_0205 - Document the information system environment in acquisition contracts Manual, Disabled 1.1.0
Enforce security configuration settings CMA_0249 - Enforce security configuration settings Manual, Disabled 1.1.0
Establish a configuration control board CMA_0254 - Establish a configuration control board Manual, Disabled 1.1.0
Establish a secure software development program CMA_0259 - Establish a secure software development program Manual, Disabled 1.1.0
Establish and document a configuration management plan CMA_0264 - Establish and document a configuration management plan Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Establish configuration management requirements for developers CMA_0270 - Establish configuration management requirements for developers Manual, Disabled 1.1.0
Implement an automated configuration management tool CMA_0311 - Implement an automated configuration management tool Manual, Disabled 1.1.0
Perform audit for configuration change control CMA_0390 - Perform audit for configuration change control Manual, Disabled 1.1.0
Require developers to manage change integrity CMA_C1595 - Require developers to manage change integrity Manual, Disabled 1.1.0

0670.10hCSPSystem.2-10.h 10.04 Security of System Files

ID: 0670.10hCSPSystem.2-10.h Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adhere to retention periods defined CMA_0004 - Adhere to retention periods defined Manual, Disabled 1.1.0
Perform disposition review CMA_0391 - Perform disposition review Manual, Disabled 1.1.0
Verify personal data is deleted at the end of processing CMA_0540 - Verify personal data is deleted at the end of processing Manual, Disabled 1.1.0

0671.10k1System.1-10.k 10.05 Security In Development and Support Processes

ID: 0671.10k1System.1-10.k Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Address coding vulnerabilities CMA_0003 - Address coding vulnerabilities Manual, Disabled 1.1.0
Automate implementation of approved change notifications CMA_C1196 - Automate implementation of approved change notifications Manual, Disabled 1.1.0
Automate process to highlight unreviewed change proposals CMA_C1193 - Automate process to highlight unreviewed change proposals Manual, Disabled 1.1.0
Automate process to prohibit implementation of unapproved changes CMA_C1194 - Automate process to prohibit implementation of unapproved changes Manual, Disabled 1.1.0
Automate proposed documented changes CMA_C1191 - Automate proposed documented changes Manual, Disabled 1.1.0
Develop and document application security requirements CMA_0148 - Develop and document application security requirements Manual, Disabled 1.1.0
Document the information system environment in acquisition contracts CMA_0205 - Document the information system environment in acquisition contracts Manual, Disabled 1.1.0
Enforce security configuration settings CMA_0249 - Enforce security configuration settings Manual, Disabled 1.1.0
Establish a secure software development program CMA_0259 - Establish a secure software development program Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Establish configuration management requirements for developers CMA_0270 - Establish configuration management requirements for developers Manual, Disabled 1.1.0
Perform audit for configuration change control CMA_0390 - Perform audit for configuration change control Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0
Require developers to document approved changes and potential impact CMA_C1597 - Require developers to document approved changes and potential impact Manual, Disabled 1.1.0
Require developers to implement only approved changes CMA_C1596 - Require developers to implement only approved changes Manual, Disabled 1.1.0
Require developers to manage change integrity CMA_C1595 - Require developers to manage change integrity Manual, Disabled 1.1.0

0672.10k3System.5-10.k 10.05 Security In Development and Support Processes

ID: 0672.10k3System.5-10.k Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Conduct a security impact analysis CMA_0057 - Conduct a security impact analysis Manual, Disabled 1.1.0
Develop and maintain a vulnerability management standard CMA_0152 - Develop and maintain a vulnerability management standard Manual, Disabled 1.1.0
Employ automatic shutdown/restart when violations are detected CMA_C1715 - Employ automatic shutdown/restart when violations are detected Manual, Disabled 1.1.0
Establish a risk management strategy CMA_0258 - Establish a risk management strategy Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Establish configuration management requirements for developers CMA_0270 - Establish configuration management requirements for developers Manual, Disabled 1.1.0
Perform a privacy impact assessment CMA_0387 - Perform a privacy impact assessment Manual, Disabled 1.1.0
Perform a risk assessment CMA_0388 - Perform a risk assessment Manual, Disabled 1.1.0
Perform audit for configuration change control CMA_0390 - Perform audit for configuration change control Manual, Disabled 1.1.0
Prohibit binary/machine-executable code CMA_C1717 - Prohibit binary/machine-executable code Manual, Disabled 1.1.0
Verify software, firmware and information integrity CMA_0542 - Verify software, firmware and information integrity Manual, Disabled 1.1.0
View and configure system diagnostic data CMA_0544 - View and configure system diagnostic data Manual, Disabled 1.1.0

068.06g2Organizational.34-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance

ID: 068.06g2Organizational.34-06.g Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Assess Security Controls CMA_C1145 - Assess Security Controls Manual, Disabled 1.1.0
Deliver security assessment results CMA_C1147 - Deliver security assessment results Manual, Disabled 1.1.0
Develop security assessment plan CMA_C1144 - Develop security assessment plan Manual, Disabled 1.1.0
Employ independent assessors for continuous monitoring CMA_C1168 - Employ independent assessors for continuous monitoring Manual, Disabled 1.1.0
Employ independent assessors to conduct security control assessments CMA_C1148 - Employ independent assessors to conduct security control assessments Manual, Disabled 1.1.0
Produce Security Assessment report CMA_C1146 - Produce Security Assessment report Manual, Disabled 1.1.0

069.06g2Organizational.56-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance

ID: 069.06g2Organizational.56-06.g Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Conduct Risk Assessment CMA_C1543 - Conduct Risk Assessment Manual, Disabled 1.1.0
Conduct risk assessment and distribute its results CMA_C1544 - Conduct risk assessment and distribute its results Manual, Disabled 1.1.0
Conduct risk assessment and document its results CMA_C1542 - Conduct risk assessment and document its results Manual, Disabled 1.1.0
Configure detection whitelist CMA_0068 - Configure detection whitelist Manual, Disabled 1.1.0
Perform a risk assessment CMA_0388 - Perform a risk assessment Manual, Disabled 1.1.0
Turn on sensors for endpoint security solution CMA_0514 - Turn on sensors for endpoint security solution Manual, Disabled 1.1.0
Undergo independent security review CMA_0515 - Undergo independent security review Manual, Disabled 1.1.0

07 Vulnerability Management

0701.07a1Organizational.12-07.a 07.01 Responsibility for Assets

ID: 0701.07a1Organizational.12-07.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Conduct exit interview upon termination CMA_0058 - Conduct exit interview upon termination Manual, Disabled 1.1.0
Create a data inventory CMA_0096 - Create a data inventory Manual, Disabled 1.1.0
Disable authenticators upon termination CMA_0169 - Disable authenticators upon termination Manual, Disabled 1.1.0
Establish and maintain an asset inventory CMA_0266 - Establish and maintain an asset inventory Manual, Disabled 1.1.0
Notify upon termination or transfer CMA_0381 - Notify upon termination or transfer Manual, Disabled 1.1.0
Protect against and prevent data theft from departing employees CMA_0398 - Protect against and prevent data theft from departing employees Manual, Disabled 1.1.0
Retain terminated user data CMA_0455 - Retain terminated user data Manual, Disabled 1.1.0

0702.07a1Organizational.3-07.a 07.01 Responsibility for Assets

ID: 0702.07a1Organizational.3-07.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define information security roles and responsibilities CMA_C1565 - Define information security roles and responsibilities Manual, Disabled 1.1.0
Establish terms and conditions for processing resources CMA_C1077 - Establish terms and conditions for processing resources Manual, Disabled 1.1.0

0703.07a2Organizational.1-07.a 07.01 Responsibility for Assets

ID: 0703.07a2Organizational.1-07.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Create a data inventory CMA_0096 - Create a data inventory Manual, Disabled 1.1.0
Establish and maintain an asset inventory CMA_0266 - Establish and maintain an asset inventory Manual, Disabled 1.1.0
Maintain records of processing of personal data CMA_0353 - Maintain records of processing of personal data Manual, Disabled 1.1.0

0704.07a3Organizational.12-07.a 07.01 Responsibility for Assets

ID: 0704.07a3Organizational.12-07.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Create a data inventory CMA_0096 - Create a data inventory Manual, Disabled 1.1.0
Establish and maintain an asset inventory CMA_0266 - Establish and maintain an asset inventory Manual, Disabled 1.1.0
Maintain records of processing of personal data CMA_0353 - Maintain records of processing of personal data Manual, Disabled 1.1.0

0705.07a3Organizational.3-07.a 07.01 Responsibility for Assets

ID: 0705.07a3Organizational.3-07.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define information security roles and responsibilities CMA_C1565 - Define information security roles and responsibilities Manual, Disabled 1.1.0
Identify individuals with security roles and responsibilities CMA_C1566 - Identify individuals with security roles and responsibilities Manual, Disabled 1.1.1
Integrate risk management process into SDLC CMA_C1567 - Integrate risk management process into SDLC Manual, Disabled 1.1.0

0706.10b1System.12-10.b 10.02 Correct Processing in Applications

ID: 0706.10b1System.12-10.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define information security roles and responsibilities CMA_C1565 - Define information security roles and responsibilities Manual, Disabled 1.1.0
Identify individuals with security roles and responsibilities CMA_C1566 - Identify individuals with security roles and responsibilities Manual, Disabled 1.1.1
Integrate risk management process into SDLC CMA_C1567 - Integrate risk management process into SDLC Manual, Disabled 1.1.0
Perform information input validation CMA_C1723 - Perform information input validation Manual, Disabled 1.1.0

0708.10b2System.2-10.b 10.02 Correct Processing in Applications

ID: 0708.10b2System.2-10.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Review and update information integrity policies and procedures CMA_C1667 - Review and update information integrity policies and procedures Manual, Disabled 1.1.0
Verify software, firmware and information integrity CMA_0542 - Verify software, firmware and information integrity Manual, Disabled 1.1.0
View and configure system diagnostic data CMA_0544 - View and configure system diagnostic data Manual, Disabled 1.1.0

0709.10m1Organizational.1-10.m 10.06 Technical Vulnerability Management

ID: 0709.10m1Organizational.1-10.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
A vulnerability assessment solution should be enabled on your virtual machines Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. AuditIfNotExists, Disabled 3.0.0
Assess Security Controls CMA_C1145 - Assess Security Controls Manual, Disabled 1.1.0
Deliver security assessment results CMA_C1147 - Deliver security assessment results Manual, Disabled 1.1.0
Develop security assessment plan CMA_C1144 - Develop security assessment plan Manual, Disabled 1.1.0
Produce Security Assessment report CMA_C1146 - Produce Security Assessment report Manual, Disabled 1.1.0
Select additional testing for security control assessments CMA_C1149 - Select additional testing for security control assessments Manual, Disabled 1.1.0
SQL databases should have vulnerability findings resolved Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. AuditIfNotExists, Disabled 4.1.0
Vulnerabilities in security configuration on your machines should be remediated Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 3.1.0
Vulnerability assessment should be enabled on SQL Managed Instance Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. AuditIfNotExists, Disabled 1.0.1
Vulnerability assessment should be enabled on your SQL servers Audit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. AuditIfNotExists, Disabled 3.0.0
Windows machines should meet requirements for 'Security Options - Microsoft Network Server' Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Server' for disabling SMB v1 server. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0

0710.10m2Organizational.1-10.m 10.06 Technical Vulnerability Management

ID: 0710.10m2Organizational.1-10.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure actions for noncompliant devices CMA_0062 - Configure actions for noncompliant devices Manual, Disabled 1.1.0
Develop and maintain baseline configurations CMA_0153 - Develop and maintain baseline configurations Manual, Disabled 1.1.0
Enforce security configuration settings CMA_0249 - Enforce security configuration settings Manual, Disabled 1.1.0
Establish a configuration control board CMA_0254 - Establish a configuration control board Manual, Disabled 1.1.0
Establish and document a configuration management plan CMA_0264 - Establish and document a configuration management plan Manual, Disabled 1.1.0
Govern compliance of cloud service providers CMA_0290 - Govern compliance of cloud service providers Manual, Disabled 1.1.0
Implement an automated configuration management tool CMA_0311 - Implement an automated configuration management tool Manual, Disabled 1.1.0
View and configure system diagnostic data CMA_0544 - View and configure system diagnostic data Manual, Disabled 1.1.0
Vulnerability assessment should be enabled on SQL Managed Instance Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. AuditIfNotExists, Disabled 1.0.1

0711.10m2Organizational.23-10.m 10.06 Technical Vulnerability Management

ID: 0711.10m2Organizational.23-10.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
A vulnerability assessment solution should be enabled on your virtual machines Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. AuditIfNotExists, Disabled 3.0.0
Observe and report security weaknesses CMA_0384 - Observe and report security weaknesses Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Perform threat modeling CMA_0392 - Perform threat modeling Manual, Disabled 1.1.0

0712.10m2Organizational.4-10.m 10.06 Technical Vulnerability Management

ID: 0712.10m2Organizational.4-10.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Employ independent team for penetration testing CMA_C1171 - Employ independent team for penetration testing Manual, Disabled 1.1.0
Select additional testing for security control assessments CMA_C1149 - Select additional testing for security control assessments Manual, Disabled 1.1.0

0713.10m2Organizational.5-10.m 10.06 Technical Vulnerability Management

ID: 0713.10m2Organizational.5-10.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Automate flaw remediation CMA_0027 - Automate flaw remediation Manual, Disabled 1.1.0
Establish benchmarks for flaw remediation CMA_C1675 - Establish benchmarks for flaw remediation Manual, Disabled 1.1.0
Incorporate flaw remediation into configuration management CMA_C1671 - Incorporate flaw remediation into configuration management Manual, Disabled 1.1.0
Measure the time between flaw identification and flaw remediation CMA_C1674 - Measure the time between flaw identification and flaw remediation Manual, Disabled 1.1.0
Vulnerabilities in security configuration on your machines should be remediated Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 3.1.0

0714.10m2Organizational.7-10.m 10.06 Technical Vulnerability Management

ID: 0714.10m2Organizational.7-10.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit privileged functions CMA_0019 - Audit privileged functions Manual, Disabled 1.1.0
Audit user account status CMA_0020 - Audit user account status Manual, Disabled 1.1.0
Correlate audit records CMA_0087 - Correlate audit records Manual, Disabled 1.1.0
Determine auditable events CMA_0137 - Determine auditable events Manual, Disabled 1.1.0
Establish requirements for audit review and reporting CMA_0277 - Establish requirements for audit review and reporting Manual, Disabled 1.1.0
Implement privileged access for executing vulnerability scanning activities CMA_C1555 - Implement privileged access for executing vulnerability scanning activities Manual, Disabled 1.1.0
Integrate audit review, analysis, and reporting CMA_0339 - Integrate audit review, analysis, and reporting Manual, Disabled 1.1.0
Integrate cloud app security with a siem CMA_0340 - Integrate cloud app security with a siem Manual, Disabled 1.1.0
Observe and report security weaknesses CMA_0384 - Observe and report security weaknesses Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Perform threat modeling CMA_0392 - Perform threat modeling Manual, Disabled 1.1.0
Review account provisioning logs CMA_0460 - Review account provisioning logs Manual, Disabled 1.1.0
Review administrator assignments weekly CMA_0461 - Review administrator assignments weekly Manual, Disabled 1.1.0
Review audit data CMA_0466 - Review audit data Manual, Disabled 1.1.0
Review cloud identity report overview CMA_0468 - Review cloud identity report overview Manual, Disabled 1.1.0
Review controlled folder access events CMA_0471 - Review controlled folder access events Manual, Disabled 1.1.0
Review exploit protection events CMA_0472 - Review exploit protection events Manual, Disabled 1.1.0
Review file and folder activity CMA_0473 - Review file and folder activity Manual, Disabled 1.1.0
Review role group changes weekly CMA_0476 - Review role group changes weekly Manual, Disabled 1.1.0

0716.10m3Organizational.1-10.m 10.06 Technical Vulnerability Management

ID: 0716.10m3Organizational.1-10.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Assess Security Controls CMA_C1145 - Assess Security Controls Manual, Disabled 1.1.0
Deliver security assessment results CMA_C1147 - Deliver security assessment results Manual, Disabled 1.1.0
Develop security assessment plan CMA_C1144 - Develop security assessment plan Manual, Disabled 1.1.0
Produce Security Assessment report CMA_C1146 - Produce Security Assessment report Manual, Disabled 1.1.0
SQL databases should have vulnerability findings resolved Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. AuditIfNotExists, Disabled 4.1.0

0717.10m3Organizational.2-10.m 10.06 Technical Vulnerability Management

ID: 0717.10m3Organizational.2-10.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Observe and report security weaknesses CMA_0384 - Observe and report security weaknesses Manual, Disabled 1.1.0
Perform threat modeling CMA_0392 - Perform threat modeling Manual, Disabled 1.1.0

0718.10m3Organizational.34-10.m 10.06 Technical Vulnerability Management

ID: 0718.10m3Organizational.34-10.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Automate flaw remediation CMA_0027 - Automate flaw remediation Manual, Disabled 1.1.0
Observe and report security weaknesses CMA_0384 - Observe and report security weaknesses Manual, Disabled 1.1.0
Perform threat modeling CMA_0392 - Perform threat modeling Manual, Disabled 1.1.0
Vulnerabilities in security configuration on your machines should be remediated Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 3.1.0

0719.10m3Organizational.5-10.m 10.06 Technical Vulnerability Management

ID: 0719.10m3Organizational.5-10.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Observe and report security weaknesses CMA_0384 - Observe and report security weaknesses Manual, Disabled 1.1.0
Perform threat modeling CMA_0392 - Perform threat modeling Manual, Disabled 1.1.0
Vulnerability assessment should be enabled on SQL Managed Instance Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. AuditIfNotExists, Disabled 1.0.1

0720.07a1Organizational.4-07.a 07.01 Responsibility for Assets

ID: 0720.07a1Organizational.4-07.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Create a data inventory CMA_0096 - Create a data inventory Manual, Disabled 1.1.0
Maintain records of processing of personal data CMA_0353 - Maintain records of processing of personal data Manual, Disabled 1.1.0

0722.07a1Organizational.67-07.a 07.01 Responsibility for Assets

ID: 0722.07a1Organizational.67-07.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Require compliance with intellectual property rights CMA_0432 - Require compliance with intellectual property rights Manual, Disabled 1.1.0
Restrict use of open source software CMA_C1237 - Restrict use of open source software Manual, Disabled 1.1.0
Track software license usage CMA_C1235 - Track software license usage Manual, Disabled 1.1.0

0723.07a1Organizational.8-07.a 07.01 Responsibility for Assets

ID: 0723.07a1Organizational.8-07.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Review and update media protection policies and procedures CMA_C1427 - Review and update media protection policies and procedures Manual, Disabled 1.1.0

0724.07a3Organizational.4-07.a 07.01 Responsibility for Assets

ID: 0724.07a3Organizational.4-07.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Enable detection of network devices CMA_0220 - Enable detection of network devices Manual, Disabled 1.1.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Review malware detections report weekly CMA_0475 - Review malware detections report weekly Manual, Disabled 1.1.0
Review threat protection status weekly CMA_0479 - Review threat protection status weekly Manual, Disabled 1.1.0
Set automated notifications for new and trending cloud applications in your organization CMA_0495 - Set automated notifications for new and trending cloud applications in your organization Manual, Disabled 1.1.0
Update antivirus definitions CMA_0517 - Update antivirus definitions Manual, Disabled 1.1.0

0725.07a3Organizational.5-07.a 07.01 Responsibility for Assets

ID: 0725.07a3Organizational.5-07.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Create a data inventory CMA_0096 - Create a data inventory Manual, Disabled 1.1.0
Establish and maintain an asset inventory CMA_0266 - Establish and maintain an asset inventory Manual, Disabled 1.1.0
Maintain records of processing of personal data CMA_0353 - Maintain records of processing of personal data Manual, Disabled 1.1.0

0733.10b2System.4-10.b 10.02 Correct Processing in Applications

ID: 0733.10b2System.4-10.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Perform information input validation CMA_C1723 - Perform information input validation Manual, Disabled 1.1.0
Verify software, firmware and information integrity CMA_0542 - Verify software, firmware and information integrity Manual, Disabled 1.1.0

0786.10m2Organizational.13-10.m 10.06 Technical Vulnerability Management

ID: 0786.10m2Organizational.13-10.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Incorporate flaw remediation into configuration management CMA_C1671 - Incorporate flaw remediation into configuration management Manual, Disabled 1.1.0

0787.10m2Organizational.14-10.m 10.06 Technical Vulnerability Management

ID: 0787.10m2Organizational.14-10.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Automate flaw remediation CMA_0027 - Automate flaw remediation Manual, Disabled 1.1.0
Establish benchmarks for flaw remediation CMA_C1675 - Establish benchmarks for flaw remediation Manual, Disabled 1.1.0
Incorporate flaw remediation into configuration management CMA_C1671 - Incorporate flaw remediation into configuration management Manual, Disabled 1.1.0
Measure the time between flaw identification and flaw remediation CMA_C1674 - Measure the time between flaw identification and flaw remediation Manual, Disabled 1.1.0

0788.10m3Organizational.20-10.m 10.06 Technical Vulnerability Management

ID: 0788.10m3Organizational.20-10.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Employ independent team for penetration testing CMA_C1171 - Employ independent team for penetration testing Manual, Disabled 1.1.0

0790.10m3Organizational.22-10.m 10.06 Technical Vulnerability Management

ID: 0790.10m3Organizational.22-10.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit privileged functions CMA_0019 - Audit privileged functions Manual, Disabled 1.1.0
Audit user account status CMA_0020 - Audit user account status Manual, Disabled 1.1.0
Correlate audit records CMA_0087 - Correlate audit records Manual, Disabled 1.1.0
Determine auditable events CMA_0137 - Determine auditable events Manual, Disabled 1.1.0
Establish requirements for audit review and reporting CMA_0277 - Establish requirements for audit review and reporting Manual, Disabled 1.1.0
Integrate audit review, analysis, and reporting CMA_0339 - Integrate audit review, analysis, and reporting Manual, Disabled 1.1.0
Integrate cloud app security with a siem CMA_0340 - Integrate cloud app security with a siem Manual, Disabled 1.1.0
Observe and report security weaknesses CMA_0384 - Observe and report security weaknesses Manual, Disabled 1.1.0
Perform threat modeling CMA_0392 - Perform threat modeling Manual, Disabled 1.1.0
Review account provisioning logs CMA_0460 - Review account provisioning logs Manual, Disabled 1.1.0
Review administrator assignments weekly CMA_0461 - Review administrator assignments weekly Manual, Disabled 1.1.0
Review audit data CMA_0466 - Review audit data Manual, Disabled 1.1.0
Review cloud identity report overview CMA_0468 - Review cloud identity report overview Manual, Disabled 1.1.0
Review controlled folder access events CMA_0471 - Review controlled folder access events Manual, Disabled 1.1.0
Review exploit protection events CMA_0472 - Review exploit protection events Manual, Disabled 1.1.0
Review file and folder activity CMA_0473 - Review file and folder activity Manual, Disabled 1.1.0
Review role group changes weekly CMA_0476 - Review role group changes weekly Manual, Disabled 1.1.0

0791.10b2Organizational.4-10.b 10.02 Correct Processing in Applications

ID: 0791.10b2Organizational.4-10.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Address coding vulnerabilities CMA_0003 - Address coding vulnerabilities Manual, Disabled 1.1.0
Develop and document application security requirements CMA_0148 - Develop and document application security requirements Manual, Disabled 1.1.0
Document the information system environment in acquisition contracts CMA_0205 - Document the information system environment in acquisition contracts Manual, Disabled 1.1.0
Establish a secure software development program CMA_0259 - Establish a secure software development program Manual, Disabled 1.1.0
Require developers to document approved changes and potential impact CMA_C1597 - Require developers to document approved changes and potential impact Manual, Disabled 1.1.0
Require developers to implement only approved changes CMA_C1596 - Require developers to implement only approved changes Manual, Disabled 1.1.0
Require developers to manage change integrity CMA_C1595 - Require developers to manage change integrity Manual, Disabled 1.1.0
Verify software, firmware and information integrity CMA_0542 - Verify software, firmware and information integrity Manual, Disabled 1.1.0

08 Network Protection

0805.01m1Organizational.12-01.m 01.04 Network Access Control

ID: 0805.01m1Organizational.12-01.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Container Registry should use a virtual network service endpoint This policy audits any Container Registry not configured to use a virtual network service endpoint. Audit, Disabled 1.0.0-preview
App Service apps should use a virtual network service endpoint Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit https://aka.ms/appservice-vnet-service-endpoint. AuditIfNotExists, Disabled 2.0.1
Cosmos DB should use a virtual network service endpoint This policy audits any Cosmos DB not configured to use a virtual network service endpoint. Audit, Disabled 1.0.0
Event Hub should use a virtual network service endpoint This policy audits any Event Hub not configured to use a virtual network service endpoint. AuditIfNotExists, Disabled 1.0.0
Gateway subnets should not be configured with a network security group This policy denies if a gateway subnet is configured with a network security group. Assigning a network security group to a gateway subnet will cause the gateway to stop functioning. deny 1.0.0
Implement system boundary protection CMA_0328 - Implement system boundary protection Manual, Disabled 1.1.0
Internet-facing virtual machines should be protected with network security groups Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc AuditIfNotExists, Disabled 3.0.0
Key Vault should use a virtual network service endpoint This policy audits any Key Vault not configured to use a virtual network service endpoint. Audit, Disabled 1.0.0
SQL Server should use a virtual network service endpoint This policy audits any SQL Server not configured to use a virtual network service endpoint. AuditIfNotExists, Disabled 1.0.0
Storage Accounts should use a virtual network service endpoint This policy audits any Storage Account not configured to use a virtual network service endpoint. Audit, Disabled 1.0.0
Subnets should be associated with a Network Security Group Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. AuditIfNotExists, Disabled 3.0.0
Virtual machines should be connected to an approved virtual network This policy audits any virtual machine connected to a virtual network that is not approved. Audit, Deny, Disabled 1.0.0

0806.01m2Organizational.12356-01.m 01.04 Network Access Control

ID: 0806.01m2Organizational.12356-01.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Container Registry should use a virtual network service endpoint This policy audits any Container Registry not configured to use a virtual network service endpoint. Audit, Disabled 1.0.0-preview
App Service apps should use a virtual network service endpoint Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit https://aka.ms/appservice-vnet-service-endpoint. AuditIfNotExists, Disabled 2.0.1
Cosmos DB should use a virtual network service endpoint This policy audits any Cosmos DB not configured to use a virtual network service endpoint. Audit, Disabled 1.0.0
Event Hub should use a virtual network service endpoint This policy audits any Event Hub not configured to use a virtual network service endpoint. AuditIfNotExists, Disabled 1.0.0
Gateway subnets should not be configured with a network security group This policy denies if a gateway subnet is configured with a network security group. Assigning a network security group to a gateway subnet will cause the gateway to stop functioning. deny 1.0.0
Implement system boundary protection CMA_0328 - Implement system boundary protection Manual, Disabled 1.1.0
Internet-facing virtual machines should be protected with network security groups Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc AuditIfNotExists, Disabled 3.0.0
Isolate SecurID systems, Security Incident Management systems CMA_C1636 - Isolate SecurID systems, Security Incident Management systems Manual, Disabled 1.1.0
Key Vault should use a virtual network service endpoint This policy audits any Key Vault not configured to use a virtual network service endpoint. Audit, Disabled 1.0.0
SQL Server should use a virtual network service endpoint This policy audits any SQL Server not configured to use a virtual network service endpoint. AuditIfNotExists, Disabled 1.0.0
Storage Accounts should use a virtual network service endpoint This policy audits any Storage Account not configured to use a virtual network service endpoint. Audit, Disabled 1.0.0
Subnets should be associated with a Network Security Group Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. AuditIfNotExists, Disabled 3.0.0
Virtual machines should be connected to an approved virtual network This policy audits any virtual machine connected to a virtual network that is not approved. Audit, Deny, Disabled 1.0.0

0808.10b2System.3-10.b 10.02 Correct Processing in Applications

ID: 0808.10b2System.3-10.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Implement system boundary protection CMA_0328 - Implement system boundary protection Manual, Disabled 1.1.0
Route traffic through authenticated proxy network CMA_C1633 - Route traffic through authenticated proxy network Manual, Disabled 1.1.0

0809.01n2Organizational.1234-01.n 01.04 Network Access Control

ID: 0809.01n2Organizational.1234-01.n Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
App Service apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled, Deny 4.0.0
App Service apps should use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. AuditIfNotExists, Disabled 2.0.1
Authorize, monitor, and control voip CMA_0025 - Authorize, monitor, and control voip Manual, Disabled 1.1.0
Enforce SSL connection should be enabled for MySQL database servers Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Audit, Disabled 1.0.1
Enforce SSL connection should be enabled for PostgreSQL database servers Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Audit, Disabled 1.0.1
Function apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled, Deny 5.0.0
Function apps should use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. AuditIfNotExists, Disabled 2.0.1
Implement managed interface for each external service CMA_C1626 - Implement managed interface for each external service Manual, Disabled 1.1.0
Implement system boundary protection CMA_0328 - Implement system boundary protection Manual, Disabled 1.1.0
Internet-facing virtual machines should be protected with network security groups Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc AuditIfNotExists, Disabled 3.0.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Only secure connections to your Azure Cache for Redis should be enabled Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Audit, Deny, Disabled 1.0.0
Route traffic through managed network access points CMA_0484 - Route traffic through managed network access points Manual, Disabled 1.1.0
Secure the interface to external systems CMA_0491 - Secure the interface to external systems Manual, Disabled 1.1.0
Secure transfer to storage accounts should be enabled Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Audit, Deny, Disabled 2.0.0
Subnets should be associated with a Network Security Group Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. AuditIfNotExists, Disabled 3.0.0
Virtual machines should be connected to an approved virtual network This policy audits any virtual machine connected to a virtual network that is not approved. Audit, Deny, Disabled 1.0.0

0810.01n2Organizational.5-01.n 01.04 Network Access Control

ID: 0810.01n2Organizational.5-01.n Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
App Service apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled, Deny 4.0.0
App Service apps should use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. AuditIfNotExists, Disabled 2.0.1
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0
Enforce SSL connection should be enabled for MySQL database servers Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Audit, Disabled 1.0.1
Enforce SSL connection should be enabled for PostgreSQL database servers Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Audit, Disabled 1.0.1
Function apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled, Deny 5.0.0
Function apps should use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. AuditIfNotExists, Disabled 2.0.1
Internet-facing virtual machines should be protected with network security groups Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc AuditIfNotExists, Disabled 3.0.0
Only secure connections to your Azure Cache for Redis should be enabled Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Audit, Deny, Disabled 1.0.0
Produce, control and distribute asymmetric cryptographic keys CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0
Secure transfer to storage accounts should be enabled Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Audit, Deny, Disabled 2.0.0
Subnets should be associated with a Network Security Group Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. AuditIfNotExists, Disabled 3.0.0
Virtual machines should be connected to an approved virtual network This policy audits any virtual machine connected to a virtual network that is not approved. Audit, Deny, Disabled 1.0.0

08101.09m2Organizational.14-09.m 09.06 Network Security Management

ID: 08101.09m2Organizational.14-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Employ a media sanitization mechanism CMA_0208 - Employ a media sanitization mechanism Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Implement system boundary protection CMA_0328 - Implement system boundary protection Manual, Disabled 1.1.0
Manage the transportation of assets CMA_0370 - Manage the transportation of assets Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0
Secure the interface to external systems CMA_0491 - Secure the interface to external systems Manual, Disabled 1.1.0

08102.09nCSPOrganizational.1-09.n 09.06 Network Security Management

ID: 08102.09nCSPOrganizational.1-09.n Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Implement system boundary protection CMA_0328 - Implement system boundary protection Manual, Disabled 1.1.0
Secure the interface to external systems CMA_0491 - Secure the interface to external systems Manual, Disabled 1.1.0

0811.01n2Organizational.6-01.n 01.04 Network Access Control

ID: 0811.01n2Organizational.6-01.n Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
App Service apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled, Deny 4.0.0
App Service apps should use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. AuditIfNotExists, Disabled 2.0.1
Authorize, monitor, and control voip CMA_0025 - Authorize, monitor, and control voip Manual, Disabled 1.1.0
Control information flow CMA_0079 - Control information flow Manual, Disabled 1.1.0
Determine information protection needs CMA_C1750 - Determine information protection needs Manual, Disabled 1.1.0
Employ flow control mechanisms of encrypted information CMA_0211 - Employ flow control mechanisms of encrypted information Manual, Disabled 1.1.0
Enforce SSL connection should be enabled for MySQL database servers Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Audit, Disabled 1.0.1
Enforce SSL connection should be enabled for PostgreSQL database servers Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Audit, Disabled 1.0.1
Establish firewall and router configuration standards CMA_0272 - Establish firewall and router configuration standards Manual, Disabled 1.1.0
Establish network segmentation for card holder data environment CMA_0273 - Establish network segmentation for card holder data environment Manual, Disabled 1.1.0
Function apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled, Deny 5.0.0
Function apps should use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. AuditIfNotExists, Disabled 2.0.1
Identify and manage downstream information exchanges CMA_0298 - Identify and manage downstream information exchanges Manual, Disabled 1.1.0
Implement managed interface for each external service CMA_C1626 - Implement managed interface for each external service Manual, Disabled 1.1.0
Implement system boundary protection CMA_0328 - Implement system boundary protection Manual, Disabled 1.1.0
Information flow control using security policy filters CMA_C1029 - Information flow control using security policy filters Manual, Disabled 1.1.0
Internet-facing virtual machines should be protected with network security groups Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc AuditIfNotExists, Disabled 3.0.0
Only secure connections to your Azure Cache for Redis should be enabled Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Audit, Deny, Disabled 1.0.0
Route traffic through managed network access points CMA_0484 - Route traffic through managed network access points Manual, Disabled 1.1.0
Secure the interface to external systems CMA_0491 - Secure the interface to external systems Manual, Disabled 1.1.0
Secure transfer to storage accounts should be enabled Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Audit, Deny, Disabled 2.0.0
Subnets should be associated with a Network Security Group Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. AuditIfNotExists, Disabled 3.0.0
Virtual machines should be connected to an approved virtual network This policy audits any virtual machine connected to a virtual network that is not approved. Audit, Deny, Disabled 1.0.0

0812.01n2Organizational.8-01.n 01.04 Network Access Control

ID: 0812.01n2Organizational.8-01.n Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
App Service apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled, Deny 4.0.0
App Service apps should use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. AuditIfNotExists, Disabled 2.0.1
Enforce SSL connection should be enabled for MySQL database servers Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Audit, Disabled 1.0.1
Enforce SSL connection should be enabled for PostgreSQL database servers Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Audit, Disabled 1.0.1
Function apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled, Deny 5.0.0
Function apps should use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. AuditIfNotExists, Disabled 2.0.1
Internet-facing virtual machines should be protected with network security groups Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc AuditIfNotExists, Disabled 3.0.0
Only secure connections to your Azure Cache for Redis should be enabled Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Audit, Deny, Disabled 1.0.0
Prevent split tunneling for remote devices CMA_C1632 - Prevent split tunneling for remote devices Manual, Disabled 1.1.0
Secure transfer to storage accounts should be enabled Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Audit, Deny, Disabled 2.0.0
Subnets should be associated with a Network Security Group Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. AuditIfNotExists, Disabled 3.0.0
Virtual machines should be connected to an approved virtual network This policy audits any virtual machine connected to a virtual network that is not approved. Audit, Deny, Disabled 1.0.0

0814.01n1Organizational.12-01.n 01.04 Network Access Control

ID: 0814.01n1Organizational.12-01.n Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
App Service apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled, Deny 4.0.0
App Service apps should use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. AuditIfNotExists, Disabled 2.0.1
Enforce SSL connection should be enabled for MySQL database servers Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Audit, Disabled 1.0.1
Enforce SSL connection should be enabled for PostgreSQL database servers Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Audit, Disabled 1.0.1
Function apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled, Deny 5.0.0
Function apps should use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. AuditIfNotExists, Disabled 2.0.1
Internet-facing virtual machines should be protected with network security groups Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc AuditIfNotExists, Disabled 3.0.0
Only secure connections to your Azure Cache for Redis should be enabled Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Audit, Deny, Disabled 1.0.0
Secure transfer to storage accounts should be enabled Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Audit, Deny, Disabled 2.0.0
Subnets should be associated with a Network Security Group Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. AuditIfNotExists, Disabled 3.0.0
Virtual machines should be connected to an approved virtual network This policy audits any virtual machine connected to a virtual network that is not approved. Audit, Deny, Disabled 1.0.0

0815.01o2Organizational.123-01.o 01.04 Network Access Control

ID: 0815.01o2Organizational.123-01.o Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authorize, monitor, and control voip CMA_0025 - Authorize, monitor, and control voip Manual, Disabled 1.1.0
Implement system boundary protection CMA_0328 - Implement system boundary protection Manual, Disabled 1.1.0
Route traffic through authenticated proxy network CMA_C1633 - Route traffic through authenticated proxy network Manual, Disabled 1.1.0
Route traffic through managed network access points CMA_0484 - Route traffic through managed network access points Manual, Disabled 1.1.0

0816.01w1System.1-01.w 01.06 Application and Information Access Control

ID: 0816.01w1System.1-01.w Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop SSP that meets criteria CMA_C1492 - Develop SSP that meets criteria Manual, Disabled 1.1.0
Distribute information system documentation CMA_C1584 - Distribute information system documentation Manual, Disabled 1.1.0
Document customer-defined actions CMA_C1582 - Document customer-defined actions Manual, Disabled 1.1.0
Obtain Admin documentation CMA_C1580 - Obtain Admin documentation Manual, Disabled 1.1.0
Obtain user security function documentation CMA_C1581 - Obtain user security function documentation Manual, Disabled 1.1.0
Protect administrator and user documentation CMA_C1583 - Protect administrator and user documentation Manual, Disabled 1.1.0

0817.01w2System.123-01.w 01.06 Application and Information Access Control

ID: 0817.01w2System.123-01.w Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adopt biometric authentication mechanisms CMA_0005 - Adopt biometric authentication mechanisms Manual, Disabled 1.1.0
Authorize remote access CMA_0024 - Authorize remote access Manual, Disabled 1.1.0
Control information flow CMA_0079 - Control information flow Manual, Disabled 1.1.0
Employ boundary protection to isolate information systems CMA_C1639 - Employ boundary protection to isolate information systems Manual, Disabled 1.1.0
Ensure system capable of dynamic isolation of resources CMA_C1638 - Ensure system capable of dynamic isolation of resources Manual, Disabled 1.1.0
Establish firewall and router configuration standards CMA_0272 - Establish firewall and router configuration standards Manual, Disabled 1.1.0
Establish network segmentation for card holder data environment CMA_0273 - Establish network segmentation for card holder data environment Manual, Disabled 1.1.0
Identify and manage downstream information exchanges CMA_0298 - Identify and manage downstream information exchanges Manual, Disabled 1.1.0
Implement system boundary protection CMA_0328 - Implement system boundary protection Manual, Disabled 1.1.0
Isolate SecurID systems, Security Incident Management systems CMA_C1636 - Isolate SecurID systems, Security Incident Management systems Manual, Disabled 1.1.0
Maintain separate execution domains for running processes CMA_C1665 - Maintain separate execution domains for running processes Manual, Disabled 1.1.0
Separate user and information system management functionality CMA_0493 - Separate user and information system management functionality Manual, Disabled 1.1.0
Use dedicated machines for administrative tasks CMA_0527 - Use dedicated machines for administrative tasks Manual, Disabled 1.1.0

0818.01w3System.12-01.w 01.06 Application and Information Access Control

ID: 0818.01w3System.12-01.w Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Govern the allocation of resources CMA_0293 - Govern the allocation of resources Manual, Disabled 1.1.0
Maintain separate execution domains for running processes CMA_C1665 - Maintain separate execution domains for running processes Manual, Disabled 1.1.0
Manage availability and capacity CMA_0356 - Manage availability and capacity Manual, Disabled 1.1.0
Secure commitment from leadership CMA_0489 - Secure commitment from leadership Manual, Disabled 1.1.0

0819.09m1Organizational.23-09.m 09.06 Network Security Management

ID: 0819.09m1Organizational.23-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Check for privacy and security compliance before establishing internal connections CMA_0053 - Check for privacy and security compliance before establishing internal connections Manual, Disabled 1.1.0
Require interconnection security agreements CMA_C1151 - Require interconnection security agreements Manual, Disabled 1.1.0

0821.09m2Organizational.2-09.m 09.06 Network Security Management

ID: 0821.09m2Organizational.2-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Conduct a security impact analysis CMA_0057 - Conduct a security impact analysis Manual, Disabled 1.1.0
Configure actions for noncompliant devices CMA_0062 - Configure actions for noncompliant devices Manual, Disabled 1.1.0
Create configuration plan protection CMA_C1233 - Create configuration plan protection Manual, Disabled 1.1.0
Develop and maintain a vulnerability management standard CMA_0152 - Develop and maintain a vulnerability management standard Manual, Disabled 1.1.0
Develop and maintain baseline configurations CMA_0153 - Develop and maintain baseline configurations Manual, Disabled 1.1.0
Develop configuration item identification plan CMA_C1231 - Develop configuration item identification plan Manual, Disabled 1.1.0
Develop configuration management plan CMA_C1232 - Develop configuration management plan Manual, Disabled 1.1.0
Enforce security configuration settings CMA_0249 - Enforce security configuration settings Manual, Disabled 1.1.0
Establish a configuration control board CMA_0254 - Establish a configuration control board Manual, Disabled 1.1.0
Establish a risk management strategy CMA_0258 - Establish a risk management strategy Manual, Disabled 1.1.0
Establish and document a configuration management plan CMA_0264 - Establish and document a configuration management plan Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Establish configuration management requirements for developers CMA_0270 - Establish configuration management requirements for developers Manual, Disabled 1.1.0
Implement an automated configuration management tool CMA_0311 - Implement an automated configuration management tool Manual, Disabled 1.1.0
Perform a privacy impact assessment CMA_0387 - Perform a privacy impact assessment Manual, Disabled 1.1.0
Perform a risk assessment CMA_0388 - Perform a risk assessment Manual, Disabled 1.1.0
Perform audit for configuration change control CMA_0390 - Perform audit for configuration change control Manual, Disabled 1.1.0
Review changes for any unauthorized changes CMA_C1204 - Review changes for any unauthorized changes Manual, Disabled 1.1.0

0822.09m2Organizational.4-09.m 09.06 Network Security Management

ID: 0822.09m2Organizational.4-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authorize, monitor, and control voip CMA_0025 - Authorize, monitor, and control voip Manual, Disabled 1.1.0
Control information flow CMA_0079 - Control information flow Manual, Disabled 1.1.0
Employ flow control mechanisms of encrypted information CMA_0211 - Employ flow control mechanisms of encrypted information Manual, Disabled 1.1.0
Implement managed interface for each external service CMA_C1626 - Implement managed interface for each external service Manual, Disabled 1.1.0
Implement system boundary protection CMA_0328 - Implement system boundary protection Manual, Disabled 1.1.0
Route traffic through authenticated proxy network CMA_C1633 - Route traffic through authenticated proxy network Manual, Disabled 1.1.0
Route traffic through managed network access points CMA_0484 - Route traffic through managed network access points Manual, Disabled 1.1.0

0824.09m3Organizational.1-09.m 09.06 Network Security Management

ID: 0824.09m3Organizational.1-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Conduct Risk Assessment CMA_C1543 - Conduct Risk Assessment Manual, Disabled 1.1.0
Conduct risk assessment and distribute its results CMA_C1544 - Conduct risk assessment and distribute its results Manual, Disabled 1.1.0
Conduct risk assessment and document its results CMA_C1542 - Conduct risk assessment and document its results Manual, Disabled 1.1.0
Configure detection whitelist CMA_0068 - Configure detection whitelist Manual, Disabled 1.1.0
Establish an alternate processing site CMA_0262 - Establish an alternate processing site Manual, Disabled 1.1.0
Perform a risk assessment CMA_0388 - Perform a risk assessment Manual, Disabled 1.1.0
Plan for resumption of essential business functions CMA_C1253 - Plan for resumption of essential business functions Manual, Disabled 1.1.0
Separately store backup information CMA_C1293 - Separately store backup information Manual, Disabled 1.1.0
Turn on sensors for endpoint security solution CMA_0514 - Turn on sensors for endpoint security solution Manual, Disabled 1.1.0
Undergo independent security review CMA_0515 - Undergo independent security review Manual, Disabled 1.1.0

0825.09m3Organizational.23-09.m 09.06 Network Security Management

ID: 0825.09m3Organizational.23-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authorize, monitor, and control voip CMA_0025 - Authorize, monitor, and control voip Manual, Disabled 1.1.0
Detect network services that have not been authorized or approved CMA_C1700 - Detect network services that have not been authorized or approved Manual, Disabled 1.1.0
Document wireless access security controls CMA_C1695 - Document wireless access security controls Manual, Disabled 1.1.0
Implement system boundary protection CMA_0328 - Implement system boundary protection Manual, Disabled 1.1.0
Obtain legal opinion for monitoring system activities CMA_C1688 - Obtain legal opinion for monitoring system activities Manual, Disabled 1.1.0
Provide monitoring information as needed CMA_C1689 - Provide monitoring information as needed Manual, Disabled 1.1.0
Route traffic through managed network access points CMA_0484 - Route traffic through managed network access points Manual, Disabled 1.1.0

0826.09m3Organizational.45-09.m 09.06 Network Security Management

ID: 0826.09m3Organizational.45-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Implement managed interface for each external service CMA_C1626 - Implement managed interface for each external service Manual, Disabled 1.1.0
Implement system boundary protection CMA_0328 - Implement system boundary protection Manual, Disabled 1.1.0
Secure the interface to external systems CMA_0491 - Secure the interface to external systems Manual, Disabled 1.1.0

0828.09m3Organizational.8-09.m 09.06 Network Security Management

ID: 0828.09m3Organizational.8-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Review changes for any unauthorized changes CMA_C1204 - Review changes for any unauthorized changes Manual, Disabled 1.1.0

0829.09m3Organizational.911-09.m 09.06 Network Security Management

ID: 0829.09m3Organizational.911-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Implement managed interface for each external service CMA_C1626 - Implement managed interface for each external service Manual, Disabled 1.1.0
Implement system boundary protection CMA_0328 - Implement system boundary protection Manual, Disabled 1.1.0

0830.09m3Organizational.1012-09.m 09.06 Network Security Management

ID: 0830.09m3Organizational.1012-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adopt biometric authentication mechanisms CMA_0005 - Adopt biometric authentication mechanisms Manual, Disabled 1.1.0
Authorize, monitor, and control voip CMA_0025 - Authorize, monitor, and control voip Manual, Disabled 1.1.0
Enforce user uniqueness CMA_0250 - Enforce user uniqueness Manual, Disabled 1.1.0
Implement managed interface for each external service CMA_C1626 - Implement managed interface for each external service Manual, Disabled 1.1.0
Implement system boundary protection CMA_0328 - Implement system boundary protection Manual, Disabled 1.1.0
Route traffic through managed network access points CMA_0484 - Route traffic through managed network access points Manual, Disabled 1.1.0
Secure the interface to external systems CMA_0491 - Secure the interface to external systems Manual, Disabled 1.1.0
Support personal verification credentials issued by legal authorities CMA_0507 - Support personal verification credentials issued by legal authorities Manual, Disabled 1.1.0

0832.09m3Organizational.14-09.m 09.06 Network Security Management

ID: 0832.09m3Organizational.14-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Implement a fault tolerant name/address service CMA_0305 - Implement a fault tolerant name/address service Manual, Disabled 1.1.0
Require interconnection security agreements CMA_C1151 - Require interconnection security agreements Manual, Disabled 1.1.0
Update interconnection security agreements CMA_0519 - Update interconnection security agreements Manual, Disabled 1.1.0

0835.09n1Organizational.1-09.n 09.06 Network Security Management

ID: 0835.09n1Organizational.1-09.n Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Network traffic data collection agent should be installed on Windows virtual machines Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. AuditIfNotExists, Disabled 1.0.2-preview
Configure detection whitelist CMA_0068 - Configure detection whitelist Manual, Disabled 1.1.0
Require interconnection security agreements CMA_C1151 - Require interconnection security agreements Manual, Disabled 1.1.0
Secure the interface to external systems CMA_0491 - Secure the interface to external systems Manual, Disabled 1.1.0
Turn on sensors for endpoint security solution CMA_0514 - Turn on sensors for endpoint security solution Manual, Disabled 1.1.0
Undergo independent security review CMA_0515 - Undergo independent security review Manual, Disabled 1.1.0
Virtual machines should be migrated to new Azure Resource Manager resources Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management Audit, Deny, Disabled 1.0.0

0836.09.n2Organizational.1-09.n 09.06 Network Security Management

ID: 0836.09.n2Organizational.1-09.n Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Network traffic data collection agent should be installed on Linux virtual machines Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. AuditIfNotExists, Disabled 1.0.2-preview
Check for privacy and security compliance before establishing internal connections CMA_0053 - Check for privacy and security compliance before establishing internal connections Manual, Disabled 1.1.0
Require interconnection security agreements CMA_C1151 - Require interconnection security agreements Manual, Disabled 1.1.0
Update interconnection security agreements CMA_0519 - Update interconnection security agreements Manual, Disabled 1.1.0

0837.09.n2Organizational.2-09.n 09.06 Network Security Management

ID: 0837.09.n2Organizational.2-09.n Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define and document government oversight CMA_C1587 - Define and document government oversight Manual, Disabled 1.1.0
Determine supplier contract obligations CMA_0140 - Determine supplier contract obligations Manual, Disabled 1.1.0
Document acquisition contract acceptance criteria CMA_0187 - Document acquisition contract acceptance criteria Manual, Disabled 1.1.0
Document protection of personal data in acquisition contracts CMA_0194 - Document protection of personal data in acquisition contracts Manual, Disabled 1.1.0
Document protection of security information in acquisition contracts CMA_0195 - Document protection of security information in acquisition contracts Manual, Disabled 1.1.0
Document requirements for the use of shared data in contracts CMA_0197 - Document requirements for the use of shared data in contracts Manual, Disabled 1.1.0
Document security assurance requirements in acquisition contracts CMA_0199 - Document security assurance requirements in acquisition contracts Manual, Disabled 1.1.0
Document security documentation requirements in acquisition contract CMA_0200 - Document security documentation requirements in acquisition contract Manual, Disabled 1.1.0
Document security functional requirements in acquisition contracts CMA_0201 - Document security functional requirements in acquisition contracts Manual, Disabled 1.1.0
Document security strength requirements in acquisition contracts CMA_0203 - Document security strength requirements in acquisition contracts Manual, Disabled 1.1.0
Document the information system environment in acquisition contracts CMA_0205 - Document the information system environment in acquisition contracts Manual, Disabled 1.1.0
Document the protection of cardholder data in third party contracts CMA_0207 - Document the protection of cardholder data in third party contracts Manual, Disabled 1.1.0
Ensure external providers consistently meet interests of the customers CMA_C1592 - Ensure external providers consistently meet interests of the customers Manual, Disabled 1.1.0
Identify external service providers CMA_C1591 - Identify external service providers Manual, Disabled 1.1.0
Network Watcher should be enabled Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. AuditIfNotExists, Disabled 3.0.0
Require external service providers to comply with security requirements CMA_C1586 - Require external service providers to comply with security requirements Manual, Disabled 1.1.0
Require interconnection security agreements CMA_C1151 - Require interconnection security agreements Manual, Disabled 1.1.0
Review cloud service provider's compliance with policies and agreements CMA_0469 - Review cloud service provider's compliance with policies and agreements Manual, Disabled 1.1.0
Undergo independent security review CMA_0515 - Undergo independent security review Manual, Disabled 1.1.0
Update interconnection security agreements CMA_0519 - Update interconnection security agreements Manual, Disabled 1.1.0

0850.01o1Organizational.12-01.o 01.04 Network Access Control

ID: 0850.01o1Organizational.12-01.o Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Route traffic through authenticated proxy network CMA_C1633 - Route traffic through authenticated proxy network Manual, Disabled 1.1.0

0858.09m1Organizational.4-09.m 09.06 Network Security Management

ID: 0858.09m1Organizational.4-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
All network ports should be restricted on network security groups associated to your virtual machine Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. AuditIfNotExists, Disabled 3.0.0
Document and implement wireless access guidelines CMA_0190 - Document and implement wireless access guidelines Manual, Disabled 1.1.0
Document wireless access security controls CMA_C1695 - Document wireless access security controls Manual, Disabled 1.1.0
Identify and authenticate network devices CMA_0296 - Identify and authenticate network devices Manual, Disabled 1.1.0
Management ports of virtual machines should be protected with just-in-time network access control Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 3.0.0
Protect wireless access CMA_0411 - Protect wireless access Manual, Disabled 1.1.0
Windows machines should meet requirements for 'Windows Firewall Properties' Windows machines should have the specified Group Policy settings in the category 'Windows Firewall Properties' for firewall state, connections, rule management, and notifications. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0

0859.09m1Organizational.78-09.m 09.06 Network Security Management

ID: 0859.09m1Organizational.78-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control information flow CMA_0079 - Control information flow Manual, Disabled 1.1.0
Define access authorizations to support separation of duties CMA_0116 - Define access authorizations to support separation of duties Manual, Disabled 1.1.0
Document separation of duties CMA_0204 - Document separation of duties Manual, Disabled 1.1.0
Employ flow control mechanisms of encrypted information CMA_0211 - Employ flow control mechanisms of encrypted information Manual, Disabled 1.1.0
Establish firewall and router configuration standards CMA_0272 - Establish firewall and router configuration standards Manual, Disabled 1.1.0
Establish network segmentation for card holder data environment CMA_0273 - Establish network segmentation for card holder data environment Manual, Disabled 1.1.0
Identify and manage downstream information exchanges CMA_0298 - Identify and manage downstream information exchanges Manual, Disabled 1.1.0
Information flow control using security policy filters CMA_C1029 - Information flow control using security policy filters Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0
Review and update system and communications protection policies and procedures CMA_C1616 - Review and update system and communications protection policies and procedures Manual, Disabled 1.1.0
Secure the interface to external systems CMA_0491 - Secure the interface to external systems Manual, Disabled 1.1.0
Separate duties of individuals CMA_0492 - Separate duties of individuals Manual, Disabled 1.1.0

0860.09m1Organizational.9-09.m 09.06 Network Security Management

ID: 0860.09m1Organizational.9-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Deploy Diagnostic Settings for Network Security Groups This policy automatically deploys diagnostic settings to network security groups. A storage account with name '{storagePrefixParameter}{NSGLocation}' will be automatically created. deployIfNotExists 2.0.1
Establish an alternate processing site CMA_0262 - Establish an alternate processing site Manual, Disabled 1.1.0
Implement managed interface for each external service CMA_C1626 - Implement managed interface for each external service Manual, Disabled 1.1.0
Secure the interface to external systems CMA_0491 - Secure the interface to external systems Manual, Disabled 1.1.0
Separately store backup information CMA_C1293 - Separately store backup information Manual, Disabled 1.1.0

0861.09m2Organizational.67-09.m 09.06 Network Security Management

ID: 0861.09m2Organizational.67-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
App Service apps should use a virtual network service endpoint Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit https://aka.ms/appservice-vnet-service-endpoint. AuditIfNotExists, Disabled 2.0.1
Document and implement wireless access guidelines CMA_0190 - Document and implement wireless access guidelines Manual, Disabled 1.1.0
Document wireless access security controls CMA_C1695 - Document wireless access security controls Manual, Disabled 1.1.0
Identify and authenticate network devices CMA_0296 - Identify and authenticate network devices Manual, Disabled 1.1.0
Identify and authenticate non-organizational users CMA_C1346 - Identify and authenticate non-organizational users Manual, Disabled 1.1.0
Protect wireless access CMA_0411 - Protect wireless access Manual, Disabled 1.1.0
Windows machines should meet requirements for 'Security Options - Network Access' Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Access' for including access for anonymous users, local accounts, and remote access to the registry. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0

0862.09m2Organizational.8-09.m 09.06 Network Security Management

ID: 0862.09m2Organizational.8-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0
SQL Server should use a virtual network service endpoint This policy audits any SQL Server not configured to use a virtual network service endpoint. AuditIfNotExists, Disabled 1.0.0

0863.09m2Organizational.910-09.m 09.06 Network Security Management

ID: 0863.09m2Organizational.910-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Check for privacy and security compliance before establishing internal connections CMA_0053 - Check for privacy and security compliance before establishing internal connections Manual, Disabled 1.1.0
Conduct a security impact analysis CMA_0057 - Conduct a security impact analysis Manual, Disabled 1.1.0
Configure actions for noncompliant devices CMA_0062 - Configure actions for noncompliant devices Manual, Disabled 1.1.0
Develop a concept of operations (CONOPS) CMA_0141 - Develop a concept of operations (CONOPS) Manual, Disabled 1.1.0
Develop and establish a system security plan CMA_0151 - Develop and establish a system security plan Manual, Disabled 1.1.0
Develop and maintain a vulnerability management standard CMA_0152 - Develop and maintain a vulnerability management standard Manual, Disabled 1.1.0
Develop and maintain baseline configurations CMA_0153 - Develop and maintain baseline configurations Manual, Disabled 1.1.0
Develop configuration item identification plan CMA_C1231 - Develop configuration item identification plan Manual, Disabled 1.1.0
Develop information security policies and procedures CMA_0158 - Develop information security policies and procedures Manual, Disabled 1.1.0
Develop SSP that meets criteria CMA_C1492 - Develop SSP that meets criteria Manual, Disabled 1.1.0
Enforce security configuration settings CMA_0249 - Enforce security configuration settings Manual, Disabled 1.1.0
Establish a configuration control board CMA_0254 - Establish a configuration control board Manual, Disabled 1.1.0
Establish a privacy program CMA_0257 - Establish a privacy program Manual, Disabled 1.1.0
Establish a risk management strategy CMA_0258 - Establish a risk management strategy Manual, Disabled 1.1.0
Establish and document a configuration management plan CMA_0264 - Establish and document a configuration management plan Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Establish configuration management requirements for developers CMA_0270 - Establish configuration management requirements for developers Manual, Disabled 1.1.0
Establish security requirements for the manufacturing of connected devices CMA_0279 - Establish security requirements for the manufacturing of connected devices Manual, Disabled 1.1.0
Event Hub should use a virtual network service endpoint This policy audits any Event Hub not configured to use a virtual network service endpoint. AuditIfNotExists, Disabled 1.0.0
Implement an automated configuration management tool CMA_0311 - Implement an automated configuration management tool Manual, Disabled 1.1.0
Implement security engineering principles of information systems CMA_0325 - Implement security engineering principles of information systems Manual, Disabled 1.1.0
Perform a privacy impact assessment CMA_0387 - Perform a privacy impact assessment Manual, Disabled 1.1.0
Perform a risk assessment CMA_0388 - Perform a risk assessment Manual, Disabled 1.1.0
Perform audit for configuration change control CMA_0390 - Perform audit for configuration change control Manual, Disabled 1.1.0
Review and update the information security architecture CMA_C1504 - Review and update the information security architecture Manual, Disabled 1.1.0

0864.09m2Organizational.12-09.m 09.06 Network Security Management

ID: 0864.09m2Organizational.12-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authorize, monitor, and control voip CMA_0025 - Authorize, monitor, and control voip Manual, Disabled 1.1.0
Cosmos DB should use a virtual network service endpoint This policy audits any Cosmos DB not configured to use a virtual network service endpoint. Audit, Disabled 1.0.0
Establish voip usage restrictions CMA_0280 - Establish voip usage restrictions Manual, Disabled 1.1.0
Secure the interface to external systems CMA_0491 - Secure the interface to external systems Manual, Disabled 1.1.0

0865.09m2Organizational.13-09.m 09.06 Network Security Management

ID: 0865.09m2Organizational.13-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Check for privacy and security compliance before establishing internal connections CMA_0053 - Check for privacy and security compliance before establishing internal connections Manual, Disabled 1.1.0
Employ restrictions on external system interconnections CMA_C1155 - Employ restrictions on external system interconnections Manual, Disabled 1.1.0
Key Vault should use a virtual network service endpoint This policy audits any Key Vault not configured to use a virtual network service endpoint. Audit, Disabled 1.0.0
Require interconnection security agreements CMA_C1151 - Require interconnection security agreements Manual, Disabled 1.1.0
Update interconnection security agreements CMA_0519 - Update interconnection security agreements Manual, Disabled 1.1.0

0866.09m3Organizational.1516-09.m 09.06 Network Security Management

ID: 0866.09m3Organizational.1516-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authorize, monitor, and control voip CMA_0025 - Authorize, monitor, and control voip Manual, Disabled 1.1.0
Develop and establish a system security plan CMA_0151 - Develop and establish a system security plan Manual, Disabled 1.1.0
Develop information security policies and procedures CMA_0158 - Develop information security policies and procedures Manual, Disabled 1.1.0
Develop SSP that meets criteria CMA_C1492 - Develop SSP that meets criteria Manual, Disabled 1.1.0
Establish a privacy program CMA_0257 - Establish a privacy program Manual, Disabled 1.1.0
Establish security requirements for the manufacturing of connected devices CMA_0279 - Establish security requirements for the manufacturing of connected devices Manual, Disabled 1.1.0
Implement security engineering principles of information systems CMA_0325 - Implement security engineering principles of information systems Manual, Disabled 1.1.0
Review and update system and communications protection policies and procedures CMA_C1616 - Review and update system and communications protection policies and procedures Manual, Disabled 1.1.0
Route traffic through managed network access points CMA_0484 - Route traffic through managed network access points Manual, Disabled 1.1.0
Secure the interface to external systems CMA_0491 - Secure the interface to external systems Manual, Disabled 1.1.0
Storage accounts should restrict network access Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges Audit, Deny, Disabled 1.1.1

0868.09m3Organizational.18-09.m 09.06 Network Security Management

ID: 0868.09m3Organizational.18-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Container Registry should use a virtual network service endpoint This policy audits any Container Registry not configured to use a virtual network service endpoint. Audit, Disabled 1.0.0-preview
Authorize, monitor, and control voip CMA_0025 - Authorize, monitor, and control voip Manual, Disabled 1.1.0
Implement managed interface for each external service CMA_C1626 - Implement managed interface for each external service Manual, Disabled 1.1.0
Route traffic through managed network access points CMA_0484 - Route traffic through managed network access points Manual, Disabled 1.1.0
Secure the interface to external systems CMA_0491 - Secure the interface to external systems Manual, Disabled 1.1.0

0869.09m3Organizational.19-09.m 09.06 Network Security Management

ID: 0869.09m3Organizational.19-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Container Registry should use a virtual network service endpoint This policy audits any Container Registry not configured to use a virtual network service endpoint. Audit, Disabled 1.0.0-preview
Configure actions for noncompliant devices CMA_0062 - Configure actions for noncompliant devices Manual, Disabled 1.1.0
Create configuration plan protection CMA_C1233 - Create configuration plan protection Manual, Disabled 1.1.0
Develop and maintain baseline configurations CMA_0153 - Develop and maintain baseline configurations Manual, Disabled 1.1.0
Develop configuration item identification plan CMA_C1231 - Develop configuration item identification plan Manual, Disabled 1.1.0
Develop configuration management plan CMA_C1232 - Develop configuration management plan Manual, Disabled 1.1.0
Employ automatic shutdown/restart when violations are detected CMA_C1715 - Employ automatic shutdown/restart when violations are detected Manual, Disabled 1.1.0
Enforce security configuration settings CMA_0249 - Enforce security configuration settings Manual, Disabled 1.1.0
Establish a configuration control board CMA_0254 - Establish a configuration control board Manual, Disabled 1.1.0
Establish and document a configuration management plan CMA_0264 - Establish and document a configuration management plan Manual, Disabled 1.1.0
Implement an automated configuration management tool CMA_0311 - Implement an automated configuration management tool Manual, Disabled 1.1.0

0870.09m3Organizational.20-09.m 09.06 Network Security Management

ID: 0870.09m3Organizational.20-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Container Registry should use a virtual network service endpoint This policy audits any Container Registry not configured to use a virtual network service endpoint. Audit, Disabled 1.0.0-preview
Detect network services that have not been authorized or approved CMA_C1700 - Detect network services that have not been authorized or approved Manual, Disabled 1.1.0
Enforce user uniqueness CMA_0250 - Enforce user uniqueness Manual, Disabled 1.1.0
Identify and authenticate non-organizational users CMA_C1346 - Identify and authenticate non-organizational users Manual, Disabled 1.1.0
Identify external service providers CMA_C1591 - Identify external service providers Manual, Disabled 1.1.0
Implement managed interface for each external service CMA_C1626 - Implement managed interface for each external service Manual, Disabled 1.1.0
Route traffic through authenticated proxy network CMA_C1633 - Route traffic through authenticated proxy network Manual, Disabled 1.1.0
Support personal verification credentials issued by legal authorities CMA_0507 - Support personal verification credentials issued by legal authorities Manual, Disabled 1.1.0

0871.09m3Organizational.22-09.m 09.06 Network Security Management

ID: 0871.09m3Organizational.22-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Container Registry should use a virtual network service endpoint This policy audits any Container Registry not configured to use a virtual network service endpoint. Audit, Disabled 1.0.0-preview
Implement a fault tolerant name/address service CMA_0305 - Implement a fault tolerant name/address service Manual, Disabled 1.1.0
Provide secure name and address resolution services CMA_0416 - Provide secure name and address resolution services Manual, Disabled 1.1.0
Verify software, firmware and information integrity CMA_0542 - Verify software, firmware and information integrity Manual, Disabled 1.1.0

0885.09n2Organizational.3-09.n 09.06 Network Security Management

ID: 0885.09n2Organizational.3-09.n Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Network traffic data collection agent should be installed on Linux virtual machines Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. AuditIfNotExists, Disabled 1.0.2-preview
Require interconnection security agreements CMA_C1151 - Require interconnection security agreements Manual, Disabled 1.1.0
Update interconnection security agreements CMA_0519 - Update interconnection security agreements Manual, Disabled 1.1.0

0886.09n2Organizational.4-09.n 09.06 Network Security Management

ID: 0886.09n2Organizational.4-09.n Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Employ restrictions on external system interconnections CMA_C1155 - Employ restrictions on external system interconnections Manual, Disabled 1.1.0
Network Watcher should be enabled Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. AuditIfNotExists, Disabled 3.0.0

0887.09n2Organizational.5-09.n 09.06 Network Security Management

ID: 0887.09n2Organizational.5-09.n Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Network traffic data collection agent should be installed on Windows virtual machines Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. AuditIfNotExists, Disabled 1.0.2-preview
Require developer to identify SDLC ports, protocols, and services CMA_C1578 - Require developer to identify SDLC ports, protocols, and services Manual, Disabled 1.1.0
Secure the interface to external systems CMA_0491 - Secure the interface to external systems Manual, Disabled 1.1.0

0888.09n2Organizational.6-09.n 09.06 Network Security Management

ID: 0888.09n2Organizational.6-09.n Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define and document government oversight CMA_C1587 - Define and document government oversight Manual, Disabled 1.1.0
Determine supplier contract obligations CMA_0140 - Determine supplier contract obligations Manual, Disabled 1.1.0
Document acquisition contract acceptance criteria CMA_0187 - Document acquisition contract acceptance criteria Manual, Disabled 1.1.0
Document protection of personal data in acquisition contracts CMA_0194 - Document protection of personal data in acquisition contracts Manual, Disabled 1.1.0
Document protection of security information in acquisition contracts CMA_0195 - Document protection of security information in acquisition contracts Manual, Disabled 1.1.0
Document requirements for the use of shared data in contracts CMA_0197 - Document requirements for the use of shared data in contracts Manual, Disabled 1.1.0
Document security assurance requirements in acquisition contracts CMA_0199 - Document security assurance requirements in acquisition contracts Manual, Disabled 1.1.0
Document security documentation requirements in acquisition contract CMA_0200 - Document security documentation requirements in acquisition contract Manual, Disabled 1.1.0
Document security functional requirements in acquisition contracts CMA_0201 - Document security functional requirements in acquisition contracts Manual, Disabled 1.1.0
Document security strength requirements in acquisition contracts CMA_0203 - Document security strength requirements in acquisition contracts Manual, Disabled 1.1.0
Document the information system environment in acquisition contracts CMA_0205 - Document the information system environment in acquisition contracts Manual, Disabled 1.1.0
Document the protection of cardholder data in third party contracts CMA_0207 - Document the protection of cardholder data in third party contracts Manual, Disabled 1.1.0
Ensure external providers consistently meet interests of the customers CMA_C1592 - Ensure external providers consistently meet interests of the customers Manual, Disabled 1.1.0
Network Watcher should be enabled Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. AuditIfNotExists, Disabled 3.0.0
Require external service providers to comply with security requirements CMA_C1586 - Require external service providers to comply with security requirements Manual, Disabled 1.1.0
Review cloud service provider's compliance with policies and agreements CMA_0469 - Review cloud service provider's compliance with policies and agreements Manual, Disabled 1.1.0
Undergo independent security review CMA_0515 - Undergo independent security review Manual, Disabled 1.1.0

0894.01m2Organizational.7-01.m 01.04 Network Access Control

ID: 0894.01m2Organizational.7-01.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Container Registry should use a virtual network service endpoint This policy audits any Container Registry not configured to use a virtual network service endpoint. Audit, Disabled 1.0.0-preview
App Service apps should use a virtual network service endpoint Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit https://aka.ms/appservice-vnet-service-endpoint. AuditIfNotExists, Disabled 2.0.1
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Cosmos DB should use a virtual network service endpoint This policy audits any Cosmos DB not configured to use a virtual network service endpoint. Audit, Disabled 1.0.0
Deploy network watcher when virtual networks are created This policy creates a network watcher resource in regions with virtual networks. You need to ensure existence of a resource group named networkWatcherRG, which will be used to deploy network watcher instances. DeployIfNotExists 1.0.0
Enforce logical access CMA_0245 - Enforce logical access Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
Event Hub should use a virtual network service endpoint This policy audits any Event Hub not configured to use a virtual network service endpoint. AuditIfNotExists, Disabled 1.0.0
Gateway subnets should not be configured with a network security group This policy denies if a gateway subnet is configured with a network security group. Assigning a network security group to a gateway subnet will cause the gateway to stop functioning. deny 1.0.0
Internet-facing virtual machines should be protected with network security groups Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc AuditIfNotExists, Disabled 3.0.0
Key Vault should use a virtual network service endpoint This policy audits any Key Vault not configured to use a virtual network service endpoint. Audit, Disabled 1.0.0
Require approval for account creation CMA_0431 - Require approval for account creation Manual, Disabled 1.1.0
Review user groups and applications with access to sensitive data CMA_0481 - Review user groups and applications with access to sensitive data Manual, Disabled 1.1.0
Route traffic through authenticated proxy network CMA_C1633 - Route traffic through authenticated proxy network Manual, Disabled 1.1.0
SQL Server should use a virtual network service endpoint This policy audits any SQL Server not configured to use a virtual network service endpoint. AuditIfNotExists, Disabled 1.0.0
Storage Accounts should use a virtual network service endpoint This policy audits any Storage Account not configured to use a virtual network service endpoint. Audit, Disabled 1.0.0
Subnets should be associated with a Network Security Group Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. AuditIfNotExists, Disabled 3.0.0
Virtual machines should be connected to an approved virtual network This policy audits any virtual machine connected to a virtual network that is not approved. Audit, Deny, Disabled 1.0.0

Back-up

Workforce members roles and responsibilities in the data backup process are identified and communicated to the workforce; in particular, Bring Your Own Device (BYOD) users are required to perform backups of organizational and/or client data on their devices.

ID: 1699.09l1Organizational.10 - 09.l Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Backup should be enabled for Virtual Machines Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. AuditIfNotExists, Disabled 3.0.0

Network Controls

Wireless access points are placed in secure areas and shut down when not in use (e.g. nights, weekends).

ID: 0867.09m3Organizational.17 - 09.m Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Storage Accounts should use a virtual network service endpoint This policy audits any Storage Account not configured to use a virtual network service endpoint. Audit, Disabled 1.0.0

On-line Transactions

The organization requires the use of encryption between, and the use of electronic signatures by, each of the parties involved in the transaction.

ID: 0946.09y2Organizational.14 - 09.y Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Only secure connections to your Azure Cache for Redis should be enabled Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Audit, Deny, Disabled 1.0.0

09 Transmission Protection

0901.09s1Organizational.1-09.s 09.08 Exchange of Information

ID: 0901.09s1Organizational.1-09.s Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
App Service apps should not have CORS configured to allow every resource to access your apps Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. AuditIfNotExists, Disabled 2.0.0
Categorize information CMA_0052 - Categorize information Manual, Disabled 1.1.0
Configure actions for noncompliant devices CMA_0062 - Configure actions for noncompliant devices Manual, Disabled 1.1.0
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Develop acceptable use policies and procedures CMA_0143 - Develop acceptable use policies and procedures Manual, Disabled 1.1.0
Develop and maintain baseline configurations CMA_0153 - Develop and maintain baseline configurations Manual, Disabled 1.1.0
Develop business classification schemes CMA_0155 - Develop business classification schemes Manual, Disabled 1.1.0
Develop organization code of conduct policy CMA_0159 - Develop organization code of conduct policy Manual, Disabled 1.1.0
Document personnel acceptance of privacy requirements CMA_0193 - Document personnel acceptance of privacy requirements Manual, Disabled 1.1.0
Enforce rules of behavior and access agreements CMA_0248 - Enforce rules of behavior and access agreements Manual, Disabled 1.1.0
Enforce security configuration settings CMA_0249 - Enforce security configuration settings Manual, Disabled 1.1.0
Ensure security categorization is approved CMA_C1540 - Ensure security categorization is approved Manual, Disabled 1.1.0
Establish a configuration control board CMA_0254 - Establish a configuration control board Manual, Disabled 1.1.0
Establish a data leakage management procedure CMA_0255 - Establish a data leakage management procedure Manual, Disabled 1.1.0
Establish and document a configuration management plan CMA_0264 - Establish and document a configuration management plan Manual, Disabled 1.1.0
Establish terms and conditions for processing resources CMA_C1077 - Establish terms and conditions for processing resources Manual, Disabled 1.1.0
Implement an automated configuration management tool CMA_0311 - Implement an automated configuration management tool Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Perform information input validation CMA_C1723 - Perform information input validation Manual, Disabled 1.1.0
Prohibit unfair practices CMA_0396 - Prohibit unfair practices Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0
Protect special information CMA_0409 - Protect special information Manual, Disabled 1.1.0
Review and sign revised rules of behavior CMA_0465 - Review and sign revised rules of behavior Manual, Disabled 1.1.0
Review label activity and analytics CMA_0474 - Review label activity and analytics Manual, Disabled 1.1.0
Review malware detections report weekly CMA_0475 - Review malware detections report weekly Manual, Disabled 1.1.0
Review threat protection status weekly CMA_0479 - Review threat protection status weekly Manual, Disabled 1.1.0
Update antivirus definitions CMA_0517 - Update antivirus definitions Manual, Disabled 1.1.0
Update information security policies CMA_0518 - Update information security policies Manual, Disabled 1.1.0
Update rules of behavior and access agreements CMA_0521 - Update rules of behavior and access agreements Manual, Disabled 1.1.0
Update rules of behavior and access agreements every 3 years CMA_0522 - Update rules of behavior and access agreements every 3 years Manual, Disabled 1.1.0

0902.09s2Organizational.13-09.s 09.08 Exchange of Information

ID: 0902.09s2Organizational.13-09.s Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authorize remote access CMA_0024 - Authorize remote access Manual, Disabled 1.1.0
Authorize remote access to privileged commands CMA_C1064 - Authorize remote access to privileged commands Manual, Disabled 1.1.0
Document mobility training CMA_0191 - Document mobility training Manual, Disabled 1.1.0
Document remote access guidelines CMA_0196 - Document remote access guidelines Manual, Disabled 1.1.0
Establish terms and conditions for accessing resources CMA_C1076 - Establish terms and conditions for accessing resources Manual, Disabled 1.1.0
Establish terms and conditions for processing resources CMA_C1077 - Establish terms and conditions for processing resources Manual, Disabled 1.1.0
Function apps should not have CORS configured to allow every resource to access your apps Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. AuditIfNotExists, Disabled 2.0.0
Implement controls to secure alternate work sites CMA_0315 - Implement controls to secure alternate work sites Manual, Disabled 1.1.0
Monitor access across the organization CMA_0376 - Monitor access across the organization Manual, Disabled 1.1.0
Notify users of system logon or access CMA_0382 - Notify users of system logon or access Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Provide capability to disconnect or disable remote access CMA_C1066 - Provide capability to disconnect or disable remote access Manual, Disabled 1.1.0
Provide privacy training CMA_0415 - Provide privacy training Manual, Disabled 1.1.0
Route traffic through managed network access points CMA_0484 - Route traffic through managed network access points Manual, Disabled 1.1.0

0903.10f1Organizational.1-10.f 10.03 Cryptographic Controls

ID: 0903.10f1Organizational.1-10.f Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0

0904.10f2Organizational.1-10.f 10.03 Cryptographic Controls

ID: 0904.10f2Organizational.1-10.f Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authenticate to cryptographic module CMA_0021 - Authenticate to cryptographic module Manual, Disabled 1.1.0
Define a physical key management process CMA_0115 - Define a physical key management process Manual, Disabled 1.1.0
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0
Define organizational requirements for cryptographic key management CMA_0123 - Define organizational requirements for cryptographic key management Manual, Disabled 1.1.0
Determine assertion requirements CMA_0136 - Determine assertion requirements Manual, Disabled 1.1.0
Issue public key certificates CMA_0347 - Issue public key certificates Manual, Disabled 1.1.0
Manage symmetric cryptographic keys CMA_0367 - Manage symmetric cryptographic keys Manual, Disabled 1.1.0
Produce, control and distribute symmetric cryptographic keys CMA_C1645 - Produce, control and distribute symmetric cryptographic keys Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0
Restrict access to private keys CMA_0445 - Restrict access to private keys Manual, Disabled 1.1.0

0912.09s1Organizational.4-09.s 09.08 Exchange of Information

ID: 0912.09s1Organizational.4-09.s Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
App Service apps should have remote debugging turned off Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. AuditIfNotExists, Disabled 2.0.0
Authorize remote access CMA_0024 - Authorize remote access Manual, Disabled 1.1.0
Document mobility training CMA_0191 - Document mobility training Manual, Disabled 1.1.0
Document remote access guidelines CMA_0196 - Document remote access guidelines Manual, Disabled 1.1.0
Implement controls to secure alternate work sites CMA_0315 - Implement controls to secure alternate work sites Manual, Disabled 1.1.0
Monitor access across the organization CMA_0376 - Monitor access across the organization Manual, Disabled 1.1.0
Notify users of system logon or access CMA_0382 - Notify users of system logon or access Manual, Disabled 1.1.0
Provide privacy training CMA_0415 - Provide privacy training Manual, Disabled 1.1.0
Route traffic through managed network access points CMA_0484 - Route traffic through managed network access points Manual, Disabled 1.1.0

0913.09s1Organizational.5-09.s 09.08 Exchange of Information

ID: 0913.09s1Organizational.5-09.s Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0
Function apps should have remote debugging turned off Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. AuditIfNotExists, Disabled 2.0.0
Produce, control and distribute asymmetric cryptographic keys CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0

0914.09s1Organizational.6-09.s 09.08 Exchange of Information

ID: 0914.09s1Organizational.6-09.s Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Assess Security Controls CMA_C1145 - Assess Security Controls Manual, Disabled 1.1.0
Deliver security assessment results CMA_C1147 - Deliver security assessment results Manual, Disabled 1.1.0
Develop security assessment plan CMA_C1144 - Develop security assessment plan Manual, Disabled 1.1.0
Employ independent assessors to conduct security control assessments CMA_C1148 - Employ independent assessors to conduct security control assessments Manual, Disabled 1.1.0
Produce Security Assessment report CMA_C1146 - Produce Security Assessment report Manual, Disabled 1.1.0
Review and update system and communications protection policies and procedures CMA_C1616 - Review and update system and communications protection policies and procedures Manual, Disabled 1.1.0

0915.09s2Organizational.2-09.s 09.08 Exchange of Information

ID: 0915.09s2Organizational.2-09.s Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
App Service apps should have Client Certificates (Incoming client certificates) enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy applies to apps with Http version set to 1.1. AuditIfNotExists, Disabled 1.0.0
Control use of portable storage devices CMA_0083 - Control use of portable storage devices Manual, Disabled 1.1.0
Establish terms and conditions for accessing resources CMA_C1076 - Establish terms and conditions for accessing resources Manual, Disabled 1.1.0
Establish terms and conditions for processing resources CMA_C1077 - Establish terms and conditions for processing resources Manual, Disabled 1.1.0

0916.09s2Organizational.4-09.s 09.08 Exchange of Information

ID: 0916.09s2Organizational.4-09.s Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adopt biometric authentication mechanisms CMA_0005 - Adopt biometric authentication mechanisms Manual, Disabled 1.1.0
App Service apps should not have CORS configured to allow every resource to access your apps Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. AuditIfNotExists, Disabled 2.0.0
Control use of portable storage devices CMA_0083 - Control use of portable storage devices Manual, Disabled 1.1.0
Explicitly notify use of collaborative computing devices CMA_C1649 - Explicitly notify use of collaborative computing devices Manual, Disabled 1.1.1
Identify and authenticate network devices CMA_0296 - Identify and authenticate network devices Manual, Disabled 1.1.0
Prohibit remote activation of collaborative computing devices CMA_C1648 - Prohibit remote activation of collaborative computing devices Manual, Disabled 1.1.0
Restrict media use CMA_0450 - Restrict media use Manual, Disabled 1.1.0

0926.09v1Organizational.2-09.v 09.08 Exchange of Information

ID: 0926.09v1Organizational.2-09.v Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Implement a fault tolerant name/address service CMA_0305 - Implement a fault tolerant name/address service Manual, Disabled 1.1.0
Produce, control and distribute asymmetric cryptographic keys CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0
Provide secure name and address resolution services CMA_0416 - Provide secure name and address resolution services Manual, Disabled 1.1.0

0927.09v1Organizational.3-09.v 09.08 Exchange of Information

ID: 0927.09v1Organizational.3-09.v Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adopt biometric authentication mechanisms CMA_0005 - Adopt biometric authentication mechanisms Manual, Disabled 1.1.0
Enforce user uniqueness CMA_0250 - Enforce user uniqueness Manual, Disabled 1.1.0
Identify and authenticate network devices CMA_0296 - Identify and authenticate network devices Manual, Disabled 1.1.0
Support personal verification credentials issued by legal authorities CMA_0507 - Support personal verification credentials issued by legal authorities Manual, Disabled 1.1.0

0928.09v1Organizational.45-09.v 09.08 Exchange of Information

ID: 0928.09v1Organizational.45-09.v Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Control information flow CMA_0079 - Control information flow Manual, Disabled 1.1.0
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0
Establish firewall and router configuration standards CMA_0272 - Establish firewall and router configuration standards Manual, Disabled 1.1.0
Establish network segmentation for card holder data environment CMA_0273 - Establish network segmentation for card holder data environment Manual, Disabled 1.1.0
Identify and manage downstream information exchanges CMA_0298 - Identify and manage downstream information exchanges Manual, Disabled 1.1.0
Produce, control and distribute asymmetric cryptographic keys CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0
Secure the interface to external systems CMA_0491 - Secure the interface to external systems Manual, Disabled 1.1.0

0929.09v1Organizational.6-09.v 09.08 Exchange of Information

ID: 0929.09v1Organizational.6-09.v Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Control information flow CMA_0079 - Control information flow Manual, Disabled 1.1.0
Establish firewall and router configuration standards CMA_0272 - Establish firewall and router configuration standards Manual, Disabled 1.1.0
Establish network segmentation for card holder data environment CMA_0273 - Establish network segmentation for card holder data environment Manual, Disabled 1.1.0
Identify and manage downstream information exchanges CMA_0298 - Identify and manage downstream information exchanges Manual, Disabled 1.1.0
Implement a fault tolerant name/address service CMA_0305 - Implement a fault tolerant name/address service Manual, Disabled 1.1.0
Produce, control and distribute asymmetric cryptographic keys CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0
Provide secure name and address resolution services CMA_0416 - Provide secure name and address resolution services Manual, Disabled 1.1.0

0943.09y1Organizational.1-09.y 09.09 Electronic Commerce Services

ID: 0943.09y1Organizational.1-09.y Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Document process to ensure integrity of PII CMA_C1827 - Document process to ensure integrity of PII Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0
Secure transfer to storage accounts should be enabled Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Audit, Deny, Disabled 2.0.0

0944.09y1Organizational.2-09.y 09.09 Electronic Commerce Services

ID: 0944.09y1Organizational.2-09.y Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Control information flow CMA_0079 - Control information flow Manual, Disabled 1.1.0
Employ boundary protection to isolate information systems CMA_C1639 - Employ boundary protection to isolate information systems Manual, Disabled 1.1.0
Employ flow control mechanisms of encrypted information CMA_0211 - Employ flow control mechanisms of encrypted information Manual, Disabled 1.1.0
Establish firewall and router configuration standards CMA_0272 - Establish firewall and router configuration standards Manual, Disabled 1.1.0
Establish network segmentation for card holder data environment CMA_0273 - Establish network segmentation for card holder data environment Manual, Disabled 1.1.0
Identify and manage downstream information exchanges CMA_0298 - Identify and manage downstream information exchanges Manual, Disabled 1.1.0
Information flow control using security policy filters CMA_C1029 - Information flow control using security policy filters Manual, Disabled 1.1.0

0945.09y1Organizational.3-09.y 09.09 Electronic Commerce Services

ID: 0945.09y1Organizational.3-09.y Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit Windows machines that do not contain the specified certificates in Trusted Root Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine Trusted Root certificate store (Cert:\LocalMachine\Root) does not contain one or more of the certificates listed by the policy parameter. auditIfNotExists 3.0.0
Authenticate to cryptographic module CMA_0021 - Authenticate to cryptographic module Manual, Disabled 1.1.0
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0
Produce, control and distribute asymmetric cryptographic keys CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0

0947.09y2Organizational.2-09.y 09.09 Electronic Commerce Services

ID: 0947.09y2Organizational.2-09.y Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Create separate alternate and primary storage sites CMA_C1269 - Create separate alternate and primary storage sites Manual, Disabled 1.1.0
Employ a media sanitization mechanism CMA_0208 - Employ a media sanitization mechanism Manual, Disabled 1.1.0
Enforce SSL connection should be enabled for PostgreSQL database servers Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Audit, Disabled 1.0.1
Ensure alternate storage site safeguards are equivalent to primary site CMA_C1268 - Ensure alternate storage site safeguards are equivalent to primary site Manual, Disabled 1.1.0
Establish a data leakage management procedure CMA_0255 - Establish a data leakage management procedure Manual, Disabled 1.1.0
Establish alternate storage site to store and retrieve backup information CMA_C1267 - Establish alternate storage site to store and retrieve backup information Manual, Disabled 1.1.0
Govern and monitor audit processing activities CMA_0289 - Govern and monitor audit processing activities Manual, Disabled 1.1.0
Manage the transportation of assets CMA_0370 - Manage the transportation of assets Manual, Disabled 1.1.0
Protect special information CMA_0409 - Protect special information Manual, Disabled 1.1.0
Restrict location of information processing, storage and services CMA_C1593 - Restrict location of information processing, storage and services Manual, Disabled 1.1.0
Transfer backup information to an alternate storage site CMA_C1294 - Transfer backup information to an alternate storage site Manual, Disabled 1.1.0

0948.09y2Organizational.3-09.y 09.09 Electronic Commerce Services

ID: 0948.09y2Organizational.3-09.y Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Distribute authenticators CMA_0184 - Distribute authenticators Manual, Disabled 1.1.0
Enforce random unique session identifiers CMA_0247 - Enforce random unique session identifiers Manual, Disabled 1.1.0
Enforce SSL connection should be enabled for MySQL database servers Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Audit, Disabled 1.0.1
Issue public key certificates CMA_0347 - Issue public key certificates Manual, Disabled 1.1.0
Satisfy token quality requirements CMA_0487 - Satisfy token quality requirements Manual, Disabled 1.1.0

0949.09y2Organizational.5-09.y 09.09 Electronic Commerce Services

ID: 0949.09y2Organizational.5-09.y Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
App Service apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled, Deny 4.0.0
App Service apps should use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. AuditIfNotExists, Disabled 2.0.1
Function apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled, Deny 5.0.0
Function apps should use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. AuditIfNotExists, Disabled 2.0.1
Identify external service providers CMA_C1591 - Identify external service providers Manual, Disabled 1.1.0
Require developer to identify SDLC ports, protocols, and services CMA_C1578 - Require developer to identify SDLC ports, protocols, and services Manual, Disabled 1.1.0

0960.09sCSPOrganizational.1-09.s 09.08 Exchange of Information

ID: 0960.09sCSPOrganizational.1-09.s Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Function apps should not have CORS configured to allow every resource to access your apps Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. AuditIfNotExists, Disabled 2.0.0
Identify external service providers CMA_C1591 - Identify external service providers Manual, Disabled 1.1.0

099.09m2Organizational.11-09.m 09.06 Network Security Management

ID: 099.09m2Organizational.11-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0

10 Password Management

1002.01d1System.1-01.d 01.02 Authorized Access to Information Systems

ID: 1002.01d1System.1-01.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Obscure feedback information during authentication process CMA_C1344 - Obscure feedback information during authentication process Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0

1003.01d1System.3-01.d 01.02 Authorized Access to Information Systems

ID: 1003.01d1System.3-01.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Implement training for protecting authenticators CMA_0329 - Implement training for protecting authenticators Manual, Disabled 1.1.0
Refresh authenticators CMA_0425 - Refresh authenticators Manual, Disabled 1.1.0
Verify identity before distributing authenticators CMA_0538 - Verify identity before distributing authenticators Manual, Disabled 1.1.0

1004.01d1System.8913-01.d 01.02 Authorized Access to Information Systems

ID: 1004.01d1System.8913-01.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Document security strength requirements in acquisition contracts CMA_0203 - Document security strength requirements in acquisition contracts Manual, Disabled 1.1.0
Establish a password policy CMA_0256 - Establish a password policy Manual, Disabled 1.1.0
Implement parameters for memorized secret verifiers CMA_0321 - Implement parameters for memorized secret verifiers Manual, Disabled 1.1.0
Manage authenticator lifetime and reuse CMA_0355 - Manage authenticator lifetime and reuse Manual, Disabled 1.1.0
Manage Authenticators CMA_C1321 - Manage Authenticators Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0
Refresh authenticators CMA_0425 - Refresh authenticators Manual, Disabled 1.1.0
Verify identity before distributing authenticators CMA_0538 - Verify identity before distributing authenticators Manual, Disabled 1.1.0

1005.01d1System.1011-01.d 01.02 Authorized Access to Information Systems

ID: 1005.01d1System.1011-01.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authenticate to cryptographic module CMA_0021 - Authenticate to cryptographic module Manual, Disabled 1.1.0
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0
Document security strength requirements in acquisition contracts CMA_0203 - Document security strength requirements in acquisition contracts Manual, Disabled 1.1.0
Establish a password policy CMA_0256 - Establish a password policy Manual, Disabled 1.1.0
Implement parameters for memorized secret verifiers CMA_0321 - Implement parameters for memorized secret verifiers Manual, Disabled 1.1.0
Produce, control and distribute symmetric cryptographic keys CMA_C1645 - Produce, control and distribute symmetric cryptographic keys Manual, Disabled 1.1.0

1006.01d2System.1-01.d 01.02 Authorized Access to Information Systems

ID: 1006.01d2System.1-01.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Ensure there are no unencrypted static authenticators CMA_C1340 - Ensure there are no unencrypted static authenticators Manual, Disabled 1.1.0
Generate error messages CMA_C1724 - Generate error messages Manual, Disabled 1.1.0
Identify and authenticate non-organizational users CMA_C1346 - Identify and authenticate non-organizational users Manual, Disabled 1.1.0
Implement training for protecting authenticators CMA_0329 - Implement training for protecting authenticators Manual, Disabled 1.1.0
Obscure feedback information during authentication process CMA_C1344 - Obscure feedback information during authentication process Manual, Disabled 1.1.0

1007.01d2System.2-01.d 01.02 Authorized Access to Information Systems

ID: 1007.01d2System.2-01.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0

1008.01d2System.3-01.d 01.02 Authorized Access to Information Systems

ID: 1008.01d2System.3-01.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop acceptable use policies and procedures CMA_0143 - Develop acceptable use policies and procedures Manual, Disabled 1.1.0
Develop organization code of conduct policy CMA_0159 - Develop organization code of conduct policy Manual, Disabled 1.1.0
Document organizational access agreements CMA_0192 - Document organizational access agreements Manual, Disabled 1.1.0
Document personnel acceptance of privacy requirements CMA_0193 - Document personnel acceptance of privacy requirements Manual, Disabled 1.1.0
Enforce rules of behavior and access agreements CMA_0248 - Enforce rules of behavior and access agreements Manual, Disabled 1.1.0
Establish a data leakage management procedure CMA_0255 - Establish a data leakage management procedure Manual, Disabled 1.1.0
Notify users of system logon or access CMA_0382 - Notify users of system logon or access Manual, Disabled 1.1.0
Prohibit unfair practices CMA_0396 - Prohibit unfair practices Manual, Disabled 1.1.0
Protect special information CMA_0409 - Protect special information Manual, Disabled 1.1.0
Require users to sign access agreement CMA_0440 - Require users to sign access agreement Manual, Disabled 1.1.0
Review and sign revised rules of behavior CMA_0465 - Review and sign revised rules of behavior Manual, Disabled 1.1.0
Update information security policies CMA_0518 - Update information security policies Manual, Disabled 1.1.0
Update organizational access agreements CMA_0520 - Update organizational access agreements Manual, Disabled 1.1.0
Update rules of behavior and access agreements CMA_0521 - Update rules of behavior and access agreements Manual, Disabled 1.1.0
Update rules of behavior and access agreements every 3 years CMA_0522 - Update rules of behavior and access agreements every 3 years Manual, Disabled 1.1.0

1009.01d2System.4-01.d 01.02 Authorized Access to Information Systems

ID: 1009.01d2System.4-01.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Document security strength requirements in acquisition contracts CMA_0203 - Document security strength requirements in acquisition contracts Manual, Disabled 1.1.0
Establish a password policy CMA_0256 - Establish a password policy Manual, Disabled 1.1.0
Implement parameters for memorized secret verifiers CMA_0321 - Implement parameters for memorized secret verifiers Manual, Disabled 1.1.0
Refresh authenticators CMA_0425 - Refresh authenticators Manual, Disabled 1.1.0

1014.01d1System.12-01.d 01.02 Authorized Access to Information Systems

ID: 1014.01d1System.12-01.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Document security strength requirements in acquisition contracts CMA_0203 - Document security strength requirements in acquisition contracts Manual, Disabled 1.1.0
Establish a password policy CMA_0256 - Establish a password policy Manual, Disabled 1.1.0
Establish authenticator types and processes CMA_0267 - Establish authenticator types and processes Manual, Disabled 1.1.0
Establish procedures for initial authenticator distribution CMA_0276 - Establish procedures for initial authenticator distribution Manual, Disabled 1.1.0
Implement parameters for memorized secret verifiers CMA_0321 - Implement parameters for memorized secret verifiers Manual, Disabled 1.1.0
Implement training for protecting authenticators CMA_0329 - Implement training for protecting authenticators Manual, Disabled 1.1.0
Manage authenticator lifetime and reuse CMA_0355 - Manage authenticator lifetime and reuse Manual, Disabled 1.1.0
Manage Authenticators CMA_C1321 - Manage Authenticators Manual, Disabled 1.1.0
Refresh authenticators CMA_0425 - Refresh authenticators Manual, Disabled 1.1.0
Reissue authenticators for changed groups and accounts CMA_0426 - Reissue authenticators for changed groups and accounts Manual, Disabled 1.1.0
Verify identity before distributing authenticators CMA_0538 - Verify identity before distributing authenticators Manual, Disabled 1.1.0

1015.01d1System.14-01.d 01.02 Authorized Access to Information Systems

ID: 1015.01d1System.14-01.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Establish authenticator types and processes CMA_0267 - Establish authenticator types and processes Manual, Disabled 1.1.0
Establish procedures for initial authenticator distribution CMA_0276 - Establish procedures for initial authenticator distribution Manual, Disabled 1.1.0
Reissue authenticators for changed groups and accounts CMA_0426 - Reissue authenticators for changed groups and accounts Manual, Disabled 1.1.0
Verify identity before distributing authenticators CMA_0538 - Verify identity before distributing authenticators Manual, Disabled 1.1.0

1022.01d1System.15-01.d 01.02 Authorized Access to Information Systems

ID: 1022.01d1System.15-01.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adopt biometric authentication mechanisms CMA_0005 - Adopt biometric authentication mechanisms Manual, Disabled 1.1.0
Control use of portable storage devices CMA_0083 - Control use of portable storage devices Manual, Disabled 1.1.0
Document security strength requirements in acquisition contracts CMA_0203 - Document security strength requirements in acquisition contracts Manual, Disabled 1.1.0
Establish a password policy CMA_0256 - Establish a password policy Manual, Disabled 1.1.0
Identify and authenticate network devices CMA_0296 - Identify and authenticate network devices Manual, Disabled 1.1.0
Implement parameters for memorized secret verifiers CMA_0321 - Implement parameters for memorized secret verifiers Manual, Disabled 1.1.0
Refresh authenticators CMA_0425 - Refresh authenticators Manual, Disabled 1.1.0
Restrict media use CMA_0450 - Restrict media use Manual, Disabled 1.1.0

1031.01d1System.34510-01.d 01.02 Authorized Access to Information Systems

ID: 1031.01d1System.34510-01.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Document security strength requirements in acquisition contracts CMA_0203 - Document security strength requirements in acquisition contracts Manual, Disabled 1.1.0
Establish a password policy CMA_0256 - Establish a password policy Manual, Disabled 1.1.0
Establish procedures for initial authenticator distribution CMA_0276 - Establish procedures for initial authenticator distribution Manual, Disabled 1.1.0
Implement parameters for memorized secret verifiers CMA_0321 - Implement parameters for memorized secret verifiers Manual, Disabled 1.1.0
Manage Authenticators CMA_C1321 - Manage Authenticators Manual, Disabled 1.1.0
Refresh authenticators CMA_0425 - Refresh authenticators Manual, Disabled 1.1.0

11 Access Control

1106.01b1System.1-01.b 01.02 Authorized Access to Information Systems

ID: 1106.01b1System.1-01.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Assign account managers CMA_0015 - Assign account managers Manual, Disabled 1.1.0
Audit user account status CMA_0020 - Audit user account status Manual, Disabled 1.1.0
Define information system account types CMA_0121 - Define information system account types Manual, Disabled 1.1.0
Document access privileges CMA_0186 - Document access privileges Manual, Disabled 1.1.0
Establish conditions for role membership CMA_0269 - Establish conditions for role membership Manual, Disabled 1.1.0
Require approval for account creation CMA_0431 - Require approval for account creation Manual, Disabled 1.1.0
Restrict access to privileged accounts CMA_0446 - Restrict access to privileged accounts Manual, Disabled 1.1.0
Review account provisioning logs CMA_0460 - Review account provisioning logs Manual, Disabled 1.1.0
Review user accounts CMA_0480 - Review user accounts Manual, Disabled 1.1.0
Verify identity before distributing authenticators CMA_0538 - Verify identity before distributing authenticators Manual, Disabled 1.1.0

1107.01b1System.2-01.b 01.02 Authorized Access to Information Systems

ID: 1107.01b1System.2-01.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Establish authenticator types and processes CMA_0267 - Establish authenticator types and processes Manual, Disabled 1.1.0
Establish procedures for initial authenticator distribution CMA_0276 - Establish procedures for initial authenticator distribution Manual, Disabled 1.1.0
Manage Authenticators CMA_C1321 - Manage Authenticators Manual, Disabled 1.1.0
Verify identity before distributing authenticators CMA_0538 - Verify identity before distributing authenticators Manual, Disabled 1.1.0

1108.01b1System.3-01.b 01.02 Authorized Access to Information Systems

ID: 1108.01b1System.3-01.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Assign account managers CMA_0015 - Assign account managers Manual, Disabled 1.1.0
Define information system account types CMA_0121 - Define information system account types Manual, Disabled 1.1.0
Monitor account activity CMA_0377 - Monitor account activity Manual, Disabled 1.1.0
Notify Account Managers of customer controlled accounts CMA_C1009 - Notify Account Managers of customer controlled accounts Manual, Disabled 1.1.0

1109.01b1System.479-01.b 01.02 Authorized Access to Information Systems

ID: 1109.01b1System.479-01.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Conduct exit interview upon termination CMA_0058 - Conduct exit interview upon termination Manual, Disabled 1.1.0
Develop acceptable use policies and procedures CMA_0143 - Develop acceptable use policies and procedures Manual, Disabled 1.1.0
Develop organization code of conduct policy CMA_0159 - Develop organization code of conduct policy Manual, Disabled 1.1.0
Disable authenticators upon termination CMA_0169 - Disable authenticators upon termination Manual, Disabled 1.1.0
Document personnel acceptance of privacy requirements CMA_0193 - Document personnel acceptance of privacy requirements Manual, Disabled 1.1.0
Enforce rules of behavior and access agreements CMA_0248 - Enforce rules of behavior and access agreements Manual, Disabled 1.1.0
Initiate transfer or reassignment actions CMA_0333 - Initiate transfer or reassignment actions Manual, Disabled 1.1.0
Manage Authenticators CMA_C1321 - Manage Authenticators Manual, Disabled 1.1.0
Modify access authorizations upon personnel transfer CMA_0374 - Modify access authorizations upon personnel transfer Manual, Disabled 1.1.0
Notify upon termination or transfer CMA_0381 - Notify upon termination or transfer Manual, Disabled 1.1.0
Prohibit unfair practices CMA_0396 - Prohibit unfair practices Manual, Disabled 1.1.0
Protect against and prevent data theft from departing employees CMA_0398 - Protect against and prevent data theft from departing employees Manual, Disabled 1.1.0
Provide periodic security awareness training CMA_C1091 - Provide periodic security awareness training Manual, Disabled 1.1.0
Provide security awareness training for insider threats CMA_0417 - Provide security awareness training for insider threats Manual, Disabled 1.1.0
Provide security training for new users CMA_0419 - Provide security training for new users Manual, Disabled 1.1.0
Provide updated security awareness training CMA_C1090 - Provide updated security awareness training Manual, Disabled 1.1.0
Reevaluate access upon personnel transfer CMA_0424 - Reevaluate access upon personnel transfer Manual, Disabled 1.1.0
Require approval for account creation CMA_0431 - Require approval for account creation Manual, Disabled 1.1.0
Retain terminated user data CMA_0455 - Retain terminated user data Manual, Disabled 1.1.0
Review and sign revised rules of behavior CMA_0465 - Review and sign revised rules of behavior Manual, Disabled 1.1.0
Revoke privileged roles as appropriate CMA_0483 - Revoke privileged roles as appropriate Manual, Disabled 1.1.0
Update rules of behavior and access agreements CMA_0521 - Update rules of behavior and access agreements Manual, Disabled 1.1.0
Update rules of behavior and access agreements every 3 years CMA_0522 - Update rules of behavior and access agreements every 3 years Manual, Disabled 1.1.0
Verify identity before distributing authenticators CMA_0538 - Verify identity before distributing authenticators Manual, Disabled 1.1.0

1110.01b1System.5-01.b 01.02 Authorized Access to Information Systems

ID: 1110.01b1System.5-01.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define and enforce conditions for shared and group accounts CMA_0117 - Define and enforce conditions for shared and group accounts Manual, Disabled 1.1.0
Develop acceptable use policies and procedures CMA_0143 - Develop acceptable use policies and procedures Manual, Disabled 1.1.0
Develop organization code of conduct policy CMA_0159 - Develop organization code of conduct policy Manual, Disabled 1.1.0
Document personnel acceptance of privacy requirements CMA_0193 - Document personnel acceptance of privacy requirements Manual, Disabled 1.1.0
Enforce rules of behavior and access agreements CMA_0248 - Enforce rules of behavior and access agreements Manual, Disabled 1.1.0
Prohibit unfair practices CMA_0396 - Prohibit unfair practices Manual, Disabled 1.1.0
Reissue authenticators for changed groups and accounts CMA_0426 - Reissue authenticators for changed groups and accounts Manual, Disabled 1.1.0
Review and sign revised rules of behavior CMA_0465 - Review and sign revised rules of behavior Manual, Disabled 1.1.0
Update information security policies CMA_0518 - Update information security policies Manual, Disabled 1.1.0
Update rules of behavior and access agreements CMA_0521 - Update rules of behavior and access agreements Manual, Disabled 1.1.0
Update rules of behavior and access agreements every 3 years CMA_0522 - Update rules of behavior and access agreements every 3 years Manual, Disabled 1.1.0

11109.01q1Organizational.57-01.q 01.05 Operating System Access Control

ID: 11109.01q1Organizational.57-01.q Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Accounts with owner permissions on Azure resources should be MFA enabled Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 1.0.0
Adopt biometric authentication mechanisms CMA_0005 - Adopt biometric authentication mechanisms Manual, Disabled 1.1.0
Assign system identifiers CMA_0018 - Assign system identifiers Manual, Disabled 1.1.0
Enforce user uniqueness CMA_0250 - Enforce user uniqueness Manual, Disabled 1.1.0
Identify status of individual users CMA_C1316 - Identify status of individual users Manual, Disabled 1.1.0
Prevent identifier reuse for the defined time period CMA_C1314 - Prevent identifier reuse for the defined time period Manual, Disabled 1.1.0
Support personal verification credentials issued by legal authorities CMA_0507 - Support personal verification credentials issued by legal authorities Manual, Disabled 1.1.0

1111.01b2System.1-01.b 01.02 Authorized Access to Information Systems

ID: 1111.01b2System.1-01.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define and enforce conditions for shared and group accounts CMA_0117 - Define and enforce conditions for shared and group accounts Manual, Disabled 1.1.0
Reissue authenticators for changed groups and accounts CMA_0426 - Reissue authenticators for changed groups and accounts Manual, Disabled 1.1.0

11111.01q2System.4-01.q 01.05 Operating System Access Control

ID: 11111.01q2System.4-01.q Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Accounts with read permissions on Azure resources should be MFA enabled Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 1.0.0
Establish authenticator types and processes CMA_0267 - Establish authenticator types and processes Manual, Disabled 1.1.0
Establish procedures for initial authenticator distribution CMA_0276 - Establish procedures for initial authenticator distribution Manual, Disabled 1.1.0
Verify identity before distributing authenticators CMA_0538 - Verify identity before distributing authenticators Manual, Disabled 1.1.0

11112.01q2Organizational.67-01.q 01.05 Operating System Access Control

ID: 11112.01q2Organizational.67-01.q Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
A maximum of 3 owners should be designated for your subscription It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. AuditIfNotExists, Disabled 3.0.0
Adopt biometric authentication mechanisms CMA_0005 - Adopt biometric authentication mechanisms Manual, Disabled 1.1.0
Satisfy token quality requirements CMA_0487 - Satisfy token quality requirements Manual, Disabled 1.1.0

1112.01b2System.2-01.b 01.02 Authorized Access to Information Systems

ID: 1112.01b2System.2-01.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Assign an authorizing official (AO) CMA_C1158 - Assign an authorizing official (AO) Manual, Disabled 1.1.0
Distribute authenticators CMA_0184 - Distribute authenticators Manual, Disabled 1.1.0
Ensure resources are authorized CMA_C1159 - Ensure resources are authorized Manual, Disabled 1.1.0
Establish authenticator types and processes CMA_0267 - Establish authenticator types and processes Manual, Disabled 1.1.0
Satisfy token quality requirements CMA_0487 - Satisfy token quality requirements Manual, Disabled 1.1.0
Update the security authorization CMA_C1160 - Update the security authorization Manual, Disabled 1.1.0
Verify identity before distributing authenticators CMA_0538 - Verify identity before distributing authenticators Manual, Disabled 1.1.0

11126.01t1Organizational.12-01.t 01.05 Operating System Access Control

ID: 11126.01t1Organizational.12-01.t Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Reauthenticate or terminate a user session CMA_0421 - Reauthenticate or terminate a user session Manual, Disabled 1.1.0

1114.01h1Organizational.123-01.h 01.03 User Responsibilities

ID: 1114.01h1Organizational.123-01.h Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define and enforce the limit of concurrent sessions CMA_C1050 - Define and enforce the limit of concurrent sessions Manual, Disabled 1.1.0
Terminate user session automatically CMA_C1054 - Terminate user session automatically Manual, Disabled 1.1.0

11154.02i1Organizational.5-02.i 02.04 Termination or Change of Employment

ID: 11154.02i1Organizational.5-02.i Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Conduct exit interview upon termination CMA_0058 - Conduct exit interview upon termination Manual, Disabled 1.1.0
Disable authenticators upon termination CMA_0169 - Disable authenticators upon termination Manual, Disabled 1.1.0
Initiate transfer or reassignment actions CMA_0333 - Initiate transfer or reassignment actions Manual, Disabled 1.1.0
Modify access authorizations upon personnel transfer CMA_0374 - Modify access authorizations upon personnel transfer Manual, Disabled 1.1.0
Notify upon termination or transfer CMA_0381 - Notify upon termination or transfer Manual, Disabled 1.1.0
Protect against and prevent data theft from departing employees CMA_0398 - Protect against and prevent data theft from departing employees Manual, Disabled 1.1.0
Reevaluate access upon personnel transfer CMA_0424 - Reevaluate access upon personnel transfer Manual, Disabled 1.1.0
Retain terminated user data CMA_0455 - Retain terminated user data Manual, Disabled 1.1.0

11155.02i2Organizational.2-02.i 02.04 Termination or Change of Employment

ID: 11155.02i2Organizational.2-02.i Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Automate account management CMA_0026 - Automate account management Manual, Disabled 1.1.0
Conduct exit interview upon termination CMA_0058 - Conduct exit interview upon termination Manual, Disabled 1.1.0
Disable authenticators upon termination CMA_0169 - Disable authenticators upon termination Manual, Disabled 1.1.0
Manage system and admin accounts CMA_0368 - Manage system and admin accounts Manual, Disabled 1.1.0
Monitor access across the organization CMA_0376 - Monitor access across the organization Manual, Disabled 1.1.0
Notify Account Managers of customer controlled accounts CMA_C1009 - Notify Account Managers of customer controlled accounts Manual, Disabled 1.1.0
Notify upon termination or transfer CMA_0381 - Notify upon termination or transfer Manual, Disabled 1.1.0
Notify when account is not needed CMA_0383 - Notify when account is not needed Manual, Disabled 1.1.0
Protect against and prevent data theft from departing employees CMA_0398 - Protect against and prevent data theft from departing employees Manual, Disabled 1.1.0
Retain terminated user data CMA_0455 - Retain terminated user data Manual, Disabled 1.1.0

1116.01j1Organizational.145-01.j 01.04 Network Access Control

ID: 1116.01j1Organizational.145-01.j Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Accounts with owner permissions on Azure resources should be MFA enabled Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 1.0.0
Document security strength requirements in acquisition contracts CMA_0203 - Document security strength requirements in acquisition contracts Manual, Disabled 1.1.0
Establish a password policy CMA_0256 - Establish a password policy Manual, Disabled 1.1.0
Establish authenticator types and processes CMA_0267 - Establish authenticator types and processes Manual, Disabled 1.1.0
Implement parameters for memorized secret verifiers CMA_0321 - Implement parameters for memorized secret verifiers Manual, Disabled 1.1.0
Verify identity before distributing authenticators CMA_0538 - Verify identity before distributing authenticators Manual, Disabled 1.1.0

1118.01j2Organizational.124-01.j 01.04 Network Access Control

ID: 1118.01j2Organizational.124-01.j Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Accounts with read permissions on Azure resources should be MFA enabled Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 1.0.0
Authorize remote access CMA_0024 - Authorize remote access Manual, Disabled 1.1.0
Document mobility training CMA_0191 - Document mobility training Manual, Disabled 1.1.0
Document remote access guidelines CMA_0196 - Document remote access guidelines Manual, Disabled 1.1.0
Implement controls to secure alternate work sites CMA_0315 - Implement controls to secure alternate work sites Manual, Disabled 1.1.0
Monitor access across the organization CMA_0376 - Monitor access across the organization Manual, Disabled 1.1.0
Notify users of system logon or access CMA_0382 - Notify users of system logon or access Manual, Disabled 1.1.0
Provide privacy training CMA_0415 - Provide privacy training Manual, Disabled 1.1.0
Route traffic through managed network access points CMA_0484 - Route traffic through managed network access points Manual, Disabled 1.1.0

11180.01c3System.6-01.c 01.02 Authorized Access to Information Systems

ID: 11180.01c3System.6-01.c Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Design an access control model CMA_0129 - Design an access control model Manual, Disabled 1.1.0
Employ least privilege access CMA_0212 - Employ least privilege access Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
Management ports of virtual machines should be protected with just-in-time network access control Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 3.0.0
Restrict access to privileged accounts CMA_0446 - Restrict access to privileged accounts Manual, Disabled 1.1.0

1119.01j2Organizational.3-01.j 01.04 Network Access Control

ID: 1119.01j2Organizational.3-01.j Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Enable detection of network devices CMA_0220 - Enable detection of network devices Manual, Disabled 1.1.0
Management ports of virtual machines should be protected with just-in-time network access control Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 3.0.0
Require interconnection security agreements CMA_C1151 - Require interconnection security agreements Manual, Disabled 1.1.0
Secure the interface to external systems CMA_0491 - Secure the interface to external systems Manual, Disabled 1.1.0
Set automated notifications for new and trending cloud applications in your organization CMA_0495 - Set automated notifications for new and trending cloud applications in your organization Manual, Disabled 1.1.0

11190.01t1Organizational.3-01.t 01.05 Operating System Access Control

ID: 11190.01t1Organizational.3-01.t Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adopt biometric authentication mechanisms CMA_0005 - Adopt biometric authentication mechanisms Manual, Disabled 1.1.0
Control physical access CMA_0081 - Control physical access Manual, Disabled 1.1.0
Identify and authenticate network devices CMA_0296 - Identify and authenticate network devices Manual, Disabled 1.1.0
Implement physical security for offices, working areas, and secure areas CMA_0323 - Implement physical security for offices, working areas, and secure areas Manual, Disabled 1.1.0
Manage the input, output, processing, and storage of data CMA_0369 - Manage the input, output, processing, and storage of data Manual, Disabled 1.1.0

1120.09ab3System.9-09.ab 09.10 Monitoring

ID: 1120.09ab3System.9-09.ab Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Monitor should collect activity logs from all regions This policy audits the Azure Monitor log profile which does not export activities from all Azure supported regions including global. AuditIfNotExists, Disabled 2.0.0

1121.01j3Organizational.2-01.j 01.04 Network Access Control

ID: 1121.01j3Organizational.2-01.j Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Accounts with owner permissions on Azure resources should be MFA enabled Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 1.0.0
Adopt biometric authentication mechanisms CMA_0005 - Adopt biometric authentication mechanisms Manual, Disabled 1.1.0
Authorize remote access CMA_0024 - Authorize remote access Manual, Disabled 1.1.0
Document mobility training CMA_0191 - Document mobility training Manual, Disabled 1.1.0
Document remote access guidelines CMA_0196 - Document remote access guidelines Manual, Disabled 1.1.0
Enforce user uniqueness CMA_0250 - Enforce user uniqueness Manual, Disabled 1.1.0
Identify and authenticate network devices CMA_0296 - Identify and authenticate network devices Manual, Disabled 1.1.0
Implement controls to secure alternate work sites CMA_0315 - Implement controls to secure alternate work sites Manual, Disabled 1.1.0
Notify users of system logon or access CMA_0382 - Notify users of system logon or access Manual, Disabled 1.1.0
Provide privacy training CMA_0415 - Provide privacy training Manual, Disabled 1.1.0
Support personal verification credentials issued by legal authorities CMA_0507 - Support personal verification credentials issued by legal authorities Manual, Disabled 1.1.0

11219.01b1Organizational.10-01.b 01.02 Authorized Access to Information Systems

ID: 11219.01b1Organizational.10-01.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define access authorizations to support separation of duties CMA_0116 - Define access authorizations to support separation of duties Manual, Disabled 1.1.0
Design an access control model CMA_0129 - Design an access control model Manual, Disabled 1.1.0
Document separation of duties CMA_0204 - Document separation of duties Manual, Disabled 1.1.0
Employ least privilege access CMA_0212 - Employ least privilege access Manual, Disabled 1.1.0
Separate duties of individuals CMA_0492 - Separate duties of individuals Manual, Disabled 1.1.0

1122.01q1System.1-01.q 01.05 Operating System Access Control

ID: 1122.01q1System.1-01.q Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Accept only FICAM-approved third-party credentials CMA_C1348 - Accept only FICAM-approved third-party credentials Manual, Disabled 1.1.0
Adopt biometric authentication mechanisms CMA_0005 - Adopt biometric authentication mechanisms Manual, Disabled 1.1.0
Conform to FICAM-issued profiles CMA_C1350 - Conform to FICAM-issued profiles Manual, Disabled 1.1.0
Employ FICAM-approved resources to accept third-party credentials CMA_C1349 - Employ FICAM-approved resources to accept third-party credentials Manual, Disabled 1.1.0
Enforce user uniqueness CMA_0250 - Enforce user uniqueness Manual, Disabled 1.1.0
Identify and authenticate non-organizational users CMA_C1346 - Identify and authenticate non-organizational users Manual, Disabled 1.1.0
Support personal verification credentials issued by legal authorities CMA_0507 - Support personal verification credentials issued by legal authorities Manual, Disabled 1.1.0

11220.01b1System.10-01.b 01.02 Authorized Access to Information Systems

ID: 11220.01b1System.10-01.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Assign account managers CMA_0015 - Assign account managers Manual, Disabled 1.1.0
Audit user account status CMA_0020 - Audit user account status Manual, Disabled 1.1.0
Conduct exit interview upon termination CMA_0058 - Conduct exit interview upon termination Manual, Disabled 1.1.0
Define and enforce conditions for shared and group accounts CMA_0117 - Define and enforce conditions for shared and group accounts Manual, Disabled 1.1.0
Define information system account types CMA_0121 - Define information system account types Manual, Disabled 1.1.0
Disable authenticators upon termination CMA_0169 - Disable authenticators upon termination Manual, Disabled 1.1.0
Document access privileges CMA_0186 - Document access privileges Manual, Disabled 1.1.0
Establish conditions for role membership CMA_0269 - Establish conditions for role membership Manual, Disabled 1.1.0
Initiate transfer or reassignment actions CMA_0333 - Initiate transfer or reassignment actions Manual, Disabled 1.1.0
Manage Authenticators CMA_C1321 - Manage Authenticators Manual, Disabled 1.1.0
Modify access authorizations upon personnel transfer CMA_0374 - Modify access authorizations upon personnel transfer Manual, Disabled 1.1.0
Monitor account activity CMA_0377 - Monitor account activity Manual, Disabled 1.1.0
Notify Account Managers of customer controlled accounts CMA_C1009 - Notify Account Managers of customer controlled accounts Manual, Disabled 1.1.0
Notify upon termination or transfer CMA_0381 - Notify upon termination or transfer Manual, Disabled 1.1.0
Protect against and prevent data theft from departing employees CMA_0398 - Protect against and prevent data theft from departing employees Manual, Disabled 1.1.0
Provide periodic security awareness training CMA_C1091 - Provide periodic security awareness training Manual, Disabled 1.1.0
Provide security training for new users CMA_0419 - Provide security training for new users Manual, Disabled 1.1.0
Provide updated security awareness training CMA_C1090 - Provide updated security awareness training Manual, Disabled 1.1.0
Reevaluate access upon personnel transfer CMA_0424 - Reevaluate access upon personnel transfer Manual, Disabled 1.1.0
Reissue authenticators for changed groups and accounts CMA_0426 - Reissue authenticators for changed groups and accounts Manual, Disabled 1.1.0
Require approval for account creation CMA_0431 - Require approval for account creation Manual, Disabled 1.1.0
Restrict access to privileged accounts CMA_0446 - Restrict access to privileged accounts Manual, Disabled 1.1.0
Retain terminated user data CMA_0455 - Retain terminated user data Manual, Disabled 1.1.0
Review account provisioning logs CMA_0460 - Review account provisioning logs Manual, Disabled 1.1.0
Review user accounts CMA_0480 - Review user accounts Manual, Disabled 1.1.0
Revoke privileged roles as appropriate CMA_0483 - Revoke privileged roles as appropriate Manual, Disabled 1.1.0

1123.01q1System.2-01.q 01.05 Operating System Access Control

ID: 1123.01q1System.2-01.q Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit Windows machines that have extra accounts in the Administrators group Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains members that are not listed in the policy parameter. auditIfNotExists 2.0.0
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Design an access control model CMA_0129 - Design an access control model Manual, Disabled 1.1.0
Employ least privilege access CMA_0212 - Employ least privilege access Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0

1124.01q1System.34-01.q 01.05 Operating System Access Control

ID: 1124.01q1System.34-01.q Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define and enforce conditions for shared and group accounts CMA_0117 - Define and enforce conditions for shared and group accounts Manual, Disabled 1.1.0
Reissue authenticators for changed groups and accounts CMA_0426 - Reissue authenticators for changed groups and accounts Manual, Disabled 1.1.0

1125.01q2System.1-01.q 01.05 Operating System Access Control

ID: 1125.01q2System.1-01.q Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adopt biometric authentication mechanisms CMA_0005 - Adopt biometric authentication mechanisms Manual, Disabled 1.1.0
Audit Windows machines that have the specified members in the Administrators group Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter. auditIfNotExists 2.0.0
Enforce user uniqueness CMA_0250 - Enforce user uniqueness Manual, Disabled 1.1.0
Support personal verification credentials issued by legal authorities CMA_0507 - Support personal verification credentials issued by legal authorities Manual, Disabled 1.1.0

1127.01q2System.3-01.q 01.05 Operating System Access Control

ID: 1127.01q2System.3-01.q Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit Windows machines missing any of specified members in the Administrators group Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group does not contain one or more members that are listed in the policy parameter. auditIfNotExists 2.0.0
Distribute authenticators CMA_0184 - Distribute authenticators Manual, Disabled 1.1.0

1128.01q2System.5-01.q 01.05 Operating System Access Control

ID: 1128.01q2System.5-01.q Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop acceptable use policies and procedures CMA_0143 - Develop acceptable use policies and procedures Manual, Disabled 1.1.0
Enforce rules of behavior and access agreements CMA_0248 - Enforce rules of behavior and access agreements Manual, Disabled 1.1.0
Provide privacy training CMA_0415 - Provide privacy training Manual, Disabled 1.1.0

1129.01v1System.12-01.v 01.06 Application and Information Access Control

ID: 1129.01v1System.12-01.v Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit privileged functions CMA_0019 - Audit privileged functions Manual, Disabled 1.1.0
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Define information system account types CMA_0121 - Define information system account types Manual, Disabled 1.1.0
Design an access control model CMA_0129 - Design an access control model Manual, Disabled 1.1.0
Employ least privilege access CMA_0212 - Employ least privilege access Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
Monitor account activity CMA_0377 - Monitor account activity Manual, Disabled 1.1.0
Monitor privileged role assignment CMA_0378 - Monitor privileged role assignment Manual, Disabled 1.1.0
Restrict access to privileged accounts CMA_0446 - Restrict access to privileged accounts Manual, Disabled 1.1.0
Revoke privileged roles as appropriate CMA_0483 - Revoke privileged roles as appropriate Manual, Disabled 1.1.0
Use privileged identity management CMA_0533 - Use privileged identity management Manual, Disabled 1.1.0

1130.01v2System.1-01.v 01.06 Application and Information Access Control

ID: 1130.01v2System.1-01.v Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Assign account managers CMA_0015 - Assign account managers Manual, Disabled 1.1.0
Define information system account types CMA_0121 - Define information system account types Manual, Disabled 1.1.0
Document access privileges CMA_0186 - Document access privileges Manual, Disabled 1.1.0
Establish conditions for role membership CMA_0269 - Establish conditions for role membership Manual, Disabled 1.1.0
Restrict access to privileged accounts CMA_0446 - Restrict access to privileged accounts Manual, Disabled 1.1.0

1131.01v2System.2-01.v 01.06 Application and Information Access Control

ID: 1131.01v2System.2-01.v Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control information flow CMA_0079 - Control information flow Manual, Disabled 1.1.0
Employ flow control mechanisms of encrypted information CMA_0211 - Employ flow control mechanisms of encrypted information Manual, Disabled 1.1.0
Establish firewall and router configuration standards CMA_0272 - Establish firewall and router configuration standards Manual, Disabled 1.1.0
Establish network segmentation for card holder data environment CMA_0273 - Establish network segmentation for card holder data environment Manual, Disabled 1.1.0
Identify and manage downstream information exchanges CMA_0298 - Identify and manage downstream information exchanges Manual, Disabled 1.1.0
Information flow control using security policy filters CMA_C1029 - Information flow control using security policy filters Manual, Disabled 1.1.0

1132.01v2System.3-01.v 01.06 Application and Information Access Control

ID: 1132.01v2System.3-01.v Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Establish a data leakage management procedure CMA_0255 - Establish a data leakage management procedure Manual, Disabled 1.1.0
Protect special information CMA_0409 - Protect special information Manual, Disabled 1.1.0

1133.01v2System.4-01.v 01.06 Application and Information Access Control

ID: 1133.01v2System.4-01.v Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Identify actions allowed without authentication CMA_0295 - Identify actions allowed without authentication Manual, Disabled 1.1.0

1134.01v3System.1-01.v 01.06 Application and Information Access Control

ID: 1134.01v3System.1-01.v Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Establish a data leakage management procedure CMA_0255 - Establish a data leakage management procedure Manual, Disabled 1.1.0
Limit privileges to make changes in production environment CMA_C1206 - Limit privileges to make changes in production environment Manual, Disabled 1.1.0
Protect special information CMA_0409 - Protect special information Manual, Disabled 1.1.0

1135.02i1Organizational.1234-02.i 02.04 Termination or Change of Employment

ID: 1135.02i1Organizational.1234-02.i Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Conduct exit interview upon termination CMA_0058 - Conduct exit interview upon termination Manual, Disabled 1.1.0
Disable authenticators upon termination CMA_0169 - Disable authenticators upon termination Manual, Disabled 1.1.0
Initiate transfer or reassignment actions CMA_0333 - Initiate transfer or reassignment actions Manual, Disabled 1.1.0
Modify access authorizations upon personnel transfer CMA_0374 - Modify access authorizations upon personnel transfer Manual, Disabled 1.1.0
Notify upon termination or transfer CMA_0381 - Notify upon termination or transfer Manual, Disabled 1.1.0
Protect against and prevent data theft from departing employees CMA_0398 - Protect against and prevent data theft from departing employees Manual, Disabled 1.1.0
Reevaluate access upon personnel transfer CMA_0424 - Reevaluate access upon personnel transfer Manual, Disabled 1.1.0
Retain terminated user data CMA_0455 - Retain terminated user data Manual, Disabled 1.1.0
Revoke privileged roles as appropriate CMA_0483 - Revoke privileged roles as appropriate Manual, Disabled 1.1.0

1136.02i2Organizational.1-02.i 02.04 Termination or Change of Employment

ID: 1136.02i2Organizational.1-02.i Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Conduct exit interview upon termination CMA_0058 - Conduct exit interview upon termination Manual, Disabled 1.1.0
Disable authenticators upon termination CMA_0169 - Disable authenticators upon termination Manual, Disabled 1.1.0
Disable user accounts posing a significant risk CMA_C1026 - Disable user accounts posing a significant risk Manual, Disabled 1.1.0
Notify upon termination or transfer CMA_0381 - Notify upon termination or transfer Manual, Disabled 1.1.0
Protect against and prevent data theft from departing employees CMA_0398 - Protect against and prevent data theft from departing employees Manual, Disabled 1.1.0
Retain terminated user data CMA_0455 - Retain terminated user data Manual, Disabled 1.1.0

ID: 1137.06e1Organizational.1-06.e Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop acceptable use policies and procedures CMA_0143 - Develop acceptable use policies and procedures Manual, Disabled 1.1.0
Develop organization code of conduct policy CMA_0159 - Develop organization code of conduct policy Manual, Disabled 1.1.0
Document personnel acceptance of privacy requirements CMA_0193 - Document personnel acceptance of privacy requirements Manual, Disabled 1.1.0
Enforce rules of behavior and access agreements CMA_0248 - Enforce rules of behavior and access agreements Manual, Disabled 1.1.0
Prohibit unfair practices CMA_0396 - Prohibit unfair practices Manual, Disabled 1.1.0
Review and sign revised rules of behavior CMA_0465 - Review and sign revised rules of behavior Manual, Disabled 1.1.0
Update rules of behavior and access agreements CMA_0521 - Update rules of behavior and access agreements Manual, Disabled 1.1.0
Update rules of behavior and access agreements every 3 years CMA_0522 - Update rules of behavior and access agreements every 3 years Manual, Disabled 1.1.0

1139.01b1System.68-01.b 01.02 Authorized Access to Information Systems

ID: 1139.01b1System.68-01.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define and enforce conditions for shared and group accounts CMA_0117 - Define and enforce conditions for shared and group accounts Manual, Disabled 1.1.0
Define information system account types CMA_0121 - Define information system account types Manual, Disabled 1.1.0
Document access privileges CMA_0186 - Document access privileges Manual, Disabled 1.1.0
Establish conditions for role membership CMA_0269 - Establish conditions for role membership Manual, Disabled 1.1.0
Reissue authenticators for changed groups and accounts CMA_0426 - Reissue authenticators for changed groups and accounts Manual, Disabled 1.1.0
Restrict access to privileged accounts CMA_0446 - Restrict access to privileged accounts Manual, Disabled 1.1.0

1143.01c1System.123-01.c 01.02 Authorized Access to Information Systems

ID: 1143.01c1System.123-01.c Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Design an access control model CMA_0129 - Design an access control model Manual, Disabled 1.1.0
Employ least privilege access CMA_0212 - Employ least privilege access Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
Management ports should be closed on your virtual machines Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. AuditIfNotExists, Disabled 3.0.0
Monitor account activity CMA_0377 - Monitor account activity Manual, Disabled 1.1.0
Notify Account Managers of customer controlled accounts CMA_C1009 - Notify Account Managers of customer controlled accounts Manual, Disabled 1.1.0
Require approval for account creation CMA_0431 - Require approval for account creation Manual, Disabled 1.1.0
Restrict access to privileged accounts CMA_0446 - Restrict access to privileged accounts Manual, Disabled 1.1.0

1144.01c1System.4-01.c 01.02 Authorized Access to Information Systems

ID: 1144.01c1System.4-01.c Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
A maximum of 3 owners should be designated for your subscription It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. AuditIfNotExists, Disabled 3.0.0
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Design an access control model CMA_0129 - Design an access control model Manual, Disabled 1.1.0
Employ least privilege access CMA_0212 - Employ least privilege access Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0

1145.01c2System.1-01.c 01.02 Authorized Access to Information Systems

ID: 1145.01c2System.1-01.c Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit privileged functions CMA_0019 - Audit privileged functions Manual, Disabled 1.1.0
Monitor account activity CMA_0377 - Monitor account activity Manual, Disabled 1.1.0
Monitor privileged role assignment CMA_0378 - Monitor privileged role assignment Manual, Disabled 1.1.0
Require approval for account creation CMA_0431 - Require approval for account creation Manual, Disabled 1.1.0
Restrict access to privileged accounts CMA_0446 - Restrict access to privileged accounts Manual, Disabled 1.1.0
Revoke privileged roles as appropriate CMA_0483 - Revoke privileged roles as appropriate Manual, Disabled 1.1.0
There should be more than one owner assigned to your subscription It is recommended to designate more than one subscription owner in order to have administrator access redundancy. AuditIfNotExists, Disabled 3.0.0
Use privileged identity management CMA_0533 - Use privileged identity management Manual, Disabled 1.1.0

1146.01c2System.23-01.c 01.02 Authorized Access to Information Systems

ID: 1146.01c2System.23-01.c Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Design an access control model CMA_0129 - Design an access control model Manual, Disabled 1.1.0
Employ least privilege access CMA_0212 - Employ least privilege access Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
Enforce software execution privileges CMA_C1041 - Enforce software execution privileges Manual, Disabled 1.1.0
Guest accounts with owner permissions on Azure resources should be removed External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. AuditIfNotExists, Disabled 1.0.0
Restrict access to privileged accounts CMA_0446 - Restrict access to privileged accounts Manual, Disabled 1.1.0

1147.01c2System.456-01.c 01.02 Authorized Access to Information Systems

ID: 1147.01c2System.456-01.c Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Blocked accounts with owner permissions on Azure resources should be removed Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. AuditIfNotExists, Disabled 1.0.0
Design an access control model CMA_0129 - Design an access control model Manual, Disabled 1.1.0
Employ least privilege access CMA_0212 - Employ least privilege access Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0

1148.01c2System.78-01.c 01.02 Authorized Access to Information Systems

ID: 1148.01c2System.78-01.c Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit usage of custom RBAC roles Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling Audit, Disabled 1.0.1
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Design an access control model CMA_0129 - Design an access control model Manual, Disabled 1.1.0
Employ least privilege access CMA_0212 - Employ least privilege access Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
Restrict access to privileged accounts CMA_0446 - Restrict access to privileged accounts Manual, Disabled 1.1.0
Windows machines should meet requirements for 'Security Options - Accounts' Windows machines should have the specified Group Policy settings in the category 'Security Options - Accounts' for limiting local account use of blank passwords and guest account status. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0

1150.01c2System.10-01.c 01.02 Authorized Access to Information Systems

ID: 1150.01c2System.10-01.c Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control information flow CMA_0079 - Control information flow Manual, Disabled 1.1.0
Employ flow control mechanisms of encrypted information CMA_0211 - Employ flow control mechanisms of encrypted information Manual, Disabled 1.1.0
Establish firewall and router configuration standards CMA_0272 - Establish firewall and router configuration standards Manual, Disabled 1.1.0
Establish network segmentation for card holder data environment CMA_0273 - Establish network segmentation for card holder data environment Manual, Disabled 1.1.0
Identify and manage downstream information exchanges CMA_0298 - Identify and manage downstream information exchanges Manual, Disabled 1.1.0
Information flow control using security policy filters CMA_C1029 - Information flow control using security policy filters Manual, Disabled 1.1.0
Management ports should be closed on your virtual machines Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. AuditIfNotExists, Disabled 3.0.0

1151.01c3System.1-01.c 01.02 Authorized Access to Information Systems

ID: 1151.01c3System.1-01.c Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
A maximum of 3 owners should be designated for your subscription It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. AuditIfNotExists, Disabled 3.0.0
Audit privileged functions CMA_0019 - Audit privileged functions Manual, Disabled 1.1.0
Conduct a full text analysis of logged privileged commands CMA_0056 - Conduct a full text analysis of logged privileged commands Manual, Disabled 1.1.0
Monitor privileged role assignment CMA_0378 - Monitor privileged role assignment Manual, Disabled 1.1.0
Restrict access to privileged accounts CMA_0446 - Restrict access to privileged accounts Manual, Disabled 1.1.0
Revoke privileged roles as appropriate CMA_0483 - Revoke privileged roles as appropriate Manual, Disabled 1.1.0
Use privileged identity management CMA_0533 - Use privileged identity management Manual, Disabled 1.1.0

1152.01c3System.2-01.c 01.02 Authorized Access to Information Systems

ID: 1152.01c3System.2-01.c Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit privileged functions CMA_0019 - Audit privileged functions Manual, Disabled 1.1.0
Conduct a full text analysis of logged privileged commands CMA_0056 - Conduct a full text analysis of logged privileged commands Manual, Disabled 1.1.0
Design an access control model CMA_0129 - Design an access control model Manual, Disabled 1.1.0
Employ least privilege access CMA_0212 - Employ least privilege access Manual, Disabled 1.1.0
Monitor privileged role assignment CMA_0378 - Monitor privileged role assignment Manual, Disabled 1.1.0
Restrict access to privileged accounts CMA_0446 - Restrict access to privileged accounts Manual, Disabled 1.1.0
Revoke privileged roles as appropriate CMA_0483 - Revoke privileged roles as appropriate Manual, Disabled 1.1.0
There should be more than one owner assigned to your subscription It is recommended to designate more than one subscription owner in order to have administrator access redundancy. AuditIfNotExists, Disabled 3.0.0
Use privileged identity management CMA_0533 - Use privileged identity management Manual, Disabled 1.1.0

1153.01c3System.35-01.c 01.02 Authorized Access to Information Systems

ID: 1153.01c3System.35-01.c Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Require approval for account creation CMA_0431 - Require approval for account creation Manual, Disabled 1.1.0
Role-Based Access Control (RBAC) should be used on Kubernetes Services To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. Audit, Disabled 1.0.4

1166.01e1System.12-01.e 01.02 Authorized Access to Information Systems

ID: 1166.01e1System.12-01.e Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit user account status CMA_0020 - Audit user account status Manual, Disabled 1.1.0
Initiate transfer or reassignment actions CMA_0333 - Initiate transfer or reassignment actions Manual, Disabled 1.1.0
Modify access authorizations upon personnel transfer CMA_0374 - Modify access authorizations upon personnel transfer Manual, Disabled 1.1.0
Notify Account Managers of customer controlled accounts CMA_C1009 - Notify Account Managers of customer controlled accounts Manual, Disabled 1.1.0
Notify upon termination or transfer CMA_0381 - Notify upon termination or transfer Manual, Disabled 1.1.0
Reevaluate access upon personnel transfer CMA_0424 - Reevaluate access upon personnel transfer Manual, Disabled 1.1.0
Review account provisioning logs CMA_0460 - Review account provisioning logs Manual, Disabled 1.1.0
Review user accounts CMA_0480 - Review user accounts Manual, Disabled 1.1.0

1167.01e2System.1-01.e 01.02 Authorized Access to Information Systems

ID: 1167.01e2System.1-01.e Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Assign system identifiers CMA_0018 - Assign system identifiers Manual, Disabled 1.1.0
Identify status of individual users CMA_C1316 - Identify status of individual users Manual, Disabled 1.1.0

1168.01e2System.2-01.e 01.02 Authorized Access to Information Systems

ID: 1168.01e2System.2-01.e Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Design an access control model CMA_0129 - Design an access control model Manual, Disabled 1.1.0
Employ least privilege access CMA_0212 - Employ least privilege access Manual, Disabled 1.1.0
Reassign or remove user privileges as needed CMA_C1040 - Reassign or remove user privileges as needed Manual, Disabled 1.1.0
Review user privileges CMA_C1039 - Review user privileges Manual, Disabled 1.1.0

1175.01j1Organizational.8-01.j 01.04 Network Access Control

ID: 1175.01j1Organizational.8-01.j Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adopt biometric authentication mechanisms CMA_0005 - Adopt biometric authentication mechanisms Manual, Disabled 1.1.0
Enforce user uniqueness CMA_0250 - Enforce user uniqueness Manual, Disabled 1.1.0
Identify and authenticate network devices CMA_0296 - Identify and authenticate network devices Manual, Disabled 1.1.0
Management ports of virtual machines should be protected with just-in-time network access control Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 3.0.0
Support personal verification credentials issued by legal authorities CMA_0507 - Support personal verification credentials issued by legal authorities Manual, Disabled 1.1.0

1178.01j2Organizational.7-01.j 01.04 Network Access Control

ID: 1178.01j2Organizational.7-01.j Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Accounts with read permissions on Azure resources should be MFA enabled Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 1.0.0
Enforce user uniqueness CMA_0250 - Enforce user uniqueness Manual, Disabled 1.1.0
Require use of individual authenticators CMA_C1305 - Require use of individual authenticators Manual, Disabled 1.1.0
Support personal verification credentials issued by legal authorities CMA_0507 - Support personal verification credentials issued by legal authorities Manual, Disabled 1.1.0

1179.01j3Organizational.1-01.j 01.04 Network Access Control

ID: 1179.01j3Organizational.1-01.j Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authorize remote access CMA_0024 - Authorize remote access Manual, Disabled 1.1.0
Document mobility training CMA_0191 - Document mobility training Manual, Disabled 1.1.0
Document remote access guidelines CMA_0196 - Document remote access guidelines Manual, Disabled 1.1.0
Implement controls to secure alternate work sites CMA_0315 - Implement controls to secure alternate work sites Manual, Disabled 1.1.0
Management ports of virtual machines should be protected with just-in-time network access control Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 3.0.0
Monitor access across the organization CMA_0376 - Monitor access across the organization Manual, Disabled 1.1.0
Provide privacy training CMA_0415 - Provide privacy training Manual, Disabled 1.1.0

1192.01l1Organizational.1-01.l 01.04 Network Access Control

ID: 1192.01l1Organizational.1-01.l Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control physical access CMA_0081 - Control physical access Manual, Disabled 1.1.0
Define a physical key management process CMA_0115 - Define a physical key management process Manual, Disabled 1.1.0
Establish and maintain an asset inventory CMA_0266 - Establish and maintain an asset inventory Manual, Disabled 1.1.0
Implement physical security for offices, working areas, and secure areas CMA_0323 - Implement physical security for offices, working areas, and secure areas Manual, Disabled 1.1.0
Management ports of virtual machines should be protected with just-in-time network access control Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 3.0.0

1193.01l2Organizational.13-01.l 01.04 Network Access Control

ID: 1193.01l2Organizational.13-01.l Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control physical access CMA_0081 - Control physical access Manual, Disabled 1.1.0
Define a physical key management process CMA_0115 - Define a physical key management process Manual, Disabled 1.1.0
Establish and maintain an asset inventory CMA_0266 - Establish and maintain an asset inventory Manual, Disabled 1.1.0
Implement physical security for offices, working areas, and secure areas CMA_0323 - Implement physical security for offices, working areas, and secure areas Manual, Disabled 1.1.0
Management ports should be closed on your virtual machines Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. AuditIfNotExists, Disabled 3.0.0

1194.01l2Organizational.2-01.l 01.04 Network Access Control

ID: 1194.01l2Organizational.2-01.l Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
App Service apps should have remote debugging turned off Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. AuditIfNotExists, Disabled 2.0.0

1195.01l3Organizational.1-01.l 01.04 Network Access Control

ID: 1195.01l3Organizational.1-01.l Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Function apps should have remote debugging turned off Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. AuditIfNotExists, Disabled 2.0.0

12 Audit Logging & Monitoring

ID: 1201.06e1Organizational.2-06.e Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop acceptable use policies and procedures CMA_0143 - Develop acceptable use policies and procedures Manual, Disabled 1.1.0
Develop organization code of conduct policy CMA_0159 - Develop organization code of conduct policy Manual, Disabled 1.1.0
Document personnel acceptance of privacy requirements CMA_0193 - Document personnel acceptance of privacy requirements Manual, Disabled 1.1.0
Enforce rules of behavior and access agreements CMA_0248 - Enforce rules of behavior and access agreements Manual, Disabled 1.1.0
Implement privacy notice delivery methods CMA_0324 - Implement privacy notice delivery methods Manual, Disabled 1.1.0
Obtain consent prior to collection or processing of personal data CMA_0385 - Obtain consent prior to collection or processing of personal data Manual, Disabled 1.1.0
Prohibit unfair practices CMA_0396 - Prohibit unfair practices Manual, Disabled 1.1.0
Provide privacy notice CMA_0414 - Provide privacy notice Manual, Disabled 1.1.0
Review and sign revised rules of behavior CMA_0465 - Review and sign revised rules of behavior Manual, Disabled 1.1.0
Update information security policies CMA_0518 - Update information security policies Manual, Disabled 1.1.0
Update rules of behavior and access agreements CMA_0521 - Update rules of behavior and access agreements Manual, Disabled 1.1.0
Update rules of behavior and access agreements every 3 years CMA_0522 - Update rules of behavior and access agreements every 3 years Manual, Disabled 1.1.0

1202.09aa1System.1-09.aa 09.10 Monitoring

ID: 1202.09aa1System.1-09.aa Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure Azure Audit capabilities CMA_C1108 - Configure Azure Audit capabilities Manual, Disabled 1.1.1
Determine auditable events CMA_0137 - Determine auditable events Manual, Disabled 1.1.0
Resource logs in Azure Data Lake Store should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 5.0.0
Review and update the events defined in AU-02 CMA_C1106 - Review and update the events defined in AU-02 Manual, Disabled 1.1.0

1203.09aa1System.2-09.aa 09.10 Monitoring

ID: 1203.09aa1System.2-09.aa Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure Azure Audit capabilities CMA_C1108 - Configure Azure Audit capabilities Manual, Disabled 1.1.1
Determine auditable events CMA_0137 - Determine auditable events Manual, Disabled 1.1.0
Resource logs in Logic Apps should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 5.1.0

1204.09aa1System.3-09.aa 09.10 Monitoring

ID: 1204.09aa1System.3-09.aa Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure Azure Audit capabilities CMA_C1108 - Configure Azure Audit capabilities Manual, Disabled 1.1.1
Determine auditable events CMA_0137 - Determine auditable events Manual, Disabled 1.1.0
Monitor account activity CMA_0377 - Monitor account activity Manual, Disabled 1.1.0
Resource logs in IoT Hub should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 3.1.0

1205.09aa2System.1-09.aa 09.10 Monitoring

ID: 1205.09aa2System.1-09.aa Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure Azure Audit capabilities CMA_C1108 - Configure Azure Audit capabilities Manual, Disabled 1.1.1
Determine auditable events CMA_0137 - Determine auditable events Manual, Disabled 1.1.0
Ensure audit records are not altered CMA_C1125 - Ensure audit records are not altered Manual, Disabled 1.1.0
Provide audit review, analysis, and reporting capability CMA_C1124 - Provide audit review, analysis, and reporting capability Manual, Disabled 1.1.0
Provide capability to process customer-controlled audit records CMA_C1126 - Provide capability to process customer-controlled audit records Manual, Disabled 1.1.0
Resource logs in Batch accounts should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 5.0.0

1206.09aa2System.23-09.aa 09.10 Monitoring

ID: 1206.09aa2System.23-09.aa Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure Azure Audit capabilities CMA_C1108 - Configure Azure Audit capabilities Manual, Disabled 1.1.1
Determine auditable events CMA_0137 - Determine auditable events Manual, Disabled 1.1.0
Employ automatic shutdown/restart when violations are detected CMA_C1715 - Employ automatic shutdown/restart when violations are detected Manual, Disabled 1.1.0
Prohibit binary/machine-executable code CMA_C1717 - Prohibit binary/machine-executable code Manual, Disabled 1.1.0
Verify software, firmware and information integrity CMA_0542 - Verify software, firmware and information integrity Manual, Disabled 1.1.0
View and configure system diagnostic data CMA_0544 - View and configure system diagnostic data Manual, Disabled 1.1.0

1207.09aa2System.4-09.aa 09.10 Monitoring

ID: 1207.09aa2System.4-09.aa Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adhere to retention periods defined CMA_0004 - Adhere to retention periods defined Manual, Disabled 1.1.0
Audit privileged functions CMA_0019 - Audit privileged functions Manual, Disabled 1.1.0
Audit user account status CMA_0020 - Audit user account status Manual, Disabled 1.1.0
Configure Azure Audit capabilities CMA_C1108 - Configure Azure Audit capabilities Manual, Disabled 1.1.1
Determine auditable events CMA_0137 - Determine auditable events Manual, Disabled 1.1.0
Enable dual or joint authorization CMA_0226 - Enable dual or joint authorization Manual, Disabled 1.1.0
Govern and monitor audit processing activities CMA_0289 - Govern and monitor audit processing activities Manual, Disabled 1.1.0
Protect audit information CMA_0401 - Protect audit information Manual, Disabled 1.1.0
Resource logs in Azure Stream Analytics should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 5.0.0
Resource logs in Event Hub should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 5.0.0
Retain security policies and procedures CMA_0454 - Retain security policies and procedures Manual, Disabled 1.1.0
Retain terminated user data CMA_0455 - Retain terminated user data Manual, Disabled 1.1.0
Review audit data CMA_0466 - Review audit data Manual, Disabled 1.1.0

1208.09aa3System.1-09.aa 09.10 Monitoring

ID: 1208.09aa3System.1-09.aa Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit user account status CMA_0020 - Audit user account status Manual, Disabled 1.1.0
Automate account management CMA_0026 - Automate account management Manual, Disabled 1.1.0
Conduct a security impact analysis CMA_0057 - Conduct a security impact analysis Manual, Disabled 1.1.0
Configure Azure Audit capabilities CMA_C1108 - Configure Azure Audit capabilities Manual, Disabled 1.1.1
Determine auditable events CMA_0137 - Determine auditable events Manual, Disabled 1.1.0
Develop and maintain a vulnerability management standard CMA_0152 - Develop and maintain a vulnerability management standard Manual, Disabled 1.1.0
Establish a risk management strategy CMA_0258 - Establish a risk management strategy Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Establish configuration management requirements for developers CMA_0270 - Establish configuration management requirements for developers Manual, Disabled 1.1.0
Manage system and admin accounts CMA_0368 - Manage system and admin accounts Manual, Disabled 1.1.0
Monitor access across the organization CMA_0376 - Monitor access across the organization Manual, Disabled 1.1.0
Notify when account is not needed CMA_0383 - Notify when account is not needed Manual, Disabled 1.1.0
Perform a privacy impact assessment CMA_0387 - Perform a privacy impact assessment Manual, Disabled 1.1.0
Perform a risk assessment CMA_0388 - Perform a risk assessment Manual, Disabled 1.1.0
Perform audit for configuration change control CMA_0390 - Perform audit for configuration change control Manual, Disabled 1.1.0
Resource logs in Search services should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 5.0.0
Resource logs in Service Bus should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 5.0.0
Verify software, firmware and information integrity CMA_0542 - Verify software, firmware and information integrity Manual, Disabled 1.1.0

1209.09aa3System.2-09.aa 09.10 Monitoring

ID: 1209.09aa3System.2-09.aa Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
App Service apps should have resource logs enabled Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. AuditIfNotExists, Disabled 2.0.1
Configure Azure Audit capabilities CMA_C1108 - Configure Azure Audit capabilities Manual, Disabled 1.1.1
Determine auditable events CMA_0137 - Determine auditable events Manual, Disabled 1.1.0

1210.09aa3System.3-09.aa 09.10 Monitoring

ID: 1210.09aa3System.3-09.aa Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adhere to retention periods defined CMA_0004 - Adhere to retention periods defined Manual, Disabled 1.1.0
Audit diagnostic setting for selected resource types Audit diagnostic setting for selected resource types. Be sure to select only resource types which support diagnostics settings. AuditIfNotExists 2.0.1
Audit privileged functions CMA_0019 - Audit privileged functions Manual, Disabled 1.1.0
Audit user account status CMA_0020 - Audit user account status Manual, Disabled 1.1.0
Determine auditable events CMA_0137 - Determine auditable events Manual, Disabled 1.1.0
Resource logs in Data Lake Analytics should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 5.0.0
Retain security policies and procedures CMA_0454 - Retain security policies and procedures Manual, Disabled 1.1.0
Retain terminated user data CMA_0455 - Retain terminated user data Manual, Disabled 1.1.0
Review and update the events defined in AU-02 CMA_C1106 - Review and update the events defined in AU-02 Manual, Disabled 1.1.0
Review audit data CMA_0466 - Review audit data Manual, Disabled 1.1.0
Use system clocks for audit records CMA_0535 - Use system clocks for audit records Manual, Disabled 1.1.0

12100.09ab2System.15-09.ab 09.10 Monitoring

ID: 12100.09ab2System.15-09.ab Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Discover any indicators of compromise CMA_C1702 - Discover any indicators of compromise Manual, Disabled 1.1.0
Document wireless access security controls CMA_C1695 - Document wireless access security controls Manual, Disabled 1.1.0
Virtual machines should have the Log Analytics extension installed This policy audits any Windows/Linux virtual machines if the Log Analytics extension is not installed. AuditIfNotExists, Disabled 1.0.1

12101.09ab1Organizational.3-09.ab 09.10 Monitoring

ID: 12101.09ab1Organizational.3-09.ab Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adjust level of audit review, analysis, and reporting CMA_C1123 - Adjust level of audit review, analysis, and reporting Manual, Disabled 1.1.0
Correlate audit records CMA_0087 - Correlate audit records Manual, Disabled 1.1.0
Develop audit and accountability policies and procedures CMA_0154 - Develop audit and accountability policies and procedures Manual, Disabled 1.1.0
Develop information security policies and procedures CMA_0158 - Develop information security policies and procedures Manual, Disabled 1.1.0
Establish requirements for audit review and reporting CMA_0277 - Establish requirements for audit review and reporting Manual, Disabled 1.1.0
Govern policies and procedures CMA_0292 - Govern policies and procedures Manual, Disabled 1.1.0
Integrate audit review, analysis, and reporting CMA_0339 - Integrate audit review, analysis, and reporting Manual, Disabled 1.1.0
Integrate cloud app security with a siem CMA_0340 - Integrate cloud app security with a siem Manual, Disabled 1.1.0
Review account provisioning logs CMA_0460 - Review account provisioning logs Manual, Disabled 1.1.0
Review administrator assignments weekly CMA_0461 - Review administrator assignments weekly Manual, Disabled 1.1.0
Review audit data CMA_0466 - Review audit data Manual, Disabled 1.1.0
Review cloud identity report overview CMA_0468 - Review cloud identity report overview Manual, Disabled 1.1.0
Review controlled folder access events CMA_0471 - Review controlled folder access events Manual, Disabled 1.1.0
Review file and folder activity CMA_0473 - Review file and folder activity Manual, Disabled 1.1.0
Review role group changes weekly CMA_0476 - Review role group changes weekly Manual, Disabled 1.1.0
Specify permitted actions associated with customer audit information CMA_C1122 - Specify permitted actions associated with customer audit information Manual, Disabled 1.1.0
The Log Analytics extension should be installed on Virtual Machine Scale Sets This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics extension is not installed. AuditIfNotExists, Disabled 1.0.1
Update information security policies CMA_0518 - Update information security policies Manual, Disabled 1.1.0

12102.09ab1Organizational.4-09.ab 09.10 Monitoring

ID: 12102.09ab1Organizational.4-09.ab Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit Windows machines on which the Log Analytics agent is not connected as expected Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the agent is not installed, or if it is installed but the COM object AgentConfigManager.MgmtSvcCfg returns that it is registered to a workspace other than the ID specified in the policy parameter. auditIfNotExists 2.0.0
Conduct incident response testing CMA_0060 - Conduct incident response testing Manual, Disabled 1.1.0
Develop POA&M CMA_C1156 - Develop POA&M Manual, Disabled 1.1.0
Establish an information security program CMA_0263 - Establish an information security program Manual, Disabled 1.1.0
Run simulation attacks CMA_0486 - Run simulation attacks Manual, Disabled 1.1.0
Select additional testing for security control assessments CMA_C1149 - Select additional testing for security control assessments Manual, Disabled 1.1.0
Update POA&M items CMA_C1157 - Update POA&M items Manual, Disabled 1.1.0

12103.09ab1Organizational.5-09.ab 09.10 Monitoring

ID: 12103.09ab1Organizational.5-09.ab Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Correlate audit records CMA_0087 - Correlate audit records Manual, Disabled 1.1.0
Establish requirements for audit review and reporting CMA_0277 - Establish requirements for audit review and reporting Manual, Disabled 1.1.0
Integrate audit review, analysis, and reporting CMA_0339 - Integrate audit review, analysis, and reporting Manual, Disabled 1.1.0
Integrate cloud app security with a siem CMA_0340 - Integrate cloud app security with a siem Manual, Disabled 1.1.0
Review account provisioning logs CMA_0460 - Review account provisioning logs Manual, Disabled 1.1.0
Review administrator assignments weekly CMA_0461 - Review administrator assignments weekly Manual, Disabled 1.1.0
Review audit data CMA_0466 - Review audit data Manual, Disabled 1.1.0
Review cloud identity report overview CMA_0468 - Review cloud identity report overview Manual, Disabled 1.1.0
Review controlled folder access events CMA_0471 - Review controlled folder access events Manual, Disabled 1.1.0
Review file and folder activity CMA_0473 - Review file and folder activity Manual, Disabled 1.1.0
Review role group changes weekly CMA_0476 - Review role group changes weekly Manual, Disabled 1.1.0

1211.09aa3System.4-09.aa 09.10 Monitoring

ID: 1211.09aa3System.4-09.aa Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adhere to retention periods defined CMA_0004 - Adhere to retention periods defined Manual, Disabled 1.1.0
Auditing on SQL server should be enabled Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. AuditIfNotExists, Disabled 2.0.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Establish configuration management requirements for developers CMA_0270 - Establish configuration management requirements for developers Manual, Disabled 1.1.0
Perform audit for configuration change control CMA_0390 - Perform audit for configuration change control Manual, Disabled 1.1.0
Perform disposition review CMA_0391 - Perform disposition review Manual, Disabled 1.1.0
Resource logs in Azure Key Vault Managed HSM should be enabled To recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised, you may want to audit by enabling resource logs on Managed HSMs. Please follow the instructions here: https://docs.microsoft.com/azure/key-vault/managed-hsm/logging. AuditIfNotExists, Disabled 1.1.0
Resource logs in Key Vault should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 5.0.0
Verify personal data is deleted at the end of processing CMA_0540 - Verify personal data is deleted at the end of processing Manual, Disabled 1.1.0

1212.09ab1System.1-09.ab 09.10 Monitoring

ID: 1212.09ab1System.1-09.ab Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' This policy ensures that a log profile collects logs for categories 'write,' 'delete,' and 'action' AuditIfNotExists, Disabled 1.0.0
Obtain legal opinion for monitoring system activities CMA_C1688 - Obtain legal opinion for monitoring system activities Manual, Disabled 1.1.0
Provide monitoring information as needed CMA_C1689 - Provide monitoring information as needed Manual, Disabled 1.1.0

1213.09ab2System.128-09.ab 09.10 Monitoring

ID: 1213.09ab2System.128-09.ab Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authorize, monitor, and control voip CMA_0025 - Authorize, monitor, and control voip Manual, Disabled 1.1.0
Route traffic through managed network access points CMA_0484 - Route traffic through managed network access points Manual, Disabled 1.1.0

1214.09ab2System.3456-09.ab 09.10 Monitoring

ID: 1214.09ab2System.3456-09.ab Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit privileged functions CMA_0019 - Audit privileged functions Manual, Disabled 1.1.0
Azure Monitor should collect activity logs from all regions This policy audits the Azure Monitor log profile which does not export activities from all Azure supported regions including global. AuditIfNotExists, Disabled 2.0.0
Conduct a full text analysis of logged privileged commands CMA_0056 - Conduct a full text analysis of logged privileged commands Manual, Disabled 1.1.0
Configure Azure Audit capabilities CMA_C1108 - Configure Azure Audit capabilities Manual, Disabled 1.1.1
Determine auditable events CMA_0137 - Determine auditable events Manual, Disabled 1.1.0
Monitor privileged role assignment CMA_0378 - Monitor privileged role assignment Manual, Disabled 1.1.0
Restrict access to privileged accounts CMA_0446 - Restrict access to privileged accounts Manual, Disabled 1.1.0
Revoke privileged roles as appropriate CMA_0483 - Revoke privileged roles as appropriate Manual, Disabled 1.1.0
Use privileged identity management CMA_0533 - Use privileged identity management Manual, Disabled 1.1.0

1215.09ab2System.7-09.ab 09.10 Monitoring

ID: 1215.09ab2System.7-09.ab Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Ensure audit records are not altered CMA_C1125 - Ensure audit records are not altered Manual, Disabled 1.1.0
Provide audit review, analysis, and reporting capability CMA_C1124 - Provide audit review, analysis, and reporting capability Manual, Disabled 1.1.0
Provide capability to process customer-controlled audit records CMA_C1126 - Provide capability to process customer-controlled audit records Manual, Disabled 1.1.0
Virtual machines should have the Log Analytics extension installed This policy audits any Windows/Linux virtual machines if the Log Analytics extension is not installed. AuditIfNotExists, Disabled 1.0.1

1216.09ab3System.12-09.ab 09.10 Monitoring

ID: 1216.09ab3System.12-09.ab Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Alert personnel of information spillage CMA_0007 - Alert personnel of information spillage Manual, Disabled 1.1.0
Configure Azure Audit capabilities CMA_C1108 - Configure Azure Audit capabilities Manual, Disabled 1.1.1
Correlate audit records CMA_0087 - Correlate audit records Manual, Disabled 1.1.0
Determine auditable events CMA_0137 - Determine auditable events Manual, Disabled 1.1.0
Develop an incident response plan CMA_0145 - Develop an incident response plan Manual, Disabled 1.1.0
Document security operations CMA_0202 - Document security operations Manual, Disabled 1.1.0
Establish requirements for audit review and reporting CMA_0277 - Establish requirements for audit review and reporting Manual, Disabled 1.1.0
Integrate audit review, analysis, and reporting CMA_0339 - Integrate audit review, analysis, and reporting Manual, Disabled 1.1.0
Integrate cloud app security with a siem CMA_0340 - Integrate cloud app security with a siem Manual, Disabled 1.1.0
Review account provisioning logs CMA_0460 - Review account provisioning logs Manual, Disabled 1.1.0
Review administrator assignments weekly CMA_0461 - Review administrator assignments weekly Manual, Disabled 1.1.0
Review and update the events defined in AU-02 CMA_C1106 - Review and update the events defined in AU-02 Manual, Disabled 1.1.0
Review audit data CMA_0466 - Review audit data Manual, Disabled 1.1.0
Review cloud identity report overview CMA_0468 - Review cloud identity report overview Manual, Disabled 1.1.0
Review controlled folder access events CMA_0471 - Review controlled folder access events Manual, Disabled 1.1.0
Review file and folder activity CMA_0473 - Review file and folder activity Manual, Disabled 1.1.0
Review role group changes weekly CMA_0476 - Review role group changes weekly Manual, Disabled 1.1.0
Set automated notifications for new and trending cloud applications in your organization CMA_0495 - Set automated notifications for new and trending cloud applications in your organization Manual, Disabled 1.1.0
The Log Analytics extension should be installed on Virtual Machine Scale Sets This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics extension is not installed. AuditIfNotExists, Disabled 1.0.1
Turn on sensors for endpoint security solution CMA_0514 - Turn on sensors for endpoint security solution Manual, Disabled 1.1.0

1217.09ab3System.3-09.ab 09.10 Monitoring

ID: 1217.09ab3System.3-09.ab Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Alert personnel of information spillage CMA_0007 - Alert personnel of information spillage Manual, Disabled 1.1.0
Audit Windows machines on which the Log Analytics agent is not connected as expected Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the agent is not installed, or if it is installed but the COM object AgentConfigManager.MgmtSvcCfg returns that it is registered to a workspace other than the ID specified in the policy parameter. auditIfNotExists 2.0.0
Develop an incident response plan CMA_0145 - Develop an incident response plan Manual, Disabled 1.1.0
Document wireless access security controls CMA_C1695 - Document wireless access security controls Manual, Disabled 1.1.0
Set automated notifications for new and trending cloud applications in your organization CMA_0495 - Set automated notifications for new and trending cloud applications in your organization Manual, Disabled 1.1.0

1218.09ab3System.47-09.ab 09.10 Monitoring

ID: 1218.09ab3System.47-09.ab Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Alert personnel of information spillage CMA_0007 - Alert personnel of information spillage Manual, Disabled 1.1.0
Authorize, monitor, and control voip CMA_0025 - Authorize, monitor, and control voip Manual, Disabled 1.1.0
Develop an incident response plan CMA_0145 - Develop an incident response plan Manual, Disabled 1.1.0
Document security operations CMA_0202 - Document security operations Manual, Disabled 1.1.0
Route traffic through managed network access points CMA_0484 - Route traffic through managed network access points Manual, Disabled 1.1.0
Set automated notifications for new and trending cloud applications in your organization CMA_0495 - Set automated notifications for new and trending cloud applications in your organization Manual, Disabled 1.1.0
Turn on sensors for endpoint security solution CMA_0514 - Turn on sensors for endpoint security solution Manual, Disabled 1.1.0

1219.09ab3System.10-09.ab 09.10 Monitoring

ID: 1219.09ab3System.10-09.ab Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' This policy ensures that a log profile collects logs for categories 'write,' 'delete,' and 'action' AuditIfNotExists, Disabled 1.0.0
Ensure audit records are not altered CMA_C1125 - Ensure audit records are not altered Manual, Disabled 1.1.0
Provide audit review, analysis, and reporting capability CMA_C1124 - Provide audit review, analysis, and reporting capability Manual, Disabled 1.1.0
Provide capability to process customer-controlled audit records CMA_C1126 - Provide capability to process customer-controlled audit records Manual, Disabled 1.1.0

1220.09ab3System.56-09.ab 09.10 Monitoring

ID: 1220.09ab3System.56-09.ab Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authorize, monitor, and control voip CMA_0025 - Authorize, monitor, and control voip Manual, Disabled 1.1.0
Route traffic through managed network access points CMA_0484 - Route traffic through managed network access points Manual, Disabled 1.1.0
Verify software, firmware and information integrity CMA_0542 - Verify software, firmware and information integrity Manual, Disabled 1.1.0
View and configure system diagnostic data CMA_0544 - View and configure system diagnostic data Manual, Disabled 1.1.0

1222.09ab3System.8-09.ab 09.10 Monitoring

ID: 1222.09ab3System.8-09.ab Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Alert personnel of information spillage CMA_0007 - Alert personnel of information spillage Manual, Disabled 1.1.0
Correlate audit records CMA_0087 - Correlate audit records Manual, Disabled 1.1.0
Develop an incident response plan CMA_0145 - Develop an incident response plan Manual, Disabled 1.1.0
Disseminate security alerts to personnel CMA_C1705 - Disseminate security alerts to personnel Manual, Disabled 1.1.0
Establish a threat intelligence program CMA_0260 - Establish a threat intelligence program Manual, Disabled 1.1.0
Generate internal security alerts CMA_C1704 - Generate internal security alerts Manual, Disabled 1.1.0
Implement security directives CMA_C1706 - Implement security directives Manual, Disabled 1.1.0
Integrate cloud app security with a siem CMA_0340 - Integrate cloud app security with a siem Manual, Disabled 1.1.0
Provide capability to process customer-controlled audit records CMA_C1126 - Provide capability to process customer-controlled audit records Manual, Disabled 1.1.0
Set automated notifications for new and trending cloud applications in your organization CMA_0495 - Set automated notifications for new and trending cloud applications in your organization Manual, Disabled 1.1.0

1229.09c1Organizational.1-09.c 09.01 Documented Operating Procedures

ID: 1229.09c1Organizational.1-09.c Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define access authorizations to support separation of duties CMA_0116 - Define access authorizations to support separation of duties Manual, Disabled 1.1.0
Document separation of duties CMA_0204 - Document separation of duties Manual, Disabled 1.1.0
Role-Based Access Control (RBAC) should be used on Kubernetes Services To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. Audit, Disabled 1.0.4
Separate duties of individuals CMA_0492 - Separate duties of individuals Manual, Disabled 1.1.0

1230.09c2Organizational.1-09.c 09.01 Documented Operating Procedures

ID: 1230.09c2Organizational.1-09.c Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit privileged functions CMA_0019 - Audit privileged functions Manual, Disabled 1.1.0
Audit usage of custom RBAC roles Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling Audit, Disabled 1.0.1
Audit user account status CMA_0020 - Audit user account status Manual, Disabled 1.1.0
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Configure Azure Audit capabilities CMA_C1108 - Configure Azure Audit capabilities Manual, Disabled 1.1.1
Determine auditable events CMA_0137 - Determine auditable events Manual, Disabled 1.1.0
Enforce logical access CMA_0245 - Enforce logical access Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
Require approval for account creation CMA_0431 - Require approval for account creation Manual, Disabled 1.1.0
Review audit data CMA_0466 - Review audit data Manual, Disabled 1.1.0
Review user groups and applications with access to sensitive data CMA_0481 - Review user groups and applications with access to sensitive data Manual, Disabled 1.1.0
Separate duties of individuals CMA_0492 - Separate duties of individuals Manual, Disabled 1.1.0

1231.09c2Organizational.23-09.c 09.01 Documented Operating Procedures

ID: 1231.09c2Organizational.23-09.c Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define access authorizations to support separation of duties CMA_0116 - Define access authorizations to support separation of duties Manual, Disabled 1.1.0
Document separation of duties CMA_0204 - Document separation of duties Manual, Disabled 1.1.0
Separate duties of individuals CMA_0492 - Separate duties of individuals Manual, Disabled 1.1.0

1232.09c3Organizational.12-09.c 09.01 Documented Operating Procedures

ID: 1232.09c3Organizational.12-09.c Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit privileged functions CMA_0019 - Audit privileged functions Manual, Disabled 1.1.0
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Conduct a full text analysis of logged privileged commands CMA_0056 - Conduct a full text analysis of logged privileged commands Manual, Disabled 1.1.0
Define access authorizations to support separation of duties CMA_0116 - Define access authorizations to support separation of duties Manual, Disabled 1.1.0
Design an access control model CMA_0129 - Design an access control model Manual, Disabled 1.1.0
Document separation of duties CMA_0204 - Document separation of duties Manual, Disabled 1.1.0
Employ least privilege access CMA_0212 - Employ least privilege access Manual, Disabled 1.1.0
Enable dual or joint authorization CMA_0226 - Enable dual or joint authorization Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
Enforce software execution privileges CMA_C1041 - Enforce software execution privileges Manual, Disabled 1.1.0
Monitor privileged role assignment CMA_0378 - Monitor privileged role assignment Manual, Disabled 1.1.0
Protect audit information CMA_0401 - Protect audit information Manual, Disabled 1.1.0
Reassign or remove user privileges as needed CMA_C1040 - Reassign or remove user privileges as needed Manual, Disabled 1.1.0
Require approval for account creation CMA_0431 - Require approval for account creation Manual, Disabled 1.1.0
Restrict access to privileged accounts CMA_0446 - Restrict access to privileged accounts Manual, Disabled 1.1.0
Review user privileges CMA_C1039 - Review user privileges Manual, Disabled 1.1.0
Revoke privileged roles as appropriate CMA_0483 - Revoke privileged roles as appropriate Manual, Disabled 1.1.0
Separate duties of individuals CMA_0492 - Separate duties of individuals Manual, Disabled 1.1.0
Use privileged identity management CMA_0533 - Use privileged identity management Manual, Disabled 1.1.0
Windows machines should meet requirements for 'User Rights Assignment' Windows machines should have the specified Group Policy settings in the category 'User Rights Assignment' for allowing log on locally, RDP, access from the network, and many other user activities. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0

1233.09c3Organizational.3-09.c 09.01 Documented Operating Procedures

ID: 1233.09c3Organizational.3-09.c Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define access authorizations to support separation of duties CMA_0116 - Define access authorizations to support separation of duties Manual, Disabled 1.1.0
Document separation of duties CMA_0204 - Document separation of duties Manual, Disabled 1.1.0
Separate duties of individuals CMA_0492 - Separate duties of individuals Manual, Disabled 1.1.0

1270.09ad1System.12-09.ad 09.10 Monitoring

ID: 1270.09ad1System.12-09.ad Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
An activity log alert should exist for specific Administrative operations This policy audits specific Administrative operations with no activity log alerts configured. AuditIfNotExists, Disabled 1.0.0
Audit privileged functions CMA_0019 - Audit privileged functions Manual, Disabled 1.1.0
Conduct a full text analysis of logged privileged commands CMA_0056 - Conduct a full text analysis of logged privileged commands Manual, Disabled 1.1.0
Correlate audit records CMA_0087 - Correlate audit records Manual, Disabled 1.1.0
Establish requirements for audit review and reporting CMA_0277 - Establish requirements for audit review and reporting Manual, Disabled 1.1.0
Integrate audit review, analysis, and reporting CMA_0339 - Integrate audit review, analysis, and reporting Manual, Disabled 1.1.0
Integrate cloud app security with a siem CMA_0340 - Integrate cloud app security with a siem Manual, Disabled 1.1.0
Monitor privileged role assignment CMA_0378 - Monitor privileged role assignment Manual, Disabled 1.1.0
Restrict access to privileged accounts CMA_0446 - Restrict access to privileged accounts Manual, Disabled 1.1.0
Review account provisioning logs CMA_0460 - Review account provisioning logs Manual, Disabled 1.1.0
Review administrator assignments weekly CMA_0461 - Review administrator assignments weekly Manual, Disabled 1.1.0
Review audit data CMA_0466 - Review audit data Manual, Disabled 1.1.0
Review cloud identity report overview CMA_0468 - Review cloud identity report overview Manual, Disabled 1.1.0
Review controlled folder access events CMA_0471 - Review controlled folder access events Manual, Disabled 1.1.0
Review file and folder activity CMA_0473 - Review file and folder activity Manual, Disabled 1.1.0
Review role group changes weekly CMA_0476 - Review role group changes weekly Manual, Disabled 1.1.0
Revoke privileged roles as appropriate CMA_0483 - Revoke privileged roles as appropriate Manual, Disabled 1.1.0
Use privileged identity management CMA_0533 - Use privileged identity management Manual, Disabled 1.1.0

1271.09ad1System.1-09.ad 09.10 Monitoring

ID: 1271.09ad1System.1-09.ad Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
An activity log alert should exist for specific Administrative operations This policy audits specific Administrative operations with no activity log alerts configured. AuditIfNotExists, Disabled 1.0.0
Define access authorizations to support separation of duties CMA_0116 - Define access authorizations to support separation of duties Manual, Disabled 1.1.0
Design an access control model CMA_0129 - Design an access control model Manual, Disabled 1.1.0
Document separation of duties CMA_0204 - Document separation of duties Manual, Disabled 1.1.0
Employ least privilege access CMA_0212 - Employ least privilege access Manual, Disabled 1.1.0
Protect audit information CMA_0401 - Protect audit information Manual, Disabled 1.1.0
Require approval for account creation CMA_0431 - Require approval for account creation Manual, Disabled 1.1.0
Separate duties of individuals CMA_0492 - Separate duties of individuals Manual, Disabled 1.1.0

1271.09ad2System.1 09.10 Monitoring

ID: 1271.09ad2System.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define access authorizations to support separation of duties CMA_0116 - Define access authorizations to support separation of duties Manual, Disabled 1.1.0
Design an access control model CMA_0129 - Design an access control model Manual, Disabled 1.1.0
Document separation of duties CMA_0204 - Document separation of duties Manual, Disabled 1.1.0
Employ least privilege access CMA_0212 - Employ least privilege access Manual, Disabled 1.1.0
Protect audit information CMA_0401 - Protect audit information Manual, Disabled 1.1.0
Require approval for account creation CMA_0431 - Require approval for account creation Manual, Disabled 1.1.0
Separate duties of individuals CMA_0492 - Separate duties of individuals Manual, Disabled 1.1.0

1276.09c2Organizational.2-09.c 09.01 Documented Operating Procedures

ID: 1276.09c2Organizational.2-09.c Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit privileged functions CMA_0019 - Audit privileged functions Manual, Disabled 1.1.0
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Conduct a full text analysis of logged privileged commands CMA_0056 - Conduct a full text analysis of logged privileged commands Manual, Disabled 1.1.0
Define access authorizations to support separation of duties CMA_0116 - Define access authorizations to support separation of duties Manual, Disabled 1.1.0
Design an access control model CMA_0129 - Design an access control model Manual, Disabled 1.1.0
Document separation of duties CMA_0204 - Document separation of duties Manual, Disabled 1.1.0
Employ least privilege access CMA_0212 - Employ least privilege access Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
Enforce software execution privileges CMA_C1041 - Enforce software execution privileges Manual, Disabled 1.1.0
Monitor privileged role assignment CMA_0378 - Monitor privileged role assignment Manual, Disabled 1.1.0
Protect audit information CMA_0401 - Protect audit information Manual, Disabled 1.1.0
Reassign or remove user privileges as needed CMA_C1040 - Reassign or remove user privileges as needed Manual, Disabled 1.1.0
Require approval for account creation CMA_0431 - Require approval for account creation Manual, Disabled 1.1.0
Review user privileges CMA_C1039 - Review user privileges Manual, Disabled 1.1.0
Revoke privileged roles as appropriate CMA_0483 - Revoke privileged roles as appropriate Manual, Disabled 1.1.0
Separate duties of individuals CMA_0492 - Separate duties of individuals Manual, Disabled 1.1.0
Use privileged identity management CMA_0533 - Use privileged identity management Manual, Disabled 1.1.0

1277.09c2Organizational.4-09.c 09.01 Documented Operating Procedures

ID: 1277.09c2Organizational.4-09.c Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define access authorizations to support separation of duties CMA_0116 - Define access authorizations to support separation of duties Manual, Disabled 1.1.0
Document separation of duties CMA_0204 - Document separation of duties Manual, Disabled 1.1.0
Separate duties of individuals CMA_0492 - Separate duties of individuals Manual, Disabled 1.1.0
Windows machines should meet requirements for 'Security Options - User Account Control' Windows machines should have the specified Group Policy settings in the category 'Security Options - User Account Control' for mode for admins, behavior of elevation prompt, and virtualizing file and registry write failures. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0

1278.09c2Organizational.56-09.c 09.01 Documented Operating Procedures

ID: 1278.09c2Organizational.56-09.c Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define access authorizations to support separation of duties CMA_0116 - Define access authorizations to support separation of duties Manual, Disabled 1.1.0
Document separation of duties CMA_0204 - Document separation of duties Manual, Disabled 1.1.0
Separate duties of individuals CMA_0492 - Separate duties of individuals Manual, Disabled 1.1.0

1279.09c3Organizational.4-09.c 09.01 Documented Operating Procedures

ID: 1279.09c3Organizational.4-09.c Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define access authorizations to support separation of duties CMA_0116 - Define access authorizations to support separation of duties Manual, Disabled 1.1.0
Document separation of duties CMA_0204 - Document separation of duties Manual, Disabled 1.1.0
Separate duties of individuals CMA_0492 - Separate duties of individuals Manual, Disabled 1.1.0

13 Education, Training and Awareness

1301.02e1Organizational.12-02.e 02.03 During Employment

ID: 1301.02e1Organizational.12-02.e Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop acceptable use policies and procedures CMA_0143 - Develop acceptable use policies and procedures Manual, Disabled 1.1.0
Develop organization code of conduct policy CMA_0159 - Develop organization code of conduct policy Manual, Disabled 1.1.0
Document personnel acceptance of privacy requirements CMA_0193 - Document personnel acceptance of privacy requirements Manual, Disabled 1.1.0
Enforce rules of behavior and access agreements CMA_0248 - Enforce rules of behavior and access agreements Manual, Disabled 1.1.0
Prohibit unfair practices CMA_0396 - Prohibit unfair practices Manual, Disabled 1.1.0
Provide periodic role-based security training CMA_C1095 - Provide periodic role-based security training Manual, Disabled 1.1.0
Provide periodic security awareness training CMA_C1091 - Provide periodic security awareness training Manual, Disabled 1.1.0
Provide role-based practical exercises CMA_C1096 - Provide role-based practical exercises Manual, Disabled 1.1.0
Provide role-based security training CMA_C1094 - Provide role-based security training Manual, Disabled 1.1.0
Provide role-based training on suspicious activities CMA_C1097 - Provide role-based training on suspicious activities Manual, Disabled 1.1.0
Provide security awareness training for insider threats CMA_0417 - Provide security awareness training for insider threats Manual, Disabled 1.1.0
Provide security training before providing access CMA_0418 - Provide security training before providing access Manual, Disabled 1.1.0
Provide security training for new users CMA_0419 - Provide security training for new users Manual, Disabled 1.1.0
Provide updated security awareness training CMA_C1090 - Provide updated security awareness training Manual, Disabled 1.1.0
Review and sign revised rules of behavior CMA_0465 - Review and sign revised rules of behavior Manual, Disabled 1.1.0
Update rules of behavior and access agreements CMA_0521 - Update rules of behavior and access agreements Manual, Disabled 1.1.0
Update rules of behavior and access agreements every 3 years CMA_0522 - Update rules of behavior and access agreements every 3 years Manual, Disabled 1.1.0

1302.02e2Organizational.134-02.e 02.03 During Employment

ID: 1302.02e2Organizational.134-02.e Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop acceptable use policies and procedures CMA_0143 - Develop acceptable use policies and procedures Manual, Disabled 1.1.0
Develop organization code of conduct policy CMA_0159 - Develop organization code of conduct policy Manual, Disabled 1.1.0
Document personnel acceptance of privacy requirements CMA_0193 - Document personnel acceptance of privacy requirements Manual, Disabled 1.1.0
Document security and privacy training activities CMA_0198 - Document security and privacy training activities Manual, Disabled 1.1.0
Enforce rules of behavior and access agreements CMA_0248 - Enforce rules of behavior and access agreements Manual, Disabled 1.1.0
Implement a threat awareness program CMA_C1758 - Implement a threat awareness program Manual, Disabled 1.1.0
Implement an insider threat program CMA_C1751 - Implement an insider threat program Manual, Disabled 1.1.0
Monitor security and privacy training completion CMA_0379 - Monitor security and privacy training completion Manual, Disabled 1.1.0
Prohibit unfair practices CMA_0396 - Prohibit unfair practices Manual, Disabled 1.1.0
Provide periodic security awareness training CMA_C1091 - Provide periodic security awareness training Manual, Disabled 1.1.0
Provide privacy training CMA_0415 - Provide privacy training Manual, Disabled 1.1.0
Provide security awareness training for insider threats CMA_0417 - Provide security awareness training for insider threats Manual, Disabled 1.1.0
Provide security training for new users CMA_0419 - Provide security training for new users Manual, Disabled 1.1.0
Provide updated security awareness training CMA_C1090 - Provide updated security awareness training Manual, Disabled 1.1.0
Retain training records CMA_0456 - Retain training records Manual, Disabled 1.1.0
Review and sign revised rules of behavior CMA_0465 - Review and sign revised rules of behavior Manual, Disabled 1.1.0
Update information security policies CMA_0518 - Update information security policies Manual, Disabled 1.1.0
Update rules of behavior and access agreements CMA_0521 - Update rules of behavior and access agreements Manual, Disabled 1.1.0
Update rules of behavior and access agreements every 3 years CMA_0522 - Update rules of behavior and access agreements every 3 years Manual, Disabled 1.1.0

1303.02e2Organizational.2-02.e 02.03 During Employment

ID: 1303.02e2Organizational.2-02.e Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop acceptable use policies and procedures CMA_0143 - Develop acceptable use policies and procedures Manual, Disabled 1.1.0
Develop organization code of conduct policy CMA_0159 - Develop organization code of conduct policy Manual, Disabled 1.1.0
Document personnel acceptance of privacy requirements CMA_0193 - Document personnel acceptance of privacy requirements Manual, Disabled 1.1.0
Enforce rules of behavior and access agreements CMA_0248 - Enforce rules of behavior and access agreements Manual, Disabled 1.1.0
Prohibit unfair practices CMA_0396 - Prohibit unfair practices Manual, Disabled 1.1.0
Review and sign revised rules of behavior CMA_0465 - Review and sign revised rules of behavior Manual, Disabled 1.1.0
Update rules of behavior and access agreements CMA_0521 - Update rules of behavior and access agreements Manual, Disabled 1.1.0
Update rules of behavior and access agreements every 3 years CMA_0522 - Update rules of behavior and access agreements every 3 years Manual, Disabled 1.1.0

1304.02e3Organizational.1-02.e 02.03 During Employment

ID: 1304.02e3Organizational.1-02.e Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Provide contingency training CMA_0412 - Provide contingency training Manual, Disabled 1.1.0
Provide information spillage training CMA_0413 - Provide information spillage training Manual, Disabled 1.1.0
Provide periodic role-based security training CMA_C1095 - Provide periodic role-based security training Manual, Disabled 1.1.0
Provide privacy training CMA_0415 - Provide privacy training Manual, Disabled 1.1.0
Provide role-based security training CMA_C1094 - Provide role-based security training Manual, Disabled 1.1.0
Provide security training before providing access CMA_0418 - Provide security training before providing access Manual, Disabled 1.1.0
Provide security training for new users CMA_0419 - Provide security training for new users Manual, Disabled 1.1.0
Require developers to provide training CMA_C1611 - Require developers to provide training Manual, Disabled 1.1.0
Train personnel on disclosure of nonpublic information CMA_C1084 - Train personnel on disclosure of nonpublic information Manual, Disabled 1.1.0

1305.02e3Organizational.23-02.e 02.03 During Employment

ID: 1305.02e3Organizational.23-02.e Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Document security and privacy training activities CMA_0198 - Document security and privacy training activities Manual, Disabled 1.1.0
Monitor security and privacy training completion CMA_0379 - Monitor security and privacy training completion Manual, Disabled 1.1.0
Retain training records CMA_0456 - Retain training records Manual, Disabled 1.1.0

ID: 1306.06e1Organizational.5-06.e Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop acceptable use policies and procedures CMA_0143 - Develop acceptable use policies and procedures Manual, Disabled 1.1.0
Develop organization code of conduct policy CMA_0159 - Develop organization code of conduct policy Manual, Disabled 1.1.0
Document personnel acceptance of privacy requirements CMA_0193 - Document personnel acceptance of privacy requirements Manual, Disabled 1.1.0
Enforce rules of behavior and access agreements CMA_0248 - Enforce rules of behavior and access agreements Manual, Disabled 1.1.0
Implement formal sanctions process CMA_0317 - Implement formal sanctions process Manual, Disabled 1.1.0
Notify personnel upon sanctions CMA_0380 - Notify personnel upon sanctions Manual, Disabled 1.1.0
Prohibit unfair practices CMA_0396 - Prohibit unfair practices Manual, Disabled 1.1.0
Review and sign revised rules of behavior CMA_0465 - Review and sign revised rules of behavior Manual, Disabled 1.1.0
Update information security policies CMA_0518 - Update information security policies Manual, Disabled 1.1.0
Update rules of behavior and access agreements CMA_0521 - Update rules of behavior and access agreements Manual, Disabled 1.1.0
Update rules of behavior and access agreements every 3 years CMA_0522 - Update rules of behavior and access agreements every 3 years Manual, Disabled 1.1.0

1307.07c1Organizational.124-07.c 07.01 Responsibility for Assets

ID: 1307.07c1Organizational.124-07.c Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop acceptable use policies and procedures CMA_0143 - Develop acceptable use policies and procedures Manual, Disabled 1.1.0
Develop organization code of conduct policy CMA_0159 - Develop organization code of conduct policy Manual, Disabled 1.1.0
Document personnel acceptance of privacy requirements CMA_0193 - Document personnel acceptance of privacy requirements Manual, Disabled 1.1.0
Enforce rules of behavior and access agreements CMA_0248 - Enforce rules of behavior and access agreements Manual, Disabled 1.1.0
Prohibit unfair practices CMA_0396 - Prohibit unfair practices Manual, Disabled 1.1.0
Review and sign revised rules of behavior CMA_0465 - Review and sign revised rules of behavior Manual, Disabled 1.1.0
Update information security policies CMA_0518 - Update information security policies Manual, Disabled 1.1.0
Update rules of behavior and access agreements CMA_0521 - Update rules of behavior and access agreements Manual, Disabled 1.1.0
Update rules of behavior and access agreements every 3 years CMA_0522 - Update rules of behavior and access agreements every 3 years Manual, Disabled 1.1.0

1308.09j1Organizational.5-09.j 09.04 Protection Against Malicious and Mobile Code

ID: 1308.09j1Organizational.5-09.j Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop acceptable use policies and procedures CMA_0143 - Develop acceptable use policies and procedures Manual, Disabled 1.1.0
Develop organization code of conduct policy CMA_0159 - Develop organization code of conduct policy Manual, Disabled 1.1.0
Document personnel acceptance of privacy requirements CMA_0193 - Document personnel acceptance of privacy requirements Manual, Disabled 1.1.0
Enforce rules of behavior and access agreements CMA_0248 - Enforce rules of behavior and access agreements Manual, Disabled 1.1.0
Prohibit unfair practices CMA_0396 - Prohibit unfair practices Manual, Disabled 1.1.0
Provide periodic security awareness training CMA_C1091 - Provide periodic security awareness training Manual, Disabled 1.1.0
Provide security training for new users CMA_0419 - Provide security training for new users Manual, Disabled 1.1.0
Provide updated security awareness training CMA_C1090 - Provide updated security awareness training Manual, Disabled 1.1.0
Review and sign revised rules of behavior CMA_0465 - Review and sign revised rules of behavior Manual, Disabled 1.1.0
Review threat protection status weekly CMA_0479 - Review threat protection status weekly Manual, Disabled 1.1.0
Update rules of behavior and access agreements CMA_0521 - Update rules of behavior and access agreements Manual, Disabled 1.1.0
Update rules of behavior and access agreements every 3 years CMA_0522 - Update rules of behavior and access agreements every 3 years Manual, Disabled 1.1.0

1309.01x1System.36-01.x 01.07 Mobile Computing and Teleworking

ID: 1309.01x1System.36-01.x Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Provide periodic role-based security training CMA_C1095 - Provide periodic role-based security training Manual, Disabled 1.1.0
Provide periodic security awareness training CMA_C1091 - Provide periodic security awareness training Manual, Disabled 1.1.0
Provide role-based security training CMA_C1094 - Provide role-based security training Manual, Disabled 1.1.0
Provide security training before providing access CMA_0418 - Provide security training before providing access Manual, Disabled 1.1.0
Provide security training for new users CMA_0419 - Provide security training for new users Manual, Disabled 1.1.0
Provide updated security awareness training CMA_C1090 - Provide updated security awareness training Manual, Disabled 1.1.0

1310.01y1Organizational.9-01.y 01.07 Mobile Computing and Teleworking

ID: 1310.01y1Organizational.9-01.y Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Provide periodic role-based security training CMA_C1095 - Provide periodic role-based security training Manual, Disabled 1.1.0
Provide periodic security awareness training CMA_C1091 - Provide periodic security awareness training Manual, Disabled 1.1.0
Provide privacy training CMA_0415 - Provide privacy training Manual, Disabled 1.1.0
Provide role-based practical exercises CMA_C1096 - Provide role-based practical exercises Manual, Disabled 1.1.0
Provide role-based security training CMA_C1094 - Provide role-based security training Manual, Disabled 1.1.0
Provide role-based training on suspicious activities CMA_C1097 - Provide role-based training on suspicious activities Manual, Disabled 1.1.0
Provide security awareness training for insider threats CMA_0417 - Provide security awareness training for insider threats Manual, Disabled 1.1.0
Provide security training before providing access CMA_0418 - Provide security training before providing access Manual, Disabled 1.1.0
Provide security training for new users CMA_0419 - Provide security training for new users Manual, Disabled 1.1.0
Provide updated security awareness training CMA_C1090 - Provide updated security awareness training Manual, Disabled 1.1.0

1311.12c2Organizational.3-12.c 12.01 Information Security Aspects of Business Continuity Management

ID: 1311.12c2Organizational.3-12.c Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Incorporate simulated contingency training CMA_C1260 - Incorporate simulated contingency training Manual, Disabled 1.1.0
Provide contingency training CMA_0412 - Provide contingency training Manual, Disabled 1.1.0
Provide information spillage training CMA_0413 - Provide information spillage training Manual, Disabled 1.1.0

1313.02e1Organizational.3-02.e 02.03 During Employment

ID: 1313.02e1Organizational.3-02.e Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Provide contingency training CMA_0412 - Provide contingency training Manual, Disabled 1.1.0
Provide information spillage training CMA_0413 - Provide information spillage training Manual, Disabled 1.1.0
Provide periodic role-based security training CMA_C1095 - Provide periodic role-based security training Manual, Disabled 1.1.0

1314.02e2Organizational.5-02.e 02.03 During Employment

ID: 1314.02e2Organizational.5-02.e Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Document security and privacy training activities CMA_0198 - Document security and privacy training activities Manual, Disabled 1.1.0
Establish a risk management strategy CMA_0258 - Establish a risk management strategy Manual, Disabled 1.1.0
Perform a risk assessment CMA_0388 - Perform a risk assessment Manual, Disabled 1.1.0
Provide privacy training CMA_0415 - Provide privacy training Manual, Disabled 1.1.0

1315.02e2Organizational.67-02.e 02.03 During Employment

ID: 1315.02e2Organizational.67-02.e Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Provide periodic role-based security training CMA_C1095 - Provide periodic role-based security training Manual, Disabled 1.1.0
Provide periodic security awareness training CMA_C1091 - Provide periodic security awareness training Manual, Disabled 1.1.0
Provide privacy training CMA_0415 - Provide privacy training Manual, Disabled 1.1.0
Provide role-based security training CMA_C1094 - Provide role-based security training Manual, Disabled 1.1.0
Provide security training before providing access CMA_0418 - Provide security training before providing access Manual, Disabled 1.1.0
Provide security training for new users CMA_0419 - Provide security training for new users Manual, Disabled 1.1.0

1324.07c1Organizational.3-07.c 07.01 Responsibility for Assets

ID: 1324.07c1Organizational.3-07.c Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop organization code of conduct policy CMA_0159 - Develop organization code of conduct policy Manual, Disabled 1.1.0
Document personnel acceptance of privacy requirements CMA_0193 - Document personnel acceptance of privacy requirements Manual, Disabled 1.1.0
Document security and privacy training activities CMA_0198 - Document security and privacy training activities Manual, Disabled 1.1.0
Prohibit unfair practices CMA_0396 - Prohibit unfair practices Manual, Disabled 1.1.0
Provide periodic role-based security training CMA_C1095 - Provide periodic role-based security training Manual, Disabled 1.1.0
Review and sign revised rules of behavior CMA_0465 - Review and sign revised rules of behavior Manual, Disabled 1.1.0
Update rules of behavior and access agreements CMA_0521 - Update rules of behavior and access agreements Manual, Disabled 1.1.0
Update rules of behavior and access agreements every 3 years CMA_0522 - Update rules of behavior and access agreements every 3 years Manual, Disabled 1.1.0

1325.09s1Organizational.3-09.s 09.08 Exchange of Information

ID: 1325.09s1Organizational.3-09.s Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop organization code of conduct policy CMA_0159 - Develop organization code of conduct policy Manual, Disabled 1.1.0
Document personnel acceptance of privacy requirements CMA_0193 - Document personnel acceptance of privacy requirements Manual, Disabled 1.1.0
Function apps should have remote debugging turned off Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. AuditIfNotExists, Disabled 2.0.0
Prohibit unfair practices CMA_0396 - Prohibit unfair practices Manual, Disabled 1.1.0
Provide periodic security awareness training CMA_C1091 - Provide periodic security awareness training Manual, Disabled 1.1.0
Provide privacy training CMA_0415 - Provide privacy training Manual, Disabled 1.1.0
Provide security training for new users CMA_0419 - Provide security training for new users Manual, Disabled 1.1.0
Provide updated security awareness training CMA_C1090 - Provide updated security awareness training Manual, Disabled 1.1.0
Review and sign revised rules of behavior CMA_0465 - Review and sign revised rules of behavior Manual, Disabled 1.1.0
Update rules of behavior and access agreements CMA_0521 - Update rules of behavior and access agreements Manual, Disabled 1.1.0
Update rules of behavior and access agreements every 3 years CMA_0522 - Update rules of behavior and access agreements every 3 years Manual, Disabled 1.1.0

1327.02e2Organizational.8-02.e 02.03 During Employment

ID: 1327.02e2Organizational.8-02.e Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Document security and privacy training activities CMA_0198 - Document security and privacy training activities Manual, Disabled 1.1.0
Provide periodic security awareness training CMA_C1091 - Provide periodic security awareness training Manual, Disabled 1.1.0
Provide security awareness training for insider threats CMA_0417 - Provide security awareness training for insider threats Manual, Disabled 1.1.0
Provide security training for new users CMA_0419 - Provide security training for new users Manual, Disabled 1.1.0
Provide updated security awareness training CMA_C1090 - Provide updated security awareness training Manual, Disabled 1.1.0

1331.02e3Organizational.4-02.e 02.03 During Employment

ID: 1331.02e3Organizational.4-02.e Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Conduct incident response testing CMA_0060 - Conduct incident response testing Manual, Disabled 1.1.0
Establish an information security program CMA_0263 - Establish an information security program Manual, Disabled 1.1.0
Incorporate simulated events into incident response training CMA_C1356 - Incorporate simulated events into incident response training Manual, Disabled 1.1.0
Install an alarm system CMA_0338 - Install an alarm system Manual, Disabled 1.1.0
Manage a secure surveillance camera system CMA_0354 - Manage a secure surveillance camera system Manual, Disabled 1.1.0
Run simulation attacks CMA_0486 - Run simulation attacks Manual, Disabled 1.1.0

1334.02e2Organizational.12-02.e 02.03 During Employment

ID: 1334.02e2Organizational.12-02.e Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Document security and privacy training activities CMA_0198 - Document security and privacy training activities Manual, Disabled 1.1.0
Provide periodic security awareness training CMA_C1091 - Provide periodic security awareness training Manual, Disabled 1.1.0
Provide security training for new users CMA_0419 - Provide security training for new users Manual, Disabled 1.1.0
Provide updated security awareness training CMA_C1090 - Provide updated security awareness training Manual, Disabled 1.1.0

1336.02e1Organizational.5-02.e 02.03 During Employment

ID: 1336.02e1Organizational.5-02.e Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Provide periodic role-based security training CMA_C1095 - Provide periodic role-based security training Manual, Disabled 1.1.0
Provide periodic security awareness training CMA_C1091 - Provide periodic security awareness training Manual, Disabled 1.1.0
Provide role-based practical exercises CMA_C1096 - Provide role-based practical exercises Manual, Disabled 1.1.0
Provide role-based training on suspicious activities CMA_C1097 - Provide role-based training on suspicious activities Manual, Disabled 1.1.0
Provide security awareness training for insider threats CMA_0417 - Provide security awareness training for insider threats Manual, Disabled 1.1.0
Provide security training before providing access CMA_0418 - Provide security training before providing access Manual, Disabled 1.1.0
Provide updated security awareness training CMA_C1090 - Provide updated security awareness training Manual, Disabled 1.1.0

14 Third Party Assurance

1404.05i2Organizational.1-05.i 05.02 External Parties

ID: 1404.05i2Organizational.1-05.i Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Review and update system and services acquisition policies and procedures CMA_C1560 - Review and update system and services acquisition policies and procedures Manual, Disabled 1.1.0

1406.05k1Organizational.110-05.k 05.02 External Parties

ID: 1406.05k1Organizational.110-05.k Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Determine supplier contract obligations CMA_0140 - Determine supplier contract obligations Manual, Disabled 1.1.0
Document acquisition contract acceptance criteria CMA_0187 - Document acquisition contract acceptance criteria Manual, Disabled 1.1.0
Document protection of personal data in acquisition contracts CMA_0194 - Document protection of personal data in acquisition contracts Manual, Disabled 1.1.0
Document protection of security information in acquisition contracts CMA_0195 - Document protection of security information in acquisition contracts Manual, Disabled 1.1.0
Document requirements for the use of shared data in contracts CMA_0197 - Document requirements for the use of shared data in contracts Manual, Disabled 1.1.0
Document security assurance requirements in acquisition contracts CMA_0199 - Document security assurance requirements in acquisition contracts Manual, Disabled 1.1.0
Document security documentation requirements in acquisition contract CMA_0200 - Document security documentation requirements in acquisition contract Manual, Disabled 1.1.0
Document security functional requirements in acquisition contracts CMA_0201 - Document security functional requirements in acquisition contracts Manual, Disabled 1.1.0
Document security strength requirements in acquisition contracts CMA_0203 - Document security strength requirements in acquisition contracts Manual, Disabled 1.1.0
Document the information system environment in acquisition contracts CMA_0205 - Document the information system environment in acquisition contracts Manual, Disabled 1.1.0
Document the protection of cardholder data in third party contracts CMA_0207 - Document the protection of cardholder data in third party contracts Manual, Disabled 1.1.0

1407.05k2Organizational.1-05.k 05.02 External Parties

ID: 1407.05k2Organizational.1-05.k Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Document third-party personnel security requirements CMA_C1531 - Document third-party personnel security requirements Manual, Disabled 1.1.0
Establish third-party personnel security requirements CMA_C1529 - Establish third-party personnel security requirements Manual, Disabled 1.1.0
Monitor third-party provider compliance CMA_C1533 - Monitor third-party provider compliance Manual, Disabled 1.1.0
Require notification of third-party personnel transfer or termination CMA_C1532 - Require notification of third-party personnel transfer or termination Manual, Disabled 1.1.0
Require third-party providers to comply with personnel security policies and procedures CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures Manual, Disabled 1.1.0

1408.09e1System.1-09.e 09.02 Control Third Party Service Delivery

ID: 1408.09e1System.1-09.e Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define and document government oversight CMA_C1587 - Define and document government oversight Manual, Disabled 1.1.0
Require external service providers to comply with security requirements CMA_C1586 - Require external service providers to comply with security requirements Manual, Disabled 1.1.0
Require interconnection security agreements CMA_C1151 - Require interconnection security agreements Manual, Disabled 1.1.0
Review cloud service provider's compliance with policies and agreements CMA_0469 - Review cloud service provider's compliance with policies and agreements Manual, Disabled 1.1.0
Undergo independent security review CMA_0515 - Undergo independent security review Manual, Disabled 1.1.0
Update interconnection security agreements CMA_0519 - Update interconnection security agreements Manual, Disabled 1.1.0

1409.09e2System.1-09.e 09.02 Control Third Party Service Delivery

ID: 1409.09e2System.1-09.e Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Determine supplier contract obligations CMA_0140 - Determine supplier contract obligations Manual, Disabled 1.1.0
Document acquisition contract acceptance criteria CMA_0187 - Document acquisition contract acceptance criteria Manual, Disabled 1.1.0
Document protection of personal data in acquisition contracts CMA_0194 - Document protection of personal data in acquisition contracts Manual, Disabled 1.1.0
Document protection of security information in acquisition contracts CMA_0195 - Document protection of security information in acquisition contracts Manual, Disabled 1.1.0
Document requirements for the use of shared data in contracts CMA_0197 - Document requirements for the use of shared data in contracts Manual, Disabled 1.1.0
Document security assurance requirements in acquisition contracts CMA_0199 - Document security assurance requirements in acquisition contracts Manual, Disabled 1.1.0
Document security documentation requirements in acquisition contract CMA_0200 - Document security documentation requirements in acquisition contract Manual, Disabled 1.1.0
Document security functional requirements in acquisition contracts CMA_0201 - Document security functional requirements in acquisition contracts Manual, Disabled 1.1.0
Document security strength requirements in acquisition contracts CMA_0203 - Document security strength requirements in acquisition contracts Manual, Disabled 1.1.0
Document the information system environment in acquisition contracts CMA_0205 - Document the information system environment in acquisition contracts Manual, Disabled 1.1.0
Document the protection of cardholder data in third party contracts CMA_0207 - Document the protection of cardholder data in third party contracts Manual, Disabled 1.1.0
Document third-party personnel security requirements CMA_C1531 - Document third-party personnel security requirements Manual, Disabled 1.1.0
Establish third-party personnel security requirements CMA_C1529 - Establish third-party personnel security requirements Manual, Disabled 1.1.0
Monitor third-party provider compliance CMA_C1533 - Monitor third-party provider compliance Manual, Disabled 1.1.0
Require third-party providers to comply with personnel security policies and procedures CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures Manual, Disabled 1.1.0

1410.09e2System.23-09.e 09.02 Control Third Party Service Delivery

ID: 1410.09e2System.23-09.e Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Determine supplier contract obligations CMA_0140 - Determine supplier contract obligations Manual, Disabled 1.1.0
Document acquisition contract acceptance criteria CMA_0187 - Document acquisition contract acceptance criteria Manual, Disabled 1.1.0
Document protection of personal data in acquisition contracts CMA_0194 - Document protection of personal data in acquisition contracts Manual, Disabled 1.1.0
Document protection of security information in acquisition contracts CMA_0195 - Document protection of security information in acquisition contracts Manual, Disabled 1.1.0
Document requirements for the use of shared data in contracts CMA_0197 - Document requirements for the use of shared data in contracts Manual, Disabled 1.1.0
Document security assurance requirements in acquisition contracts CMA_0199 - Document security assurance requirements in acquisition contracts Manual, Disabled 1.1.0
Document security documentation requirements in acquisition contract CMA_0200 - Document security documentation requirements in acquisition contract Manual, Disabled 1.1.0
Document security functional requirements in acquisition contracts CMA_0201 - Document security functional requirements in acquisition contracts Manual, Disabled 1.1.0
Document security strength requirements in acquisition contracts CMA_0203 - Document security strength requirements in acquisition contracts Manual, Disabled 1.1.0
Document the information system environment in acquisition contracts CMA_0205 - Document the information system environment in acquisition contracts Manual, Disabled 1.1.0
Document the protection of cardholder data in third party contracts CMA_0207 - Document the protection of cardholder data in third party contracts Manual, Disabled 1.1.0

1411.09f1System.1-09.f 09.02 Control Third Party Service Delivery

ID: 1411.09f1System.1-09.f Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authorize, monitor, and control voip CMA_0025 - Authorize, monitor, and control voip Manual, Disabled 1.1.0
Detect network services that have not been authorized or approved CMA_C1700 - Detect network services that have not been authorized or approved Manual, Disabled 1.1.0
Disseminate security alerts to personnel CMA_C1705 - Disseminate security alerts to personnel Manual, Disabled 1.1.0
Document wireless access security controls CMA_C1695 - Document wireless access security controls Manual, Disabled 1.1.0
Establish a threat intelligence program CMA_0260 - Establish a threat intelligence program Manual, Disabled 1.1.0
Require external service providers to comply with security requirements CMA_C1586 - Require external service providers to comply with security requirements Manual, Disabled 1.1.0
Review cloud service provider's compliance with policies and agreements CMA_0469 - Review cloud service provider's compliance with policies and agreements Manual, Disabled 1.1.0
Route traffic through managed network access points CMA_0484 - Route traffic through managed network access points Manual, Disabled 1.1.0
Undergo independent security review CMA_0515 - Undergo independent security review Manual, Disabled 1.1.0

1416.10l1Organizational.1-10.l 10.05 Security In Development and Support Processes

ID: 1416.10l1Organizational.1-10.l Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Determine supplier contract obligations CMA_0140 - Determine supplier contract obligations Manual, Disabled 1.1.0
Document acquisition contract acceptance criteria CMA_0187 - Document acquisition contract acceptance criteria Manual, Disabled 1.1.0
Document protection of personal data in acquisition contracts CMA_0194 - Document protection of personal data in acquisition contracts Manual, Disabled 1.1.0
Document protection of security information in acquisition contracts CMA_0195 - Document protection of security information in acquisition contracts Manual, Disabled 1.1.0
Document requirements for the use of shared data in contracts CMA_0197 - Document requirements for the use of shared data in contracts Manual, Disabled 1.1.0
Document security assurance requirements in acquisition contracts CMA_0199 - Document security assurance requirements in acquisition contracts Manual, Disabled 1.1.0
Document security documentation requirements in acquisition contract CMA_0200 - Document security documentation requirements in acquisition contract Manual, Disabled 1.1.0
Document security functional requirements in acquisition contracts CMA_0201 - Document security functional requirements in acquisition contracts Manual, Disabled 1.1.0
Document security strength requirements in acquisition contracts CMA_0203 - Document security strength requirements in acquisition contracts Manual, Disabled 1.1.0
Document the information system environment in acquisition contracts CMA_0205 - Document the information system environment in acquisition contracts Manual, Disabled 1.1.0
Document the protection of cardholder data in third party contracts CMA_0207 - Document the protection of cardholder data in third party contracts Manual, Disabled 1.1.0

1417.10l2Organizational.1-10.l 10.05 Security In Development and Support Processes

ID: 1417.10l2Organizational.1-10.l Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Determine supplier contract obligations CMA_0140 - Determine supplier contract obligations Manual, Disabled 1.1.0
Document acquisition contract acceptance criteria CMA_0187 - Document acquisition contract acceptance criteria Manual, Disabled 1.1.0
Document protection of personal data in acquisition contracts CMA_0194 - Document protection of personal data in acquisition contracts Manual, Disabled 1.1.0
Document protection of security information in acquisition contracts CMA_0195 - Document protection of security information in acquisition contracts Manual, Disabled 1.1.0
Document requirements for the use of shared data in contracts CMA_0197 - Document requirements for the use of shared data in contracts Manual, Disabled 1.1.0
Document security assurance requirements in acquisition contracts CMA_0199 - Document security assurance requirements in acquisition contracts Manual, Disabled 1.1.0
Document security documentation requirements in acquisition contract CMA_0200 - Document security documentation requirements in acquisition contract Manual, Disabled 1.1.0
Document security functional requirements in acquisition contracts CMA_0201 - Document security functional requirements in acquisition contracts Manual, Disabled 1.1.0
Document security strength requirements in acquisition contracts CMA_0203 - Document security strength requirements in acquisition contracts Manual, Disabled 1.1.0
Document the information system environment in acquisition contracts CMA_0205 - Document the information system environment in acquisition contracts Manual, Disabled 1.1.0
Document the protection of cardholder data in third party contracts CMA_0207 - Document the protection of cardholder data in third party contracts Manual, Disabled 1.1.0
Require developers to produce evidence of security assessment plan execution CMA_C1602 - Require developers to produce evidence of security assessment plan execution Manual, Disabled 1.1.0

1419.05j1Organizational.12-05.j 05.02 External Parties

ID: 1419.05j1Organizational.12-05.j Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Determine supplier contract obligations CMA_0140 - Determine supplier contract obligations Manual, Disabled 1.1.0
Document acquisition contract acceptance criteria CMA_0187 - Document acquisition contract acceptance criteria Manual, Disabled 1.1.0
Document protection of personal data in acquisition contracts CMA_0194 - Document protection of personal data in acquisition contracts Manual, Disabled 1.1.0
Document protection of security information in acquisition contracts CMA_0195 - Document protection of security information in acquisition contracts Manual, Disabled 1.1.0
Document requirements for the use of shared data in contracts CMA_0197 - Document requirements for the use of shared data in contracts Manual, Disabled 1.1.0
Document security assurance requirements in acquisition contracts CMA_0199 - Document security assurance requirements in acquisition contracts Manual, Disabled 1.1.0
Document security documentation requirements in acquisition contract CMA_0200 - Document security documentation requirements in acquisition contract Manual, Disabled 1.1.0
Document security functional requirements in acquisition contracts CMA_0201 - Document security functional requirements in acquisition contracts Manual, Disabled 1.1.0
Document security strength requirements in acquisition contracts CMA_0203 - Document security strength requirements in acquisition contracts Manual, Disabled 1.1.0
Document the information system environment in acquisition contracts CMA_0205 - Document the information system environment in acquisition contracts Manual, Disabled 1.1.0
Document the protection of cardholder data in third party contracts CMA_0207 - Document the protection of cardholder data in third party contracts Manual, Disabled 1.1.0

1421.05j2Organizational.12-05.j 05.02 External Parties

ID: 1421.05j2Organizational.12-05.j Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Determine supplier contract obligations CMA_0140 - Determine supplier contract obligations Manual, Disabled 1.1.0
Document acquisition contract acceptance criteria CMA_0187 - Document acquisition contract acceptance criteria Manual, Disabled 1.1.0
Document protection of personal data in acquisition contracts CMA_0194 - Document protection of personal data in acquisition contracts Manual, Disabled 1.1.0
Document protection of security information in acquisition contracts CMA_0195 - Document protection of security information in acquisition contracts Manual, Disabled 1.1.0
Document requirements for the use of shared data in contracts CMA_0197 - Document requirements for the use of shared data in contracts Manual, Disabled 1.1.0
Document security assurance requirements in acquisition contracts CMA_0199 - Document security assurance requirements in acquisition contracts Manual, Disabled 1.1.0
Document security documentation requirements in acquisition contract CMA_0200 - Document security documentation requirements in acquisition contract Manual, Disabled 1.1.0
Document security functional requirements in acquisition contracts CMA_0201 - Document security functional requirements in acquisition contracts Manual, Disabled 1.1.0
Document the information system environment in acquisition contracts CMA_0205 - Document the information system environment in acquisition contracts Manual, Disabled 1.1.0
Document the protection of cardholder data in third party contracts CMA_0207 - Document the protection of cardholder data in third party contracts Manual, Disabled 1.1.0

1422.05j2Organizational.3-05.j 05.02 External Parties

ID: 1422.05j2Organizational.3-05.j Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Ensure external providers consistently meet interests of the customers CMA_C1592 - Ensure external providers consistently meet interests of the customers Manual, Disabled 1.1.0
Identify external service providers CMA_C1591 - Identify external service providers Manual, Disabled 1.1.0
Obtain approvals for acquisitions and outsourcing CMA_C1590 - Obtain approvals for acquisitions and outsourcing Manual, Disabled 1.1.0
Require external service providers to comply with security requirements CMA_C1586 - Require external service providers to comply with security requirements Manual, Disabled 1.1.0
Review cloud service provider's compliance with policies and agreements CMA_0469 - Review cloud service provider's compliance with policies and agreements Manual, Disabled 1.1.0
Undergo independent security review CMA_0515 - Undergo independent security review Manual, Disabled 1.1.0

1423.05j2Organizational.4-05.j 05.02 External Parties

ID: 1423.05j2Organizational.4-05.j Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control use of portable storage devices CMA_0083 - Control use of portable storage devices Manual, Disabled 1.1.0
Employ boundary protection to isolate information systems CMA_C1639 - Employ boundary protection to isolate information systems Manual, Disabled 1.1.0
Ensure external providers consistently meet interests of the customers CMA_C1592 - Ensure external providers consistently meet interests of the customers Manual, Disabled 1.1.0
Establish terms and conditions for accessing resources CMA_C1076 - Establish terms and conditions for accessing resources Manual, Disabled 1.1.0
Establish terms and conditions for processing resources CMA_C1077 - Establish terms and conditions for processing resources Manual, Disabled 1.1.0
Require external service providers to comply with security requirements CMA_C1586 - Require external service providers to comply with security requirements Manual, Disabled 1.1.0
Review cloud service provider's compliance with policies and agreements CMA_0469 - Review cloud service provider's compliance with policies and agreements Manual, Disabled 1.1.0
Undergo independent security review CMA_0515 - Undergo independent security review Manual, Disabled 1.1.0
Verify security controls for external information systems CMA_0541 - Verify security controls for external information systems Manual, Disabled 1.1.0

1424.05j2Organizational.5-05.j 05.02 External Parties

ID: 1424.05j2Organizational.5-05.j Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Accept only FICAM-approved third-party credentials CMA_C1348 - Accept only FICAM-approved third-party credentials Manual, Disabled 1.1.0
Accept PIV credentials CMA_C1347 - Accept PIV credentials Manual, Disabled 1.1.0
Conform to FICAM-issued profiles CMA_C1350 - Conform to FICAM-issued profiles Manual, Disabled 1.1.0
Employ FICAM-approved resources to accept third-party credentials CMA_C1349 - Employ FICAM-approved resources to accept third-party credentials Manual, Disabled 1.1.0
Enforce user uniqueness CMA_0250 - Enforce user uniqueness Manual, Disabled 1.1.0
Identify and authenticate non-organizational users CMA_C1346 - Identify and authenticate non-organizational users Manual, Disabled 1.1.0
Support personal verification credentials issued by legal authorities CMA_0507 - Support personal verification credentials issued by legal authorities Manual, Disabled 1.1.0
Verify identity before distributing authenticators CMA_0538 - Verify identity before distributing authenticators Manual, Disabled 1.1.0

1429.05k1Organizational.34-05.k 05.02 External Parties

ID: 1429.05k1Organizational.34-05.k Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Determine supplier contract obligations CMA_0140 - Determine supplier contract obligations Manual, Disabled 1.1.0
Document acquisition contract acceptance criteria CMA_0187 - Document acquisition contract acceptance criteria Manual, Disabled 1.1.0
Document protection of personal data in acquisition contracts CMA_0194 - Document protection of personal data in acquisition contracts Manual, Disabled 1.1.0
Document protection of security information in acquisition contracts CMA_0195 - Document protection of security information in acquisition contracts Manual, Disabled 1.1.0
Document requirements for the use of shared data in contracts CMA_0197 - Document requirements for the use of shared data in contracts Manual, Disabled 1.1.0
Document security assurance requirements in acquisition contracts CMA_0199 - Document security assurance requirements in acquisition contracts Manual, Disabled 1.1.0
Document security documentation requirements in acquisition contract CMA_0200 - Document security documentation requirements in acquisition contract Manual, Disabled 1.1.0
Document security functional requirements in acquisition contracts CMA_0201 - Document security functional requirements in acquisition contracts Manual, Disabled 1.1.0
Document the information system environment in acquisition contracts CMA_0205 - Document the information system environment in acquisition contracts Manual, Disabled 1.1.0
Document the protection of cardholder data in third party contracts CMA_0207 - Document the protection of cardholder data in third party contracts Manual, Disabled 1.1.0
Document third-party personnel security requirements CMA_C1531 - Document third-party personnel security requirements Manual, Disabled 1.1.0
Establish third-party personnel security requirements CMA_C1529 - Establish third-party personnel security requirements Manual, Disabled 1.1.0
Monitor third-party provider compliance CMA_C1533 - Monitor third-party provider compliance Manual, Disabled 1.1.0
Require third-party providers to comply with personnel security policies and procedures CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures Manual, Disabled 1.1.0

1430.05k1Organizational.56-05.k 05.02 External Parties

ID: 1430.05k1Organizational.56-05.k Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Determine supplier contract obligations CMA_0140 - Determine supplier contract obligations Manual, Disabled 1.1.0
Document acquisition contract acceptance criteria CMA_0187 - Document acquisition contract acceptance criteria Manual, Disabled 1.1.0
Document protection of personal data in acquisition contracts CMA_0194 - Document protection of personal data in acquisition contracts Manual, Disabled 1.1.0
Document protection of security information in acquisition contracts CMA_0195 - Document protection of security information in acquisition contracts Manual, Disabled 1.1.0
Document requirements for the use of shared data in contracts CMA_0197 - Document requirements for the use of shared data in contracts Manual, Disabled 1.1.0
Document security assurance requirements in acquisition contracts CMA_0199 - Document security assurance requirements in acquisition contracts Manual, Disabled 1.1.0
Document security documentation requirements in acquisition contract CMA_0200 - Document security documentation requirements in acquisition contract Manual, Disabled 1.1.0
Document security functional requirements in acquisition contracts CMA_0201 - Document security functional requirements in acquisition contracts Manual, Disabled 1.1.0
Document the information system environment in acquisition contracts CMA_0205 - Document the information system environment in acquisition contracts Manual, Disabled 1.1.0
Document the protection of cardholder data in third party contracts CMA_0207 - Document the protection of cardholder data in third party contracts Manual, Disabled 1.1.0
Document third-party personnel security requirements CMA_C1531 - Document third-party personnel security requirements Manual, Disabled 1.1.0
Establish third-party personnel security requirements CMA_C1529 - Establish third-party personnel security requirements Manual, Disabled 1.1.0
Require third-party providers to comply with personnel security policies and procedures CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures Manual, Disabled 1.1.0

1431.05k1Organizational.7-05.k 05.02 External Parties

ID: 1431.05k1Organizational.7-05.k Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Document third-party personnel security requirements CMA_C1531 - Document third-party personnel security requirements Manual, Disabled 1.1.0
Establish third-party personnel security requirements CMA_C1529 - Establish third-party personnel security requirements Manual, Disabled 1.1.0
Monitor third-party provider compliance CMA_C1533 - Monitor third-party provider compliance Manual, Disabled 1.1.0
Require notification of third-party personnel transfer or termination CMA_C1532 - Require notification of third-party personnel transfer or termination Manual, Disabled 1.1.0
Require third-party providers to comply with personnel security policies and procedures CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures Manual, Disabled 1.1.0

1432.05k1Organizational.89-05.k 05.02 External Parties

ID: 1432.05k1Organizational.89-05.k Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Clear personnel with access to classified information CMA_0054 - Clear personnel with access to classified information Manual, Disabled 1.1.0
Document third-party personnel security requirements CMA_C1531 - Document third-party personnel security requirements Manual, Disabled 1.1.0
Establish privacy requirements for contractors and service providers CMA_C1810 - Establish privacy requirements for contractors and service providers Manual, Disabled 1.1.0
Establish third-party personnel security requirements CMA_C1529 - Establish third-party personnel security requirements Manual, Disabled 1.1.0
Implement personnel screening CMA_0322 - Implement personnel screening Manual, Disabled 1.1.0
Monitor third-party provider compliance CMA_C1533 - Monitor third-party provider compliance Manual, Disabled 1.1.0
Require third-party providers to comply with personnel security policies and procedures CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures Manual, Disabled 1.1.0

1438.09e2System.4-09.e 09.02 Control Third Party Service Delivery

ID: 1438.09e2System.4-09.e Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Determine supplier contract obligations CMA_0140 - Determine supplier contract obligations Manual, Disabled 1.1.0
Document acquisition contract acceptance criteria CMA_0187 - Document acquisition contract acceptance criteria Manual, Disabled 1.1.0
Document protection of personal data in acquisition contracts CMA_0194 - Document protection of personal data in acquisition contracts Manual, Disabled 1.1.0
Document protection of security information in acquisition contracts CMA_0195 - Document protection of security information in acquisition contracts Manual, Disabled 1.1.0
Document requirements for the use of shared data in contracts CMA_0197 - Document requirements for the use of shared data in contracts Manual, Disabled 1.1.0
Document security assurance requirements in acquisition contracts CMA_0199 - Document security assurance requirements in acquisition contracts Manual, Disabled 1.1.0
Document security documentation requirements in acquisition contract CMA_0200 - Document security documentation requirements in acquisition contract Manual, Disabled 1.1.0
Document security functional requirements in acquisition contracts CMA_0201 - Document security functional requirements in acquisition contracts Manual, Disabled 1.1.0
Document the information system environment in acquisition contracts CMA_0205 - Document the information system environment in acquisition contracts Manual, Disabled 1.1.0
Document the protection of cardholder data in third party contracts CMA_0207 - Document the protection of cardholder data in third party contracts Manual, Disabled 1.1.0
Ensure external providers consistently meet interests of the customers CMA_C1592 - Ensure external providers consistently meet interests of the customers Manual, Disabled 1.1.0
Require external service providers to comply with security requirements CMA_C1586 - Require external service providers to comply with security requirements Manual, Disabled 1.1.0
Review cloud service provider's compliance with policies and agreements CMA_0469 - Review cloud service provider's compliance with policies and agreements Manual, Disabled 1.1.0
Undergo independent security review CMA_0515 - Undergo independent security review Manual, Disabled 1.1.0

1450.05i2Organizational.2-05.i 05.02 External Parties

ID: 1450.05i2Organizational.2-05.i Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Assess risk in third party relationships CMA_0014 - Assess risk in third party relationships Manual, Disabled 1.1.0
Define and document government oversight CMA_C1587 - Define and document government oversight Manual, Disabled 1.1.0
Define requirements for supplying goods and services CMA_0126 - Define requirements for supplying goods and services Manual, Disabled 1.1.0
Determine supplier contract obligations CMA_0140 - Determine supplier contract obligations Manual, Disabled 1.1.0
Enforce SSL connection should be enabled for PostgreSQL database servers Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Audit, Disabled 1.0.1
Establish policies for supply chain risk management CMA_0275 - Establish policies for supply chain risk management Manual, Disabled 1.1.0
Identify incident response personnel CMA_0301 - Identify incident response personnel Manual, Disabled 1.1.0
Require external service providers to comply with security requirements CMA_C1586 - Require external service providers to comply with security requirements Manual, Disabled 1.1.0
Review cloud service provider's compliance with policies and agreements CMA_0469 - Review cloud service provider's compliance with policies and agreements Manual, Disabled 1.1.0
Undergo independent security review CMA_0515 - Undergo independent security review Manual, Disabled 1.1.0

1451.05iCSPOrganizational.2-05.i 05.02 External Parties

ID: 1451.05iCSPOrganizational.2-05.i Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Assess risk in third party relationships CMA_0014 - Assess risk in third party relationships Manual, Disabled 1.1.0
Audit privileged functions CMA_0019 - Audit privileged functions Manual, Disabled 1.1.0
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Conduct a full text analysis of logged privileged commands CMA_0056 - Conduct a full text analysis of logged privileged commands Manual, Disabled 1.1.0
Define access authorizations to support separation of duties CMA_0116 - Define access authorizations to support separation of duties Manual, Disabled 1.1.0
Define and document government oversight CMA_C1587 - Define and document government oversight Manual, Disabled 1.1.0
Define requirements for supplying goods and services CMA_0126 - Define requirements for supplying goods and services Manual, Disabled 1.1.0
Determine supplier contract obligations CMA_0140 - Determine supplier contract obligations Manual, Disabled 1.1.0
Document separation of duties CMA_0204 - Document separation of duties Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
Enforce software execution privileges CMA_C1041 - Enforce software execution privileges Manual, Disabled 1.1.0
Establish policies for supply chain risk management CMA_0275 - Establish policies for supply chain risk management Manual, Disabled 1.1.0
Monitor privileged role assignment CMA_0378 - Monitor privileged role assignment Manual, Disabled 1.1.0
Only secure connections to your Azure Cache for Redis should be enabled Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Audit, Deny, Disabled 1.0.0
Require external service providers to comply with security requirements CMA_C1586 - Require external service providers to comply with security requirements Manual, Disabled 1.1.0
Review cloud service provider's compliance with policies and agreements CMA_0469 - Review cloud service provider's compliance with policies and agreements Manual, Disabled 1.1.0
Revoke privileged roles as appropriate CMA_0483 - Revoke privileged roles as appropriate Manual, Disabled 1.1.0
Separate duties of individuals CMA_0492 - Separate duties of individuals Manual, Disabled 1.1.0
Undergo independent security review CMA_0515 - Undergo independent security review Manual, Disabled 1.1.0
Use privileged identity management CMA_0533 - Use privileged identity management Manual, Disabled 1.1.0

1452.05kCSPOrganizational.1-05.k 05.02 External Parties

ID: 1452.05kCSPOrganizational.1-05.k Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Document third-party personnel security requirements CMA_C1531 - Document third-party personnel security requirements Manual, Disabled 1.1.0
Establish third-party personnel security requirements CMA_C1529 - Establish third-party personnel security requirements Manual, Disabled 1.1.0
Require third-party providers to comply with personnel security policies and procedures CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures Manual, Disabled 1.1.0

1453.05kCSPOrganizational.2-05.k 05.02 External Parties

ID: 1453.05kCSPOrganizational.2-05.k Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Assess risk in third party relationships CMA_0014 - Assess risk in third party relationships Manual, Disabled 1.1.0
Define requirements for supplying goods and services CMA_0126 - Define requirements for supplying goods and services Manual, Disabled 1.1.0
Determine supplier contract obligations CMA_0140 - Determine supplier contract obligations Manual, Disabled 1.1.0
Ensure external providers consistently meet interests of the customers CMA_C1592 - Ensure external providers consistently meet interests of the customers Manual, Disabled 1.1.0
Establish an information security program CMA_0263 - Establish an information security program Manual, Disabled 1.1.0
Establish policies for supply chain risk management CMA_0275 - Establish policies for supply chain risk management Manual, Disabled 1.1.0
Establish third-party personnel security requirements CMA_C1529 - Establish third-party personnel security requirements Manual, Disabled 1.1.0
Require external service providers to comply with security requirements CMA_C1586 - Require external service providers to comply with security requirements Manual, Disabled 1.1.0
Review cloud service provider's compliance with policies and agreements CMA_0469 - Review cloud service provider's compliance with policies and agreements Manual, Disabled 1.1.0
Undergo independent security review CMA_0515 - Undergo independent security review Manual, Disabled 1.1.0

1454.05kCSPOrganizational.3-05.k 05.02 External Parties

ID: 1454.05kCSPOrganizational.3-05.k Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Assess risk in third party relationships CMA_0014 - Assess risk in third party relationships Manual, Disabled 1.1.0
Define and document government oversight CMA_C1587 - Define and document government oversight Manual, Disabled 1.1.0
Define requirements for supplying goods and services CMA_0126 - Define requirements for supplying goods and services Manual, Disabled 1.1.0
Establish policies for supply chain risk management CMA_0275 - Establish policies for supply chain risk management Manual, Disabled 1.1.0
Identify external service providers CMA_C1591 - Identify external service providers Manual, Disabled 1.1.0
Require external service providers to comply with security requirements CMA_C1586 - Require external service providers to comply with security requirements Manual, Disabled 1.1.0
Review cloud service provider's compliance with policies and agreements CMA_0469 - Review cloud service provider's compliance with policies and agreements Manual, Disabled 1.1.0
Undergo independent security review CMA_0515 - Undergo independent security review Manual, Disabled 1.1.0

1455.05kCSPOrganizational.4-05.k 05.02 External Parties

ID: 1455.05kCSPOrganizational.4-05.k Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define and document government oversight CMA_C1587 - Define and document government oversight Manual, Disabled 1.1.0
Document third-party personnel security requirements CMA_C1531 - Document third-party personnel security requirements Manual, Disabled 1.1.0
Establish third-party personnel security requirements CMA_C1529 - Establish third-party personnel security requirements Manual, Disabled 1.1.0
Monitor third-party provider compliance CMA_C1533 - Monitor third-party provider compliance Manual, Disabled 1.1.0
Require external service providers to comply with security requirements CMA_C1586 - Require external service providers to comply with security requirements Manual, Disabled 1.1.0
Require notification of third-party personnel transfer or termination CMA_C1532 - Require notification of third-party personnel transfer or termination Manual, Disabled 1.1.0
Require third-party providers to comply with personnel security policies and procedures CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures Manual, Disabled 1.1.0
Review cloud service provider's compliance with policies and agreements CMA_0469 - Review cloud service provider's compliance with policies and agreements Manual, Disabled 1.1.0
Undergo independent security review CMA_0515 - Undergo independent security review Manual, Disabled 1.1.0

1464.09e2Organizational.5-09.e 09.02 Control Third Party Service Delivery

ID: 1464.09e2Organizational.5-09.e Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Create separate alternate and primary storage sites CMA_C1269 - Create separate alternate and primary storage sites Manual, Disabled 1.1.0
Ensure alternate storage site safeguards are equivalent to primary site CMA_C1268 - Ensure alternate storage site safeguards are equivalent to primary site Manual, Disabled 1.1.0
Establish an alternate processing site CMA_0262 - Establish an alternate processing site Manual, Disabled 1.1.0
Identify and mitigate potential issues at alternate storage site CMA_C1271 - Identify and mitigate potential issues at alternate storage site Manual, Disabled 1.1.0
Recover and reconstitute resources after any disruption CMA_C1295 - Recover and reconstitute resources after any disruption Manual, Disabled 1.1.1

15 Incident Management

1501.02f1Organizational.123-02.f 02.03 During Employment

ID: 1501.02f1Organizational.123-02.f Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Assess information security events CMA_0013 - Assess information security events Manual, Disabled 1.1.0
Develop an incident response plan CMA_0145 - Develop an incident response plan Manual, Disabled 1.1.0
Develop security safeguards CMA_0161 - Develop security safeguards Manual, Disabled 1.1.0
Enable network protection CMA_0238 - Enable network protection Manual, Disabled 1.1.0
Eradicate contaminated information CMA_0253 - Eradicate contaminated information Manual, Disabled 1.1.0
Execute actions in response to information spills CMA_0281 - Execute actions in response to information spills Manual, Disabled 1.1.0
Implement formal sanctions process CMA_0317 - Implement formal sanctions process Manual, Disabled 1.1.0
Implement incident handling CMA_0318 - Implement incident handling Manual, Disabled 1.1.0
Maintain incident response plan CMA_0352 - Maintain incident response plan Manual, Disabled 1.1.0
Notify personnel upon sanctions CMA_0380 - Notify personnel upon sanctions Manual, Disabled 1.1.0
View and investigate restricted users CMA_0545 - View and investigate restricted users Manual, Disabled 1.1.0

1503.02f2Organizational.12-02.f 02.03 During Employment

ID: 1503.02f2Organizational.12-02.f Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop an incident response plan CMA_0145 - Develop an incident response plan Manual, Disabled 1.1.0
Develop security safeguards CMA_0161 - Develop security safeguards Manual, Disabled 1.1.0
Document security operations CMA_0202 - Document security operations Manual, Disabled 1.1.0
Enable network protection CMA_0238 - Enable network protection Manual, Disabled 1.1.0
Eradicate contaminated information CMA_0253 - Eradicate contaminated information Manual, Disabled 1.1.0
Execute actions in response to information spills CMA_0281 - Execute actions in response to information spills Manual, Disabled 1.1.0
Implement formal sanctions process CMA_0317 - Implement formal sanctions process Manual, Disabled 1.1.0
Implement incident handling CMA_0318 - Implement incident handling Manual, Disabled 1.1.0
Implement Incident handling capability CMA_C1367 - Implement Incident handling capability Manual, Disabled 1.1.0
Notify personnel upon sanctions CMA_0380 - Notify personnel upon sanctions Manual, Disabled 1.1.0
View and investigate restricted users CMA_0545 - View and investigate restricted users Manual, Disabled 1.1.0

ID: 1504.06e1Organizational.34-06.e Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Create a data inventory CMA_0096 - Create a data inventory Manual, Disabled 1.1.0
Develop an incident response plan CMA_0145 - Develop an incident response plan Manual, Disabled 1.1.0
Document security operations CMA_0202 - Document security operations Manual, Disabled 1.1.0
Enable detection of network devices CMA_0220 - Enable detection of network devices Manual, Disabled 1.1.0
Enable network protection CMA_0238 - Enable network protection Manual, Disabled 1.1.0
Enforce logical access CMA_0245 - Enforce logical access Manual, Disabled 1.1.0
Establish relationship between incident response capability and external providers CMA_C1376 - Establish relationship between incident response capability and external providers Manual, Disabled 1.1.0
Implement formal sanctions process CMA_0317 - Implement formal sanctions process Manual, Disabled 1.1.0
Implement incident handling CMA_0318 - Implement incident handling Manual, Disabled 1.1.0
Maintain records of processing of personal data CMA_0353 - Maintain records of processing of personal data Manual, Disabled 1.1.0
Notify personnel upon sanctions CMA_0380 - Notify personnel upon sanctions Manual, Disabled 1.1.0
Require approval for account creation CMA_0431 - Require approval for account creation Manual, Disabled 1.1.0
Review user groups and applications with access to sensitive data CMA_0481 - Review user groups and applications with access to sensitive data Manual, Disabled 1.1.0
Set automated notifications for new and trending cloud applications in your organization CMA_0495 - Set automated notifications for new and trending cloud applications in your organization Manual, Disabled 1.1.0

1505.11a1Organizational.13-11.a 11.01 Reporting Information Security Incidents and Weaknesses

ID: 1505.11a1Organizational.13-11.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Assess information security events CMA_0013 - Assess information security events Manual, Disabled 1.1.0
Conduct incident response testing CMA_0060 - Conduct incident response testing Manual, Disabled 1.1.0
Develop an incident response plan CMA_0145 - Develop an incident response plan Manual, Disabled 1.1.0
Develop security safeguards CMA_0161 - Develop security safeguards Manual, Disabled 1.1.0
Document security operations CMA_0202 - Document security operations Manual, Disabled 1.1.0
Enable network protection CMA_0238 - Enable network protection Manual, Disabled 1.1.0
Eradicate contaminated information CMA_0253 - Eradicate contaminated information Manual, Disabled 1.1.0
Establish an information security program CMA_0263 - Establish an information security program Manual, Disabled 1.1.0
Establish relationship between incident response capability and external providers CMA_C1376 - Establish relationship between incident response capability and external providers Manual, Disabled 1.1.0
Execute actions in response to information spills CMA_0281 - Execute actions in response to information spills Manual, Disabled 1.1.0
Identify classes of Incidents and Actions taken CMA_C1365 - Identify classes of Incidents and Actions taken Manual, Disabled 1.1.0
Identify incident response personnel CMA_0301 - Identify incident response personnel Manual, Disabled 1.1.0
Implement incident handling CMA_0318 - Implement incident handling Manual, Disabled 1.1.0
Maintain data breach records CMA_0351 - Maintain data breach records Manual, Disabled 1.1.0
Maintain incident response plan CMA_0352 - Maintain incident response plan Manual, Disabled 1.1.0
Protect incident response plan CMA_0405 - Protect incident response plan Manual, Disabled 1.1.0
Provide information spillage training CMA_0413 - Provide information spillage training Manual, Disabled 1.1.0
Run simulation attacks CMA_0486 - Run simulation attacks Manual, Disabled 1.1.0
View and investigate restricted users CMA_0545 - View and investigate restricted users Manual, Disabled 1.1.0

1506.11a1Organizational.2-11.a 11.01 Reporting Information Security Incidents and Weaknesses

ID: 1506.11a1Organizational.2-11.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Coordinate contingency plans with related plans CMA_0086 - Coordinate contingency plans with related plans Manual, Disabled 1.1.0
Develop an incident response plan CMA_0145 - Develop an incident response plan Manual, Disabled 1.1.0
Document security operations CMA_0202 - Document security operations Manual, Disabled 1.1.0
Enable network protection CMA_0238 - Enable network protection Manual, Disabled 1.1.0
Eradicate contaminated information CMA_0253 - Eradicate contaminated information Manual, Disabled 1.1.0
Establish a privacy program CMA_0257 - Establish a privacy program Manual, Disabled 1.1.0
Execute actions in response to information spills CMA_0281 - Execute actions in response to information spills Manual, Disabled 1.1.0
Implement incident handling CMA_0318 - Implement incident handling Manual, Disabled 1.1.0
Manage contacts for authorities and special interest groups CMA_0359 - Manage contacts for authorities and special interest groups Manual, Disabled 1.1.0
View and investigate restricted users CMA_0545 - View and investigate restricted users Manual, Disabled 1.1.0

1507.11a1Organizational.4-11.a 11.01 Reporting Information Security Incidents and Weaknesses

ID: 1507.11a1Organizational.4-11.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Implement an insider threat program CMA_C1751 - Implement an insider threat program Manual, Disabled 1.1.0
Implement Incident handling capability CMA_C1367 - Implement Incident handling capability Manual, Disabled 1.1.0
Provide security awareness training for insider threats CMA_0417 - Provide security awareness training for insider threats Manual, Disabled 1.1.0

1508.11a2Organizational.1-11.a 11.01 Reporting Information Security Incidents and Weaknesses

ID: 1508.11a2Organizational.1-11.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop an incident response plan CMA_0145 - Develop an incident response plan Manual, Disabled 1.1.0
Document security operations CMA_0202 - Document security operations Manual, Disabled 1.1.0
Enable network protection CMA_0238 - Enable network protection Manual, Disabled 1.1.0
Eradicate contaminated information CMA_0253 - Eradicate contaminated information Manual, Disabled 1.1.0
Execute actions in response to information spills CMA_0281 - Execute actions in response to information spills Manual, Disabled 1.1.0
Implement incident handling CMA_0318 - Implement incident handling Manual, Disabled 1.1.0
Provide information spillage training CMA_0413 - Provide information spillage training Manual, Disabled 1.1.0
View and investigate restricted users CMA_0545 - View and investigate restricted users Manual, Disabled 1.1.0

1509.11a2Organizational.236-11.a 11.01 Reporting Information Security Incidents and Weaknesses

ID: 1509.11a2Organizational.236-11.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Conduct incident response testing CMA_0060 - Conduct incident response testing Manual, Disabled 1.1.0
Coordinate contingency plans with related plans CMA_0086 - Coordinate contingency plans with related plans Manual, Disabled 1.1.0
Develop an incident response plan CMA_0145 - Develop an incident response plan Manual, Disabled 1.1.0
Develop security safeguards CMA_0161 - Develop security safeguards Manual, Disabled 1.1.0
Document security operations CMA_0202 - Document security operations Manual, Disabled 1.1.0
Enable network protection CMA_0238 - Enable network protection Manual, Disabled 1.1.0
Eradicate contaminated information CMA_0253 - Eradicate contaminated information Manual, Disabled 1.1.0
Establish an information security program CMA_0263 - Establish an information security program Manual, Disabled 1.1.0
Execute actions in response to information spills CMA_0281 - Execute actions in response to information spills Manual, Disabled 1.1.0
Identify classes of Incidents and Actions taken CMA_C1365 - Identify classes of Incidents and Actions taken Manual, Disabled 1.1.0
Implement incident handling CMA_0318 - Implement incident handling Manual, Disabled 1.1.0
Maintain data breach records CMA_0351 - Maintain data breach records Manual, Disabled 1.1.0
Maintain incident response plan CMA_0352 - Maintain incident response plan Manual, Disabled 1.1.0
Protect incident response plan CMA_0405 - Protect incident response plan Manual, Disabled 1.1.0
Provide information spillage training CMA_0413 - Provide information spillage training Manual, Disabled 1.1.0
Run simulation attacks CMA_0486 - Run simulation attacks Manual, Disabled 1.1.0
View and investigate restricted users CMA_0545 - View and investigate restricted users Manual, Disabled 1.1.0

1510.11a2Organizational.47-11.a 11.01 Reporting Information Security Incidents and Weaknesses

ID: 1510.11a2Organizational.47-11.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Assess information security events CMA_0013 - Assess information security events Manual, Disabled 1.1.0
Conduct incident response testing CMA_0060 - Conduct incident response testing Manual, Disabled 1.1.0
Develop an incident response plan CMA_0145 - Develop an incident response plan Manual, Disabled 1.1.0
Document security operations CMA_0202 - Document security operations Manual, Disabled 1.1.0
Establish an information security program CMA_0263 - Establish an information security program Manual, Disabled 1.1.0
Implement incident handling CMA_0318 - Implement incident handling Manual, Disabled 1.1.0
Maintain data breach records CMA_0351 - Maintain data breach records Manual, Disabled 1.1.0
Maintain incident response plan CMA_0352 - Maintain incident response plan Manual, Disabled 1.1.0
Protect incident response plan CMA_0405 - Protect incident response plan Manual, Disabled 1.1.0
Provide information spillage training CMA_0413 - Provide information spillage training Manual, Disabled 1.1.0
Run simulation attacks CMA_0486 - Run simulation attacks Manual, Disabled 1.1.0

1511.11a2Organizational.5-11.a 11.01 Reporting Information Security Incidents and Weaknesses

ID: 1511.11a2Organizational.5-11.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Assess information security events CMA_0013 - Assess information security events Manual, Disabled 1.1.0
Coordinate contingency plans with related plans CMA_0086 - Coordinate contingency plans with related plans Manual, Disabled 1.1.0
Develop an incident response plan CMA_0145 - Develop an incident response plan Manual, Disabled 1.1.0
Develop security safeguards CMA_0161 - Develop security safeguards Manual, Disabled 1.1.0
Document security operations CMA_0202 - Document security operations Manual, Disabled 1.1.0
Enable network protection CMA_0238 - Enable network protection Manual, Disabled 1.1.0
Eradicate contaminated information CMA_0253 - Eradicate contaminated information Manual, Disabled 1.1.0
Execute actions in response to information spills CMA_0281 - Execute actions in response to information spills Manual, Disabled 1.1.0
Implement incident handling CMA_0318 - Implement incident handling Manual, Disabled 1.1.0
Incorporate simulated events into incident response training CMA_C1356 - Incorporate simulated events into incident response training Manual, Disabled 1.1.0
Maintain incident response plan CMA_0352 - Maintain incident response plan Manual, Disabled 1.1.0
Provide information spillage training CMA_0413 - Provide information spillage training Manual, Disabled 1.1.0
View and investigate restricted users CMA_0545 - View and investigate restricted users Manual, Disabled 1.1.0

1512.11a2Organizational.8-11.a 11.01 Reporting Information Security Incidents and Weaknesses

ID: 1512.11a2Organizational.8-11.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Alert personnel of information spillage CMA_0007 - Alert personnel of information spillage Manual, Disabled 1.1.0
Correlate audit records CMA_0087 - Correlate audit records Manual, Disabled 1.1.0
Develop an incident response plan CMA_0145 - Develop an incident response plan Manual, Disabled 1.1.0
Document security operations CMA_0202 - Document security operations Manual, Disabled 1.1.0
Document wireless access security controls CMA_C1695 - Document wireless access security controls Manual, Disabled 1.1.0
Establish requirements for audit review and reporting CMA_0277 - Establish requirements for audit review and reporting Manual, Disabled 1.1.0
Integrate audit review, analysis, and reporting CMA_0339 - Integrate audit review, analysis, and reporting Manual, Disabled 1.1.0
Integrate cloud app security with a siem CMA_0340 - Integrate cloud app security with a siem Manual, Disabled 1.1.0
Review account provisioning logs CMA_0460 - Review account provisioning logs Manual, Disabled 1.1.0
Review administrator assignments weekly CMA_0461 - Review administrator assignments weekly Manual, Disabled 1.1.0
Review audit data CMA_0466 - Review audit data Manual, Disabled 1.1.0
Review cloud identity report overview CMA_0468 - Review cloud identity report overview Manual, Disabled 1.1.0
Review controlled folder access events CMA_0471 - Review controlled folder access events Manual, Disabled 1.1.0
Review file and folder activity CMA_0473 - Review file and folder activity Manual, Disabled 1.1.0
Review role group changes weekly CMA_0476 - Review role group changes weekly Manual, Disabled 1.1.0
Set automated notifications for new and trending cloud applications in your organization CMA_0495 - Set automated notifications for new and trending cloud applications in your organization Manual, Disabled 1.1.0
Turn on sensors for endpoint security solution CMA_0514 - Turn on sensors for endpoint security solution Manual, Disabled 1.1.0

1515.11a3Organizational.3-11.a 11.01 Reporting Information Security Incidents and Weaknesses

ID: 1515.11a3Organizational.3-11.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Assess information security events CMA_0013 - Assess information security events Manual, Disabled 1.1.0
Coordinate contingency plans with related plans CMA_0086 - Coordinate contingency plans with related plans Manual, Disabled 1.1.0
Develop an incident response plan CMA_0145 - Develop an incident response plan Manual, Disabled 1.1.0
Develop security safeguards CMA_0161 - Develop security safeguards Manual, Disabled 1.1.0
Enable network protection CMA_0238 - Enable network protection Manual, Disabled 1.1.0
Eradicate contaminated information CMA_0253 - Eradicate contaminated information Manual, Disabled 1.1.0
Execute actions in response to information spills CMA_0281 - Execute actions in response to information spills Manual, Disabled 1.1.0
Identify classes of Incidents and Actions taken CMA_C1365 - Identify classes of Incidents and Actions taken Manual, Disabled 1.1.0
Implement incident handling CMA_0318 - Implement incident handling Manual, Disabled 1.1.0
Maintain incident response plan CMA_0352 - Maintain incident response plan Manual, Disabled 1.1.0
View and investigate restricted users CMA_0545 - View and investigate restricted users Manual, Disabled 1.1.0

1516.11c1Organizational.12-11.c 11.02 Management of Information Security Incidents and Improvements

ID: 1516.11c1Organizational.12-11.c Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Assess information security events CMA_0013 - Assess information security events Manual, Disabled 1.1.0
Conduct incident response testing CMA_0060 - Conduct incident response testing Manual, Disabled 1.1.0
Document security operations CMA_0202 - Document security operations Manual, Disabled 1.1.0
Establish an information security program CMA_0263 - Establish an information security program Manual, Disabled 1.1.0
Implement incident handling CMA_0318 - Implement incident handling Manual, Disabled 1.1.0
Maintain data breach records CMA_0351 - Maintain data breach records Manual, Disabled 1.1.0
Maintain incident response plan CMA_0352 - Maintain incident response plan Manual, Disabled 1.1.0
Protect incident response plan CMA_0405 - Protect incident response plan Manual, Disabled 1.1.0
Provide information spillage training CMA_0413 - Provide information spillage training Manual, Disabled 1.1.0
Run simulation attacks CMA_0486 - Run simulation attacks Manual, Disabled 1.1.0

1517.11c1Organizational.3-11.c 11.02 Management of Information Security Incidents and Improvements

ID: 1517.11c1Organizational.3-11.c Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Assess information security events CMA_0013 - Assess information security events Manual, Disabled 1.1.0
Document security operations CMA_0202 - Document security operations Manual, Disabled 1.1.0
Implement incident handling CMA_0318 - Implement incident handling Manual, Disabled 1.1.0
Maintain data breach records CMA_0351 - Maintain data breach records Manual, Disabled 1.1.0
Maintain incident response plan CMA_0352 - Maintain incident response plan Manual, Disabled 1.1.0
Protect incident response plan CMA_0405 - Protect incident response plan Manual, Disabled 1.1.0

1518.11c2Organizational.13-11.c 11.02 Management of Information Security Incidents and Improvements

ID: 1518.11c2Organizational.13-11.c Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Review and update incident response policies and procedures CMA_C1352 - Review and update incident response policies and procedures Manual, Disabled 1.1.0

1519.11c2Organizational.2-11.c 11.02 Management of Information Security Incidents and Improvements

ID: 1519.11c2Organizational.2-11.c Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Correlate audit records CMA_0087 - Correlate audit records Manual, Disabled 1.1.0
Document security operations CMA_0202 - Document security operations Manual, Disabled 1.1.0
Establish requirements for audit review and reporting CMA_0277 - Establish requirements for audit review and reporting Manual, Disabled 1.1.0
Integrate Audit record analysis CMA_C1120 - Integrate Audit record analysis Manual, Disabled 1.1.0
Integrate audit review, analysis, and reporting CMA_0339 - Integrate audit review, analysis, and reporting Manual, Disabled 1.1.0
Integrate cloud app security with a siem CMA_0340 - Integrate cloud app security with a siem Manual, Disabled 1.1.0
Provide capability to process customer-controlled audit records CMA_C1126 - Provide capability to process customer-controlled audit records Manual, Disabled 1.1.0
Review account provisioning logs CMA_0460 - Review account provisioning logs Manual, Disabled 1.1.0
Review administrator assignments weekly CMA_0461 - Review administrator assignments weekly Manual, Disabled 1.1.0
Review audit data CMA_0466 - Review audit data Manual, Disabled 1.1.0
Review cloud identity report overview CMA_0468 - Review cloud identity report overview Manual, Disabled 1.1.0
Review controlled folder access events CMA_0471 - Review controlled folder access events Manual, Disabled 1.1.0
Review file and folder activity CMA_0473 - Review file and folder activity Manual, Disabled 1.1.0
Review role group changes weekly CMA_0476 - Review role group changes weekly Manual, Disabled 1.1.0

1520.11c2Organizational.4-11.c 11.02 Management of Information Security Incidents and Improvements

ID: 1520.11c2Organizational.4-11.c Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Assess information security events CMA_0013 - Assess information security events Manual, Disabled 1.1.0
Conduct incident response testing CMA_0060 - Conduct incident response testing Manual, Disabled 1.1.0
Establish an information security program CMA_0263 - Establish an information security program Manual, Disabled 1.1.0
Implement incident handling CMA_0318 - Implement incident handling Manual, Disabled 1.1.0
Maintain data breach records CMA_0351 - Maintain data breach records Manual, Disabled 1.1.0
Maintain incident response plan CMA_0352 - Maintain incident response plan Manual, Disabled 1.1.0
Protect incident response plan CMA_0405 - Protect incident response plan Manual, Disabled 1.1.0
Run simulation attacks CMA_0486 - Run simulation attacks Manual, Disabled 1.1.0

1521.11c2Organizational.56-11.c 11.02 Management of Information Security Incidents and Improvements

ID: 1521.11c2Organizational.56-11.c Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Assess information security events CMA_0013 - Assess information security events Manual, Disabled 1.1.0
Conduct incident response testing CMA_0060 - Conduct incident response testing Manual, Disabled 1.1.0
Coordinate contingency plans with related plans CMA_0086 - Coordinate contingency plans with related plans Manual, Disabled 1.1.0
Develop security safeguards CMA_0161 - Develop security safeguards Manual, Disabled 1.1.0
Enable network protection CMA_0238 - Enable network protection Manual, Disabled 1.1.0
Eradicate contaminated information CMA_0253 - Eradicate contaminated information Manual, Disabled 1.1.0
Establish an information security program CMA_0263 - Establish an information security program Manual, Disabled 1.1.0
Execute actions in response to information spills CMA_0281 - Execute actions in response to information spills Manual, Disabled 1.1.0
Identify classes of Incidents and Actions taken CMA_C1365 - Identify classes of Incidents and Actions taken Manual, Disabled 1.1.0
Implement incident handling CMA_0318 - Implement incident handling Manual, Disabled 1.1.0
Implement Incident handling capability CMA_C1367 - Implement Incident handling capability Manual, Disabled 1.1.0
Incorporate simulated events into incident response training CMA_C1356 - Incorporate simulated events into incident response training Manual, Disabled 1.1.0
Maintain incident response plan CMA_0352 - Maintain incident response plan Manual, Disabled 1.1.0
Provide information spillage training CMA_0413 - Provide information spillage training Manual, Disabled 1.1.0
Run simulation attacks CMA_0486 - Run simulation attacks Manual, Disabled 1.1.0
View and investigate restricted users CMA_0545 - View and investigate restricted users Manual, Disabled 1.1.0

1522.11c3Organizational.13-11.c 11.02 Management of Information Security Incidents and Improvements

ID: 1522.11c3Organizational.13-11.c Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Document security operations CMA_0202 - Document security operations Manual, Disabled 1.1.0
Enable network protection CMA_0238 - Enable network protection Manual, Disabled 1.1.0
Eradicate contaminated information CMA_0253 - Eradicate contaminated information Manual, Disabled 1.1.0
Execute actions in response to information spills CMA_0281 - Execute actions in response to information spills Manual, Disabled 1.1.0
Implement incident handling CMA_0318 - Implement incident handling Manual, Disabled 1.1.0
View and investigate restricted users CMA_0545 - View and investigate restricted users Manual, Disabled 1.1.0

1523.11c3Organizational.24-11.c 11.02 Management of Information Security Incidents and Improvements

ID: 1523.11c3Organizational.24-11.c Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Document security operations CMA_0202 - Document security operations Manual, Disabled 1.1.0
Establish relationship between incident response capability and external providers CMA_C1376 - Establish relationship between incident response capability and external providers Manual, Disabled 1.1.0
Identify incident response personnel CMA_0301 - Identify incident response personnel Manual, Disabled 1.1.0
Use automated mechanisms for security alerts CMA_C1707 - Use automated mechanisms for security alerts Manual, Disabled 1.1.0

1524.11a1Organizational.5-11.a 11.01 Reporting Information Security Incidents and Weaknesses

ID: 1524.11a1Organizational.5-11.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Coordinate with external organizations to achieve cross org perspective CMA_C1368 - Coordinate with external organizations to achieve cross org perspective Manual, Disabled 1.1.0
Obtain legal opinion for monitoring system activities CMA_C1688 - Obtain legal opinion for monitoring system activities Manual, Disabled 1.1.0
Require external service providers to comply with security requirements CMA_C1586 - Require external service providers to comply with security requirements Manual, Disabled 1.1.0

1525.11a1Organizational.6-11.a 11.01 Reporting Information Security Incidents and Weaknesses

ID: 1525.11a1Organizational.6-11.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Establish information security workforce development and improvement program CMA_C1752 - Establish information security workforce development and improvement program Manual, Disabled 1.1.0
Implement an insider threat program CMA_C1751 - Implement an insider threat program Manual, Disabled 1.1.0
Implement formal sanctions process CMA_0317 - Implement formal sanctions process Manual, Disabled 1.1.0
Implement Incident handling capability CMA_C1367 - Implement Incident handling capability Manual, Disabled 1.1.0
Notify personnel upon sanctions CMA_0380 - Notify personnel upon sanctions Manual, Disabled 1.1.0
Provide security awareness training for insider threats CMA_0417 - Provide security awareness training for insider threats Manual, Disabled 1.1.0

1560.11d1Organizational.1-11.d 11.02 Management of Information Security Incidents and Improvements

ID: 1560.11d1Organizational.1-11.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Assess information security events CMA_0013 - Assess information security events Manual, Disabled 1.1.0
Conduct incident response testing CMA_0060 - Conduct incident response testing Manual, Disabled 1.1.0
Establish an information security program CMA_0263 - Establish an information security program Manual, Disabled 1.1.0
Implement incident handling CMA_0318 - Implement incident handling Manual, Disabled 1.1.0
Maintain data breach records CMA_0351 - Maintain data breach records Manual, Disabled 1.1.0
Maintain incident response plan CMA_0352 - Maintain incident response plan Manual, Disabled 1.1.0
Protect incident response plan CMA_0405 - Protect incident response plan Manual, Disabled 1.1.0
Run simulation attacks CMA_0486 - Run simulation attacks Manual, Disabled 1.1.0

1561.11d2Organizational.14-11.d 11.02 Management of Information Security Incidents and Improvements

ID: 1561.11d2Organizational.14-11.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop security safeguards CMA_0161 - Develop security safeguards Manual, Disabled 1.1.0
Enable network protection CMA_0238 - Enable network protection Manual, Disabled 1.1.0
Eradicate contaminated information CMA_0253 - Eradicate contaminated information Manual, Disabled 1.1.0
Execute actions in response to information spills CMA_0281 - Execute actions in response to information spills Manual, Disabled 1.1.0
Review and update incident response policies and procedures CMA_C1352 - Review and update incident response policies and procedures Manual, Disabled 1.1.0
View and investigate restricted users CMA_0545 - View and investigate restricted users Manual, Disabled 1.1.0

1562.11d2Organizational.2-11.d 11.02 Management of Information Security Incidents and Improvements

ID: 1562.11d2Organizational.2-11.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Address information security issues CMA_C1742 - Address information security issues Manual, Disabled 1.1.0
Conduct incident response testing CMA_0060 - Conduct incident response testing Manual, Disabled 1.1.0
Coordinate contingency plans with related plans CMA_0086 - Coordinate contingency plans with related plans Manual, Disabled 1.1.0
Develop contingency plan CMA_C1244 - Develop contingency plan Manual, Disabled 1.1.0
Develop security safeguards CMA_0161 - Develop security safeguards Manual, Disabled 1.1.0
Enable network protection CMA_0238 - Enable network protection Manual, Disabled 1.1.0
Eradicate contaminated information CMA_0253 - Eradicate contaminated information Manual, Disabled 1.1.0
Establish an information security program CMA_0263 - Establish an information security program Manual, Disabled 1.1.0
Execute actions in response to information spills CMA_0281 - Execute actions in response to information spills Manual, Disabled 1.1.0
Identify classes of Incidents and Actions taken CMA_C1365 - Identify classes of Incidents and Actions taken Manual, Disabled 1.1.0
Run simulation attacks CMA_0486 - Run simulation attacks Manual, Disabled 1.1.0
View and investigate restricted users CMA_0545 - View and investigate restricted users Manual, Disabled 1.1.0

1563.11d2Organizational.3-11.d 11.02 Management of Information Security Incidents and Improvements

ID: 1563.11d2Organizational.3-11.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Assess information security events CMA_0013 - Assess information security events Manual, Disabled 1.1.0
Conduct incident response testing CMA_0060 - Conduct incident response testing Manual, Disabled 1.1.0
Maintain incident response plan CMA_0352 - Maintain incident response plan Manual, Disabled 1.1.0
Run simulation attacks CMA_0486 - Run simulation attacks Manual, Disabled 1.1.0

1577.11aCSPOrganizational.1-11.a 11.01 Reporting Information Security Incidents and Weaknesses

ID: 1577.11aCSPOrganizational.1-11.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Ensure external providers consistently meet interests of the customers CMA_C1592 - Ensure external providers consistently meet interests of the customers Manual, Disabled 1.1.0
Identify incident response personnel CMA_0301 - Identify incident response personnel Manual, Disabled 1.1.0

1587.11c2Organizational.10-11.c 11.02 Management of Information Security Incidents and Improvements

ID: 1587.11c2Organizational.10-11.c Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Assess information security events CMA_0013 - Assess information security events Manual, Disabled 1.1.0
Develop security safeguards CMA_0161 - Develop security safeguards Manual, Disabled 1.1.0
Enable network protection CMA_0238 - Enable network protection Manual, Disabled 1.1.0
Eradicate contaminated information CMA_0253 - Eradicate contaminated information Manual, Disabled 1.1.0
Execute actions in response to information spills CMA_0281 - Execute actions in response to information spills Manual, Disabled 1.1.0
Maintain data breach records CMA_0351 - Maintain data breach records Manual, Disabled 1.1.0
Maintain incident response plan CMA_0352 - Maintain incident response plan Manual, Disabled 1.1.0
Protect incident response plan CMA_0405 - Protect incident response plan Manual, Disabled 1.1.0
View and investigate restricted users CMA_0545 - View and investigate restricted users Manual, Disabled 1.1.0

1589.11c1Organizational.5-11.c 11.02 Management of Information Security Incidents and Improvements

ID: 1589.11c1Organizational.5-11.c Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Conduct incident response testing CMA_0060 - Conduct incident response testing Manual, Disabled 1.1.0
Incorporate simulated events into incident response training CMA_C1356 - Incorporate simulated events into incident response training Manual, Disabled 1.1.0
Provide information spillage training CMA_0413 - Provide information spillage training Manual, Disabled 1.1.0
Run simulation attacks CMA_0486 - Run simulation attacks Manual, Disabled 1.1.0

16 Business Continuity & Disaster Recovery

1601.12c1Organizational.1238-12.c 12.01 Information Security Aspects of Business Continuity Management

ID: 1601.12c1Organizational.1238-12.c Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop contingency plan CMA_C1244 - Develop contingency plan Manual, Disabled 1.1.0
Test the business continuity and disaster recovery plan CMA_0509 - Test the business continuity and disaster recovery plan Manual, Disabled 1.1.0
Update contingency plan CMA_C1248 - Update contingency plan Manual, Disabled 1.1.0

1602.12c1Organizational.4567-12.c 12.01 Information Security Aspects of Business Continuity Management

ID: 1602.12c1Organizational.4567-12.c Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Conduct capacity planning CMA_C1252 - Conduct capacity planning Manual, Disabled 1.1.0
Develop and document a business continuity and disaster recovery plan CMA_0146 - Develop and document a business continuity and disaster recovery plan Manual, Disabled 1.1.0
Develop contingency plan CMA_C1244 - Develop contingency plan Manual, Disabled 1.1.0

1603.12c1Organizational.9-12.c 12.01 Information Security Aspects of Business Continuity Management

ID: 1603.12c1Organizational.9-12.c Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Communicate contingency plan changes CMA_C1249 - Communicate contingency plan changes Manual, Disabled 1.1.0
Coordinate contingency plans with related plans CMA_0086 - Coordinate contingency plans with related plans Manual, Disabled 1.1.0
Develop contingency planning policies and procedures CMA_0156 - Develop contingency planning policies and procedures Manual, Disabled 1.1.0
Distribute policies and procedures CMA_0185 - Distribute policies and procedures Manual, Disabled 1.1.0
Review and update contingency planning policies and procedures CMA_C1243 - Review and update contingency planning policies and procedures Manual, Disabled 1.1.0

1604.12c2Organizational.16789-12.c 12.01 Information Security Aspects of Business Continuity Management

ID: 1604.12c2Organizational.16789-12.c Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Create separate alternate and primary storage sites CMA_C1269 - Create separate alternate and primary storage sites Manual, Disabled 1.1.0
Ensure alternate storage site safeguards are equivalent to primary site CMA_C1268 - Ensure alternate storage site safeguards are equivalent to primary site Manual, Disabled 1.1.0
Establish alternate storage site that facilitates recovery operations CMA_C1270 - Establish alternate storage site that facilitates recovery operations Manual, Disabled 1.1.0
Establish alternate storage site to store and retrieve backup information CMA_C1267 - Establish alternate storage site to store and retrieve backup information Manual, Disabled 1.1.0
Establish an alternate processing site CMA_0262 - Establish an alternate processing site Manual, Disabled 1.1.0
Establish requirements for internet service providers CMA_0278 - Establish requirements for internet service providers Manual, Disabled 1.1.0

1607.12c2Organizational.4-12.c 12.01 Information Security Aspects of Business Continuity Management

ID: 1607.12c2Organizational.4-12.c Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop contingency plan CMA_C1244 - Develop contingency plan Manual, Disabled 1.1.0
Review and update contingency planning policies and procedures CMA_C1243 - Review and update contingency planning policies and procedures Manual, Disabled 1.1.0

1608.12c2Organizational.5-12.c 12.01 Information Security Aspects of Business Continuity Management

ID: 1608.12c2Organizational.5-12.c Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Conduct backup of information system documentation CMA_C1289 - Conduct backup of information system documentation Manual, Disabled 1.1.0
Separately store backup information CMA_C1293 - Separately store backup information Manual, Disabled 1.1.0
Transfer backup information to an alternate storage site CMA_C1294 - Transfer backup information to an alternate storage site Manual, Disabled 1.1.0

1609.12c3Organizational.12-12.c 12.01 Information Security Aspects of Business Continuity Management

ID: 1609.12c3Organizational.12-12.c Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Establish requirements for internet service providers CMA_0278 - Establish requirements for internet service providers Manual, Disabled 1.1.0

1616.09l1Organizational.16-09.l 09.05 Information Back-Up

ID: 1616.09l1Organizational.16-09.l Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Conduct backup of information system documentation CMA_C1289 - Conduct backup of information system documentation Manual, Disabled 1.1.0
Long-term geo-redundant backup should be enabled for Azure SQL Databases This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled. AuditIfNotExists, Disabled 2.0.0

1617.09l1Organizational.23-09.l 09.05 Information Back-Up

ID: 1617.09l1Organizational.23-09.l Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Conduct backup of information system documentation CMA_C1289 - Conduct backup of information system documentation Manual, Disabled 1.1.0
Develop contingency plan CMA_C1244 - Develop contingency plan Manual, Disabled 1.1.0
Geo-redundant backup should be enabled for Azure Database for MySQL Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. Audit, Disabled 1.0.1

1618.09l1Organizational.45-09.l 09.05 Information Back-Up

ID: 1618.09l1Organizational.45-09.l Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Create separate alternate and primary storage sites CMA_C1269 - Create separate alternate and primary storage sites Manual, Disabled 1.1.0
Ensure alternate storage site safeguards are equivalent to primary site CMA_C1268 - Ensure alternate storage site safeguards are equivalent to primary site Manual, Disabled 1.1.0
Establish alternate storage site that facilitates recovery operations CMA_C1270 - Establish alternate storage site that facilitates recovery operations Manual, Disabled 1.1.0
Establish alternate storage site to store and retrieve backup information CMA_C1267 - Establish alternate storage site to store and retrieve backup information Manual, Disabled 1.1.0
Establish backup policies and procedures CMA_0268 - Establish backup policies and procedures Manual, Disabled 1.1.0
Geo-redundant backup should be enabled for Azure Database for PostgreSQL Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. Audit, Disabled 1.0.1
Separately store backup information CMA_C1293 - Separately store backup information Manual, Disabled 1.1.0

1619.09l1Organizational.7-09.l 09.05 Information Back-Up

ID: 1619.09l1Organizational.7-09.l Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Establish requirements for internet service providers CMA_0278 - Establish requirements for internet service providers Manual, Disabled 1.1.0
Geo-redundant backup should be enabled for Azure Database for MariaDB Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. Audit, Disabled 1.0.1

1620.09l1Organizational.8-09.l 09.05 Information Back-Up

ID: 1620.09l1Organizational.8-09.l Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Backup should be enabled for Virtual Machines Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. AuditIfNotExists, Disabled 3.0.0
Conduct backup of information system documentation CMA_C1289 - Conduct backup of information system documentation Manual, Disabled 1.1.0
Establish backup policies and procedures CMA_0268 - Establish backup policies and procedures Manual, Disabled 1.1.0
Separately store backup information CMA_C1293 - Separately store backup information Manual, Disabled 1.1.0
Transfer backup information to an alternate storage site CMA_C1294 - Transfer backup information to an alternate storage site Manual, Disabled 1.1.0

1621.09l2Organizational.1-09.l 09.05 Information Back-Up

ID: 1621.09l2Organizational.1-09.l Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Create a data inventory CMA_0096 - Create a data inventory Manual, Disabled 1.1.0
Long-term geo-redundant backup should be enabled for Azure SQL Databases This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled. AuditIfNotExists, Disabled 2.0.0
Maintain records of processing of personal data CMA_0353 - Maintain records of processing of personal data Manual, Disabled 1.1.0

1622.09l2Organizational.23-09.l 09.05 Information Back-Up

ID: 1622.09l2Organizational.23-09.l Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Establish backup policies and procedures CMA_0268 - Establish backup policies and procedures Manual, Disabled 1.1.0
Geo-redundant backup should be enabled for Azure Database for MySQL Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. Audit, Disabled 1.0.1
Identify and mitigate potential issues at alternate storage site CMA_C1271 - Identify and mitigate potential issues at alternate storage site Manual, Disabled 1.1.0
Separately store backup information CMA_C1293 - Separately store backup information Manual, Disabled 1.1.0

1623.09l2Organizational.4-09.l 09.05 Information Back-Up

ID: 1623.09l2Organizational.4-09.l Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Conduct backup of information system documentation CMA_C1289 - Conduct backup of information system documentation Manual, Disabled 1.1.0
Establish backup policies and procedures CMA_0268 - Establish backup policies and procedures Manual, Disabled 1.1.0
Geo-redundant backup should be enabled for Azure Database for PostgreSQL Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. Audit, Disabled 1.0.1

1624.09l3Organizational.12-09.l 09.05 Information Back-Up

ID: 1624.09l3Organizational.12-09.l Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Conduct backup of information system documentation CMA_C1289 - Conduct backup of information system documentation Manual, Disabled 1.1.0
Establish backup policies and procedures CMA_0268 - Establish backup policies and procedures Manual, Disabled 1.1.0
Geo-redundant backup should be enabled for Azure Database for MariaDB Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. Audit, Disabled 1.0.1

1625.09l3Organizational.34-09.l 09.05 Information Back-Up

ID: 1625.09l3Organizational.34-09.l Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Backup should be enabled for Virtual Machines Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. AuditIfNotExists, Disabled 3.0.0
Conduct backup of information system documentation CMA_C1289 - Conduct backup of information system documentation Manual, Disabled 1.1.0

1626.09l3Organizational.5-09.l 09.05 Information Back-Up

ID: 1626.09l3Organizational.5-09.l Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Conduct backup of information system documentation CMA_C1289 - Conduct backup of information system documentation Manual, Disabled 1.1.0
Geo-redundant backup should be enabled for Azure Database for PostgreSQL Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. Audit, Disabled 1.0.1

1627.09l3Organizational.6-09.l 09.05 Information Back-Up

ID: 1627.09l3Organizational.6-09.l Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Geo-redundant backup should be enabled for Azure Database for MariaDB Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. Audit, Disabled 1.0.1
Separately store backup information CMA_C1293 - Separately store backup information Manual, Disabled 1.1.0

1634.12b1Organizational.1-12.b 12.01 Information Security Aspects of Business Continuity Management

ID: 1634.12b1Organizational.1-12.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit virtual machines without disaster recovery configured Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit https://aka.ms/asr-doc. auditIfNotExists 1.0.0
Coordinate contingency plans with related plans CMA_0086 - Coordinate contingency plans with related plans Manual, Disabled 1.1.0
Develop contingency plan CMA_C1244 - Develop contingency plan Manual, Disabled 1.1.0
Develop contingency planning policies and procedures CMA_0156 - Develop contingency planning policies and procedures Manual, Disabled 1.1.0
Distribute policies and procedures CMA_0185 - Distribute policies and procedures Manual, Disabled 1.1.0

1635.12b1Organizational.2-12.b 12.01 Information Security Aspects of Business Continuity Management

ID: 1635.12b1Organizational.2-12.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Key Vault Managed HSM should have purge protection enabled Malicious deletion of an Azure Key Vault Managed HSM can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge Azure Key Vault Managed HSM. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted Azure Key Vault Managed HSM. No one inside your organization or Microsoft will be able to purge your Azure Key Vault Managed HSM during the soft delete retention period. Audit, Deny, Disabled 1.0.0
Develop contingency plan CMA_C1244 - Develop contingency plan Manual, Disabled 1.1.0
Key vaults should have deletion protection enabled Malicious deletion of a key vault can lead to permanent data loss. You can prevent permanent data loss by enabling purge protection and soft delete. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. Keep in mind that key vaults created after September 1st 2019 have soft-delete enabled by default. Audit, Deny, Disabled 2.1.0
Perform a business impact assessment and application criticality assessment CMA_0386 - Perform a business impact assessment and application criticality assessment Manual, Disabled 1.1.0
Perform a risk assessment CMA_0388 - Perform a risk assessment Manual, Disabled 1.1.0
Plan for resumption of essential business functions CMA_C1253 - Plan for resumption of essential business functions Manual, Disabled 1.1.0

1636.12b2Organizational.1-12.b 12.01 Information Security Aspects of Business Continuity Management

ID: 1636.12b2Organizational.1-12.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Coordinate contingency plans with related plans CMA_0086 - Coordinate contingency plans with related plans Manual, Disabled 1.1.0
Develop contingency plan CMA_C1244 - Develop contingency plan Manual, Disabled 1.1.0
Perform a business impact assessment and application criticality assessment CMA_0386 - Perform a business impact assessment and application criticality assessment Manual, Disabled 1.1.0

1637.12b2Organizational.2-12.b 12.01 Information Security Aspects of Business Continuity Management

ID: 1637.12b2Organizational.2-12.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Conduct Risk Assessment CMA_C1543 - Conduct Risk Assessment Manual, Disabled 1.1.0
Conduct risk assessment and distribute its results CMA_C1544 - Conduct risk assessment and distribute its results Manual, Disabled 1.1.0
Conduct risk assessment and document its results CMA_C1542 - Conduct risk assessment and document its results Manual, Disabled 1.1.0
Develop contingency plan CMA_C1244 - Develop contingency plan Manual, Disabled 1.1.0
Perform a risk assessment CMA_0388 - Perform a risk assessment Manual, Disabled 1.1.0
Plan for resumption of essential business functions CMA_C1253 - Plan for resumption of essential business functions Manual, Disabled 1.1.0
Update contingency plan CMA_C1248 - Update contingency plan Manual, Disabled 1.1.0
Windows machines should meet requirements for 'Security Options - Recovery console' Windows machines should have the specified Group Policy settings in the category 'Security Options - Recovery console' for allowing floppy copy and access to all drives and folders. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0

1638.12b2Organizational.345-12.b 12.01 Information Security Aspects of Business Continuity Management

ID: 1638.12b2Organizational.345-12.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit virtual machines without disaster recovery configured Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit https://aka.ms/asr-doc. auditIfNotExists 1.0.0
Conduct capacity planning CMA_C1252 - Conduct capacity planning Manual, Disabled 1.1.0
Develop contingency plan CMA_C1244 - Develop contingency plan Manual, Disabled 1.1.0
Perform a risk assessment CMA_0388 - Perform a risk assessment Manual, Disabled 1.1.0
Plan for resumption of essential business functions CMA_C1253 - Plan for resumption of essential business functions Manual, Disabled 1.1.0

1666.12d1Organizational.1235-12.d 12.01 Information Security Aspects of Business Continuity Management

ID: 1666.12d1Organizational.1235-12.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Communicate contingency plan changes CMA_C1249 - Communicate contingency plan changes Manual, Disabled 1.1.0
Coordinate contingency plans with related plans CMA_0086 - Coordinate contingency plans with related plans Manual, Disabled 1.1.0
Develop contingency plan CMA_C1244 - Develop contingency plan Manual, Disabled 1.1.0
Plan for resumption of essential business functions CMA_C1253 - Plan for resumption of essential business functions Manual, Disabled 1.1.0

1667.12d1Organizational.4-12.d 12.01 Information Security Aspects of Business Continuity Management

ID: 1667.12d1Organizational.4-12.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Communicate contingency plan changes CMA_C1249 - Communicate contingency plan changes Manual, Disabled 1.1.0
Coordinate contingency plans with related plans CMA_0086 - Coordinate contingency plans with related plans Manual, Disabled 1.1.0
Develop and document a business continuity and disaster recovery plan CMA_0146 - Develop and document a business continuity and disaster recovery plan Manual, Disabled 1.1.0
Update contingency plan CMA_C1248 - Update contingency plan Manual, Disabled 1.1.0

1668.12d1Organizational.67-12.d 12.01 Information Security Aspects of Business Continuity Management

ID: 1668.12d1Organizational.67-12.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop contingency plan CMA_C1244 - Develop contingency plan Manual, Disabled 1.1.0
Establish alternate storage site to store and retrieve backup information CMA_C1267 - Establish alternate storage site to store and retrieve backup information Manual, Disabled 1.1.0
Establish an alternate processing site CMA_0262 - Establish an alternate processing site Manual, Disabled 1.1.0
Review and update contingency planning policies and procedures CMA_C1243 - Review and update contingency planning policies and procedures Manual, Disabled 1.1.0

1669.12d1Organizational.8-12.d 12.01 Information Security Aspects of Business Continuity Management

ID: 1669.12d1Organizational.8-12.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop contingency plan CMA_C1244 - Develop contingency plan Manual, Disabled 1.1.0
Perform a business impact assessment and application criticality assessment CMA_0386 - Perform a business impact assessment and application criticality assessment Manual, Disabled 1.1.0
Plan for resumption of essential business functions CMA_C1253 - Plan for resumption of essential business functions Manual, Disabled 1.1.0
Provide contingency training CMA_0412 - Provide contingency training Manual, Disabled 1.1.0
Test the business continuity and disaster recovery plan CMA_0509 - Test the business continuity and disaster recovery plan Manual, Disabled 1.1.0
Update contingency plan CMA_C1248 - Update contingency plan Manual, Disabled 1.1.0

1670.12d2Organizational.1-12.d 12.01 Information Security Aspects of Business Continuity Management

ID: 1670.12d2Organizational.1-12.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop contingency plan CMA_C1244 - Develop contingency plan Manual, Disabled 1.1.0

1671.12d2Organizational.2-12.d 12.01 Information Security Aspects of Business Continuity Management

ID: 1671.12d2Organizational.2-12.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Communicate contingency plan changes CMA_C1249 - Communicate contingency plan changes Manual, Disabled 1.1.0
Review contingency plan CMA_C1247 - Review contingency plan Manual, Disabled 1.1.0
Update contingency plan CMA_C1248 - Update contingency plan Manual, Disabled 1.1.0

1672.12d2Organizational.3-12.d 12.01 Information Security Aspects of Business Continuity Management

ID: 1672.12d2Organizational.3-12.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Communicate contingency plan changes CMA_C1249 - Communicate contingency plan changes Manual, Disabled 1.1.0
Coordinate contingency plans with related plans CMA_0086 - Coordinate contingency plans with related plans Manual, Disabled 1.1.0
Develop contingency plan CMA_C1244 - Develop contingency plan Manual, Disabled 1.1.0
Review and update contingency planning policies and procedures CMA_C1243 - Review and update contingency planning policies and procedures Manual, Disabled 1.1.0
Update contingency plan CMA_C1248 - Update contingency plan Manual, Disabled 1.1.0

17 Risk Management

1704.03b1Organizational.12-03.b 03.01 Risk Management Program

ID: 1704.03b1Organizational.12-03.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Conduct Risk Assessment CMA_C1543 - Conduct Risk Assessment Manual, Disabled 1.1.0
Perform a risk assessment CMA_0388 - Perform a risk assessment Manual, Disabled 1.1.0

1705.03b2Organizational.12-03.b 03.01 Risk Management Program

ID: 1705.03b2Organizational.12-03.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Conduct Risk Assessment CMA_C1543 - Conduct Risk Assessment Manual, Disabled 1.1.0
Conduct risk assessment and distribute its results CMA_C1544 - Conduct risk assessment and distribute its results Manual, Disabled 1.1.0

1707.03c1Organizational.12-03.c 03.01 Risk Management Program

ID: 1707.03c1Organizational.12-03.c Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop POA&M CMA_C1156 - Develop POA&M Manual, Disabled 1.1.0

1708.03c2Organizational.12-03.c 03.01 Risk Management Program

ID: 1708.03c2Organizational.12-03.c Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop POA&M CMA_C1156 - Develop POA&M Manual, Disabled 1.1.0
Update POA&M items CMA_C1157 - Update POA&M items Manual, Disabled 1.1.0

17100.10a3Organizational.5 10.01 Security Requirements of Information Systems

ID: 17100.10a3Organizational.5 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Document acquisition contract acceptance criteria CMA_0187 - Document acquisition contract acceptance criteria Manual, Disabled 1.1.0
Document protection of personal data in acquisition contracts CMA_0194 - Document protection of personal data in acquisition contracts Manual, Disabled 1.1.0
Document protection of security information in acquisition contracts CMA_0195 - Document protection of security information in acquisition contracts Manual, Disabled 1.1.0
Document requirements for the use of shared data in contracts CMA_0197 - Document requirements for the use of shared data in contracts Manual, Disabled 1.1.0
Document security assurance requirements in acquisition contracts CMA_0199 - Document security assurance requirements in acquisition contracts Manual, Disabled 1.1.0
Document security documentation requirements in acquisition contract CMA_0200 - Document security documentation requirements in acquisition contract Manual, Disabled 1.1.0
Document security functional requirements in acquisition contracts CMA_0201 - Document security functional requirements in acquisition contracts Manual, Disabled 1.1.0
Document the protection of cardholder data in third party contracts CMA_0207 - Document the protection of cardholder data in third party contracts Manual, Disabled 1.1.0

17101.10a3Organizational.6-10.a 10.01 Security Requirements of Information Systems

ID: 17101.10a3Organizational.6-10.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Address coding vulnerabilities CMA_0003 - Address coding vulnerabilities Manual, Disabled 1.1.0
Develop and document application security requirements CMA_0148 - Develop and document application security requirements Manual, Disabled 1.1.0
Establish a secure software development program CMA_0259 - Establish a secure software development program Manual, Disabled 1.1.0
Obtain design and implementation information for the security controls CMA_C1576 - Obtain design and implementation information for the security controls Manual, Disabled 1.1.1
Obtain functional properties of security controls CMA_C1575 - Obtain functional properties of security controls Manual, Disabled 1.1.0
Require developers to implement only approved changes CMA_C1596 - Require developers to implement only approved changes Manual, Disabled 1.1.0
Require developers to manage change integrity CMA_C1595 - Require developers to manage change integrity Manual, Disabled 1.1.0

17120.10a3Organizational.5-10.a 10.01 Security Requirements of Information Systems

ID: 17120.10a3Organizational.5-10.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Assess risk in third party relationships CMA_0014 - Assess risk in third party relationships Manual, Disabled 1.1.0
Document acquisition contract acceptance criteria CMA_0187 - Document acquisition contract acceptance criteria Manual, Disabled 1.1.0
Document protection of personal data in acquisition contracts CMA_0194 - Document protection of personal data in acquisition contracts Manual, Disabled 1.1.0
Document protection of security information in acquisition contracts CMA_0195 - Document protection of security information in acquisition contracts Manual, Disabled 1.1.0
Document requirements for the use of shared data in contracts CMA_0197 - Document requirements for the use of shared data in contracts Manual, Disabled 1.1.0
Document security assurance requirements in acquisition contracts CMA_0199 - Document security assurance requirements in acquisition contracts Manual, Disabled 1.1.0
Document security documentation requirements in acquisition contract CMA_0200 - Document security documentation requirements in acquisition contract Manual, Disabled 1.1.0
Document security functional requirements in acquisition contracts CMA_0201 - Document security functional requirements in acquisition contracts Manual, Disabled 1.1.0
Document the protection of cardholder data in third party contracts CMA_0207 - Document the protection of cardholder data in third party contracts Manual, Disabled 1.1.0
Obtain approvals for acquisitions and outsourcing CMA_C1590 - Obtain approvals for acquisitions and outsourcing Manual, Disabled 1.1.0

17126.03c1System.6-03.c 03.01 Risk Management Program

ID: 17126.03c1System.6-03.c Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Conduct risk assessment and document its results CMA_C1542 - Conduct risk assessment and document its results Manual, Disabled 1.1.0
Establish a risk management strategy CMA_0258 - Establish a risk management strategy Manual, Disabled 1.1.0
Implement the risk management strategy CMA_C1744 - Implement the risk management strategy Manual, Disabled 1.1.0

1713.03c1Organizational.3-03.c 03.01 Risk Management Program

ID: 1713.03c1Organizational.3-03.c Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define the duties of processors CMA_0127 - Define the duties of processors Manual, Disabled 1.1.0
Document the legal basis for processing personal information CMA_0206 - Document the legal basis for processing personal information Manual, Disabled 1.1.0
Evaluate and review PII holdings regularly CMA_C1832 - Evaluate and review PII holdings regularly Manual, Disabled 1.1.0
Issue guidelines for ensuring data quality and integrity CMA_C1824 - Issue guidelines for ensuring data quality and integrity Manual, Disabled 1.1.0
Obtain consent prior to collection or processing of personal data CMA_0385 - Obtain consent prior to collection or processing of personal data Manual, Disabled 1.1.0
Perform disposition review CMA_0391 - Perform disposition review Manual, Disabled 1.1.0
Record disclosures of PII to third parties CMA_0422 - Record disclosures of PII to third parties Manual, Disabled 1.1.0
Train staff on PII sharing and its consequences CMA_C1871 - Train staff on PII sharing and its consequences Manual, Disabled 1.1.0
Verify personal data is deleted at the end of processing CMA_0540 - Verify personal data is deleted at the end of processing Manual, Disabled 1.1.0

1733.03d1Organizational.1-03.d 03.01 Risk Management Program

ID: 1733.03d1Organizational.1-03.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Conduct Risk Assessment CMA_C1543 - Conduct Risk Assessment Manual, Disabled 1.1.0
Conduct risk assessment and document its results CMA_C1542 - Conduct risk assessment and document its results Manual, Disabled 1.1.0
Establish a risk management strategy CMA_0258 - Establish a risk management strategy Manual, Disabled 1.1.0

1734.03d2Organizational.1-03.d 03.01 Risk Management Program

ID: 1734.03d2Organizational.1-03.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Conduct a security impact analysis CMA_0057 - Conduct a security impact analysis Manual, Disabled 1.1.0
Develop and maintain a vulnerability management standard CMA_0152 - Develop and maintain a vulnerability management standard Manual, Disabled 1.1.0
Establish a risk management strategy CMA_0258 - Establish a risk management strategy Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Establish configuration management requirements for developers CMA_0270 - Establish configuration management requirements for developers Manual, Disabled 1.1.0
Integrate risk management process into SDLC CMA_C1567 - Integrate risk management process into SDLC Manual, Disabled 1.1.0
Perform a privacy impact assessment CMA_0387 - Perform a privacy impact assessment Manual, Disabled 1.1.0
Perform audit for configuration change control CMA_0390 - Perform audit for configuration change control Manual, Disabled 1.1.0

1735.03d2Organizational.23-03.d 03.01 Risk Management Program

ID: 1735.03d2Organizational.23-03.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Conduct a security impact analysis CMA_0057 - Conduct a security impact analysis Manual, Disabled 1.1.0
Conduct risk assessment and distribute its results CMA_C1544 - Conduct risk assessment and distribute its results Manual, Disabled 1.1.0
Develop and maintain a vulnerability management standard CMA_0152 - Develop and maintain a vulnerability management standard Manual, Disabled 1.1.0
Establish a risk management strategy CMA_0258 - Establish a risk management strategy Manual, Disabled 1.1.0
Establish configuration management requirements for developers CMA_0270 - Establish configuration management requirements for developers Manual, Disabled 1.1.0
Integrate risk management process into SDLC CMA_C1567 - Integrate risk management process into SDLC Manual, Disabled 1.1.0
Perform a privacy impact assessment CMA_0387 - Perform a privacy impact assessment Manual, Disabled 1.1.0
Perform audit for configuration change control CMA_0390 - Perform audit for configuration change control Manual, Disabled 1.1.0

1736.03d2Organizational.4-03.d 03.01 Risk Management Program

ID: 1736.03d2Organizational.4-03.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Conduct risk assessment and document its results CMA_C1542 - Conduct risk assessment and document its results Manual, Disabled 1.1.0

1737.03d2Organizational.5-03.d 03.01 Risk Management Program

ID: 1737.03d2Organizational.5-03.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Conduct Risk Assessment CMA_C1543 - Conduct Risk Assessment Manual, Disabled 1.1.0
Conduct risk assessment and distribute its results CMA_C1544 - Conduct risk assessment and distribute its results Manual, Disabled 1.1.0
Conduct risk assessment and document its results CMA_C1542 - Conduct risk assessment and document its results Manual, Disabled 1.1.0
Establish a risk management strategy CMA_0258 - Establish a risk management strategy Manual, Disabled 1.1.0

1780.10a1Organizational.1-10.a 10.01 Security Requirements of Information Systems

ID: 1780.10a1Organizational.1-10.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define information security roles and responsibilities CMA_C1565 - Define information security roles and responsibilities Manual, Disabled 1.1.0
Develop access control policies and procedures CMA_0144 - Develop access control policies and procedures Manual, Disabled 1.1.0
Govern policies and procedures CMA_0292 - Govern policies and procedures Manual, Disabled 1.1.0

1781.10a1Organizational.23-10.a 10.01 Security Requirements of Information Systems

ID: 1781.10a1Organizational.23-10.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define information security roles and responsibilities CMA_C1565 - Define information security roles and responsibilities Manual, Disabled 1.1.0
Develop a concept of operations (CONOPS) CMA_0141 - Develop a concept of operations (CONOPS) Manual, Disabled 1.1.0
Develop SSP that meets criteria CMA_C1492 - Develop SSP that meets criteria Manual, Disabled 1.1.0
Integrate risk management process into SDLC CMA_C1567 - Integrate risk management process into SDLC Manual, Disabled 1.1.0

1782.10a1Organizational.4-10.a 10.01 Security Requirements of Information Systems

ID: 1782.10a1Organizational.4-10.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop and establish a system security plan CMA_0151 - Develop and establish a system security plan Manual, Disabled 1.1.0
Develop information security policies and procedures CMA_0158 - Develop information security policies and procedures Manual, Disabled 1.1.0
Develop SSP that meets criteria CMA_C1492 - Develop SSP that meets criteria Manual, Disabled 1.1.0
Establish a privacy program CMA_0257 - Establish a privacy program Manual, Disabled 1.1.0
Establish security requirements for the manufacturing of connected devices CMA_0279 - Establish security requirements for the manufacturing of connected devices Manual, Disabled 1.1.0
Implement security engineering principles of information systems CMA_0325 - Implement security engineering principles of information systems Manual, Disabled 1.1.0

1783.10a1Organizational.56-10.a 10.01 Security Requirements of Information Systems

ID: 1783.10a1Organizational.56-10.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Document acquisition contract acceptance criteria CMA_0187 - Document acquisition contract acceptance criteria Manual, Disabled 1.1.0
Document protection of personal data in acquisition contracts CMA_0194 - Document protection of personal data in acquisition contracts Manual, Disabled 1.1.0
Document protection of security information in acquisition contracts CMA_0195 - Document protection of security information in acquisition contracts Manual, Disabled 1.1.0
Document requirements for the use of shared data in contracts CMA_0197 - Document requirements for the use of shared data in contracts Manual, Disabled 1.1.0
Document security assurance requirements in acquisition contracts CMA_0199 - Document security assurance requirements in acquisition contracts Manual, Disabled 1.1.0
Document security documentation requirements in acquisition contract CMA_0200 - Document security documentation requirements in acquisition contract Manual, Disabled 1.1.0
Document security functional requirements in acquisition contracts CMA_0201 - Document security functional requirements in acquisition contracts Manual, Disabled 1.1.0
Document the protection of cardholder data in third party contracts CMA_0207 - Document the protection of cardholder data in third party contracts Manual, Disabled 1.1.0

1784.10a1Organizational.7-10.a 10.01 Security Requirements of Information Systems

ID: 1784.10a1Organizational.7-10.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Employ FIPS 201-approved technology for PIV CMA_C1579 - Employ FIPS 201-approved technology for PIV Manual, Disabled 1.1.0

1785.10a1Organizational.8-10.a 10.01 Security Requirements of Information Systems

ID: 1785.10a1Organizational.8-10.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authorize remote access CMA_0024 - Authorize remote access Manual, Disabled 1.1.0
Create alternative actions for identified anomalies CMA_C1711 - Create alternative actions for identified anomalies Manual, Disabled 1.1.0
Require developers to describe accurate security functionality CMA_C1613 - Require developers to describe accurate security functionality Manual, Disabled 1.1.0
Separate user and information system management functionality CMA_0493 - Separate user and information system management functionality Manual, Disabled 1.1.0
Use dedicated machines for administrative tasks CMA_0527 - Use dedicated machines for administrative tasks Manual, Disabled 1.1.0

1786.10a1Organizational.9-10.a 10.01 Security Requirements of Information Systems

ID: 1786.10a1Organizational.9-10.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define information security roles and responsibilities CMA_C1565 - Define information security roles and responsibilities Manual, Disabled 1.1.0
Identify external service providers CMA_C1591 - Identify external service providers Manual, Disabled 1.1.0
Identify individuals with security roles and responsibilities CMA_C1566 - Identify individuals with security roles and responsibilities Manual, Disabled 1.1.1
Require developer to identify SDLC ports, protocols, and services CMA_C1578 - Require developer to identify SDLC ports, protocols, and services Manual, Disabled 1.1.0

1787.10a2Organizational.1-10.a 10.01 Security Requirements of Information Systems

ID: 1787.10a2Organizational.1-10.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Automate privacy controls CMA_C1817 - Automate privacy controls Manual, Disabled 1.1.0
Define information security roles and responsibilities CMA_C1565 - Define information security roles and responsibilities Manual, Disabled 1.1.0
Establish a privacy program CMA_0257 - Establish a privacy program Manual, Disabled 1.1.0
Information security and personal data protection CMA_0332 - Information security and personal data protection Manual, Disabled 1.1.0
Perform a privacy impact assessment CMA_0387 - Perform a privacy impact assessment Manual, Disabled 1.1.0

1788.10a2Organizational.2-10.a 10.01 Security Requirements of Information Systems

ID: 1788.10a2Organizational.2-10.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Address coding vulnerabilities CMA_0003 - Address coding vulnerabilities Manual, Disabled 1.1.0
Conduct a security impact analysis CMA_0057 - Conduct a security impact analysis Manual, Disabled 1.1.0
Develop and document application security requirements CMA_0148 - Develop and document application security requirements Manual, Disabled 1.1.0
Develop and maintain a vulnerability management standard CMA_0152 - Develop and maintain a vulnerability management standard Manual, Disabled 1.1.0
Establish a secure software development program CMA_0259 - Establish a secure software development program Manual, Disabled 1.1.0
Perform a privacy impact assessment CMA_0387 - Perform a privacy impact assessment Manual, Disabled 1.1.0
Require developers to document approved changes and potential impact CMA_C1597 - Require developers to document approved changes and potential impact Manual, Disabled 1.1.0
Require developers to implement only approved changes CMA_C1596 - Require developers to implement only approved changes Manual, Disabled 1.1.0
Require developers to manage change integrity CMA_C1595 - Require developers to manage change integrity Manual, Disabled 1.1.0

1789.10a2Organizational.3-10.a 10.01 Security Requirements of Information Systems

ID: 1789.10a2Organizational.3-10.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define information security roles and responsibilities CMA_C1565 - Define information security roles and responsibilities Manual, Disabled 1.1.0
Develop a concept of operations (CONOPS) CMA_0141 - Develop a concept of operations (CONOPS) Manual, Disabled 1.1.0
Identify individuals with security roles and responsibilities CMA_C1566 - Identify individuals with security roles and responsibilities Manual, Disabled 1.1.1
Integrate risk management process into SDLC CMA_C1567 - Integrate risk management process into SDLC Manual, Disabled 1.1.0

1790.10a2Organizational.45-10.a 10.01 Security Requirements of Information Systems

ID: 1790.10a2Organizational.45-10.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define information security roles and responsibilities CMA_C1565 - Define information security roles and responsibilities Manual, Disabled 1.1.0
Develop a concept of operations (CONOPS) CMA_0141 - Develop a concept of operations (CONOPS) Manual, Disabled 1.1.0
Develop SSP that meets criteria CMA_C1492 - Develop SSP that meets criteria Manual, Disabled 1.1.0
Integrate risk management process into SDLC CMA_C1567 - Integrate risk management process into SDLC Manual, Disabled 1.1.0
Review and update the information security architecture CMA_C1504 - Review and update the information security architecture Manual, Disabled 1.1.0
Review development process, standards and tools CMA_C1610 - Review development process, standards and tools Manual, Disabled 1.1.0

1791.10a2Organizational.6-10.a 10.01 Security Requirements of Information Systems

ID: 1791.10a2Organizational.6-10.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Automate flaw remediation CMA_0027 - Automate flaw remediation Manual, Disabled 1.1.0
Enforce security configuration settings CMA_0249 - Enforce security configuration settings Manual, Disabled 1.1.0
Govern compliance of cloud service providers CMA_0290 - Govern compliance of cloud service providers Manual, Disabled 1.1.0
Integrate risk management process into SDLC CMA_C1567 - Integrate risk management process into SDLC Manual, Disabled 1.1.0
View and configure system diagnostic data CMA_0544 - View and configure system diagnostic data Manual, Disabled 1.1.0

1792.10a2Organizational.7814-10.a 10.01 Security Requirements of Information Systems

ID: 1792.10a2Organizational.7814-10.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define information security roles and responsibilities CMA_C1565 - Define information security roles and responsibilities Manual, Disabled 1.1.0
Identify individuals with security roles and responsibilities CMA_C1566 - Identify individuals with security roles and responsibilities Manual, Disabled 1.1.1
Implement the risk management strategy CMA_C1744 - Implement the risk management strategy Manual, Disabled 1.1.0
Integrate risk management process into SDLC CMA_C1567 - Integrate risk management process into SDLC Manual, Disabled 1.1.0

1793.10a2Organizational.91011-10.a 10.01 Security Requirements of Information Systems

ID: 1793.10a2Organizational.91011-10.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop and establish a system security plan CMA_0151 - Develop and establish a system security plan Manual, Disabled 1.1.0
Develop information security policies and procedures CMA_0158 - Develop information security policies and procedures Manual, Disabled 1.1.0
Develop SSP that meets criteria CMA_C1492 - Develop SSP that meets criteria Manual, Disabled 1.1.0
Establish a privacy program CMA_0257 - Establish a privacy program Manual, Disabled 1.1.0
Establish security requirements for the manufacturing of connected devices CMA_0279 - Establish security requirements for the manufacturing of connected devices Manual, Disabled 1.1.0
Implement security engineering principles of information systems CMA_0325 - Implement security engineering principles of information systems Manual, Disabled 1.1.0

1794.10a2Organizational.12-10.a 10.01 Security Requirements of Information Systems

ID: 1794.10a2Organizational.12-10.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Require developers to produce evidence of security assessment plan execution CMA_C1602 - Require developers to produce evidence of security assessment plan execution Manual, Disabled 1.1.0

1795.10a2Organizational.13-10.a 10.01 Security Requirements of Information Systems

ID: 1795.10a2Organizational.13-10.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Address coding vulnerabilities CMA_0003 - Address coding vulnerabilities Manual, Disabled 1.1.0
Develop and document application security requirements CMA_0148 - Develop and document application security requirements Manual, Disabled 1.1.0
Establish a secure software development program CMA_0259 - Establish a secure software development program Manual, Disabled 1.1.0
Require developers to document approved changes and potential impact CMA_C1597 - Require developers to document approved changes and potential impact Manual, Disabled 1.1.0
Require developers to produce evidence of security assessment plan execution CMA_C1602 - Require developers to produce evidence of security assessment plan execution Manual, Disabled 1.1.0

1796.10a2Organizational.15-10.a 10.01 Security Requirements of Information Systems

ID: 1796.10a2Organizational.15-10.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Accept assessment results CMA_C1150 - Accept assessment results Manual, Disabled 1.1.0
Assess Security Controls CMA_C1145 - Assess Security Controls Manual, Disabled 1.1.0
Deliver security assessment results CMA_C1147 - Deliver security assessment results Manual, Disabled 1.1.0
Develop security assessment plan CMA_C1144 - Develop security assessment plan Manual, Disabled 1.1.0
Employ independent assessors to conduct security control assessments CMA_C1148 - Employ independent assessors to conduct security control assessments Manual, Disabled 1.1.0
Produce Security Assessment report CMA_C1146 - Produce Security Assessment report Manual, Disabled 1.1.0

1797.10a3Organizational.1-10.a 10.01 Security Requirements of Information Systems

ID: 1797.10a3Organizational.1-10.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop a concept of operations (CONOPS) CMA_0141 - Develop a concept of operations (CONOPS) Manual, Disabled 1.1.0
Develop an enterprise architecture CMA_C1741 - Develop an enterprise architecture Manual, Disabled 1.1.0
Require developers to build security architecture CMA_C1612 - Require developers to build security architecture Manual, Disabled 1.1.0
Require developers to describe accurate security functionality CMA_C1613 - Require developers to describe accurate security functionality Manual, Disabled 1.1.0
Require developers to provide unified security protection approach CMA_C1614 - Require developers to provide unified security protection approach Manual, Disabled 1.1.0

1798.10a3Organizational.2-10.a 10.01 Security Requirements of Information Systems

ID: 1798.10a3Organizational.2-10.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop a concept of operations (CONOPS) CMA_0141 - Develop a concept of operations (CONOPS) Manual, Disabled 1.1.0
Develop an enterprise architecture CMA_C1741 - Develop an enterprise architecture Manual, Disabled 1.1.0
Require developers to build security architecture CMA_C1612 - Require developers to build security architecture Manual, Disabled 1.1.0
Review and update the information security architecture CMA_C1504 - Review and update the information security architecture Manual, Disabled 1.1.0

1799.10a3Organizational.34-10.a 10.01 Security Requirements of Information Systems

ID: 1799.10a3Organizational.34-10.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop a concept of operations (CONOPS) CMA_0141 - Develop a concept of operations (CONOPS) Manual, Disabled 1.1.0
Develop an enterprise architecture CMA_C1741 - Develop an enterprise architecture Manual, Disabled 1.1.0
Require developers to build security architecture CMA_C1612 - Require developers to build security architecture Manual, Disabled 1.1.0
Require developers to describe accurate security functionality CMA_C1613 - Require developers to describe accurate security functionality Manual, Disabled 1.1.0
Require developers to provide unified security protection approach CMA_C1614 - Require developers to provide unified security protection approach Manual, Disabled 1.1.0
Review and update the information security architecture CMA_C1504 - Review and update the information security architecture Manual, Disabled 1.1.0

18 Physical & Environmental Security

1801.08b1Organizational.124-08.b 08.01 Secure Areas

ID: 1801.08b1Organizational.124-08.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control physical access CMA_0081 - Control physical access Manual, Disabled 1.1.0
Implement physical security for offices, working areas, and secure areas CMA_0323 - Implement physical security for offices, working areas, and secure areas Manual, Disabled 1.1.0
Monitor third-party provider compliance CMA_C1533 - Monitor third-party provider compliance Manual, Disabled 1.1.0

1802.08b1Organizational.3-08.b 08.01 Secure Areas

ID: 1802.08b1Organizational.3-08.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control physical access CMA_0081 - Control physical access Manual, Disabled 1.1.0

1803.08b1Organizational.5-08.b 08.01 Secure Areas

ID: 1803.08b1Organizational.5-08.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Automate remote maintenance activities CMA_C1402 - Automate remote maintenance activities Manual, Disabled 1.1.0
Control maintenance and repair activities CMA_0080 - Control maintenance and repair activities Manual, Disabled 1.1.0
Produce complete records of remote maintenance activities CMA_C1403 - Produce complete records of remote maintenance activities Manual, Disabled 1.1.0

1804.08b2Organizational.12-08.b 08.01 Secure Areas

ID: 1804.08b2Organizational.12-08.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control physical access CMA_0081 - Control physical access Manual, Disabled 1.1.0
Implement physical security for offices, working areas, and secure areas CMA_0323 - Implement physical security for offices, working areas, and secure areas Manual, Disabled 1.1.0

1805.08b2Organizational.3-08.b 08.01 Secure Areas

ID: 1805.08b2Organizational.3-08.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control physical access CMA_0081 - Control physical access Manual, Disabled 1.1.0

1806.08b2Organizational.4-08.b 08.01 Secure Areas

ID: 1806.08b2Organizational.4-08.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control physical access CMA_0081 - Control physical access Manual, Disabled 1.1.0

1807.08b2Organizational.56-08.b 08.01 Secure Areas

ID: 1807.08b2Organizational.56-08.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control physical access CMA_0081 - Control physical access Manual, Disabled 1.1.0

1808.08b2Organizational.7-08.b 08.01 Secure Areas

ID: 1808.08b2Organizational.7-08.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit user account status CMA_0020 - Audit user account status Manual, Disabled 1.1.0
Control physical access CMA_0081 - Control physical access Manual, Disabled 1.1.0
Define a physical key management process CMA_0115 - Define a physical key management process Manual, Disabled 1.1.0
Implement physical security for offices, working areas, and secure areas CMA_0323 - Implement physical security for offices, working areas, and secure areas Manual, Disabled 1.1.0
Review account provisioning logs CMA_0460 - Review account provisioning logs Manual, Disabled 1.1.0
Review user accounts CMA_0480 - Review user accounts Manual, Disabled 1.1.0
Separate duties of individuals CMA_0492 - Separate duties of individuals Manual, Disabled 1.1.0

1810.08b3Organizational.2-08.b 08.01 Secure Areas

ID: 1810.08b3Organizational.2-08.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control physical access CMA_0081 - Control physical access Manual, Disabled 1.1.0

18108.08j1Organizational.1-08.j 08.02 Equipment Security

ID: 18108.08j1Organizational.1-08.j Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Review and update media protection policies and procedures CMA_C1427 - Review and update media protection policies and procedures Manual, Disabled 1.1.0
Review and update system maintenance policies and procedures CMA_C1395 - Review and update system maintenance policies and procedures Manual, Disabled 1.1.0

18109.08j1Organizational.4-08.j 08.02 Equipment Security

ID: 18109.08j1Organizational.4-08.j Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Designate personnel to supervise unauthorized maintenance activities CMA_C1422 - Designate personnel to supervise unauthorized maintenance activities Manual, Disabled 1.1.0
Employ a media sanitization mechanism CMA_0208 - Employ a media sanitization mechanism Manual, Disabled 1.1.0
Maintain list of authorized remote maintenance personnel CMA_C1420 - Maintain list of authorized remote maintenance personnel Manual, Disabled 1.1.0
Manage maintenance personnel CMA_C1421 - Manage maintenance personnel Manual, Disabled 1.1.0

1811.08b3Organizational.3-08.b 08.01 Secure Areas

ID: 1811.08b3Organizational.3-08.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control physical access CMA_0081 - Control physical access Manual, Disabled 1.1.0
Define a physical key management process CMA_0115 - Define a physical key management process Manual, Disabled 1.1.0
Establish and maintain an asset inventory CMA_0266 - Establish and maintain an asset inventory Manual, Disabled 1.1.0
Implement physical security for offices, working areas, and secure areas CMA_0323 - Implement physical security for offices, working areas, and secure areas Manual, Disabled 1.1.0

18110.08j1Organizational.5-08.j 08.02 Equipment Security

ID: 18110.08j1Organizational.5-08.j Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control maintenance and repair activities CMA_0080 - Control maintenance and repair activities Manual, Disabled 1.1.0
Implement cryptographic mechanisms CMA_C1419 - Implement cryptographic mechanisms Manual, Disabled 1.1.0
Manage nonlocal maintenance and diagnostic activities CMA_0364 - Manage nonlocal maintenance and diagnostic activities Manual, Disabled 1.1.0
Perform all non-local maintenance CMA_C1417 - Perform all non-local maintenance Manual, Disabled 1.1.0

18111.08j1Organizational.6-08.j 08.02 Equipment Security

ID: 18111.08j1Organizational.6-08.j Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Provide timely maintenance support CMA_C1425 - Provide timely maintenance support Manual, Disabled 1.1.0

18112.08j3Organizational.4-08.j 08.02 Equipment Security

ID: 18112.08j3Organizational.4-08.j Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Manage nonlocal maintenance and diagnostic activities CMA_0364 - Manage nonlocal maintenance and diagnostic activities Manual, Disabled 1.1.0
Review and update information integrity policies and procedures CMA_C1667 - Review and update information integrity policies and procedures Manual, Disabled 1.1.0
Review and update system maintenance policies and procedures CMA_C1395 - Review and update system maintenance policies and procedures Manual, Disabled 1.1.0

1812.08b3Organizational.46-08.b 08.01 Secure Areas

ID: 1812.08b3Organizational.46-08.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Document wireless access security controls CMA_C1695 - Document wireless access security controls Manual, Disabled 1.1.0
Install an alarm system CMA_0338 - Install an alarm system Manual, Disabled 1.1.0
Manage a secure surveillance camera system CMA_0354 - Manage a secure surveillance camera system Manual, Disabled 1.1.0

18127.08l1Organizational.3-08.l 08.02 Equipment Security

ID: 18127.08l1Organizational.3-08.l Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Employ a media sanitization mechanism CMA_0208 - Employ a media sanitization mechanism Manual, Disabled 1.1.0

1813.08b3Organizational.56-08.b 08.01 Secure Areas

ID: 1813.08b3Organizational.56-08.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control physical access CMA_0081 - Control physical access Manual, Disabled 1.1.0
Implement physical security for offices, working areas, and secure areas CMA_0323 - Implement physical security for offices, working areas, and secure areas Manual, Disabled 1.1.0
Install an alarm system CMA_0338 - Install an alarm system Manual, Disabled 1.1.0
Manage a secure surveillance camera system CMA_0354 - Manage a secure surveillance camera system Manual, Disabled 1.1.0

18130.09p1Organizational.24-09.p 09.07 Media Handling

ID: 18130.09p1Organizational.24-09.p Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Employ a media sanitization mechanism CMA_0208 - Employ a media sanitization mechanism Manual, Disabled 1.1.0

1814.08d1Organizational.12-08.d 08.01 Secure Areas

ID: 1814.08d1Organizational.12-08.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Implement a penetration testing methodology CMA_0306 - Implement a penetration testing methodology Manual, Disabled 1.1.0
Implement physical security for offices, working areas, and secure areas CMA_0323 - Implement physical security for offices, working areas, and secure areas Manual, Disabled 1.1.0
Run simulation attacks CMA_0486 - Run simulation attacks Manual, Disabled 1.1.0

18145.08b3Organizational.7-08.b 08.01 Secure Areas

ID: 18145.08b3Organizational.7-08.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Install an alarm system CMA_0338 - Install an alarm system Manual, Disabled 1.1.0
Manage a secure surveillance camera system CMA_0354 - Manage a secure surveillance camera system Manual, Disabled 1.1.0

18146.08b3Organizational.8-08.b 08.01 Secure Areas

ID: 18146.08b3Organizational.8-08.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control physical access CMA_0081 - Control physical access Manual, Disabled 1.1.0
Implement physical security for offices, working areas, and secure areas CMA_0323 - Implement physical security for offices, working areas, and secure areas Manual, Disabled 1.1.0
Install an alarm system CMA_0338 - Install an alarm system Manual, Disabled 1.1.0
Manage a secure surveillance camera system CMA_0354 - Manage a secure surveillance camera system Manual, Disabled 1.1.0

1815.08d2Organizational.123-08.d 08.01 Secure Areas

ID: 1815.08d2Organizational.123-08.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Implement a penetration testing methodology CMA_0306 - Implement a penetration testing methodology Manual, Disabled 1.1.0
Implement physical security for offices, working areas, and secure areas CMA_0323 - Implement physical security for offices, working areas, and secure areas Manual, Disabled 1.1.0
Run simulation attacks CMA_0486 - Run simulation attacks Manual, Disabled 1.1.0

1816.08d2Organizational.4-08.d 08.01 Secure Areas

ID: 1816.08d2Organizational.4-08.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Implement controls to secure alternate work sites CMA_0315 - Implement controls to secure alternate work sites Manual, Disabled 1.1.0
Install an alarm system CMA_0338 - Install an alarm system Manual, Disabled 1.1.0
Manage a secure surveillance camera system CMA_0354 - Manage a secure surveillance camera system Manual, Disabled 1.1.0
Manage the transportation of assets CMA_0370 - Manage the transportation of assets Manual, Disabled 1.1.0

1817.08d3Organizational.12-08.d 08.01 Secure Areas

ID: 1817.08d3Organizational.12-08.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Implement physical security for offices, working areas, and secure areas CMA_0323 - Implement physical security for offices, working areas, and secure areas Manual, Disabled 1.1.0

1818.08d3Organizational.3-08.d 08.01 Secure Areas

ID: 1818.08d3Organizational.3-08.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Implement a penetration testing methodology CMA_0306 - Implement a penetration testing methodology Manual, Disabled 1.1.0
Implement physical security for offices, working areas, and secure areas CMA_0323 - Implement physical security for offices, working areas, and secure areas Manual, Disabled 1.1.0
Run simulation attacks CMA_0486 - Run simulation attacks Manual, Disabled 1.1.0

1819.08j1Organizational.23-08.j 08.02 Equipment Security

ID: 1819.08j1Organizational.23-08.j Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Automate remote maintenance activities CMA_C1402 - Automate remote maintenance activities Manual, Disabled 1.1.0
Control maintenance and repair activities CMA_0080 - Control maintenance and repair activities Manual, Disabled 1.1.0
Designate personnel to supervise unauthorized maintenance activities CMA_C1422 - Designate personnel to supervise unauthorized maintenance activities Manual, Disabled 1.1.0
Maintain list of authorized remote maintenance personnel CMA_C1420 - Maintain list of authorized remote maintenance personnel Manual, Disabled 1.1.0
Manage maintenance personnel CMA_C1421 - Manage maintenance personnel Manual, Disabled 1.1.0
Manage nonlocal maintenance and diagnostic activities CMA_0364 - Manage nonlocal maintenance and diagnostic activities Manual, Disabled 1.1.0
Produce complete records of remote maintenance activities CMA_C1403 - Produce complete records of remote maintenance activities Manual, Disabled 1.1.0

1820.08j2Organizational.1-08.j 08.02 Equipment Security

ID: 1820.08j2Organizational.1-08.j Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control maintenance and repair activities CMA_0080 - Control maintenance and repair activities Manual, Disabled 1.1.0
Manage nonlocal maintenance and diagnostic activities CMA_0364 - Manage nonlocal maintenance and diagnostic activities Manual, Disabled 1.1.0

1821.08j2Organizational.3-08.j 08.02 Equipment Security

ID: 1821.08j2Organizational.3-08.j Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Automate remote maintenance activities CMA_C1402 - Automate remote maintenance activities Manual, Disabled 1.1.0
Control maintenance and repair activities CMA_0080 - Control maintenance and repair activities Manual, Disabled 1.1.0
Manage nonlocal maintenance and diagnostic activities CMA_0364 - Manage nonlocal maintenance and diagnostic activities Manual, Disabled 1.1.0
Produce complete records of remote maintenance activities CMA_C1403 - Produce complete records of remote maintenance activities Manual, Disabled 1.1.0

1822.08j2Organizational.2-08.j 08.02 Equipment Security

ID: 1822.08j2Organizational.2-08.j Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Automate remote maintenance activities CMA_C1402 - Automate remote maintenance activities Manual, Disabled 1.1.0
Control maintenance and repair activities CMA_0080 - Control maintenance and repair activities Manual, Disabled 1.1.0
Manage nonlocal maintenance and diagnostic activities CMA_0364 - Manage nonlocal maintenance and diagnostic activities Manual, Disabled 1.1.0
Produce complete records of remote maintenance activities CMA_C1403 - Produce complete records of remote maintenance activities Manual, Disabled 1.1.0

1823.08j3Organizational.12-08.j 08.02 Equipment Security

ID: 1823.08j3Organizational.12-08.j Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control maintenance and repair activities CMA_0080 - Control maintenance and repair activities Manual, Disabled 1.1.0
Manage nonlocal maintenance and diagnostic activities CMA_0364 - Manage nonlocal maintenance and diagnostic activities Manual, Disabled 1.1.0

1824.08j3Organizational.3-08.j 08.02 Equipment Security

ID: 1824.08j3Organizational.3-08.j Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control maintenance and repair activities CMA_0080 - Control maintenance and repair activities Manual, Disabled 1.1.0
Manage nonlocal maintenance and diagnostic activities CMA_0364 - Manage nonlocal maintenance and diagnostic activities Manual, Disabled 1.1.0

1826.09p1Organizational.1-09.p 09.07 Media Handling

ID: 1826.09p1Organizational.1-09.p Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adhere to retention periods defined CMA_0004 - Adhere to retention periods defined Manual, Disabled 1.1.0
Perform disposition review CMA_0391 - Perform disposition review Manual, Disabled 1.1.0
Verify personal data is deleted at the end of processing CMA_0540 - Verify personal data is deleted at the end of processing Manual, Disabled 1.1.0

1844.08b1Organizational.6-08.b 08.01 Secure Areas

ID: 1844.08b1Organizational.6-08.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control physical access CMA_0081 - Control physical access Manual, Disabled 1.1.0

1845.08b1Organizational.7-08.b 08.01 Secure Areas

ID: 1845.08b1Organizational.7-08.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control physical access CMA_0081 - Control physical access Manual, Disabled 1.1.0
Define a physical key management process CMA_0115 - Define a physical key management process Manual, Disabled 1.1.0
Establish and maintain an asset inventory CMA_0266 - Establish and maintain an asset inventory Manual, Disabled 1.1.0
Implement physical security for offices, working areas, and secure areas CMA_0323 - Implement physical security for offices, working areas, and secure areas Manual, Disabled 1.1.0

1846.08b2Organizational.8-08.b 08.01 Secure Areas

ID: 1846.08b2Organizational.8-08.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Implement physical security for offices, working areas, and secure areas CMA_0323 - Implement physical security for offices, working areas, and secure areas Manual, Disabled 1.1.0

1847.08b2Organizational.910-08.b 08.01 Secure Areas

ID: 1847.08b2Organizational.910-08.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define a physical key management process CMA_0115 - Define a physical key management process Manual, Disabled 1.1.0
Establish and maintain an asset inventory CMA_0266 - Establish and maintain an asset inventory Manual, Disabled 1.1.0

1848.08b2Organizational.11-08.b 08.01 Secure Areas

ID: 1848.08b2Organizational.11-08.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define a physical key management process CMA_0115 - Define a physical key management process Manual, Disabled 1.1.0

1862.08d1Organizational.3-08.d 08.01 Secure Areas

ID: 1862.08d1Organizational.3-08.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Implement a penetration testing methodology CMA_0306 - Implement a penetration testing methodology Manual, Disabled 1.1.0
Run simulation attacks CMA_0486 - Run simulation attacks Manual, Disabled 1.1.0

1862.08d3Organizational.3 08.01 Secure Areas

ID: 1862.08d3Organizational.3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Implement a penetration testing methodology CMA_0306 - Implement a penetration testing methodology Manual, Disabled 1.1.0
Review and update physical and environmental policies and procedures CMA_C1446 - Review and update physical and environmental policies and procedures Manual, Disabled 1.1.0

1892.01l1Organizational.1 01.04 Network Access Control

ID: 1892.01l1Organizational.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define a physical key management process CMA_0115 - Define a physical key management process Manual, Disabled 1.1.0
Establish and maintain an asset inventory CMA_0266 - Establish and maintain an asset inventory Manual, Disabled 1.1.0

19 Data Protection & Privacy

ID: 1901.06d1Organizational.1-06.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Appoint a senior information security officer CMA_C1733 - Appoint a senior information security officer Manual, Disabled 1.1.0
Establish a privacy program CMA_0257 - Establish a privacy program Manual, Disabled 1.1.0
Manage compliance activities CMA_0358 - Manage compliance activities Manual, Disabled 1.1.0

ID: 1902.06d1Organizational.2-06.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define the duties of processors CMA_0127 - Define the duties of processors Manual, Disabled 1.1.0
Document and distribute a privacy policy CMA_0188 - Document and distribute a privacy policy Manual, Disabled 1.1.0
Implement privacy notice delivery methods CMA_0324 - Implement privacy notice delivery methods Manual, Disabled 1.1.0
Keep accurate accounting of disclosures of information CMA_C1818 - Keep accurate accounting of disclosures of information Manual, Disabled 1.1.0
Make accounting of disclosures available upon request CMA_C1820 - Make accounting of disclosures available upon request Manual, Disabled 1.1.0
Obtain consent prior to collection or processing of personal data CMA_0385 - Obtain consent prior to collection or processing of personal data Manual, Disabled 1.1.0
Provide privacy notice CMA_0414 - Provide privacy notice Manual, Disabled 1.1.0
Record disclosures of PII to third parties CMA_0422 - Record disclosures of PII to third parties Manual, Disabled 1.1.0
Restrict communications CMA_0449 - Restrict communications Manual, Disabled 1.1.0
Retain accounting of disclosures of information CMA_C1819 - Retain accounting of disclosures of information Manual, Disabled 1.1.0
Train staff on PII sharing and its consequences CMA_C1871 - Train staff on PII sharing and its consequences Manual, Disabled 1.1.0

ID: 1903.06d1Organizational.3456711-06.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0
Establish a data leakage management procedure CMA_0255 - Establish a data leakage management procedure Manual, Disabled 1.1.0
Implement training for protecting authenticators CMA_0329 - Implement training for protecting authenticators Manual, Disabled 1.1.0
Notify users of system logon or access CMA_0382 - Notify users of system logon or access Manual, Disabled 1.1.0
Protect special information CMA_0409 - Protect special information Manual, Disabled 1.1.0

ID: 1904.06.d2Organizational.1-06.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adhere to retention periods defined CMA_0004 - Adhere to retention periods defined Manual, Disabled 1.1.0
Perform disposition review CMA_0391 - Perform disposition review Manual, Disabled 1.1.0
Verify personal data is deleted at the end of processing CMA_0540 - Verify personal data is deleted at the end of processing Manual, Disabled 1.1.0

ID: 1906.06.c1Organizational.2-06.c Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Make SORNs available publicly CMA_C1865 - Make SORNs available publicly Manual, Disabled 1.1.0
Provide formal notice to individuals CMA_C1864 - Provide formal notice to individuals Manual, Disabled 1.1.0
Provide privacy notice to the public and to individuals CMA_C1861 - Provide privacy notice to the public and to individuals Manual, Disabled 1.1.0
Publish SORNs for systems containing PII CMA_C1862 - Publish SORNs for systems containing PII Manual, Disabled 1.1.0

ID: 1907.06.c1Organizational.3-06.c Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Keep SORNs updated CMA_C1863 - Keep SORNs updated Manual, Disabled 1.1.0
Make SORNs available publicly CMA_C1865 - Make SORNs available publicly Manual, Disabled 1.1.0
Provide formal notice to individuals CMA_C1864 - Provide formal notice to individuals Manual, Disabled 1.1.0
Publish SORNs for systems containing PII CMA_C1862 - Publish SORNs for systems containing PII Manual, Disabled 1.1.0

ID: 1908.06.c1Organizational.4-06.c Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adhere to retention periods defined CMA_0004 - Adhere to retention periods defined Manual, Disabled 1.1.0
Conduct backup of information system documentation CMA_C1289 - Conduct backup of information system documentation Manual, Disabled 1.1.0
Establish backup policies and procedures CMA_0268 - Establish backup policies and procedures Manual, Disabled 1.1.0
Keep SORNs updated CMA_C1863 - Keep SORNs updated Manual, Disabled 1.1.0
Make SORNs available publicly CMA_C1865 - Make SORNs available publicly Manual, Disabled 1.1.0
Manage the input, output, processing, and storage of data CMA_0369 - Manage the input, output, processing, and storage of data Manual, Disabled 1.1.0
Provide formal notice to individuals CMA_C1864 - Provide formal notice to individuals Manual, Disabled 1.1.0
Publish SORNs for systems containing PII CMA_C1862 - Publish SORNs for systems containing PII Manual, Disabled 1.1.0
Retain security policies and procedures CMA_0454 - Retain security policies and procedures Manual, Disabled 1.1.0
Retain terminated user data CMA_0455 - Retain terminated user data Manual, Disabled 1.1.0
Review label activity and analytics CMA_0474 - Review label activity and analytics Manual, Disabled 1.1.0

ID: 1911.06d1Organizational.13-06.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Document the legal basis for processing personal information CMA_0206 - Document the legal basis for processing personal information Manual, Disabled 1.1.0
Establish terms and conditions for processing resources CMA_C1077 - Establish terms and conditions for processing resources Manual, Disabled 1.1.0
Evaluate and review PII holdings regularly CMA_C1832 - Evaluate and review PII holdings regularly Manual, Disabled 1.1.0
Obtain consent prior to collection or processing of personal data CMA_0385 - Obtain consent prior to collection or processing of personal data Manual, Disabled 1.1.0
Remove or redact any PII CMA_C1833 - Remove or redact any PII Manual, Disabled 1.1.0

19134.05j1Organizational.5-05.j 05.02 External Parties

ID: 19134.05j1Organizational.5-05.j Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Appoint a senior information security officer CMA_C1733 - Appoint a senior information security officer Manual, Disabled 1.1.0
Designate authorized personnel to post publicly accessible information CMA_C1083 - Designate authorized personnel to post publicly accessible information Manual, Disabled 1.1.0
Develop and establish a system security plan CMA_0151 - Develop and establish a system security plan Manual, Disabled 1.1.0
Establish a privacy program CMA_0257 - Establish a privacy program Manual, Disabled 1.1.0
Establish security requirements for the manufacturing of connected devices CMA_0279 - Establish security requirements for the manufacturing of connected devices Manual, Disabled 1.1.0
Implement security engineering principles of information systems CMA_0325 - Implement security engineering principles of information systems Manual, Disabled 1.1.0
Information security and personal data protection CMA_0332 - Information security and personal data protection Manual, Disabled 1.1.0
Manage compliance activities CMA_0358 - Manage compliance activities Manual, Disabled 1.1.0
Review content prior to posting publicly accessible information CMA_C1085 - Review content prior to posting publicly accessible information Manual, Disabled 1.1.0
Review publicly accessible content for nonpublic information CMA_C1086 - Review publicly accessible content for nonpublic information Manual, Disabled 1.1.0
Train personnel on disclosure of nonpublic information CMA_C1084 - Train personnel on disclosure of nonpublic information Manual, Disabled 1.1.0
Update privacy plan, policies, and procedures CMA_C1807 - Update privacy plan, policies, and procedures Manual, Disabled 1.1.0

ID: 19141.06c1Organizational.7-06.c Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Conduct backup of information system documentation CMA_C1289 - Conduct backup of information system documentation Manual, Disabled 1.1.0
Enforce logical access CMA_0245 - Enforce logical access Manual, Disabled 1.1.0
Establish backup policies and procedures CMA_0268 - Establish backup policies and procedures Manual, Disabled 1.1.0
Implement transaction based recovery CMA_C1296 - Implement transaction based recovery Manual, Disabled 1.1.0
Manage the input, output, processing, and storage of data CMA_0369 - Manage the input, output, processing, and storage of data Manual, Disabled 1.1.0
Require approval for account creation CMA_0431 - Require approval for account creation Manual, Disabled 1.1.0
Review label activity and analytics CMA_0474 - Review label activity and analytics Manual, Disabled 1.1.0
Review user groups and applications with access to sensitive data CMA_0481 - Review user groups and applications with access to sensitive data Manual, Disabled 1.1.0

ID: 19142.06c1Organizational.8-06.c Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adhere to retention periods defined CMA_0004 - Adhere to retention periods defined Manual, Disabled 1.1.0
Control use of portable storage devices CMA_0083 - Control use of portable storage devices Manual, Disabled 1.1.0
Manage the input, output, processing, and storage of data CMA_0369 - Manage the input, output, processing, and storage of data Manual, Disabled 1.1.0
Perform disposition review CMA_0391 - Perform disposition review Manual, Disabled 1.1.0
Restrict media use CMA_0450 - Restrict media use Manual, Disabled 1.1.0
Retain security policies and procedures CMA_0454 - Retain security policies and procedures Manual, Disabled 1.1.0
Retain terminated user data CMA_0455 - Retain terminated user data Manual, Disabled 1.1.0
Review label activity and analytics CMA_0474 - Review label activity and analytics Manual, Disabled 1.1.0
Verify personal data is deleted at the end of processing CMA_0540 - Verify personal data is deleted at the end of processing Manual, Disabled 1.1.0

ID: 19143.06c1Organizational.9-06.c Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Appoint a senior information security officer CMA_C1733 - Appoint a senior information security officer Manual, Disabled 1.1.0
Categorize information CMA_0052 - Categorize information Manual, Disabled 1.1.0
Develop business classification schemes CMA_0155 - Develop business classification schemes Manual, Disabled 1.1.0
Develop SSP that meets criteria CMA_C1492 - Develop SSP that meets criteria Manual, Disabled 1.1.0
Ensure security categorization is approved CMA_C1540 - Ensure security categorization is approved Manual, Disabled 1.1.0
Review label activity and analytics CMA_0474 - Review label activity and analytics Manual, Disabled 1.1.0

ID: 19144.06c2Organizational.1-06.c Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adhere to retention periods defined CMA_0004 - Adhere to retention periods defined Manual, Disabled 1.1.0
Manage the input, output, processing, and storage of data CMA_0369 - Manage the input, output, processing, and storage of data Manual, Disabled 1.1.0
Perform disposition review CMA_0391 - Perform disposition review Manual, Disabled 1.1.0
Retain security policies and procedures CMA_0454 - Retain security policies and procedures Manual, Disabled 1.1.0
Retain terminated user data CMA_0455 - Retain terminated user data Manual, Disabled 1.1.0
Review label activity and analytics CMA_0474 - Review label activity and analytics Manual, Disabled 1.1.0
Verify personal data is deleted at the end of processing CMA_0540 - Verify personal data is deleted at the end of processing Manual, Disabled 1.1.0

ID: 19145.06c2Organizational.2-06.c Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adhere to retention periods defined CMA_0004 - Adhere to retention periods defined Manual, Disabled 1.1.0
Conduct backup of information system documentation CMA_C1289 - Conduct backup of information system documentation Manual, Disabled 1.1.0
Manage the input, output, processing, and storage of data CMA_0369 - Manage the input, output, processing, and storage of data Manual, Disabled 1.1.0
Perform disposition review CMA_0391 - Perform disposition review Manual, Disabled 1.1.0
Retain security policies and procedures CMA_0454 - Retain security policies and procedures Manual, Disabled 1.1.0
Retain terminated user data CMA_0455 - Retain terminated user data Manual, Disabled 1.1.0
Review label activity and analytics CMA_0474 - Review label activity and analytics Manual, Disabled 1.1.0
Verify personal data is deleted at the end of processing CMA_0540 - Verify personal data is deleted at the end of processing Manual, Disabled 1.1.0

ID: 19242.06d1Organizational.14-06.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Document the legal basis for processing personal information CMA_0206 - Document the legal basis for processing personal information Manual, Disabled 1.1.0
Evaluate and review PII holdings regularly CMA_C1832 - Evaluate and review PII holdings regularly Manual, Disabled 1.1.0
Obtain consent prior to collection or processing of personal data CMA_0385 - Obtain consent prior to collection or processing of personal data Manual, Disabled 1.1.0
Remove or redact any PII CMA_C1833 - Remove or redact any PII Manual, Disabled 1.1.0

ID: 19243.06d1Organizational.15-06.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Automate privacy controls CMA_C1817 - Automate privacy controls Manual, Disabled 1.1.0
Document the legal basis for processing personal information CMA_0206 - Document the legal basis for processing personal information Manual, Disabled 1.1.0
Evaluate and review PII holdings regularly CMA_C1832 - Evaluate and review PII holdings regularly Manual, Disabled 1.1.0
Implement privacy notice delivery methods CMA_0324 - Implement privacy notice delivery methods Manual, Disabled 1.1.0
Information security and personal data protection CMA_0332 - Information security and personal data protection Manual, Disabled 1.1.0
Obtain consent prior to collection or processing of personal data CMA_0385 - Obtain consent prior to collection or processing of personal data Manual, Disabled 1.1.0
Provide privacy notice CMA_0414 - Provide privacy notice Manual, Disabled 1.1.0
Remove or redact any PII CMA_C1833 - Remove or redact any PII Manual, Disabled 1.1.0
Restrict communications CMA_0449 - Restrict communications Manual, Disabled 1.1.0

ID: 19245.06d2Organizational.2-06.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Confirm quality and integrity of PII CMA_C1821 - Confirm quality and integrity of PII Manual, Disabled 1.1.0
Document the legal basis for processing personal information CMA_0206 - Document the legal basis for processing personal information Manual, Disabled 1.1.0
Evaluate and review PII holdings regularly CMA_C1832 - Evaluate and review PII holdings regularly Manual, Disabled 1.1.0
Issue guidelines for ensuring data quality and integrity CMA_C1824 - Issue guidelines for ensuring data quality and integrity Manual, Disabled 1.1.0
Maintain records of processing of personal data CMA_0353 - Maintain records of processing of personal data Manual, Disabled 1.1.0
Obtain consent prior to collection or processing of personal data CMA_0385 - Obtain consent prior to collection or processing of personal data Manual, Disabled 1.1.0
Publish Computer Matching Agreements on public website CMA_C1829 - Publish Computer Matching Agreements on public website Manual, Disabled 1.1.0

Next steps

Additional articles about Azure Policy: