Details of the HIPAA HITRUST 9.2 Regulatory Compliance built-in initiative

The following article details how the Azure Policy Regulatory Compliance built-in initiative definition maps to compliance domains and controls in HIPAA HITRUST 9.2. For more information about this compliance standard, see HIPAA HITRUST 9.2. To understand Ownership, see Azure Policy policy definition and Shared responsibility in the cloud.

The following mappings are to the HIPAA HITRUST 9.2 controls. Use the navigation on the right to jump directly to a specific compliance domain. Many of the controls are implemented with an Azure Policy initiative definition. To review the complete initiative definition, open Policy in the Azure portal and select the Definitions page. Then, find and select the HITRUST/HIPAA Regulatory Compliance built-in initiative definition.

This built-in initiative is deployed as part of the HIPAA HITRUST 9.2 blueprint sample.

Important

Each control below is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, there often is not a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policy definitions themselves; this doesn't ensure you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between compliance domains, controls, and Azure Policy definitions for this compliance standard may change over time. To view the change history, see the GitHub Commit History.

Privilege Management

The organization facilitates information sharing by enabling authorized users to determine a business partner's access when discretion is allowed as defined by the organization and by employing manual processes or automated mechanisms to assist users in making information sharing/collaboration decisions.

ID: 1149.01c2System.9 - 01.c Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Role-Based Access Control (RBAC) should be used on Kubernetes Services To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. Audit, Disabled 1.0.2

Contractors are provided with minimal system and physical access only after the organization assesses the contractor's ability to comply with its security requirements and the contractor agrees to comply.

ID: 1154.01c3System.4 - 01.c Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
A maximum of 3 owners should be designated for your subscription It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. AuditIfNotExists, Disabled 3.0.0

User Authentication for External Connections

Remote access by vendors and business partners (e.g., for remote maintenance) is disabled/deactivated when not in use.

ID: 1117.01j1Organizational.23 - 01.j Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
MFA should be enabled for accounts with write permissions on your subscription Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 3.0.1

If encryption is not used for dial-up connections, the CIO or his/her designated representative provides specific written authorization.

ID: 1173.01j1Organizational.6 - 01.j Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
MFA should be enabled for accounts with write permissions on your subscription Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 3.0.1

The organization protects wireless access to systems containing sensitive information by authenticating both users and devices.

ID: 1174.01j1Organizational.7 - 01.j Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
MFA should be enabled on accounts with read permissions on your subscription Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 3.0.0

The organization requires a callback capability with re-authentication to verify dial-up connections from authorized locations.

ID: 1176.01j2Organizational.5 - 01.j Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
MFA should be enabled on accounts with owner permissions on your subscription Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 3.0.0

User IDs assigned to vendors are reviewed in accordance with the organization's access review policy, at a minimum annually.

ID: 1177.01j2Organizational.6 - 01.j Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
MFA should be enabled for accounts with write permissions on your subscription Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 3.0.1

User Identification and Authentication

Non-organizational users (all information system users other than organizational users, such as patients, customers, contractors, or foreign nationals), or processes acting on behalf of non-organizational users, determined to need access to information residing on the organization's information systems, are uniquely identified and authenticated.

ID: 11110.01q1Organizational.6 - 01.q Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
MFA should be enabled for accounts with write permissions on your subscription Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 3.0.1

The organization requires that electronic signatures, unique to one individual, cannot be reused by, or reassigned to, anyone else.

ID: 11208.01q1Organizational.8 - 01.q Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
There should be more than one owner assigned to your subscription It is recommended to designate more than one subscription owner in order to have administrator access redundancy. AuditIfNotExists, Disabled 3.0.0

Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records.

ID: 11210.01q2Organizational.10 - 01.q Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit Windows machines that have the specified members in the Administrators group Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter. auditIfNotExists 2.0.0

Signed electronic records shall contain information associated with the signing in human-readable format.

ID: 11211.01q2Organizational.11 - 01.q Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit Windows machines missing any of specified members in the Administrators group Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group does not contain one or more members that are listed in the policy parameter. auditIfNotExists 2.0.0

01 Information Protection Program

0.01 Information Security Management Program

ID: 0101.00a1Organizational.123-00.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop a concept of operations (CONOPS) CMA_0141 - Develop a concept of operations (CONOPS) Manual, Disabled 1.1.0
Establish an information security program CMA_0263 - Establish an information security program Manual, Disabled 1.1.0
Protect the information security program plan CMA_C1732 - Protect the information security program plan Manual, Disabled 1.1.0
Review and update the information security architecture CMA_C1504 - Review and update the information security architecture Manual, Disabled 1.1.0
Update information security policies CMA_0518 - Update information security policies Manual, Disabled 1.1.0

0.01 Information Security Management Program

ID: 0102.00a2Organizational.123-00.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Establish an information security program CMA_0263 - Establish an information security program Manual, Disabled 1.1.0
Review and update the information security architecture CMA_C1504 - Review and update the information security architecture Manual, Disabled 1.1.0
Update information security policies CMA_0518 - Update information security policies Manual, Disabled 1.1.0

0.01 Information Security Management Program

ID: 0103.00a3Organizational.1234567-00.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop and establish a system security plan CMA_0151 - Develop and establish a system security plan Manual, Disabled 1.1.0
Establish security requirements for the manufacturing of connected devices CMA_0279 - Establish security requirements for the manufacturing of connected devices Manual, Disabled 1.1.0
Implement security engineering principles of information systems CMA_0325 - Implement security engineering principles of information systems Manual, Disabled 1.1.0

02.01 Prior to Employment

ID: 0104.02a1Organizational.12-02.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define information security roles and responsibilities CMA_C1565 - Define information security roles and responsibilities Manual, Disabled 1.1.0
Develop acceptable use policies and procedures CMA_0143 - Develop acceptable use policies and procedures Manual, Disabled 1.1.0
Develop organization code of conduct policy CMA_0159 - Develop organization code of conduct policy Manual, Disabled 1.1.0
Document personnel acceptance of privacy requirements CMA_0193 - Document personnel acceptance of privacy requirements Manual, Disabled 1.1.0
Enforce rules of behavior and access agreements CMA_0248 - Enforce rules of behavior and access agreements Manual, Disabled 1.1.0
Identify individuals with security roles and responsibilities CMA_C1566 - Identify individuals with security roles and responsibilities Manual, Disabled 1.1.1
Prohibit unfair practices CMA_0396 - Prohibit unfair practices Manual, Disabled 1.1.0
Provide periodic role-based security training CMA_C1095 - Provide periodic role-based security training Manual, Disabled 1.1.0
Provide role-based security training CMA_C1094 - Provide role-based security training Manual, Disabled 1.1.0
Provide security training before providing access CMA_0418 - Provide security training before providing access Manual, Disabled 1.1.0
Review and sign revised rules of behavior CMA_0465 - Review and sign revised rules of behavior Manual, Disabled 1.1.0
Update information security policies CMA_0518 - Update information security policies Manual, Disabled 1.1.0
Update rules of behavior and access agreements CMA_0521 - Update rules of behavior and access agreements Manual, Disabled 1.1.0
Update rules of behavior and access agreements every 3 years CMA_0522 - Update rules of behavior and access agreements every 3 years Manual, Disabled 1.1.0

02.01 Prior to Employment

ID: 0105.02a2Organizational.1-02.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Assign risk designations CMA_0016 - Assign risk designations Manual, Disabled 1.1.0
Clear personnel with access to classified information CMA_0054 - Clear personnel with access to classified information Manual, Disabled 1.1.0
Implement personnel screening CMA_0322 - Implement personnel screening Manual, Disabled 1.1.0
Monitor third-party provider compliance CMA_C1533 - Monitor third-party provider compliance Manual, Disabled 1.1.0
Protect special information CMA_0409 - Protect special information Manual, Disabled 1.1.0
Rescreen individuals at a defined frequency CMA_C1512 - Rescreen individuals at a defined frequency Manual, Disabled 1.1.0

02.01 Prior to Employment

ID: 0106.02a2Organizational.23-02.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Clear personnel with access to classified information CMA_0054 - Clear personnel with access to classified information Manual, Disabled 1.1.0
Implement personnel screening CMA_0322 - Implement personnel screening Manual, Disabled 1.1.0
Protect special information CMA_0409 - Protect special information Manual, Disabled 1.1.0
Rescreen individuals at a defined frequency CMA_C1512 - Rescreen individuals at a defined frequency Manual, Disabled 1.1.0

02.03 During Employment

ID: 0107.02d1Organizational.1-02.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Establish information security workforce development and improvement program CMA_C1752 - Establish information security workforce development and improvement program Manual, Disabled 1.1.0

02.03 During Employment

ID: 0108.02d1Organizational.23-02.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Document security and privacy training activities CMA_0198 - Document security and privacy training activities Manual, Disabled 1.1.0
Implement security testing, training, and monitoring plans CMA_C1753 - Implement security testing, training, and monitoring plans Manual, Disabled 1.1.0
Monitor security and privacy training completion CMA_0379 - Monitor security and privacy training completion Manual, Disabled 1.1.0
Provide periodic role-based security training CMA_C1095 - Provide periodic role-based security training Manual, Disabled 1.1.0
Provide security training before providing access CMA_0418 - Provide security training before providing access Manual, Disabled 1.1.0
Require developers to provide training CMA_C1611 - Require developers to provide training Manual, Disabled 1.1.0
Retain training records CMA_0456 - Retain training records Manual, Disabled 1.1.0
Review security testing, training, and monitoring plans CMA_C1754 - Review security testing, training, and monitoring plans Manual, Disabled 1.1.0

02.03 During Employment

ID: 0109.02d1Organizational.4-02.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop acceptable use policies and procedures CMA_0143 - Develop acceptable use policies and procedures Manual, Disabled 1.1.0
Develop organization code of conduct policy CMA_0159 - Develop organization code of conduct policy Manual, Disabled 1.1.0
Document personnel acceptance of privacy requirements CMA_0193 - Document personnel acceptance of privacy requirements Manual, Disabled 1.1.0
Enforce rules of behavior and access agreements CMA_0248 - Enforce rules of behavior and access agreements Manual, Disabled 1.1.0
Implement formal sanctions process CMA_0317 - Implement formal sanctions process Manual, Disabled 1.1.0
Notify personnel upon sanctions CMA_0380 - Notify personnel upon sanctions Manual, Disabled 1.1.0
Prohibit unfair practices CMA_0396 - Prohibit unfair practices Manual, Disabled 1.1.0
Provide periodic role-based security training CMA_C1095 - Provide periodic role-based security training Manual, Disabled 1.1.0
Provide periodic security awareness training CMA_C1091 - Provide periodic security awareness training Manual, Disabled 1.1.0
Provide role-based practical exercises CMA_C1096 - Provide role-based practical exercises Manual, Disabled 1.1.0
Provide role-based security training CMA_C1094 - Provide role-based security training Manual, Disabled 1.1.0
Provide role-based training on suspicious activities CMA_C1097 - Provide role-based training on suspicious activities Manual, Disabled 1.1.0
Provide security awareness training for insider threats CMA_0417 - Provide security awareness training for insider threats Manual, Disabled 1.1.0
Provide security training before providing access CMA_0418 - Provide security training before providing access Manual, Disabled 1.1.0
Provide security training for new users CMA_0419 - Provide security training for new users Manual, Disabled 1.1.0
Provide updated security awareness training CMA_C1090 - Provide updated security awareness training Manual, Disabled 1.1.0
Review and sign revised rules of behavior CMA_0465 - Review and sign revised rules of behavior Manual, Disabled 1.1.0
Update information security policies CMA_0518 - Update information security policies Manual, Disabled 1.1.0
Update rules of behavior and access agreements CMA_0521 - Update rules of behavior and access agreements Manual, Disabled 1.1.0
Update rules of behavior and access agreements every 3 years CMA_0522 - Update rules of behavior and access agreements every 3 years Manual, Disabled 1.1.0

02.03 During Employment

ID: 0110.02d2Organizational.1-02.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Appoint a senior information security officer CMA_C1733 - Appoint a senior information security officer Manual, Disabled 1.1.0
Establish information security workforce development and improvement program CMA_C1752 - Establish information security workforce development and improvement program Manual, Disabled 1.1.0

02.03 During Employment

ID: 0111.02d2Organizational.2-02.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Document third-party personnel security requirements CMA_C1531 - Document third-party personnel security requirements Manual, Disabled 1.1.0
Establish third-party personnel security requirements CMA_C1529 - Establish third-party personnel security requirements Manual, Disabled 1.1.0
Monitor third-party provider compliance CMA_C1533 - Monitor third-party provider compliance Manual, Disabled 1.1.0
Provide periodic security awareness training CMA_C1091 - Provide periodic security awareness training Manual, Disabled 1.1.0
Provide security awareness training for insider threats CMA_0417 - Provide security awareness training for insider threats Manual, Disabled 1.1.0
Provide security training for new users CMA_0419 - Provide security training for new users Manual, Disabled 1.1.0
Provide updated security awareness training CMA_C1090 - Provide updated security awareness training Manual, Disabled 1.1.0
Require notification of third-party personnel transfer or termination CMA_C1532 - Require notification of third-party personnel transfer or termination Manual, Disabled 1.1.0
Require third-party providers to comply with personnel security policies and procedures CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures Manual, Disabled 1.1.0

05.01 Internal Organization

ID: 01110.05a1Organizational.5-05.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Appoint a senior information security officer CMA_C1733 - Appoint a senior information security officer Manual, Disabled 1.1.0
Document third-party personnel security requirements CMA_C1531 - Document third-party personnel security requirements Manual, Disabled 1.1.0
Establish third-party personnel security requirements CMA_C1529 - Establish third-party personnel security requirements Manual, Disabled 1.1.0
Require third-party providers to comply with personnel security policies and procedures CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures Manual, Disabled 1.1.0

05.01 Internal Organization

ID: 01111.05a2Organizational.5-05.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Appoint a senior information security officer CMA_C1733 - Appoint a senior information security officer Manual, Disabled 1.1.0

02.03 During Employment

ID: 0112.02d2Organizational.3-02.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop acceptable use policies and procedures CMA_0143 - Develop acceptable use policies and procedures Manual, Disabled 1.1.0
Enforce appropriate usage of all accounts CMA_C1023 - Enforce appropriate usage of all accounts Manual, Disabled 1.1.0
Enforce rules of behavior and access agreements CMA_0248 - Enforce rules of behavior and access agreements Manual, Disabled 1.1.0
Establish usage restrictions for mobile code technologies CMA_C1652 - Establish usage restrictions for mobile code technologies Manual, Disabled 1.1.0
Monitor account activity CMA_0377 - Monitor account activity Manual, Disabled 1.1.0
Require compliance with intellectual property rights CMA_0432 - Require compliance with intellectual property rights Manual, Disabled 1.1.0
Track software license usage CMA_C1235 - Track software license usage Manual, Disabled 1.1.0

04.01 Information Security Policy

ID: 0113.04a1Organizational.123-04.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Establish an information security program CMA_0263 - Establish an information security program Manual, Disabled 1.1.0
Protect the information security program plan CMA_C1732 - Protect the information security program plan Manual, Disabled 1.1.0
Update information security policies CMA_0518 - Update information security policies Manual, Disabled 1.1.0

04.01 Information Security Policy

ID: 0114.04b1Organizational.1-04.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop audit and accountability policies and procedures CMA_0154 - Develop audit and accountability policies and procedures Manual, Disabled 1.1.0
Develop information security policies and procedures CMA_0158 - Develop information security policies and procedures Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
Establish an information security program CMA_0263 - Establish an information security program Manual, Disabled 1.1.0
Govern policies and procedures CMA_0292 - Govern policies and procedures Manual, Disabled 1.1.0
Review access control policies and procedures CMA_0457 - Review access control policies and procedures Manual, Disabled 1.1.0
Review and update system and services acquisition policies and procedures CMA_C1560 - Review and update system and services acquisition policies and procedures Manual, Disabled 1.1.0
Review and update system maintenance policies and procedures CMA_C1395 - Review and update system maintenance policies and procedures Manual, Disabled 1.1.0
Update information security policies CMA_0518 - Update information security policies Manual, Disabled 1.1.0

04.01 Information Security Policy

ID: 0115.04b2Organizational.123-04.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop audit and accountability policies and procedures CMA_0154 - Develop audit and accountability policies and procedures Manual, Disabled 1.1.0
Develop information security policies and procedures CMA_0158 - Develop information security policies and procedures Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
Govern policies and procedures CMA_0292 - Govern policies and procedures Manual, Disabled 1.1.0
Review access control policies and procedures CMA_0457 - Review access control policies and procedures Manual, Disabled 1.1.0
Review and update configuration management policies and procedures CMA_C1175 - Review and update configuration management policies and procedures Manual, Disabled 1.1.0
Review and update contingency planning policies and procedures CMA_C1243 - Review and update contingency planning policies and procedures Manual, Disabled 1.1.0
Review and update identification and authentication policies and procedures CMA_C1299 - Review and update identification and authentication policies and procedures Manual, Disabled 1.1.0
Review and update incident response policies and procedures CMA_C1352 - Review and update incident response policies and procedures Manual, Disabled 1.1.0
Review and update information integrity policies and procedures CMA_C1667 - Review and update information integrity policies and procedures Manual, Disabled 1.1.0
Review and update media protection policies and procedures CMA_C1427 - Review and update media protection policies and procedures Manual, Disabled 1.1.0
Review and update personnel security policies and procedures CMA_C1507 - Review and update personnel security policies and procedures Manual, Disabled 1.1.0
Review and update physical and environmental policies and procedures CMA_C1446 - Review and update physical and environmental policies and procedures Manual, Disabled 1.1.0
Review and update planning policies and procedures CMA_C1491 - Review and update planning policies and procedures Manual, Disabled 1.1.0
Review and update risk assessment policies and procedures CMA_C1537 - Review and update risk assessment policies and procedures Manual, Disabled 1.1.0
Review and update system and communications protection policies and procedures CMA_C1616 - Review and update system and communications protection policies and procedures Manual, Disabled 1.1.0
Review and update system and services acquisition policies and procedures CMA_C1560 - Review and update system and services acquisition policies and procedures Manual, Disabled 1.1.0
Review and update system maintenance policies and procedures CMA_C1395 - Review and update system maintenance policies and procedures Manual, Disabled 1.1.0
Review security assessment and authorization policies and procedures CMA_C1143 - Review security assessment and authorization policies and procedures Manual, Disabled 1.1.0
Update information security policies CMA_0518 - Update information security policies Manual, Disabled 1.1.0

04.01 Information Security Policy

ID: 0116.04b3Organizational.1-04.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Review and update configuration management policies and procedures CMA_C1175 - Review and update configuration management policies and procedures Manual, Disabled 1.1.0
Review and update information integrity policies and procedures CMA_C1667 - Review and update information integrity policies and procedures Manual, Disabled 1.1.0
Review and update planning policies and procedures CMA_C1491 - Review and update planning policies and procedures Manual, Disabled 1.1.0
Review and update system maintenance policies and procedures CMA_C1395 - Review and update system maintenance policies and procedures Manual, Disabled 1.1.0

05.01 Internal Organization

ID: 0117.05a1Organizational.1-05.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Appoint a senior information security officer CMA_C1733 - Appoint a senior information security officer Manual, Disabled 1.1.0

05.01 Internal Organization

ID: 0118.05a1Organizational.2-05.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Appoint a senior information security officer CMA_C1733 - Appoint a senior information security officer Manual, Disabled 1.1.0
Develop and establish a system security plan CMA_0151 - Develop and establish a system security plan Manual, Disabled 1.1.0
Establish a privacy program CMA_0257 - Establish a privacy program Manual, Disabled 1.1.0
Establish an information security program CMA_0263 - Establish an information security program Manual, Disabled 1.1.0
Establish information security workforce development and improvement program CMA_C1752 - Establish information security workforce development and improvement program Manual, Disabled 1.1.0
Establish security requirements for the manufacturing of connected devices CMA_0279 - Establish security requirements for the manufacturing of connected devices Manual, Disabled 1.1.0
Implement security engineering principles of information systems CMA_0325 - Implement security engineering principles of information systems Manual, Disabled 1.1.0
Update information security policies CMA_0518 - Update information security policies Manual, Disabled 1.1.0

05.01 Internal Organization

ID: 0119.05a1Organizational.3-05.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop and establish a system security plan CMA_0151 - Develop and establish a system security plan Manual, Disabled 1.1.0
Develop information security policies and procedures CMA_0158 - Develop information security policies and procedures Manual, Disabled 1.1.0
Develop SSP that meets criteria CMA_C1492 - Develop SSP that meets criteria Manual, Disabled 1.1.0
Establish a privacy program CMA_0257 - Establish a privacy program Manual, Disabled 1.1.0
Establish security requirements for the manufacturing of connected devices CMA_0279 - Establish security requirements for the manufacturing of connected devices Manual, Disabled 1.1.0
Implement security engineering principles of information systems CMA_0325 - Implement security engineering principles of information systems Manual, Disabled 1.1.0

05.01 Internal Organization

ID: 0120.05a1Organizational.4-05.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Align business objectives and IT goals CMA_0008 - Align business objectives and IT goals Manual, Disabled 1.1.0
Allocate resources in determining information system requirements CMA_C1561 - Allocate resources in determining information system requirements Manual, Disabled 1.1.0
Employ business case to record the resources required CMA_C1735 - Employ business case to record the resources required Manual, Disabled 1.1.0
Ensure capital planning and investment requests include necessary resources CMA_C1734 - Ensure capital planning and investment requests include necessary resources Manual, Disabled 1.1.0
Establish a discrete line item in budgeting documentation CMA_C1563 - Establish a discrete line item in budgeting documentation Manual, Disabled 1.1.0
Establish a privacy program CMA_0257 - Establish a privacy program Manual, Disabled 1.1.0
Govern the allocation of resources CMA_0293 - Govern the allocation of resources Manual, Disabled 1.1.0
Secure commitment from leadership CMA_0489 - Secure commitment from leadership Manual, Disabled 1.1.0

05.01 Internal Organization

ID: 0121.05a2Organizational.12-05.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Conduct Risk Assessment CMA_C1543 - Conduct Risk Assessment Manual, Disabled 1.1.0
Conduct risk assessment and distribute its results CMA_C1544 - Conduct risk assessment and distribute its results Manual, Disabled 1.1.0
Conduct risk assessment and document its results CMA_C1542 - Conduct risk assessment and document its results Manual, Disabled 1.1.0
Establish a risk management strategy CMA_0258 - Establish a risk management strategy Manual, Disabled 1.1.0
Implement the risk management strategy CMA_C1744 - Implement the risk management strategy Manual, Disabled 1.1.0
Review and update risk assessment policies and procedures CMA_C1537 - Review and update risk assessment policies and procedures Manual, Disabled 1.1.0

05.01 Internal Organization

ID: 0122.05a2Organizational.3-05.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define information security roles and responsibilities CMA_C1565 - Define information security roles and responsibilities Manual, Disabled 1.1.0
Identify individuals with security roles and responsibilities CMA_C1566 - Identify individuals with security roles and responsibilities Manual, Disabled 1.1.1
Provide periodic role-based security training CMA_C1095 - Provide periodic role-based security training Manual, Disabled 1.1.0
Provide role-based security training CMA_C1094 - Provide role-based security training Manual, Disabled 1.1.0
Provide security training before providing access CMA_0418 - Provide security training before providing access Manual, Disabled 1.1.0
Provide security training for new users CMA_0419 - Provide security training for new users Manual, Disabled 1.1.0

05.01 Internal Organization

ID: 0123.05a2Organizational.4-05.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Establish a privacy program CMA_0257 - Establish a privacy program Manual, Disabled 1.1.0
Manage contacts for authorities and special interest groups CMA_0359 - Manage contacts for authorities and special interest groups Manual, Disabled 1.1.0

05.01 Internal Organization

ID: 0124.05a3Organizational.1-05.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Appoint a senior information security officer CMA_C1733 - Appoint a senior information security officer Manual, Disabled 1.1.0
Document security and privacy training activities CMA_0198 - Document security and privacy training activities Manual, Disabled 1.1.0

05.01 Internal Organization

ID: 0125.05a3Organizational.2-05.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Accept assessment results CMA_C1150 - Accept assessment results Manual, Disabled 1.1.0
Assess Security Controls CMA_C1145 - Assess Security Controls Manual, Disabled 1.1.0
Conduct Risk Assessment CMA_C1543 - Conduct Risk Assessment Manual, Disabled 1.1.0
Conduct risk assessment and distribute its results CMA_C1544 - Conduct risk assessment and distribute its results Manual, Disabled 1.1.0
Conduct risk assessment and document its results CMA_C1542 - Conduct risk assessment and document its results Manual, Disabled 1.1.0
Develop security assessment plan CMA_C1144 - Develop security assessment plan Manual, Disabled 1.1.0
Employ independent assessors to conduct security control assessments CMA_C1148 - Employ independent assessors to conduct security control assessments Manual, Disabled 1.1.0
Perform a risk assessment CMA_0388 - Perform a risk assessment Manual, Disabled 1.1.0

02.03 During Employment

ID: 0135.02f1Organizational.56-02.f Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Establish information security workforce development and improvement program CMA_C1752 - Establish information security workforce development and improvement program Manual, Disabled 1.1.0
Implement formal sanctions process CMA_0317 - Implement formal sanctions process Manual, Disabled 1.1.0
Notify personnel upon sanctions CMA_0380 - Notify personnel upon sanctions Manual, Disabled 1.1.0
Require third-party providers to comply with personnel security policies and procedures CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures Manual, Disabled 1.1.0

02.01 Prior to Employment

ID: 0137.02a1Organizational.3-02.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Review and update personnel security policies and procedures CMA_C1507 - Review and update personnel security policies and procedures Manual, Disabled 1.1.0

04.01 Information Security Policy

ID: 0162.04b1Organizational.2-04.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop and establish a system security plan CMA_0151 - Develop and establish a system security plan Manual, Disabled 1.1.0
Establish security requirements for the manufacturing of connected devices CMA_0279 - Establish security requirements for the manufacturing of connected devices Manual, Disabled 1.1.0
Implement security engineering principles of information systems CMA_0325 - Implement security engineering principles of information systems Manual, Disabled 1.1.0
Review and update information integrity policies and procedures CMA_C1667 - Review and update information integrity policies and procedures Manual, Disabled 1.1.0

05.01 Internal Organization

ID: 0165.05a3Organizational.3-05.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Review and update planning policies and procedures CMA_C1491 - Review and update planning policies and procedures Manual, Disabled 1.1.0

05.01 Internal Organization

ID: 0177.05h1Organizational.12-05.h Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Accept assessment results CMA_C1150 - Accept assessment results Manual, Disabled 1.1.0
Assess Security Controls CMA_C1145 - Assess Security Controls Manual, Disabled 1.1.0
Develop security assessment plan CMA_C1144 - Develop security assessment plan Manual, Disabled 1.1.0
Employ independent assessors to conduct security control assessments CMA_C1148 - Employ independent assessors to conduct security control assessments Manual, Disabled 1.1.0
Select additional testing for security control assessments CMA_C1149 - Select additional testing for security control assessments Manual, Disabled 1.1.0

05.01 Internal Organization

ID: 0178.05h1Organizational.3-05.h Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Assess Security Controls CMA_C1145 - Assess Security Controls Manual, Disabled 1.1.0
Deliver security assessment results CMA_C1147 - Deliver security assessment results Manual, Disabled 1.1.0
Produce Security Assessment report CMA_C1146 - Produce Security Assessment report Manual, Disabled 1.1.0

05.01 Internal Organization

ID: 0179.05h1Organizational.4-05.h Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop POA&M CMA_C1156 - Develop POA&M Manual, Disabled 1.1.0
Establish a risk management strategy CMA_0258 - Establish a risk management strategy Manual, Disabled 1.1.0
Implement plans of action and milestones for security program process CMA_C1737 - Implement plans of action and milestones for security program process Manual, Disabled 1.1.0

05.01 Internal Organization

ID: 0180.05h2Organizational.1-05.h Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Assess Security Controls CMA_C1145 - Assess Security Controls Manual, Disabled 1.1.0

02 Endpoint Protection

09.04 Protection Against Malicious and Mobile Code

ID: 0201.09j1Organizational.124-09.j Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adaptive application controls for defining safe applications should be enabled on your machines Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. AuditIfNotExists, Disabled 3.0.0
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Deploy default Microsoft IaaSAntimalware extension for Windows Server This policy deploys a Microsoft IaaSAntimalware extension with a default configuration when a VM is not configured with the antimalware extension. deployIfNotExists 1.1.0
Detect network services that have not been authorized or approved CMA_C1700 - Detect network services that have not been authorized or approved Manual, Disabled 1.1.0
Document wireless access security controls CMA_C1695 - Document wireless access security controls Manual, Disabled 1.1.0
Endpoint protection solution should be installed on virtual machine scale sets Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. AuditIfNotExists, Disabled 3.0.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Microsoft Antimalware for Azure should be configured to automatically update protection signatures This policy audits any Windows virtual machine not configured with automatic update of Microsoft Antimalware protection signatures. AuditIfNotExists, Disabled 1.0.0
Monitor missing Endpoint Protection in Azure Security Center Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 3.0.0
Observe and report security weaknesses CMA_0384 - Observe and report security weaknesses Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Perform threat modeling CMA_0392 - Perform threat modeling Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0
Review malware detections report weekly CMA_0475 - Review malware detections report weekly Manual, Disabled 1.1.0
Review threat protection status weekly CMA_0479 - Review threat protection status weekly Manual, Disabled 1.1.0
System updates should be installed on your machines Missing security system updates on your servers will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 4.0.0
Update antivirus definitions CMA_0517 - Update antivirus definitions Manual, Disabled 1.1.0

09.04 Protection Against Malicious and Mobile Code

ID: 0202.09j1Organizational.3-09.j Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adjust level of audit review, analysis, and reporting CMA_C1123 - Adjust level of audit review, analysis, and reporting Manual, Disabled 1.1.0
Correlate audit records CMA_0087 - Correlate audit records Manual, Disabled 1.1.0
Establish requirements for audit review and reporting CMA_0277 - Establish requirements for audit review and reporting Manual, Disabled 1.1.0
Govern and monitor audit processing activities CMA_0289 - Govern and monitor audit processing activities Manual, Disabled 1.1.0
Integrate Audit record analysis CMA_C1120 - Integrate Audit record analysis Manual, Disabled 1.1.0
Integrate audit review, analysis, and reporting CMA_0339 - Integrate audit review, analysis, and reporting Manual, Disabled 1.1.0
Integrate cloud app security with a siem CMA_0340 - Integrate cloud app security with a siem Manual, Disabled 1.1.0
Review account provisioning logs CMA_0460 - Review account provisioning logs Manual, Disabled 1.1.0
Review administrator assignments weekly CMA_0461 - Review administrator assignments weekly Manual, Disabled 1.1.0
Review audit data CMA_0466 - Review audit data Manual, Disabled 1.1.0
Review cloud identity report overview CMA_0468 - Review cloud identity report overview Manual, Disabled 1.1.0
Review controlled folder access events CMA_0471 - Review controlled folder access events Manual, Disabled 1.1.0
Review file and folder activity CMA_0473 - Review file and folder activity Manual, Disabled 1.1.0
Review role group changes weekly CMA_0476 - Review role group changes weekly Manual, Disabled 1.1.0
Specify permitted actions associated with customer audit information CMA_C1122 - Specify permitted actions associated with customer audit information Manual, Disabled 1.1.0

09.04 Protection Against Malicious and Mobile Code

ID: 0204.09j2Organizational.1-09.j Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Create alternative actions for identified anomalies CMA_C1711 - Create alternative actions for identified anomalies Manual, Disabled 1.1.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Notify personnel of any failed security verification tests CMA_C1710 - Notify personnel of any failed security verification tests Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Perform security function verification at a defined frequency CMA_C1709 - Perform security function verification at a defined frequency Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Review malware detections report weekly CMA_0475 - Review malware detections report weekly Manual, Disabled 1.1.0
Review threat protection status weekly CMA_0479 - Review threat protection status weekly Manual, Disabled 1.1.0
Update antivirus definitions CMA_0517 - Update antivirus definitions Manual, Disabled 1.1.0
Verify security functions CMA_C1708 - Verify security functions Manual, Disabled 1.1.0

09.04 Protection Against Malicious and Mobile Code

ID: 0205.09j2Organizational.2-09.j Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Alert personnel of information spillage CMA_0007 - Alert personnel of information spillage Manual, Disabled 1.1.0
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Develop an incident response plan CMA_0145 - Develop an incident response plan Manual, Disabled 1.1.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Review malware detections report weekly CMA_0475 - Review malware detections report weekly Manual, Disabled 1.1.0
Review threat protection status weekly CMA_0479 - Review threat protection status weekly Manual, Disabled 1.1.0
Set automated notifications for new and trending cloud applications in your organization CMA_0495 - Set automated notifications for new and trending cloud applications in your organization Manual, Disabled 1.1.0
Update antivirus definitions CMA_0517 - Update antivirus definitions Manual, Disabled 1.1.0

09.04 Protection Against Malicious and Mobile Code

ID: 0206.09j2Organizational.34-09.j Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Review malware detections report weekly CMA_0475 - Review malware detections report weekly Manual, Disabled 1.1.0
Update antivirus definitions CMA_0517 - Update antivirus definitions Manual, Disabled 1.1.0

09.04 Protection Against Malicious and Mobile Code

ID: 0207.09j2Organizational.56-09.j Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Review malware detections report weekly CMA_0475 - Review malware detections report weekly Manual, Disabled 1.1.0
Review threat protection status weekly CMA_0479 - Review threat protection status weekly Manual, Disabled 1.1.0
Update antivirus definitions CMA_0517 - Update antivirus definitions Manual, Disabled 1.1.0

09.04 Protection Against Malicious and Mobile Code

ID: 0208.09j2Organizational.7-09.j Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authorize remote access CMA_0024 - Authorize remote access Manual, Disabled 1.1.0
Employ boundary protection to isolate information systems CMA_C1639 - Employ boundary protection to isolate information systems Manual, Disabled 1.1.0
Separate user and information system management functionality CMA_0493 - Separate user and information system management functionality Manual, Disabled 1.1.0
Use dedicated machines for administrative tasks CMA_0527 - Use dedicated machines for administrative tasks Manual, Disabled 1.1.0

09.06 Network Security Management

ID: 0209.09m3Organizational.7-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Automate information sharing decisions CMA_0028 - Automate information sharing decisions Manual, Disabled 1.1.0
Employ automatic shutdown/restart when violations are detected CMA_C1715 - Employ automatic shutdown/restart when violations are detected Manual, Disabled 1.1.0
Facilitate information sharing CMA_0284 - Facilitate information sharing Manual, Disabled 1.1.0
Record disclosures of PII to third parties CMA_0422 - Record disclosures of PII to third parties Manual, Disabled 1.1.0
Train staff on PII sharing and its consequences CMA_C1871 - Train staff on PII sharing and its consequences Manual, Disabled 1.1.0
Verify software, firmware and information integrity CMA_0542 - Verify software, firmware and information integrity Manual, Disabled 1.1.0

09.04 Protection Against Malicious and Mobile Code

ID: 0214.09j1Organizational.6-09.j Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Design an access control model CMA_0129 - Design an access control model Manual, Disabled 1.1.0
Employ least privilege access CMA_0212 - Employ least privilege access Manual, Disabled 1.1.0
Limit privileges to make changes in production environment CMA_C1206 - Limit privileges to make changes in production environment Manual, Disabled 1.1.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Provide periodic security awareness training CMA_C1091 - Provide periodic security awareness training Manual, Disabled 1.1.0
Provide security training for new users CMA_0419 - Provide security training for new users Manual, Disabled 1.1.0
Provide updated security awareness training CMA_C1090 - Provide updated security awareness training Manual, Disabled 1.1.0
Review malware detections report weekly CMA_0475 - Review malware detections report weekly Manual, Disabled 1.1.0
Review threat protection status weekly CMA_0479 - Review threat protection status weekly Manual, Disabled 1.1.0
Update antivirus definitions CMA_0517 - Update antivirus definitions Manual, Disabled 1.1.0

09.04 Protection Against Malicious and Mobile Code

ID: 0215.09j2Organizational.8-09.j Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Review malware detections report weekly CMA_0475 - Review malware detections report weekly Manual, Disabled 1.1.0
Review threat protection status weekly CMA_0479 - Review threat protection status weekly Manual, Disabled 1.1.0
Update antivirus definitions CMA_0517 - Update antivirus definitions Manual, Disabled 1.1.0

09.04 Protection Against Malicious and Mobile Code

ID: 0216.09j2Organizational.9-09.j Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Correlate audit records CMA_0087 - Correlate audit records Manual, Disabled 1.1.0
Establish requirements for audit review and reporting CMA_0277 - Establish requirements for audit review and reporting Manual, Disabled 1.1.0
Integrate audit review, analysis, and reporting CMA_0339 - Integrate audit review, analysis, and reporting Manual, Disabled 1.1.0
Integrate cloud app security with a siem CMA_0340 - Integrate cloud app security with a siem Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0
Review account provisioning logs CMA_0460 - Review account provisioning logs Manual, Disabled 1.1.0
Review administrator assignments weekly CMA_0461 - Review administrator assignments weekly Manual, Disabled 1.1.0
Review audit data CMA_0466 - Review audit data Manual, Disabled 1.1.0
Review cloud identity report overview CMA_0468 - Review cloud identity report overview Manual, Disabled 1.1.0
Review controlled folder access events CMA_0471 - Review controlled folder access events Manual, Disabled 1.1.0
Review file and folder activity CMA_0473 - Review file and folder activity Manual, Disabled 1.1.0
Review role group changes weekly CMA_0476 - Review role group changes weekly Manual, Disabled 1.1.0

09.04 Protection Against Malicious and Mobile Code

ID: 0217.09j2Organizational.10-09.j Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit privileged functions CMA_0019 - Audit privileged functions Manual, Disabled 1.1.0
Audit user account status CMA_0020 - Audit user account status Manual, Disabled 1.1.0
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Correlate audit records CMA_0087 - Correlate audit records Manual, Disabled 1.1.0
Determine auditable events CMA_0137 - Determine auditable events Manual, Disabled 1.1.0
Establish requirements for audit review and reporting CMA_0277 - Establish requirements for audit review and reporting Manual, Disabled 1.1.0
Integrate audit review, analysis, and reporting CMA_0339 - Integrate audit review, analysis, and reporting Manual, Disabled 1.1.0
Integrate cloud app security with a siem CMA_0340 - Integrate cloud app security with a siem Manual, Disabled 1.1.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Observe and report security weaknesses CMA_0384 - Observe and report security weaknesses Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Perform threat modeling CMA_0392 - Perform threat modeling Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0
Review account provisioning logs CMA_0460 - Review account provisioning logs Manual, Disabled 1.1.0
Review administrator assignments weekly CMA_0461 - Review administrator assignments weekly Manual, Disabled 1.1.0
Review audit data CMA_0466 - Review audit data Manual, Disabled 1.1.0
Review cloud identity report overview CMA_0468 - Review cloud identity report overview Manual, Disabled 1.1.0
Review controlled folder access events CMA_0471 - Review controlled folder access events Manual, Disabled 1.1.0
Review exploit protection events CMA_0472 - Review exploit protection events Manual, Disabled 1.1.0
Review file and folder activity CMA_0473 - Review file and folder activity Manual, Disabled 1.1.0
Review malware detections report weekly CMA_0475 - Review malware detections report weekly Manual, Disabled 1.1.0
Review role group changes weekly CMA_0476 - Review role group changes weekly Manual, Disabled 1.1.0
Review threat protection status weekly CMA_0479 - Review threat protection status weekly Manual, Disabled 1.1.0
Update antivirus definitions CMA_0517 - Update antivirus definitions Manual, Disabled 1.1.0

09.04 Protection Against Malicious and Mobile Code

ID: 0219.09j2Organizational.12-09.j Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Review malware detections report weekly CMA_0475 - Review malware detections report weekly Manual, Disabled 1.1.0
Review threat protection status weekly CMA_0479 - Review threat protection status weekly Manual, Disabled 1.1.0
Update antivirus definitions CMA_0517 - Update antivirus definitions Manual, Disabled 1.1.0

09.04 Protection Against Malicious and Mobile Code

ID: 0225.09k1Organizational.1-09.k Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authorize, monitor, and control usage of mobile code technologies CMA_C1653 - Authorize, monitor, and control usage of mobile code technologies Manual, Disabled 1.1.0
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Define acceptable and unacceptable mobile code technologies CMA_C1651 - Define acceptable and unacceptable mobile code technologies Manual, Disabled 1.1.0
Establish usage restrictions for mobile code technologies CMA_C1652 - Establish usage restrictions for mobile code technologies Manual, Disabled 1.1.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Review malware detections report weekly CMA_0475 - Review malware detections report weekly Manual, Disabled 1.1.0
Review threat protection status weekly CMA_0479 - Review threat protection status weekly Manual, Disabled 1.1.0
Update antivirus definitions CMA_0517 - Update antivirus definitions Manual, Disabled 1.1.0

09.04 Protection Against Malicious and Mobile Code

ID: 0226.09k1Organizational.2-09.k Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authorize, monitor, and control usage of mobile code technologies CMA_C1653 - Authorize, monitor, and control usage of mobile code technologies Manual, Disabled 1.1.0
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Define acceptable and unacceptable mobile code technologies CMA_C1651 - Define acceptable and unacceptable mobile code technologies Manual, Disabled 1.1.0
Establish usage restrictions for mobile code technologies CMA_C1652 - Establish usage restrictions for mobile code technologies Manual, Disabled 1.1.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Review malware detections report weekly CMA_0475 - Review malware detections report weekly Manual, Disabled 1.1.0
Update antivirus definitions CMA_0517 - Update antivirus definitions Manual, Disabled 1.1.0

09.04 Protection Against Malicious and Mobile Code

ID: 0227.09k2Organizational.12-09.k Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Authorize, monitor, and control usage of mobile code technologies CMA_C1653 - Authorize, monitor, and control usage of mobile code technologies Manual, Disabled 1.1.0
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Define acceptable and unacceptable mobile code technologies CMA_C1651 - Define acceptable and unacceptable mobile code technologies Manual, Disabled 1.1.0
Define mobile device requirements CMA_0122 - Define mobile device requirements Manual, Disabled 1.1.0
Enforce logical access CMA_0245 - Enforce logical access Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
Establish usage restrictions for mobile code technologies CMA_C1652 - Establish usage restrictions for mobile code technologies Manual, Disabled 1.1.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Require approval for account creation CMA_0431 - Require approval for account creation Manual, Disabled 1.1.0
Review malware detections report weekly CMA_0475 - Review malware detections report weekly Manual, Disabled 1.1.0
Review threat protection status weekly CMA_0479 - Review threat protection status weekly Manual, Disabled 1.1.0
Review user groups and applications with access to sensitive data CMA_0481 - Review user groups and applications with access to sensitive data Manual, Disabled 1.1.0
Update antivirus definitions CMA_0517 - Update antivirus definitions Manual, Disabled 1.1.0

09.04 Protection Against Malicious and Mobile Code

ID: 0228.09k2Organizational.3-09.k Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Automate process to highlight unreviewed change proposals CMA_C1193 - Automate process to highlight unreviewed change proposals Manual, Disabled 1.1.0
Conduct a security impact analysis CMA_0057 - Conduct a security impact analysis Manual, Disabled 1.1.0
Enforce security configuration settings CMA_0249 - Enforce security configuration settings Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Establish configuration management requirements for developers CMA_0270 - Establish configuration management requirements for developers Manual, Disabled 1.1.0
Govern compliance of cloud service providers CMA_0290 - Govern compliance of cloud service providers Manual, Disabled 1.1.0
Perform a privacy impact assessment CMA_0387 - Perform a privacy impact assessment Manual, Disabled 1.1.0
Perform audit for configuration change control CMA_0390 - Perform audit for configuration change control Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0
View and configure system diagnostic data CMA_0544 - View and configure system diagnostic data Manual, Disabled 1.1.0

03 Portable Media Security

09.07 Media Handling

ID: 0301.09o1Organizational.123-09.o Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Control maintenance and repair activities CMA_0080 - Control maintenance and repair activities Manual, Disabled 1.1.0
Control use of portable storage devices CMA_0083 - Control use of portable storage devices Manual, Disabled 1.1.0
Define mobile device requirements CMA_0122 - Define mobile device requirements Manual, Disabled 1.1.0
Document and implement wireless access guidelines CMA_0190 - Document and implement wireless access guidelines Manual, Disabled 1.1.0
Employ a media sanitization mechanism CMA_0208 - Employ a media sanitization mechanism Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Manage nonlocal maintenance and diagnostic activities CMA_0364 - Manage nonlocal maintenance and diagnostic activities Manual, Disabled 1.1.0
Manage the transportation of assets CMA_0370 - Manage the transportation of assets Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Protect wireless access CMA_0411 - Protect wireless access Manual, Disabled 1.1.0
Restrict media use CMA_0450 - Restrict media use Manual, Disabled 1.1.0
Review and update media protection policies and procedures CMA_C1427 - Review and update media protection policies and procedures Manual, Disabled 1.1.0
Transparent Data Encryption on SQL databases should be enabled Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements AuditIfNotExists, Disabled 2.0.0

09.07 Media Handling

ID: 0302.09o2Organizational.1-09.o Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Control use of portable storage devices CMA_0083 - Control use of portable storage devices Manual, Disabled 1.1.0
Employ a media sanitization mechanism CMA_0208 - Employ a media sanitization mechanism Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Manage the transportation of assets CMA_0370 - Manage the transportation of assets Manual, Disabled 1.1.0
Restrict media use CMA_0450 - Restrict media use Manual, Disabled 1.1.0
Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison AuditIfNotExists, Disabled 2.0.3

09.07 Media Handling

ID: 0303.09o2Organizational.2-09.o Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Control use of portable storage devices CMA_0083 - Control use of portable storage devices Manual, Disabled 1.1.0
Employ a media sanitization mechanism CMA_0208 - Employ a media sanitization mechanism Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Manage the transportation of assets CMA_0370 - Manage the transportation of assets Manual, Disabled 1.1.0
Restrict media use CMA_0450 - Restrict media use Manual, Disabled 1.1.0

09.07 Media Handling

ID: 0304.09o3Organizational.1-09.o Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Control use of portable storage devices CMA_0083 - Control use of portable storage devices Manual, Disabled 1.1.0
Employ a media sanitization mechanism CMA_0208 - Employ a media sanitization mechanism Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Require encryption on Data Lake Store accounts This policy ensures encryption is enabled on all Data Lake Store accounts deny 1.0.0
Restrict media use CMA_0450 - Restrict media use Manual, Disabled 1.1.0
SQL managed instances should use customer-managed keys to encrypt data at rest Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. Audit, Deny, Disabled 2.0.0
SQL servers should use customer-managed keys to encrypt data at rest Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. Audit, Deny, Disabled 2.0.1

09.07 Media Handling

ID: 0305.09q1Organizational.12-09.q Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control maintenance and repair activities CMA_0080 - Control maintenance and repair activities Manual, Disabled 1.1.0
Control use of portable storage devices CMA_0083 - Control use of portable storage devices Manual, Disabled 1.1.0
Employ a media sanitization mechanism CMA_0208 - Employ a media sanitization mechanism Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Manage nonlocal maintenance and diagnostic activities CMA_0364 - Manage nonlocal maintenance and diagnostic activities Manual, Disabled 1.1.0
Manage the transportation of assets CMA_0370 - Manage the transportation of assets Manual, Disabled 1.1.0
Restrict media use CMA_0450 - Restrict media use Manual, Disabled 1.1.0

09.07 Media Handling

ID: 0306.09q1Organizational.3-09.q Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Automate information sharing decisions CMA_0028 - Automate information sharing decisions Manual, Disabled 1.1.0
Ensure authorized users protect provided authenticators CMA_C1339 - Ensure authorized users protect provided authenticators Manual, Disabled 1.1.0
Ensure there are no unencrypted static authenticators CMA_C1340 - Ensure there are no unencrypted static authenticators Manual, Disabled 1.1.0
Facilitate information sharing CMA_0284 - Facilitate information sharing Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Implement training for protecting authenticators CMA_0329 - Implement training for protecting authenticators Manual, Disabled 1.1.0

09.07 Media Handling

ID: 0307.09q2Organizational.12-09.q Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control information flow CMA_0079 - Control information flow Manual, Disabled 1.1.0
Employ flow control mechanisms of encrypted information CMA_0211 - Employ flow control mechanisms of encrypted information Manual, Disabled 1.1.0

09.07 Media Handling

ID: 0308.09q3Organizational.1-09.q Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Employ a media sanitization mechanism CMA_0208 - Employ a media sanitization mechanism Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Manage the transportation of assets CMA_0370 - Manage the transportation of assets Manual, Disabled 1.1.0

09.07 Media Handling

ID: 0314.09q3Organizational.2-09.q Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define a physical key management process CMA_0115 - Define a physical key management process Manual, Disabled 1.1.0
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0
Define organizational requirements for cryptographic key management CMA_0123 - Define organizational requirements for cryptographic key management Manual, Disabled 1.1.0
Determine assertion requirements CMA_0136 - Determine assertion requirements Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Issue public key certificates CMA_0347 - Issue public key certificates Manual, Disabled 1.1.0
Manage symmetric cryptographic keys CMA_0367 - Manage symmetric cryptographic keys Manual, Disabled 1.1.0
Manage the transportation of assets CMA_0370 - Manage the transportation of assets Manual, Disabled 1.1.0
Restrict access to private keys CMA_0445 - Restrict access to private keys Manual, Disabled 1.1.0

04 Mobile Device Security

01.07 Mobile Computing and Teleworking

ID: 0401.01x1System.124579-01.x Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authorize, monitor, and control usage of mobile code technologies CMA_C1653 - Authorize, monitor, and control usage of mobile code technologies Manual, Disabled 1.1.0
Define acceptable and unacceptable mobile code technologies CMA_C1651 - Define acceptable and unacceptable mobile code technologies Manual, Disabled 1.1.0
Define mobile device requirements CMA_0122 - Define mobile device requirements Manual, Disabled 1.1.0
Establish usage restrictions for mobile code technologies CMA_C1652 - Establish usage restrictions for mobile code technologies Manual, Disabled 1.1.0
Implement system boundary protection CMA_0328 - Implement system boundary protection Manual, Disabled 1.1.0
Prohibit remote activation of collaborative computing devices CMA_C1648 - Prohibit remote activation of collaborative computing devices Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0

01.07 Mobile Computing and Teleworking

ID: 0403.01x1System.8-01.x Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define mobile device requirements CMA_0122 - Define mobile device requirements Manual, Disabled 1.1.0
Employ a media sanitization mechanism CMA_0208 - Employ a media sanitization mechanism Manual, Disabled 1.1.0
Ensure security safeguards not needed when the individuals return CMA_C1183 - Ensure security safeguards not needed when the individuals return Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Manage the transportation of assets CMA_0370 - Manage the transportation of assets Manual, Disabled 1.1.0
Not allow for information systems to accompany with individuals CMA_C1182 - Not allow for information systems to accompany with individuals Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0

01.07 Mobile Computing and Teleworking

ID: 0405.01y1Organizational.12345678-01.y Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define mobile device requirements CMA_0122 - Define mobile device requirements Manual, Disabled 1.1.0

01.07 Mobile Computing and Teleworking

ID: 0407.01y2Organizational.1-01.y Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define mobile device requirements CMA_0122 - Define mobile device requirements Manual, Disabled 1.1.0
Implement controls to secure alternate work sites CMA_0315 - Implement controls to secure alternate work sites Manual, Disabled 1.1.0

01.07 Mobile Computing and Teleworking

ID: 0408.01y3Organizational.12-01.y Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control maintenance and repair activities CMA_0080 - Control maintenance and repair activities Manual, Disabled 1.1.0
Employ a media sanitization mechanism CMA_0208 - Employ a media sanitization mechanism Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Implement physical security for offices, working areas, and secure areas CMA_0323 - Implement physical security for offices, working areas, and secure areas Manual, Disabled 1.1.0
Manage nonlocal maintenance and diagnostic activities CMA_0364 - Manage nonlocal maintenance and diagnostic activities Manual, Disabled 1.1.0

01.07 Mobile Computing and Teleworking

ID: 0409.01y3Organizational.3-01.y Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define mobile device requirements CMA_0122 - Define mobile device requirements Manual, Disabled 1.1.0

01.07 Mobile Computing and Teleworking

ID: 0410.01x1System.12-01.xMobileComputingandCommunications Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define mobile device requirements CMA_0122 - Define mobile device requirements Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0

01.07 Mobile Computing and Teleworking

ID: 0415.01y1Organizational.10-01.y Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control maintenance and repair activities CMA_0080 - Control maintenance and repair activities Manual, Disabled 1.1.0
Define mobile device requirements CMA_0122 - Define mobile device requirements Manual, Disabled 1.1.0
Employ a media sanitization mechanism CMA_0208 - Employ a media sanitization mechanism Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Manage nonlocal maintenance and diagnostic activities CMA_0364 - Manage nonlocal maintenance and diagnostic activities Manual, Disabled 1.1.0

01.07 Mobile Computing and Teleworking

ID: 0416.01y3Organizational.4-01.y Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control maintenance and repair activities CMA_0080 - Control maintenance and repair activities Manual, Disabled 1.1.0
Define mobile device requirements CMA_0122 - Define mobile device requirements Manual, Disabled 1.1.0
Manage nonlocal maintenance and diagnostic activities CMA_0364 - Manage nonlocal maintenance and diagnostic activities Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0

01.07 Mobile Computing and Teleworking

ID: 0417.01y3Organizational.5-01.y Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define mobile device requirements CMA_0122 - Define mobile device requirements Manual, Disabled 1.1.0

01.07 Mobile Computing and Teleworking

ID: 0425.01x1System.13-01.x Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define mobile device requirements CMA_0122 - Define mobile device requirements Manual, Disabled 1.1.0

01.07 Mobile Computing and Teleworking

ID: 0426.01x2System.1-01.x Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define mobile device requirements CMA_0122 - Define mobile device requirements Manual, Disabled 1.1.0
Employ a media sanitization mechanism CMA_0208 - Employ a media sanitization mechanism Manual, Disabled 1.1.0
Ensure security safeguards not needed when the individuals return CMA_C1183 - Ensure security safeguards not needed when the individuals return Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Manage the transportation of assets CMA_0370 - Manage the transportation of assets Manual, Disabled 1.1.0
Not allow for information systems to accompany with individuals CMA_C1182 - Not allow for information systems to accompany with individuals Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0

01.07 Mobile Computing and Teleworking

ID: 0427.01x2System.2-01.x Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define mobile device requirements CMA_0122 - Define mobile device requirements Manual, Disabled 1.1.0
Ensure security safeguards not needed when the individuals return CMA_C1183 - Ensure security safeguards not needed when the individuals return Manual, Disabled 1.1.0
Not allow for information systems to accompany with individuals CMA_C1182 - Not allow for information systems to accompany with individuals Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0

01.07 Mobile Computing and Teleworking

ID: 0428.01x2System.3-01.x Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define mobile device requirements CMA_0122 - Define mobile device requirements Manual, Disabled 1.1.0
Ensure security safeguards not needed when the individuals return CMA_C1183 - Ensure security safeguards not needed when the individuals return Manual, Disabled 1.1.0
Not allow for information systems to accompany with individuals CMA_C1182 - Not allow for information systems to accompany with individuals Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0

01.07 Mobile Computing and Teleworking

ID: 0429.01x1System.14-01.x Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control use of portable storage devices CMA_0083 - Control use of portable storage devices Manual, Disabled 1.1.0
Define mobile device requirements CMA_0122 - Define mobile device requirements Manual, Disabled 1.1.0
Ensure security safeguards not needed when the individuals return CMA_C1183 - Ensure security safeguards not needed when the individuals return Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Not allow for information systems to accompany with individuals CMA_C1182 - Not allow for information systems to accompany with individuals Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Restrict media use CMA_0450 - Restrict media use Manual, Disabled 1.1.0

Access to the organizations information and systems by external parties is not permitted until due diligence has been conducted, the appropriate controls have been implemented, and a contract/agreement reflecting the security requirements is signed acknowledging they understand and accept their obligations.

ID: 1401.05i1Organizational.1239 - 05.i Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Secure transfer to storage accounts should be enabled Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Audit, Deny, Disabled 2.0.0

Remote access connections between the organization and external parties are encrypted.

ID: 1402.05i1Organizational.45 - 05.i Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Function apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled, Deny 5.0.0

Access granted to external parties is limited to the minimum necessary and granted only for the duration required.

ID: 1403.05i1Organizational.67 - 05.i Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
App Service apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled, Deny 4.0.0

ID: 1418.05i1Organizational.8 - 05.i Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Enforce SSL connection should be enabled for MySQL database servers Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Audit, Disabled 1.0.1

05 Wireless Security

09.06 Network Security Management

ID: 0504.09m2Organizational.5-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Document and implement wireless access guidelines CMA_0190 - Document and implement wireless access guidelines Manual, Disabled 1.1.0
Document wireless access security controls CMA_C1695 - Document wireless access security controls Manual, Disabled 1.1.0
Identify and authenticate network devices CMA_0296 - Identify and authenticate network devices Manual, Disabled 1.1.0
Protect wireless access CMA_0411 - Protect wireless access Manual, Disabled 1.1.0

09.06 Network Security Management

ID: 0505.09m2Organizational.3-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adopt biometric authentication mechanisms CMA_0005 - Adopt biometric authentication mechanisms Manual, Disabled 1.1.0
Define requirements for managing assets CMA_0125 - Define requirements for managing assets Manual, Disabled 1.1.0
Document wireless access security controls CMA_C1695 - Document wireless access security controls Manual, Disabled 1.1.0
Employ a media sanitization mechanism CMA_0208 - Employ a media sanitization mechanism Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Install an alarm system CMA_0338 - Install an alarm system Manual, Disabled 1.1.0
Manage a secure surveillance camera system CMA_0354 - Manage a secure surveillance camera system Manual, Disabled 1.1.0
Manage the transportation of assets CMA_0370 - Manage the transportation of assets Manual, Disabled 1.1.0

06 Configuration Management

06.02 Compliance with Security Policies and Standards, and Technical Compliance

ID: 0601.06g1Organizational.124-06.g Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Assess Security Controls CMA_C1145 - Assess Security Controls Manual, Disabled 1.1.0
Deliver security assessment results CMA_C1147 - Deliver security assessment results Manual, Disabled 1.1.0
Develop POA&M CMA_C1156 - Develop POA&M Manual, Disabled 1.1.0
Develop security assessment plan CMA_C1144 - Develop security assessment plan Manual, Disabled 1.1.0
Produce Security Assessment report CMA_C1146 - Produce Security Assessment report Manual, Disabled 1.1.0
Update POA&M items CMA_C1157 - Update POA&M items Manual, Disabled 1.1.0

06.02 Compliance with Security Policies and Standards, and Technical Compliance

ID: 0602.06g1Organizational.3-06.g Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Conduct Risk Assessment CMA_C1543 - Conduct Risk Assessment Manual, Disabled 1.1.0
Deliver security assessment results CMA_C1147 - Deliver security assessment results Manual, Disabled 1.1.0
Develop configuration management plan CMA_C1232 - Develop configuration management plan Manual, Disabled 1.1.0
Develop POA&M CMA_C1156 - Develop POA&M Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Establish configuration management requirements for developers CMA_0270 - Establish configuration management requirements for developers Manual, Disabled 1.1.0
Perform audit for configuration change control CMA_0390 - Perform audit for configuration change control Manual, Disabled 1.1.0
Produce Security Assessment report CMA_C1146 - Produce Security Assessment report Manual, Disabled 1.1.0
Require developers to document approved changes and potential impact CMA_C1597 - Require developers to document approved changes and potential impact Manual, Disabled 1.1.0
Update POA&M items CMA_C1157 - Update POA&M items Manual, Disabled 1.1.0

06.02 Compliance with Security Policies and Standards, and Technical Compliance

ID: 0603.06g2Organizational.1-06.g Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Enforce security configuration settings CMA_0249 - Enforce security configuration settings Manual, Disabled 1.1.0
Govern compliance of cloud service providers CMA_0290 - Govern compliance of cloud service providers Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0
Verify software, firmware and information integrity CMA_0542 - Verify software, firmware and information integrity Manual, Disabled 1.1.0
View and configure system diagnostic data CMA_0544 - View and configure system diagnostic data Manual, Disabled 1.1.0

06.02 Compliance with Security Policies and Standards, and Technical Compliance

ID: 0604.06g2Organizational.2-06.g Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Analyse data obtained from continuous monitoring CMA_C1169 - Analyse data obtained from continuous monitoring Manual, Disabled 1.1.0
Configure detection whitelist CMA_0068 - Configure detection whitelist Manual, Disabled 1.1.0
Develop security assessment plan CMA_C1144 - Develop security assessment plan Manual, Disabled 1.1.0
Employ independent assessors for continuous monitoring CMA_C1168 - Employ independent assessors for continuous monitoring Manual, Disabled 1.1.0
Employ independent assessors to conduct security control assessments CMA_C1148 - Employ independent assessors to conduct security control assessments Manual, Disabled 1.1.0
Turn on sensors for endpoint security solution CMA_0514 - Turn on sensors for endpoint security solution Manual, Disabled 1.1.0
Undergo independent security review CMA_0515 - Undergo independent security review Manual, Disabled 1.1.0

10.04 Security of System Files

ID: 0605.10h1System.12-10.h Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Limit privileges to make changes in production environment CMA_C1206 - Limit privileges to make changes in production environment Manual, Disabled 1.1.0
Review and reevaluate privileges CMA_C1207 - Review and reevaluate privileges Manual, Disabled 1.1.0
Vulnerabilities in security configuration on your machines should be remediated Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 3.0.0
Windows machines should meet requirements for 'Security Options - Audit' Windows machines should have the specified Group Policy settings in the category 'Security Options - Audit' for forcing audit policy subcategory and shutting down if unable to log security audits. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0
Windows machines should meet requirements for 'System Audit Policies - Account Management' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Management' for auditing application, security, and user group management, and other management events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0

06.02 Compliance with Security Policies and Standards, and Technical Compliance

ID: 0613.06h1Organizational.12-06.h Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0

06.02 Compliance with Security Policies and Standards, and Technical Compliance

ID: 0614.06h2Organizational.12-06.h Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Assess Security Controls CMA_C1145 - Assess Security Controls Manual, Disabled 1.1.0
Deliver security assessment results CMA_C1147 - Deliver security assessment results Manual, Disabled 1.1.0
Develop security assessment plan CMA_C1144 - Develop security assessment plan Manual, Disabled 1.1.0
Produce Security Assessment report CMA_C1146 - Produce Security Assessment report Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0
Select additional testing for security control assessments CMA_C1149 - Select additional testing for security control assessments Manual, Disabled 1.1.0

06.02 Compliance with Security Policies and Standards, and Technical Compliance

ID: 0615.06h2Organizational.3-06.h Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0

09.01 Documented Operating Procedures

ID: 0618.09b1System.1-09.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Automate approval request for proposed changes CMA_C1192 - Automate approval request for proposed changes Manual, Disabled 1.1.0
Automate implementation of approved change notifications CMA_C1196 - Automate implementation of approved change notifications Manual, Disabled 1.1.0
Conduct a security impact analysis CMA_0057 - Conduct a security impact analysis Manual, Disabled 1.1.0
Develop and maintain a vulnerability management standard CMA_0152 - Develop and maintain a vulnerability management standard Manual, Disabled 1.1.0
Enforce security configuration settings CMA_0249 - Enforce security configuration settings Manual, Disabled 1.1.0
Establish a risk management strategy CMA_0258 - Establish a risk management strategy Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Establish configuration management requirements for developers CMA_0270 - Establish configuration management requirements for developers Manual, Disabled 1.1.0
Govern compliance of cloud service providers CMA_0290 - Govern compliance of cloud service providers Manual, Disabled 1.1.0
Perform a privacy impact assessment CMA_0387 - Perform a privacy impact assessment Manual, Disabled 1.1.0
Perform a risk assessment CMA_0388 - Perform a risk assessment Manual, Disabled 1.1.0
Perform audit for configuration change control CMA_0390 - Perform audit for configuration change control Manual, Disabled 1.1.0
Require developers to document approved changes and potential impact CMA_C1597 - Require developers to document approved changes and potential impact Manual, Disabled 1.1.0
Require developers to manage change integrity CMA_C1595 - Require developers to manage change integrity Manual, Disabled 1.1.0
Retain previous versions of baseline configs CMA_C1181 - Retain previous versions of baseline configs Manual, Disabled 1.1.0
View and configure system diagnostic data CMA_0544 - View and configure system diagnostic data Manual, Disabled 1.1.0

10.04 Security of System Files

ID: 0626.10h1System.3-10.h Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Employ automatic shutdown/restart when violations are detected CMA_C1715 - Employ automatic shutdown/restart when violations are detected Manual, Disabled 1.1.0
Verify software, firmware and information integrity CMA_0542 - Verify software, firmware and information integrity Manual, Disabled 1.1.0
View and configure system diagnostic data CMA_0544 - View and configure system diagnostic data Manual, Disabled 1.1.0

10.04 Security of System Files

ID: 0627.10h1System.45-10.h Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure actions for noncompliant devices CMA_0062 - Configure actions for noncompliant devices Manual, Disabled 1.1.0
Develop and maintain baseline configurations CMA_0153 - Develop and maintain baseline configurations Manual, Disabled 1.1.0
Enforce security configuration settings CMA_0249 - Enforce security configuration settings Manual, Disabled 1.1.0
Ensure security safeguards not needed when the individuals return CMA_C1183 - Ensure security safeguards not needed when the individuals return Manual, Disabled 1.1.0
Establish a configuration control board CMA_0254 - Establish a configuration control board Manual, Disabled 1.1.0
Establish and document a configuration management plan CMA_0264 - Establish and document a configuration management plan Manual, Disabled 1.1.0
Implement an automated configuration management tool CMA_0311 - Implement an automated configuration management tool Manual, Disabled 1.1.0
Not allow for information systems to accompany with individuals CMA_C1182 - Not allow for information systems to accompany with individuals Manual, Disabled 1.1.0
Retain previous versions of baseline configs CMA_C1181 - Retain previous versions of baseline configs Manual, Disabled 1.1.0
Verify software, firmware and information integrity CMA_0542 - Verify software, firmware and information integrity Manual, Disabled 1.1.0
View and configure system diagnostic data CMA_0544 - View and configure system diagnostic data Manual, Disabled 1.1.0

10.04 Security of System Files

ID: 0628.10h1System.6-10.h Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Employ automatic shutdown/restart when violations are detected CMA_C1715 - Employ automatic shutdown/restart when violations are detected Manual, Disabled 1.1.0
Incorporate flaw remediation into configuration management CMA_C1671 - Incorporate flaw remediation into configuration management Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0
Verify software, firmware and information integrity CMA_0542 - Verify software, firmware and information integrity Manual, Disabled 1.1.0

10.05 Security In Development and Support Processes

ID: 0635.10k1Organizational.12-10.k Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Incorporate flaw remediation into configuration management CMA_C1671 - Incorporate flaw remediation into configuration management Manual, Disabled 1.1.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0
Review development process, standards and tools CMA_C1610 - Review development process, standards and tools Manual, Disabled 1.1.0
Review malware detections report weekly CMA_0475 - Review malware detections report weekly Manual, Disabled 1.1.0
Review threat protection status weekly CMA_0479 - Review threat protection status weekly Manual, Disabled 1.1.0
Update antivirus definitions CMA_0517 - Update antivirus definitions Manual, Disabled 1.1.0
Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0

10.05 Security In Development and Support Processes

ID: 0636.10k2Organizational.1-10.k Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Create configuration plan protection CMA_C1233 - Create configuration plan protection Manual, Disabled 1.1.0
Develop and maintain baseline configurations CMA_0153 - Develop and maintain baseline configurations Manual, Disabled 1.1.0
Develop configuration item identification plan CMA_C1231 - Develop configuration item identification plan Manual, Disabled 1.1.0
Develop configuration management plan CMA_C1232 - Develop configuration management plan Manual, Disabled 1.1.0
Establish and document a configuration management plan CMA_0264 - Establish and document a configuration management plan Manual, Disabled 1.1.0
Implement an automated configuration management tool CMA_0311 - Implement an automated configuration management tool Manual, Disabled 1.1.0
Review and update configuration management policies and procedures CMA_C1175 - Review and update configuration management policies and procedures Manual, Disabled 1.1.0
Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0

10.05 Security In Development and Support Processes

ID: 0637.10k2Organizational.2-10.k Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Create configuration plan protection CMA_C1233 - Create configuration plan protection Manual, Disabled 1.1.0
Develop and maintain baseline configurations CMA_0153 - Develop and maintain baseline configurations Manual, Disabled 1.1.0
Develop configuration item identification plan CMA_C1231 - Develop configuration item identification plan Manual, Disabled 1.1.0
Develop configuration management plan CMA_C1232 - Develop configuration management plan Manual, Disabled 1.1.0
Establish and document a configuration management plan CMA_0264 - Establish and document a configuration management plan Manual, Disabled 1.1.0
Implement an automated configuration management tool CMA_0311 - Implement an automated configuration management tool Manual, Disabled 1.1.0
Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0

10.05 Security In Development and Support Processes

ID: 0638.10k2Organizational.34569-10.k Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Automate implementation of approved change notifications CMA_C1196 - Automate implementation of approved change notifications Manual, Disabled 1.1.0
Automate process to document implemented changes CMA_C1195 - Automate process to document implemented changes Manual, Disabled 1.1.0
Automate process to highlight unreviewed change proposals CMA_C1193 - Automate process to highlight unreviewed change proposals Manual, Disabled 1.1.0
Automate process to prohibit implementation of unapproved changes CMA_C1194 - Automate process to prohibit implementation of unapproved changes Manual, Disabled 1.1.0
Automate proposed documented changes CMA_C1191 - Automate proposed documented changes Manual, Disabled 1.1.0
Conduct a security impact analysis CMA_0057 - Conduct a security impact analysis Manual, Disabled 1.1.0
Develop and maintain a vulnerability management standard CMA_0152 - Develop and maintain a vulnerability management standard Manual, Disabled 1.1.0
Establish a risk management strategy CMA_0258 - Establish a risk management strategy Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Establish configuration management requirements for developers CMA_0270 - Establish configuration management requirements for developers Manual, Disabled 1.1.0
Perform a privacy impact assessment CMA_0387 - Perform a privacy impact assessment Manual, Disabled 1.1.0
Perform a risk assessment CMA_0388 - Perform a risk assessment Manual, Disabled 1.1.0
Perform audit for configuration change control CMA_0390 - Perform audit for configuration change control Manual, Disabled 1.1.0
Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0

10.05 Security In Development and Support Processes

ID: 0639.10k2Organizational.78-10.k Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure actions for noncompliant devices CMA_0062 - Configure actions for noncompliant devices Manual, Disabled 1.1.0
Develop and maintain baseline configurations CMA_0153 - Develop and maintain baseline configurations Manual, Disabled 1.1.0
Enforce security configuration settings CMA_0249 - Enforce security configuration settings Manual, Disabled 1.1.0
Establish a configuration control board CMA_0254 - Establish a configuration control board Manual, Disabled 1.1.0
Establish and document a configuration management plan CMA_0264 - Establish and document a configuration management plan Manual, Disabled 1.1.0
Implement an automated configuration management tool CMA_0311 - Implement an automated configuration management tool Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0
Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0

10.05 Security In Development and Support Processes

ID: 0640.10k2Organizational.1012-10.k Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Address coding vulnerabilities CMA_0003 - Address coding vulnerabilities Manual, Disabled 1.1.0
Determine supplier contract obligations CMA_0140 - Determine supplier contract obligations Manual, Disabled 1.1.0
Develop and document application security requirements CMA_0148 - Develop and document application security requirements Manual, Disabled 1.1.0
Document acquisition contract acceptance criteria CMA_0187 - Document acquisition contract acceptance criteria Manual, Disabled 1.1.0
Document protection of personal data in acquisition contracts CMA_0194 - Document protection of personal data in acquisition contracts Manual, Disabled 1.1.0
Document protection of security information in acquisition contracts CMA_0195 - Document protection of security information in acquisition contracts Manual, Disabled 1.1.0
Document requirements for the use of shared data in contracts CMA_0197 - Document requirements for the use of shared data in contracts Manual, Disabled 1.1.0
Document security assurance requirements in acquisition contracts CMA_0199 - Document security assurance requirements in acquisition contracts Manual, Disabled 1.1.0
Document security documentation requirements in acquisition contract CMA_0200 - Document security documentation requirements in acquisition contract Manual, Disabled 1.1.0
Document security functional requirements in acquisition contracts CMA_0201 - Document security functional requirements in acquisition contracts Manual, Disabled 1.1.0
Document security strength requirements in acquisition contracts CMA_0203 - Document security strength requirements in acquisition contracts Manual, Disabled 1.1.0
Document the information system environment in acquisition contracts CMA_0205 - Document the information system environment in acquisition contracts Manual, Disabled 1.1.0
Document the protection of cardholder data in third party contracts CMA_0207 - Document the protection of cardholder data in third party contracts Manual, Disabled 1.1.0
Establish a secure software development program CMA_0259 - Establish a secure software development program Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Establish configuration management requirements for developers CMA_0270 - Establish configuration management requirements for developers Manual, Disabled 1.1.0
Perform audit for configuration change control CMA_0390 - Perform audit for configuration change control Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0
Require developers to document approved changes and potential impact CMA_C1597 - Require developers to document approved changes and potential impact Manual, Disabled 1.1.0
Require developers to manage change integrity CMA_C1595 - Require developers to manage change integrity Manual, Disabled 1.1.0
Require developers to produce evidence of security assessment plan execution CMA_C1602 - Require developers to produce evidence of security assessment plan execution Manual, Disabled 1.1.0
Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0

10.05 Security In Development and Support Processes

ID: 0641.10k2Organizational.11-10.k Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Conduct a security impact analysis CMA_0057 - Conduct a security impact analysis Manual, Disabled 1.1.0
Develop and establish a system security plan CMA_0151 - Develop and establish a system security plan Manual, Disabled 1.1.0
Develop and maintain a vulnerability management standard CMA_0152 - Develop and maintain a vulnerability management standard Manual, Disabled 1.1.0
Establish a risk management strategy CMA_0258 - Establish a risk management strategy Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Establish configuration management requirements for developers CMA_0270 - Establish configuration management requirements for developers Manual, Disabled 1.1.0
Establish security requirements for the manufacturing of connected devices CMA_0279 - Establish security requirements for the manufacturing of connected devices Manual, Disabled 1.1.0
Implement security engineering principles of information systems CMA_0325 - Implement security engineering principles of information systems Manual, Disabled 1.1.0
Perform a privacy impact assessment CMA_0387 - Perform a privacy impact assessment Manual, Disabled 1.1.0
Perform a risk assessment CMA_0388 - Perform a risk assessment Manual, Disabled 1.1.0
Perform audit for configuration change control CMA_0390 - Perform audit for configuration change control Manual, Disabled 1.1.0
Review development process, standards and tools CMA_C1610 - Review development process, standards and tools Manual, Disabled 1.1.0
Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0

10.05 Security In Development and Support Processes

ID: 0642.10k3Organizational.12-10.k Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure actions for noncompliant devices CMA_0062 - Configure actions for noncompliant devices Manual, Disabled 1.1.0
Develop and maintain baseline configurations CMA_0153 - Develop and maintain baseline configurations Manual, Disabled 1.1.0
Enforce security configuration settings CMA_0249 - Enforce security configuration settings Manual, Disabled 1.1.0
Establish a configuration control board CMA_0254 - Establish a configuration control board Manual, Disabled 1.1.0
Establish and document a configuration management plan CMA_0264 - Establish and document a configuration management plan Manual, Disabled 1.1.0
Implement an automated configuration management tool CMA_0311 - Implement an automated configuration management tool Manual, Disabled 1.1.0
Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0

10.05 Security In Development and Support Processes

ID: 0643.10k3Organizational.3-10.k Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Conduct a security impact analysis CMA_0057 - Conduct a security impact analysis Manual, Disabled 1.1.0
Configure actions for noncompliant devices CMA_0062 - Configure actions for noncompliant devices Manual, Disabled 1.1.0
Develop and maintain a vulnerability management standard CMA_0152 - Develop and maintain a vulnerability management standard Manual, Disabled 1.1.0
Develop and maintain baseline configurations CMA_0153 - Develop and maintain baseline configurations Manual, Disabled 1.1.0
Enforce security configuration settings CMA_0249 - Enforce security configuration settings Manual, Disabled 1.1.0
Establish a configuration control board CMA_0254 - Establish a configuration control board Manual, Disabled 1.1.0
Establish a risk management strategy CMA_0258 - Establish a risk management strategy Manual, Disabled 1.1.0
Establish and document a configuration management plan CMA_0264 - Establish and document a configuration management plan Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Establish configuration management requirements for developers CMA_0270 - Establish configuration management requirements for developers Manual, Disabled 1.1.0
Implement an automated configuration management tool CMA_0311 - Implement an automated configuration management tool Manual, Disabled 1.1.0
Perform a privacy impact assessment CMA_0387 - Perform a privacy impact assessment Manual, Disabled 1.1.0
Perform a risk assessment CMA_0388 - Perform a risk assessment Manual, Disabled 1.1.0
Perform audit for configuration change control CMA_0390 - Perform audit for configuration change control Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0
Retain previous versions of baseline configs CMA_C1181 - Retain previous versions of baseline configs Manual, Disabled 1.1.0
Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0

10.05 Security In Development and Support Processes

ID: 0644.10k3Organizational.4-10.k Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Assign account managers CMA_0015 - Assign account managers Manual, Disabled 1.1.0
Audit user account status CMA_0020 - Audit user account status Manual, Disabled 1.1.0
Define and enforce conditions for shared and group accounts CMA_0117 - Define and enforce conditions for shared and group accounts Manual, Disabled 1.1.0
Define information system account types CMA_0121 - Define information system account types Manual, Disabled 1.1.0
Develop configuration item identification plan CMA_C1231 - Develop configuration item identification plan Manual, Disabled 1.1.0
Develop configuration management plan CMA_C1232 - Develop configuration management plan Manual, Disabled 1.1.0
Document access privileges CMA_0186 - Document access privileges Manual, Disabled 1.1.0
Enforce security configuration settings CMA_0249 - Enforce security configuration settings Manual, Disabled 1.1.0
Establish conditions for role membership CMA_0269 - Establish conditions for role membership Manual, Disabled 1.1.0
Govern compliance of cloud service providers CMA_0290 - Govern compliance of cloud service providers Manual, Disabled 1.1.0
Monitor account activity CMA_0377 - Monitor account activity Manual, Disabled 1.1.0
Notify Account Managers of customer controlled accounts CMA_C1009 - Notify Account Managers of customer controlled accounts Manual, Disabled 1.1.0
Reissue authenticators for changed groups and accounts CMA_0426 - Reissue authenticators for changed groups and accounts Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0
Require approval for account creation CMA_0431 - Require approval for account creation Manual, Disabled 1.1.0
Restrict access to privileged accounts CMA_0446 - Restrict access to privileged accounts Manual, Disabled 1.1.0
Review account provisioning logs CMA_0460 - Review account provisioning logs Manual, Disabled 1.1.0
Review user accounts CMA_0480 - Review user accounts Manual, Disabled 1.1.0
View and configure system diagnostic data CMA_0544 - View and configure system diagnostic data Manual, Disabled 1.1.0
Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0

09.08 Exchange of Information

ID: 0662.09sCSPOrganizational.2-09.s Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
App Service apps should have 'Client Certificates (Incoming client certificates)' enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. Audit, Disabled 3.0.0
Employ independent assessors to conduct security control assessments CMA_C1148 - Employ independent assessors to conduct security control assessments Manual, Disabled 1.1.0
Select additional testing for security control assessments CMA_C1149 - Select additional testing for security control assessments Manual, Disabled 1.1.0

10.04 Security of System Files

ID: 0663.10h1System.7-10.h Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit privileged functions CMA_0019 - Audit privileged functions Manual, Disabled 1.1.0
Audit user account status CMA_0020 - Audit user account status Manual, Disabled 1.1.0
Detect network services that have not been authorized or approved CMA_C1700 - Detect network services that have not been authorized or approved Manual, Disabled 1.1.0
Determine auditable events CMA_0137 - Determine auditable events Manual, Disabled 1.1.0
Document wireless access security controls CMA_C1695 - Document wireless access security controls Manual, Disabled 1.1.0
Employ automatic shutdown/restart when violations are detected CMA_C1715 - Employ automatic shutdown/restart when violations are detected Manual, Disabled 1.1.0
Implement system boundary protection CMA_0328 - Implement system boundary protection Manual, Disabled 1.1.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0
Review audit data CMA_0466 - Review audit data Manual, Disabled 1.1.0
Review malware detections report weekly CMA_0475 - Review malware detections report weekly Manual, Disabled 1.1.0
Review threat protection status weekly CMA_0479 - Review threat protection status weekly Manual, Disabled 1.1.0
Update antivirus definitions CMA_0517 - Update antivirus definitions Manual, Disabled 1.1.0
Verify software, firmware and information integrity CMA_0542 - Verify software, firmware and information integrity Manual, Disabled 1.1.0
View and configure system diagnostic data CMA_0544 - View and configure system diagnostic data Manual, Disabled 1.1.0

10.04 Security of System Files

ID: 0669.10hCSPSystem.1-10.h Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Address coding vulnerabilities CMA_0003 - Address coding vulnerabilities Manual, Disabled 1.1.0
Configure actions for noncompliant devices CMA_0062 - Configure actions for noncompliant devices Manual, Disabled 1.1.0
Develop and document application security requirements CMA_0148 - Develop and document application security requirements Manual, Disabled 1.1.0
Develop and maintain baseline configurations CMA_0153 - Develop and maintain baseline configurations Manual, Disabled 1.1.0
Develop configuration item identification plan CMA_C1231 - Develop configuration item identification plan Manual, Disabled 1.1.0
Develop configuration management plan CMA_C1232 - Develop configuration management plan Manual, Disabled 1.1.0
Document the information system environment in acquisition contracts CMA_0205 - Document the information system environment in acquisition contracts Manual, Disabled 1.1.0
Enforce security configuration settings CMA_0249 - Enforce security configuration settings Manual, Disabled 1.1.0
Establish a configuration control board CMA_0254 - Establish a configuration control board Manual, Disabled 1.1.0
Establish a secure software development program CMA_0259 - Establish a secure software development program Manual, Disabled 1.1.0
Establish and document a configuration management plan CMA_0264 - Establish and document a configuration management plan Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Establish configuration management requirements for developers CMA_0270 - Establish configuration management requirements for developers Manual, Disabled 1.1.0
Implement an automated configuration management tool CMA_0311 - Implement an automated configuration management tool Manual, Disabled 1.1.0
Perform audit for configuration change control CMA_0390 - Perform audit for configuration change control Manual, Disabled 1.1.0
Require developers to manage change integrity CMA_C1595 - Require developers to manage change integrity Manual, Disabled 1.1.0

10.04 Security of System Files

ID: 0670.10hCSPSystem.2-10.h Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adhere to retention periods defined CMA_0004 - Adhere to retention periods defined Manual, Disabled 1.1.0
Perform disposition review CMA_0391 - Perform disposition review Manual, Disabled 1.1.0
Verify personal data is deleted at the end of processing CMA_0540 - Verify personal data is deleted at the end of processing Manual, Disabled 1.1.0

10.05 Security In Development and Support Processes

ID: 0671.10k1System.1-10.k Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Address coding vulnerabilities CMA_0003 - Address coding vulnerabilities Manual, Disabled 1.1.0
Automate implementation of approved change notifications CMA_C1196 - Automate implementation of approved change notifications Manual, Disabled 1.1.0
Automate process to highlight unreviewed change proposals CMA_C1193 - Automate process to highlight unreviewed change proposals Manual, Disabled 1.1.0
Automate process to prohibit implementation of unapproved changes CMA_C1194 - Automate process to prohibit implementation of unapproved changes Manual, Disabled 1.1.0
Automate proposed documented changes CMA_C1191 - Automate proposed documented changes Manual, Disabled 1.1.0
Develop and document application security requirements CMA_0148 - Develop and document application security requirements Manual, Disabled 1.1.0
Document the information system environment in acquisition contracts CMA_0205 - Document the information system environment in acquisition contracts Manual, Disabled 1.1.0
Enforce security configuration settings CMA_0249 - Enforce security configuration settings Manual, Disabled 1.1.0
Establish a secure software development program CMA_0259 - Establish a secure software development program Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Establish configuration management requirements for developers CMA_0270 - Establish configuration management requirements for developers Manual, Disabled 1.1.0
Perform audit for configuration change control CMA_0390 - Perform audit for configuration change control Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0
Require developers to document approved changes and potential impact CMA_C1597 - Require developers to document approved changes and potential impact Manual, Disabled 1.1.0
Require developers to implement only approved changes CMA_C1596 - Require developers to implement only approved changes Manual, Disabled 1.1.0
Require developers to manage change integrity CMA_C1595 - Require developers to manage change integrity Manual, Disabled 1.1.0

10.05 Security In Development and Support Processes

ID: 0672.10k3System.5-10.k Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Conduct a security impact analysis CMA_0057 - Conduct a security impact analysis Manual, Disabled 1.1.0
Develop and maintain a vulnerability management standard CMA_0152 - Develop and maintain a vulnerability management standard Manual, Disabled 1.1.0
Employ automatic shutdown/restart when violations are detected CMA_C1715 - Employ automatic shutdown/restart when violations are detected Manual, Disabled 1.1.0
Establish a risk management strategy CMA_0258 - Establish a risk management strategy Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Establish configuration management requirements for developers CMA_0270 - Establish configuration management requirements for developers Manual, Disabled 1.1.0
Perform a privacy impact assessment CMA_0387 - Perform a privacy impact assessment Manual, Disabled 1.1.0
Perform a risk assessment CMA_0388 - Perform a risk assessment Manual, Disabled 1.1.0
Perform audit for configuration change control CMA_0390 - Perform audit for configuration change control Manual, Disabled 1.1.0
Prohibit binary/machine-executable code CMA_C1717 - Prohibit binary/machine-executable code Manual, Disabled 1.1.0
Verify software, firmware and information integrity CMA_0542 - Verify software, firmware and information integrity Manual, Disabled 1.1.0
View and configure system diagnostic data CMA_0544 - View and configure system diagnostic data Manual, Disabled 1.1.0

06.02 Compliance with Security Policies and Standards, and Technical Compliance

ID: 068.06g2Organizational.34-06.g Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Assess Security Controls CMA_C1145 - Assess Security Controls Manual, Disabled 1.1.0
Deliver security assessment results CMA_C1147 - Deliver security assessment results Manual, Disabled 1.1.0
Develop security assessment plan CMA_C1144 - Develop security assessment plan Manual, Disabled 1.1.0
Employ independent assessors for continuous monitoring CMA_C1168 - Employ independent assessors for continuous monitoring Manual, Disabled 1.1.0
Employ independent assessors to conduct security control assessments CMA_C1148 - Employ independent assessors to conduct security control assessments Manual, Disabled 1.1.0
Produce Security Assessment report CMA_C1146 - Produce Security Assessment report Manual, Disabled 1.1.0

06.02 Compliance with Security Policies and Standards, and Technical Compliance

ID: 069.06g2Organizational.56-06.g Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Conduct Risk Assessment CMA_C1543 - Conduct Risk Assessment Manual, Disabled 1.1.0
Conduct risk assessment and distribute its results CMA_C1544 - Conduct risk assessment and distribute its results Manual, Disabled 1.1.0
Conduct risk assessment and document its results CMA_C1542 - Conduct risk assessment and document its results Manual, Disabled 1.1.0
Configure detection whitelist CMA_0068 - Configure detection whitelist Manual, Disabled 1.1.0
Perform a risk assessment CMA_0388 - Perform a risk assessment Manual, Disabled 1.1.0
Turn on sensors for endpoint security solution CMA_0514 - Turn on sensors for endpoint security solution Manual, Disabled 1.1.0
Undergo independent security review CMA_0515 - Undergo independent security review Manual, Disabled 1.1.0

07 Vulnerability Management

07.01 Responsibility for Assets

ID: 0701.07a1Organizational.12-07.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Conduct exit interview upon termination CMA_0058 - Conduct exit interview upon termination Manual, Disabled 1.1.0
Create a data inventory CMA_0096 - Create a data inventory Manual, Disabled 1.1.0
Disable authenticators upon termination CMA_0169 - Disable authenticators upon termination Manual, Disabled 1.1.0
Establish and maintain an asset inventory CMA_0266 - Establish and maintain an asset inventory Manual, Disabled 1.1.0
Notify upon termination or transfer CMA_0381 - Notify upon termination or transfer Manual, Disabled 1.1.0
Protect against and prevent data theft from departing employees CMA_0398 - Protect against and prevent data theft from departing employees Manual, Disabled 1.1.0
Retain terminated user data CMA_0455 - Retain terminated user data Manual, Disabled 1.1.0

07.01 Responsibility for Assets

ID: 0702.07a1Organizational.3-07.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define information security roles and responsibilities CMA_C1565 - Define information security roles and responsibilities Manual, Disabled 1.1.0
Establish terms and conditions for processing resources CMA_C1077 - Establish terms and conditions for processing resources Manual, Disabled 1.1.0

07.01 Responsibility for Assets

ID: 0703.07a2Organizational.1-07.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Create a data inventory CMA_0096 - Create a data inventory Manual, Disabled 1.1.0
Establish and maintain an asset inventory CMA_0266 - Establish and maintain an asset inventory Manual, Disabled 1.1.0
Maintain records of processing of personal data CMA_0353 - Maintain records of processing of personal data Manual, Disabled 1.1.0

07.01 Responsibility for Assets

ID: 0704.07a3Organizational.12-07.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Create a data inventory CMA_0096 - Create a data inventory Manual, Disabled 1.1.0
Establish and maintain an asset inventory CMA_0266 - Establish and maintain an asset inventory Manual, Disabled 1.1.0
Maintain records of processing of personal data CMA_0353 - Maintain records of processing of personal data Manual, Disabled 1.1.0

07.01 Responsibility for Assets

ID: 0705.07a3Organizational.3-07.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define information security roles and responsibilities CMA_C1565 - Define information security roles and responsibilities Manual, Disabled 1.1.0
Identify individuals with security roles and responsibilities CMA_C1566 - Identify individuals with security roles and responsibilities Manual, Disabled 1.1.1
Integrate risk management process into SDLC CMA_C1567 - Integrate risk management process into SDLC Manual, Disabled 1.1.0

10.02 Correct Processing in Applications

ID: 0706.10b1System.12-10.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define information security roles and responsibilities CMA_C1565 - Define information security roles and responsibilities Manual, Disabled 1.1.0
Identify individuals with security roles and responsibilities CMA_C1566 - Identify individuals with security roles and responsibilities Manual, Disabled 1.1.1
Integrate risk management process into SDLC CMA_C1567 - Integrate risk management process into SDLC Manual, Disabled 1.1.0
Perform information input validation CMA_C1723 - Perform information input validation Manual, Disabled 1.1.0

10.02 Correct Processing in Applications

ID: 0708.10b2System.2-10.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Review and update information integrity policies and procedures CMA_C1667 - Review and update information integrity policies and procedures Manual, Disabled 1.1.0
Verify software, firmware and information integrity CMA_0542 - Verify software, firmware and information integrity Manual, Disabled 1.1.0
View and configure system diagnostic data CMA_0544 - View and configure system diagnostic data Manual, Disabled 1.1.0

10.06 Technical Vulnerability Management

ID: 0709.10m1Organizational.1-10.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
A vulnerability assessment solution should be enabled on your virtual machines Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. AuditIfNotExists, Disabled 3.0.0
Assess Security Controls CMA_C1145 - Assess Security Controls Manual, Disabled 1.1.0
Deliver security assessment results CMA_C1147 - Deliver security assessment results Manual, Disabled 1.1.0
Develop security assessment plan CMA_C1144 - Develop security assessment plan Manual, Disabled 1.1.0
Produce Security Assessment report CMA_C1146 - Produce Security Assessment report Manual, Disabled 1.1.0
Select additional testing for security control assessments CMA_C1149 - Select additional testing for security control assessments Manual, Disabled 1.1.0
SQL databases should have vulnerability findings resolved Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. AuditIfNotExists, Disabled 4.0.0
Vulnerabilities in container security configurations should be remediated Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. AuditIfNotExists, Disabled 3.0.0
Vulnerabilities in security configuration on your machines should be remediated Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 3.0.0
Vulnerabilities in security configuration on your virtual machine scale sets should be remediated Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. AuditIfNotExists, Disabled 3.0.0
Vulnerability assessment should be enabled on SQL Managed Instance Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. AuditIfNotExists, Disabled 1.0.1
Vulnerability assessment should be enabled on your SQL servers Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. AuditIfNotExists, Disabled 2.0.0
Windows machines should meet requirements for 'Security Options - Microsoft Network Server' Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Server' for disabling SMB v1 server. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0

10.06 Technical Vulnerability Management

ID: 0710.10m2Organizational.1-10.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure actions for noncompliant devices CMA_0062 - Configure actions for noncompliant devices Manual, Disabled 1.1.0
Develop and maintain baseline configurations CMA_0153 - Develop and maintain baseline configurations Manual, Disabled 1.1.0
Enforce security configuration settings CMA_0249 - Enforce security configuration settings Manual, Disabled 1.1.0
Establish a configuration control board CMA_0254 - Establish a configuration control board Manual, Disabled 1.1.0
Establish and document a configuration management plan CMA_0264 - Establish and document a configuration management plan Manual, Disabled 1.1.0
Govern compliance of cloud service providers CMA_0290 - Govern compliance of cloud service providers Manual, Disabled 1.1.0
Implement an automated configuration management tool CMA_0311 - Implement an automated configuration management tool Manual, Disabled 1.1.0
View and configure system diagnostic data CMA_0544 - View and configure system diagnostic data Manual, Disabled 1.1.0
Vulnerability assessment should be enabled on SQL Managed Instance Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. AuditIfNotExists, Disabled 1.0.1

10.06 Technical Vulnerability Management

ID: 0711.10m2Organizational.23-10.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
A vulnerability assessment solution should be enabled on your virtual machines Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. AuditIfNotExists, Disabled 3.0.0
Observe and report security weaknesses CMA_0384 - Observe and report security weaknesses Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Perform threat modeling CMA_0392 - Perform threat modeling Manual, Disabled 1.1.0

10.06 Technical Vulnerability Management

ID: 0712.10m2Organizational.4-10.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Employ independent team for penetration testing CMA_C1171 - Employ independent team for penetration testing Manual, Disabled 1.1.0
Select additional testing for security control assessments CMA_C1149 - Select additional testing for security control assessments Manual, Disabled 1.1.0

10.06 Technical Vulnerability Management

ID: 0713.10m2Organizational.5-10.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Automate flaw remediation CMA_0027 - Automate flaw remediation Manual, Disabled 1.1.0
Establish benchmarks for flaw remediation CMA_C1675 - Establish benchmarks for flaw remediation Manual, Disabled 1.1.0
Incorporate flaw remediation into configuration management CMA_C1671 - Incorporate flaw remediation into configuration management Manual, Disabled 1.1.0
Measure the time between flaw identification and flaw remediation CMA_C1674 - Measure the time between flaw identification and flaw remediation Manual, Disabled 1.1.0
Vulnerabilities in security configuration on your machines should be remediated Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 3.0.0

10.06 Technical Vulnerability Management

ID: 0714.10m2Organizational.7-10.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit privileged functions CMA_0019 - Audit privileged functions Manual, Disabled 1.1.0
Audit user account status CMA_0020 - Audit user account status Manual, Disabled 1.1.0
Correlate audit records CMA_0087 - Correlate audit records Manual, Disabled 1.1.0
Determine auditable events CMA_0137 - Determine auditable events Manual, Disabled 1.1.0
Establish requirements for audit review and reporting CMA_0277 - Establish requirements for audit review and reporting Manual, Disabled 1.1.0
Implement privileged access for executing vulnerability scanning activities CMA_C1555 - Implement privileged access for executing vulnerability scanning activities Manual, Disabled 1.1.0
Integrate audit review, analysis, and reporting CMA_0339 - Integrate audit review, analysis, and reporting Manual, Disabled 1.1.0
Integrate cloud app security with a siem CMA_0340 - Integrate cloud app security with a siem Manual, Disabled 1.1.0
Observe and report security weaknesses CMA_0384 - Observe and report security weaknesses Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Perform threat modeling CMA_0392 - Perform threat modeling Manual, Disabled 1.1.0
Review account provisioning logs CMA_0460 - Review account provisioning logs Manual, Disabled 1.1.0
Review administrator assignments weekly CMA_0461 - Review administrator assignments weekly Manual, Disabled 1.1.0
Review audit data CMA_0466 - Review audit data Manual, Disabled 1.1.0
Review cloud identity report overview CMA_0468 - Review cloud identity report overview Manual, Disabled 1.1.0
Review controlled folder access events CMA_0471 - Review controlled folder access events Manual, Disabled 1.1.0
Review exploit protection events CMA_0472 - Review exploit protection events Manual, Disabled 1.1.0
Review file and folder activity CMA_0473 - Review file and folder activity Manual, Disabled 1.1.0
Review role group changes weekly CMA_0476 - Review role group changes weekly Manual, Disabled 1.1.0
Vulnerabilities in security configuration on your virtual machine scale sets should be remediated Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. AuditIfNotExists, Disabled 3.0.0

10.06 Technical Vulnerability Management

ID: 0715.10m2Organizational.8-10.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Vulnerabilities in container security configurations should be remediated Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. AuditIfNotExists, Disabled 3.0.0

10.06 Technical Vulnerability Management

ID: 0716.10m3Organizational.1-10.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Assess Security Controls CMA_C1145 - Assess Security Controls Manual, Disabled 1.1.0
Deliver security assessment results CMA_C1147 - Deliver security assessment results Manual, Disabled 1.1.0
Develop security assessment plan CMA_C1144 - Develop security assessment plan Manual, Disabled 1.1.0
Produce Security Assessment report CMA_C1146 - Produce Security Assessment report Manual, Disabled 1.1.0
SQL databases should have vulnerability findings resolved Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. AuditIfNotExists, Disabled 4.0.0

10.06 Technical Vulnerability Management

ID: 0717.10m3Organizational.2-10.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Observe and report security weaknesses CMA_0384 - Observe and report security weaknesses Manual, Disabled 1.1.0
Perform threat modeling CMA_0392 - Perform threat modeling Manual, Disabled 1.1.0
Vulnerabilities in security configuration on your virtual machine scale sets should be remediated Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. AuditIfNotExists, Disabled 3.0.0

10.06 Technical Vulnerability Management

ID: 0718.10m3Organizational.34-10.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Automate flaw remediation CMA_0027 - Automate flaw remediation Manual, Disabled 1.1.0
Observe and report security weaknesses CMA_0384 - Observe and report security weaknesses Manual, Disabled 1.1.0
Perform threat modeling CMA_0392 - Perform threat modeling Manual, Disabled 1.1.0
Vulnerabilities in security configuration on your machines should be remediated Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 3.0.0

10.06 Technical Vulnerability Management

ID: 0719.10m3Organizational.5-10.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Observe and report security weaknesses CMA_0384 - Observe and report security weaknesses Manual, Disabled 1.1.0
Perform threat modeling CMA_0392 - Perform threat modeling Manual, Disabled 1.1.0
Vulnerability assessment should be enabled on SQL Managed Instance Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. AuditIfNotExists, Disabled 1.0.1

07.01 Responsibility for Assets

ID: 0720.07a1Organizational.4-07.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Create a data inventory CMA_0096 - Create a data inventory Manual, Disabled 1.1.0
Maintain records of processing of personal data CMA_0353 - Maintain records of processing of personal data Manual, Disabled 1.1.0

07.01 Responsibility for Assets

ID: 0722.07a1Organizational.67-07.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Require compliance with intellectual property rights CMA_0432 - Require compliance with intellectual property rights Manual, Disabled 1.1.0
Restrict use of open source software CMA_C1237 - Restrict use of open source software Manual, Disabled 1.1.0
Track software license usage CMA_C1235 - Track software license usage Manual, Disabled 1.1.0

07.01 Responsibility for Assets

ID: 0723.07a1Organizational.8-07.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Review and update media protection policies and procedures CMA_C1427 - Review and update media protection policies and procedures Manual, Disabled 1.1.0

07.01 Responsibility for Assets

ID: 0724.07a3Organizational.4-07.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Enable detection of network devices CMA_0220 - Enable detection of network devices Manual, Disabled 1.1.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Review malware detections report weekly CMA_0475 - Review malware detections report weekly Manual, Disabled 1.1.0
Review threat protection status weekly CMA_0479 - Review threat protection status weekly Manual, Disabled 1.1.0
Set automated notifications for new and trending cloud applications in your organization CMA_0495 - Set automated notifications for new and trending cloud applications in your organization Manual, Disabled 1.1.0
Update antivirus definitions CMA_0517 - Update antivirus definitions Manual, Disabled 1.1.0

07.01 Responsibility for Assets

ID: 0725.07a3Organizational.5-07.a Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Create a data inventory CMA_0096 - Create a data inventory Manual, Disabled 1.1.0
Establish and maintain an asset inventory CMA_0266 - Establish and maintain an asset inventory Manual, Disabled 1.1.0
Maintain records of processing of personal data CMA_0353 - Maintain records of processing of personal data Manual, Disabled 1.1.0

10.02 Correct Processing in Applications

ID: 0733.10b2System.4-10.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Perform information input validation CMA_C1723 - Perform information input validation Manual, Disabled 1.1.0
Verify software, firmware and information integrity CMA_0542 - Verify software, firmware and information integrity Manual, Disabled 1.1.0

10.06 Technical Vulnerability Management

ID: 0786.10m2Organizational.13-10.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Incorporate flaw remediation into configuration management CMA_C1671 - Incorporate flaw remediation into configuration management Manual, Disabled 1.1.0

10.06 Technical Vulnerability Management

ID: 0787.10m2Organizational.14-10.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Automate flaw remediation CMA_0027 - Automate flaw remediation Manual, Disabled 1.1.0
Establish benchmarks for flaw remediation CMA_C1675 - Establish benchmarks for flaw remediation Manual, Disabled 1.1.0
Incorporate flaw remediation into configuration management CMA_C1671 - Incorporate flaw remediation into configuration management Manual, Disabled 1.1.0
Measure the time between flaw identification and flaw remediation CMA_C1674 - Measure the time between flaw identification and flaw remediation Manual, Disabled 1.1.0

10.06 Technical Vulnerability Management

ID: 0788.10m3Organizational.20-10.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Employ independent team for penetration testing CMA_C1171 - Employ independent team for penetration testing Manual, Disabled 1.1.0

10.06 Technical Vulnerability Management

ID: 0790.10m3Organizational.22-10.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit privileged functions CMA_0019 - Audit privileged functions Manual, Disabled 1.1.0
Audit user account status CMA_0020 - Audit user account status Manual, Disabled 1.1.0
Correlate audit records CMA_0087 - Correlate audit records Manual, Disabled 1.1.0
Determine auditable events CMA_0137 - Determine auditable events Manual, Disabled 1.1.0
Establish requirements for audit review and reporting CMA_0277 - Establish requirements for audit review and reporting Manual, Disabled 1.1.0
Integrate audit review, analysis, and reporting CMA_0339 - Integrate audit review, analysis, and reporting Manual, Disabled 1.1.0
Integrate cloud app security with a siem CMA_0340 - Integrate cloud app security with a siem Manual, Disabled 1.1.0
Observe and report security weaknesses CMA_0384 - Observe and report security weaknesses Manual, Disabled 1.1.0
Perform threat modeling CMA_0392 - Perform threat modeling Manual, Disabled 1.1.0
Review account provisioning logs CMA_0460 - Review account provisioning logs Manual, Disabled 1.1.0
Review administrator assignments weekly CMA_0461 - Review administrator assignments weekly Manual, Disabled 1.1.0
Review audit data CMA_0466 - Review audit data Manual, Disabled 1.1.0
Review cloud identity report overview CMA_0468 - Review cloud identity report overview Manual, Disabled 1.1.0
Review controlled folder access events CMA_0471 - Review controlled folder access events Manual, Disabled 1.1.0
Review exploit protection events CMA_0472 - Review exploit protection events Manual, Disabled 1.1.0
Review file and folder activity CMA_0473 - Review file and folder activity Manual, Disabled 1.1.0
Review role group changes weekly CMA_0476 - Review role group changes weekly Manual, Disabled 1.1.0

10.02 Correct Processing in Applications

ID: 0791.10b2Organizational.4-10.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Address coding vulnerabilities CMA_0003 - Address coding vulnerabilities Manual, Disabled 1.1.0
Develop and document application security requirements CMA_0148 - Develop and document application security requirements Manual, Disabled 1.1.0
Document the information system environment in acquisition contracts CMA_0205 - Document the information system environment in acquisition contracts Manual, Disabled 1.1.0
Establish a secure software development program CMA_0259 - Establish a secure software development program Manual, Disabled 1.1.0
Require developers to document approved changes and potential impact CMA_C1597 - Require developers to document approved changes and potential impact Manual, Disabled 1.1.0
Require developers to implement only approved changes CMA_C1596 - Require developers to implement only approved changes Manual, Disabled 1.1.0
Require developers to manage change integrity CMA_C1595 - Require developers to manage change integrity Manual, Disabled 1.1.0
Verify software, firmware and information integrity CMA_0542 - Verify software, firmware and information integrity Manual, Disabled 1.1.0

08 Network Protection

01.04 Network Access Control

ID: 0805.01m1Organizational.12-01.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Container Registry should use a virtual network service endpoint This policy audits any Container Registry not configured to use a virtual network service endpoint. Audit, Disabled 1.0.0-preview
App Service apps should use a virtual network service endpoint Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit https://aka.ms/appservice-vnet-service-endpoint. AuditIfNotExists, Disabled 2.0.0
Cosmos DB should use a virtual network service endpoint This policy audits any Cosmos DB not configured to use a virtual network service endpoint. Audit, Disabled 1.0.0
Event Hub should use a virtual network service endpoint This policy audits any Event Hub not configured to use a virtual network service endpoint. AuditIfNotExists, Disabled 1.0.0
Gateway subnets should not be configured with a network security group This policy denies if a gateway subnet is configured with a network security group. Assigning a network security group to a gateway subnet will cause the gateway to stop functioning. deny 1.0.0
Implement system boundary protection CMA_0328 - Implement system boundary protection Manual, Disabled 1.1.0
Internet-facing virtual machines should be protected with network security groups Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc AuditIfNotExists, Disabled 3.0.0
Key Vault should use a virtual network service endpoint This policy audits any Key Vault not configured to use a virtual network service endpoint. Audit, Disabled 1.0.0
SQL Server should use a virtual network service endpoint This policy audits any SQL Server not configured to use a virtual network service endpoint. AuditIfNotExists, Disabled 1.0.0
Storage Accounts should use a virtual network service endpoint This policy audits any Storage Account not configured to use a virtual network service endpoint. Audit, Disabled 1.0.0
Subnets should be associated with a Network Security Group Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. AuditIfNotExists, Disabled 3.0.0
Virtual machines should be connected to an approved virtual network This policy audits any virtual machine connected to a virtual network that is not approved. Audit, Deny, Disabled 1.0.0

01.04 Network Access Control

ID: 0806.01m2Organizational.12356-01.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Container Registry should use a virtual network service endpoint This policy audits any Container Registry not configured to use a virtual network service endpoint. Audit, Disabled 1.0.0-preview
App Service apps should use a virtual network service endpoint Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit https://aka.ms/appservice-vnet-service-endpoint. AuditIfNotExists, Disabled 2.0.0
Cosmos DB should use a virtual network service endpoint This policy audits any Cosmos DB not configured to use a virtual network service endpoint. Audit, Disabled 1.0.0
Event Hub should use a virtual network service endpoint This policy audits any Event Hub not configured to use a virtual network service endpoint. AuditIfNotExists, Disabled 1.0.0
Gateway subnets should not be configured with a network security group This policy denies if a gateway subnet is configured with a network security group. Assigning a network security group to a gateway subnet will cause the gateway to stop functioning. deny 1.0.0
Implement system boundary protection CMA_0328 - Implement system boundary protection Manual, Disabled 1.1.0
Internet-facing virtual machines should be protected with network security groups Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc AuditIfNotExists, Disabled 3.0.0
Isolate SecurID systems, Security Incident Management systems CMA_C1636 - Isolate SecurID systems, Security Incident Management systems Manual, Disabled 1.1.0
Key Vault should use a virtual network service endpoint This policy audits any Key Vault not configured to use a virtual network service endpoint. Audit, Disabled 1.0.0
SQL Server should use a virtual network service endpoint This policy audits any SQL Server not configured to use a virtual network service endpoint. AuditIfNotExists, Disabled 1.0.0
Storage Accounts should use a virtual network service endpoint This policy audits any Storage Account not configured to use a virtual network service endpoint. Audit, Disabled 1.0.0
Subnets should be associated with a Network Security Group Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. AuditIfNotExists, Disabled 3.0.0
Virtual machines should be connected to an approved virtual network This policy audits any virtual machine connected to a virtual network that is not approved. Audit, Deny, Disabled 1.0.0

10.02 Correct Processing in Applications

ID: 0808.10b2System.3-10.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Implement system boundary protection CMA_0328 - Implement system boundary protection Manual, Disabled 1.1.0
Route traffic through authenticated proxy network CMA_C1633 - Route traffic through authenticated proxy network Manual, Disabled 1.1.0

01.04 Network Access Control

ID: 0809.01n2Organizational.1234-01.n Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adaptive network hardening recommendations should be applied on internet facing virtual machines Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface AuditIfNotExists, Disabled 3.0.0
App Service apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled, Deny 4.0.0
App Service apps should use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. AuditIfNotExists, Disabled 2.0.1
Authorize, monitor, and control voip CMA_0025 - Authorize, monitor, and control voip Manual, Disabled 1.1.0
Enforce SSL connection should be enabled for MySQL database servers Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Audit, Disabled 1.0.1
Enforce SSL connection should be enabled for PostgreSQL database servers Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Audit, Disabled 1.0.1
Function apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled, Deny 5.0.0
Function apps should use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. AuditIfNotExists, Disabled 2.0.1
Implement managed interface for each external service CMA_C1626 - Implement managed interface for each external service Manual, Disabled 1.1.0
Implement system boundary protection CMA_0328 - Implement system boundary protection Manual, Disabled 1.1.0
Internet-facing virtual machines should be protected with network security groups Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc AuditIfNotExists, Disabled 3.0.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Only secure connections to your Azure Cache for Redis should be enabled Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Audit, Deny, Disabled 1.0.0
Route traffic through managed network access points CMA_0484 - Route traffic through managed network access points Manual, Disabled 1.1.0
Secure the interface to external systems CMA_0491 - Secure the interface to external systems Manual, Disabled 1.1.0
Secure transfer to storage accounts should be enabled Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Audit, Deny, Disabled 2.0.0
Subnets should be associated with a Network Security Group Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. AuditIfNotExists, Disabled 3.0.0
Virtual machines should be connected to an approved virtual network This policy audits any virtual machine connected to a virtual network that is not approved. Audit, Deny, Disabled 1.0.0

01.04 Network Access Control

ID: 0810.01n2Organizational.5-01.n Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adaptive network hardening recommendations should be applied on internet facing virtual machines Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface AuditIfNotExists, Disabled 3.0.0
App Service apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled, Deny 4.0.0
App Service apps should use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. AuditIfNotExists, Disabled 2.0.1
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0
Enforce SSL connection should be enabled for MySQL database servers Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Audit, Disabled 1.0.1
Enforce SSL connection should be enabled for PostgreSQL database servers Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Audit, Disabled 1.0.1
Function apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled, Deny 5.0.0
Function apps should use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. AuditIfNotExists, Disabled 2.0.1
Internet-facing virtual machines should be protected with network security groups Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc AuditIfNotExists, Disabled 3.0.0
Only secure connections to your Azure Cache for Redis should be enabled Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Audit, Deny, Disabled 1.0.0
Produce, control and distribute asymmetric cryptographic keys CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0
Secure transfer to storage accounts should be enabled Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Audit, Deny, Disabled 2.0.0
Subnets should be associated with a Network Security Group Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. AuditIfNotExists, Disabled 3.0.0
Virtual machines should be connected to an approved virtual network This policy audits any virtual machine connected to a virtual network that is not approved. Audit, Deny, Disabled 1.0.0

09.06 Network Security Management

ID: 08101.09m2Organizational.14-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Employ a media sanitization mechanism CMA_0208 - Employ a media sanitization mechanism Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Implement system boundary protection CMA_0328 - Implement system boundary protection Manual, Disabled 1.1.0
Manage the transportation of assets CMA_0370 - Manage the transportation of assets Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0
Secure the interface to external systems CMA_0491 - Secure the interface to external systems Manual, Disabled 1.1.0

09.06 Network Security Management

ID: 08102.09nCSPOrganizational.1-09.n Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Implement system boundary protection CMA_0328 - Implement system boundary protection Manual, Disabled 1.1.0
Secure the interface to external systems CMA_0491 - Secure the interface to external systems Manual, Disabled 1.1.0

01.04 Network Access Control

ID: 0811.01n2Organizational.6-01.n Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adaptive network hardening recommendations should be applied on internet facing virtual machines Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface AuditIfNotExists, Disabled 3.0.0
App Service apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled, Deny 4.0.0
App Service apps should use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. AuditIfNotExists, Disabled 2.0.1
Authorize, monitor, and control voip CMA_0025 - Authorize, monitor, and control voip Manual, Disabled 1.1.0
Control information flow CMA_0079 - Control information flow Manual, Disabled 1.1.0
Determine information protection needs CMA_C1750 - Determine information protection needs Manual, Disabled 1.1.0
Employ flow control mechanisms of encrypted information CMA_0211 - Employ flow control mechanisms of encrypted information Manual, Disabled 1.1.0
Enforce SSL connection should be enabled for MySQL database servers Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Audit, Disabled 1.0.1
Enforce SSL connection should be enabled for PostgreSQL database servers Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Audit, Disabled 1.0.1
Establish firewall and router configuration standards CMA_0272 - Establish firewall and router configuration standards Manual, Disabled 1.1.0
Establish network segmentation for card holder data environment CMA_0273 - Establish network segmentation for card holder data environment Manual, Disabled 1.1.0
Function apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled, Deny 5.0.0
Function apps should use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. AuditIfNotExists, Disabled 2.0.1
Identify and manage downstream information exchanges CMA_0298 - Identify and manage downstream information exchanges Manual, Disabled 1.1.0
Implement managed interface for each external service CMA_C1626 - Implement managed interface for each external service Manual, Disabled 1.1.0
Implement system boundary protection CMA_0328 - Implement system boundary protection Manual, Disabled 1.1.0
Information flow control using security policy filters CMA_C1029 - Information flow control using security policy filters Manual, Disabled 1.1.0
Internet-facing virtual machines should be protected with network security groups Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc AuditIfNotExists, Disabled 3.0.0
Only secure connections to your Azure Cache for Redis should be enabled Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Audit, Deny, Disabled 1.0.0
Route traffic through managed network access points CMA_0484 - Route traffic through managed network access points Manual, Disabled 1.1.0
Secure the interface to external systems CMA_0491 - Secure the interface to external systems Manual, Disabled 1.1.0
Secure transfer to storage accounts should be enabled Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Audit, Deny, Disabled 2.0.0
Subnets should be associated with a Network Security Group Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. AuditIfNotExists, Disabled 3.0.0
Virtual machines should be connected to an approved virtual network This policy audits any virtual machine connected to a virtual network that is not approved. Audit, Deny, Disabled 1.0.0

01.04 Network Access Control

ID: 0812.01n2Organizational.8-01.n Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adaptive network hardening recommendations should be applied on internet facing virtual machines Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface AuditIfNotExists, Disabled 3.0.0
App Service apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled, Deny 4.0.0
App Service apps should use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. AuditIfNotExists, Disabled 2.0.1
Enforce SSL connection should be enabled for MySQL database servers Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Audit, Disabled 1.0.1
Enforce SSL connection should be enabled for PostgreSQL database servers Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Audit, Disabled 1.0.1
Function apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled, Deny 5.0.0
Function apps should use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. AuditIfNotExists, Disabled 2.0.1
Internet-facing virtual machines should be protected with network security groups Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc AuditIfNotExists, Disabled 3.0.0
Only secure connections to your Azure Cache for Redis should be enabled Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Audit, Deny, Disabled 1.0.0
Prevent split tunneling for remote devices CMA_C1632 - Prevent split tunneling for remote devices Manual, Disabled 1.1.0
Secure transfer to storage accounts should be enabled Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Audit, Deny, Disabled 2.0.0
Subnets should be associated with a Network Security Group Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. AuditIfNotExists, Disabled 3.0.0
Virtual machines should be connected to an approved virtual network This policy audits any virtual machine connected to a virtual network that is not approved. Audit, Deny, Disabled 1.0.0

01.04 Network Access Control

ID: 0814.01n1Organizational.12-01.n Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adaptive network hardening recommendations should be applied on internet facing virtual machines Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface AuditIfNotExists, Disabled 3.0.0
App Service apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled, Deny 4.0.0
App Service apps should use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. AuditIfNotExists, Disabled 2.0.1
Enforce SSL connection should be enabled for MySQL database servers Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Audit, Disabled 1.0.1
Enforce SSL connection should be enabled for PostgreSQL database servers Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Audit, Disabled 1.0.1
Function apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled, Deny 5.0.0
Function apps should use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. AuditIfNotExists, Disabled 2.0.1
Internet-facing virtual machines should be protected with network security groups Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc AuditIfNotExists, Disabled 3.0.0
Only secure connections to your Azure Cache for Redis should be enabled Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Audit, Deny, Disabled 1.0.0
Secure transfer to storage accounts should be enabled Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Audit, Deny, Disabled 2.0.0
Subnets should be associated with a Network Security Group Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. AuditIfNotExists, Disabled 3.0.0
Virtual machines should be connected to an approved virtual network This policy audits any virtual machine connected to a virtual network that is not approved. Audit, Deny, Disabled 1.0.0

01.04 Network Access Control

ID: 0815.01o2Organizational.123-01.o Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authorize, monitor, and control voip CMA_0025 - Authorize, monitor, and control voip Manual, Disabled 1.1.0
Implement system boundary protection CMA_0328 - Implement system boundary protection Manual, Disabled 1.1.0
Route traffic through authenticated proxy network CMA_C1633 - Route traffic through authenticated proxy network Manual, Disabled 1.1.0
Route traffic through managed network access points CMA_0484 - Route traffic through managed network access points Manual, Disabled 1.1.0

01.06 Application and Information Access Control

ID: 0816.01w1System.1-01.w Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop SSP that meets criteria CMA_C1492 - Develop SSP that meets criteria Manual, Disabled 1.1.0
Distribute information system documentation CMA_C1584 - Distribute information system documentation Manual, Disabled 1.1.0
Document customer-defined actions CMA_C1582 - Document customer-defined actions Manual, Disabled 1.1.0
Obtain Admin documentation CMA_C1580 - Obtain Admin documentation Manual, Disabled 1.1.0
Obtain user security function documentation CMA_C1581 - Obtain user security function documentation Manual, Disabled 1.1.0
Protect administrator and user documentation CMA_C1583 - Protect administrator and user documentation Manual, Disabled 1.1.0

01.06 Application and Information Access Control

ID: 0817.01w2System.123-01.w Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adopt biometric authentication mechanisms CMA_0005 - Adopt biometric authentication mechanisms Manual, Disabled 1.1.0
Authorize remote access CMA_0024 - Authorize remote access Manual, Disabled 1.1.0
Control information flow CMA_0079 - Control information flow Manual, Disabled 1.1.0
Employ boundary protection to isolate information systems CMA_C1639 - Employ boundary protection to isolate information systems Manual, Disabled 1.1.0
Ensure system capable of dynamic isolation of resources CMA_C1638 - Ensure system capable of dynamic isolation of resources Manual, Disabled 1.1.0
Establish firewall and router configuration standards CMA_0272 - Establish firewall and router configuration standards Manual, Disabled 1.1.0
Establish network segmentation for card holder data environment CMA_0273 - Establish network segmentation for card holder data environment Manual, Disabled 1.1.0
Identify and manage downstream information exchanges CMA_0298 - Identify and manage downstream information exchanges Manual, Disabled 1.1.0
Implement system boundary protection CMA_0328 - Implement system boundary protection Manual, Disabled 1.1.0
Isolate SecurID systems, Security Incident Management systems CMA_C1636 - Isolate SecurID systems, Security Incident Management systems Manual, Disabled 1.1.0
Maintain separate execution domains for running processes CMA_C1665 - Maintain separate execution domains for running processes Manual, Disabled 1.1.0
Separate user and information system management functionality CMA_0493 - Separate user and information system management functionality Manual, Disabled 1.1.0
Use dedicated machines for administrative tasks CMA_0527 - Use dedicated machines for administrative tasks Manual, Disabled 1.1.0

01.06 Application and Information Access Control

ID: 0818.01w3System.12-01.w Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Govern the allocation of resources CMA_0293 - Govern the allocation of resources Manual, Disabled 1.1.0
Maintain separate execution domains for running processes CMA_C1665 - Maintain separate execution domains for running processes Manual, Disabled 1.1.0
Manage availability and capacity CMA_0356 - Manage availability and capacity Manual, Disabled 1.1.0
Secure commitment from leadership CMA_0489 - Secure commitment from leadership Manual, Disabled 1.1.0

09.06 Network Security Management

ID: 0819.09m1Organizational.23-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Check for privacy and security compliance before establishing internal connections CMA_0053 - Check for privacy and security compliance before establishing internal connections Manual, Disabled 1.1.0
Require interconnection security agreements CMA_C1151 - Require interconnection security agreements Manual, Disabled 1.1.0

09.06 Network Security Management

ID: 0821.09m2Organizational.2-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Conduct a security impact analysis CMA_0057 - Conduct a security impact analysis Manual, Disabled 1.1.0
Configure actions for noncompliant devices CMA_0062 - Configure actions for noncompliant devices Manual, Disabled 1.1.0
Create configuration plan protection CMA_C1233 - Create configuration plan protection Manual, Disabled 1.1.0
Develop and maintain a vulnerability management standard CMA_0152 - Develop and maintain a vulnerability management standard Manual, Disabled 1.1.0
Develop and maintain baseline configurations CMA_0153 - Develop and maintain baseline configurations Manual, Disabled 1.1.0
Develop configuration item identification plan CMA_C1231 - Develop configuration item identification plan Manual, Disabled 1.1.0
Develop configuration management plan CMA_C1232 - Develop configuration management plan Manual, Disabled 1.1.0
Enforce security configuration settings CMA_0249 - Enforce security configuration settings Manual, Disabled 1.1.0
Establish a configuration control board CMA_0254 - Establish a configuration control board Manual, Disabled 1.1.0
Establish a risk management strategy CMA_0258 - Establish a risk management strategy Manual, Disabled 1.1.0
Establish and document a configuration management plan CMA_0264 - Establish and document a configuration management plan Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Establish configuration management requirements for developers CMA_0270 - Establish configuration management requirements for developers Manual, Disabled 1.1.0
Implement an automated configuration management tool CMA_0311 - Implement an automated configuration management tool Manual, Disabled 1.1.0
Perform a privacy impact assessment CMA_0387 - Perform a privacy impact assessment Manual, Disabled 1.1.0
Perform a risk assessment CMA_0388 - Perform a risk assessment Manual, Disabled 1.1.0
Perform audit for configuration change control CMA_0390 - Perform audit for configuration change control Manual, Disabled 1.1.0
Review changes for any unauthorized changes CMA_C1204 - Review changes for any unauthorized changes Manual, Disabled 1.1.0

09.06 Network Security Management

ID: 0822.09m2Organizational.4-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authorize, monitor, and control voip CMA_0025 - Authorize, monitor, and control voip Manual, Disabled 1.1.0
Control information flow CMA_0079 - Control information flow Manual, Disabled 1.1.0
Employ flow control mechanisms of encrypted information CMA_0211 - Employ flow control mechanisms of encrypted information Manual, Disabled 1.1.0
Implement managed interface for each external service CMA_C1626 - Implement managed interface for each external service Manual, Disabled 1.1.0
Implement system boundary protection CMA_0328 - Implement system boundary protection Manual, Disabled 1.1.0
Route traffic through authenticated proxy network CMA_C1633 - Route traffic through authenticated proxy network Manual, Disabled 1.1.0
Route traffic through managed network access points CMA_0484 - Route traffic through managed network access points Manual, Disabled 1.1.0

09.06 Network Security Management

ID: 0824.09m3Organizational.1-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Conduct Risk Assessment CMA_C1543 - Conduct Risk Assessment Manual, Disabled 1.1.0
Conduct risk assessment and distribute its results CMA_C1544 - Conduct risk assessment and distribute its results Manual, Disabled 1.1.0
Conduct risk assessment and document its results CMA_C1542 - Conduct risk assessment and document its results Manual, Disabled 1.1.0
Configure detection whitelist CMA_0068 - Configure detection whitelist Manual, Disabled 1.1.0
Establish an alternate processing site CMA_0262 - Establish an alternate processing site Manual, Disabled 1.1.0
Perform a risk assessment CMA_0388 - Perform a risk assessment Manual, Disabled 1.1.0
Plan for resumption of essential business functions CMA_C1253 - Plan for resumption of essential business functions Manual, Disabled 1.1.0
Separately store backup information CMA_C1293 - Separately store backup information Manual, Disabled 1.1.0
Turn on sensors for endpoint security solution CMA_0514 - Turn on sensors for endpoint security solution Manual, Disabled 1.1.0
Undergo independent security review CMA_0515 - Undergo independent security review Manual, Disabled 1.1.0

09.06 Network Security Management

ID: 0825.09m3Organizational.23-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authorize, monitor, and control voip CMA_0025 - Authorize, monitor, and control voip Manual, Disabled 1.1.0
Detect network services that have not been authorized or approved CMA_C1700 - Detect network services that have not been authorized or approved Manual, Disabled 1.1.0
Document wireless access security controls CMA_C1695 - Document wireless access security controls Manual, Disabled 1.1.0
Implement system boundary protection CMA_0328 - Implement system boundary protection Manual, Disabled 1.1.0
Obtain legal opinion for monitoring system activities CMA_C1688 - Obtain legal opinion for monitoring system activities Manual, Disabled 1.1.0
Provide monitoring information as needed CMA_C1689 - Provide monitoring information as needed Manual, Disabled 1.1.0
Route traffic through managed network access points CMA_0484 - Route traffic through managed network access points Manual, Disabled 1.1.0

09.06 Network Security Management

ID: 0826.09m3Organizational.45-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Implement managed interface for each external service CMA_C1626 - Implement managed interface for each external service Manual, Disabled 1.1.0
Implement system boundary protection CMA_0328 - Implement system boundary protection Manual, Disabled 1.1.0
Secure the interface to external systems CMA_0491 - Secure the interface to external systems Manual, Disabled 1.1.0

09.06 Network Security Management

ID: 0828.09m3Organizational.8-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Review changes for any unauthorized changes CMA_C1204 - Review changes for any unauthorized changes Manual, Disabled 1.1.0

09.06 Network Security Management

ID: 0829.09m3Organizational.911-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Implement managed interface for each external service CMA_C1626 - Implement managed interface for each external service Manual, Disabled 1.1.0
Implement system boundary protection CMA_0328 - Implement system boundary protection Manual, Disabled 1.1.0

09.06 Network Security Management

ID: 0830.09m3Organizational.1012-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adopt biometric authentication mechanisms CMA_0005 - Adopt biometric authentication mechanisms Manual, Disabled 1.1.0
Authorize, monitor, and control voip CMA_0025 - Authorize, monitor, and control voip Manual, Disabled 1.1.0
Enforce user uniqueness CMA_0250 - Enforce user uniqueness Manual, Disabled 1.1.0
Implement managed interface for each external service CMA_C1626 - Implement managed interface for each external service Manual, Disabled 1.1.0
Implement system boundary protection CMA_0328 - Implement system boundary protection Manual, Disabled 1.1.0
Route traffic through managed network access points CMA_0484 - Route traffic through managed network access points Manual, Disabled 1.1.0
Secure the interface to external systems CMA_0491 - Secure the interface to external systems Manual, Disabled 1.1.0
Support personal verification credentials issued by legal authorities CMA_0507 - Support personal verification credentials issued by legal authorities Manual, Disabled 1.1.0

09.06 Network Security Management

ID: 0832.09m3Organizational.14-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Implement a fault tolerant name/address service CMA_0305 - Implement a fault tolerant name/address service Manual, Disabled 1.1.0
Require interconnection security agreements CMA_C1151 - Require interconnection security agreements Manual, Disabled 1.1.0
Update interconnection security agreements CMA_0519 - Update interconnection security agreements Manual, Disabled 1.1.0

09.06 Network Security Management

ID: 0835.09n1Organizational.1-09.n Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Network traffic data collection agent should be installed on Windows virtual machines Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. AuditIfNotExists, Disabled 1.0.2-preview
Configure detection whitelist CMA_0068 - Configure detection whitelist Manual, Disabled 1.1.0
Require interconnection security agreements CMA_C1151 - Require interconnection security agreements Manual, Disabled 1.1.0
Secure the interface to external systems CMA_0491 - Secure the interface to external systems Manual, Disabled 1.1.0
Turn on sensors for endpoint security solution CMA_0514 - Turn on sensors for endpoint security solution Manual, Disabled 1.1.0
Undergo independent security review CMA_0515 - Undergo independent security review Manual, Disabled 1.1.0
Virtual machines should be migrated to new Azure Resource Manager resources Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management Audit, Deny, Disabled 1.0.0

09.06 Network Security Management

ID: 0836.09.n2Organizational.1-09.n Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Network traffic data collection agent should be installed on Linux virtual machines Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. AuditIfNotExists, Disabled 1.0.2-preview
Check for privacy and security compliance before establishing internal connections CMA_0053 - Check for privacy and security compliance before establishing internal connections Manual, Disabled 1.1.0
Require interconnection security agreements CMA_C1151 - Require interconnection security agreements Manual, Disabled 1.1.0
Update interconnection security agreements CMA_0519 - Update interconnection security agreements Manual, Disabled 1.1.0

09.06 Network Security Management

ID: 0837.09.n2Organizational.2-09.n Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define and document government oversight CMA_C1587 - Define and document government oversight Manual, Disabled 1.1.0
Determine supplier contract obligations CMA_0140 - Determine supplier contract obligations Manual, Disabled 1.1.0
Document acquisition contract acceptance criteria CMA_0187 - Document acquisition contract acceptance criteria Manual, Disabled 1.1.0
Document protection of personal data in acquisition contracts CMA_0194 - Document protection of personal data in acquisition contracts Manual, Disabled 1.1.0
Document protection of security information in acquisition contracts CMA_0195 - Document protection of security information in acquisition contracts Manual, Disabled 1.1.0
Document requirements for the use of shared data in contracts CMA_0197 - Document requirements for the use of shared data in contracts Manual, Disabled 1.1.0
Document security assurance requirements in acquisition contracts CMA_0199 - Document security assurance requirements in acquisition contracts Manual, Disabled 1.1.0
Document security documentation requirements in acquisition contract CMA_0200 - Document security documentation requirements in acquisition contract Manual, Disabled 1.1.0
Document security functional requirements in acquisition contracts CMA_0201 - Document security functional requirements in acquisition contracts Manual, Disabled 1.1.0
Document security strength requirements in acquisition contracts CMA_0203 - Document security strength requirements in acquisition contracts Manual, Disabled 1.1.0
Document the information system environment in acquisition contracts CMA_0205 - Document the information system environment in acquisition contracts Manual, Disabled 1.1.0
Document the protection of cardholder data in third party contracts CMA_0207 - Document the protection of cardholder data in third party contracts Manual, Disabled 1.1.0
Ensure external providers consistently meet interests of the customers CMA_C1592 - Ensure external providers consistently meet interests of the customers Manual, Disabled 1.1.0
Identify external service providers CMA_C1591 - Identify external service providers Manual, Disabled 1.1.0
Network Watcher should be enabled Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. AuditIfNotExists, Disabled 3.0.0
Require external service providers to comply with security requirements CMA_C1586 - Require external service providers to comply with security requirements Manual, Disabled 1.1.0
Require interconnection security agreements CMA_C1151 - Require interconnection security agreements Manual, Disabled 1.1.0
Review cloud service provider's compliance with policies and agreements CMA_0469 - Review cloud service provider's compliance with policies and agreements Manual, Disabled 1.1.0
Undergo independent security review CMA_0515 - Undergo independent security review Manual, Disabled 1.1.0
Update interconnection security agreements CMA_0519 - Update interconnection security agreements Manual, Disabled 1.1.0

01.04 Network Access Control

ID: 0850.01o1Organizational.12-01.o Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Route traffic through authenticated proxy network CMA_C1633 - Route traffic through authenticated proxy network Manual, Disabled 1.1.0

09.06 Network Security Management

ID: 0858.09m1Organizational.4-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
All network ports should be restricted on network security groups associated to your virtual machine Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. AuditIfNotExists, Disabled 3.0.0
Document and implement wireless access guidelines CMA_0190 - Document and implement wireless access guidelines Manual, Disabled 1.1.0
Document wireless access security controls CMA_C1695 - Document wireless access security controls Manual, Disabled 1.1.0
Identify and authenticate network devices CMA_0296 - Identify and authenticate network devices Manual, Disabled 1.1.0
Management ports of virtual machines should be protected with just-in-time network access control Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 3.0.0
Protect wireless access CMA_0411 - Protect wireless access Manual, Disabled 1.1.0
Windows machines should meet requirements for 'Windows Firewall Properties' Windows machines should have the specified Group Policy settings in the category 'Windows Firewall Properties' for firewall state, connections, rule management, and notifications. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0

09.06 Network Security Management

ID: 0859.09m1Organizational.78-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adaptive network hardening recommendations should be applied on internet facing virtual machines Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface AuditIfNotExists, Disabled 3.0.0
Control information flow CMA_0079 - Control information flow Manual, Disabled 1.1.0
Define access authorizations to support separation of duties CMA_0116 - Define access authorizations to support separation of duties Manual, Disabled 1.1.0
Document separation of duties CMA_0204 - Document separation of duties Manual, Disabled 1.1.0
Employ flow control mechanisms of encrypted information CMA_0211 - Employ flow control mechanisms of encrypted information Manual, Disabled 1.1.0
Establish firewall and router configuration standards CMA_0272 - Establish firewall and router configuration standards Manual, Disabled 1.1.0
Establish network segmentation for card holder data environment CMA_0273 - Establish network segmentation for card holder data environment Manual, Disabled 1.1.0
Identify and manage downstream information exchanges CMA_0298 - Identify and manage downstream information exchanges Manual, Disabled 1.1.0
Information flow control using security policy filters CMA_C1029 - Information flow control using security policy filters Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0
Review and update system and communications protection policies and procedures CMA_C1616 - Review and update system and communications protection policies and procedures Manual, Disabled 1.1.0
Secure the interface to external systems CMA_0491 - Secure the interface to external systems Manual, Disabled 1.1.0
Separate duties of individuals CMA_0492 - Separate duties of individuals Manual, Disabled 1.1.0

09.06 Network Security Management

ID: 0860.09m1Organizational.9-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Deploy Diagnostic Settings for Network Security Groups This policy automatically deploys diagnostic settings to network security groups. A storage account with name '{storagePrefixParameter}{NSGLocation}' will be automatically created. deployIfNotExists 2.0.0
Establish an alternate processing site CMA_0262 - Establish an alternate processing site Manual, Disabled 1.1.0
Implement managed interface for each external service CMA_C1626 - Implement managed interface for each external service Manual, Disabled 1.1.0
Secure the interface to external systems CMA_0491 - Secure the interface to external systems Manual, Disabled 1.1.0
Separately store backup information CMA_C1293 - Separately store backup information Manual, Disabled 1.1.0

09.06 Network Security Management

ID: 0861.09m2Organizational.67-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
App Service apps should use a virtual network service endpoint Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit https://aka.ms/appservice-vnet-service-endpoint. AuditIfNotExists, Disabled 2.0.0
Document and implement wireless access guidelines CMA_0190 - Document and implement wireless access guidelines Manual, Disabled 1.1.0
Document wireless access security controls CMA_C1695 - Document wireless access security controls Manual, Disabled 1.1.0
Identify and authenticate network devices CMA_0296 - Identify and authenticate network devices Manual, Disabled 1.1.0
Identify and authenticate non-organizational users CMA_C1346 - Identify and authenticate non-organizational users Manual, Disabled 1.1.0
Protect wireless access CMA_0411 - Protect wireless access Manual, Disabled 1.1.0
Windows machines should meet requirements for 'Security Options - Network Access' Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Access' for including access for anonymous users, local accounts, and remote access to the registry. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0

09.06 Network Security Management

ID: 0862.09m2Organizational.8-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0
SQL Server should use a virtual network service endpoint This policy audits any SQL Server not configured to use a virtual network service endpoint. AuditIfNotExists, Disabled 1.0.0

09.06 Network Security Management

ID: 0863.09m2Organizational.910-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Check for privacy and security compliance before establishing internal connections CMA_0053 - Check for privacy and security compliance before establishing internal connections Manual, Disabled 1.1.0
Conduct a security impact analysis CMA_0057 - Conduct a security impact analysis Manual, Disabled 1.1.0
Configure actions for noncompliant devices CMA_0062 - Configure actions for noncompliant devices Manual, Disabled 1.1.0
Develop a concept of operations (CONOPS) CMA_0141 - Develop a concept of operations (CONOPS) Manual, Disabled 1.1.0
Develop and establish a system security plan CMA_0151 - Develop and establish a system security plan Manual, Disabled 1.1.0
Develop and maintain a vulnerability management standard CMA_0152 - Develop and maintain a vulnerability management standard Manual, Disabled 1.1.0
Develop and maintain baseline configurations CMA_0153 - Develop and maintain baseline configurations Manual, Disabled 1.1.0
Develop configuration item identification plan CMA_C1231 - Develop configuration item identification plan Manual, Disabled 1.1.0
Develop information security policies and procedures CMA_0158 - Develop information security policies and procedures Manual, Disabled 1.1.0
Develop SSP that meets criteria CMA_C1492 - Develop SSP that meets criteria Manual, Disabled 1.1.0
Enforce security configuration settings CMA_0249 - Enforce security configuration settings Manual, Disabled 1.1.0
Establish a configuration control board CMA_0254 - Establish a configuration control board Manual, Disabled 1.1.0
Establish a privacy program CMA_0257 - Establish a privacy program Manual, Disabled 1.1.0
Establish a risk management strategy CMA_0258 - Establish a risk management strategy Manual, Disabled 1.1.0
Establish and document a configuration management plan CMA_0264 - Establish and document a configuration management plan Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Establish configuration management requirements for developers CMA_0270 - Establish configuration management requirements for developers Manual, Disabled 1.1.0
Establish security requirements for the manufacturing of connected devices CMA_0279 - Establish security requirements for the manufacturing of connected devices Manual, Disabled 1.1.0
Event Hub should use a virtual network service endpoint This policy audits any Event Hub not configured to use a virtual network service endpoint. AuditIfNotExists, Disabled 1.0.0
Implement an automated configuration management tool CMA_0311 - Implement an automated configuration management tool Manual, Disabled 1.1.0
Implement security engineering principles of information systems CMA_0325 - Implement security engineering principles of information systems Manual, Disabled 1.1.0
Perform a privacy impact assessment CMA_0387 - Perform a privacy impact assessment Manual, Disabled 1.1.0
Perform a risk assessment CMA_0388 - Perform a risk assessment Manual, Disabled 1.1.0
Perform audit for configuration change control CMA_0390 - Perform audit for configuration change control Manual, Disabled 1.1.0
Review and update the information security architecture CMA_C1504 - Review and update the information security architecture Manual, Disabled 1.1.0

09.06 Network Security Management

ID: 0864.09m2Organizational.12-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authorize, monitor, and control voip CMA_0025 - Authorize, monitor, and control voip Manual, Disabled 1.1.0
Cosmos DB should use a virtual network service endpoint This policy audits any Cosmos DB not configured to use a virtual network service endpoint. Audit, Disabled 1.0.0
Establish voip usage restrictions CMA_0280 - Establish voip usage restrictions Manual, Disabled 1.1.0
Secure the interface to external systems CMA_0491 - Secure the interface to external systems Manual, Disabled 1.1.0

09.06 Network Security Management

ID: 0865.09m2Organizational.13-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Check for privacy and security compliance before establishing internal connections CMA_0053 - Check for privacy and security compliance before establishing internal connections Manual, Disabled 1.1.0
Employ restrictions on external system interconnections CMA_C1155 - Employ restrictions on external system interconnections Manual, Disabled 1.1.0
Key Vault should use a virtual network service endpoint This policy audits any Key Vault not configured to use a virtual network service endpoint. Audit, Disabled 1.0.0
Require interconnection security agreements CMA_C1151 - Require interconnection security agreements Manual, Disabled 1.1.0
Update interconnection security agreements CMA_0519 - Update interconnection security agreements Manual, Disabled 1.1.0

09.06 Network Security Management

ID: 0866.09m3Organizational.1516-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authorize, monitor, and control voip CMA_0025 - Authorize, monitor, and control voip Manual, Disabled 1.1.0
Develop and establish a system security plan CMA_0151 - Develop and establish a system security plan Manual, Disabled 1.1.0
Develop information security policies and procedures CMA_0158 - Develop information security policies and procedures Manual, Disabled 1.1.0
Develop SSP that meets criteria CMA_C1492 - Develop SSP that meets criteria Manual, Disabled 1.1.0
Establish a privacy program CMA_0257 - Establish a privacy program Manual, Disabled 1.1.0
Establish security requirements for the manufacturing of connected devices CMA_0279 - Establish security requirements for the manufacturing of connected devices Manual, Disabled 1.1.0
Implement security engineering principles of information systems CMA_0325 - Implement security engineering principles of information systems Manual, Disabled 1.1.0
Review and update system and communications protection policies and procedures CMA_C1616 - Review and update system and communications protection policies and procedures Manual, Disabled 1.1.0
Route traffic through managed network access points CMA_0484 - Route traffic through managed network access points Manual, Disabled 1.1.0
Secure the interface to external systems CMA_0491 - Secure the interface to external systems Manual, Disabled 1.1.0
Storage accounts should restrict network access Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges Audit, Deny, Disabled 1.1.1

09.06 Network Security Management

ID: 0868.09m3Organizational.18-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Container Registry should use a virtual network service endpoint This policy audits any Container Registry not configured to use a virtual network service endpoint. Audit, Disabled 1.0.0-preview
Authorize, monitor, and control voip CMA_0025 - Authorize, monitor, and control voip Manual, Disabled 1.1.0
Implement managed interface for each external service CMA_C1626 - Implement managed interface for each external service Manual, Disabled 1.1.0
Route traffic through managed network access points CMA_0484 - Route traffic through managed network access points Manual, Disabled 1.1.0
Secure the interface to external systems CMA_0491 - Secure the interface to external systems Manual, Disabled 1.1.0

09.06 Network Security Management

ID: 0869.09m3Organizational.19-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Container Registry should use a virtual network service endpoint This policy audits any Container Registry not configured to use a virtual network service endpoint. Audit, Disabled 1.0.0-preview
Configure actions for noncompliant devices CMA_0062 - Configure actions for noncompliant devices Manual, Disabled 1.1.0
Create configuration plan protection CMA_C1233 - Create configuration plan protection Manual, Disabled 1.1.0
Develop and maintain baseline configurations CMA_0153 - Develop and maintain baseline configurations Manual, Disabled 1.1.0
Develop configuration item identification plan CMA_C1231 - Develop configuration item identification plan Manual, Disabled 1.1.0
Develop configuration management plan CMA_C1232 - Develop configuration management plan Manual, Disabled 1.1.0
Employ automatic shutdown/restart when violations are detected CMA_C1715 - Employ automatic shutdown/restart when violations are detected Manual, Disabled 1.1.0
Enforce security configuration settings CMA_0249 - Enforce security configuration settings Manual, Disabled 1.1.0
Establish a configuration control board CMA_0254 - Establish a configuration control board Manual, Disabled 1.1.0
Establish and document a configuration management plan CMA_0264 - Establish and document a configuration management plan Manual, Disabled 1.1.0
Implement an automated configuration management tool CMA_0311 - Implement an automated configuration management tool Manual, Disabled 1.1.0

09.06 Network Security Management

ID: 0870.09m3Organizational.20-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Container Registry should use a virtual network service endpoint This policy audits any Container Registry not configured to use a virtual network service endpoint. Audit, Disabled 1.0.0-preview
Detect network services that have not been authorized or approved CMA_C1700 - Detect network services that have not been authorized or approved Manual, Disabled 1.1.0
Enforce user uniqueness CMA_0250 - Enforce user uniqueness Manual, Disabled 1.1.0
Identify and authenticate non-organizational users CMA_C1346 - Identify and authenticate non-organizational users Manual, Disabled 1.1.0
Identify external service providers CMA_C1591 - Identify external service providers Manual, Disabled 1.1.0
Implement managed interface for each external service CMA_C1626 - Implement managed interface for each external service Manual, Disabled 1.1.0
Route traffic through authenticated proxy network CMA_C1633 - Route traffic through authenticated proxy network Manual, Disabled 1.1.0
Support personal verification credentials issued by legal authorities CMA_0507 - Support personal verification credentials issued by legal authorities Manual, Disabled 1.1.0

09.06 Network Security Management

ID: 0871.09m3Organizational.22-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Container Registry should use a virtual network service endpoint This policy audits any Container Registry not configured to use a virtual network service endpoint. Audit, Disabled 1.0.0-preview
Implement a fault tolerant name/address service CMA_0305 - Implement a fault tolerant name/address service Manual, Disabled 1.1.0
Provide secure name and address resolution services CMA_0416 - Provide secure name and address resolution services Manual, Disabled 1.1.0
Verify software, firmware and information integrity CMA_0542 - Verify software, firmware and information integrity Manual, Disabled 1.1.0

09.06 Network Security Management

ID: 0885.09n2Organizational.3-09.n Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Network traffic data collection agent should be installed on Linux virtual machines Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. AuditIfNotExists, Disabled 1.0.2-preview
Require interconnection security agreements CMA_C1151 - Require interconnection security agreements Manual, Disabled 1.1.0
Update interconnection security agreements CMA_0519 - Update interconnection security agreements Manual, Disabled 1.1.0

09.06 Network Security Management

ID: 0886.09n2Organizational.4-09.n Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Employ restrictions on external system interconnections CMA_C1155 - Employ restrictions on external system interconnections Manual, Disabled 1.1.0
Network Watcher should be enabled Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. AuditIfNotExists, Disabled 3.0.0

09.06 Network Security Management

ID: 0887.09n2Organizational.5-09.n Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Network traffic data collection agent should be installed on Windows virtual machines Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. AuditIfNotExists, Disabled 1.0.2-preview
Require developer to identify SDLC ports, protocols, and services CMA_C1578 - Require developer to identify SDLC ports, protocols, and services Manual, Disabled 1.1.0
Secure the interface to external systems CMA_0491 - Secure the interface to external systems Manual, Disabled 1.1.0

09.06 Network Security Management

ID: 0888.09n2Organizational.6-09.n Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define and document government oversight CMA_C1587 - Define and document government oversight Manual, Disabled 1.1.0
Determine supplier contract obligations CMA_0140 - Determine supplier contract obligations Manual, Disabled 1.1.0
Document acquisition contract acceptance criteria CMA_0187 - Document acquisition contract acceptance criteria Manual, Disabled 1.1.0
Document protection of personal data in acquisition contracts CMA_0194 - Document protection of personal data in acquisition contracts Manual, Disabled 1.1.0
Document protection of security information in acquisition contracts CMA_0195 - Document protection of security information in acquisition contracts Manual, Disabled 1.1.0
Document requirements for the use of shared data in contracts CMA_0197 - Document requirements for the use of shared data in contracts Manual, Disabled 1.1.0
Document security assurance requirements in acquisition contracts CMA_0199 - Document security assurance requirements in acquisition contracts Manual, Disabled 1.1.0
Document security documentation requirements in acquisition contract CMA_0200 - Document security documentation requirements in acquisition contract Manual, Disabled 1.1.0
Document security functional requirements in acquisition contracts CMA_0201 - Document security functional requirements in acquisition contracts Manual, Disabled 1.1.0
Document security strength requirements in acquisition contracts CMA_0203 - Document security strength requirements in acquisition contracts Manual, Disabled 1.1.0
Document the information system environment in acquisition contracts CMA_0205 - Document the information system environment in acquisition contracts Manual, Disabled 1.1.0
Document the protection of cardholder data in third party contracts CMA_0207 - Document the protection of cardholder data in third party contracts Manual, Disabled 1.1.0
Ensure external providers consistently meet interests of the customers CMA_C1592 - Ensure external providers consistently meet interests of the customers Manual, Disabled 1.1.0
Network Watcher should be enabled Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. AuditIfNotExists, Disabled 3.0.0
Require external service providers to comply with security requirements CMA_C1586 - Require external service providers to comply with security requirements Manual, Disabled 1.1.0
Review cloud service provider's compliance with policies and agreements CMA_0469 - Review cloud service provider's compliance with policies and agreements Manual, Disabled 1.1.0
Undergo independent security review CMA_0515 - Undergo independent security review Manual, Disabled 1.1.0

01.04 Network Access Control

ID: 0894.01m2Organizational.7-01.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Container Registry should use a virtual network service endpoint This policy audits any Container Registry not configured to use a virtual network service endpoint. Audit, Disabled 1.0.0-preview
App Service apps should use a virtual network service endpoint Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit https://aka.ms/appservice-vnet-service-endpoint. AuditIfNotExists, Disabled 2.0.0
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Cosmos DB should use a virtual network service endpoint This policy audits any Cosmos DB not configured to use a virtual network service endpoint. Audit, Disabled 1.0.0
Deploy network watcher when virtual networks are created This policy creates a network watcher resource in regions with virtual networks. You need to ensure existence of a resource group named networkWatcherRG, which will be used to deploy network watcher instances. DeployIfNotExists 1.0.0
Enforce logical access CMA_0245 - Enforce logical access Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
Event Hub should use a virtual network service endpoint This policy audits any Event Hub not configured to use a virtual network service endpoint. AuditIfNotExists, Disabled 1.0.0
Gateway subnets should not be configured with a network security group This policy denies if a gateway subnet is configured with a network security group. Assigning a network security group to a gateway subnet will cause the gateway to stop functioning. deny 1.0.0
Internet-facing virtual machines should be protected with network security groups Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc AuditIfNotExists, Disabled 3.0.0
Key Vault should use a virtual network service endpoint This policy audits any Key Vault not configured to use a virtual network service endpoint. Audit, Disabled 1.0.0
Require approval for account creation CMA_0431 - Require approval for account creation Manual, Disabled 1.1.0
Review user groups and applications with access to sensitive data CMA_0481 - Review user groups and applications with access to sensitive data Manual, Disabled 1.1.0
Route traffic through authenticated proxy network CMA_C1633 - Route traffic through authenticated proxy network Manual, Disabled 1.1.0
SQL Server should use a virtual network service endpoint This policy audits any SQL Server not configured to use a virtual network service endpoint. AuditIfNotExists, Disabled 1.0.0
Storage Accounts should use a virtual network service endpoint This policy audits any Storage Account not configured to use a virtual network service endpoint. Audit, Disabled 1.0.0
Subnets should be associated with a Network Security Group Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. AuditIfNotExists, Disabled 3.0.0
Virtual machines should be connected to an approved virtual network This policy audits any virtual machine connected to a virtual network that is not approved. Audit, Deny, Disabled 1.0.0

Back-up

Workforce members roles and responsibilities in the data backup process are identified and communicated to the workforce; in particular, Bring Your Own Device (BYOD) users are required to perform backups of organizational and/or client data on their devices.

ID: 1699.09l1Organizational.10 - 09.l Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Backup should be enabled for Virtual Machines Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. AuditIfNotExists, Disabled 3.0.0

Network Controls

Wireless access points are placed in secure areas and shut down when not in use (e.g. nights, weekends).

ID: 0867.09m3Organizational.17 - 09.m Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Storage Accounts should use a virtual network service endpoint This policy audits any Storage Account not configured to use a virtual network service endpoint. Audit, Disabled 1.0.0

On-line Transactions

The organization requires the use of encryption between, and the use of electronic signatures by, each of the parties involved in the transaction.

ID: 0946.09y2Organizational.14 - 09.y Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Only secure connections to your Azure Cache for Redis should be enabled Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Audit, Deny, Disabled 1.0.0

09 Transmission Protection

09.08 Exchange of Information

ID: 0901.09s1Organizational.1-09.s Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
App Service apps should not have CORS configured to allow every resource to access your apps Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. AuditIfNotExists, Disabled 2.0.0
Categorize information CMA_0052 - Categorize information Manual, Disabled 1.1.0
Configure actions for noncompliant devices CMA_0062 - Configure actions for noncompliant devices Manual, Disabled 1.1.0
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Develop acceptable use policies and procedures CMA_0143 - Develop acceptable use policies and procedures Manual, Disabled 1.1.0
Develop and maintain baseline configurations CMA_0153 - Develop and maintain baseline configurations Manual, Disabled 1.1.0
Develop business classification schemes CMA_0155 - Develop business classification schemes Manual, Disabled 1.1.0
Develop organization code of conduct policy CMA_0159 - Develop organization code of conduct policy Manual, Disabled 1.1.0
Document personnel acceptance of privacy requirements CMA_0193 - Document personnel acceptance of privacy requirements Manual, Disabled 1.1.0
Enforce rules of behavior and access agreements CMA_0248 - Enforce rules of behavior and access agreements Manual, Disabled 1.1.0
Enforce security configuration settings CMA_0249 - Enforce security configuration settings Manual, Disabled 1.1.0
Ensure security categorization is approved CMA_C1540 - Ensure security categorization is approved Manual, Disabled 1.1.0
Establish a configuration control board CMA_0254 - Establish a configuration control board Manual, Disabled 1.1.0
Establish a data leakage management procedure CMA_0255 - Establish a data leakage management procedure Manual, Disabled 1.1.0
Establish and document a configuration management plan CMA_0264 - Establish and document a configuration management plan Manual, Disabled 1.1.0
Establish terms and conditions for processing resources CMA_C1077 - Establish terms and conditions for processing resources Manual, Disabled 1.1.0
Implement an automated configuration management tool CMA_0311 - Implement an automated configuration management tool Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Perform information input validation CMA_C1723 - Perform information input validation Manual, Disabled 1.1.0
Prohibit unfair practices CMA_0396 - Prohibit unfair practices Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0
Protect special information CMA_0409 - Protect special information Manual, Disabled 1.1.0
Review and sign revised rules of behavior CMA_0465 - Review and sign revised rules of behavior Manual, Disabled 1.1.0
Review label activity and analytics CMA_0474 - Review label activity and analytics Manual, Disabled 1.1.0
Review malware detections report weekly CMA_0475 - Review malware detections report weekly Manual, Disabled 1.1.0
Review threat protection status weekly CMA_0479 - Review threat protection status weekly Manual, Disabled 1.1.0
Update antivirus definitions CMA_0517 - Update antivirus definitions Manual, Disabled 1.1.0
Update information security policies CMA_0518 - Update information security policies Manual, Disabled 1.1.0
Update rules of behavior and access agreements CMA_0521 - Update rules of behavior and access agreements Manual, Disabled 1.1.0
Update rules of behavior and access agreements every 3 years CMA_0522 - Update rules of behavior and access agreements every 3 years Manual, Disabled 1.1.0

09.08 Exchange of Information

ID: 0902.09s2Organizational.13-09.s Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authorize remote access CMA_0024 - Authorize remote access Manual, Disabled 1.1.0
Authorize remote access to privileged commands CMA_C1064 - Authorize remote access to privileged commands Manual, Disabled 1.1.0
Document mobility training CMA_0191 - Document mobility training Manual, Disabled 1.1.0
Document remote access guidelines CMA_0196 - Document remote access guidelines Manual, Disabled 1.1.0
Establish terms and conditions for accessing resources CMA_C1076 - Establish terms and conditions for accessing resources Manual, Disabled 1.1.0
Establish terms and conditions for processing resources CMA_C1077 - Establish terms and conditions for processing resources Manual, Disabled 1.1.0
Function apps should not have CORS configured to allow every resource to access your apps Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. AuditIfNotExists, Disabled 2.0.0
Implement controls to secure alternate work sites CMA_0315 - Implement controls to secure alternate work sites Manual, Disabled 1.1.0
Monitor access across the organization CMA_0376 - Monitor access across the organization Manual, Disabled 1.1.0
Notify users of system logon or access CMA_0382 - Notify users of system logon or access Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Provide capability to disconnect or disable remote access CMA_C1066 - Provide capability to disconnect or disable remote access Manual, Disabled 1.1.0
Provide privacy training CMA_0415 - Provide privacy training Manual, Disabled 1.1.0
Route traffic through managed network access points CMA_0484 - Route traffic through managed network access points Manual, Disabled 1.1.0

10.03 Cryptographic Controls

ID: 0903.10f1Organizational.1-10.f Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0

10.03 Cryptographic Controls

ID: 0904.10f2Organizational.1-10.f Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authenticate to cryptographic module CMA_0021 - Authenticate to cryptographic module Manual, Disabled 1.1.0
Define a physical key management process CMA_0115 - Define a physical key management process Manual, Disabled 1.1.0
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0
Define organizational requirements for cryptographic key management CMA_0123 - Define organizational requirements for cryptographic key management Manual, Disabled 1.1.0
Determine assertion requirements CMA_0136 - Determine assertion requirements Manual, Disabled 1.1.0
Issue public key certificates CMA_0347 - Issue public key certificates Manual, Disabled 1.1.0
Manage symmetric cryptographic keys CMA_0367 - Manage symmetric cryptographic keys Manual, Disabled 1.1.0
Produce, control and distribute symmetric cryptographic keys CMA_C1645 - Produce, control and distribute symmetric cryptographic keys Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0
Restrict access to private keys CMA_0445 - Restrict access to private keys Manual, Disabled 1.1.0

09.08 Exchange of Information

ID: 0912.09s1Organizational.4-09.s Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
App Service apps should have remote debugging turned off Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. AuditIfNotExists, Disabled 2.0.0
Authorize remote access CMA_0024 - Authorize remote access Manual, Disabled 1.1.0
Document mobility training CMA_0191 - Document mobility training Manual, Disabled 1.1.0
Document remote access guidelines CMA_0196 - Document remote access guidelines Manual, Disabled 1.1.0
Implement controls to secure alternate work sites CMA_0315 - Implement controls to secure alternate work sites Manual, Disabled 1.1.0
Monitor access across the organization CMA_0376 - Monitor access across the organization Manual, Disabled 1.1.0
Notify users of system logon or access CMA_0382 - Notify users of system logon or access Manual, Disabled 1.1.0
Provide privacy training CMA_0415 - Provide privacy training Manual, Disabled 1.1.0
Route traffic through managed network access points CMA_0484 - Route traffic through managed network access points Manual, Disabled 1.1.0

09.08 Exchange of Information

ID: 0913.09s1Organizational.5-09.s Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0
Function apps should have remote debugging turned off Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. AuditIfNotExists, Disabled 2.0.0
Produce, control and distribute asymmetric cryptographic keys CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0

09.08 Exchange of Information

ID: 0914.09s1Organizational.6-09.s Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Assess Security Controls CMA_C1145 - Assess Security Controls Manual, Disabled 1.1.0
Deliver security assessment results CMA_C1147 - Deliver security assessment results Manual, Disabled 1.1.0
Develop security assessment plan CMA_C1144 - Develop security assessment plan Manual, Disabled 1.1.0
Employ independent assessors to conduct security control assessments CMA_C1148 - Employ independent assessors to conduct security control assessments Manual, Disabled 1.1.0
Produce Security Assessment report CMA_C1146 - Produce Security Assessment report Manual, Disabled 1.1.0
Review and update system and communications protection policies and procedures CMA_C1616 - Review and update system and communications protection policies and procedures Manual, Disabled 1.1.0

09.08 Exchange of Information

ID: 0915.09s2Organizational.2-09.s Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
App Service apps should have 'Client Certificates (Incoming client certificates)' enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. Audit, Disabled 3.0.0
Control use of portable storage devices CMA_0083 - Control use of portable storage devices Manual, Disabled 1.1.0
Establish terms and conditions for accessing resources CMA_C1076 - Establish terms and conditions for accessing resources Manual, Disabled 1.1.0
Establish terms and conditions for processing resources CMA_C1077 - Establish terms and conditions for processing resources Manual, Disabled 1.1.0

09.08 Exchange of Information

ID: 0916.09s2Organizational.4-09.s Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adopt biometric authentication mechanisms CMA_0005 - Adopt biometric authentication mechanisms Manual, Disabled 1.1.0
App Service apps should not have CORS configured to allow every resource to access your apps Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. AuditIfNotExists, Disabled 2.0.0
Control use of portable storage devices CMA_0083 - Control use of portable storage devices Manual, Disabled 1.1.0
Explicitly notify use of collaborative computing devices CMA_C1649 - Explicitly notify use of collaborative computing devices Manual, Disabled 1.1.1
Identify and authenticate network devices CMA_0296 - Identify and authenticate network devices Manual, Disabled 1.1.0
Prohibit remote activation of collaborative computing devices CMA_C1648 - Prohibit remote activation of collaborative computing devices Manual, Disabled 1.1.0
Restrict media use CMA_0450 - Restrict media use Manual, Disabled 1.1.0

09.08 Exchange of Information

ID: 0926.09v1Organizational.2-09.v Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Implement a fault tolerant name/address service CMA_0305 - Implement a fault tolerant name/address service Manual, Disabled 1.1.0
Produce, control and distribute asymmetric cryptographic keys CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0
Provide secure name and address resolution services CMA_0416 - Provide secure name and address resolution services Manual, Disabled 1.1.0

09.08 Exchange of Information

ID: 0927.09v1Organizational.3-09.v Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adopt biometric authentication mechanisms CMA_0005 - Adopt biometric authentication mechanisms Manual, Disabled 1.1.0
Enforce user uniqueness CMA_0250 - Enforce user uniqueness Manual, Disabled 1.1.0
Identify and authenticate network devices CMA_0296 - Identify and authenticate network devices Manual, Disabled 1.1.0
Support personal verification credentials issued by legal authorities CMA_0507 - Support personal verification credentials issued by legal authorities Manual, Disabled 1.1.0

09.08 Exchange of Information

ID: 0928.09v1Organizational.45-09.v Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Control information flow CMA_0079 - Control information flow Manual, Disabled 1.1.0
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0
Establish firewall and router configuration standards CMA_0272 - Establish firewall and router configuration standards Manual, Disabled 1.1.0
Establish network segmentation for card holder data environment CMA_0273 - Establish network segmentation for card holder data environment Manual, Disabled 1.1.0
Identify and manage downstream information exchanges CMA_0298 - Identify and manage downstream information exchanges Manual, Disabled 1.1.0
Produce, control and distribute asymmetric cryptographic keys CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0
Secure the interface to external systems CMA_0491 - Secure the interface to external systems Manual, Disabled 1.1.0

09.08 Exchange of Information

ID: 0929.09v1Organizational.6-09.v Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Control information flow CMA_0079 - Control information flow Manual, Disabled 1.1.0
Establish firewall and router configuration standards CMA_0272 - Establish firewall and router configuration standards Manual, Disabled 1.1.0
Establish network segmentation for card holder data environment CMA_0273 - Establish network segmentation for card holder data environment Manual, Disabled 1.1.0
Identify and manage downstream information exchanges CMA_0298 - Identify and manage downstream information exchanges Manual, Disabled 1.1.0
Implement a fault tolerant name/address service CMA_0305 - Implement a fault tolerant name/address service Manual, Disabled 1.1.0
Produce, control and distribute asymmetric cryptographic keys CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0
Provide secure name and address resolution services CMA_0416 - Provide secure name and address resolution services Manual, Disabled 1.1.0

09.09 Electronic Commerce Services

ID: 0943.09y1Organizational.1-09.y Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Document process to ensure integrity of PII CMA_C1827 - Document process to ensure integrity of PII Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0
Secure transfer to storage accounts should be enabled Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Audit, Deny, Disabled 2.0.0

09.09 Electronic Commerce Services

ID: 0944.09y1Organizational.2-09.y Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Control information flow CMA_0079 - Control information flow Manual, Disabled 1.1.0
Employ boundary protection to isolate information systems CMA_C1639 - Employ boundary protection to isolate information systems Manual, Disabled 1.1.0
Employ flow control mechanisms of encrypted information CMA_0211 - Employ flow control mechanisms of encrypted information Manual, Disabled 1.1.0
Establish firewall and router configuration standards CMA_0272 - Establish firewall and router configuration standards Manual, Disabled 1.1.0
Establish network segmentation for card holder data environment CMA_0273 - Establish network segmentation for card holder data environment Manual, Disabled 1.1.0
Identify and manage downstream information exchanges CMA_0298 - Identify and manage downstream information exchanges Manual, Disabled 1.1.0
Information flow control using security policy filters CMA_C1029 - Information flow control using security policy filters Manual, Disabled 1.1.0

09.09 Electronic Commerce Services

ID: 0945.09y1Organizational.3-09.y Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit Windows machines that do not contain the specified certificates in Trusted Root Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine Trusted Root certificate store (Cert:\LocalMachine\Root) does not contain one or more of the certificates listed by the policy parameter. auditIfNotExists 3.0.0
Authenticate to cryptographic module CMA_0021 - Authenticate to cryptographic module Manual, Disabled 1.1.0
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0
Produce, control and distribute asymmetric cryptographic keys CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0

09.09 Electronic Commerce Services

ID: 0947.09y2Organizational.2-09.y Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Create separate alternate and primary storage sites CMA_C1269 - Create separate alternate and primary storage sites Manual, Disabled 1.1.0
Employ a media sanitization mechanism CMA_0208 - Employ a media sanitization mechanism Manual, Disabled 1.1.0
Enforce SSL connection should be enabled for PostgreSQL database servers Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Audit, Disabled 1.0.1
Ensure alternate storage site safeguards are equivalent to primary site CMA_C1268 - Ensure alternate storage site safeguards are equivalent to primary site Manual, Disabled 1.1.0
Establish a data leakage management procedure CMA_0255 - Establish a data leakage management procedure Manual, Disabled 1.1.0
Establish alternate storage site to store and retrieve backup information CMA_C1267 - Establish alternate storage site to store and retrieve backup information Manual, Disabled 1.1.0
Govern and monitor audit processing activities CMA_0289 - Govern and monitor audit processing activities Manual, Disabled 1.1.0
Manage the transportation of assets CMA_0370 - Manage the transportation of assets Manual, Disabled 1.1.0
Protect special information CMA_0409 - Protect special information Manual, Disabled 1.1.0
Restrict location of information processing, storage and services CMA_C1593 - Restrict location of information processing, storage and services Manual, Disabled 1.1.0
Transfer backup information to an alternate storage site CMA_C1294 - Transfer backup information to an alternate storage site Manual, Disabled 1.1.0

09.09 Electronic Commerce Services

ID: 0948.09y2Organizational.3-09.y Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Distribute authenticators CMA_0184 - Distribute authenticators Manual, Disabled 1.1.0
Enforce random unique session identifiers CMA_0247 - Enforce random unique session identifiers Manual, Disabled 1.1.0
Enforce SSL connection should be enabled for MySQL database servers Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Audit, Disabled 1.0.1
Issue public key certificates CMA_0347 - Issue public key certificates Manual, Disabled 1.1.0
Satisfy token quality requirements CMA_0487 - Satisfy token quality requirements Manual, Disabled 1.1.0

09.09 Electronic Commerce Services

ID: 0949.09y2Organizational.5-09.y Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
App Service apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled, Deny 4.0.0
App Service apps should use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. AuditIfNotExists, Disabled 2.0.1
Function apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled, Deny 5.0.0
Function apps should use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. AuditIfNotExists, Disabled 2.0.1
Identify external service providers CMA_C1591 - Identify external service providers Manual, Disabled 1.1.0
Require developer to identify SDLC ports, protocols, and services CMA_C1578 - Require developer to identify SDLC ports, protocols, and services Manual, Disabled 1.1.0

09.08 Exchange of Information

ID: 0960.09sCSPOrganizational.1-09.s Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Function apps should not have CORS configured to allow every resource to access your apps Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. AuditIfNotExists, Disabled 2.0.0
Identify external service providers CMA_C1591 - Identify external service providers Manual, Disabled 1.1.0

09.06 Network Security Management

ID: 099.09m2Organizational.11-09.m Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0

Control of Operational Software

Applications and operating systems are successfully tested for usability, security and impact prior to production.

ID: 0606.10h2System.1 - 10.h Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Vulnerabilities in container security configurations should be remediated Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. AuditIfNotExists, Disabled 3.0.0

The organization uses its configuration control program to maintain control of all implemented software and its system documentation and archive prior versions of implemented software and associated system documentation.

ID: 0607.10h2System.23 - 10.h Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adaptive application controls for defining safe applications should be enabled on your machines Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. AuditIfNotExists, Disabled 3.0.0
Vulnerabilities in security configuration on your virtual machine scale sets should be remediated Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. AuditIfNotExists, Disabled 3.0.0

10 Password Management

01.02 Authorized Access to Information Systems

ID: 1002.01d1System.1-01.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Obscure feedback information during authentication process CMA_C1344 - Obscure feedback information during authentication process Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0

01.02 Authorized Access to Information Systems

ID: 1003.01d1System.3-01.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Implement training for protecting authenticators CMA_0329 - Implement training for protecting authenticators Manual, Disabled 1.1.0
Refresh authenticators CMA_0425 - Refresh authenticators Manual, Disabled 1.1.0
Verify identity before distributing authenticators CMA_0538 - Verify identity before distributing authenticators Manual, Disabled 1.1.0

01.02 Authorized Access to Information Systems

ID: 1004.01d1System.8913-01.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Document security strength requirements in acquisition contracts CMA_0203 - Document security strength requirements in acquisition contracts Manual, Disabled 1.1.0
Establish a password policy CMA_0256 - Establish a password policy Manual, Disabled 1.1.0
Implement parameters for memorized secret verifiers CMA_0321 - Implement parameters for memorized secret verifiers Manual, Disabled 1.1.0
Manage authenticator lifetime and reuse CMA_0355 - Manage authenticator lifetime and reuse Manual, Disabled 1.1.0
Manage Authenticators CMA_C1321 - Manage Authenticators Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0
Refresh authenticators CMA_0425 - Refresh authenticators Manual, Disabled 1.1.0
Verify identity before distributing authenticators CMA_0538 - Verify identity before distributing authenticators Manual, Disabled 1.1.0

01.02 Authorized Access to Information Systems

ID: 1005.01d1System.1011-01.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authenticate to cryptographic module CMA_0021 - Authenticate to cryptographic module Manual, Disabled 1.1.0
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0
Document security strength requirements in acquisition contracts CMA_0203 - Document security strength requirements in acquisition contracts Manual, Disabled 1.1.0
Establish a password policy CMA_0256 - Establish a password policy Manual, Disabled 1.1.0
Implement parameters for memorized secret verifiers CMA_0321 - Implement parameters for memorized secret verifiers Manual, Disabled 1.1.0
Produce, control and distribute symmetric cryptographic keys CMA_C1645 - Produce, control and distribute symmetric cryptographic keys Manual, Disabled 1.1.0

01.02 Authorized Access to Information Systems

ID: 1006.01d2System.1-01.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Ensure there are no unencrypted static authenticators CMA_C1340 - Ensure there are no unencrypted static authenticators Manual, Disabled 1.1.0
Generate error messages CMA_C1724 - Generate error messages Manual, Disabled 1.1.0
Identify and authenticate non-organizational users CMA_C1346 - Identify and authenticate non-organizational users Manual, Disabled 1.1.0
Implement training for protecting authenticators CMA_0329 - Implement training for protecting authenticators Manual, Disabled 1.1.0
Obscure feedback information during authentication process CMA_C1344 - Obscure feedback information during authentication process Manual, Disabled 1.1.0

01.02 Authorized Access to Information Systems

ID: 1007.01d2System.2-01.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0

01.02 Authorized Access to Information Systems

ID: 1008.01d2System.3-01.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop acceptable use policies and procedures CMA_0143 - Develop acceptable use policies and procedures Manual, Disabled 1.1.0
Develop organization code of conduct policy CMA_0159 - Develop organization code of conduct policy Manual, Disabled 1.1.0
Document organizational access agreements CMA_0192 - Document organizational access agreements Manual, Disabled 1.1.0
Document personnel acceptance of privacy requirements CMA_0193 - Document personnel acceptance of privacy requirements Manual, Disabled 1.1.0
Enforce rules of behavior and access agreements CMA_0248 - Enforce rules of behavior and access agreements Manual, Disabled 1.1.0
Establish a data leakage management procedure CMA_0255 - Establish a data leakage management procedure Manual, Disabled 1.1.0
Notify users of system logon or access CMA_0382 - Notify users of system logon or access Manual, Disabled 1.1.0
Prohibit unfair practices CMA_0396 - Prohibit unfair practices Manual, Disabled 1.1.0
Protect special information CMA_0409 - Protect special information Manual, Disabled 1.1.0
Require users to sign access agreement CMA_0440 - Require users to sign access agreement Manual, Disabled 1.1.0
Review and sign revised rules of behavior CMA_0465 - Review and sign revised rules of behavior Manual, Disabled 1.1.0
Update information security policies CMA_0518 - Update information security policies Manual, Disabled 1.1.0
Update organizational access agreements CMA_0520 - Update organizational access agreements Manual, Disabled 1.1.0
Update rules of behavior and access agreements CMA_0521 - Update rules of behavior and access agreements Manual, Disabled 1.1.0
Update rules of behavior and access agreements every 3 years CMA_0522 - Update rules of behavior and access agreements every 3 years Manual, Disabled 1.1.0

01.02 Authorized Access to Information Systems

ID: 1009.01d2System.4-01.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Document security strength requirements in acquisition contracts CMA_0203 - Document security strength requirements in acquisition contracts Manual, Disabled 1.1.0
Establish a password policy CMA_0256 - Establish a password policy Manual, Disabled 1.1.0
Implement parameters for memorized secret verifiers CMA_0321 - Implement parameters for memorized secret verifiers Manual, Disabled 1.1.0
Refresh authenticators CMA_0425 - Refresh authenticators Manual, Disabled 1.1.0

01.02 Authorized Access to Information Systems

ID: 1014.01d1System.12-01.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Document security strength requirements in acquisition contracts CMA_0203 - Document security strength requirements in acquisition contracts Manual, Disabled 1.1.0
Establish a password policy CMA_0256 - Establish a password policy Manual, Disabled 1.1.0
Establish authenticator types and processes CMA_0267 - Establish authenticator types and processes Manual, Disabled 1.1.0
Establish procedures for initial authenticator distribution CMA_0276 - Establish procedures for initial authenticator distribution Manual, Disabled 1.1.0
Implement parameters for memorized secret verifiers CMA_0321 - Implement parameters for memorized secret verifiers Manual, Disabled 1.1.0
Implement training for protecting authenticators CMA_0329 - Implement training for protecting authenticators Manual, Disabled 1.1.0
Manage authenticator lifetime and reuse CMA_0355 - Manage authenticator lifetime and reuse Manual, Disabled 1.1.0
Manage Authenticators CMA_C1321 - Manage Authenticators Manual, Disabled 1.1.0
Refresh authenticators CMA_0425 - Refresh authenticators Manual, Disabled 1.1.0
Reissue authenticators for changed groups and accounts CMA_0426 - Reissue authenticators for changed groups and accounts Manual, Disabled 1.1.0
Verify identity before distributing authenticators CMA_0538 - Verify identity before distributing authenticators Manual, Disabled 1.1.0

01.02 Authorized Access to Information Systems

ID: 1015.01d1System.14-01.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Establish authenticator types and processes CMA_0267 - Establish authenticator types and processes Manual, Disabled 1.1.0
Establish procedures for initial authenticator distribution CMA_0276 - Establish procedures for initial authenticator distribution Manual, Disabled 1.1.0
Reissue authenticators for changed groups and accounts CMA_0426 - Reissue authenticators for changed groups and accounts Manual, Disabled 1.1.0
Verify identity before distributing authenticators CMA_0538 - Verify identity before distributing authenticators Manual, Disabled 1.1.0

01.02 Authorized Access to Information Systems

ID: 1022.01d1System.15-01.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adopt biometric authentication mechanisms CMA_0005 - Adopt biometric authentication mechanisms Manual, Disabled 1.1.0
Control use of portable storage devices CMA_0083 - Control use of portable storage devices Manual, Disabled 1.1.0
Document security strength requirements in acquisition contracts CMA_0203 - Document security strength requirements in acquisition contracts Manual, Disabled 1.1.0
Establish a password policy CMA_0256 - Establish a password policy Manual, Disabled 1.1.0
Identify and authenticate network devices CMA_0296 - Identify and authenticate network devices Manual, Disabled 1.1.0
Implement parameters for memorized secret verifiers CMA_0321 - Implement parameters for memorized secret verifiers Manual, Disabled 1.1.0
Refresh authenticators CMA_0425 - Refresh authenticators Manual, Disabled 1.1.0
Restrict media use CMA_0450 - Restrict media use Manual, Disabled 1.1.0

01.02 Authorized Access to Information Systems

ID: 1031.01d1System.34510-01.d Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Document security strength requirements in acquisition contracts CMA_0203 - Document security strength requirements in acquisition contracts Manual, Disabled 1.1.0
Establish a password policy CMA_0256 - Establish a password policy Manual, Disabled 1.1.0
Establish procedures for initial authenticator distribution CMA_0276 - Establish procedures for initial authenticator distribution Manual, Disabled 1.1.0
Implement parameters for memorized secret verifiers CMA_0321 - Implement parameters for memorized secret verifiers Manual, Disabled 1.1.0
Manage Authenticators CMA_C1321 - Manage Authenticators Manual, Disabled 1.1.0
Refresh authenticators CMA_0425 - Refresh authenticators Manual, Disabled 1.1.0

11 Access Control

01.02 Authorized Access to Information Systems

ID: 1106.01b1System.1-01.b Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)