Regulatory Compliance

Shola Lawani 531 Reputation points Microsoft Employee
2020-11-30T19:11:06.88+00:00

hello Expert,

I'm currently looking at the Regulatory Compliance standard with Azure Security Center especially around the NIST SP 800-53 controls and I noticed a lot of the controls have "Microsoft implements this System and Communications Protection control". Does this mean that these assessment can't be automated by Azure Policy and will be driven by manual assessment

Azure Policy
Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
789 questions
{count} votes

Accepted answer
  1. olufemia-MSFT 2,861 Reputation points
    2020-12-03T12:44:31.913+00:00

    Hello anonymous user - here's the update from my ASC expert.

    The NIST SP 800-53 initiative has a ‘shared responsibility model’ baked in to it., It includes policies that are platform responsibility (all of the “Microsoft Managed Controls”), alongside the customer responsibility policies. However, this info isn’t surfaced in ASC yet (though it will be sooon).
    What we show in the Security Center compliance dashboard is a message for each of the ‘gray’ controls that this control does not have any automated assessments associated with it. That can be because either

    1. We don’t yet have policies that apply to this control,
    2. This can’t be automated by policy and therefore will eventually have a manual assessment associated with it, or
    3. This control is indeed platform responsibility, and we should have “Microsoft Managed Controls” mapped to it
      Important note: We currently dont have microsoft managed controls for all standards yet - only NIST for now.

    Hope this helps but dont hesitate to ping if you have any followup qyestions

    Cheers.

    0 comments No comments

0 additional answers

Sort by: Most helpful