Azure Policy Regulatory Compliance controls for Azure Resource Manager
Regulatory Compliance in Azure Policy provides Microsoft created and managed initiative definitions, known as built-ins, for the compliance domains and security controls related to different compliance standards. This page lists the compliance domains and security controls for Azure Resource Manager. You can assign the built-ins for a security control individually to help make your Azure resources compliant with the specific standard.
The title of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Policy Version column to view the source on the Azure Policy GitHub repo.
Important
Each control is associated with one or more Azure Policy definitions. These policies might help you assess compliance with the control. However, there often isn't a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policies themselves. This doesn't ensure that you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between controls and Azure Policy Regulatory Compliance definitions for these compliance standards can change over time.
Australian Government ISM PROTECTED
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Australian Government ISM PROTECTED. For more information about this compliance standard, see Australian Government ISM PROTECTED.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| Guidelines for System Hardening - Operating system hardening | 380 | Operating system configuration - 380 | Blocked accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| Guidelines for System Hardening - Operating system hardening | 380 | Operating system configuration - 380 | Blocked accounts with read and write permissions on Azure resources should be removed | 1.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 414 | User identification - 414 | Accounts with owner permissions on Azure resources should be MFA enabled | 1.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 414 | User identification - 414 | Accounts with read permissions on Azure resources should be MFA enabled | 1.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 414 | User identification - 414 | Accounts with write permissions on Azure resources should be MFA enabled | 1.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 430 | Suspension of access to systems - 430 | Blocked accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 430 | Suspension of access to systems - 430 | Blocked accounts with read and write permissions on Azure resources should be removed | 1.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 441 | Temporary access to systems - 441 | Blocked accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 441 | Temporary access to systems - 441 | Blocked accounts with read and write permissions on Azure resources should be removed | 1.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 441 | Temporary access to systems - 441 | Guest accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 441 | Temporary access to systems - 441 | Guest accounts with write permissions on Azure resources should be removed | 1.0.0 |
| Guidelines for Media - Media usage | 947 | Using media for data transfers - 947 | Accounts with read permissions on Azure resources should be MFA enabled | 1.0.0 |
| Guidelines for System Hardening - Authentication hardening | 1173 | Multi-factor authentication - 1173 | Accounts with owner permissions on Azure resources should be MFA enabled | 1.0.0 |
| Guidelines for System Hardening - Authentication hardening | 1173 | Multi-factor authentication - 1173 | Accounts with write permissions on Azure resources should be MFA enabled | 1.0.0 |
| Guidelines for System Hardening - Authentication hardening | 1384 | Multi-factor authentication - 1384 | Accounts with owner permissions on Azure resources should be MFA enabled | 1.0.0 |
| Guidelines for System Hardening - Authentication hardening | 1384 | Multi-factor authentication - 1384 | Accounts with read permissions on Azure resources should be MFA enabled | 1.0.0 |
| Guidelines for System Hardening - Authentication hardening | 1384 | Multi-factor authentication - 1384 | Accounts with write permissions on Azure resources should be MFA enabled | 1.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 1503 | Standard access to systems - 1503 | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 1503 | Standard access to systems - 1503 | There should be more than one owner assigned to your subscription | 3.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 1508 | Privileged access to systems - 1508 | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 1508 | Privileged access to systems - 1508 | There should be more than one owner assigned to your subscription | 3.0.0 |
| Guidelines for System Management - Data backup and restoration | 1511 | Performing backups - 1511 | Audit virtual machines without disaster recovery configured | 1.0.0 |
Canada Federal PBMM
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Canada Federal PBMM. For more information about this compliance standard, see Canada Federal PBMM.
CIS Microsoft Azure Foundations Benchmark 1.1.0
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - CIS Microsoft Azure Foundations Benchmark 1.1.0. For more information about this compliance standard, see CIS Microsoft Azure Foundations Benchmark.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| 1 Identity and Access Management | 1.1 | Ensure that multi-factor authentication is enabled for all privileged users | Accounts with owner permissions on Azure resources should be MFA enabled | 1.0.0 |
| 1 Identity and Access Management | 1.1 | Ensure that multi-factor authentication is enabled for all privileged users | Accounts with write permissions on Azure resources should be MFA enabled | 1.0.0 |
| 1 Identity and Access Management | 1.1 | Ensure that multi-factor authentication is enabled for all privileged users | Adopt biometric authentication mechanisms | 1.1.0 |
| 1 Identity and Access Management | 1.10 | Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No' | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | 1.10 | Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No' | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | 1.10 | Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 Identity and Access Management | 1.11 | Ensure that 'Users can register applications' is set to 'No' | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | 1.11 | Ensure that 'Users can register applications' is set to 'No' | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | 1.11 | Ensure that 'Users can register applications' is set to 'No' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 Identity and Access Management | 1.12 | Ensure that 'Guest user permissions are limited' is set to 'Yes' | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | 1.12 | Ensure that 'Guest user permissions are limited' is set to 'Yes' | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | 1.12 | Ensure that 'Guest user permissions are limited' is set to 'Yes' | Design an access control model | 1.1.0 |
| 1 Identity and Access Management | 1.12 | Ensure that 'Guest user permissions are limited' is set to 'Yes' | Employ least privilege access | 1.1.0 |
| 1 Identity and Access Management | 1.12 | Ensure that 'Guest user permissions are limited' is set to 'Yes' | Enforce logical access | 1.1.0 |
| 1 Identity and Access Management | 1.12 | Ensure that 'Guest user permissions are limited' is set to 'Yes' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 Identity and Access Management | 1.12 | Ensure that 'Guest user permissions are limited' is set to 'Yes' | Require approval for account creation | 1.1.0 |
| 1 Identity and Access Management | 1.12 | Ensure that 'Guest user permissions are limited' is set to 'Yes' | Review user groups and applications with access to sensitive data | 1.1.0 |
| 1 Identity and Access Management | 1.13 | Ensure that 'Members can invite' is set to 'No' | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | 1.13 | Ensure that 'Members can invite' is set to 'No' | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | 1.13 | Ensure that 'Members can invite' is set to 'No' | Design an access control model | 1.1.0 |
| 1 Identity and Access Management | 1.13 | Ensure that 'Members can invite' is set to 'No' | Employ least privilege access | 1.1.0 |
| 1 Identity and Access Management | 1.13 | Ensure that 'Members can invite' is set to 'No' | Enforce logical access | 1.1.0 |
| 1 Identity and Access Management | 1.13 | Ensure that 'Members can invite' is set to 'No' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 Identity and Access Management | 1.13 | Ensure that 'Members can invite' is set to 'No' | Require approval for account creation | 1.1.0 |
| 1 Identity and Access Management | 1.13 | Ensure that 'Members can invite' is set to 'No' | Review user groups and applications with access to sensitive data | 1.1.0 |
| 1 Identity and Access Management | 1.14 | Ensure that 'Guests can invite' is set to 'No' | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | 1.14 | Ensure that 'Guests can invite' is set to 'No' | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | 1.14 | Ensure that 'Guests can invite' is set to 'No' | Design an access control model | 1.1.0 |
| 1 Identity and Access Management | 1.14 | Ensure that 'Guests can invite' is set to 'No' | Employ least privilege access | 1.1.0 |
| 1 Identity and Access Management | 1.14 | Ensure that 'Guests can invite' is set to 'No' | Enforce logical access | 1.1.0 |
| 1 Identity and Access Management | 1.14 | Ensure that 'Guests can invite' is set to 'No' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 Identity and Access Management | 1.14 | Ensure that 'Guests can invite' is set to 'No' | Require approval for account creation | 1.1.0 |
| 1 Identity and Access Management | 1.14 | Ensure that 'Guests can invite' is set to 'No' | Review user groups and applications with access to sensitive data | 1.1.0 |
| 1 Identity and Access Management | 1.15 | Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | 1.15 | Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | 1.15 | Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' | Enforce logical access | 1.1.0 |
| 1 Identity and Access Management | 1.15 | Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 Identity and Access Management | 1.15 | Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' | Establish and document change control processes | 1.1.0 |
| 1 Identity and Access Management | 1.15 | Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' | Require approval for account creation | 1.1.0 |
| 1 Identity and Access Management | 1.15 | Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' | Review user groups and applications with access to sensitive data | 1.1.0 |
| 1 Identity and Access Management | 1.16 | Ensure that 'Self-service group management enabled' is set to 'No' | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | 1.16 | Ensure that 'Self-service group management enabled' is set to 'No' | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | 1.16 | Ensure that 'Self-service group management enabled' is set to 'No' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 Identity and Access Management | 1.16 | Ensure that 'Self-service group management enabled' is set to 'No' | Establish and document change control processes | 1.1.0 |
| 1 Identity and Access Management | 1.17 | Ensure that 'Users can create security groups' is set to 'No' | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | 1.17 | Ensure that 'Users can create security groups' is set to 'No' | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | 1.17 | Ensure that 'Users can create security groups' is set to 'No' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 Identity and Access Management | 1.17 | Ensure that 'Users can create security groups' is set to 'No' | Establish and document change control processes | 1.1.0 |
| 1 Identity and Access Management | 1.18 | Ensure that 'Users who can manage security groups' is set to 'None' | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | 1.18 | Ensure that 'Users who can manage security groups' is set to 'None' | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | 1.18 | Ensure that 'Users who can manage security groups' is set to 'None' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 Identity and Access Management | 1.18 | Ensure that 'Users who can manage security groups' is set to 'None' | Establish and document change control processes | 1.1.0 |
| 1 Identity and Access Management | 1.19 | Ensure that 'Users can create Office 365 groups' is set to 'No' | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | 1.19 | Ensure that 'Users can create Office 365 groups' is set to 'No' | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | 1.19 | Ensure that 'Users can create Office 365 groups' is set to 'No' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 Identity and Access Management | 1.19 | Ensure that 'Users can create Office 365 groups' is set to 'No' | Establish and document change control processes | 1.1.0 |
| 1 Identity and Access Management | 1.2 | Ensure that multi-factor authentication is enabled for all non-privileged users | Accounts with read permissions on Azure resources should be MFA enabled | 1.0.0 |
| 1 Identity and Access Management | 1.2 | Ensure that multi-factor authentication is enabled for all non-privileged users | Adopt biometric authentication mechanisms | 1.1.0 |
| 1 Identity and Access Management | 1.20 | Ensure that 'Users who can manage Office 365 groups' is set to 'None' | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | 1.20 | Ensure that 'Users who can manage Office 365 groups' is set to 'None' | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | 1.20 | Ensure that 'Users who can manage Office 365 groups' is set to 'None' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 Identity and Access Management | 1.20 | Ensure that 'Users who can manage Office 365 groups' is set to 'None' | Establish and document change control processes | 1.1.0 |
| 1 Identity and Access Management | 1.22 | Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' | Adopt biometric authentication mechanisms | 1.1.0 |
| 1 Identity and Access Management | 1.22 | Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' | Authorize remote access | 1.1.0 |
| 1 Identity and Access Management | 1.22 | Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' | Document mobility training | 1.1.0 |
| 1 Identity and Access Management | 1.22 | Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' | Document remote access guidelines | 1.1.0 |
| 1 Identity and Access Management | 1.22 | Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' | Identify and authenticate network devices | 1.1.0 |
| 1 Identity and Access Management | 1.22 | Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' | Implement controls to secure alternate work sites | 1.1.0 |
| 1 Identity and Access Management | 1.22 | Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' | Provide privacy training | 1.1.0 |
| 1 Identity and Access Management | 1.22 | Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' | Satisfy token quality requirements | 1.1.0 |
| 1 Identity and Access Management | 1.23 | Ensure that no custom subscription owner roles are created | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | 1.23 | Ensure that no custom subscription owner roles are created | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | 1.23 | Ensure that no custom subscription owner roles are created | Design an access control model | 1.1.0 |
| 1 Identity and Access Management | 1.23 | Ensure that no custom subscription owner roles are created | Employ least privilege access | 1.1.0 |
| 1 Identity and Access Management | 1.23 | Ensure that no custom subscription owner roles are created | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 Identity and Access Management | 1.23 | Ensure that no custom subscription owner roles are created | Establish and document change control processes | 1.1.0 |
| 1 Identity and Access Management | 1.3 | Ensure that there are no guest users | Audit user account status | 1.1.0 |
| 1 Identity and Access Management | 1.3 | Ensure that there are no guest users | Guest accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| 1 Identity and Access Management | 1.3 | Ensure that there are no guest users | Guest accounts with read permissions on Azure resources should be removed | 1.0.0 |
| 1 Identity and Access Management | 1.3 | Ensure that there are no guest users | Guest accounts with write permissions on Azure resources should be removed | 1.0.0 |
| 1 Identity and Access Management | 1.3 | Ensure that there are no guest users | Reassign or remove user privileges as needed | 1.1.0 |
| 1 Identity and Access Management | 1.3 | Ensure that there are no guest users | Review account provisioning logs | 1.1.0 |
| 1 Identity and Access Management | 1.3 | Ensure that there are no guest users | Review user accounts | 1.1.0 |
| 1 Identity and Access Management | 1.3 | Ensure that there are no guest users | Review user privileges | 1.1.0 |
| 1 Identity and Access Management | 1.4 | Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' | Adopt biometric authentication mechanisms | 1.1.0 |
| 1 Identity and Access Management | 1.4 | Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' | Identify and authenticate network devices | 1.1.0 |
| 1 Identity and Access Management | 1.4 | Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' | Satisfy token quality requirements | 1.1.0 |
| 1 Identity and Access Management | 1.6 | Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' | Automate account management | 1.1.0 |
| 1 Identity and Access Management | 1.6 | Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' | Manage system and admin accounts | 1.1.0 |
| 1 Identity and Access Management | 1.6 | Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' | Monitor access across the organization | 1.1.0 |
| 1 Identity and Access Management | 1.6 | Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' | Notify when account is not needed | 1.1.0 |
| 1 Identity and Access Management | 1.7 | Ensure that 'Notify users on password resets?' is set to 'Yes' | Automate account management | 1.1.0 |
| 1 Identity and Access Management | 1.7 | Ensure that 'Notify users on password resets?' is set to 'Yes' | Implement training for protecting authenticators | 1.1.0 |
| 1 Identity and Access Management | 1.7 | Ensure that 'Notify users on password resets?' is set to 'Yes' | Manage system and admin accounts | 1.1.0 |
| 1 Identity and Access Management | 1.7 | Ensure that 'Notify users on password resets?' is set to 'Yes' | Monitor access across the organization | 1.1.0 |
| 1 Identity and Access Management | 1.7 | Ensure that 'Notify users on password resets?' is set to 'Yes' | Notify when account is not needed | 1.1.0 |
| 1 Identity and Access Management | 1.8 | Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' | Audit privileged functions | 1.1.0 |
| 1 Identity and Access Management | 1.8 | Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' | Automate account management | 1.1.0 |
| 1 Identity and Access Management | 1.8 | Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' | Implement training for protecting authenticators | 1.1.0 |
| 1 Identity and Access Management | 1.8 | Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' | Manage system and admin accounts | 1.1.0 |
| 1 Identity and Access Management | 1.8 | Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' | Monitor access across the organization | 1.1.0 |
| 1 Identity and Access Management | 1.8 | Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' | Monitor privileged role assignment | 1.1.0 |
| 1 Identity and Access Management | 1.8 | Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' | Notify when account is not needed | 1.1.0 |
| 1 Identity and Access Management | 1.8 | Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' | Restrict access to privileged accounts | 1.1.0 |
| 1 Identity and Access Management | 1.8 | Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' | Revoke privileged roles as appropriate | 1.1.0 |
| 1 Identity and Access Management | 1.8 | Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' | Use privileged identity management | 1.1.0 |
| 1 Identity and Access Management | 1.9 | Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No' | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | 1.9 | Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No' | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | 1.9 | Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 2 Security Center | 2.1 | Ensure that standard pricing tier is selected | Azure Defender for App Service should be enabled | 1.0.3 |
| 2 Security Center | 2.1 | Ensure that standard pricing tier is selected | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| 2 Security Center | 2.1 | Ensure that standard pricing tier is selected | Azure Defender for Key Vault should be enabled | 1.0.3 |
| 2 Security Center | 2.1 | Ensure that standard pricing tier is selected | Azure Defender for servers should be enabled | 1.0.3 |
| 2 Security Center | 2.1 | Ensure that standard pricing tier is selected | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| 2 Security Center | 2.1 | Ensure that standard pricing tier is selected | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| 2 Security Center | 2.1 | Ensure that standard pricing tier is selected | Detect network services that have not been authorized or approved | 1.1.0 |
| 2 Security Center | 2.1 | Ensure that standard pricing tier is selected | Manage gateways | 1.1.0 |
| 2 Security Center | 2.1 | Ensure that standard pricing tier is selected | Microsoft Defender for Containers should be enabled | 1.0.0 |
| 2 Security Center | 2.1 | Ensure that standard pricing tier is selected | Microsoft Defender for Storage should be enabled | 1.0.0 |
| 2 Security Center | 2.1 | Ensure that standard pricing tier is selected | Perform a trend analysis on threats | 1.1.0 |
| 2 Security Center | 2.1 | Ensure that standard pricing tier is selected | Perform vulnerability scans | 1.1.0 |
| 2 Security Center | 2.1 | Ensure that standard pricing tier is selected | Review malware detections report weekly | 1.1.0 |
| 2 Security Center | 2.1 | Ensure that standard pricing tier is selected | Review threat protection status weekly | 1.1.0 |
| 2 Security Center | 2.1 | Ensure that standard pricing tier is selected | Update antivirus definitions | 1.1.0 |
| 2 Security Center | 2.11 | Ensure ASC Default policy setting "Monitor Storage Blob Encryption" is not "Disabled" | Establish a data leakage management procedure | 1.1.0 |
| 2 Security Center | 2.11 | Ensure ASC Default policy setting "Monitor Storage Blob Encryption" is not "Disabled" | Implement controls to secure all media | 1.1.0 |
| 2 Security Center | 2.11 | Ensure ASC Default policy setting "Monitor Storage Blob Encryption" is not "Disabled" | Protect data in transit using encryption | 1.1.0 |
| 2 Security Center | 2.11 | Ensure ASC Default policy setting "Monitor Storage Blob Encryption" is not "Disabled" | Protect special information | 1.1.0 |
| 2 Security Center | 2.12 | Ensure ASC Default policy setting "Monitor JIT Network Access" is not "Disabled" | Detect network services that have not been authorized or approved | 1.1.0 |
| 2 Security Center | 2.14 | Ensure ASC Default policy setting "Monitor SQL Auditing" is not "Disabled" | Audit privileged functions | 1.1.0 |
| 2 Security Center | 2.14 | Ensure ASC Default policy setting "Monitor SQL Auditing" is not "Disabled" | Audit user account status | 1.1.0 |
| 2 Security Center | 2.14 | Ensure ASC Default policy setting "Monitor SQL Auditing" is not "Disabled" | Determine auditable events | 1.1.0 |
| 2 Security Center | 2.14 | Ensure ASC Default policy setting "Monitor SQL Auditing" is not "Disabled" | Review audit data | 1.1.0 |
| 2 Security Center | 2.15 | Ensure ASC Default policy setting "Monitor SQL Encryption" is not "Disabled" | Establish a data leakage management procedure | 1.1.0 |
| 2 Security Center | 2.15 | Ensure ASC Default policy setting "Monitor SQL Encryption" is not "Disabled" | Implement controls to secure all media | 1.1.0 |
| 2 Security Center | 2.15 | Ensure ASC Default policy setting "Monitor SQL Encryption" is not "Disabled" | Protect data in transit using encryption | 1.1.0 |
| 2 Security Center | 2.15 | Ensure ASC Default policy setting "Monitor SQL Encryption" is not "Disabled" | Protect special information | 1.1.0 |
| 2 Security Center | 2.16 | Ensure that 'Security contact emails' is set | Subscriptions should have a contact email address for security issues | 1.0.1 |
| 2 Security Center | 2.18 | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Email notification for high severity alerts should be enabled | 1.1.0 |
| 2 Security Center | 2.19 | Ensure that 'Send email also to subscription owners' is set to 'On' | Email notification to subscription owner for high severity alerts should be enabled | 2.1.0 |
| 2 Security Center | 2.2 | Ensure that 'Automatic provisioning of monitoring agent' is set to 'On' | Auto provisioning of the Log Analytics agent should be enabled on your subscription | 1.0.1 |
| 2 Security Center | 2.2 | Ensure that 'Automatic provisioning of monitoring agent' is set to 'On' | Document security operations | 1.1.0 |
| 2 Security Center | 2.2 | Ensure that 'Automatic provisioning of monitoring agent' is set to 'On' | Turn on sensors for endpoint security solution | 1.1.0 |
| 2 Security Center | 2.3 | Ensure ASC Default policy setting "Monitor System Updates" is not "Disabled" | Remediate information system flaws | 1.1.0 |
| 2 Security Center | 2.4 | Ensure ASC Default policy setting "Monitor OS Vulnerabilities" is not "Disabled" | Perform vulnerability scans | 1.1.0 |
| 2 Security Center | 2.4 | Ensure ASC Default policy setting "Monitor OS Vulnerabilities" is not "Disabled" | Remediate information system flaws | 1.1.0 |
| 2 Security Center | 2.5 | Ensure ASC Default policy setting "Monitor Endpoint Protection" is not "Disabled" | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| 2 Security Center | 2.5 | Ensure ASC Default policy setting "Monitor Endpoint Protection" is not "Disabled" | Manage gateways | 1.1.0 |
| 2 Security Center | 2.5 | Ensure ASC Default policy setting "Monitor Endpoint Protection" is not "Disabled" | Perform a trend analysis on threats | 1.1.0 |
| 2 Security Center | 2.5 | Ensure ASC Default policy setting "Monitor Endpoint Protection" is not "Disabled" | Perform vulnerability scans | 1.1.0 |
| 2 Security Center | 2.5 | Ensure ASC Default policy setting "Monitor Endpoint Protection" is not "Disabled" | Review malware detections report weekly | 1.1.0 |
| 2 Security Center | 2.5 | Ensure ASC Default policy setting "Monitor Endpoint Protection" is not "Disabled" | Review threat protection status weekly | 1.1.0 |
| 2 Security Center | 2.5 | Ensure ASC Default policy setting "Monitor Endpoint Protection" is not "Disabled" | Update antivirus definitions | 1.1.0 |
| 2 Security Center | 2.6 | Ensure ASC Default policy setting "Monitor Disk Encryption" is not "Disabled" | Establish a data leakage management procedure | 1.1.0 |
| 2 Security Center | 2.6 | Ensure ASC Default policy setting "Monitor Disk Encryption" is not "Disabled" | Implement controls to secure all media | 1.1.0 |
| 2 Security Center | 2.6 | Ensure ASC Default policy setting "Monitor Disk Encryption" is not "Disabled" | Protect data in transit using encryption | 1.1.0 |
| 2 Security Center | 2.6 | Ensure ASC Default policy setting "Monitor Disk Encryption" is not "Disabled" | Protect special information | 1.1.0 |
| 2 Security Center | 2.7 | Ensure ASC Default policy setting "Monitor Network Security Groups" is not "Disabled" | Control information flow | 1.1.0 |
| 2 Security Center | 2.7 | Ensure ASC Default policy setting "Monitor Network Security Groups" is not "Disabled" | Employ flow control mechanisms of encrypted information | 1.1.0 |
| 2 Security Center | 2.8 | Ensure ASC Default policy setting "Monitor Web Application Firewall" is not "Disabled" | Control information flow | 1.1.0 |
| 2 Security Center | 2.8 | Ensure ASC Default policy setting "Monitor Web Application Firewall" is not "Disabled" | Employ flow control mechanisms of encrypted information | 1.1.0 |
| 2 Security Center | 2.9 | Ensure ASC Default policy setting "Enable Next Generation Firewall(NGFW) Monitoring" is not "Disabled" | Control information flow | 1.1.0 |
| 2 Security Center | 2.9 | Ensure ASC Default policy setting "Enable Next Generation Firewall(NGFW) Monitoring" is not "Disabled" | Employ flow control mechanisms of encrypted information | 1.1.0 |
| 3 Storage Accounts | 3.1 | Ensure that 'Secure transfer required' is set to 'Enabled' | Configure workstations to check for digital certificates | 1.1.0 |
| 3 Storage Accounts | 3.1 | Ensure that 'Secure transfer required' is set to 'Enabled' | Protect data in transit using encryption | 1.1.0 |
| 3 Storage Accounts | 3.1 | Ensure that 'Secure transfer required' is set to 'Enabled' | Protect passwords with encryption | 1.1.0 |
| 3 Storage Accounts | 3.2 | Ensure that storage account access keys are periodically regenerated | Define a physical key management process | 1.1.0 |
| 3 Storage Accounts | 3.2 | Ensure that storage account access keys are periodically regenerated | Define cryptographic use | 1.1.0 |
| 3 Storage Accounts | 3.2 | Ensure that storage account access keys are periodically regenerated | Define organizational requirements for cryptographic key management | 1.1.0 |
| 3 Storage Accounts | 3.2 | Ensure that storage account access keys are periodically regenerated | Determine assertion requirements | 1.1.0 |
| 3 Storage Accounts | 3.2 | Ensure that storage account access keys are periodically regenerated | Issue public key certificates | 1.1.0 |
| 3 Storage Accounts | 3.2 | Ensure that storage account access keys are periodically regenerated | Manage symmetric cryptographic keys | 1.1.0 |
| 3 Storage Accounts | 3.2 | Ensure that storage account access keys are periodically regenerated | Restrict access to private keys | 1.1.0 |
| 3 Storage Accounts | 3.3 | Ensure Storage logging is enabled for Queue service for read, write, and delete requests | Audit privileged functions | 1.1.0 |
| 3 Storage Accounts | 3.3 | Ensure Storage logging is enabled for Queue service for read, write, and delete requests | Audit user account status | 1.1.0 |
| 3 Storage Accounts | 3.3 | Ensure Storage logging is enabled for Queue service for read, write, and delete requests | Configure Azure Audit capabilities | 1.1.1 |
| 3 Storage Accounts | 3.3 | Ensure Storage logging is enabled for Queue service for read, write, and delete requests | Determine auditable events | 1.1.0 |
| 3 Storage Accounts | 3.3 | Ensure Storage logging is enabled for Queue service for read, write, and delete requests | Review audit data | 1.1.0 |
| 3 Storage Accounts | 3.4 | Ensure that shared access signature tokens expire within an hour | Disable authenticators upon termination | 1.1.0 |
| 3 Storage Accounts | 3.4 | Ensure that shared access signature tokens expire within an hour | Revoke privileged roles as appropriate | 1.1.0 |
| 3 Storage Accounts | 3.4 | Ensure that shared access signature tokens expire within an hour | Terminate user session automatically | 1.1.0 |
| 3 Storage Accounts | 3.5 | Ensure that shared access signature tokens are allowed only over https | Configure workstations to check for digital certificates | 1.1.0 |
| 3 Storage Accounts | 3.5 | Ensure that shared access signature tokens are allowed only over https | Protect data in transit using encryption | 1.1.0 |
| 3 Storage Accounts | 3.5 | Ensure that shared access signature tokens are allowed only over https | Protect passwords with encryption | 1.1.0 |
| 3 Storage Accounts | 3.6 | Ensure that 'Public access level' is set to Private for blob containers | Authorize access to security functions and information | 1.1.0 |
| 3 Storage Accounts | 3.6 | Ensure that 'Public access level' is set to Private for blob containers | Authorize and manage access | 1.1.0 |
| 3 Storage Accounts | 3.6 | Ensure that 'Public access level' is set to Private for blob containers | Enforce logical access | 1.1.0 |
| 3 Storage Accounts | 3.6 | Ensure that 'Public access level' is set to Private for blob containers | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 3 Storage Accounts | 3.6 | Ensure that 'Public access level' is set to Private for blob containers | Require approval for account creation | 1.1.0 |
| 3 Storage Accounts | 3.6 | Ensure that 'Public access level' is set to Private for blob containers | Review user groups and applications with access to sensitive data | 1.1.0 |
| 3 Storage Accounts | 3.8 | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Control information flow | 1.1.0 |
| 3 Storage Accounts | 3.8 | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Employ flow control mechanisms of encrypted information | 1.1.0 |
| 3 Storage Accounts | 3.8 | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Establish firewall and router configuration standards | 1.1.0 |
| 3 Storage Accounts | 3.8 | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Establish network segmentation for card holder data environment | 1.1.0 |
| 3 Storage Accounts | 3.8 | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Identify and manage downstream information exchanges | 1.1.0 |
| 4 Database Services | 4.1 | Ensure that 'Auditing' is set to 'On' | Audit privileged functions | 1.1.0 |
| 4 Database Services | 4.1 | Ensure that 'Auditing' is set to 'On' | Audit user account status | 1.1.0 |
| 4 Database Services | 4.1 | Ensure that 'Auditing' is set to 'On' | Determine auditable events | 1.1.0 |
| 4 Database Services | 4.1 | Ensure that 'Auditing' is set to 'On' | Review audit data | 1.1.0 |
| 4 Database Services | 4.10 | Ensure SQL server's TDE protector is encrypted with BYOK (Use your own key) | Establish a data leakage management procedure | 1.1.0 |
| 4 Database Services | 4.10 | Ensure SQL server's TDE protector is encrypted with BYOK (Use your own key) | Implement controls to secure all media | 1.1.0 |
| 4 Database Services | 4.10 | Ensure SQL server's TDE protector is encrypted with BYOK (Use your own key) | Protect data in transit using encryption | 1.1.0 |
| 4 Database Services | 4.10 | Ensure SQL server's TDE protector is encrypted with BYOK (Use your own key) | Protect special information | 1.1.0 |
| 4 Database Services | 4.11 | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | Configure workstations to check for digital certificates | 1.1.0 |
| 4 Database Services | 4.11 | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | Protect data in transit using encryption | 1.1.0 |
| 4 Database Services | 4.11 | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | Protect passwords with encryption | 1.1.0 |
| 4 Database Services | 4.12 | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Audit privileged functions | 1.1.0 |
| 4 Database Services | 4.12 | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Audit user account status | 1.1.0 |
| 4 Database Services | 4.12 | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Determine auditable events | 1.1.0 |
| 4 Database Services | 4.12 | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Review audit data | 1.1.0 |
| 4 Database Services | 4.13 | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Configure workstations to check for digital certificates | 1.1.0 |
| 4 Database Services | 4.13 | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Protect data in transit using encryption | 1.1.0 |
| 4 Database Services | 4.13 | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Protect passwords with encryption | 1.1.0 |
| 4 Database Services | 4.14 | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | Audit privileged functions | 1.1.0 |
| 4 Database Services | 4.14 | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | Audit user account status | 1.1.0 |
| 4 Database Services | 4.14 | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | Determine auditable events | 1.1.0 |
| 4 Database Services | 4.14 | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | Review audit data | 1.1.0 |
| 4 Database Services | 4.15 | Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server | Audit privileged functions | 1.1.0 |
| 4 Database Services | 4.15 | Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server | Audit user account status | 1.1.0 |
| 4 Database Services | 4.15 | Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server | Determine auditable events | 1.1.0 |
| 4 Database Services | 4.15 | Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server | Review audit data | 1.1.0 |
| 4 Database Services | 4.16 | Ensure server parameter 'log_duration' is set to 'ON' for PostgreSQL Database Server | Audit privileged functions | 1.1.0 |
| 4 Database Services | 4.16 | Ensure server parameter 'log_duration' is set to 'ON' for PostgreSQL Database Server | Audit user account status | 1.1.0 |
| 4 Database Services | 4.16 | Ensure server parameter 'log_duration' is set to 'ON' for PostgreSQL Database Server | Determine auditable events | 1.1.0 |
| 4 Database Services | 4.16 | Ensure server parameter 'log_duration' is set to 'ON' for PostgreSQL Database Server | Review audit data | 1.1.0 |
| 4 Database Services | 4.17 | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Audit privileged functions | 1.1.0 |
| 4 Database Services | 4.17 | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Audit user account status | 1.1.0 |
| 4 Database Services | 4.17 | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Determine auditable events | 1.1.0 |
| 4 Database Services | 4.17 | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Review audit data | 1.1.0 |
| 4 Database Services | 4.18 | Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server | Adhere to retention periods defined | 1.1.0 |
| 4 Database Services | 4.18 | Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server | Govern and monitor audit processing activities | 1.1.0 |
| 4 Database Services | 4.18 | Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server | Retain security policies and procedures | 1.1.0 |
| 4 Database Services | 4.18 | Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server | Retain terminated user data | 1.1.0 |
| 4 Database Services | 4.19 | Ensure that Azure Active Directory Admin is configured | Automate account management | 1.1.0 |
| 4 Database Services | 4.19 | Ensure that Azure Active Directory Admin is configured | Manage system and admin accounts | 1.1.0 |
| 4 Database Services | 4.19 | Ensure that Azure Active Directory Admin is configured | Monitor access across the organization | 1.1.0 |
| 4 Database Services | 4.19 | Ensure that Azure Active Directory Admin is configured | Notify when account is not needed | 1.1.0 |
| 4 Database Services | 4.2 | Ensure that 'AuditActionGroups' in 'auditing' policy for a SQL server is set properly | Audit privileged functions | 1.1.0 |
| 4 Database Services | 4.2 | Ensure that 'AuditActionGroups' in 'auditing' policy for a SQL server is set properly | Audit user account status | 1.1.0 |
| 4 Database Services | 4.2 | Ensure that 'AuditActionGroups' in 'auditing' policy for a SQL server is set properly | Determine auditable events | 1.1.0 |
| 4 Database Services | 4.2 | Ensure that 'AuditActionGroups' in 'auditing' policy for a SQL server is set properly | Review audit data | 1.1.0 |
| 4 Database Services | 4.3 | Ensure that 'Auditing' Retention is 'greater than 90 days' | Adhere to retention periods defined | 1.1.0 |
| 4 Database Services | 4.3 | Ensure that 'Auditing' Retention is 'greater than 90 days' | Govern and monitor audit processing activities | 1.1.0 |
| 4 Database Services | 4.3 | Ensure that 'Auditing' Retention is 'greater than 90 days' | Retain security policies and procedures | 1.1.0 |
| 4 Database Services | 4.3 | Ensure that 'Auditing' Retention is 'greater than 90 days' | Retain terminated user data | 1.1.0 |
| 4 Database Services | 4.4 | Ensure that 'Advanced Data Security' on a SQL server is set to 'On' | Perform a trend analysis on threats | 1.1.0 |
| 4 Database Services | 4.5 | Ensure that 'Threat Detection types' is set to 'All' | Perform a trend analysis on threats | 1.1.0 |
| 4 Database Services | 4.6 | Ensure that 'Send alerts to' is set | Alert personnel of information spillage | 1.1.0 |
| 4 Database Services | 4.6 | Ensure that 'Send alerts to' is set | Develop an incident response plan | 1.1.0 |
| 4 Database Services | 4.6 | Ensure that 'Send alerts to' is set | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| 4 Database Services | 4.7 | Ensure that 'Email service and co-administrators' is 'Enabled' | Alert personnel of information spillage | 1.1.0 |
| 4 Database Services | 4.7 | Ensure that 'Email service and co-administrators' is 'Enabled' | Develop an incident response plan | 1.1.0 |
| 4 Database Services | 4.7 | Ensure that 'Email service and co-administrators' is 'Enabled' | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| 4 Database Services | 4.8 | Ensure that Azure Active Directory Admin is configured | Automate account management | 1.1.0 |
| 4 Database Services | 4.8 | Ensure that Azure Active Directory Admin is configured | Manage system and admin accounts | 1.1.0 |
| 4 Database Services | 4.8 | Ensure that Azure Active Directory Admin is configured | Monitor access across the organization | 1.1.0 |
| 4 Database Services | 4.8 | Ensure that Azure Active Directory Admin is configured | Notify when account is not needed | 1.1.0 |
| 4 Database Services | 4.9 | Ensure that 'Data encryption' is set to 'On' on a SQL Database | Establish a data leakage management procedure | 1.1.0 |
| 4 Database Services | 4.9 | Ensure that 'Data encryption' is set to 'On' on a SQL Database | Implement controls to secure all media | 1.1.0 |
| 4 Database Services | 4.9 | Ensure that 'Data encryption' is set to 'On' on a SQL Database | Protect data in transit using encryption | 1.1.0 |
| 4 Database Services | 4.9 | Ensure that 'Data encryption' is set to 'On' on a SQL Database | Protect special information | 1.1.0 |
| 5 Logging and Monitoring | 5.1.1 | Ensure that a Log Profile exists | Adhere to retention periods defined | 1.1.0 |
| 5 Logging and Monitoring | 5.1.1 | Ensure that a Log Profile exists | Azure subscriptions should have a log profile for Activity Log | 1.0.0 |
| 5 Logging and Monitoring | 5.1.1 | Ensure that a Log Profile exists | Govern and monitor audit processing activities | 1.1.0 |
| 5 Logging and Monitoring | 5.1.1 | Ensure that a Log Profile exists | Retain security policies and procedures | 1.1.0 |
| 5 Logging and Monitoring | 5.1.1 | Ensure that a Log Profile exists | Retain terminated user data | 1.1.0 |
| 5 Logging and Monitoring | 5.1.2 | Ensure that Activity Log Retention is set 365 days or greater | Activity log should be retained for at least one year | 1.0.0 |
| 5 Logging and Monitoring | 5.1.2 | Ensure that Activity Log Retention is set 365 days or greater | Adhere to retention periods defined | 1.1.0 |
| 5 Logging and Monitoring | 5.1.2 | Ensure that Activity Log Retention is set 365 days or greater | Retain security policies and procedures | 1.1.0 |
| 5 Logging and Monitoring | 5.1.2 | Ensure that Activity Log Retention is set 365 days or greater | Retain terminated user data | 1.1.0 |
| 5 Logging and Monitoring | 5.1.3 | Ensure audit profile captures all the activities | Adhere to retention periods defined | 1.1.0 |
| 5 Logging and Monitoring | 5.1.3 | Ensure audit profile captures all the activities | Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' | 1.0.0 |
| 5 Logging and Monitoring | 5.1.3 | Ensure audit profile captures all the activities | Govern and monitor audit processing activities | 1.1.0 |
| 5 Logging and Monitoring | 5.1.3 | Ensure audit profile captures all the activities | Retain security policies and procedures | 1.1.0 |
| 5 Logging and Monitoring | 5.1.3 | Ensure audit profile captures all the activities | Retain terminated user data | 1.1.0 |
| 5 Logging and Monitoring | 5.1.4 | Ensure the log profile captures activity logs for all regions including global | Adhere to retention periods defined | 1.1.0 |
| 5 Logging and Monitoring | 5.1.4 | Ensure the log profile captures activity logs for all regions including global | Azure Monitor should collect activity logs from all regions | 2.0.0 |
| 5 Logging and Monitoring | 5.1.4 | Ensure the log profile captures activity logs for all regions including global | Govern and monitor audit processing activities | 1.1.0 |
| 5 Logging and Monitoring | 5.1.4 | Ensure the log profile captures activity logs for all regions including global | Retain security policies and procedures | 1.1.0 |
| 5 Logging and Monitoring | 5.1.4 | Ensure the log profile captures activity logs for all regions including global | Retain terminated user data | 1.1.0 |
| 5 Logging and Monitoring | 5.1.5 | Ensure the storage container storing the activity logs is not publicly accessible | Enable dual or joint authorization | 1.1.0 |
| 5 Logging and Monitoring | 5.1.5 | Ensure the storage container storing the activity logs is not publicly accessible | Protect audit information | 1.1.0 |
| 5 Logging and Monitoring | 5.1.6 | Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key) | Enable dual or joint authorization | 1.1.0 |
| 5 Logging and Monitoring | 5.1.6 | Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key) | Maintain integrity of audit system | 1.1.0 |
| 5 Logging and Monitoring | 5.1.6 | Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key) | Protect audit information | 1.1.0 |
| 5 Logging and Monitoring | 5.1.7 | Ensure that logging for Azure KeyVault is 'Enabled' | Audit privileged functions | 1.1.0 |
| 5 Logging and Monitoring | 5.1.7 | Ensure that logging for Azure KeyVault is 'Enabled' | Audit user account status | 1.1.0 |
| 5 Logging and Monitoring | 5.1.7 | Ensure that logging for Azure KeyVault is 'Enabled' | Determine auditable events | 1.1.0 |
| 5 Logging and Monitoring | 5.1.7 | Ensure that logging for Azure KeyVault is 'Enabled' | Review audit data | 1.1.0 |
| 5 Logging and Monitoring | 5.2.1 | Ensure that Activity Log Alert exists for Create Policy Assignment | Alert personnel of information spillage | 1.1.0 |
| 5 Logging and Monitoring | 5.2.1 | Ensure that Activity Log Alert exists for Create Policy Assignment | An activity log alert should exist for specific Policy operations | 3.0.0 |
| 5 Logging and Monitoring | 5.2.1 | Ensure that Activity Log Alert exists for Create Policy Assignment | Develop an incident response plan | 1.1.0 |
| 5 Logging and Monitoring | 5.2.1 | Ensure that Activity Log Alert exists for Create Policy Assignment | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| 5 Logging and Monitoring | 5.2.2 | Ensure that Activity Log Alert exists for Create or Update Network Security Group | Alert personnel of information spillage | 1.1.0 |
| 5 Logging and Monitoring | 5.2.2 | Ensure that Activity Log Alert exists for Create or Update Network Security Group | An activity log alert should exist for specific Administrative operations | 1.0.0 |
| 5 Logging and Monitoring | 5.2.2 | Ensure that Activity Log Alert exists for Create or Update Network Security Group | Develop an incident response plan | 1.1.0 |
| 5 Logging and Monitoring | 5.2.2 | Ensure that Activity Log Alert exists for Create or Update Network Security Group | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| 5 Logging and Monitoring | 5.2.3 | Ensure that Activity Log Alert exists for Delete Network Security Group | Alert personnel of information spillage | 1.1.0 |
| 5 Logging and Monitoring | 5.2.3 | Ensure that Activity Log Alert exists for Delete Network Security Group | An activity log alert should exist for specific Administrative operations | 1.0.0 |
| 5 Logging and Monitoring | 5.2.3 | Ensure that Activity Log Alert exists for Delete Network Security Group | Develop an incident response plan | 1.1.0 |
| 5 Logging and Monitoring | 5.2.3 | Ensure that Activity Log Alert exists for Delete Network Security Group | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| 5 Logging and Monitoring | 5.2.4 | Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule | Alert personnel of information spillage | 1.1.0 |
| 5 Logging and Monitoring | 5.2.4 | Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule | An activity log alert should exist for specific Administrative operations | 1.0.0 |
| 5 Logging and Monitoring | 5.2.4 | Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule | Develop an incident response plan | 1.1.0 |
| 5 Logging and Monitoring | 5.2.4 | Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| 5 Logging and Monitoring | 5.2.5 | Ensure that activity log alert exists for the Delete Network Security Group Rule | Alert personnel of information spillage | 1.1.0 |
| 5 Logging and Monitoring | 5.2.5 | Ensure that activity log alert exists for the Delete Network Security Group Rule | An activity log alert should exist for specific Administrative operations | 1.0.0 |
| 5 Logging and Monitoring | 5.2.5 | Ensure that activity log alert exists for the Delete Network Security Group Rule | Develop an incident response plan | 1.1.0 |
| 5 Logging and Monitoring | 5.2.5 | Ensure that activity log alert exists for the Delete Network Security Group Rule | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| 5 Logging and Monitoring | 5.2.6 | Ensure that Activity Log Alert exists for Create or Update Security Solution | Alert personnel of information spillage | 1.1.0 |
| 5 Logging and Monitoring | 5.2.6 | Ensure that Activity Log Alert exists for Create or Update Security Solution | An activity log alert should exist for specific Security operations | 1.0.0 |
| 5 Logging and Monitoring | 5.2.6 | Ensure that Activity Log Alert exists for Create or Update Security Solution | Develop an incident response plan | 1.1.0 |
| 5 Logging and Monitoring | 5.2.6 | Ensure that Activity Log Alert exists for Create or Update Security Solution | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| 5 Logging and Monitoring | 5.2.7 | Ensure that Activity Log Alert exists for Delete Security Solution | Alert personnel of information spillage | 1.1.0 |
| 5 Logging and Monitoring | 5.2.7 | Ensure that Activity Log Alert exists for Delete Security Solution | An activity log alert should exist for specific Security operations | 1.0.0 |
| 5 Logging and Monitoring | 5.2.7 | Ensure that Activity Log Alert exists for Delete Security Solution | Develop an incident response plan | 1.1.0 |
| 5 Logging and Monitoring | 5.2.7 | Ensure that Activity Log Alert exists for Delete Security Solution | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| 5 Logging and Monitoring | 5.2.8 | Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule | Alert personnel of information spillage | 1.1.0 |
| 5 Logging and Monitoring | 5.2.8 | Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule | An activity log alert should exist for specific Administrative operations | 1.0.0 |
| 5 Logging and Monitoring | 5.2.8 | Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule | Develop an incident response plan | 1.1.0 |
| 5 Logging and Monitoring | 5.2.8 | Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| 5 Logging and Monitoring | 5.2.9 | Ensure that Activity Log Alert exists for Update Security Policy | Alert personnel of information spillage | 1.1.0 |
| 5 Logging and Monitoring | 5.2.9 | Ensure that Activity Log Alert exists for Update Security Policy | An activity log alert should exist for specific Security operations | 1.0.0 |
| 5 Logging and Monitoring | 5.2.9 | Ensure that Activity Log Alert exists for Update Security Policy | Develop an incident response plan | 1.1.0 |
| 5 Logging and Monitoring | 5.2.9 | Ensure that Activity Log Alert exists for Update Security Policy | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| 6 Networking | 6.3 | Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP) | Control information flow | 1.1.0 |
| 6 Networking | 6.3 | Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP) | Employ flow control mechanisms of encrypted information | 1.1.0 |
| 6 Networking | 6.4 | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Adhere to retention periods defined | 1.1.0 |
| 6 Networking | 6.4 | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Retain security policies and procedures | 1.1.0 |
| 6 Networking | 6.4 | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Retain terminated user data | 1.1.0 |
| 6 Networking | 6.5 | Ensure that Network Watcher is 'Enabled' | Verify security functions | 1.1.0 |
| 7 Virtual Machines | 7.1 | Ensure that 'OS disk' are encrypted | Establish a data leakage management procedure | 1.1.0 |
| 7 Virtual Machines | 7.1 | Ensure that 'OS disk' are encrypted | Implement controls to secure all media | 1.1.0 |
| 7 Virtual Machines | 7.1 | Ensure that 'OS disk' are encrypted | Protect data in transit using encryption | 1.1.0 |
| 7 Virtual Machines | 7.1 | Ensure that 'OS disk' are encrypted | Protect special information | 1.1.0 |
| 7 Virtual Machines | 7.2 | Ensure that 'Data disks' are encrypted | Establish a data leakage management procedure | 1.1.0 |
| 7 Virtual Machines | 7.2 | Ensure that 'Data disks' are encrypted | Implement controls to secure all media | 1.1.0 |
| 7 Virtual Machines | 7.2 | Ensure that 'Data disks' are encrypted | Protect data in transit using encryption | 1.1.0 |
| 7 Virtual Machines | 7.2 | Ensure that 'Data disks' are encrypted | Protect special information | 1.1.0 |
| 7 Virtual Machines | 7.3 | Ensure that 'Unattached disks' are encrypted | Establish a data leakage management procedure | 1.1.0 |
| 7 Virtual Machines | 7.3 | Ensure that 'Unattached disks' are encrypted | Implement controls to secure all media | 1.1.0 |
| 7 Virtual Machines | 7.3 | Ensure that 'Unattached disks' are encrypted | Protect data in transit using encryption | 1.1.0 |
| 7 Virtual Machines | 7.3 | Ensure that 'Unattached disks' are encrypted | Protect special information | 1.1.0 |
| 7 Virtual Machines | 7.5 | Ensure that the latest OS Patches for all Virtual Machines are applied | Remediate information system flaws | 1.1.0 |
| 7 Virtual Machines | 7.6 | Ensure that the endpoint protection for all Virtual Machines is installed | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| 7 Virtual Machines | 7.6 | Ensure that the endpoint protection for all Virtual Machines is installed | Document security operations | 1.1.0 |
| 7 Virtual Machines | 7.6 | Ensure that the endpoint protection for all Virtual Machines is installed | Manage gateways | 1.1.0 |
| 7 Virtual Machines | 7.6 | Ensure that the endpoint protection for all Virtual Machines is installed | Perform a trend analysis on threats | 1.1.0 |
| 7 Virtual Machines | 7.6 | Ensure that the endpoint protection for all Virtual Machines is installed | Perform vulnerability scans | 1.1.0 |
| 7 Virtual Machines | 7.6 | Ensure that the endpoint protection for all Virtual Machines is installed | Review malware detections report weekly | 1.1.0 |
| 7 Virtual Machines | 7.6 | Ensure that the endpoint protection for all Virtual Machines is installed | Review threat protection status weekly | 1.1.0 |
| 7 Virtual Machines | 7.6 | Ensure that the endpoint protection for all Virtual Machines is installed | Turn on sensors for endpoint security solution | 1.1.0 |
| 7 Virtual Machines | 7.6 | Ensure that the endpoint protection for all Virtual Machines is installed | Update antivirus definitions | 1.1.0 |
| 7 Virtual Machines | 7.6 | Ensure that the endpoint protection for all Virtual Machines is installed | Verify software, firmware and information integrity | 1.1.0 |
| 8 Other Security Considerations | 8.1 | Ensure that the expiration date is set on all keys | Define a physical key management process | 1.1.0 |
| 8 Other Security Considerations | 8.1 | Ensure that the expiration date is set on all keys | Define cryptographic use | 1.1.0 |
| 8 Other Security Considerations | 8.1 | Ensure that the expiration date is set on all keys | Define organizational requirements for cryptographic key management | 1.1.0 |
| 8 Other Security Considerations | 8.1 | Ensure that the expiration date is set on all keys | Determine assertion requirements | 1.1.0 |
| 8 Other Security Considerations | 8.1 | Ensure that the expiration date is set on all keys | Issue public key certificates | 1.1.0 |
| 8 Other Security Considerations | 8.1 | Ensure that the expiration date is set on all keys | Manage symmetric cryptographic keys | 1.1.0 |
| 8 Other Security Considerations | 8.1 | Ensure that the expiration date is set on all keys | Restrict access to private keys | 1.1.0 |
| 8 Other Security Considerations | 8.2 | Ensure that the expiration date is set on all Secrets | Define a physical key management process | 1.1.0 |
| 8 Other Security Considerations | 8.2 | Ensure that the expiration date is set on all Secrets | Define cryptographic use | 1.1.0 |
| 8 Other Security Considerations | 8.2 | Ensure that the expiration date is set on all Secrets | Define organizational requirements for cryptographic key management | 1.1.0 |
| 8 Other Security Considerations | 8.2 | Ensure that the expiration date is set on all Secrets | Determine assertion requirements | 1.1.0 |
| 8 Other Security Considerations | 8.2 | Ensure that the expiration date is set on all Secrets | Issue public key certificates | 1.1.0 |
| 8 Other Security Considerations | 8.2 | Ensure that the expiration date is set on all Secrets | Manage symmetric cryptographic keys | 1.1.0 |
| 8 Other Security Considerations | 8.2 | Ensure that the expiration date is set on all Secrets | Restrict access to private keys | 1.1.0 |
| 8 Other Security Considerations | 8.3 | Ensure that Resource Locks are set for mission critical Azure resources | Establish and document change control processes | 1.1.0 |
| 8 Other Security Considerations | 8.4 | Ensure the key vault is recoverable | Maintain availability of information | 1.1.0 |
| 8 Other Security Considerations | 8.5 | Enable role-based access control (RBAC) within Azure Kubernetes Services | Authorize access to security functions and information | 1.1.0 |
| 8 Other Security Considerations | 8.5 | Enable role-based access control (RBAC) within Azure Kubernetes Services | Authorize and manage access | 1.1.0 |
| 8 Other Security Considerations | 8.5 | Enable role-based access control (RBAC) within Azure Kubernetes Services | Enforce logical access | 1.1.0 |
| 8 Other Security Considerations | 8.5 | Enable role-based access control (RBAC) within Azure Kubernetes Services | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 8 Other Security Considerations | 8.5 | Enable role-based access control (RBAC) within Azure Kubernetes Services | Require approval for account creation | 1.1.0 |
| 8 Other Security Considerations | 8.5 | Enable role-based access control (RBAC) within Azure Kubernetes Services | Review user groups and applications with access to sensitive data | 1.1.0 |
| 9 AppService | 9.1 | Ensure App Service Authentication is set on Azure App Service | Authenticate to cryptographic module | 1.1.0 |
| 9 AppService | 9.1 | Ensure App Service Authentication is set on Azure App Service | Enforce user uniqueness | 1.1.0 |
| 9 AppService | 9.1 | Ensure App Service Authentication is set on Azure App Service | Support personal verification credentials issued by legal authorities | 1.1.0 |
| 9 AppService | 9.10 | Ensure that 'HTTP Version' is the latest, if used to run the web app | Remediate information system flaws | 1.1.0 |
| 9 AppService | 9.2 | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Configure workstations to check for digital certificates | 1.1.0 |
| 9 AppService | 9.2 | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Protect data in transit using encryption | 1.1.0 |
| 9 AppService | 9.2 | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Protect passwords with encryption | 1.1.0 |
| 9 AppService | 9.3 | Ensure web app is using the latest version of TLS encryption | Configure workstations to check for digital certificates | 1.1.0 |
| 9 AppService | 9.3 | Ensure web app is using the latest version of TLS encryption | Protect data in transit using encryption | 1.1.0 |
| 9 AppService | 9.3 | Ensure web app is using the latest version of TLS encryption | Protect passwords with encryption | 1.1.0 |
| 9 AppService | 9.4 | Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' | Authenticate to cryptographic module | 1.1.0 |
| 9 AppService | 9.5 | Ensure that Register with Azure Active Directory is enabled on App Service | Automate account management | 1.1.0 |
| 9 AppService | 9.5 | Ensure that Register with Azure Active Directory is enabled on App Service | Manage system and admin accounts | 1.1.0 |
| 9 AppService | 9.5 | Ensure that Register with Azure Active Directory is enabled on App Service | Monitor access across the organization | 1.1.0 |
| 9 AppService | 9.5 | Ensure that Register with Azure Active Directory is enabled on App Service | Notify when account is not needed | 1.1.0 |
| 9 AppService | 9.6 | Ensure that '.Net Framework' version is the latest, if used as a part of the web app | Remediate information system flaws | 1.1.0 |
| 9 AppService | 9.7 | Ensure that 'PHP version' is the latest, if used to run the web app | Remediate information system flaws | 1.1.0 |
| 9 AppService | 9.8 | Ensure that 'Python version' is the latest, if used to run the web app | Remediate information system flaws | 1.1.0 |
| 9 AppService | 9.9 | Ensure that 'Java version' is the latest, if used to run the web app | Remediate information system flaws | 1.1.0 |
CIS Microsoft Azure Foundations Benchmark 1.3.0
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - CIS Microsoft Azure Foundations Benchmark 1.3.0. For more information about this compliance standard, see CIS Microsoft Azure Foundations Benchmark.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| 1 Identity and Access Management | 1.1 | Ensure that multi-factor authentication is enabled for all privileged users | Accounts with owner permissions on Azure resources should be MFA enabled | 1.0.0 |
| 1 Identity and Access Management | 1.1 | Ensure that multi-factor authentication is enabled for all privileged users | Accounts with write permissions on Azure resources should be MFA enabled | 1.0.0 |
| 1 Identity and Access Management | 1.1 | Ensure that multi-factor authentication is enabled for all privileged users | Adopt biometric authentication mechanisms | 1.1.0 |
| 1 Identity and Access Management | 1.10 | Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No' | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | 1.10 | Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No' | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | 1.10 | Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 Identity and Access Management | 1.11 | Ensure that 'Users can register applications' is set to 'No' | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | 1.11 | Ensure that 'Users can register applications' is set to 'No' | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | 1.11 | Ensure that 'Users can register applications' is set to 'No' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 Identity and Access Management | 1.12 | Ensure that 'Guest user permissions are limited' is set to 'Yes' | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | 1.12 | Ensure that 'Guest user permissions are limited' is set to 'Yes' | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | 1.12 | Ensure that 'Guest user permissions are limited' is set to 'Yes' | Design an access control model | 1.1.0 |
| 1 Identity and Access Management | 1.12 | Ensure that 'Guest user permissions are limited' is set to 'Yes' | Employ least privilege access | 1.1.0 |
| 1 Identity and Access Management | 1.12 | Ensure that 'Guest user permissions are limited' is set to 'Yes' | Enforce logical access | 1.1.0 |
| 1 Identity and Access Management | 1.12 | Ensure that 'Guest user permissions are limited' is set to 'Yes' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 Identity and Access Management | 1.12 | Ensure that 'Guest user permissions are limited' is set to 'Yes' | Require approval for account creation | 1.1.0 |
| 1 Identity and Access Management | 1.12 | Ensure that 'Guest user permissions are limited' is set to 'Yes' | Review user groups and applications with access to sensitive data | 1.1.0 |
| 1 Identity and Access Management | 1.13 | Ensure that 'Members can invite' is set to 'No' | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | 1.13 | Ensure that 'Members can invite' is set to 'No' | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | 1.13 | Ensure that 'Members can invite' is set to 'No' | Design an access control model | 1.1.0 |
| 1 Identity and Access Management | 1.13 | Ensure that 'Members can invite' is set to 'No' | Employ least privilege access | 1.1.0 |
| 1 Identity and Access Management | 1.13 | Ensure that 'Members can invite' is set to 'No' | Enforce logical access | 1.1.0 |
| 1 Identity and Access Management | 1.13 | Ensure that 'Members can invite' is set to 'No' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 Identity and Access Management | 1.13 | Ensure that 'Members can invite' is set to 'No' | Require approval for account creation | 1.1.0 |
| 1 Identity and Access Management | 1.13 | Ensure that 'Members can invite' is set to 'No' | Review user groups and applications with access to sensitive data | 1.1.0 |
| 1 Identity and Access Management | 1.14 | Ensure that 'Guests can invite' is set to 'No' | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | 1.14 | Ensure that 'Guests can invite' is set to 'No' | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | 1.14 | Ensure that 'Guests can invite' is set to 'No' | Design an access control model | 1.1.0 |
| 1 Identity and Access Management | 1.14 | Ensure that 'Guests can invite' is set to 'No' | Employ least privilege access | 1.1.0 |
| 1 Identity and Access Management | 1.14 | Ensure that 'Guests can invite' is set to 'No' | Enforce logical access | 1.1.0 |
| 1 Identity and Access Management | 1.14 | Ensure that 'Guests can invite' is set to 'No' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 Identity and Access Management | 1.14 | Ensure that 'Guests can invite' is set to 'No' | Require approval for account creation | 1.1.0 |
| 1 Identity and Access Management | 1.14 | Ensure that 'Guests can invite' is set to 'No' | Review user groups and applications with access to sensitive data | 1.1.0 |
| 1 Identity and Access Management | 1.15 | Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | 1.15 | Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | 1.15 | Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' | Enforce logical access | 1.1.0 |
| 1 Identity and Access Management | 1.15 | Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 Identity and Access Management | 1.15 | Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' | Require approval for account creation | 1.1.0 |
| 1 Identity and Access Management | 1.15 | Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' | Review user groups and applications with access to sensitive data | 1.1.0 |
| 1 Identity and Access Management | 1.16 | Ensure that 'Restrict user ability to access groups features in the Access Pane' is set to 'No' | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | 1.16 | Ensure that 'Restrict user ability to access groups features in the Access Pane' is set to 'No' | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | 1.16 | Ensure that 'Restrict user ability to access groups features in the Access Pane' is set to 'No' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 Identity and Access Management | 1.16 | Ensure that 'Restrict user ability to access groups features in the Access Pane' is set to 'No' | Establish and document change control processes | 1.1.0 |
| 1 Identity and Access Management | 1.17 | Ensure that 'Users can create security groups in Azure Portals' is set to 'No' | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | 1.17 | Ensure that 'Users can create security groups in Azure Portals' is set to 'No' | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | 1.17 | Ensure that 'Users can create security groups in Azure Portals' is set to 'No' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 Identity and Access Management | 1.17 | Ensure that 'Users can create security groups in Azure Portals' is set to 'No' | Establish and document change control processes | 1.1.0 |
| 1 Identity and Access Management | 1.18 | Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | 1.18 | Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | 1.18 | Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 Identity and Access Management | 1.18 | Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' | Establish and document change control processes | 1.1.0 |
| 1 Identity and Access Management | 1.19 | Ensure that 'Users can create Microsoft 365 groups in Azure Portals' is set to 'No' | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | 1.19 | Ensure that 'Users can create Microsoft 365 groups in Azure Portals' is set to 'No' | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | 1.19 | Ensure that 'Users can create Microsoft 365 groups in Azure Portals' is set to 'No' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 Identity and Access Management | 1.19 | Ensure that 'Users can create Microsoft 365 groups in Azure Portals' is set to 'No' | Establish and document change control processes | 1.1.0 |
| 1 Identity and Access Management | 1.2 | Ensure that multi-factor authentication is enabled for all non-privileged users | Accounts with read permissions on Azure resources should be MFA enabled | 1.0.0 |
| 1 Identity and Access Management | 1.2 | Ensure that multi-factor authentication is enabled for all non-privileged users | Adopt biometric authentication mechanisms | 1.1.0 |
| 1 Identity and Access Management | 1.20 | Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' | Adopt biometric authentication mechanisms | 1.1.0 |
| 1 Identity and Access Management | 1.20 | Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' | Authorize remote access | 1.1.0 |
| 1 Identity and Access Management | 1.20 | Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' | Document mobility training | 1.1.0 |
| 1 Identity and Access Management | 1.20 | Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' | Document remote access guidelines | 1.1.0 |
| 1 Identity and Access Management | 1.20 | Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' | Identify and authenticate network devices | 1.1.0 |
| 1 Identity and Access Management | 1.20 | Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' | Implement controls to secure alternate work sites | 1.1.0 |
| 1 Identity and Access Management | 1.20 | Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' | Provide privacy training | 1.1.0 |
| 1 Identity and Access Management | 1.20 | Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' | Satisfy token quality requirements | 1.1.0 |
| 1 Identity and Access Management | 1.21 | Ensure that no custom subscription owner roles are created | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | 1.21 | Ensure that no custom subscription owner roles are created | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | 1.21 | Ensure that no custom subscription owner roles are created | Design an access control model | 1.1.0 |
| 1 Identity and Access Management | 1.21 | Ensure that no custom subscription owner roles are created | Employ least privilege access | 1.1.0 |
| 1 Identity and Access Management | 1.21 | Ensure that no custom subscription owner roles are created | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 Identity and Access Management | 1.21 | Ensure that no custom subscription owner roles are created | Establish and document change control processes | 1.1.0 |
| 1 Identity and Access Management | 1.22 | Ensure Security Defaults is enabled on Azure Active Directory | Adopt biometric authentication mechanisms | 1.1.0 |
| 1 Identity and Access Management | 1.22 | Ensure Security Defaults is enabled on Azure Active Directory | Authenticate to cryptographic module | 1.1.0 |
| 1 Identity and Access Management | 1.22 | Ensure Security Defaults is enabled on Azure Active Directory | Authorize remote access | 1.1.0 |
| 1 Identity and Access Management | 1.22 | Ensure Security Defaults is enabled on Azure Active Directory | Document mobility training | 1.1.0 |
| 1 Identity and Access Management | 1.22 | Ensure Security Defaults is enabled on Azure Active Directory | Document remote access guidelines | 1.1.0 |
| 1 Identity and Access Management | 1.22 | Ensure Security Defaults is enabled on Azure Active Directory | Identify and authenticate network devices | 1.1.0 |
| 1 Identity and Access Management | 1.22 | Ensure Security Defaults is enabled on Azure Active Directory | Implement controls to secure alternate work sites | 1.1.0 |
| 1 Identity and Access Management | 1.22 | Ensure Security Defaults is enabled on Azure Active Directory | Provide privacy training | 1.1.0 |
| 1 Identity and Access Management | 1.22 | Ensure Security Defaults is enabled on Azure Active Directory | Satisfy token quality requirements | 1.1.0 |
| 1 Identity and Access Management | 1.23 | Ensure Custom Role is assigned for Administering Resource Locks | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | 1.23 | Ensure Custom Role is assigned for Administering Resource Locks | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | 1.23 | Ensure Custom Role is assigned for Administering Resource Locks | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 Identity and Access Management | 1.23 | Ensure Custom Role is assigned for Administering Resource Locks | Establish and document change control processes | 1.1.0 |
| 1 Identity and Access Management | 1.3 | Ensure guest users are reviewed on a monthly basis | Audit user account status | 1.1.0 |
| 1 Identity and Access Management | 1.3 | Ensure guest users are reviewed on a monthly basis | Guest accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| 1 Identity and Access Management | 1.3 | Ensure guest users are reviewed on a monthly basis | Guest accounts with read permissions on Azure resources should be removed | 1.0.0 |
| 1 Identity and Access Management | 1.3 | Ensure guest users are reviewed on a monthly basis | Guest accounts with write permissions on Azure resources should be removed | 1.0.0 |
| 1 Identity and Access Management | 1.3 | Ensure guest users are reviewed on a monthly basis | Reassign or remove user privileges as needed | 1.1.0 |
| 1 Identity and Access Management | 1.3 | Ensure guest users are reviewed on a monthly basis | Review account provisioning logs | 1.1.0 |
| 1 Identity and Access Management | 1.3 | Ensure guest users are reviewed on a monthly basis | Review user accounts | 1.1.0 |
| 1 Identity and Access Management | 1.3 | Ensure guest users are reviewed on a monthly basis | Review user privileges | 1.1.0 |
| 1 Identity and Access Management | 1.4 | Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' | Adopt biometric authentication mechanisms | 1.1.0 |
| 1 Identity and Access Management | 1.4 | Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' | Identify and authenticate network devices | 1.1.0 |
| 1 Identity and Access Management | 1.4 | Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' | Satisfy token quality requirements | 1.1.0 |
| 1 Identity and Access Management | 1.6 | Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to "0" | Automate account management | 1.1.0 |
| 1 Identity and Access Management | 1.6 | Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to "0" | Manage system and admin accounts | 1.1.0 |
| 1 Identity and Access Management | 1.6 | Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to "0" | Monitor access across the organization | 1.1.0 |
| 1 Identity and Access Management | 1.6 | Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to "0" | Notify when account is not needed | 1.1.0 |
| 1 Identity and Access Management | 1.7 | Ensure that 'Notify users on password resets?' is set to 'Yes' | Automate account management | 1.1.0 |
| 1 Identity and Access Management | 1.7 | Ensure that 'Notify users on password resets?' is set to 'Yes' | Implement training for protecting authenticators | 1.1.0 |
| 1 Identity and Access Management | 1.7 | Ensure that 'Notify users on password resets?' is set to 'Yes' | Manage system and admin accounts | 1.1.0 |
| 1 Identity and Access Management | 1.7 | Ensure that 'Notify users on password resets?' is set to 'Yes' | Monitor access across the organization | 1.1.0 |
| 1 Identity and Access Management | 1.7 | Ensure that 'Notify users on password resets?' is set to 'Yes' | Notify when account is not needed | 1.1.0 |
| 1 Identity and Access Management | 1.8 | Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' | Audit privileged functions | 1.1.0 |
| 1 Identity and Access Management | 1.8 | Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' | Automate account management | 1.1.0 |
| 1 Identity and Access Management | 1.8 | Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' | Implement training for protecting authenticators | 1.1.0 |
| 1 Identity and Access Management | 1.8 | Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' | Manage system and admin accounts | 1.1.0 |
| 1 Identity and Access Management | 1.8 | Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' | Monitor access across the organization | 1.1.0 |
| 1 Identity and Access Management | 1.8 | Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' | Monitor privileged role assignment | 1.1.0 |
| 1 Identity and Access Management | 1.8 | Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' | Notify when account is not needed | 1.1.0 |
| 1 Identity and Access Management | 1.8 | Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' | Restrict access to privileged accounts | 1.1.0 |
| 1 Identity and Access Management | 1.8 | Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' | Revoke privileged roles as appropriate | 1.1.0 |
| 1 Identity and Access Management | 1.8 | Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' | Use privileged identity management | 1.1.0 |
| 1 Identity and Access Management | 1.9 | Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No' | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | 1.9 | Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No' | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | 1.9 | Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 2 Security Center | 2.1 | Ensure that Azure Defender is set to On for Servers | Azure Defender for servers should be enabled | 1.0.3 |
| 2 Security Center | 2.1 | Ensure that Azure Defender is set to On for Servers | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| 2 Security Center | 2.1 | Ensure that Azure Defender is set to On for Servers | Detect network services that have not been authorized or approved | 1.1.0 |
| 2 Security Center | 2.1 | Ensure that Azure Defender is set to On for Servers | Manage gateways | 1.1.0 |
| 2 Security Center | 2.1 | Ensure that Azure Defender is set to On for Servers | Perform a trend analysis on threats | 1.1.0 |
| 2 Security Center | 2.1 | Ensure that Azure Defender is set to On for Servers | Perform vulnerability scans | 1.1.0 |
| 2 Security Center | 2.1 | Ensure that Azure Defender is set to On for Servers | Review malware detections report weekly | 1.1.0 |
| 2 Security Center | 2.1 | Ensure that Azure Defender is set to On for Servers | Review threat protection status weekly | 1.1.0 |
| 2 Security Center | 2.1 | Ensure that Azure Defender is set to On for Servers | Update antivirus definitions | 1.1.0 |
| 2 Security Center | 2.10 | Ensure that Microsoft Cloud App Security (MCAS) integration with Security Center is selected | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| 2 Security Center | 2.10 | Ensure that Microsoft Cloud App Security (MCAS) integration with Security Center is selected | Detect network services that have not been authorized or approved | 1.1.0 |
| 2 Security Center | 2.10 | Ensure that Microsoft Cloud App Security (MCAS) integration with Security Center is selected | Manage gateways | 1.1.0 |
| 2 Security Center | 2.10 | Ensure that Microsoft Cloud App Security (MCAS) integration with Security Center is selected | Perform a trend analysis on threats | 1.1.0 |
| 2 Security Center | 2.10 | Ensure that Microsoft Cloud App Security (MCAS) integration with Security Center is selected | Perform vulnerability scans | 1.1.0 |
| 2 Security Center | 2.10 | Ensure that Microsoft Cloud App Security (MCAS) integration with Security Center is selected | Review malware detections report weekly | 1.1.0 |
| 2 Security Center | 2.10 | Ensure that Microsoft Cloud App Security (MCAS) integration with Security Center is selected | Review threat protection status weekly | 1.1.0 |
| 2 Security Center | 2.10 | Ensure that Microsoft Cloud App Security (MCAS) integration with Security Center is selected | Update antivirus definitions | 1.1.0 |
| 2 Security Center | 2.11 | Ensure that 'Automatic provisioning of monitoring agent' is set to 'On' | Auto provisioning of the Log Analytics agent should be enabled on your subscription | 1.0.1 |
| 2 Security Center | 2.11 | Ensure that 'Automatic provisioning of monitoring agent' is set to 'On' | Document security operations | 1.1.0 |
| 2 Security Center | 2.11 | Ensure that 'Automatic provisioning of monitoring agent' is set to 'On' | Turn on sensors for endpoint security solution | 1.1.0 |
| 2 Security Center | 2.12 | Ensure any of the ASC Default policy setting is not set to "Disabled" | Configure actions for noncompliant devices | 1.1.0 |
| 2 Security Center | 2.12 | Ensure any of the ASC Default policy setting is not set to "Disabled" | Develop and maintain baseline configurations | 1.1.0 |
| 2 Security Center | 2.12 | Ensure any of the ASC Default policy setting is not set to "Disabled" | Enforce security configuration settings | 1.1.0 |
| 2 Security Center | 2.12 | Ensure any of the ASC Default policy setting is not set to "Disabled" | Establish a configuration control board | 1.1.0 |
| 2 Security Center | 2.12 | Ensure any of the ASC Default policy setting is not set to "Disabled" | Establish and document a configuration management plan | 1.1.0 |
| 2 Security Center | 2.12 | Ensure any of the ASC Default policy setting is not set to "Disabled" | Implement an automated configuration management tool | 1.1.0 |
| 2 Security Center | 2.13 | Ensure 'Additional email addresses' is configured with a security contact email | Subscriptions should have a contact email address for security issues | 1.0.1 |
| 2 Security Center | 2.14 | Ensure that 'Notify about alerts with the following severity' is set to 'High' | Email notification for high severity alerts should be enabled | 1.1.0 |
| 2 Security Center | 2.2 | Ensure that Azure Defender is set to On for App Service | Azure Defender for App Service should be enabled | 1.0.3 |
| 2 Security Center | 2.2 | Ensure that Azure Defender is set to On for App Service | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| 2 Security Center | 2.2 | Ensure that Azure Defender is set to On for App Service | Detect network services that have not been authorized or approved | 1.1.0 |
| 2 Security Center | 2.2 | Ensure that Azure Defender is set to On for App Service | Manage gateways | 1.1.0 |
| 2 Security Center | 2.2 | Ensure that Azure Defender is set to On for App Service | Perform a trend analysis on threats | 1.1.0 |
| 2 Security Center | 2.2 | Ensure that Azure Defender is set to On for App Service | Perform vulnerability scans | 1.1.0 |
| 2 Security Center | 2.2 | Ensure that Azure Defender is set to On for App Service | Review malware detections report weekly | 1.1.0 |
| 2 Security Center | 2.2 | Ensure that Azure Defender is set to On for App Service | Review threat protection status weekly | 1.1.0 |
| 2 Security Center | 2.2 | Ensure that Azure Defender is set to On for App Service | Update antivirus definitions | 1.1.0 |
| 2 Security Center | 2.3 | Ensure that Azure Defender is set to On for Azure SQL database servers | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| 2 Security Center | 2.3 | Ensure that Azure Defender is set to On for Azure SQL database servers | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| 2 Security Center | 2.3 | Ensure that Azure Defender is set to On for Azure SQL database servers | Detect network services that have not been authorized or approved | 1.1.0 |
| 2 Security Center | 2.3 | Ensure that Azure Defender is set to On for Azure SQL database servers | Manage gateways | 1.1.0 |
| 2 Security Center | 2.3 | Ensure that Azure Defender is set to On for Azure SQL database servers | Perform a trend analysis on threats | 1.1.0 |
| 2 Security Center | 2.3 | Ensure that Azure Defender is set to On for Azure SQL database servers | Perform vulnerability scans | 1.1.0 |
| 2 Security Center | 2.3 | Ensure that Azure Defender is set to On for Azure SQL database servers | Review malware detections report weekly | 1.1.0 |
| 2 Security Center | 2.3 | Ensure that Azure Defender is set to On for Azure SQL database servers | Review threat protection status weekly | 1.1.0 |
| 2 Security Center | 2.3 | Ensure that Azure Defender is set to On for Azure SQL database servers | Update antivirus definitions | 1.1.0 |
| 2 Security Center | 2.4 | Ensure that Azure Defender is set to On for SQL servers on machines | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| 2 Security Center | 2.4 | Ensure that Azure Defender is set to On for SQL servers on machines | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| 2 Security Center | 2.4 | Ensure that Azure Defender is set to On for SQL servers on machines | Detect network services that have not been authorized or approved | 1.1.0 |
| 2 Security Center | 2.4 | Ensure that Azure Defender is set to On for SQL servers on machines | Manage gateways | 1.1.0 |
| 2 Security Center | 2.4 | Ensure that Azure Defender is set to On for SQL servers on machines | Perform a trend analysis on threats | 1.1.0 |
| 2 Security Center | 2.4 | Ensure that Azure Defender is set to On for SQL servers on machines | Perform vulnerability scans | 1.1.0 |
| 2 Security Center | 2.4 | Ensure that Azure Defender is set to On for SQL servers on machines | Review malware detections report weekly | 1.1.0 |
| 2 Security Center | 2.4 | Ensure that Azure Defender is set to On for SQL servers on machines | Review threat protection status weekly | 1.1.0 |
| 2 Security Center | 2.4 | Ensure that Azure Defender is set to On for SQL servers on machines | Update antivirus definitions | 1.1.0 |
| 2 Security Center | 2.5 | Ensure that Azure Defender is set to On for Storage | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| 2 Security Center | 2.5 | Ensure that Azure Defender is set to On for Storage | Detect network services that have not been authorized or approved | 1.1.0 |
| 2 Security Center | 2.5 | Ensure that Azure Defender is set to On for Storage | Manage gateways | 1.1.0 |
| 2 Security Center | 2.5 | Ensure that Azure Defender is set to On for Storage | Microsoft Defender for Storage should be enabled | 1.0.0 |
| 2 Security Center | 2.5 | Ensure that Azure Defender is set to On for Storage | Perform a trend analysis on threats | 1.1.0 |
| 2 Security Center | 2.5 | Ensure that Azure Defender is set to On for Storage | Perform vulnerability scans | 1.1.0 |
| 2 Security Center | 2.5 | Ensure that Azure Defender is set to On for Storage | Review malware detections report weekly | 1.1.0 |
| 2 Security Center | 2.5 | Ensure that Azure Defender is set to On for Storage | Review threat protection status weekly | 1.1.0 |
| 2 Security Center | 2.5 | Ensure that Azure Defender is set to On for Storage | Update antivirus definitions | 1.1.0 |
| 2 Security Center | 2.6 | Ensure that Azure Defender is set to On for Kubernetes | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| 2 Security Center | 2.6 | Ensure that Azure Defender is set to On for Kubernetes | Detect network services that have not been authorized or approved | 1.1.0 |
| 2 Security Center | 2.6 | Ensure that Azure Defender is set to On for Kubernetes | Manage gateways | 1.1.0 |
| 2 Security Center | 2.6 | Ensure that Azure Defender is set to On for Kubernetes | Microsoft Defender for Containers should be enabled | 1.0.0 |
| 2 Security Center | 2.6 | Ensure that Azure Defender is set to On for Kubernetes | Perform a trend analysis on threats | 1.1.0 |
| 2 Security Center | 2.6 | Ensure that Azure Defender is set to On for Kubernetes | Perform vulnerability scans | 1.1.0 |
| 2 Security Center | 2.6 | Ensure that Azure Defender is set to On for Kubernetes | Review malware detections report weekly | 1.1.0 |
| 2 Security Center | 2.6 | Ensure that Azure Defender is set to On for Kubernetes | Review threat protection status weekly | 1.1.0 |
| 2 Security Center | 2.6 | Ensure that Azure Defender is set to On for Kubernetes | Update antivirus definitions | 1.1.0 |
| 2 Security Center | 2.7 | Ensure that Azure Defender is set to On for Container Registries | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| 2 Security Center | 2.7 | Ensure that Azure Defender is set to On for Container Registries | Detect network services that have not been authorized or approved | 1.1.0 |
| 2 Security Center | 2.7 | Ensure that Azure Defender is set to On for Container Registries | Manage gateways | 1.1.0 |
| 2 Security Center | 2.7 | Ensure that Azure Defender is set to On for Container Registries | Microsoft Defender for Containers should be enabled | 1.0.0 |
| 2 Security Center | 2.7 | Ensure that Azure Defender is set to On for Container Registries | Perform a trend analysis on threats | 1.1.0 |
| 2 Security Center | 2.7 | Ensure that Azure Defender is set to On for Container Registries | Perform vulnerability scans | 1.1.0 |
| 2 Security Center | 2.7 | Ensure that Azure Defender is set to On for Container Registries | Review malware detections report weekly | 1.1.0 |
| 2 Security Center | 2.7 | Ensure that Azure Defender is set to On for Container Registries | Review threat protection status weekly | 1.1.0 |
| 2 Security Center | 2.7 | Ensure that Azure Defender is set to On for Container Registries | Update antivirus definitions | 1.1.0 |
| 2 Security Center | 2.8 | Ensure that Azure Defender is set to On for Key Vault | Azure Defender for Key Vault should be enabled | 1.0.3 |
| 2 Security Center | 2.8 | Ensure that Azure Defender is set to On for Key Vault | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| 2 Security Center | 2.8 | Ensure that Azure Defender is set to On for Key Vault | Detect network services that have not been authorized or approved | 1.1.0 |
| 2 Security Center | 2.8 | Ensure that Azure Defender is set to On for Key Vault | Manage gateways | 1.1.0 |
| 2 Security Center | 2.8 | Ensure that Azure Defender is set to On for Key Vault | Perform a trend analysis on threats | 1.1.0 |
| 2 Security Center | 2.8 | Ensure that Azure Defender is set to On for Key Vault | Perform vulnerability scans | 1.1.0 |
| 2 Security Center | 2.8 | Ensure that Azure Defender is set to On for Key Vault | Review malware detections report weekly | 1.1.0 |
| 2 Security Center | 2.8 | Ensure that Azure Defender is set to On for Key Vault | Review threat protection status weekly | 1.1.0 |
| 2 Security Center | 2.8 | Ensure that Azure Defender is set to On for Key Vault | Update antivirus definitions | 1.1.0 |
| 2 Security Center | 2.9 | Ensure that Windows Defender ATP (WDATP) integration with Security Center is selected | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| 2 Security Center | 2.9 | Ensure that Windows Defender ATP (WDATP) integration with Security Center is selected | Detect network services that have not been authorized or approved | 1.1.0 |
| 2 Security Center | 2.9 | Ensure that Windows Defender ATP (WDATP) integration with Security Center is selected | Manage gateways | 1.1.0 |
| 2 Security Center | 2.9 | Ensure that Windows Defender ATP (WDATP) integration with Security Center is selected | Perform a trend analysis on threats | 1.1.0 |
| 2 Security Center | 2.9 | Ensure that Windows Defender ATP (WDATP) integration with Security Center is selected | Perform vulnerability scans | 1.1.0 |
| 2 Security Center | 2.9 | Ensure that Windows Defender ATP (WDATP) integration with Security Center is selected | Review malware detections report weekly | 1.1.0 |
| 2 Security Center | 2.9 | Ensure that Windows Defender ATP (WDATP) integration with Security Center is selected | Review threat protection status weekly | 1.1.0 |
| 2 Security Center | 2.9 | Ensure that Windows Defender ATP (WDATP) integration with Security Center is selected | Update antivirus definitions | 1.1.0 |
| 3 Storage Accounts | 3.1 | Ensure that 'Secure transfer required' is set to 'Enabled' | Configure workstations to check for digital certificates | 1.1.0 |
| 3 Storage Accounts | 3.1 | Ensure that 'Secure transfer required' is set to 'Enabled' | Protect data in transit using encryption | 1.1.0 |
| 3 Storage Accounts | 3.1 | Ensure that 'Secure transfer required' is set to 'Enabled' | Protect passwords with encryption | 1.1.0 |
| 3 Storage Accounts | 3.10 | Ensure Storage logging is enabled for Blob service for read, write, and delete requests | Audit privileged functions | 1.1.0 |
| 3 Storage Accounts | 3.10 | Ensure Storage logging is enabled for Blob service for read, write, and delete requests | Audit user account status | 1.1.0 |
| 3 Storage Accounts | 3.10 | Ensure Storage logging is enabled for Blob service for read, write, and delete requests | Configure Azure Audit capabilities | 1.1.1 |
| 3 Storage Accounts | 3.10 | Ensure Storage logging is enabled for Blob service for read, write, and delete requests | Determine auditable events | 1.1.0 |
| 3 Storage Accounts | 3.10 | Ensure Storage logging is enabled for Blob service for read, write, and delete requests | Review audit data | 1.1.0 |
| 3 Storage Accounts | 3.11 | Ensure Storage logging is enabled for Table service for read, write, and delete requests | Audit privileged functions | 1.1.0 |
| 3 Storage Accounts | 3.11 | Ensure Storage logging is enabled for Table service for read, write, and delete requests | Audit user account status | 1.1.0 |
| 3 Storage Accounts | 3.11 | Ensure Storage logging is enabled for Table service for read, write, and delete requests | Configure Azure Audit capabilities | 1.1.1 |
| 3 Storage Accounts | 3.11 | Ensure Storage logging is enabled for Table service for read, write, and delete requests | Determine auditable events | 1.1.0 |
| 3 Storage Accounts | 3.11 | Ensure Storage logging is enabled for Table service for read, write, and delete requests | Review audit data | 1.1.0 |
| 3 Storage Accounts | 3.2 | Ensure that storage account access keys are periodically regenerated | Define a physical key management process | 1.1.0 |
| 3 Storage Accounts | 3.2 | Ensure that storage account access keys are periodically regenerated | Define cryptographic use | 1.1.0 |
| 3 Storage Accounts | 3.2 | Ensure that storage account access keys are periodically regenerated | Define organizational requirements for cryptographic key management | 1.1.0 |
| 3 Storage Accounts | 3.2 | Ensure that storage account access keys are periodically regenerated | Determine assertion requirements | 1.1.0 |
| 3 Storage Accounts | 3.2 | Ensure that storage account access keys are periodically regenerated | Issue public key certificates | 1.1.0 |
| 3 Storage Accounts | 3.2 | Ensure that storage account access keys are periodically regenerated | Manage symmetric cryptographic keys | 1.1.0 |
| 3 Storage Accounts | 3.2 | Ensure that storage account access keys are periodically regenerated | Restrict access to private keys | 1.1.0 |
| 3 Storage Accounts | 3.3 | Ensure Storage logging is enabled for Queue service for read, write, and delete requests | Audit privileged functions | 1.1.0 |
| 3 Storage Accounts | 3.3 | Ensure Storage logging is enabled for Queue service for read, write, and delete requests | Audit user account status | 1.1.0 |
| 3 Storage Accounts | 3.3 | Ensure Storage logging is enabled for Queue service for read, write, and delete requests | Configure Azure Audit capabilities | 1.1.1 |
| 3 Storage Accounts | 3.3 | Ensure Storage logging is enabled for Queue service for read, write, and delete requests | Determine auditable events | 1.1.0 |
| 3 Storage Accounts | 3.3 | Ensure Storage logging is enabled for Queue service for read, write, and delete requests | Review audit data | 1.1.0 |
| 3 Storage Accounts | 3.4 | Ensure that shared access signature tokens expire within an hour | Disable authenticators upon termination | 1.1.0 |
| 3 Storage Accounts | 3.4 | Ensure that shared access signature tokens expire within an hour | Revoke privileged roles as appropriate | 1.1.0 |
| 3 Storage Accounts | 3.4 | Ensure that shared access signature tokens expire within an hour | Terminate user session automatically | 1.1.0 |
| 3 Storage Accounts | 3.5 | Ensure that 'Public access level' is set to Private for blob containers | Authorize access to security functions and information | 1.1.0 |
| 3 Storage Accounts | 3.5 | Ensure that 'Public access level' is set to Private for blob containers | Authorize and manage access | 1.1.0 |
| 3 Storage Accounts | 3.5 | Ensure that 'Public access level' is set to Private for blob containers | Enforce logical access | 1.1.0 |
| 3 Storage Accounts | 3.5 | Ensure that 'Public access level' is set to Private for blob containers | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 3 Storage Accounts | 3.5 | Ensure that 'Public access level' is set to Private for blob containers | Require approval for account creation | 1.1.0 |
| 3 Storage Accounts | 3.5 | Ensure that 'Public access level' is set to Private for blob containers | Review user groups and applications with access to sensitive data | 1.1.0 |
| 3 Storage Accounts | 3.7 | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Control information flow | 1.1.0 |
| 3 Storage Accounts | 3.7 | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Employ flow control mechanisms of encrypted information | 1.1.0 |
| 3 Storage Accounts | 3.7 | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Establish firewall and router configuration standards | 1.1.0 |
| 3 Storage Accounts | 3.7 | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Establish network segmentation for card holder data environment | 1.1.0 |
| 3 Storage Accounts | 3.7 | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Identify and manage downstream information exchanges | 1.1.0 |
| 3 Storage Accounts | 3.9 | Ensure storage for critical data are encrypted with Customer Managed Key | Establish a data leakage management procedure | 1.1.0 |
| 3 Storage Accounts | 3.9 | Ensure storage for critical data are encrypted with Customer Managed Key | Implement controls to secure all media | 1.1.0 |
| 3 Storage Accounts | 3.9 | Ensure storage for critical data are encrypted with Customer Managed Key | Protect data in transit using encryption | 1.1.0 |
| 3 Storage Accounts | 3.9 | Ensure storage for critical data are encrypted with Customer Managed Key | Protect special information | 1.1.0 |
| 4 Database Services | 4.1.1 | Ensure that 'Auditing' is set to 'On' | Audit privileged functions | 1.1.0 |
| 4 Database Services | 4.1.1 | Ensure that 'Auditing' is set to 'On' | Audit user account status | 1.1.0 |
| 4 Database Services | 4.1.1 | Ensure that 'Auditing' is set to 'On' | Determine auditable events | 1.1.0 |
| 4 Database Services | 4.1.1 | Ensure that 'Auditing' is set to 'On' | Review audit data | 1.1.0 |
| 4 Database Services | 4.1.2 | Ensure that 'Data encryption' is set to 'On' on a SQL Database | Establish a data leakage management procedure | 1.1.0 |
| 4 Database Services | 4.1.2 | Ensure that 'Data encryption' is set to 'On' on a SQL Database | Implement controls to secure all media | 1.1.0 |
| 4 Database Services | 4.1.2 | Ensure that 'Data encryption' is set to 'On' on a SQL Database | Protect data in transit using encryption | 1.1.0 |
| 4 Database Services | 4.1.2 | Ensure that 'Data encryption' is set to 'On' on a SQL Database | Protect special information | 1.1.0 |
| 4 Database Services | 4.1.3 | Ensure that 'Auditing' Retention is 'greater than 90 days' | Adhere to retention periods defined | 1.1.0 |
| 4 Database Services | 4.1.3 | Ensure that 'Auditing' Retention is 'greater than 90 days' | Govern and monitor audit processing activities | 1.1.0 |
| 4 Database Services | 4.1.3 | Ensure that 'Auditing' Retention is 'greater than 90 days' | Retain security policies and procedures | 1.1.0 |
| 4 Database Services | 4.1.3 | Ensure that 'Auditing' Retention is 'greater than 90 days' | Retain terminated user data | 1.1.0 |
| 4 Database Services | 4.2.1 | Ensure that Advanced Threat Protection (ATP) on a SQL server is set to 'Enabled' | Perform a trend analysis on threats | 1.1.0 |
| 4 Database Services | 4.2.2 | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Perform vulnerability scans | 1.1.0 |
| 4 Database Services | 4.2.2 | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Remediate information system flaws | 1.1.0 |
| 4 Database Services | 4.2.3 | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Perform vulnerability scans | 1.1.0 |
| 4 Database Services | 4.2.3 | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Remediate information system flaws | 1.1.0 |
| 4 Database Services | 4.2.4 | Ensure that VA setting Send scan reports to is configured for a SQL server | Correlate Vulnerability scan information | 1.1.1 |
| 4 Database Services | 4.2.4 | Ensure that VA setting Send scan reports to is configured for a SQL server | Perform vulnerability scans | 1.1.0 |
| 4 Database Services | 4.2.4 | Ensure that VA setting Send scan reports to is configured for a SQL server | Remediate information system flaws | 1.1.0 |
| 4 Database Services | 4.2.5 | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Correlate Vulnerability scan information | 1.1.1 |
| 4 Database Services | 4.2.5 | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Perform vulnerability scans | 1.1.0 |
| 4 Database Services | 4.2.5 | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Remediate information system flaws | 1.1.0 |
| 4 Database Services | 4.3.1 | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Configure workstations to check for digital certificates | 1.1.0 |
| 4 Database Services | 4.3.1 | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Protect data in transit using encryption | 1.1.0 |
| 4 Database Services | 4.3.1 | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Protect passwords with encryption | 1.1.0 |
| 4 Database Services | 4.3.2 | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | Configure workstations to check for digital certificates | 1.1.0 |
| 4 Database Services | 4.3.2 | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | Protect data in transit using encryption | 1.1.0 |
| 4 Database Services | 4.3.2 | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | Protect passwords with encryption | 1.1.0 |
| 4 Database Services | 4.3.3 | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Audit privileged functions | 1.1.0 |
| 4 Database Services | 4.3.3 | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Audit user account status | 1.1.0 |
| 4 Database Services | 4.3.3 | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Determine auditable events | 1.1.0 |
| 4 Database Services | 4.3.3 | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Review audit data | 1.1.0 |
| 4 Database Services | 4.3.4 | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | Audit privileged functions | 1.1.0 |
| 4 Database Services | 4.3.4 | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | Audit user account status | 1.1.0 |
| 4 Database Services | 4.3.4 | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | Determine auditable events | 1.1.0 |
| 4 Database Services | 4.3.4 | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | Review audit data | 1.1.0 |
| 4 Database Services | 4.3.5 | Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server | Audit privileged functions | 1.1.0 |
| 4 Database Services | 4.3.5 | Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server | Audit user account status | 1.1.0 |
| 4 Database Services | 4.3.5 | Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server | Determine auditable events | 1.1.0 |
| 4 Database Services | 4.3.5 | Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server | Review audit data | 1.1.0 |
| 4 Database Services | 4.3.6 | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Audit privileged functions | 1.1.0 |
| 4 Database Services | 4.3.6 | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Audit user account status | 1.1.0 |
| 4 Database Services | 4.3.6 | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Determine auditable events | 1.1.0 |
| 4 Database Services | 4.3.6 | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Review audit data | 1.1.0 |
| 4 Database Services | 4.3.7 | Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server | Adhere to retention periods defined | 1.1.0 |
| 4 Database Services | 4.3.7 | Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server | Govern and monitor audit processing activities | 1.1.0 |
| 4 Database Services | 4.3.7 | Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server | Retain security policies and procedures | 1.1.0 |
| 4 Database Services | 4.3.7 | Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server | Retain terminated user data | 1.1.0 |
| 4 Database Services | 4.3.8 | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Control information flow | 1.1.0 |
| 4 Database Services | 4.3.8 | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Employ flow control mechanisms of encrypted information | 1.1.0 |
| 4 Database Services | 4.3.8 | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Establish firewall and router configuration standards | 1.1.0 |
| 4 Database Services | 4.3.8 | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Establish network segmentation for card holder data environment | 1.1.0 |
| 4 Database Services | 4.3.8 | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Identify and manage downstream information exchanges | 1.1.0 |
| 4 Database Services | 4.4 | Ensure that Azure Active Directory Admin is configured | Automate account management | 1.1.0 |
| 4 Database Services | 4.4 | Ensure that Azure Active Directory Admin is configured | Manage system and admin accounts | 1.1.0 |
| 4 Database Services | 4.4 | Ensure that Azure Active Directory Admin is configured | Monitor access across the organization | 1.1.0 |
| 4 Database Services | 4.4 | Ensure that Azure Active Directory Admin is configured | Notify when account is not needed | 1.1.0 |
| 4 Database Services | 4.5 | Ensure SQL server's TDE protector is encrypted with Customer-managed key | Establish a data leakage management procedure | 1.1.0 |
| 4 Database Services | 4.5 | Ensure SQL server's TDE protector is encrypted with Customer-managed key | Implement controls to secure all media | 1.1.0 |
| 4 Database Services | 4.5 | Ensure SQL server's TDE protector is encrypted with Customer-managed key | Protect data in transit using encryption | 1.1.0 |
| 4 Database Services | 4.5 | Ensure SQL server's TDE protector is encrypted with Customer-managed key | Protect special information | 1.1.0 |
| 5 Logging and Monitoring | 5.1.1 | Ensure that a 'Diagnostics Setting' exists | Determine auditable events | 1.1.0 |
| 5 Logging and Monitoring | 5.1.2 | Ensure Diagnostic Setting captures appropriate categories | Audit privileged functions | 1.1.0 |
| 5 Logging and Monitoring | 5.1.2 | Ensure Diagnostic Setting captures appropriate categories | Audit user account status | 1.1.0 |
| 5 Logging and Monitoring | 5.1.2 | Ensure Diagnostic Setting captures appropriate categories | Configure Azure Audit capabilities | 1.1.1 |
| 5 Logging and Monitoring | 5.1.2 | Ensure Diagnostic Setting captures appropriate categories | Determine auditable events | 1.1.0 |
| 5 Logging and Monitoring | 5.1.2 | Ensure Diagnostic Setting captures appropriate categories | Review audit data | 1.1.0 |
| 5 Logging and Monitoring | 5.1.3 | Ensure the storage container storing the activity logs is not publicly accessible | Enable dual or joint authorization | 1.1.0 |
| 5 Logging and Monitoring | 5.1.3 | Ensure the storage container storing the activity logs is not publicly accessible | Protect audit information | 1.1.0 |
| 5 Logging and Monitoring | 5.1.4 | Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key) | Enable dual or joint authorization | 1.1.0 |
| 5 Logging and Monitoring | 5.1.4 | Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key) | Maintain integrity of audit system | 1.1.0 |
| 5 Logging and Monitoring | 5.1.4 | Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key) | Protect audit information | 1.1.0 |
| 5 Logging and Monitoring | 5.1.5 | Ensure that logging for Azure KeyVault is 'Enabled' | Audit privileged functions | 1.1.0 |
| 5 Logging and Monitoring | 5.1.5 | Ensure that logging for Azure KeyVault is 'Enabled' | Audit user account status | 1.1.0 |
| 5 Logging and Monitoring | 5.1.5 | Ensure that logging for Azure KeyVault is 'Enabled' | Determine auditable events | 1.1.0 |
| 5 Logging and Monitoring | 5.1.5 | Ensure that logging for Azure KeyVault is 'Enabled' | Review audit data | 1.1.0 |
| 5 Logging and Monitoring | 5.2.1 | Ensure that Activity Log Alert exists for Create Policy Assignment | Alert personnel of information spillage | 1.1.0 |
| 5 Logging and Monitoring | 5.2.1 | Ensure that Activity Log Alert exists for Create Policy Assignment | An activity log alert should exist for specific Policy operations | 3.0.0 |
| 5 Logging and Monitoring | 5.2.1 | Ensure that Activity Log Alert exists for Create Policy Assignment | Develop an incident response plan | 1.1.0 |
| 5 Logging and Monitoring | 5.2.1 | Ensure that Activity Log Alert exists for Create Policy Assignment | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| 5 Logging and Monitoring | 5.2.2 | Ensure that Activity Log Alert exists for Delete Policy Assignment | Alert personnel of information spillage | 1.1.0 |
| 5 Logging and Monitoring | 5.2.2 | Ensure that Activity Log Alert exists for Delete Policy Assignment | An activity log alert should exist for specific Policy operations | 3.0.0 |
| 5 Logging and Monitoring | 5.2.2 | Ensure that Activity Log Alert exists for Delete Policy Assignment | Develop an incident response plan | 1.1.0 |
| 5 Logging and Monitoring | 5.2.2 | Ensure that Activity Log Alert exists for Delete Policy Assignment | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| 5 Logging and Monitoring | 5.2.3 | Ensure that Activity Log Alert exists for Create or Update Network Security Group | Alert personnel of information spillage | 1.1.0 |
| 5 Logging and Monitoring | 5.2.3 | Ensure that Activity Log Alert exists for Create or Update Network Security Group | An activity log alert should exist for specific Administrative operations | 1.0.0 |
| 5 Logging and Monitoring | 5.2.3 | Ensure that Activity Log Alert exists for Create or Update Network Security Group | Develop an incident response plan | 1.1.0 |
| 5 Logging and Monitoring | 5.2.3 | Ensure that Activity Log Alert exists for Create or Update Network Security Group | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| 5 Logging and Monitoring | 5.2.4 | Ensure that Activity Log Alert exists for Delete Network Security Group | Alert personnel of information spillage | 1.1.0 |
| 5 Logging and Monitoring | 5.2.4 | Ensure that Activity Log Alert exists for Delete Network Security Group | An activity log alert should exist for specific Administrative operations | 1.0.0 |
| 5 Logging and Monitoring | 5.2.4 | Ensure that Activity Log Alert exists for Delete Network Security Group | Develop an incident response plan | 1.1.0 |
| 5 Logging and Monitoring | 5.2.4 | Ensure that Activity Log Alert exists for Delete Network Security Group | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| 5 Logging and Monitoring | 5.2.5 | Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule | Alert personnel of information spillage | 1.1.0 |
| 5 Logging and Monitoring | 5.2.5 | Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule | An activity log alert should exist for specific Administrative operations | 1.0.0 |
| 5 Logging and Monitoring | 5.2.5 | Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule | Develop an incident response plan | 1.1.0 |
| 5 Logging and Monitoring | 5.2.5 | Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| 5 Logging and Monitoring | 5.2.6 | Ensure that activity log alert exists for the Delete Network Security Group Rule | Alert personnel of information spillage | 1.1.0 |
| 5 Logging and Monitoring | 5.2.6 | Ensure that activity log alert exists for the Delete Network Security Group Rule | An activity log alert should exist for specific Administrative operations | 1.0.0 |
| 5 Logging and Monitoring | 5.2.6 | Ensure that activity log alert exists for the Delete Network Security Group Rule | Develop an incident response plan | 1.1.0 |
| 5 Logging and Monitoring | 5.2.6 | Ensure that activity log alert exists for the Delete Network Security Group Rule | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| 5 Logging and Monitoring | 5.2.7 | Ensure that Activity Log Alert exists for Create or Update Security Solution | Alert personnel of information spillage | 1.1.0 |
| 5 Logging and Monitoring | 5.2.7 | Ensure that Activity Log Alert exists for Create or Update Security Solution | An activity log alert should exist for specific Security operations | 1.0.0 |
| 5 Logging and Monitoring | 5.2.7 | Ensure that Activity Log Alert exists for Create or Update Security Solution | Develop an incident response plan | 1.1.0 |
| 5 Logging and Monitoring | 5.2.7 | Ensure that Activity Log Alert exists for Create or Update Security Solution | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| 5 Logging and Monitoring | 5.2.8 | Ensure that Activity Log Alert exists for Delete Security Solution | Alert personnel of information spillage | 1.1.0 |
| 5 Logging and Monitoring | 5.2.8 | Ensure that Activity Log Alert exists for Delete Security Solution | An activity log alert should exist for specific Security operations | 1.0.0 |
| 5 Logging and Monitoring | 5.2.8 | Ensure that Activity Log Alert exists for Delete Security Solution | Develop an incident response plan | 1.1.0 |
| 5 Logging and Monitoring | 5.2.8 | Ensure that Activity Log Alert exists for Delete Security Solution | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| 5 Logging and Monitoring | 5.2.9 | Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule | Alert personnel of information spillage | 1.1.0 |
| 5 Logging and Monitoring | 5.2.9 | Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule | An activity log alert should exist for specific Administrative operations | 1.0.0 |
| 5 Logging and Monitoring | 5.2.9 | Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule | Develop an incident response plan | 1.1.0 |
| 5 Logging and Monitoring | 5.2.9 | Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| 5 Logging and Monitoring | 5.3 | Ensure that Diagnostic Logs are enabled for all services which support it. | Adhere to retention periods defined | 1.1.0 |
| 5 Logging and Monitoring | 5.3 | Ensure that Diagnostic Logs are enabled for all services which support it. | Audit privileged functions | 1.1.0 |
| 5 Logging and Monitoring | 5.3 | Ensure that Diagnostic Logs are enabled for all services which support it. | Audit user account status | 1.1.0 |
| 5 Logging and Monitoring | 5.3 | Ensure that Diagnostic Logs are enabled for all services which support it. | Configure Azure Audit capabilities | 1.1.1 |
| 5 Logging and Monitoring | 5.3 | Ensure that Diagnostic Logs are enabled for all services which support it. | Determine auditable events | 1.1.0 |
| 5 Logging and Monitoring | 5.3 | Ensure that Diagnostic Logs are enabled for all services which support it. | Govern and monitor audit processing activities | 1.1.0 |
| 5 Logging and Monitoring | 5.3 | Ensure that Diagnostic Logs are enabled for all services which support it. | Retain security policies and procedures | 1.1.0 |
| 5 Logging and Monitoring | 5.3 | Ensure that Diagnostic Logs are enabled for all services which support it. | Retain terminated user data | 1.1.0 |
| 5 Logging and Monitoring | 5.3 | Ensure that Diagnostic Logs are enabled for all services which support it. | Review audit data | 1.1.0 |
| 6 Networking | 6.3 | Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP) | Control information flow | 1.1.0 |
| 6 Networking | 6.3 | Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP) | Employ flow control mechanisms of encrypted information | 1.1.0 |
| 6 Networking | 6.4 | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Adhere to retention periods defined | 1.1.0 |
| 6 Networking | 6.4 | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Retain security policies and procedures | 1.1.0 |
| 6 Networking | 6.4 | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Retain terminated user data | 1.1.0 |
| 6 Networking | 6.5 | Ensure that Network Watcher is 'Enabled' | Verify security functions | 1.1.0 |
| 7 Virtual Machines | 7.1 | Ensure Virtual Machines are utilizing Managed Disks | Control physical access | 1.1.0 |
| 7 Virtual Machines | 7.1 | Ensure Virtual Machines are utilizing Managed Disks | Manage the input, output, processing, and storage of data | 1.1.0 |
| 7 Virtual Machines | 7.1 | Ensure Virtual Machines are utilizing Managed Disks | Review label activity and analytics | 1.1.0 |
| 7 Virtual Machines | 7.2 | Ensure that 'OS and Data' disks are encrypted with CMK | Establish a data leakage management procedure | 1.1.0 |
| 7 Virtual Machines | 7.2 | Ensure that 'OS and Data' disks are encrypted with CMK | Implement controls to secure all media | 1.1.0 |
| 7 Virtual Machines | 7.2 | Ensure that 'OS and Data' disks are encrypted with CMK | Protect data in transit using encryption | 1.1.0 |
| 7 Virtual Machines | 7.2 | Ensure that 'OS and Data' disks are encrypted with CMK | Protect special information | 1.1.0 |
| 7 Virtual Machines | 7.3 | Ensure that 'Unattached disks' are encrypted with CMK | Establish a data leakage management procedure | 1.1.0 |
| 7 Virtual Machines | 7.3 | Ensure that 'Unattached disks' are encrypted with CMK | Implement controls to secure all media | 1.1.0 |
| 7 Virtual Machines | 7.3 | Ensure that 'Unattached disks' are encrypted with CMK | Protect data in transit using encryption | 1.1.0 |
| 7 Virtual Machines | 7.3 | Ensure that 'Unattached disks' are encrypted with CMK | Protect special information | 1.1.0 |
| 7 Virtual Machines | 7.5 | Ensure that the latest OS Patches for all Virtual Machines are applied | Remediate information system flaws | 1.1.0 |
| 7 Virtual Machines | 7.6 | Ensure that the endpoint protection for all Virtual Machines is installed | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| 7 Virtual Machines | 7.6 | Ensure that the endpoint protection for all Virtual Machines is installed | Document security operations | 1.1.0 |
| 7 Virtual Machines | 7.6 | Ensure that the endpoint protection for all Virtual Machines is installed | Manage gateways | 1.1.0 |
| 7 Virtual Machines | 7.6 | Ensure that the endpoint protection for all Virtual Machines is installed | Perform a trend analysis on threats | 1.1.0 |
| 7 Virtual Machines | 7.6 | Ensure that the endpoint protection for all Virtual Machines is installed | Perform vulnerability scans | 1.1.0 |
| 7 Virtual Machines | 7.6 | Ensure that the endpoint protection for all Virtual Machines is installed | Review malware detections report weekly | 1.1.0 |
| 7 Virtual Machines | 7.6 | Ensure that the endpoint protection for all Virtual Machines is installed | Review threat protection status weekly | 1.1.0 |
| 7 Virtual Machines | 7.6 | Ensure that the endpoint protection for all Virtual Machines is installed | Turn on sensors for endpoint security solution | 1.1.0 |
| 7 Virtual Machines | 7.6 | Ensure that the endpoint protection for all Virtual Machines is installed | Update antivirus definitions | 1.1.0 |
| 7 Virtual Machines | 7.6 | Ensure that the endpoint protection for all Virtual Machines is installed | Verify software, firmware and information integrity | 1.1.0 |
| 7 Virtual Machines | 7.7 | Ensure that VHD's are encrypted | Establish a data leakage management procedure | 1.1.0 |
| 7 Virtual Machines | 7.7 | Ensure that VHD's are encrypted | Implement controls to secure all media | 1.1.0 |
| 7 Virtual Machines | 7.7 | Ensure that VHD's are encrypted | Protect data in transit using encryption | 1.1.0 |
| 7 Virtual Machines | 7.7 | Ensure that VHD's are encrypted | Protect special information | 1.1.0 |
| 8 Other Security Considerations | 8.1 | Ensure that the expiration date is set on all keys | Define a physical key management process | 1.1.0 |
| 8 Other Security Considerations | 8.1 | Ensure that the expiration date is set on all keys | Define cryptographic use | 1.1.0 |
| 8 Other Security Considerations | 8.1 | Ensure that the expiration date is set on all keys | Define organizational requirements for cryptographic key management | 1.1.0 |
| 8 Other Security Considerations | 8.1 | Ensure that the expiration date is set on all keys | Determine assertion requirements | 1.1.0 |
| 8 Other Security Considerations | 8.1 | Ensure that the expiration date is set on all keys | Issue public key certificates | 1.1.0 |
| 8 Other Security Considerations | 8.1 | Ensure that the expiration date is set on all keys | Manage symmetric cryptographic keys | 1.1.0 |
| 8 Other Security Considerations | 8.1 | Ensure that the expiration date is set on all keys | Restrict access to private keys | 1.1.0 |
| 8 Other Security Considerations | 8.2 | Ensure that the expiration date is set on all Secrets | Define a physical key management process | 1.1.0 |
| 8 Other Security Considerations | 8.2 | Ensure that the expiration date is set on all Secrets | Define cryptographic use | 1.1.0 |
| 8 Other Security Considerations | 8.2 | Ensure that the expiration date is set on all Secrets | Define organizational requirements for cryptographic key management | 1.1.0 |
| 8 Other Security Considerations | 8.2 | Ensure that the expiration date is set on all Secrets | Determine assertion requirements | 1.1.0 |
| 8 Other Security Considerations | 8.2 | Ensure that the expiration date is set on all Secrets | Issue public key certificates | 1.1.0 |
| 8 Other Security Considerations | 8.2 | Ensure that the expiration date is set on all Secrets | Manage symmetric cryptographic keys | 1.1.0 |
| 8 Other Security Considerations | 8.2 | Ensure that the expiration date is set on all Secrets | Restrict access to private keys | 1.1.0 |
| 8 Other Security Considerations | 8.3 | Ensure that Resource Locks are set for mission critical Azure resources | Establish and document change control processes | 1.1.0 |
| 8 Other Security Considerations | 8.4 | Ensure the key vault is recoverable | Maintain availability of information | 1.1.0 |
| 8 Other Security Considerations | 8.5 | Enable role-based access control (RBAC) within Azure Kubernetes Services | Authorize access to security functions and information | 1.1.0 |
| 8 Other Security Considerations | 8.5 | Enable role-based access control (RBAC) within Azure Kubernetes Services | Authorize and manage access | 1.1.0 |
| 8 Other Security Considerations | 8.5 | Enable role-based access control (RBAC) within Azure Kubernetes Services | Enforce logical access | 1.1.0 |
| 8 Other Security Considerations | 8.5 | Enable role-based access control (RBAC) within Azure Kubernetes Services | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 8 Other Security Considerations | 8.5 | Enable role-based access control (RBAC) within Azure Kubernetes Services | Require approval for account creation | 1.1.0 |
| 8 Other Security Considerations | 8.5 | Enable role-based access control (RBAC) within Azure Kubernetes Services | Review user groups and applications with access to sensitive data | 1.1.0 |
| 9 AppService | 9.1 | Ensure App Service Authentication is set on Azure App Service | Authenticate to cryptographic module | 1.1.0 |
| 9 AppService | 9.1 | Ensure App Service Authentication is set on Azure App Service | Enforce user uniqueness | 1.1.0 |
| 9 AppService | 9.1 | Ensure App Service Authentication is set on Azure App Service | Support personal verification credentials issued by legal authorities | 1.1.0 |
| 9 AppService | 9.10 | Ensure FTP deployments are disabled | Configure workstations to check for digital certificates | 1.1.0 |
| 9 AppService | 9.10 | Ensure FTP deployments are disabled | Protect data in transit using encryption | 1.1.0 |
| 9 AppService | 9.10 | Ensure FTP deployments are disabled | Protect passwords with encryption | 1.1.0 |
| 9 AppService | 9.11 | Ensure Azure Keyvaults are used to store secrets | Define a physical key management process | 1.1.0 |
| 9 AppService | 9.11 | Ensure Azure Keyvaults are used to store secrets | Define cryptographic use | 1.1.0 |
| 9 AppService | 9.11 | Ensure Azure Keyvaults are used to store secrets | Define organizational requirements for cryptographic key management | 1.1.0 |
| 9 AppService | 9.11 | Ensure Azure Keyvaults are used to store secrets | Determine assertion requirements | 1.1.0 |
| 9 AppService | 9.11 | Ensure Azure Keyvaults are used to store secrets | Ensure cryptographic mechanisms are under configuration management | 1.1.0 |
| 9 AppService | 9.11 | Ensure Azure Keyvaults are used to store secrets | Issue public key certificates | 1.1.0 |
| 9 AppService | 9.11 | Ensure Azure Keyvaults are used to store secrets | Maintain availability of information | 1.1.0 |
| 9 AppService | 9.11 | Ensure Azure Keyvaults are used to store secrets | Manage symmetric cryptographic keys | 1.1.0 |
| 9 AppService | 9.11 | Ensure Azure Keyvaults are used to store secrets | Restrict access to private keys | 1.1.0 |
| 9 AppService | 9.2 | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Configure workstations to check for digital certificates | 1.1.0 |
| 9 AppService | 9.2 | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Protect data in transit using encryption | 1.1.0 |
| 9 AppService | 9.2 | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Protect passwords with encryption | 1.1.0 |
| 9 AppService | 9.3 | Ensure web app is using the latest version of TLS encryption | Configure workstations to check for digital certificates | 1.1.0 |
| 9 AppService | 9.3 | Ensure web app is using the latest version of TLS encryption | Protect data in transit using encryption | 1.1.0 |
| 9 AppService | 9.3 | Ensure web app is using the latest version of TLS encryption | Protect passwords with encryption | 1.1.0 |
| 9 AppService | 9.4 | Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' | Authenticate to cryptographic module | 1.1.0 |
| 9 AppService | 9.5 | Ensure that Register with Azure Active Directory is enabled on App Service | Automate account management | 1.1.0 |
| 9 AppService | 9.5 | Ensure that Register with Azure Active Directory is enabled on App Service | Manage system and admin accounts | 1.1.0 |
| 9 AppService | 9.5 | Ensure that Register with Azure Active Directory is enabled on App Service | Monitor access across the organization | 1.1.0 |
| 9 AppService | 9.5 | Ensure that Register with Azure Active Directory is enabled on App Service | Notify when account is not needed | 1.1.0 |
| 9 AppService | 9.6 | Ensure that 'PHP version' is the latest, if used to run the web app | Remediate information system flaws | 1.1.0 |
| 9 AppService | 9.7 | Ensure that 'Python version' is the latest, if used to run the web app | Remediate information system flaws | 1.1.0 |
| 9 AppService | 9.8 | Ensure that 'Java version' is the latest, if used to run the web app | Remediate information system flaws | 1.1.0 |
| 9 AppService | 9.9 | Ensure that 'HTTP Version' is the latest, if used to run the web app | Remediate information system flaws | 1.1.0 |
CIS Microsoft Azure Foundations Benchmark 1.4.0
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for CIS v1.4.0. For more information about this compliance standard, see CIS Microsoft Azure Foundations Benchmark.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| 1 Identity and Access Management | 1.1 | Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users | Accounts with owner permissions on Azure resources should be MFA enabled | 1.0.0 |
| 1 Identity and Access Management | 1.1 | Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users | Accounts with write permissions on Azure resources should be MFA enabled | 1.0.0 |
| 1 Identity and Access Management | 1.1 | Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users | Adopt biometric authentication mechanisms | 1.1.0 |
| 1 Identity and Access Management | 1.10 | Ensure that 'Users can add gallery apps to My Apps' is set to 'No' | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | 1.10 | Ensure that 'Users can add gallery apps to My Apps' is set to 'No' | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | 1.10 | Ensure that 'Users can add gallery apps to My Apps' is set to 'No' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 Identity and Access Management | 1.11 | Ensure that 'Users can register applications' is set to 'No' | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | 1.11 | Ensure that 'Users can register applications' is set to 'No' | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | 1.11 | Ensure that 'Users can register applications' is set to 'No' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 Identity and Access Management | 1.12 | Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'' | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | 1.12 | Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'' | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | 1.12 | Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'' | Design an access control model | 1.1.0 |
| 1 Identity and Access Management | 1.12 | Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'' | Employ least privilege access | 1.1.0 |
| 1 Identity and Access Management | 1.12 | Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'' | Enforce logical access | 1.1.0 |
| 1 Identity and Access Management | 1.12 | Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 Identity and Access Management | 1.12 | Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'' | Require approval for account creation | 1.1.0 |
| 1 Identity and Access Management | 1.12 | Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'' | Review user groups and applications with access to sensitive data | 1.1.0 |
| 1 Identity and Access Management | 1.13 | Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users" | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | 1.13 | Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users" | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | 1.13 | Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users" | Design an access control model | 1.1.0 |
| 1 Identity and Access Management | 1.13 | Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users" | Employ least privilege access | 1.1.0 |
| 1 Identity and Access Management | 1.13 | Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users" | Enforce logical access | 1.1.0 |
| 1 Identity and Access Management | 1.13 | Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users" | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 Identity and Access Management | 1.13 | Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users" | Require approval for account creation | 1.1.0 |
| 1 Identity and Access Management | 1.13 | Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users" | Review user groups and applications with access to sensitive data | 1.1.0 |
| 1 Identity and Access Management | 1.14 | Ensure That 'Restrict access to Azure AD administration portal' is Set to "Yes" | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | 1.14 | Ensure That 'Restrict access to Azure AD administration portal' is Set to "Yes" | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | 1.14 | Ensure That 'Restrict access to Azure AD administration portal' is Set to "Yes" | Enforce logical access | 1.1.0 |
| 1 Identity and Access Management | 1.14 | Ensure That 'Restrict access to Azure AD administration portal' is Set to "Yes" | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 Identity and Access Management | 1.14 | Ensure That 'Restrict access to Azure AD administration portal' is Set to "Yes" | Require approval for account creation | 1.1.0 |
| 1 Identity and Access Management | 1.14 | Ensure That 'Restrict access to Azure AD administration portal' is Set to "Yes" | Review user groups and applications with access to sensitive data | 1.1.0 |
| 1 Identity and Access Management | 1.15 | Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes' | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | 1.15 | Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes' | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | 1.15 | Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 Identity and Access Management | 1.15 | Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes' | Establish and document change control processes | 1.1.0 |
| 1 Identity and Access Management | 1.16 | Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No' | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | 1.16 | Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No' | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | 1.16 | Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 Identity and Access Management | 1.16 | Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No' | Establish and document change control processes | 1.1.0 |
| 1 Identity and Access Management | 1.17 | Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | 1.17 | Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | 1.17 | Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 Identity and Access Management | 1.17 | Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' | Establish and document change control processes | 1.1.0 |
| 1 Identity and Access Management | 1.18 | Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | 1.18 | Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | 1.18 | Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 Identity and Access Management | 1.18 | Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' | Establish and document change control processes | 1.1.0 |
| 1 Identity and Access Management | 1.19 | Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes' | Adopt biometric authentication mechanisms | 1.1.0 |
| 1 Identity and Access Management | 1.19 | Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes' | Authorize remote access | 1.1.0 |
| 1 Identity and Access Management | 1.19 | Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes' | Document mobility training | 1.1.0 |
| 1 Identity and Access Management | 1.19 | Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes' | Document remote access guidelines | 1.1.0 |
| 1 Identity and Access Management | 1.19 | Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes' | Identify and authenticate network devices | 1.1.0 |
| 1 Identity and Access Management | 1.19 | Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes' | Implement controls to secure alternate work sites | 1.1.0 |
| 1 Identity and Access Management | 1.19 | Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes' | Provide privacy training | 1.1.0 |
| 1 Identity and Access Management | 1.19 | Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes' | Satisfy token quality requirements | 1.1.0 |
| 1 Identity and Access Management | 1.2 | Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users | Accounts with read permissions on Azure resources should be MFA enabled | 1.0.0 |
| 1 Identity and Access Management | 1.2 | Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users | Adopt biometric authentication mechanisms | 1.1.0 |
| 1 Identity and Access Management | 1.20 | Ensure That No Custom Subscription Owner Roles Are Created | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | 1.20 | Ensure That No Custom Subscription Owner Roles Are Created | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | 1.20 | Ensure That No Custom Subscription Owner Roles Are Created | Design an access control model | 1.1.0 |
| 1 Identity and Access Management | 1.20 | Ensure That No Custom Subscription Owner Roles Are Created | Employ least privilege access | 1.1.0 |
| 1 Identity and Access Management | 1.20 | Ensure That No Custom Subscription Owner Roles Are Created | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 Identity and Access Management | 1.20 | Ensure That No Custom Subscription Owner Roles Are Created | Establish and document change control processes | 1.1.0 |
| 1 Identity and Access Management | 1.21 | Ensure Security Defaults is enabled on Azure Active Directory | Adopt biometric authentication mechanisms | 1.1.0 |
| 1 Identity and Access Management | 1.21 | Ensure Security Defaults is enabled on Azure Active Directory | Authenticate to cryptographic module | 1.1.0 |
| 1 Identity and Access Management | 1.21 | Ensure Security Defaults is enabled on Azure Active Directory | Authorize remote access | 1.1.0 |
| 1 Identity and Access Management | 1.21 | Ensure Security Defaults is enabled on Azure Active Directory | Document mobility training | 1.1.0 |
| 1 Identity and Access Management | 1.21 | Ensure Security Defaults is enabled on Azure Active Directory | Document remote access guidelines | 1.1.0 |
| 1 Identity and Access Management | 1.21 | Ensure Security Defaults is enabled on Azure Active Directory | Identify and authenticate network devices | 1.1.0 |
| 1 Identity and Access Management | 1.21 | Ensure Security Defaults is enabled on Azure Active Directory | Implement controls to secure alternate work sites | 1.1.0 |
| 1 Identity and Access Management | 1.21 | Ensure Security Defaults is enabled on Azure Active Directory | Provide privacy training | 1.1.0 |
| 1 Identity and Access Management | 1.21 | Ensure Security Defaults is enabled on Azure Active Directory | Satisfy token quality requirements | 1.1.0 |
| 1 Identity and Access Management | 1.22 | Ensure a Custom Role is Assigned Permissions for Administering Resource Locks | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | 1.22 | Ensure a Custom Role is Assigned Permissions for Administering Resource Locks | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | 1.22 | Ensure a Custom Role is Assigned Permissions for Administering Resource Locks | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 Identity and Access Management | 1.22 | Ensure a Custom Role is Assigned Permissions for Administering Resource Locks | Establish and document change control processes | 1.1.0 |
| 1 Identity and Access Management | 1.3 | Ensure guest users are reviewed on a monthly basis | Audit user account status | 1.1.0 |
| 1 Identity and Access Management | 1.3 | Ensure guest users are reviewed on a monthly basis | Guest accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| 1 Identity and Access Management | 1.3 | Ensure guest users are reviewed on a monthly basis | Guest accounts with read permissions on Azure resources should be removed | 1.0.0 |
| 1 Identity and Access Management | 1.3 | Ensure guest users are reviewed on a monthly basis | Guest accounts with write permissions on Azure resources should be removed | 1.0.0 |
| 1 Identity and Access Management | 1.3 | Ensure guest users are reviewed on a monthly basis | Reassign or remove user privileges as needed | 1.1.0 |
| 1 Identity and Access Management | 1.3 | Ensure guest users are reviewed on a monthly basis | Review account provisioning logs | 1.1.0 |
| 1 Identity and Access Management | 1.3 | Ensure guest users are reviewed on a monthly basis | Review user accounts | 1.1.0 |
| 1 Identity and Access Management | 1.3 | Ensure guest users are reviewed on a monthly basis | Review user privileges | 1.1.0 |
| 1 Identity and Access Management | 1.4 | Ensure that 'Restore multi-factor authentication on all remembered devices' is Enabled | Adopt biometric authentication mechanisms | 1.1.0 |
| 1 Identity and Access Management | 1.4 | Ensure that 'Restore multi-factor authentication on all remembered devices' is Enabled | Identify and authenticate network devices | 1.1.0 |
| 1 Identity and Access Management | 1.4 | Ensure that 'Restore multi-factor authentication on all remembered devices' is Enabled | Satisfy token quality requirements | 1.1.0 |
| 1 Identity and Access Management | 1.6 | Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' | Automate account management | 1.1.0 |
| 1 Identity and Access Management | 1.6 | Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' | Manage system and admin accounts | 1.1.0 |
| 1 Identity and Access Management | 1.6 | Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' | Monitor access across the organization | 1.1.0 |
| 1 Identity and Access Management | 1.6 | Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' | Notify when account is not needed | 1.1.0 |
| 1 Identity and Access Management | 1.7 | Ensure that 'Notify users on password resets?' is set to 'Yes' | Automate account management | 1.1.0 |
| 1 Identity and Access Management | 1.7 | Ensure that 'Notify users on password resets?' is set to 'Yes' | Implement training for protecting authenticators | 1.1.0 |
| 1 Identity and Access Management | 1.7 | Ensure that 'Notify users on password resets?' is set to 'Yes' | Manage system and admin accounts | 1.1.0 |
| 1 Identity and Access Management | 1.7 | Ensure that 'Notify users on password resets?' is set to 'Yes' | Monitor access across the organization | 1.1.0 |
| 1 Identity and Access Management | 1.7 | Ensure that 'Notify users on password resets?' is set to 'Yes' | Notify when account is not needed | 1.1.0 |
| 1 Identity and Access Management | 1.8 | Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' | Audit privileged functions | 1.1.0 |
| 1 Identity and Access Management | 1.8 | Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' | Automate account management | 1.1.0 |
| 1 Identity and Access Management | 1.8 | Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' | Implement training for protecting authenticators | 1.1.0 |
| 1 Identity and Access Management | 1.8 | Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' | Manage system and admin accounts | 1.1.0 |
| 1 Identity and Access Management | 1.8 | Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' | Monitor access across the organization | 1.1.0 |
| 1 Identity and Access Management | 1.8 | Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' | Monitor privileged role assignment | 1.1.0 |
| 1 Identity and Access Management | 1.8 | Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' | Notify when account is not needed | 1.1.0 |
| 1 Identity and Access Management | 1.8 | Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' | Restrict access to privileged accounts | 1.1.0 |
| 1 Identity and Access Management | 1.8 | Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' | Revoke privileged roles as appropriate | 1.1.0 |
| 1 Identity and Access Management | 1.8 | Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' | Use privileged identity management | 1.1.0 |
| 1 Identity and Access Management | 1.9 | Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No' | Authorize access to security functions and information | 1.1.0 |
| 1 Identity and Access Management | 1.9 | Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No' | Authorize and manage access | 1.1.0 |
| 1 Identity and Access Management | 1.9 | Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.1 | Ensure that Microsoft Defender for Servers is set to 'On' | Azure Defender for servers should be enabled | 1.0.3 |
| 2 Microsoft Defender for Cloud | 2.1 | Ensure that Microsoft Defender for Servers is set to 'On' | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.1 | Ensure that Microsoft Defender for Servers is set to 'On' | Detect network services that have not been authorized or approved | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.1 | Ensure that Microsoft Defender for Servers is set to 'On' | Manage gateways | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.1 | Ensure that Microsoft Defender for Servers is set to 'On' | Perform a trend analysis on threats | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.1 | Ensure that Microsoft Defender for Servers is set to 'On' | Perform vulnerability scans | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.1 | Ensure that Microsoft Defender for Servers is set to 'On' | Review malware detections report weekly | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.1 | Ensure that Microsoft Defender for Servers is set to 'On' | Review threat protection status weekly | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.1 | Ensure that Microsoft Defender for Servers is set to 'On' | Update antivirus definitions | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.10 | Ensure that Microsoft Defender for Cloud Apps (MCAS) Integration with Microsoft Defender for Cloud is Selected | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.10 | Ensure that Microsoft Defender for Cloud Apps (MCAS) Integration with Microsoft Defender for Cloud is Selected | Detect network services that have not been authorized or approved | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.10 | Ensure that Microsoft Defender for Cloud Apps (MCAS) Integration with Microsoft Defender for Cloud is Selected | Manage gateways | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.10 | Ensure that Microsoft Defender for Cloud Apps (MCAS) Integration with Microsoft Defender for Cloud is Selected | Perform a trend analysis on threats | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.10 | Ensure that Microsoft Defender for Cloud Apps (MCAS) Integration with Microsoft Defender for Cloud is Selected | Perform vulnerability scans | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.10 | Ensure that Microsoft Defender for Cloud Apps (MCAS) Integration with Microsoft Defender for Cloud is Selected | Review malware detections report weekly | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.10 | Ensure that Microsoft Defender for Cloud Apps (MCAS) Integration with Microsoft Defender for Cloud is Selected | Review threat protection status weekly | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.10 | Ensure that Microsoft Defender for Cloud Apps (MCAS) Integration with Microsoft Defender for Cloud is Selected | Update antivirus definitions | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.11 | Ensure That Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On' | Auto provisioning of the Log Analytics agent should be enabled on your subscription | 1.0.1 |
| 2 Microsoft Defender for Cloud | 2.11 | Ensure That Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On' | Document security operations | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.11 | Ensure That Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On' | Turn on sensors for endpoint security solution | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.12 | Ensure Any of the ASC Default Policy Setting is Not Set to 'Disabled' | Configure actions for noncompliant devices | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.12 | Ensure Any of the ASC Default Policy Setting is Not Set to 'Disabled' | Develop and maintain baseline configurations | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.12 | Ensure Any of the ASC Default Policy Setting is Not Set to 'Disabled' | Enforce security configuration settings | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.12 | Ensure Any of the ASC Default Policy Setting is Not Set to 'Disabled' | Establish a configuration control board | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.12 | Ensure Any of the ASC Default Policy Setting is Not Set to 'Disabled' | Establish and document a configuration management plan | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.12 | Ensure Any of the ASC Default Policy Setting is Not Set to 'Disabled' | Implement an automated configuration management tool | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.13 | Ensure 'Additional email addresses' is Configured with a Security Contact Email | Subscriptions should have a contact email address for security issues | 1.0.1 |
| 2 Microsoft Defender for Cloud | 2.14 | Ensure That 'Notify about alerts with the following severity' is Set to 'High' | Email notification for high severity alerts should be enabled | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.2 | Ensure that Microsoft Defender for App Service is set to 'On' | Azure Defender for App Service should be enabled | 1.0.3 |
| 2 Microsoft Defender for Cloud | 2.2 | Ensure that Microsoft Defender for App Service is set to 'On' | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.2 | Ensure that Microsoft Defender for App Service is set to 'On' | Detect network services that have not been authorized or approved | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.2 | Ensure that Microsoft Defender for App Service is set to 'On' | Manage gateways | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.2 | Ensure that Microsoft Defender for App Service is set to 'On' | Perform a trend analysis on threats | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.2 | Ensure that Microsoft Defender for App Service is set to 'On' | Perform vulnerability scans | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.2 | Ensure that Microsoft Defender for App Service is set to 'On' | Review malware detections report weekly | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.2 | Ensure that Microsoft Defender for App Service is set to 'On' | Review threat protection status weekly | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.2 | Ensure that Microsoft Defender for App Service is set to 'On' | Update antivirus definitions | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.3 | Ensure that Microsoft Defender for Azure SQL Databases is set to 'On' | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| 2 Microsoft Defender for Cloud | 2.3 | Ensure that Microsoft Defender for Azure SQL Databases is set to 'On' | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.3 | Ensure that Microsoft Defender for Azure SQL Databases is set to 'On' | Detect network services that have not been authorized or approved | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.3 | Ensure that Microsoft Defender for Azure SQL Databases is set to 'On' | Manage gateways | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.3 | Ensure that Microsoft Defender for Azure SQL Databases is set to 'On' | Perform a trend analysis on threats | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.3 | Ensure that Microsoft Defender for Azure SQL Databases is set to 'On' | Perform vulnerability scans | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.3 | Ensure that Microsoft Defender for Azure SQL Databases is set to 'On' | Review malware detections report weekly | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.3 | Ensure that Microsoft Defender for Azure SQL Databases is set to 'On' | Review threat protection status weekly | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.3 | Ensure that Microsoft Defender for Azure SQL Databases is set to 'On' | Update antivirus definitions | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.4 | Ensure that Microsoft Defender for SQL servers on machines is set to 'On' | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| 2 Microsoft Defender for Cloud | 2.4 | Ensure that Microsoft Defender for SQL servers on machines is set to 'On' | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.4 | Ensure that Microsoft Defender for SQL servers on machines is set to 'On' | Detect network services that have not been authorized or approved | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.4 | Ensure that Microsoft Defender for SQL servers on machines is set to 'On' | Manage gateways | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.4 | Ensure that Microsoft Defender for SQL servers on machines is set to 'On' | Perform a trend analysis on threats | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.4 | Ensure that Microsoft Defender for SQL servers on machines is set to 'On' | Perform vulnerability scans | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.4 | Ensure that Microsoft Defender for SQL servers on machines is set to 'On' | Review malware detections report weekly | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.4 | Ensure that Microsoft Defender for SQL servers on machines is set to 'On' | Review threat protection status weekly | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.4 | Ensure that Microsoft Defender for SQL servers on machines is set to 'On' | Update antivirus definitions | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.5 | Ensure that Microsoft Defender for Storage is set to 'On' | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.5 | Ensure that Microsoft Defender for Storage is set to 'On' | Detect network services that have not been authorized or approved | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.5 | Ensure that Microsoft Defender for Storage is set to 'On' | Manage gateways | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.5 | Ensure that Microsoft Defender for Storage is set to 'On' | Microsoft Defender for Storage should be enabled | 1.0.0 |
| 2 Microsoft Defender for Cloud | 2.5 | Ensure that Microsoft Defender for Storage is set to 'On' | Perform a trend analysis on threats | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.5 | Ensure that Microsoft Defender for Storage is set to 'On' | Perform vulnerability scans | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.5 | Ensure that Microsoft Defender for Storage is set to 'On' | Review malware detections report weekly | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.5 | Ensure that Microsoft Defender for Storage is set to 'On' | Review threat protection status weekly | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.5 | Ensure that Microsoft Defender for Storage is set to 'On' | Update antivirus definitions | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.6 | Ensure that Microsoft Defender for Kubernetes is set to 'On' | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.6 | Ensure that Microsoft Defender for Kubernetes is set to 'On' | Detect network services that have not been authorized or approved | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.6 | Ensure that Microsoft Defender for Kubernetes is set to 'On' | Manage gateways | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.6 | Ensure that Microsoft Defender for Kubernetes is set to 'On' | Microsoft Defender for Containers should be enabled | 1.0.0 |
| 2 Microsoft Defender for Cloud | 2.6 | Ensure that Microsoft Defender for Kubernetes is set to 'On' | Perform a trend analysis on threats | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.6 | Ensure that Microsoft Defender for Kubernetes is set to 'On' | Perform vulnerability scans | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.6 | Ensure that Microsoft Defender for Kubernetes is set to 'On' | Review malware detections report weekly | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.6 | Ensure that Microsoft Defender for Kubernetes is set to 'On' | Review threat protection status weekly | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.6 | Ensure that Microsoft Defender for Kubernetes is set to 'On' | Update antivirus definitions | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.7 | Ensure that Microsoft Defender for Container Registries is set to 'On' | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.7 | Ensure that Microsoft Defender for Container Registries is set to 'On' | Detect network services that have not been authorized or approved | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.7 | Ensure that Microsoft Defender for Container Registries is set to 'On' | Manage gateways | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.7 | Ensure that Microsoft Defender for Container Registries is set to 'On' | Microsoft Defender for Containers should be enabled | 1.0.0 |
| 2 Microsoft Defender for Cloud | 2.7 | Ensure that Microsoft Defender for Container Registries is set to 'On' | Perform a trend analysis on threats | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.7 | Ensure that Microsoft Defender for Container Registries is set to 'On' | Perform vulnerability scans | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.7 | Ensure that Microsoft Defender for Container Registries is set to 'On' | Review malware detections report weekly | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.7 | Ensure that Microsoft Defender for Container Registries is set to 'On' | Review threat protection status weekly | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.7 | Ensure that Microsoft Defender for Container Registries is set to 'On' | Update antivirus definitions | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.8 | Ensure that Microsoft Defender for Key Vault is set to 'On' | Azure Defender for Key Vault should be enabled | 1.0.3 |
| 2 Microsoft Defender for Cloud | 2.8 | Ensure that Microsoft Defender for Key Vault is set to 'On' | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.8 | Ensure that Microsoft Defender for Key Vault is set to 'On' | Detect network services that have not been authorized or approved | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.8 | Ensure that Microsoft Defender for Key Vault is set to 'On' | Manage gateways | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.8 | Ensure that Microsoft Defender for Key Vault is set to 'On' | Perform a trend analysis on threats | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.8 | Ensure that Microsoft Defender for Key Vault is set to 'On' | Perform vulnerability scans | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.8 | Ensure that Microsoft Defender for Key Vault is set to 'On' | Review malware detections report weekly | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.8 | Ensure that Microsoft Defender for Key Vault is set to 'On' | Review threat protection status weekly | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.8 | Ensure that Microsoft Defender for Key Vault is set to 'On' | Update antivirus definitions | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.9 | Ensure that Microsoft Defender for Endpoint (WDATP) integration with Microsoft Defender for Cloud is selected | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.9 | Ensure that Microsoft Defender for Endpoint (WDATP) integration with Microsoft Defender for Cloud is selected | Detect network services that have not been authorized or approved | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.9 | Ensure that Microsoft Defender for Endpoint (WDATP) integration with Microsoft Defender for Cloud is selected | Manage gateways | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.9 | Ensure that Microsoft Defender for Endpoint (WDATP) integration with Microsoft Defender for Cloud is selected | Perform a trend analysis on threats | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.9 | Ensure that Microsoft Defender for Endpoint (WDATP) integration with Microsoft Defender for Cloud is selected | Perform vulnerability scans | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.9 | Ensure that Microsoft Defender for Endpoint (WDATP) integration with Microsoft Defender for Cloud is selected | Review malware detections report weekly | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.9 | Ensure that Microsoft Defender for Endpoint (WDATP) integration with Microsoft Defender for Cloud is selected | Review threat protection status weekly | 1.1.0 |
| 2 Microsoft Defender for Cloud | 2.9 | Ensure that Microsoft Defender for Endpoint (WDATP) integration with Microsoft Defender for Cloud is selected | Update antivirus definitions | 1.1.0 |
| 3 Storage Accounts | 3.1 | Ensure that 'Secure transfer required' is set to 'Enabled' | Configure workstations to check for digital certificates | 1.1.0 |
| 3 Storage Accounts | 3.1 | Ensure that 'Secure transfer required' is set to 'Enabled' | Protect data in transit using encryption | 1.1.0 |
| 3 Storage Accounts | 3.1 | Ensure that 'Secure transfer required' is set to 'Enabled' | Protect passwords with encryption | 1.1.0 |
| 3 Storage Accounts | 3.10 | Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests | Audit privileged functions | 1.1.0 |
| 3 Storage Accounts | 3.10 | Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests | Audit user account status | 1.1.0 |
| 3 Storage Accounts | 3.10 | Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests | Configure Azure Audit capabilities | 1.1.1 |
| 3 Storage Accounts | 3.10 | Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests | Determine auditable events | 1.1.0 |
| 3 Storage Accounts | 3.10 | Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests | Review audit data | 1.1.0 |
| 3 Storage Accounts | 3.11 | Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests | Audit privileged functions | 1.1.0 |
| 3 Storage Accounts | 3.11 | Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests | Audit user account status | 1.1.0 |
| 3 Storage Accounts | 3.11 | Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests | Configure Azure Audit capabilities | 1.1.1 |
| 3 Storage Accounts | 3.11 | Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests | Determine auditable events | 1.1.0 |
| 3 Storage Accounts | 3.11 | Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests | Review audit data | 1.1.0 |
| 3 Storage Accounts | 3.12 | Ensure the "Minimum TLS version" is set to "Version 1.2" | Configure workstations to check for digital certificates | 1.1.0 |
| 3 Storage Accounts | 3.12 | Ensure the "Minimum TLS version" is set to "Version 1.2" | Protect data in transit using encryption | 1.1.0 |
| 3 Storage Accounts | 3.12 | Ensure the "Minimum TLS version" is set to "Version 1.2" | Protect passwords with encryption | 1.1.0 |
| 3 Storage Accounts | 3.2 | Ensure That Storage Account Access Keys are Periodically Regenerated | Define a physical key management process | 1.1.0 |
| 3 Storage Accounts | 3.2 | Ensure That Storage Account Access Keys are Periodically Regenerated | Define cryptographic use | 1.1.0 |
| 3 Storage Accounts | 3.2 | Ensure That Storage Account Access Keys are Periodically Regenerated | Define organizational requirements for cryptographic key management | 1.1.0 |
| 3 Storage Accounts | 3.2 | Ensure That Storage Account Access Keys are Periodically Regenerated | Determine assertion requirements | 1.1.0 |
| 3 Storage Accounts | 3.2 | Ensure That Storage Account Access Keys are Periodically Regenerated | Issue public key certificates | 1.1.0 |
| 3 Storage Accounts | 3.2 | Ensure That Storage Account Access Keys are Periodically Regenerated | Manage symmetric cryptographic keys | 1.1.0 |
| 3 Storage Accounts | 3.2 | Ensure That Storage Account Access Keys are Periodically Regenerated | Restrict access to private keys | 1.1.0 |
| 3 Storage Accounts | 3.3 | Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests | Audit privileged functions | 1.1.0 |
| 3 Storage Accounts | 3.3 | Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests | Audit user account status | 1.1.0 |
| 3 Storage Accounts | 3.3 | Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests | Configure Azure Audit capabilities | 1.1.1 |
| 3 Storage Accounts | 3.3 | Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests | Determine auditable events | 1.1.0 |
| 3 Storage Accounts | 3.3 | Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests | Review audit data | 1.1.0 |
| 3 Storage Accounts | 3.4 | Ensure that Shared Access Signature Tokens Expire Within an Hour | Disable authenticators upon termination | 1.1.0 |
| 3 Storage Accounts | 3.4 | Ensure that Shared Access Signature Tokens Expire Within an Hour | Revoke privileged roles as appropriate | 1.1.0 |
| 3 Storage Accounts | 3.4 | Ensure that Shared Access Signature Tokens Expire Within an Hour | Terminate user session automatically | 1.1.0 |
| 3 Storage Accounts | 3.5 | Ensure that 'Public access level' is set to Private for blob containers | Authorize access to security functions and information | 1.1.0 |
| 3 Storage Accounts | 3.5 | Ensure that 'Public access level' is set to Private for blob containers | Authorize and manage access | 1.1.0 |
| 3 Storage Accounts | 3.5 | Ensure that 'Public access level' is set to Private for blob containers | Enforce logical access | 1.1.0 |
| 3 Storage Accounts | 3.5 | Ensure that 'Public access level' is set to Private for blob containers | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 3 Storage Accounts | 3.5 | Ensure that 'Public access level' is set to Private for blob containers | Require approval for account creation | 1.1.0 |
| 3 Storage Accounts | 3.5 | Ensure that 'Public access level' is set to Private for blob containers | Review user groups and applications with access to sensitive data | 1.1.0 |
| 3 Storage Accounts | 3.7 | Ensure 'Trusted Microsoft Services' are Enabled for Storage Account Access | Control information flow | 1.1.0 |
| 3 Storage Accounts | 3.7 | Ensure 'Trusted Microsoft Services' are Enabled for Storage Account Access | Employ flow control mechanisms of encrypted information | 1.1.0 |
| 3 Storage Accounts | 3.7 | Ensure 'Trusted Microsoft Services' are Enabled for Storage Account Access | Establish firewall and router configuration standards | 1.1.0 |
| 3 Storage Accounts | 3.7 | Ensure 'Trusted Microsoft Services' are Enabled for Storage Account Access | Establish network segmentation for card holder data environment | 1.1.0 |
| 3 Storage Accounts | 3.7 | Ensure 'Trusted Microsoft Services' are Enabled for Storage Account Access | Identify and manage downstream information exchanges | 1.1.0 |
| 3 Storage Accounts | 3.9 | Ensure Storage for Critical Data are Encrypted with Customer Managed Keys | Establish a data leakage management procedure | 1.1.0 |
| 3 Storage Accounts | 3.9 | Ensure Storage for Critical Data are Encrypted with Customer Managed Keys | Implement controls to secure all media | 1.1.0 |
| 3 Storage Accounts | 3.9 | Ensure Storage for Critical Data are Encrypted with Customer Managed Keys | Protect data in transit using encryption | 1.1.0 |
| 3 Storage Accounts | 3.9 | Ensure Storage for Critical Data are Encrypted with Customer Managed Keys | Protect special information | 1.1.0 |
| 4 Database Services | 4.1.1 | Ensure that 'Auditing' is set to 'On' | Audit privileged functions | 1.1.0 |
| 4 Database Services | 4.1.1 | Ensure that 'Auditing' is set to 'On' | Audit user account status | 1.1.0 |
| 4 Database Services | 4.1.1 | Ensure that 'Auditing' is set to 'On' | Determine auditable events | 1.1.0 |
| 4 Database Services | 4.1.1 | Ensure that 'Auditing' is set to 'On' | Review audit data | 1.1.0 |
| 4 Database Services | 4.1.2 | Ensure that 'Data encryption' is set to 'On' on a SQL Database | Establish a data leakage management procedure | 1.1.0 |
| 4 Database Services | 4.1.2 | Ensure that 'Data encryption' is set to 'On' on a SQL Database | Implement controls to secure all media | 1.1.0 |
| 4 Database Services | 4.1.2 | Ensure that 'Data encryption' is set to 'On' on a SQL Database | Protect data in transit using encryption | 1.1.0 |
| 4 Database Services | 4.1.2 | Ensure that 'Data encryption' is set to 'On' on a SQL Database | Protect special information | 1.1.0 |
| 4 Database Services | 4.1.3 | Ensure that 'Auditing' Retention is 'greater than 90 days' | Adhere to retention periods defined | 1.1.0 |
| 4 Database Services | 4.1.3 | Ensure that 'Auditing' Retention is 'greater than 90 days' | Govern and monitor audit processing activities | 1.1.0 |
| 4 Database Services | 4.1.3 | Ensure that 'Auditing' Retention is 'greater than 90 days' | Retain security policies and procedures | 1.1.0 |
| 4 Database Services | 4.1.3 | Ensure that 'Auditing' Retention is 'greater than 90 days' | Retain terminated user data | 1.1.0 |
| 4 Database Services | 4.2.1 | Ensure that Advanced Threat Protection (ATP) on a SQL Server is Set to 'Enabled' | Perform a trend analysis on threats | 1.1.0 |
| 4 Database Services | 4.2.2 | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Perform vulnerability scans | 1.1.0 |
| 4 Database Services | 4.2.2 | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Remediate information system flaws | 1.1.0 |
| 4 Database Services | 4.2.3 | Ensure that VA setting 'Periodic recurring scans' to 'on' for each SQL server | Perform vulnerability scans | 1.1.0 |
| 4 Database Services | 4.2.3 | Ensure that VA setting 'Periodic recurring scans' to 'on' for each SQL server | Remediate information system flaws | 1.1.0 |
| 4 Database Services | 4.2.4 | Ensure that VA setting 'Send scan reports to' is configured for a SQL server | Correlate Vulnerability scan information | 1.1.1 |
| 4 Database Services | 4.2.4 | Ensure that VA setting 'Send scan reports to' is configured for a SQL server | Perform vulnerability scans | 1.1.0 |
| 4 Database Services | 4.2.4 | Ensure that VA setting 'Send scan reports to' is configured for a SQL server | Remediate information system flaws | 1.1.0 |
| 4 Database Services | 4.2.5 | Ensure that Vulnerability Assessment Setting 'Also send email notifications to admins and subscription owners' is Set for Each SQL Server | Correlate Vulnerability scan information | 1.1.1 |
| 4 Database Services | 4.2.5 | Ensure that Vulnerability Assessment Setting 'Also send email notifications to admins and subscription owners' is Set for Each SQL Server | Perform vulnerability scans | 1.1.0 |
| 4 Database Services | 4.2.5 | Ensure that Vulnerability Assessment Setting 'Also send email notifications to admins and subscription owners' is Set for Each SQL Server | Remediate information system flaws | 1.1.0 |
| 4 Database Services | 4.3.1 | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Configure workstations to check for digital certificates | 1.1.0 |
| 4 Database Services | 4.3.1 | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Protect data in transit using encryption | 1.1.0 |
| 4 Database Services | 4.3.1 | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Protect passwords with encryption | 1.1.0 |
| 4 Database Services | 4.3.2 | Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Audit privileged functions | 1.1.0 |
| 4 Database Services | 4.3.2 | Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Audit user account status | 1.1.0 |
| 4 Database Services | 4.3.2 | Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Determine auditable events | 1.1.0 |
| 4 Database Services | 4.3.2 | Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Review audit data | 1.1.0 |
| 4 Database Services | 4.3.3 | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | Audit privileged functions | 1.1.0 |
| 4 Database Services | 4.3.3 | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | Audit user account status | 1.1.0 |
| 4 Database Services | 4.3.3 | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | Determine auditable events | 1.1.0 |
| 4 Database Services | 4.3.3 | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | Review audit data | 1.1.0 |
| 4 Database Services | 4.3.4 | Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server | Audit privileged functions | 1.1.0 |
| 4 Database Services | 4.3.4 | Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server | Audit user account status | 1.1.0 |
| 4 Database Services | 4.3.4 | Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server | Determine auditable events | 1.1.0 |
| 4 Database Services | 4.3.4 | Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server | Review audit data | 1.1.0 |
| 4 Database Services | 4.3.5 | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Audit privileged functions | 1.1.0 |
| 4 Database Services | 4.3.5 | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Audit user account status | 1.1.0 |
| 4 Database Services | 4.3.5 | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Determine auditable events | 1.1.0 |
| 4 Database Services | 4.3.5 | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Review audit data | 1.1.0 |
| 4 Database Services | 4.3.6 | Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server | Adhere to retention periods defined | 1.1.0 |
| 4 Database Services | 4.3.6 | Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server | Govern and monitor audit processing activities | 1.1.0 |
| 4 Database Services | 4.3.6 | Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server | Retain security policies and procedures | 1.1.0 |
| 4 Database Services | 4.3.6 | Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server | Retain terminated user data | 1.1.0 |
| 4 Database Services | 4.3.7 | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Control information flow | 1.1.0 |
| 4 Database Services | 4.3.7 | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Employ flow control mechanisms of encrypted information | 1.1.0 |
| 4 Database Services | 4.3.7 | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Establish firewall and router configuration standards | 1.1.0 |
| 4 Database Services | 4.3.7 | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Establish network segmentation for card holder data environment | 1.1.0 |
| 4 Database Services | 4.3.7 | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Identify and manage downstream information exchanges | 1.1.0 |
| 4 Database Services | 4.3.8 | Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled' | Establish a data leakage management procedure | 1.1.0 |
| 4 Database Services | 4.3.8 | Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled' | Implement controls to secure all media | 1.1.0 |
| 4 Database Services | 4.3.8 | Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled' | Protect data in transit using encryption | 1.1.0 |
| 4 Database Services | 4.3.8 | Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled' | Protect special information | 1.1.0 |
| 4 Database Services | 4.4.1 | Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server | Configure workstations to check for digital certificates | 1.1.0 |
| 4 Database Services | 4.4.1 | Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server | Protect data in transit using encryption | 1.1.0 |
| 4 Database Services | 4.4.1 | Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server | Protect passwords with encryption | 1.1.0 |
| 4 Database Services | 4.4.2 | Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server | Configure workstations to check for digital certificates | 1.1.0 |
| 4 Database Services | 4.4.2 | Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server | Protect data in transit using encryption | 1.1.0 |
| 4 Database Services | 4.4.2 | Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server | Protect passwords with encryption | 1.1.0 |
| 4 Database Services | 4.5 | Ensure that Azure Active Directory Admin is configured | Automate account management | 1.1.0 |
| 4 Database Services | 4.5 | Ensure that Azure Active Directory Admin is configured | Manage system and admin accounts | 1.1.0 |
| 4 Database Services | 4.5 | Ensure that Azure Active Directory Admin is configured | Monitor access across the organization | 1.1.0 |
| 4 Database Services | 4.5 | Ensure that Azure Active Directory Admin is configured | Notify when account is not needed | 1.1.0 |
| 4 Database Services | 4.6 | Ensure SQL server's TDE protector is encrypted with Customer-managed key | Establish a data leakage management procedure | 1.1.0 |
| 4 Database Services | 4.6 | Ensure SQL server's TDE protector is encrypted with Customer-managed key | Implement controls to secure all media | 1.1.0 |
| 4 Database Services | 4.6 | Ensure SQL server's TDE protector is encrypted with Customer-managed key | Protect data in transit using encryption | 1.1.0 |
| 4 Database Services | 4.6 | Ensure SQL server's TDE protector is encrypted with Customer-managed key | Protect special information | 1.1.0 |
| 5 Logging and Monitoring | 5.1.1 | Ensure that a 'Diagnostics Setting' exists | Determine auditable events | 1.1.0 |
| 5 Logging and Monitoring | 5.1.2 | Ensure Diagnostic Setting captures appropriate categories | Audit privileged functions | 1.1.0 |
| 5 Logging and Monitoring | 5.1.2 | Ensure Diagnostic Setting captures appropriate categories | Audit user account status | 1.1.0 |
| 5 Logging and Monitoring | 5.1.2 | Ensure Diagnostic Setting captures appropriate categories | Configure Azure Audit capabilities | 1.1.1 |
| 5 Logging and Monitoring | 5.1.2 | Ensure Diagnostic Setting captures appropriate categories | Determine auditable events | 1.1.0 |
| 5 Logging and Monitoring | 5.1.2 | Ensure Diagnostic Setting captures appropriate categories | Review audit data | 1.1.0 |
| 5 Logging and Monitoring | 5.1.3 | Ensure the storage container storing the activity logs is not publicly accessible | Enable dual or joint authorization | 1.1.0 |
| 5 Logging and Monitoring | 5.1.3 | Ensure the storage container storing the activity logs is not publicly accessible | Protect audit information | 1.1.0 |
| 5 Logging and Monitoring | 5.1.4 | Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key) | Enable dual or joint authorization | 1.1.0 |
| 5 Logging and Monitoring | 5.1.4 | Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key) | Maintain integrity of audit system | 1.1.0 |
| 5 Logging and Monitoring | 5.1.4 | Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key) | Protect audit information | 1.1.0 |
| 5 Logging and Monitoring | 5.1.5 | Ensure that logging for Azure KeyVault is 'Enabled' | Audit privileged functions | 1.1.0 |
| 5 Logging and Monitoring | 5.1.5 | Ensure that logging for Azure KeyVault is 'Enabled' | Audit user account status | 1.1.0 |
| 5 Logging and Monitoring | 5.1.5 | Ensure that logging for Azure KeyVault is 'Enabled' | Determine auditable events | 1.1.0 |
| 5 Logging and Monitoring | 5.1.5 | Ensure that logging for Azure KeyVault is 'Enabled' | Review audit data | 1.1.0 |
| 5 Logging and Monitoring | 5.2.1 | Ensure that Activity Log Alert exists for Create Policy Assignment | Alert personnel of information spillage | 1.1.0 |
| 5 Logging and Monitoring | 5.2.1 | Ensure that Activity Log Alert exists for Create Policy Assignment | An activity log alert should exist for specific Policy operations | 3.0.0 |
| 5 Logging and Monitoring | 5.2.1 | Ensure that Activity Log Alert exists for Create Policy Assignment | Develop an incident response plan | 1.1.0 |
| 5 Logging and Monitoring | 5.2.1 | Ensure that Activity Log Alert exists for Create Policy Assignment | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| 5 Logging and Monitoring | 5.2.2 | Ensure that Activity Log Alert exists for Delete Policy Assignment | Alert personnel of information spillage | 1.1.0 |
| 5 Logging and Monitoring | 5.2.2 | Ensure that Activity Log Alert exists for Delete Policy Assignment | An activity log alert should exist for specific Policy operations | 3.0.0 |
| 5 Logging and Monitoring | 5.2.2 | Ensure that Activity Log Alert exists for Delete Policy Assignment | Develop an incident response plan | 1.1.0 |
| 5 Logging and Monitoring | 5.2.2 | Ensure that Activity Log Alert exists for Delete Policy Assignment | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| 5 Logging and Monitoring | 5.2.3 | Ensure that Activity Log Alert exists for Create or Update Network Security Group | Alert personnel of information spillage | 1.1.0 |
| 5 Logging and Monitoring | 5.2.3 | Ensure that Activity Log Alert exists for Create or Update Network Security Group | An activity log alert should exist for specific Administrative operations | 1.0.0 |
| 5 Logging and Monitoring | 5.2.3 | Ensure that Activity Log Alert exists for Create or Update Network Security Group | Develop an incident response plan | 1.1.0 |
| 5 Logging and Monitoring | 5.2.3 | Ensure that Activity Log Alert exists for Create or Update Network Security Group | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| 5 Logging and Monitoring | 5.2.4 | Ensure that Activity Log Alert exists for Delete Network Security Group | Alert personnel of information spillage | 1.1.0 |
| 5 Logging and Monitoring | 5.2.4 | Ensure that Activity Log Alert exists for Delete Network Security Group | An activity log alert should exist for specific Administrative operations | 1.0.0 |
| 5 Logging and Monitoring | 5.2.4 | Ensure that Activity Log Alert exists for Delete Network Security Group | Develop an incident response plan | 1.1.0 |
| 5 Logging and Monitoring | 5.2.4 | Ensure that Activity Log Alert exists for Delete Network Security Group | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| 5 Logging and Monitoring | 5.2.5 | Ensure that Activity Log Alert exists for Create or Update Network Security Group | Alert personnel of information spillage | 1.1.0 |
| 5 Logging and Monitoring | 5.2.5 | Ensure that Activity Log Alert exists for Create or Update Network Security Group | An activity log alert should exist for specific Administrative operations | 1.0.0 |
| 5 Logging and Monitoring | 5.2.5 | Ensure that Activity Log Alert exists for Create or Update Network Security Group | Develop an incident response plan | 1.1.0 |
| 5 Logging and Monitoring | 5.2.5 | Ensure that Activity Log Alert exists for Create or Update Network Security Group | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| 5 Logging and Monitoring | 5.2.6 | Ensure that activity log alert exists for the Delete Network Security Group Rule | Alert personnel of information spillage | 1.1.0 |
| 5 Logging and Monitoring | 5.2.6 | Ensure that activity log alert exists for the Delete Network Security Group Rule | An activity log alert should exist for specific Administrative operations | 1.0.0 |
| 5 Logging and Monitoring | 5.2.6 | Ensure that activity log alert exists for the Delete Network Security Group Rule | Develop an incident response plan | 1.1.0 |
| 5 Logging and Monitoring | 5.2.6 | Ensure that activity log alert exists for the Delete Network Security Group Rule | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| 5 Logging and Monitoring | 5.2.7 | Ensure that Activity Log Alert exists for Create or Update Security Solution | Alert personnel of information spillage | 1.1.0 |
| 5 Logging and Monitoring | 5.2.7 | Ensure that Activity Log Alert exists for Create or Update Security Solution | An activity log alert should exist for specific Security operations | 1.0.0 |
| 5 Logging and Monitoring | 5.2.7 | Ensure that Activity Log Alert exists for Create or Update Security Solution | Develop an incident response plan | 1.1.0 |
| 5 Logging and Monitoring | 5.2.7 | Ensure that Activity Log Alert exists for Create or Update Security Solution | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| 5 Logging and Monitoring | 5.2.8 | Ensure that Activity Log Alert exists for Delete Security Solution | Alert personnel of information spillage | 1.1.0 |
| 5 Logging and Monitoring | 5.2.8 | Ensure that Activity Log Alert exists for Delete Security Solution | An activity log alert should exist for specific Security operations | 1.0.0 |
| 5 Logging and Monitoring | 5.2.8 | Ensure that Activity Log Alert exists for Delete Security Solution | Develop an incident response plan | 1.1.0 |
| 5 Logging and Monitoring | 5.2.8 | Ensure that Activity Log Alert exists for Delete Security Solution | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| 5 Logging and Monitoring | 5.2.9 | Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule | Alert personnel of information spillage | 1.1.0 |
| 5 Logging and Monitoring | 5.2.9 | Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule | An activity log alert should exist for specific Administrative operations | 1.0.0 |
| 5 Logging and Monitoring | 5.2.9 | Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule | Develop an incident response plan | 1.1.0 |
| 5 Logging and Monitoring | 5.2.9 | Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| 5 Logging and Monitoring | 5.3 | Ensure that Diagnostic Logs Are Enabled for All Services that Support it. | Adhere to retention periods defined | 1.1.0 |
| 5 Logging and Monitoring | 5.3 | Ensure that Diagnostic Logs Are Enabled for All Services that Support it. | Audit privileged functions | 1.1.0 |
| 5 Logging and Monitoring | 5.3 | Ensure that Diagnostic Logs Are Enabled for All Services that Support it. | Audit user account status | 1.1.0 |
| 5 Logging and Monitoring | 5.3 | Ensure that Diagnostic Logs Are Enabled for All Services that Support it. | Configure Azure Audit capabilities | 1.1.1 |
| 5 Logging and Monitoring | 5.3 | Ensure that Diagnostic Logs Are Enabled for All Services that Support it. | Determine auditable events | 1.1.0 |
| 5 Logging and Monitoring | 5.3 | Ensure that Diagnostic Logs Are Enabled for All Services that Support it. | Govern and monitor audit processing activities | 1.1.0 |
| 5 Logging and Monitoring | 5.3 | Ensure that Diagnostic Logs Are Enabled for All Services that Support it. | Retain security policies and procedures | 1.1.0 |
| 5 Logging and Monitoring | 5.3 | Ensure that Diagnostic Logs Are Enabled for All Services that Support it. | Retain terminated user data | 1.1.0 |
| 5 Logging and Monitoring | 5.3 | Ensure that Diagnostic Logs Are Enabled for All Services that Support it. | Review audit data | 1.1.0 |
| 6 Networking | 6.3 | Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP) | Control information flow | 1.1.0 |
| 6 Networking | 6.3 | Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP) | Employ flow control mechanisms of encrypted information | 1.1.0 |
| 6 Networking | 6.4 | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Adhere to retention periods defined | 1.1.0 |
| 6 Networking | 6.4 | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Retain security policies and procedures | 1.1.0 |
| 6 Networking | 6.4 | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Retain terminated user data | 1.1.0 |
| 6 Networking | 6.5 | Ensure that Network Watcher is 'Enabled' | Verify security functions | 1.1.0 |
| 7 Virtual Machines | 7.1 | Ensure Virtual Machines are utilizing Managed Disks | Control physical access | 1.1.0 |
| 7 Virtual Machines | 7.1 | Ensure Virtual Machines are utilizing Managed Disks | Manage the input, output, processing, and storage of data | 1.1.0 |
| 7 Virtual Machines | 7.1 | Ensure Virtual Machines are utilizing Managed Disks | Review label activity and analytics | 1.1.0 |
| 7 Virtual Machines | 7.2 | Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK) | Establish a data leakage management procedure | 1.1.0 |
| 7 Virtual Machines | 7.2 | Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK) | Implement controls to secure all media | 1.1.0 |
| 7 Virtual Machines | 7.2 | Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK) | Protect data in transit using encryption | 1.1.0 |
| 7 Virtual Machines | 7.2 | Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK) | Protect special information | 1.1.0 |
| 7 Virtual Machines | 7.3 | Ensure that 'Unattached disks' are encrypted with CMK | Establish a data leakage management procedure | 1.1.0 |
| 7 Virtual Machines | 7.3 | Ensure that 'Unattached disks' are encrypted with CMK | Implement controls to secure all media | 1.1.0 |
| 7 Virtual Machines | 7.3 | Ensure that 'Unattached disks' are encrypted with CMK | Protect data in transit using encryption | 1.1.0 |
| 7 Virtual Machines | 7.3 | Ensure that 'Unattached disks' are encrypted with CMK | Protect special information | 1.1.0 |
| 7 Virtual Machines | 7.5 | Ensure that the latest OS Patches for all Virtual Machines are applied | Remediate information system flaws | 1.1.0 |
| 7 Virtual Machines | 7.6 | Ensure that the endpoint protection for all Virtual Machines is installed | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| 7 Virtual Machines | 7.6 | Ensure that the endpoint protection for all Virtual Machines is installed | Document security operations | 1.1.0 |
| 7 Virtual Machines | 7.6 | Ensure that the endpoint protection for all Virtual Machines is installed | Manage gateways | 1.1.0 |
| 7 Virtual Machines | 7.6 | Ensure that the endpoint protection for all Virtual Machines is installed | Perform a trend analysis on threats | 1.1.0 |
| 7 Virtual Machines | 7.6 | Ensure that the endpoint protection for all Virtual Machines is installed | Perform vulnerability scans | 1.1.0 |
| 7 Virtual Machines | 7.6 | Ensure that the endpoint protection for all Virtual Machines is installed | Review malware detections report weekly | 1.1.0 |
| 7 Virtual Machines | 7.6 | Ensure that the endpoint protection for all Virtual Machines is installed | Review threat protection status weekly | 1.1.0 |
| 7 Virtual Machines | 7.6 | Ensure that the endpoint protection for all Virtual Machines is installed | Turn on sensors for endpoint security solution | 1.1.0 |
| 7 Virtual Machines | 7.6 | Ensure that the endpoint protection for all Virtual Machines is installed | Update antivirus definitions | 1.1.0 |
| 7 Virtual Machines | 7.6 | Ensure that the endpoint protection for all Virtual Machines is installed | Verify software, firmware and information integrity | 1.1.0 |
| 7 Virtual Machines | 7.7 | Ensure that VHD's are Encrypted | Establish a data leakage management procedure | 1.1.0 |
| 7 Virtual Machines | 7.7 | Ensure that VHD's are Encrypted | Implement controls to secure all media | 1.1.0 |
| 7 Virtual Machines | 7.7 | Ensure that VHD's are Encrypted | Protect data in transit using encryption | 1.1.0 |
| 7 Virtual Machines | 7.7 | Ensure that VHD's are Encrypted | Protect special information | 1.1.0 |
| 8 Other Security Considerations | 8.1 | Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults | Define a physical key management process | 1.1.0 |
| 8 Other Security Considerations | 8.1 | Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults | Define cryptographic use | 1.1.0 |
| 8 Other Security Considerations | 8.1 | Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults | Define organizational requirements for cryptographic key management | 1.1.0 |
| 8 Other Security Considerations | 8.1 | Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults | Determine assertion requirements | 1.1.0 |
| 8 Other Security Considerations | 8.1 | Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults | Issue public key certificates | 1.1.0 |
| 8 Other Security Considerations | 8.1 | Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults | Manage symmetric cryptographic keys | 1.1.0 |
| 8 Other Security Considerations | 8.1 | Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults | Restrict access to private keys | 1.1.0 |
| 8 Other Security Considerations | 8.2 | Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults. | Define a physical key management process | 1.1.0 |
| 8 Other Security Considerations | 8.2 | Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults. | Define cryptographic use | 1.1.0 |
| 8 Other Security Considerations | 8.2 | Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults. | Define organizational requirements for cryptographic key management | 1.1.0 |
| 8 Other Security Considerations | 8.2 | Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults. | Determine assertion requirements | 1.1.0 |
| 8 Other Security Considerations | 8.2 | Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults. | Issue public key certificates | 1.1.0 |
| 8 Other Security Considerations | 8.2 | Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults. | Manage symmetric cryptographic keys | 1.1.0 |
| 8 Other Security Considerations | 8.2 | Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults. | Restrict access to private keys | 1.1.0 |
| 8 Other Security Considerations | 8.3 | Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults | Define a physical key management process | 1.1.0 |
| 8 Other Security Considerations | 8.3 | Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults | Define cryptographic use | 1.1.0 |
| 8 Other Security Considerations | 8.3 | Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults | Define organizational requirements for cryptographic key management | 1.1.0 |
| 8 Other Security Considerations | 8.3 | Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults | Determine assertion requirements | 1.1.0 |
| 8 Other Security Considerations | 8.3 | Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults | Issue public key certificates | 1.1.0 |
| 8 Other Security Considerations | 8.3 | Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults | Manage symmetric cryptographic keys | 1.1.0 |
| 8 Other Security Considerations | 8.3 | Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults | Restrict access to private keys | 1.1.0 |
| 8 Other Security Considerations | 8.4 | Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults | Define a physical key management process | 1.1.0 |
| 8 Other Security Considerations | 8.4 | Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults | Define cryptographic use | 1.1.0 |
| 8 Other Security Considerations | 8.4 | Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults | Define organizational requirements for cryptographic key management | 1.1.0 |
| 8 Other Security Considerations | 8.4 | Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults | Determine assertion requirements | 1.1.0 |
| 8 Other Security Considerations | 8.4 | Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults | Issue public key certificates | 1.1.0 |
| 8 Other Security Considerations | 8.4 | Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults | Manage symmetric cryptographic keys | 1.1.0 |
| 8 Other Security Considerations | 8.4 | Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults | Restrict access to private keys | 1.1.0 |
| 8 Other Security Considerations | 8.5 | Ensure that Resource Locks are set for Mission Critical Azure Resources | Establish and document change control processes | 1.1.0 |
| 8 Other Security Considerations | 8.6 | Ensure the key vault is recoverable | Maintain availability of information | 1.1.0 |
| 8 Other Security Considerations | 8.7 | Enable role-based access control (RBAC) within Azure Kubernetes Services | Authorize access to security functions and information | 1.1.0 |
| 8 Other Security Considerations | 8.7 | Enable role-based access control (RBAC) within Azure Kubernetes Services | Authorize and manage access | 1.1.0 |
| 8 Other Security Considerations | 8.7 | Enable role-based access control (RBAC) within Azure Kubernetes Services | Enforce logical access | 1.1.0 |
| 8 Other Security Considerations | 8.7 | Enable role-based access control (RBAC) within Azure Kubernetes Services | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 8 Other Security Considerations | 8.7 | Enable role-based access control (RBAC) within Azure Kubernetes Services | Require approval for account creation | 1.1.0 |
| 8 Other Security Considerations | 8.7 | Enable role-based access control (RBAC) within Azure Kubernetes Services | Review user groups and applications with access to sensitive data | 1.1.0 |
| 9 AppService | 9.1 | Ensure App Service Authentication is set up for apps in Azure App Service | Authenticate to cryptographic module | 1.1.0 |
| 9 AppService | 9.1 | Ensure App Service Authentication is set up for apps in Azure App Service | Enforce user uniqueness | 1.1.0 |
| 9 AppService | 9.1 | Ensure App Service Authentication is set up for apps in Azure App Service | Support personal verification credentials issued by legal authorities | 1.1.0 |
| 9 AppService | 9.10 | Ensure FTP deployments are Disabled | Configure workstations to check for digital certificates | 1.1.0 |
| 9 AppService | 9.10 | Ensure FTP deployments are Disabled | Protect data in transit using encryption | 1.1.0 |
| 9 AppService | 9.10 | Ensure FTP deployments are Disabled | Protect passwords with encryption | 1.1.0 |
| 9 AppService | 9.11 | Ensure Azure Keyvaults are Used to Store Secrets | Define a physical key management process | 1.1.0 |
| 9 AppService | 9.11 | Ensure Azure Keyvaults are Used to Store Secrets | Define cryptographic use | 1.1.0 |
| 9 AppService | 9.11 | Ensure Azure Keyvaults are Used to Store Secrets | Define organizational requirements for cryptographic key management | 1.1.0 |
| 9 AppService | 9.11 | Ensure Azure Keyvaults are Used to Store Secrets | Determine assertion requirements | 1.1.0 |
| 9 AppService | 9.11 | Ensure Azure Keyvaults are Used to Store Secrets | Ensure cryptographic mechanisms are under configuration management | 1.1.0 |
| 9 AppService | 9.11 | Ensure Azure Keyvaults are Used to Store Secrets | Issue public key certificates | 1.1.0 |
| 9 AppService | 9.11 | Ensure Azure Keyvaults are Used to Store Secrets | Maintain availability of information | 1.1.0 |
| 9 AppService | 9.11 | Ensure Azure Keyvaults are Used to Store Secrets | Manage symmetric cryptographic keys | 1.1.0 |
| 9 AppService | 9.11 | Ensure Azure Keyvaults are Used to Store Secrets | Restrict access to private keys | 1.1.0 |
| 9 AppService | 9.2 | Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service | Configure workstations to check for digital certificates | 1.1.0 |
| 9 AppService | 9.2 | Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service | Protect data in transit using encryption | 1.1.0 |
| 9 AppService | 9.2 | Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service | Protect passwords with encryption | 1.1.0 |
| 9 AppService | 9.3 | Ensure Web App is using the latest version of TLS encryption | Configure workstations to check for digital certificates | 1.1.0 |
| 9 AppService | 9.3 | Ensure Web App is using the latest version of TLS encryption | Protect data in transit using encryption | 1.1.0 |
| 9 AppService | 9.3 | Ensure Web App is using the latest version of TLS encryption | Protect passwords with encryption | 1.1.0 |
| 9 AppService | 9.4 | Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' | Authenticate to cryptographic module | 1.1.0 |
| 9 AppService | 9.5 | Ensure that Register with Azure Active Directory is enabled on App Service | Automate account management | 1.1.0 |
| 9 AppService | 9.5 | Ensure that Register with Azure Active Directory is enabled on App Service | Manage system and admin accounts | 1.1.0 |
| 9 AppService | 9.5 | Ensure that Register with Azure Active Directory is enabled on App Service | Monitor access across the organization | 1.1.0 |
| 9 AppService | 9.5 | Ensure that Register with Azure Active Directory is enabled on App Service | Notify when account is not needed | 1.1.0 |
| 9 AppService | 9.6 | Ensure That 'PHP version' is the Latest, If Used to Run the Web App | Remediate information system flaws | 1.1.0 |
| 9 AppService | 9.7 | Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App | Remediate information system flaws | 1.1.0 |
| 9 AppService | 9.8 | Ensure that 'Java version' is the latest, if used to run the Web App | Remediate information system flaws | 1.1.0 |
| 9 AppService | 9.9 | Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App | Remediate information system flaws | 1.1.0 |
CIS Microsoft Azure Foundations Benchmark 2.0.0
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for CIS v2.0.0. For more information about this compliance standard, see CIS Microsoft Azure Foundations Benchmark.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| 1.1 | 1.1.1 | Ensure Security Defaults is enabled on Azure Active Directory | Adopt biometric authentication mechanisms | 1.1.0 |
| 1.1 | 1.1.1 | Ensure Security Defaults is enabled on Azure Active Directory | Authenticate to cryptographic module | 1.1.0 |
| 1.1 | 1.1.1 | Ensure Security Defaults is enabled on Azure Active Directory | Authorize remote access | 1.1.0 |
| 1.1 | 1.1.1 | Ensure Security Defaults is enabled on Azure Active Directory | Document mobility training | 1.1.0 |
| 1.1 | 1.1.1 | Ensure Security Defaults is enabled on Azure Active Directory | Document remote access guidelines | 1.1.0 |
| 1.1 | 1.1.1 | Ensure Security Defaults is enabled on Azure Active Directory | Identify and authenticate network devices | 1.1.0 |
| 1.1 | 1.1.1 | Ensure Security Defaults is enabled on Azure Active Directory | Implement controls to secure alternate work sites | 1.1.0 |
| 1.1 | 1.1.1 | Ensure Security Defaults is enabled on Azure Active Directory | Provide privacy training | 1.1.0 |
| 1.1 | 1.1.1 | Ensure Security Defaults is enabled on Azure Active Directory | Satisfy token quality requirements | 1.1.0 |
| 1.1 | 1.1.2 | Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users | Accounts with owner permissions on Azure resources should be MFA enabled | 1.0.0 |
| 1.1 | 1.1.2 | Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users | Accounts with write permissions on Azure resources should be MFA enabled | 1.0.0 |
| 1.1 | 1.1.2 | Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users | Adopt biometric authentication mechanisms | 1.1.0 |
| 1.1 | 1.1.3 | Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users | Accounts with read permissions on Azure resources should be MFA enabled | 1.0.0 |
| 1.1 | 1.1.3 | Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users | Adopt biometric authentication mechanisms | 1.1.0 |
| 1.1 | 1.1.4 | Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled | Adopt biometric authentication mechanisms | 1.1.0 |
| 1.1 | 1.1.4 | Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled | Identify and authenticate network devices | 1.1.0 |
| 1.1 | 1.1.4 | Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled | Satisfy token quality requirements | 1.1.0 |
| 1 | 1.10 | Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' | Audit privileged functions | 1.1.0 |
| 1 | 1.10 | Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' | Automate account management | 1.1.0 |
| 1 | 1.10 | Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' | Implement training for protecting authenticators | 1.1.0 |
| 1 | 1.10 | Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' | Manage system and admin accounts | 1.1.0 |
| 1 | 1.10 | Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' | Monitor access across the organization | 1.1.0 |
| 1 | 1.10 | Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' | Monitor privileged role assignment | 1.1.0 |
| 1 | 1.10 | Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' | Notify when account is not needed | 1.1.0 |
| 1 | 1.10 | Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' | Restrict access to privileged accounts | 1.1.0 |
| 1 | 1.10 | Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' | Revoke privileged roles as appropriate | 1.1.0 |
| 1 | 1.10 | Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' | Use privileged identity management | 1.1.0 |
| 1 | 1.11 | Ensure User consent for applications is set to Do not allow user consent |
Authorize access to security functions and information | 1.1.0 |
| 1 | 1.11 | Ensure User consent for applications is set to Do not allow user consent |
Authorize and manage access | 1.1.0 |
| 1 | 1.11 | Ensure User consent for applications is set to Do not allow user consent |
Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 | 1.13 | Ensure that 'Users can add gallery apps to My Apps' is set to 'No' | Authorize access to security functions and information | 1.1.0 |
| 1 | 1.13 | Ensure that 'Users can add gallery apps to My Apps' is set to 'No' | Authorize and manage access | 1.1.0 |
| 1 | 1.13 | Ensure that 'Users can add gallery apps to My Apps' is set to 'No' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 | 1.14 | Ensure That 'Users Can Register Applications' Is Set to 'No' | Authorize access to security functions and information | 1.1.0 |
| 1 | 1.14 | Ensure That 'Users Can Register Applications' Is Set to 'No' | Authorize and manage access | 1.1.0 |
| 1 | 1.14 | Ensure That 'Users Can Register Applications' Is Set to 'No' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 | 1.15 | Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' | Authorize access to security functions and information | 1.1.0 |
| 1 | 1.15 | Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' | Authorize and manage access | 1.1.0 |
| 1 | 1.15 | Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' | Design an access control model | 1.1.0 |
| 1 | 1.15 | Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' | Employ least privilege access | 1.1.0 |
| 1 | 1.15 | Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' | Enforce logical access | 1.1.0 |
| 1 | 1.15 | Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 | 1.15 | Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' | Require approval for account creation | 1.1.0 |
| 1 | 1.15 | Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' | Review user groups and applications with access to sensitive data | 1.1.0 |
| 1 | 1.16 | Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users" | Authorize access to security functions and information | 1.1.0 |
| 1 | 1.16 | Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users" | Authorize and manage access | 1.1.0 |
| 1 | 1.16 | Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users" | Design an access control model | 1.1.0 |
| 1 | 1.16 | Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users" | Employ least privilege access | 1.1.0 |
| 1 | 1.16 | Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users" | Enforce logical access | 1.1.0 |
| 1 | 1.16 | Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users" | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 | 1.16 | Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users" | Require approval for account creation | 1.1.0 |
| 1 | 1.16 | Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users" | Review user groups and applications with access to sensitive data | 1.1.0 |
| 1 | 1.17 | Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes' | Authorize access to security functions and information | 1.1.0 |
| 1 | 1.17 | Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes' | Authorize and manage access | 1.1.0 |
| 1 | 1.17 | Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes' | Enforce logical access | 1.1.0 |
| 1 | 1.17 | Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 | 1.17 | Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes' | Require approval for account creation | 1.1.0 |
| 1 | 1.17 | Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes' | Review user groups and applications with access to sensitive data | 1.1.0 |
| 1 | 1.18 | Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes' | Authorize access to security functions and information | 1.1.0 |
| 1 | 1.18 | Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes' | Authorize and manage access | 1.1.0 |
| 1 | 1.18 | Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 | 1.18 | Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes' | Establish and document change control processes | 1.1.0 |
| 1 | 1.19 | Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No' | Authorize access to security functions and information | 1.1.0 |
| 1 | 1.19 | Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No' | Authorize and manage access | 1.1.0 |
| 1 | 1.19 | Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 | 1.19 | Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No' | Establish and document change control processes | 1.1.0 |
| 1 | 1.20 | Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' | Authorize access to security functions and information | 1.1.0 |
| 1 | 1.20 | Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' | Authorize and manage access | 1.1.0 |
| 1 | 1.20 | Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 | 1.20 | Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' | Establish and document change control processes | 1.1.0 |
| 1 | 1.21 | Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' | Authorize access to security functions and information | 1.1.0 |
| 1 | 1.21 | Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' | Authorize and manage access | 1.1.0 |
| 1 | 1.21 | Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 | 1.21 | Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' | Establish and document change control processes | 1.1.0 |
| 1 | 1.22 | Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes' | Adopt biometric authentication mechanisms | 1.1.0 |
| 1 | 1.22 | Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes' | Authorize remote access | 1.1.0 |
| 1 | 1.22 | Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes' | Document mobility training | 1.1.0 |
| 1 | 1.22 | Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes' | Document remote access guidelines | 1.1.0 |
| 1 | 1.22 | Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes' | Identify and authenticate network devices | 1.1.0 |
| 1 | 1.22 | Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes' | Implement controls to secure alternate work sites | 1.1.0 |
| 1 | 1.22 | Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes' | Provide privacy training | 1.1.0 |
| 1 | 1.22 | Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes' | Satisfy token quality requirements | 1.1.0 |
| 1 | 1.23 | Ensure That No Custom Subscription Administrator Roles Exist | Authorize access to security functions and information | 1.1.0 |
| 1 | 1.23 | Ensure That No Custom Subscription Administrator Roles Exist | Authorize and manage access | 1.1.0 |
| 1 | 1.23 | Ensure That No Custom Subscription Administrator Roles Exist | Design an access control model | 1.1.0 |
| 1 | 1.23 | Ensure That No Custom Subscription Administrator Roles Exist | Employ least privilege access | 1.1.0 |
| 1 | 1.23 | Ensure That No Custom Subscription Administrator Roles Exist | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 | 1.23 | Ensure That No Custom Subscription Administrator Roles Exist | Establish and document change control processes | 1.1.0 |
| 1 | 1.24 | Ensure a Custom Role is Assigned Permissions for Administering Resource Locks | Authorize access to security functions and information | 1.1.0 |
| 1 | 1.24 | Ensure a Custom Role is Assigned Permissions for Administering Resource Locks | Authorize and manage access | 1.1.0 |
| 1 | 1.24 | Ensure a Custom Role is Assigned Permissions for Administering Resource Locks | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 1 | 1.24 | Ensure a Custom Role is Assigned Permissions for Administering Resource Locks | Establish and document change control processes | 1.1.0 |
| 1 | 1.5 | Ensure Guest Users Are Reviewed on a Regular Basis | Audit user account status | 1.1.0 |
| 1 | 1.5 | Ensure Guest Users Are Reviewed on a Regular Basis | Guest accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| 1 | 1.5 | Ensure Guest Users Are Reviewed on a Regular Basis | Guest accounts with read permissions on Azure resources should be removed | 1.0.0 |
| 1 | 1.5 | Ensure Guest Users Are Reviewed on a Regular Basis | Guest accounts with write permissions on Azure resources should be removed | 1.0.0 |
| 1 | 1.5 | Ensure Guest Users Are Reviewed on a Regular Basis | Reassign or remove user privileges as needed | 1.1.0 |
| 1 | 1.5 | Ensure Guest Users Are Reviewed on a Regular Basis | Review account provisioning logs | 1.1.0 |
| 1 | 1.5 | Ensure Guest Users Are Reviewed on a Regular Basis | Review user accounts | 1.1.0 |
| 1 | 1.5 | Ensure Guest Users Are Reviewed on a Regular Basis | Review user privileges | 1.1.0 |
| 1 | 1.8 | Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' | Automate account management | 1.1.0 |
| 1 | 1.8 | Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' | Manage system and admin accounts | 1.1.0 |
| 1 | 1.8 | Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' | Monitor access across the organization | 1.1.0 |
| 1 | 1.8 | Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' | Notify when account is not needed | 1.1.0 |
| 1 | 1.9 | Ensure that 'Notify users on password resets?' is set to 'Yes' | Automate account management | 1.1.0 |
| 1 | 1.9 | Ensure that 'Notify users on password resets?' is set to 'Yes' | Implement training for protecting authenticators | 1.1.0 |
| 1 | 1.9 | Ensure that 'Notify users on password resets?' is set to 'Yes' | Manage system and admin accounts | 1.1.0 |
| 1 | 1.9 | Ensure that 'Notify users on password resets?' is set to 'Yes' | Monitor access across the organization | 1.1.0 |
| 1 | 1.9 | Ensure that 'Notify users on password resets?' is set to 'Yes' | Notify when account is not needed | 1.1.0 |
| 10 | 10.1 | Ensure that Resource Locks are set for Mission-Critical Azure Resources | Establish and document change control processes | 1.1.0 |
| 2.1 | 2.1.1 | Ensure That Microsoft Defender for Servers Is Set to 'On' | Azure Defender for servers should be enabled | 1.0.3 |
| 2.1 | 2.1.1 | Ensure That Microsoft Defender for Servers Is Set to 'On' | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| 2.1 | 2.1.1 | Ensure That Microsoft Defender for Servers Is Set to 'On' | Detect network services that have not been authorized or approved | 1.1.0 |
| 2.1 | 2.1.1 | Ensure That Microsoft Defender for Servers Is Set to 'On' | Manage gateways | 1.1.0 |
| 2.1 | 2.1.1 | Ensure That Microsoft Defender for Servers Is Set to 'On' | Perform a trend analysis on threats | 1.1.0 |
| 2.1 | 2.1.1 | Ensure That Microsoft Defender for Servers Is Set to 'On' | Perform vulnerability scans | 1.1.0 |
| 2.1 | 2.1.1 | Ensure That Microsoft Defender for Servers Is Set to 'On' | Review malware detections report weekly | 1.1.0 |
| 2.1 | 2.1.1 | Ensure That Microsoft Defender for Servers Is Set to 'On' | Review threat protection status weekly | 1.1.0 |
| 2.1 | 2.1.1 | Ensure That Microsoft Defender for Servers Is Set to 'On' | Update antivirus definitions | 1.1.0 |
| 2.1 | 2.1.10 | Ensure That Microsoft Defender for Key Vault Is Set To 'On' | Azure Defender for Key Vault should be enabled | 1.0.3 |
| 2.1 | 2.1.10 | Ensure That Microsoft Defender for Key Vault Is Set To 'On' | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| 2.1 | 2.1.10 | Ensure That Microsoft Defender for Key Vault Is Set To 'On' | Detect network services that have not been authorized or approved | 1.1.0 |
| 2.1 | 2.1.10 | Ensure That Microsoft Defender for Key Vault Is Set To 'On' | Manage gateways | 1.1.0 |
| 2.1 | 2.1.10 | Ensure That Microsoft Defender for Key Vault Is Set To 'On' | Perform a trend analysis on threats | 1.1.0 |
| 2.1 | 2.1.10 | Ensure That Microsoft Defender for Key Vault Is Set To 'On' | Perform vulnerability scans | 1.1.0 |
| 2.1 | 2.1.10 | Ensure That Microsoft Defender for Key Vault Is Set To 'On' | Review malware detections report weekly | 1.1.0 |
| 2.1 | 2.1.10 | Ensure That Microsoft Defender for Key Vault Is Set To 'On' | Review threat protection status weekly | 1.1.0 |
| 2.1 | 2.1.10 | Ensure That Microsoft Defender for Key Vault Is Set To 'On' | Update antivirus definitions | 1.1.0 |
| 2.1 | 2.1.11 | Ensure That Microsoft Defender for DNS Is Set To 'On' | [Deprecated]: Azure Defender for DNS should be enabled | 1.1.0-deprecated |
| 2.1 | 2.1.12 | Ensure That Microsoft Defender for Resource Manager Is Set To 'On' | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| 2.1 | 2.1.14 | Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled' | Configure actions for noncompliant devices | 1.1.0 |
| 2.1 | 2.1.14 | Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled' | Develop and maintain baseline configurations | 1.1.0 |
| 2.1 | 2.1.14 | Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled' | Enforce security configuration settings | 1.1.0 |
| 2.1 | 2.1.14 | Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled' | Establish a configuration control board | 1.1.0 |
| 2.1 | 2.1.14 | Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled' | Establish and document a configuration management plan | 1.1.0 |
| 2.1 | 2.1.14 | Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled' | Implement an automated configuration management tool | 1.1.0 |
| 2.1 | 2.1.15 | Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On' | Auto provisioning of the Log Analytics agent should be enabled on your subscription | 1.0.1 |
| 2.1 | 2.1.15 | Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On' | Document security operations | 1.1.0 |
| 2.1 | 2.1.15 | Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On' | Turn on sensors for endpoint security solution | 1.1.0 |
| 2.1 | 2.1.17 | Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On' | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| 2.1 | 2.1.17 | Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On' | Detect network services that have not been authorized or approved | 1.1.0 |
| 2.1 | 2.1.17 | Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On' | Manage gateways | 1.1.0 |
| 2.1 | 2.1.17 | Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On' | Microsoft Defender for Containers should be enabled | 1.0.0 |
| 2.1 | 2.1.17 | Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On' | Perform a trend analysis on threats | 1.1.0 |
| 2.1 | 2.1.17 | Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On' | Perform vulnerability scans | 1.1.0 |
| 2.1 | 2.1.17 | Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On' | Review malware detections report weekly | 1.1.0 |
| 2.1 | 2.1.17 | Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On' | Review threat protection status weekly | 1.1.0 |
| 2.1 | 2.1.17 | Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On' | Update antivirus definitions | 1.1.0 |
| 2.1 | 2.1.19 | Ensure 'Additional email addresses' is Configured with a Security Contact Email | Subscriptions should have a contact email address for security issues | 1.0.1 |
| 2.1 | 2.1.2 | Ensure That Microsoft Defender for App Services Is Set To 'On' | Azure Defender for App Service should be enabled | 1.0.3 |
| 2.1 | 2.1.2 | Ensure That Microsoft Defender for App Services Is Set To 'On' | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| 2.1 | 2.1.2 | Ensure That Microsoft Defender for App Services Is Set To 'On' | Detect network services that have not been authorized or approved | 1.1.0 |
| 2.1 | 2.1.2 | Ensure That Microsoft Defender for App Services Is Set To 'On' | Manage gateways | 1.1.0 |
| 2.1 | 2.1.2 | Ensure That Microsoft Defender for App Services Is Set To 'On' | Perform a trend analysis on threats | 1.1.0 |
| 2.1 | 2.1.2 | Ensure That Microsoft Defender for App Services Is Set To 'On' | Perform vulnerability scans | 1.1.0 |
| 2.1 | 2.1.2 | Ensure That Microsoft Defender for App Services Is Set To 'On' | Review malware detections report weekly | 1.1.0 |
| 2.1 | 2.1.2 | Ensure That Microsoft Defender for App Services Is Set To 'On' | Review threat protection status weekly | 1.1.0 |
| 2.1 | 2.1.2 | Ensure That Microsoft Defender for App Services Is Set To 'On' | Update antivirus definitions | 1.1.0 |
| 2.1 | 2.1.20 | Ensure That 'Notify about alerts with the following severity' is Set to 'High' | Email notification for high severity alerts should be enabled | 1.1.0 |
| 2.1 | 2.1.21 | Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| 2.1 | 2.1.21 | Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected | Detect network services that have not been authorized or approved | 1.1.0 |
| 2.1 | 2.1.21 | Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected | Manage gateways | 1.1.0 |
| 2.1 | 2.1.21 | Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected | Perform a trend analysis on threats | 1.1.0 |
| 2.1 | 2.1.21 | Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected | Perform vulnerability scans | 1.1.0 |
| 2.1 | 2.1.21 | Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected | Review malware detections report weekly | 1.1.0 |
| 2.1 | 2.1.21 | Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected | Review threat protection status weekly | 1.1.0 |
| 2.1 | 2.1.21 | Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected | Update antivirus definitions | 1.1.0 |
| 2.1 | 2.1.22 | Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| 2.1 | 2.1.22 | Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected | Detect network services that have not been authorized or approved | 1.1.0 |
| 2.1 | 2.1.22 | Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected | Manage gateways | 1.1.0 |
| 2.1 | 2.1.22 | Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected | Perform a trend analysis on threats | 1.1.0 |
| 2.1 | 2.1.22 | Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected | Perform vulnerability scans | 1.1.0 |
| 2.1 | 2.1.22 | Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected | Review malware detections report weekly | 1.1.0 |
| 2.1 | 2.1.22 | Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected | Review threat protection status weekly | 1.1.0 |
| 2.1 | 2.1.22 | Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected | Update antivirus definitions | 1.1.0 |
| 2.1 | 2.1.3 | Ensure That Microsoft Defender for Databases Is Set To 'On' | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| 2.1 | 2.1.3 | Ensure That Microsoft Defender for Databases Is Set To 'On' | Azure Defender for open-source relational databases should be enabled | 1.0.0 |
| 2.1 | 2.1.3 | Ensure That Microsoft Defender for Databases Is Set To 'On' | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| 2.1 | 2.1.3 | Ensure That Microsoft Defender for Databases Is Set To 'On' | Microsoft Defender for Azure Cosmos DB should be enabled | 1.0.0 |
| 2.1 | 2.1.4 | Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On' | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| 2.1 | 2.1.4 | Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On' | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| 2.1 | 2.1.4 | Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On' | Detect network services that have not been authorized or approved | 1.1.0 |
| 2.1 | 2.1.4 | Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On' | Manage gateways | 1.1.0 |
| 2.1 | 2.1.4 | Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On' | Perform a trend analysis on threats | 1.1.0 |
| 2.1 | 2.1.4 | Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On' | Perform vulnerability scans | 1.1.0 |
| 2.1 | 2.1.4 | Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On' | Review malware detections report weekly | 1.1.0 |
| 2.1 | 2.1.4 | Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On' | Review threat protection status weekly | 1.1.0 |
| 2.1 | 2.1.4 | Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On' | Update antivirus definitions | 1.1.0 |
| 2.1 | 2.1.5 | Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On' | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| 2.1 | 2.1.5 | Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On' | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| 2.1 | 2.1.5 | Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On' | Detect network services that have not been authorized or approved | 1.1.0 |
| 2.1 | 2.1.5 | Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On' | Manage gateways | 1.1.0 |
| 2.1 | 2.1.5 | Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On' | Perform a trend analysis on threats | 1.1.0 |
| 2.1 | 2.1.5 | Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On' | Perform vulnerability scans | 1.1.0 |
| 2.1 | 2.1.5 | Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On' | Review malware detections report weekly | 1.1.0 |
| 2.1 | 2.1.5 | Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On' | Review threat protection status weekly | 1.1.0 |
| 2.1 | 2.1.5 | Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On' | Update antivirus definitions | 1.1.0 |
| 2.1 | 2.1.6 | Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On' | Azure Defender for open-source relational databases should be enabled | 1.0.0 |
| 2.1 | 2.1.7 | Ensure That Microsoft Defender for Storage Is Set To 'On' | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| 2.1 | 2.1.7 | Ensure That Microsoft Defender for Storage Is Set To 'On' | Detect network services that have not been authorized or approved | 1.1.0 |
| 2.1 | 2.1.7 | Ensure That Microsoft Defender for Storage Is Set To 'On' | Manage gateways | 1.1.0 |
| 2.1 | 2.1.7 | Ensure That Microsoft Defender for Storage Is Set To 'On' | Microsoft Defender for Storage should be enabled | 1.0.0 |
| 2.1 | 2.1.7 | Ensure That Microsoft Defender for Storage Is Set To 'On' | Perform a trend analysis on threats | 1.1.0 |
| 2.1 | 2.1.7 | Ensure That Microsoft Defender for Storage Is Set To 'On' | Perform vulnerability scans | 1.1.0 |
| 2.1 | 2.1.7 | Ensure That Microsoft Defender for Storage Is Set To 'On' | Review malware detections report weekly | 1.1.0 |
| 2.1 | 2.1.7 | Ensure That Microsoft Defender for Storage Is Set To 'On' | Review threat protection status weekly | 1.1.0 |
| 2.1 | 2.1.7 | Ensure That Microsoft Defender for Storage Is Set To 'On' | Update antivirus definitions | 1.1.0 |
| 2.1 | 2.1.8 | Ensure That Microsoft Defender for Containers Is Set To 'On' | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| 2.1 | 2.1.8 | Ensure That Microsoft Defender for Containers Is Set To 'On' | Detect network services that have not been authorized or approved | 1.1.0 |
| 2.1 | 2.1.8 | Ensure That Microsoft Defender for Containers Is Set To 'On' | Manage gateways | 1.1.0 |
| 2.1 | 2.1.8 | Ensure That Microsoft Defender for Containers Is Set To 'On' | Microsoft Defender for Containers should be enabled | 1.0.0 |
| 2.1 | 2.1.8 | Ensure That Microsoft Defender for Containers Is Set To 'On' | Perform a trend analysis on threats | 1.1.0 |
| 2.1 | 2.1.8 | Ensure That Microsoft Defender for Containers Is Set To 'On' | Perform vulnerability scans | 1.1.0 |
| 2.1 | 2.1.8 | Ensure That Microsoft Defender for Containers Is Set To 'On' | Review malware detections report weekly | 1.1.0 |
| 2.1 | 2.1.8 | Ensure That Microsoft Defender for Containers Is Set To 'On' | Review threat protection status weekly | 1.1.0 |
| 2.1 | 2.1.8 | Ensure That Microsoft Defender for Containers Is Set To 'On' | Update antivirus definitions | 1.1.0 |
| 2.1 | 2.1.9 | Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On' | Microsoft Defender for Azure Cosmos DB should be enabled | 1.0.0 |
| 3 | 3.1 | Ensure that 'Secure transfer required' is set to 'Enabled' | Configure workstations to check for digital certificates | 1.1.0 |
| 3 | 3.1 | Ensure that 'Secure transfer required' is set to 'Enabled' | Protect data in transit using encryption | 1.1.0 |
| 3 | 3.1 | Ensure that 'Secure transfer required' is set to 'Enabled' | Protect passwords with encryption | 1.1.0 |
| 3 | 3.12 | Ensure Storage for Critical Data are Encrypted with Customer Managed Keys | Establish a data leakage management procedure | 1.1.0 |
| 3 | 3.12 | Ensure Storage for Critical Data are Encrypted with Customer Managed Keys | Implement controls to secure all media | 1.1.0 |
| 3 | 3.12 | Ensure Storage for Critical Data are Encrypted with Customer Managed Keys | Protect data in transit using encryption | 1.1.0 |
| 3 | 3.12 | Ensure Storage for Critical Data are Encrypted with Customer Managed Keys | Protect special information | 1.1.0 |
| 3 | 3.13 | Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests | Audit privileged functions | 1.1.0 |
| 3 | 3.13 | Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests | Audit user account status | 1.1.0 |
| 3 | 3.13 | Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests | Configure Azure Audit capabilities | 1.1.1 |
| 3 | 3.13 | Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests | Determine auditable events | 1.1.0 |
| 3 | 3.13 | Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests | Review audit data | 1.1.0 |
| 3 | 3.14 | Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests | Audit privileged functions | 1.1.0 |
| 3 | 3.14 | Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests | Audit user account status | 1.1.0 |
| 3 | 3.14 | Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests | Configure Azure Audit capabilities | 1.1.1 |
| 3 | 3.14 | Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests | Determine auditable events | 1.1.0 |
| 3 | 3.14 | Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests | Review audit data | 1.1.0 |
| 3 | 3.15 | Ensure the "Minimum TLS version" for storage accounts is set to "Version 1.2" | Configure workstations to check for digital certificates | 1.1.0 |
| 3 | 3.15 | Ensure the "Minimum TLS version" for storage accounts is set to "Version 1.2" | Protect data in transit using encryption | 1.1.0 |
| 3 | 3.15 | Ensure the "Minimum TLS version" for storage accounts is set to "Version 1.2" | Protect passwords with encryption | 1.1.0 |
| 3 | 3.4 | Ensure that Storage Account Access Keys are Periodically Regenerated | Define a physical key management process | 1.1.0 |
| 3 | 3.4 | Ensure that Storage Account Access Keys are Periodically Regenerated | Define cryptographic use | 1.1.0 |
| 3 | 3.4 | Ensure that Storage Account Access Keys are Periodically Regenerated | Define organizational requirements for cryptographic key management | 1.1.0 |
| 3 | 3.4 | Ensure that Storage Account Access Keys are Periodically Regenerated | Determine assertion requirements | 1.1.0 |
| 3 | 3.4 | Ensure that Storage Account Access Keys are Periodically Regenerated | Issue public key certificates | 1.1.0 |
| 3 | 3.4 | Ensure that Storage Account Access Keys are Periodically Regenerated | Manage symmetric cryptographic keys | 1.1.0 |
| 3 | 3.4 | Ensure that Storage Account Access Keys are Periodically Regenerated | Restrict access to private keys | 1.1.0 |
| 3 | 3.5 | Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests | Audit privileged functions | 1.1.0 |
| 3 | 3.5 | Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests | Audit user account status | 1.1.0 |
| 3 | 3.5 | Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests | Configure Azure Audit capabilities | 1.1.1 |
| 3 | 3.5 | Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests | Determine auditable events | 1.1.0 |
| 3 | 3.5 | Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests | Review audit data | 1.1.0 |
| 3 | 3.6 | Ensure that Shared Access Signature Tokens Expire Within an Hour | Disable authenticators upon termination | 1.1.0 |
| 3 | 3.6 | Ensure that Shared Access Signature Tokens Expire Within an Hour | Revoke privileged roles as appropriate | 1.1.0 |
| 3 | 3.6 | Ensure that Shared Access Signature Tokens Expire Within an Hour | Terminate user session automatically | 1.1.0 |
| 3 | 3.7 | Ensure that 'Public access level' is disabled for storage accounts with blob containers | Authorize access to security functions and information | 1.1.0 |
| 3 | 3.7 | Ensure that 'Public access level' is disabled for storage accounts with blob containers | Authorize and manage access | 1.1.0 |
| 3 | 3.7 | Ensure that 'Public access level' is disabled for storage accounts with blob containers | Enforce logical access | 1.1.0 |
| 3 | 3.7 | Ensure that 'Public access level' is disabled for storage accounts with blob containers | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 3 | 3.7 | Ensure that 'Public access level' is disabled for storage accounts with blob containers | Require approval for account creation | 1.1.0 |
| 3 | 3.7 | Ensure that 'Public access level' is disabled for storage accounts with blob containers | Review user groups and applications with access to sensitive data | 1.1.0 |
| 3 | 3.9 | Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access | Control information flow | 1.1.0 |
| 3 | 3.9 | Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access | Employ flow control mechanisms of encrypted information | 1.1.0 |
| 3 | 3.9 | Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access | Establish firewall and router configuration standards | 1.1.0 |
| 3 | 3.9 | Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access | Establish network segmentation for card holder data environment | 1.1.0 |
| 3 | 3.9 | Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access | Identify and manage downstream information exchanges | 1.1.0 |
| 4.1 | 4.1.1 | Ensure that 'Auditing' is set to 'On' | Audit privileged functions | 1.1.0 |
| 4.1 | 4.1.1 | Ensure that 'Auditing' is set to 'On' | Audit user account status | 1.1.0 |
| 4.1 | 4.1.1 | Ensure that 'Auditing' is set to 'On' | Determine auditable events | 1.1.0 |
| 4.1 | 4.1.1 | Ensure that 'Auditing' is set to 'On' | Review audit data | 1.1.0 |
| 4.1 | 4.1.2 | Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Control information flow | 1.1.0 |
| 4.1 | 4.1.2 | Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Employ flow control mechanisms of encrypted information | 1.1.0 |
| 4.1 | 4.1.3 | Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key | Establish a data leakage management procedure | 1.1.0 |
| 4.1 | 4.1.3 | Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key | Implement controls to secure all media | 1.1.0 |
| 4.1 | 4.1.3 | Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key | Protect data in transit using encryption | 1.1.0 |
| 4.1 | 4.1.3 | Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key | Protect special information | 1.1.0 |
| 4.1 | 4.1.4 | Ensure that Azure Active Directory Admin is Configured for SQL Servers | Automate account management | 1.1.0 |
| 4.1 | 4.1.4 | Ensure that Azure Active Directory Admin is Configured for SQL Servers | Manage system and admin accounts | 1.1.0 |
| 4.1 | 4.1.4 | Ensure that Azure Active Directory Admin is Configured for SQL Servers | Monitor access across the organization | 1.1.0 |
| 4.1 | 4.1.4 | Ensure that Azure Active Directory Admin is Configured for SQL Servers | Notify when account is not needed | 1.1.0 |
| 4.1 | 4.1.5 | Ensure that 'Data encryption' is set to 'On' on a SQL Database | Establish a data leakage management procedure | 1.1.0 |
| 4.1 | 4.1.5 | Ensure that 'Data encryption' is set to 'On' on a SQL Database | Implement controls to secure all media | 1.1.0 |
| 4.1 | 4.1.5 | Ensure that 'Data encryption' is set to 'On' on a SQL Database | Protect data in transit using encryption | 1.1.0 |
| 4.1 | 4.1.5 | Ensure that 'Data encryption' is set to 'On' on a SQL Database | Protect special information | 1.1.0 |
| 4.1 | 4.1.6 | Ensure that 'Auditing' Retention is 'greater than 90 days' | Adhere to retention periods defined | 1.1.0 |
| 4.1 | 4.1.6 | Ensure that 'Auditing' Retention is 'greater than 90 days' | Govern and monitor audit processing activities | 1.1.0 |
| 4.1 | 4.1.6 | Ensure that 'Auditing' Retention is 'greater than 90 days' | Retain security policies and procedures | 1.1.0 |
| 4.1 | 4.1.6 | Ensure that 'Auditing' Retention is 'greater than 90 days' | Retain terminated user data | 1.1.0 |
| 4.2 | 4.2.1 | Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers | Perform a trend analysis on threats | 1.1.0 |
| 4.2 | 4.2.2 | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Perform vulnerability scans | 1.1.0 |
| 4.2 | 4.2.2 | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Remediate information system flaws | 1.1.0 |
| 4.2 | 4.2.3 | Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server | Perform vulnerability scans | 1.1.0 |
| 4.2 | 4.2.3 | Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server | Remediate information system flaws | 1.1.0 |
| 4.2 | 4.2.4 | Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server | Correlate Vulnerability scan information | 1.1.1 |
| 4.2 | 4.2.4 | Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server | Perform vulnerability scans | 1.1.0 |
| 4.2 | 4.2.4 | Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server | Remediate information system flaws | 1.1.0 |
| 4.2 | 4.2.5 | Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server | Correlate Vulnerability scan information | 1.1.1 |
| 4.2 | 4.2.5 | Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server | Perform vulnerability scans | 1.1.0 |
| 4.2 | 4.2.5 | Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server | Remediate information system flaws | 1.1.0 |
| 4.3 | 4.3.1 | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Configure workstations to check for digital certificates | 1.1.0 |
| 4.3 | 4.3.1 | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Protect data in transit using encryption | 1.1.0 |
| 4.3 | 4.3.1 | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Protect passwords with encryption | 1.1.0 |
| 4.3 | 4.3.2 | Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Audit privileged functions | 1.1.0 |
| 4.3 | 4.3.2 | Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Audit user account status | 1.1.0 |
| 4.3 | 4.3.2 | Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Determine auditable events | 1.1.0 |
| 4.3 | 4.3.2 | Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Review audit data | 1.1.0 |
| 4.3 | 4.3.3 | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | Audit privileged functions | 1.1.0 |
| 4.3 | 4.3.3 | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | Audit user account status | 1.1.0 |
| 4.3 | 4.3.3 | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | Determine auditable events | 1.1.0 |
| 4.3 | 4.3.3 | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | Review audit data | 1.1.0 |
| 4.3 | 4.3.4 | Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server | Audit privileged functions | 1.1.0 |
| 4.3 | 4.3.4 | Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server | Audit user account status | 1.1.0 |
| 4.3 | 4.3.4 | Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server | Determine auditable events | 1.1.0 |
| 4.3 | 4.3.4 | Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server | Review audit data | 1.1.0 |
| 4.3 | 4.3.5 | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Audit privileged functions | 1.1.0 |
| 4.3 | 4.3.5 | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Audit user account status | 1.1.0 |
| 4.3 | 4.3.5 | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Determine auditable events | 1.1.0 |
| 4.3 | 4.3.5 | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Review audit data | 1.1.0 |
| 4.3 | 4.3.6 | Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server | Adhere to retention periods defined | 1.1.0 |
| 4.3 | 4.3.6 | Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server | Govern and monitor audit processing activities | 1.1.0 |
| 4.3 | 4.3.6 | Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server | Retain security policies and procedures | 1.1.0 |
| 4.3 | 4.3.6 | Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server | Retain terminated user data | 1.1.0 |
| 4.3 | 4.3.7 | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Control information flow | 1.1.0 |
| 4.3 | 4.3.7 | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Employ flow control mechanisms of encrypted information | 1.1.0 |
| 4.3 | 4.3.7 | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Establish firewall and router configuration standards | 1.1.0 |
| 4.3 | 4.3.7 | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Establish network segmentation for card holder data environment | 1.1.0 |
| 4.3 | 4.3.7 | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Identify and manage downstream information exchanges | 1.1.0 |
| 4.3 | 4.3.8 | Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled' | Establish a data leakage management procedure | 1.1.0 |
| 4.3 | 4.3.8 | Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled' | Implement controls to secure all media | 1.1.0 |
| 4.3 | 4.3.8 | Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled' | Protect data in transit using encryption | 1.1.0 |
| 4.3 | 4.3.8 | Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled' | Protect special information | 1.1.0 |
| 4.4 | 4.4.1 | Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server | Configure workstations to check for digital certificates | 1.1.0 |
| 4.4 | 4.4.1 | Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server | Protect data in transit using encryption | 1.1.0 |
| 4.4 | 4.4.1 | Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server | Protect passwords with encryption | 1.1.0 |
| 4.4 | 4.4.2 | Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server | Configure workstations to check for digital certificates | 1.1.0 |
| 4.4 | 4.4.2 | Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server | Protect data in transit using encryption | 1.1.0 |
| 4.4 | 4.4.2 | Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server | Protect passwords with encryption | 1.1.0 |
| 5.1 | 5.1.1 | Ensure that a 'Diagnostic Setting' exists | Determine auditable events | 1.1.0 |
| 5.1 | 5.1.2 | Ensure Diagnostic Setting captures appropriate categories | An activity log alert should exist for specific Administrative operations | 1.0.0 |
| 5.1 | 5.1.2 | Ensure Diagnostic Setting captures appropriate categories | An activity log alert should exist for specific Policy operations | 3.0.0 |
| 5.1 | 5.1.2 | Ensure Diagnostic Setting captures appropriate categories | An activity log alert should exist for specific Security operations | 1.0.0 |
| 5.1 | 5.1.2 | Ensure Diagnostic Setting captures appropriate categories | Audit privileged functions | 1.1.0 |
| 5.1 | 5.1.2 | Ensure Diagnostic Setting captures appropriate categories | Audit user account status | 1.1.0 |
| 5.1 | 5.1.2 | Ensure Diagnostic Setting captures appropriate categories | Configure Azure Audit capabilities | 1.1.1 |
| 5.1 | 5.1.2 | Ensure Diagnostic Setting captures appropriate categories | Determine auditable events | 1.1.0 |
| 5.1 | 5.1.2 | Ensure Diagnostic Setting captures appropriate categories | Review audit data | 1.1.0 |
| 5.1 | 5.1.3 | Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible | Enable dual or joint authorization | 1.1.0 |
| 5.1 | 5.1.3 | Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible | Protect audit information | 1.1.0 |
| 5.1 | 5.1.4 | Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key | Enable dual or joint authorization | 1.1.0 |
| 5.1 | 5.1.4 | Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key | Maintain integrity of audit system | 1.1.0 |
| 5.1 | 5.1.4 | Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key | Protect audit information | 1.1.0 |
| 5.1 | 5.1.5 | Ensure that logging for Azure Key Vault is 'Enabled' | Audit privileged functions | 1.1.0 |
| 5.1 | 5.1.5 | Ensure that logging for Azure Key Vault is 'Enabled' | Audit user account status | 1.1.0 |
| 5.1 | 5.1.5 | Ensure that logging for Azure Key Vault is 'Enabled' | Determine auditable events | 1.1.0 |
| 5.1 | 5.1.5 | Ensure that logging for Azure Key Vault is 'Enabled' | Review audit data | 1.1.0 |
| 5.2 | 5.2.1 | Ensure that Activity Log Alert exists for Create Policy Assignment | Alert personnel of information spillage | 1.1.0 |
| 5.2 | 5.2.1 | Ensure that Activity Log Alert exists for Create Policy Assignment | An activity log alert should exist for specific Policy operations | 3.0.0 |
| 5.2 | 5.2.1 | Ensure that Activity Log Alert exists for Create Policy Assignment | Develop an incident response plan | 1.1.0 |
| 5.2 | 5.2.1 | Ensure that Activity Log Alert exists for Create Policy Assignment | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| 5.2 | 5.2.2 | Ensure that Activity Log Alert exists for Delete Policy Assignment | Alert personnel of information spillage | 1.1.0 |
| 5.2 | 5.2.2 | Ensure that Activity Log Alert exists for Delete Policy Assignment | An activity log alert should exist for specific Policy operations | 3.0.0 |
| 5.2 | 5.2.2 | Ensure that Activity Log Alert exists for Delete Policy Assignment | Develop an incident response plan | 1.1.0 |
| 5.2 | 5.2.2 | Ensure that Activity Log Alert exists for Delete Policy Assignment | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| 5.2 | 5.2.3 | Ensure that Activity Log Alert exists for Create or Update Network Security Group | Alert personnel of information spillage | 1.1.0 |
| 5.2 | 5.2.3 | Ensure that Activity Log Alert exists for Create or Update Network Security Group | An activity log alert should exist for specific Administrative operations | 1.0.0 |
| 5.2 | 5.2.3 | Ensure that Activity Log Alert exists for Create or Update Network Security Group | Develop an incident response plan | 1.1.0 |
| 5.2 | 5.2.3 | Ensure that Activity Log Alert exists for Create or Update Network Security Group | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| 5.2 | 5.2.4 | Ensure that Activity Log Alert exists for Delete Network Security Group | Alert personnel of information spillage | 1.1.0 |
| 5.2 | 5.2.4 | Ensure that Activity Log Alert exists for Delete Network Security Group | An activity log alert should exist for specific Administrative operations | 1.0.0 |
| 5.2 | 5.2.4 | Ensure that Activity Log Alert exists for Delete Network Security Group | Develop an incident response plan | 1.1.0 |
| 5.2 | 5.2.4 | Ensure that Activity Log Alert exists for Delete Network Security Group | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| 5.2 | 5.2.5 | Ensure that Activity Log Alert exists for Create or Update Security Solution | Alert personnel of information spillage | 1.1.0 |
| 5.2 | 5.2.5 | Ensure that Activity Log Alert exists for Create or Update Security Solution | An activity log alert should exist for specific Administrative operations | 1.0.0 |
| 5.2 | 5.2.5 | Ensure that Activity Log Alert exists for Create or Update Security Solution | Develop an incident response plan | 1.1.0 |
| 5.2 | 5.2.5 | Ensure that Activity Log Alert exists for Create or Update Security Solution | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| 5.2 | 5.2.6 | Ensure that Activity Log Alert exists for Delete Security Solution | Alert personnel of information spillage | 1.1.0 |
| 5.2 | 5.2.6 | Ensure that Activity Log Alert exists for Delete Security Solution | An activity log alert should exist for specific Administrative operations | 1.0.0 |
| 5.2 | 5.2.6 | Ensure that Activity Log Alert exists for Delete Security Solution | Develop an incident response plan | 1.1.0 |
| 5.2 | 5.2.6 | Ensure that Activity Log Alert exists for Delete Security Solution | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| 5.2 | 5.2.7 | Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule | Alert personnel of information spillage | 1.1.0 |
| 5.2 | 5.2.7 | Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule | An activity log alert should exist for specific Administrative operations | 1.0.0 |
| 5.2 | 5.2.7 | Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule | Develop an incident response plan | 1.1.0 |
| 5.2 | 5.2.7 | Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| 5.2 | 5.2.8 | Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule | Alert personnel of information spillage | 1.1.0 |
| 5.2 | 5.2.8 | Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule | An activity log alert should exist for specific Administrative operations | 1.0.0 |
| 5.2 | 5.2.8 | Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule | Develop an incident response plan | 1.1.0 |
| 5.2 | 5.2.8 | Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| 5 | 5.4 | Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it | Adhere to retention periods defined | 1.1.0 |
| 5 | 5.4 | Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it | Audit privileged functions | 1.1.0 |
| 5 | 5.4 | Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it | Audit user account status | 1.1.0 |
| 5 | 5.4 | Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it | Configure Azure Audit capabilities | 1.1.1 |
| 5 | 5.4 | Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it | Determine auditable events | 1.1.0 |
| 5 | 5.4 | Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it | Govern and monitor audit processing activities | 1.1.0 |
| 5 | 5.4 | Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it | Retain security policies and procedures | 1.1.0 |
| 5 | 5.4 | Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it | Retain terminated user data | 1.1.0 |
| 5 | 5.4 | Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it | Review audit data | 1.1.0 |
| 6 | 6.5 | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Adhere to retention periods defined | 1.1.0 |
| 6 | 6.5 | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Retain security policies and procedures | 1.1.0 |
| 6 | 6.5 | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Retain terminated user data | 1.1.0 |
| 6 | 6.6 | Ensure that Network Watcher is 'Enabled' | Verify security functions | 1.1.0 |
| 7 | 7.2 | Ensure Virtual Machines are utilizing Managed Disks | Control physical access | 1.1.0 |
| 7 | 7.2 | Ensure Virtual Machines are utilizing Managed Disks | Manage the input, output, processing, and storage of data | 1.1.0 |
| 7 | 7.2 | Ensure Virtual Machines are utilizing Managed Disks | Review label activity and analytics | 1.1.0 |
| 7 | 7.3 | Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK) | Establish a data leakage management procedure | 1.1.0 |
| 7 | 7.3 | Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK) | Implement controls to secure all media | 1.1.0 |
| 7 | 7.3 | Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK) | Protect data in transit using encryption | 1.1.0 |
| 7 | 7.3 | Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK) | Protect special information | 1.1.0 |
| 7 | 7.4 | Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK) | Establish a data leakage management procedure | 1.1.0 |
| 7 | 7.4 | Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK) | Implement controls to secure all media | 1.1.0 |
| 7 | 7.4 | Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK) | Protect data in transit using encryption | 1.1.0 |
| 7 | 7.4 | Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK) | Protect special information | 1.1.0 |
| 7 | 7.6 | Ensure that Endpoint Protection for all Virtual Machines is installed | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| 7 | 7.6 | Ensure that Endpoint Protection for all Virtual Machines is installed | Document security operations | 1.1.0 |
| 7 | 7.6 | Ensure that Endpoint Protection for all Virtual Machines is installed | Manage gateways | 1.1.0 |
| 7 | 7.6 | Ensure that Endpoint Protection for all Virtual Machines is installed | Perform a trend analysis on threats | 1.1.0 |
| 7 | 7.6 | Ensure that Endpoint Protection for all Virtual Machines is installed | Perform vulnerability scans | 1.1.0 |
| 7 | 7.6 | Ensure that Endpoint Protection for all Virtual Machines is installed | Review malware detections report weekly | 1.1.0 |
| 7 | 7.6 | Ensure that Endpoint Protection for all Virtual Machines is installed | Review threat protection status weekly | 1.1.0 |
| 7 | 7.6 | Ensure that Endpoint Protection for all Virtual Machines is installed | Turn on sensors for endpoint security solution | 1.1.0 |
| 7 | 7.6 | Ensure that Endpoint Protection for all Virtual Machines is installed | Update antivirus definitions | 1.1.0 |
| 7 | 7.6 | Ensure that Endpoint Protection for all Virtual Machines is installed | Verify software, firmware and information integrity | 1.1.0 |
| 7 | 7.7 | [Legacy] Ensure that VHDs are Encrypted | Establish a data leakage management procedure | 1.1.0 |
| 7 | 7.7 | [Legacy] Ensure that VHDs are Encrypted | Implement controls to secure all media | 1.1.0 |
| 7 | 7.7 | [Legacy] Ensure that VHDs are Encrypted | Protect data in transit using encryption | 1.1.0 |
| 7 | 7.7 | [Legacy] Ensure that VHDs are Encrypted | Protect special information | 1.1.0 |
| 8 | 8.1 | Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults | Define a physical key management process | 1.1.0 |
| 8 | 8.1 | Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults | Define cryptographic use | 1.1.0 |
| 8 | 8.1 | Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults | Define organizational requirements for cryptographic key management | 1.1.0 |
| 8 | 8.1 | Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults | Determine assertion requirements | 1.1.0 |
| 8 | 8.1 | Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults | Issue public key certificates | 1.1.0 |
| 8 | 8.1 | Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults | Manage symmetric cryptographic keys | 1.1.0 |
| 8 | 8.1 | Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults | Restrict access to private keys | 1.1.0 |
| 8 | 8.2 | Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults. | Define a physical key management process | 1.1.0 |
| 8 | 8.2 | Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults. | Define cryptographic use | 1.1.0 |
| 8 | 8.2 | Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults. | Define organizational requirements for cryptographic key management | 1.1.0 |
| 8 | 8.2 | Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults. | Determine assertion requirements | 1.1.0 |
| 8 | 8.2 | Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults. | Issue public key certificates | 1.1.0 |
| 8 | 8.2 | Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults. | Manage symmetric cryptographic keys | 1.1.0 |
| 8 | 8.2 | Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults. | Restrict access to private keys | 1.1.0 |
| 8 | 8.3 | Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults | Define a physical key management process | 1.1.0 |
| 8 | 8.3 | Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults | Define cryptographic use | 1.1.0 |
| 8 | 8.3 | Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults | Define organizational requirements for cryptographic key management | 1.1.0 |
| 8 | 8.3 | Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults | Determine assertion requirements | 1.1.0 |
| 8 | 8.3 | Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults | Issue public key certificates | 1.1.0 |
| 8 | 8.3 | Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults | Manage symmetric cryptographic keys | 1.1.0 |
| 8 | 8.3 | Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults | Restrict access to private keys | 1.1.0 |
| 8 | 8.4 | Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults | Define a physical key management process | 1.1.0 |
| 8 | 8.4 | Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults | Define cryptographic use | 1.1.0 |
| 8 | 8.4 | Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults | Define organizational requirements for cryptographic key management | 1.1.0 |
| 8 | 8.4 | Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults | Determine assertion requirements | 1.1.0 |
| 8 | 8.4 | Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults | Issue public key certificates | 1.1.0 |
| 8 | 8.4 | Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults | Manage symmetric cryptographic keys | 1.1.0 |
| 8 | 8.4 | Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults | Restrict access to private keys | 1.1.0 |
| 9 | 9.1 | Ensure App Service Authentication is set up for apps in Azure App Service | Authenticate to cryptographic module | 1.1.0 |
| 9 | 9.1 | Ensure App Service Authentication is set up for apps in Azure App Service | Enforce user uniqueness | 1.1.0 |
| 9 | 9.1 | Ensure App Service Authentication is set up for apps in Azure App Service | Support personal verification credentials issued by legal authorities | 1.1.0 |
| 9 | 9.10 | Ensure FTP deployments are Disabled | Configure workstations to check for digital certificates | 1.1.0 |
| 9 | 9.10 | Ensure FTP deployments are Disabled | Protect data in transit using encryption | 1.1.0 |
| 9 | 9.10 | Ensure FTP deployments are Disabled | Protect passwords with encryption | 1.1.0 |
| 9 | 9.11 | Ensure Azure Key Vaults are Used to Store Secrets | Define a physical key management process | 1.1.0 |
| 9 | 9.11 | Ensure Azure Key Vaults are Used to Store Secrets | Define cryptographic use | 1.1.0 |
| 9 | 9.11 | Ensure Azure Key Vaults are Used to Store Secrets | Define organizational requirements for cryptographic key management | 1.1.0 |
| 9 | 9.11 | Ensure Azure Key Vaults are Used to Store Secrets | Determine assertion requirements | 1.1.0 |
| 9 | 9.11 | Ensure Azure Key Vaults are Used to Store Secrets | Ensure cryptographic mechanisms are under configuration management | 1.1.0 |
| 9 | 9.11 | Ensure Azure Key Vaults are Used to Store Secrets | Issue public key certificates | 1.1.0 |
| 9 | 9.11 | Ensure Azure Key Vaults are Used to Store Secrets | Maintain availability of information | 1.1.0 |
| 9 | 9.11 | Ensure Azure Key Vaults are Used to Store Secrets | Manage symmetric cryptographic keys | 1.1.0 |
| 9 | 9.11 | Ensure Azure Key Vaults are Used to Store Secrets | Restrict access to private keys | 1.1.0 |
| 9 | 9.2 | Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service | Configure workstations to check for digital certificates | 1.1.0 |
| 9 | 9.2 | Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service | Protect data in transit using encryption | 1.1.0 |
| 9 | 9.2 | Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service | Protect passwords with encryption | 1.1.0 |
| 9 | 9.3 | Ensure Web App is using the latest version of TLS encryption | Configure workstations to check for digital certificates | 1.1.0 |
| 9 | 9.3 | Ensure Web App is using the latest version of TLS encryption | Protect data in transit using encryption | 1.1.0 |
| 9 | 9.3 | Ensure Web App is using the latest version of TLS encryption | Protect passwords with encryption | 1.1.0 |
| 9 | 9.4 | Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' | Authenticate to cryptographic module | 1.1.0 |
| 9 | 9.5 | Ensure that Register with Azure Active Directory is enabled on App Service | Automate account management | 1.1.0 |
| 9 | 9.5 | Ensure that Register with Azure Active Directory is enabled on App Service | Manage system and admin accounts | 1.1.0 |
| 9 | 9.5 | Ensure that Register with Azure Active Directory is enabled on App Service | Monitor access across the organization | 1.1.0 |
| 9 | 9.5 | Ensure that Register with Azure Active Directory is enabled on App Service | Notify when account is not needed | 1.1.0 |
| 9 | 9.6 | Ensure That 'PHP version' is the Latest, If Used to Run the Web App | Remediate information system flaws | 1.1.0 |
| 9 | 9.7 | Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App | Remediate information system flaws | 1.1.0 |
| 9 | 9.8 | Ensure that 'Java version' is the latest, if used to run the Web App | Remediate information system flaws | 1.1.0 |
| 9 | 9.9 | Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App | Remediate information system flaws | 1.1.0 |
CMMC Level 3
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - CMMC Level 3. For more information about this compliance standard, see Cybersecurity Maturity Model Certification (CMMC).
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | Blocked accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | Blocked accounts with read and write permissions on Azure resources should be removed | 1.0.0 |
| Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | Guest accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | Guest accounts with read permissions on Azure resources should be removed | 1.0.0 |
| Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | Guest accounts with write permissions on Azure resources should be removed | 1.0.0 |
| Access Control | AC.2.007 | Employ the principle of least privilege, including for specific security functions and privileged accounts. | Guest accounts with read permissions on Azure resources should be removed | 1.0.0 |
| Access Control | AC.2.007 | Employ the principle of least privilege, including for specific security functions and privileged accounts. | Guest accounts with write permissions on Azure resources should be removed | 1.0.0 |
| Access Control | AC.3.017 | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| Access Control | AC.3.017 | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. | There should be more than one owner assigned to your subscription | 3.0.0 |
| Access Control | AC.3.018 | Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs. | An activity log alert should exist for specific Administrative operations | 1.0.0 |
| Access Control | AC.3.021 | Authorize remote execution of privileged commands and remote access to security-relevant information. | An activity log alert should exist for specific Administrative operations | 1.0.0 |
| Access Control | AC.3.021 | Authorize remote execution of privileged commands and remote access to security-relevant information. | An activity log alert should exist for specific Security operations | 1.0.0 |
| Audit and Accountability | AU.2.041 | Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. | An activity log alert should exist for specific Administrative operations | 1.0.0 |
| Audit and Accountability | AU.2.041 | Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. | An activity log alert should exist for specific Policy operations | 3.0.0 |
| Audit and Accountability | AU.2.041 | Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. | An activity log alert should exist for specific Security operations | 1.0.0 |
| Audit and Accountability | AU.2.041 | Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. | Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' | 1.0.0 |
| Audit and Accountability | AU.2.041 | Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. | Azure Monitor should collect activity logs from all regions | 2.0.0 |
| Audit and Accountability | AU.2.041 | Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. | Azure subscriptions should have a log profile for Activity Log | 1.0.0 |
| Audit and Accountability | AU.2.042 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | Activity log should be retained for at least one year | 1.0.0 |
| Audit and Accountability | AU.2.042 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | An activity log alert should exist for specific Administrative operations | 1.0.0 |
| Audit and Accountability | AU.2.042 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | An activity log alert should exist for specific Policy operations | 3.0.0 |
| Audit and Accountability | AU.2.042 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | An activity log alert should exist for specific Security operations | 1.0.0 |
| Audit and Accountability | AU.2.042 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | Azure Monitor should collect activity logs from all regions | 2.0.0 |
| Audit and Accountability | AU.2.042 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | Azure subscriptions should have a log profile for Activity Log | 1.0.0 |
| Audit and Accountability | AU.3.049 | Protect audit information and audit logging tools from unauthorized access, modification, and deletion. | An activity log alert should exist for specific Policy operations | 3.0.0 |
| Security Assessment | CA.2.158 | Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. | An activity log alert should exist for specific Security operations | 1.0.0 |
| Security Assessment | CA.3.161 | Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. | An activity log alert should exist for specific Security operations | 1.0.0 |
| Configuration Management | CM.2.061 | Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. | An activity log alert should exist for specific Policy operations | 3.0.0 |
| Configuration Management | CM.2.065 | Track, review, approve or disapprove, and log changes to organizational systems. | An activity log alert should exist for specific Administrative operations | 1.0.0 |
| Configuration Management | CM.2.065 | Track, review, approve or disapprove, and log changes to organizational systems. | An activity log alert should exist for specific Policy operations | 3.0.0 |
| Configuration Management | CM.2.065 | Track, review, approve or disapprove, and log changes to organizational systems. | An activity log alert should exist for specific Security operations | 1.0.0 |
| Configuration Management | CM.2.065 | Track, review, approve or disapprove, and log changes to organizational systems. | Azure Monitor should collect activity logs from all regions | 2.0.0 |
| Configuration Management | CM.2.065 | Track, review, approve or disapprove, and log changes to organizational systems. | Azure subscriptions should have a log profile for Activity Log | 1.0.0 |
| Identification and Authentication | IA.1.077 | Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. | Accounts with owner permissions on Azure resources should be MFA enabled | 1.0.0 |
| Identification and Authentication | IA.1.077 | Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. | Accounts with read permissions on Azure resources should be MFA enabled | 1.0.0 |
| Identification and Authentication | IA.1.077 | Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. | Accounts with write permissions on Azure resources should be MFA enabled | 1.0.0 |
| Identification and Authentication | IA.3.083 | Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. | Accounts with owner permissions on Azure resources should be MFA enabled | 1.0.0 |
| Identification and Authentication | IA.3.083 | Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. | Accounts with read permissions on Azure resources should be MFA enabled | 1.0.0 |
| Identification and Authentication | IA.3.083 | Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. | Accounts with write permissions on Azure resources should be MFA enabled | 1.0.0 |
| Identification and Authentication | IA.3.084 | Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts. | Accounts with owner permissions on Azure resources should be MFA enabled | 1.0.0 |
| Identification and Authentication | IA.3.084 | Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts. | Accounts with read permissions on Azure resources should be MFA enabled | 1.0.0 |
| Identification and Authentication | IA.3.084 | Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts. | Accounts with write permissions on Azure resources should be MFA enabled | 1.0.0 |
| Incident Response | IR.2.092 | Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities. | Email notification for high severity alerts should be enabled | 1.1.0 |
| Incident Response | IR.2.092 | Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities. | Email notification to subscription owner for high severity alerts should be enabled | 2.1.0 |
| Incident Response | IR.2.092 | Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities. | Subscriptions should have a contact email address for security issues | 1.0.1 |
| Incident Response | IR.2.093 | Detect and report events. | An activity log alert should exist for specific Security operations | 1.0.0 |
| Incident Response | IR.2.093 | Detect and report events. | Azure Defender for App Service should be enabled | 1.0.3 |
| Incident Response | IR.2.093 | Detect and report events. | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Incident Response | IR.2.093 | Detect and report events. | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Incident Response | IR.2.093 | Detect and report events. | Azure Defender for servers should be enabled | 1.0.3 |
| Incident Response | IR.2.093 | Detect and report events. | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Incident Response | IR.2.093 | Detect and report events. | Email notification for high severity alerts should be enabled | 1.1.0 |
| Incident Response | IR.2.093 | Detect and report events. | Microsoft Defender for Containers should be enabled | 1.0.0 |
| Incident Response | IR.2.093 | Detect and report events. | Microsoft Defender for Storage should be enabled | 1.0.0 |
| Recovery | RE.2.137 | Regularly perform and test data back-ups. | Audit virtual machines without disaster recovery configured | 1.0.0 |
| Recovery | RE.3.139 | Regularly perform complete, comprehensive and resilient data backups as organizationally-defined. | Audit virtual machines without disaster recovery configured | 1.0.0 |
| Risk Assessment | RM.2.141 | Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. | Azure Defender for App Service should be enabled | 1.0.3 |
| Risk Assessment | RM.2.141 | Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Risk Assessment | RM.2.141 | Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Risk Assessment | RM.2.141 | Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. | Azure Defender for servers should be enabled | 1.0.3 |
| Risk Assessment | RM.2.141 | Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Risk Assessment | RM.2.141 | Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. | Microsoft Defender for Containers should be enabled | 1.0.0 |
| Risk Assessment | RM.2.141 | Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. | Microsoft Defender for Storage should be enabled | 1.0.0 |
| Risk Assessment | RM.2.142 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | Azure Defender for App Service should be enabled | 1.0.3 |
| Risk Assessment | RM.2.142 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Risk Assessment | RM.2.142 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Risk Assessment | RM.2.142 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | Azure Defender for servers should be enabled | 1.0.3 |
| Risk Assessment | RM.2.142 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Risk Assessment | RM.2.142 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | Microsoft Defender for Containers should be enabled | 1.0.0 |
| Risk Assessment | RM.2.142 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | Microsoft Defender for Storage should be enabled | 1.0.0 |
| Risk Assessment | RM.2.143 | Remediate vulnerabilities in accordance with risk assessments. | Azure Defender for App Service should be enabled | 1.0.3 |
| Risk Assessment | RM.2.143 | Remediate vulnerabilities in accordance with risk assessments. | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Risk Assessment | RM.2.143 | Remediate vulnerabilities in accordance with risk assessments. | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Risk Assessment | RM.2.143 | Remediate vulnerabilities in accordance with risk assessments. | Azure Defender for servers should be enabled | 1.0.3 |
| Risk Assessment | RM.2.143 | Remediate vulnerabilities in accordance with risk assessments. | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Risk Assessment | RM.2.143 | Remediate vulnerabilities in accordance with risk assessments. | Microsoft Defender for Containers should be enabled | 1.0.0 |
| Risk Assessment | RM.2.143 | Remediate vulnerabilities in accordance with risk assessments. | Microsoft Defender for Storage should be enabled | 1.0.0 |
| Risk Management | RM.3.144 | Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources and risk measurement criteria. | Azure Defender for App Service should be enabled | 1.0.3 |
| Risk Management | RM.3.144 | Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources and risk measurement criteria. | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Risk Management | RM.3.144 | Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources and risk measurement criteria. | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Risk Management | RM.3.144 | Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources and risk measurement criteria. | Azure Defender for servers should be enabled | 1.0.3 |
| Risk Management | RM.3.144 | Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources and risk measurement criteria. | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Risk Management | RM.3.144 | Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources and risk measurement criteria. | Microsoft Defender for Containers should be enabled | 1.0.0 |
| Risk Management | RM.3.144 | Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources and risk measurement criteria. | Microsoft Defender for Storage should be enabled | 1.0.0 |
| System and Communications Protection | SC.3.181 | Separate user functionality from system management functionality. | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| System and Communications Protection | SC.3.181 | Separate user functionality from system management functionality. | Blocked accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| System and Communications Protection | SC.3.181 | Separate user functionality from system management functionality. | Guest accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| System and Communications Protection | SC.3.181 | Separate user functionality from system management functionality. | There should be more than one owner assigned to your subscription | 3.0.0 |
| System and Communications Protection | SC.3.187 | Establish and manage cryptographic keys for cryptography employed in organizational systems. | Azure Defender for Key Vault should be enabled | 1.0.3 |
| System and Communications Protection | SC.3.190 | Protect the authenticity of communications sessions. | Accounts with owner permissions on Azure resources should be MFA enabled | 1.0.0 |
| System and Communications Protection | SC.3.190 | Protect the authenticity of communications sessions. | Accounts with read permissions on Azure resources should be MFA enabled | 1.0.0 |
| System and Communications Protection | SC.3.190 | Protect the authenticity of communications sessions. | Accounts with write permissions on Azure resources should be MFA enabled | 1.0.0 |
| System and Information Integrity | SI.1.213 | Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. | Azure Defender for App Service should be enabled | 1.0.3 |
| System and Information Integrity | SI.1.213 | Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| System and Information Integrity | SI.1.213 | Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. | Azure Defender for Key Vault should be enabled | 1.0.3 |
| System and Information Integrity | SI.1.213 | Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. | Azure Defender for servers should be enabled | 1.0.3 |
| System and Information Integrity | SI.1.213 | Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| System and Information Integrity | SI.1.213 | Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. | Microsoft Defender for Containers should be enabled | 1.0.0 |
| System and Information Integrity | SI.1.213 | Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. | Microsoft Defender for Storage should be enabled | 1.0.0 |
| System and Information Integrity | SI.2.216 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | An activity log alert should exist for specific Administrative operations | 1.0.0 |
| System and Information Integrity | SI.2.216 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | An activity log alert should exist for specific Policy operations | 3.0.0 |
| System and Information Integrity | SI.2.216 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | An activity log alert should exist for specific Security operations | 1.0.0 |
| System and Information Integrity | SI.2.216 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | Azure Defender for App Service should be enabled | 1.0.3 |
| System and Information Integrity | SI.2.216 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| System and Information Integrity | SI.2.216 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | Azure Defender for Key Vault should be enabled | 1.0.3 |
| System and Information Integrity | SI.2.216 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | Azure Defender for servers should be enabled | 1.0.3 |
| System and Information Integrity | SI.2.216 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| System and Information Integrity | SI.2.216 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | Azure Monitor should collect activity logs from all regions | 2.0.0 |
| System and Information Integrity | SI.2.216 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | Azure subscriptions should have a log profile for Activity Log | 1.0.0 |
| System and Information Integrity | SI.2.216 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | Email notification to subscription owner for high severity alerts should be enabled | 2.1.0 |
| System and Information Integrity | SI.2.216 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | Microsoft Defender for Containers should be enabled | 1.0.0 |
| System and Information Integrity | SI.2.216 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | Microsoft Defender for Storage should be enabled | 1.0.0 |
| System and Information Integrity | SI.2.216 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | Subscriptions should have a contact email address for security issues | 1.0.1 |
| System and Information Integrity | SI.2.217 | Identify unauthorized use of organizational systems. | Activity log should be retained for at least one year | 1.0.0 |
| System and Information Integrity | SI.2.217 | Identify unauthorized use of organizational systems. | An activity log alert should exist for specific Administrative operations | 1.0.0 |
| System and Information Integrity | SI.2.217 | Identify unauthorized use of organizational systems. | An activity log alert should exist for specific Policy operations | 3.0.0 |
| System and Information Integrity | SI.2.217 | Identify unauthorized use of organizational systems. | An activity log alert should exist for specific Security operations | 1.0.0 |
| System and Information Integrity | SI.2.217 | Identify unauthorized use of organizational systems. | Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' | 1.0.0 |
| System and Information Integrity | SI.2.217 | Identify unauthorized use of organizational systems. | Azure Monitor should collect activity logs from all regions | 2.0.0 |
| System and Information Integrity | SI.2.217 | Identify unauthorized use of organizational systems. | Azure subscriptions should have a log profile for Activity Log | 1.0.0 |
| System and Information Integrity | SI.2.217 | Identify unauthorized use of organizational systems. | Email notification to subscription owner for high severity alerts should be enabled | 2.1.0 |
FedRAMP High
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - FedRAMP High. For more information about this compliance standard, see FedRAMP High.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | AC-1 | Access Control Policy And Procedures | Develop access control policies and procedures | 1.1.0 |
| Access Control | AC-1 | Access Control Policy And Procedures | Enforce mandatory and discretionary access control policies | 1.1.0 |
| Access Control | AC-1 | Access Control Policy And Procedures | Govern policies and procedures | 1.1.0 |
| Access Control | AC-1 | Access Control Policy And Procedures | Review access control policies and procedures | 1.1.0 |
| Access Control | AC-2 | Account Management | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| Access Control | AC-2 | Account Management | Assign account managers | 1.1.0 |
| Access Control | AC-2 | Account Management | Audit user account status | 1.1.0 |
| Access Control | AC-2 | Account Management | Blocked accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| Access Control | AC-2 | Account Management | Blocked accounts with read and write permissions on Azure resources should be removed | 1.0.0 |
| Access Control | AC-2 | Account Management | Define and enforce conditions for shared and group accounts | 1.1.0 |
| Access Control | AC-2 | Account Management | Define information system account types | 1.1.0 |
| Access Control | AC-2 | Account Management | Document access privileges | 1.1.0 |
| Access Control | AC-2 | Account Management | Establish conditions for role membership | 1.1.0 |
| Access Control | AC-2 | Account Management | Guest accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| Access Control | AC-2 | Account Management | Guest accounts with read permissions on Azure resources should be removed | 1.0.0 |
| Access Control | AC-2 | Account Management | Guest accounts with write permissions on Azure resources should be removed | 1.0.0 |
| Access Control | AC-2 | Account Management | Monitor account activity | 1.1.0 |
| Access Control | AC-2 | Account Management | Notify Account Managers of customer controlled accounts | 1.1.0 |
| Access Control | AC-2 | Account Management | Reissue authenticators for changed groups and accounts | 1.1.0 |
| Access Control | AC-2 | Account Management | Require approval for account creation | 1.1.0 |
| Access Control | AC-2 | Account Management | Restrict access to privileged accounts | 1.1.0 |
| Access Control | AC-2 | Account Management | Review account provisioning logs | 1.1.0 |
| Access Control | AC-2 | Account Management | Review user accounts | 1.1.0 |
| Access Control | AC-2 (1) | Automated System Account Management | Automate account management | 1.1.0 |
| Access Control | AC-2 (1) | Automated System Account Management | Manage system and admin accounts | 1.1.0 |
| Access Control | AC-2 (1) | Automated System Account Management | Monitor access across the organization | 1.1.0 |
| Access Control | AC-2 (1) | Automated System Account Management | Notify when account is not needed | 1.1.0 |
| Access Control | AC-2 (3) | Disable Inactive Accounts | Disable authenticators upon termination | 1.1.0 |
| Access Control | AC-2 (3) | Disable Inactive Accounts | Revoke privileged roles as appropriate | 1.1.0 |
| Access Control | AC-2 (4) | Automated Audit Actions | Audit user account status | 1.1.0 |
| Access Control | AC-2 (4) | Automated Audit Actions | Automate account management | 1.1.0 |
| Access Control | AC-2 (4) | Automated Audit Actions | Manage system and admin accounts | 1.1.0 |
| Access Control | AC-2 (4) | Automated Audit Actions | Monitor access across the organization | 1.1.0 |
| Access Control | AC-2 (4) | Automated Audit Actions | Notify when account is not needed | 1.1.0 |
| Access Control | AC-2 (5) | Inactivity Logout | Define and enforce inactivity log policy | 1.1.0 |
| Access Control | AC-2 (7) | Role-Based Schemes | Audit privileged functions | 1.1.0 |
| Access Control | AC-2 (7) | Role-Based Schemes | Monitor account activity | 1.1.0 |
| Access Control | AC-2 (7) | Role-Based Schemes | Monitor privileged role assignment | 1.1.0 |
| Access Control | AC-2 (7) | Role-Based Schemes | Restrict access to privileged accounts | 1.1.0 |
| Access Control | AC-2 (7) | Role-Based Schemes | Revoke privileged roles as appropriate | 1.1.0 |
| Access Control | AC-2 (7) | Role-Based Schemes | Use privileged identity management | 1.1.0 |
| Access Control | AC-2 (9) | Restrictions On Use Of Shared Groups / Accounts | Define and enforce conditions for shared and group accounts | 1.1.0 |
| Access Control | AC-2 (10) | Shared / Group Account Credential Termination | Terminate customer controlled account credentials | 1.1.0 |
| Access Control | AC-2 (11) | Usage Conditions | Enforce appropriate usage of all accounts | 1.1.0 |
| Access Control | AC-2 (12) | Account Monitoring / Atypical Usage | Azure Defender for App Service should be enabled | 1.0.3 |
| Access Control | AC-2 (12) | Account Monitoring / Atypical Usage | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Access Control | AC-2 (12) | Account Monitoring / Atypical Usage | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Access Control | AC-2 (12) | Account Monitoring / Atypical Usage | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| Access Control | AC-2 (12) | Account Monitoring / Atypical Usage | Azure Defender for servers should be enabled | 1.0.3 |
| Access Control | AC-2 (12) | Account Monitoring / Atypical Usage | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Access Control | AC-2 (12) | Account Monitoring / Atypical Usage | Microsoft Defender for Containers should be enabled | 1.0.0 |
| Access Control | AC-2 (12) | Account Monitoring / Atypical Usage | Microsoft Defender for Storage should be enabled | 1.0.0 |
| Access Control | AC-2 (12) | Account Monitoring / Atypical Usage | Monitor account activity | 1.1.0 |
| Access Control | AC-2 (12) | Account Monitoring / Atypical Usage | Report atypical behavior of user accounts | 1.1.0 |
| Access Control | AC-2 (13) | Disable Accounts For High-Risk Individuals | Disable user accounts posing a significant risk | 1.1.0 |
| Access Control | AC-3 | Access Enforcement | Accounts with owner permissions on Azure resources should be MFA enabled | 1.0.0 |
| Access Control | AC-3 | Access Enforcement | Accounts with read permissions on Azure resources should be MFA enabled | 1.0.0 |
| Access Control | AC-3 | Access Enforcement | Accounts with write permissions on Azure resources should be MFA enabled | 1.0.0 |
| Access Control | AC-3 | Access Enforcement | Authorize access to security functions and information | 1.1.0 |
| Access Control | AC-3 | Access Enforcement | Authorize and manage access | 1.1.0 |
| Access Control | AC-3 | Access Enforcement | Enforce logical access | 1.1.0 |
| Access Control | AC-3 | Access Enforcement | Enforce mandatory and discretionary access control policies | 1.1.0 |
| Access Control | AC-3 | Access Enforcement | Require approval for account creation | 1.1.0 |
| Access Control | AC-3 | Access Enforcement | Review user groups and applications with access to sensitive data | 1.1.0 |
| Access Control | AC-4 | Information Flow Enforcement | Control information flow | 1.1.0 |
| Access Control | AC-4 | Information Flow Enforcement | Employ flow control mechanisms of encrypted information | 1.1.0 |
| Access Control | AC-4 (8) | Security Policy Filters | Information flow control using security policy filters | 1.1.0 |
| Access Control | AC-4 (21) | Physical / Logical Separation Of Information Flows | Control information flow | 1.1.0 |
| Access Control | AC-4 (21) | Physical / Logical Separation Of Information Flows | Establish firewall and router configuration standards | 1.1.0 |
| Access Control | AC-4 (21) | Physical / Logical Separation Of Information Flows | Establish network segmentation for card holder data environment | 1.1.0 |
| Access Control | AC-4 (21) | Physical / Logical Separation Of Information Flows | Identify and manage downstream information exchanges | 1.1.0 |
| Access Control | AC-5 | Separation Of Duties | Define access authorizations to support separation of duties | 1.1.0 |
| Access Control | AC-5 | Separation Of Duties | Document separation of duties | 1.1.0 |
| Access Control | AC-5 | Separation Of Duties | Separate duties of individuals | 1.1.0 |
| Access Control | AC-5 | Separation Of Duties | There should be more than one owner assigned to your subscription | 3.0.0 |
| Access Control | AC-6 | Least Privilege | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| Access Control | AC-6 | Least Privilege | Design an access control model | 1.1.0 |
| Access Control | AC-6 | Least Privilege | Employ least privilege access | 1.1.0 |
| Access Control | AC-6 (1) | Authorize Access To Security Functions | Authorize access to security functions and information | 1.1.0 |
| Access Control | AC-6 (1) | Authorize Access To Security Functions | Authorize and manage access | 1.1.0 |
| Access Control | AC-6 (1) | Authorize Access To Security Functions | Enforce mandatory and discretionary access control policies | 1.1.0 |
| Access Control | AC-6 (5) | Privileged Accounts | Restrict access to privileged accounts | 1.1.0 |
| Access Control | AC-6 (7) | Review Of User Privileges | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| Access Control | AC-6 (7) | Review Of User Privileges | Reassign or remove user privileges as needed | 1.1.0 |
| Access Control | AC-6 (7) | Review Of User Privileges | Review user privileges | 1.1.0 |
| Access Control | AC-6 (8) | Privilege Levels For Code Execution | Enforce software execution privileges | 1.1.0 |
| Access Control | AC-6 (9) | Auditing Use Of Privileged Functions | Audit privileged functions | 1.1.0 |
| Access Control | AC-6 (9) | Auditing Use Of Privileged Functions | Conduct a full text analysis of logged privileged commands | 1.1.0 |
| Access Control | AC-6 (9) | Auditing Use Of Privileged Functions | Monitor privileged role assignment | 1.1.0 |
| Access Control | AC-6 (9) | Auditing Use Of Privileged Functions | Restrict access to privileged accounts | 1.1.0 |
| Access Control | AC-6 (9) | Auditing Use Of Privileged Functions | Revoke privileged roles as appropriate | 1.1.0 |
| Access Control | AC-6 (9) | Auditing Use Of Privileged Functions | Use privileged identity management | 1.1.0 |
| Access Control | AC-7 | Unsuccessful Logon Attempts | Enforce a limit of consecutive failed login attempts | 1.1.0 |
| Access Control | AC-10 | Concurrent Session Control | Define and enforce the limit of concurrent sessions | 1.1.0 |
| Access Control | AC-12 | Session Termination | Terminate user session automatically | 1.1.0 |
| Access Control | AC-12 (1) | User-Initiated Logouts / Message Displays | Display an explicit logout message | 1.1.0 |
| Access Control | AC-12 (1) | User-Initiated Logouts / Message Displays | Provide the logout capability | 1.1.0 |
| Access Control | AC-14 | Permitted Actions Without Identification Or Authentication | Identify actions allowed without authentication | 1.1.0 |
| Access Control | AC-17 | Remote Access | Authorize remote access | 1.1.0 |
| Access Control | AC-17 | Remote Access | Document mobility training | 1.1.0 |
| Access Control | AC-17 | Remote Access | Document remote access guidelines | 1.1.0 |
| Access Control | AC-17 | Remote Access | Implement controls to secure alternate work sites | 1.1.0 |
| Access Control | AC-17 | Remote Access | Provide privacy training | 1.1.0 |
| Access Control | AC-17 (1) | Automated Monitoring / Control | Monitor access across the organization | 1.1.0 |
| Access Control | AC-17 (2) | Protection Of Confidentiality / Integrity Using Encryption | Notify users of system logon or access | 1.1.0 |
| Access Control | AC-17 (2) | Protection Of Confidentiality / Integrity Using Encryption | Protect data in transit using encryption | 1.1.0 |
| Access Control | AC-17 (3) | Managed Access Control Points | Route traffic through managed network access points | 1.1.0 |
| Access Control | AC-17 (4) | Privileged Commands / Access | Authorize remote access | 1.1.0 |
| Access Control | AC-17 (4) | Privileged Commands / Access | Authorize remote access to privileged commands | 1.1.0 |
| Access Control | AC-17 (4) | Privileged Commands / Access | Document remote access guidelines | 1.1.0 |
| Access Control | AC-17 (4) | Privileged Commands / Access | Implement controls to secure alternate work sites | 1.1.0 |
| Access Control | AC-17 (4) | Privileged Commands / Access | Provide privacy training | 1.1.0 |
| Access Control | AC-17 (9) | Disconnect / Disable Access | Provide capability to disconnect or disable remote access | 1.1.0 |
| Access Control | AC-18 | Wireless Access | Document and implement wireless access guidelines | 1.1.0 |
| Access Control | AC-18 | Wireless Access | Protect wireless access | 1.1.0 |
| Access Control | AC-18 (1) | Authentication And Encryption | Document and implement wireless access guidelines | 1.1.0 |
| Access Control | AC-18 (1) | Authentication And Encryption | Identify and authenticate network devices | 1.1.0 |
| Access Control | AC-18 (1) | Authentication And Encryption | Protect wireless access | 1.1.0 |
| Access Control | AC-19 | Access Control For Mobile Devices | Define mobile device requirements | 1.1.0 |
| Access Control | AC-19 (5) | Full Device / Container-Based Encryption | Define mobile device requirements | 1.1.0 |
| Access Control | AC-19 (5) | Full Device / Container-Based Encryption | Protect data in transit using encryption | 1.1.0 |
| Access Control | AC-20 | Use Of External Information Systems | Establish terms and conditions for accessing resources | 1.1.0 |
| Access Control | AC-20 | Use Of External Information Systems | Establish terms and conditions for processing resources | 1.1.0 |
| Access Control | AC-20 (1) | Limits On Authorized Use | Verify security controls for external information systems | 1.1.0 |
| Access Control | AC-20 (2) | Portable Storage Devices | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| Access Control | AC-20 (2) | Portable Storage Devices | Control use of portable storage devices | 1.1.0 |
| Access Control | AC-20 (2) | Portable Storage Devices | Implement controls to secure all media | 1.1.0 |
| Access Control | AC-21 | Information Sharing | Automate information sharing decisions | 1.1.0 |
| Access Control | AC-21 | Information Sharing | Facilitate information sharing | 1.1.0 |
| Access Control | AC-22 | Publicly Accessible Content | Designate authorized personnel to post publicly accessible information | 1.1.0 |
| Access Control | AC-22 | Publicly Accessible Content | Review content prior to posting publicly accessible information | 1.1.0 |
| Access Control | AC-22 | Publicly Accessible Content | Review publicly accessible content for nonpublic information | 1.1.0 |
| Access Control | AC-22 | Publicly Accessible Content | Train personnel on disclosure of nonpublic information | 1.1.0 |
| Awareness And Training | AT-1 | Security Awareness And Training Policy Andprocedures | Document security and privacy training activities | 1.1.0 |
| Awareness And Training | AT-1 | Security Awareness And Training Policy Andprocedures | Update information security policies | 1.1.0 |
| Awareness And Training | AT-2 | Security Awareness Training | Provide periodic security awareness training | 1.1.0 |
| Awareness And Training | AT-2 | Security Awareness Training | Provide security training for new users | 1.1.0 |
| Awareness And Training | AT-2 | Security Awareness Training | Provide updated security awareness training | 1.1.0 |
| Awareness And Training | AT-2 (2) | Insider Threat | Provide security awareness training for insider threats | 1.1.0 |
| Awareness And Training | AT-3 | Role-Based Security Training | Provide periodic role-based security training | 1.1.0 |
| Awareness And Training | AT-3 | Role-Based Security Training | Provide role-based security training | 1.1.0 |
| Awareness And Training | AT-3 | Role-Based Security Training | Provide security training before providing access | 1.1.0 |
| Awareness And Training | AT-3 (3) | Practical Exercises | Provide role-based practical exercises | 1.1.0 |
| Awareness And Training | AT-3 (4) | Suspicious Communications And Anomalous System Behavior | Provide role-based training on suspicious activities | 1.1.0 |
| Awareness And Training | AT-4 | Security Training Records | Document security and privacy training activities | 1.1.0 |
| Awareness And Training | AT-4 | Security Training Records | Monitor security and privacy training completion | 1.1.0 |
| Awareness And Training | AT-4 | Security Training Records | Retain training records | 1.1.0 |
| Audit And Accountability | AU-1 | Audit And Accountability Policy And Procedures | Develop audit and accountability policies and procedures | 1.1.0 |
| Audit And Accountability | AU-1 | Audit And Accountability Policy And Procedures | Develop information security policies and procedures | 1.1.0 |
| Audit And Accountability | AU-1 | Audit And Accountability Policy And Procedures | Govern policies and procedures | 1.1.0 |
| Audit And Accountability | AU-1 | Audit And Accountability Policy And Procedures | Update information security policies | 1.1.0 |
| Audit And Accountability | AU-2 | Audit Events | Determine auditable events | 1.1.0 |
| Audit And Accountability | AU-2 (3) | Reviews And Updates | Review and update the events defined in AU-02 | 1.1.0 |
| Audit And Accountability | AU-3 | Content Of Audit Records | Determine auditable events | 1.1.0 |
| Audit And Accountability | AU-3 (1) | Additional Audit Information | Configure Azure Audit capabilities | 1.1.1 |
| Audit And Accountability | AU-4 | Audit Storage Capacity | Govern and monitor audit processing activities | 1.1.0 |
| Audit And Accountability | AU-5 | Response To Audit Processing Failures | Govern and monitor audit processing activities | 1.1.0 |
| Audit And Accountability | AU-5 (2) | Real-Time Alerts | Provide real-time alerts for audit event failures | 1.1.0 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Azure Defender for App Service should be enabled | 1.0.3 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Azure Defender for servers should be enabled | 1.0.3 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Correlate audit records | 1.1.0 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Establish requirements for audit review and reporting | 1.1.0 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Integrate audit review, analysis, and reporting | 1.1.0 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Integrate cloud app security with a siem | 1.1.0 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Microsoft Defender for Containers should be enabled | 1.0.0 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Microsoft Defender for Storage should be enabled | 1.0.0 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Review account provisioning logs | 1.1.0 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Review administrator assignments weekly | 1.1.0 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Review audit data | 1.1.0 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Review cloud identity report overview | 1.1.0 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Review controlled folder access events | 1.1.0 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Review file and folder activity | 1.1.0 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Review role group changes weekly | 1.1.0 |
| Audit And Accountability | AU-6 (1) | Process Integration | Correlate audit records | 1.1.0 |
| Audit And Accountability | AU-6 (1) | Process Integration | Establish requirements for audit review and reporting | 1.1.0 |
| Audit And Accountability | AU-6 (1) | Process Integration | Integrate audit review, analysis, and reporting | 1.1.0 |
| Audit And Accountability | AU-6 (1) | Process Integration | Integrate cloud app security with a siem | 1.1.0 |
| Audit And Accountability | AU-6 (1) | Process Integration | Review account provisioning logs | 1.1.0 |
| Audit And Accountability | AU-6 (1) | Process Integration | Review administrator assignments weekly | 1.1.0 |
| Audit And Accountability | AU-6 (1) | Process Integration | Review audit data | 1.1.0 |
| Audit And Accountability | AU-6 (1) | Process Integration | Review cloud identity report overview | 1.1.0 |
| Audit And Accountability | AU-6 (1) | Process Integration | Review controlled folder access events | 1.1.0 |
| Audit And Accountability | AU-6 (1) | Process Integration | Review file and folder activity | 1.1.0 |
| Audit And Accountability | AU-6 (1) | Process Integration | Review role group changes weekly | 1.1.0 |
| Audit And Accountability | AU-6 (3) | Correlate Audit Repositories | Correlate audit records | 1.1.0 |
| Audit And Accountability | AU-6 (3) | Correlate Audit Repositories | Integrate cloud app security with a siem | 1.1.0 |
| Audit And Accountability | AU-6 (4) | Central Review And Analysis | Auto provisioning of the Log Analytics agent should be enabled on your subscription | 1.0.1 |
| Audit And Accountability | AU-6 (4) | Central Review And Analysis | Azure Defender for App Service should be enabled | 1.0.3 |
| Audit And Accountability | AU-6 (4) | Central Review And Analysis | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Audit And Accountability | AU-6 (4) | Central Review And Analysis | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Audit And Accountability | AU-6 (4) | Central Review And Analysis | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| Audit And Accountability | AU-6 (4) | Central Review And Analysis | Azure Defender for servers should be enabled | 1.0.3 |
| Audit And Accountability | AU-6 (4) | Central Review And Analysis | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Audit And Accountability | AU-6 (4) | Central Review And Analysis | Microsoft Defender for Containers should be enabled | 1.0.0 |
| Audit And Accountability | AU-6 (4) | Central Review And Analysis | Microsoft Defender for Storage should be enabled | 1.0.0 |
| Audit And Accountability | AU-6 (5) | Integration / Scanning And Monitoring Capabilities | Auto provisioning of the Log Analytics agent should be enabled on your subscription | 1.0.1 |
| Audit And Accountability | AU-6 (5) | Integration / Scanning And Monitoring Capabilities | Azure Defender for App Service should be enabled | 1.0.3 |
| Audit And Accountability | AU-6 (5) | Integration / Scanning And Monitoring Capabilities | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Audit And Accountability | AU-6 (5) | Integration / Scanning And Monitoring Capabilities | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Audit And Accountability | AU-6 (5) | Integration / Scanning And Monitoring Capabilities | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| Audit And Accountability | AU-6 (5) | Integration / Scanning And Monitoring Capabilities | Azure Defender for servers should be enabled | 1.0.3 |
| Audit And Accountability | AU-6 (5) | Integration / Scanning And Monitoring Capabilities | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Audit And Accountability | AU-6 (5) | Integration / Scanning And Monitoring Capabilities | Integrate Audit record analysis | 1.1.0 |
| Audit And Accountability | AU-6 (5) | Integration / Scanning And Monitoring Capabilities | Microsoft Defender for Containers should be enabled | 1.0.0 |
| Audit And Accountability | AU-6 (5) | Integration / Scanning And Monitoring Capabilities | Microsoft Defender for Storage should be enabled | 1.0.0 |
| Audit And Accountability | AU-6 (7) | Permitted Actions | Specify permitted actions associated with customer audit information | 1.1.0 |
| Audit And Accountability | AU-6 (10) | Audit Level Adjustment | Adjust level of audit review, analysis, and reporting | 1.1.0 |
| Audit And Accountability | AU-7 | Audit Reduction And Report Generation | Ensure audit records are not altered | 1.1.0 |
| Audit And Accountability | AU-7 | Audit Reduction And Report Generation | Provide audit review, analysis, and reporting capability | 1.1.0 |
| Audit And Accountability | AU-7 (1) | Automatic Processing | Provide capability to process customer-controlled audit records | 1.1.0 |
| Audit And Accountability | AU-8 | Time Stamps | Use system clocks for audit records | 1.1.0 |
| Audit And Accountability | AU-8 (1) | Synchronization With Authoritative Time Source | Use system clocks for audit records | 1.1.0 |
| Audit And Accountability | AU-9 | Protection Of Audit Information | Enable dual or joint authorization | 1.1.0 |
| Audit And Accountability | AU-9 | Protection Of Audit Information | Protect audit information | 1.1.0 |
| Audit And Accountability | AU-9 (2) | Audit Backup On Separate Physical Systems / Components | Establish backup policies and procedures | 1.1.0 |
| Audit And Accountability | AU-9 (3) | Cryptographic Protection | Maintain integrity of audit system | 1.1.0 |
| Audit And Accountability | AU-9 (4) | Access By Subset Of Privileged Users | Protect audit information | 1.1.0 |
| Audit And Accountability | AU-10 | Non-Repudiation | Establish electronic signature and certificate requirements | 1.1.0 |
| Audit And Accountability | AU-11 | Audit Record Retention | Adhere to retention periods defined | 1.1.0 |
| Audit And Accountability | AU-11 | Audit Record Retention | Retain security policies and procedures | 1.1.0 |
| Audit And Accountability | AU-11 | Audit Record Retention | Retain terminated user data | 1.1.0 |
| Audit And Accountability | AU-12 | Audit Generation | Audit privileged functions | 1.1.0 |
| Audit And Accountability | AU-12 | Audit Generation | Audit user account status | 1.1.0 |
| Audit And Accountability | AU-12 | Audit Generation | Auto provisioning of the Log Analytics agent should be enabled on your subscription | 1.0.1 |
| Audit And Accountability | AU-12 | Audit Generation | Azure Defender for App Service should be enabled | 1.0.3 |
| Audit And Accountability | AU-12 | Audit Generation | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Audit And Accountability | AU-12 | Audit Generation | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Audit And Accountability | AU-12 | Audit Generation | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| Audit And Accountability | AU-12 | Audit Generation | Azure Defender for servers should be enabled | 1.0.3 |
| Audit And Accountability | AU-12 | Audit Generation | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Audit And Accountability | AU-12 | Audit Generation | Determine auditable events | 1.1.0 |
| Audit And Accountability | AU-12 | Audit Generation | Microsoft Defender for Containers should be enabled | 1.0.0 |
| Audit And Accountability | AU-12 | Audit Generation | Microsoft Defender for Storage should be enabled | 1.0.0 |
| Audit And Accountability | AU-12 | Audit Generation | Review audit data | 1.1.0 |
| Audit And Accountability | AU-12 (1) | System-Wide / Time-Correlated Audit Trail | Auto provisioning of the Log Analytics agent should be enabled on your subscription | 1.0.1 |
| Audit And Accountability | AU-12 (1) | System-Wide / Time-Correlated Audit Trail | Azure Defender for App Service should be enabled | 1.0.3 |
| Audit And Accountability | AU-12 (1) | System-Wide / Time-Correlated Audit Trail | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Audit And Accountability | AU-12 (1) | System-Wide / Time-Correlated Audit Trail | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Audit And Accountability | AU-12 (1) | System-Wide / Time-Correlated Audit Trail | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| Audit And Accountability | AU-12 (1) | System-Wide / Time-Correlated Audit Trail | Azure Defender for servers should be enabled | 1.0.3 |
| Audit And Accountability | AU-12 (1) | System-Wide / Time-Correlated Audit Trail | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Audit And Accountability | AU-12 (1) | System-Wide / Time-Correlated Audit Trail | Compile Audit records into system wide audit | 1.1.0 |
| Audit And Accountability | AU-12 (1) | System-Wide / Time-Correlated Audit Trail | Microsoft Defender for Containers should be enabled | 1.0.0 |
| Audit And Accountability | AU-12 (1) | System-Wide / Time-Correlated Audit Trail | Microsoft Defender for Storage should be enabled | 1.0.0 |
| Audit And Accountability | AU-12 (3) | Changes By Authorized Individuals | Provide the capability to extend or limit auditing on customer-deployed resources | 1.1.0 |
| Security Assessment And Authorization | CA-1 | Security Assessment And Authorization Policy And Procedures | Review security assessment and authorization policies and procedures | 1.1.0 |
| Security Assessment And Authorization | CA-2 | Security Assessments | Assess Security Controls | 1.1.0 |
| Security Assessment And Authorization | CA-2 | Security Assessments | Deliver security assessment results | 1.1.0 |
| Security Assessment And Authorization | CA-2 | Security Assessments | Develop security assessment plan | 1.1.0 |
| Security Assessment And Authorization | CA-2 | Security Assessments | Produce Security Assessment report | 1.1.0 |
| Security Assessment And Authorization | CA-2 (1) | Independent Assessors | Employ independent assessors to conduct security control assessments | 1.1.0 |
| Security Assessment And Authorization | CA-2 (2) | Specialized Assessments | Select additional testing for security control assessments | 1.1.0 |
| Security Assessment And Authorization | CA-2 (3) | External Organizations | Accept assessment results | 1.1.0 |
| Security Assessment And Authorization | CA-3 | System Interconnections | Require interconnection security agreements | 1.1.0 |
| Security Assessment And Authorization | CA-3 | System Interconnections | Update interconnection security agreements | 1.1.0 |
| Security Assessment And Authorization | CA-3 (3) | Unclassified Non-National Security System Connections | Implement system boundary protection | 1.1.0 |
| Security Assessment And Authorization | CA-3 (5) | Restrictions On External System Connections | Employ restrictions on external system interconnections | 1.1.0 |
| Security Assessment And Authorization | CA-5 | Plan Of Action And Milestones | Develop POA&M | 1.1.0 |
| Security Assessment And Authorization | CA-5 | Plan Of Action And Milestones | Update POA&M items | 1.1.0 |
| Security Assessment And Authorization | CA-6 | Security Authorization | Assign an authorizing official (AO) | 1.1.0 |
| Security Assessment And Authorization | CA-6 | Security Authorization | Ensure resources are authorized | 1.1.0 |
| Security Assessment And Authorization | CA-6 | Security Authorization | Update the security authorization | 1.1.0 |
| Security Assessment And Authorization | CA-7 | Continuous Monitoring | Configure detection whitelist | 1.1.0 |
| Security Assessment And Authorization | CA-7 | Continuous Monitoring | Turn on sensors for endpoint security solution | 1.1.0 |
| Security Assessment And Authorization | CA-7 | Continuous Monitoring | Undergo independent security review | 1.1.0 |
| Security Assessment And Authorization | CA-7 (1) | Independent Assessment | Employ independent assessors for continuous monitoring | 1.1.0 |
| Security Assessment And Authorization | CA-7 (3) | Trend Analyses | Analyse data obtained from continuous monitoring | 1.1.0 |
| Security Assessment And Authorization | CA-8 (1) | Independent Penetration Agent Or Team | Employ independent team for penetration testing | 1.1.0 |
| Security Assessment And Authorization | CA-9 | Internal System Connections | Check for privacy and security compliance before establishing internal connections | 1.1.0 |
| Configuration Management | CM-1 | Configuration Management Policy And Procedures | Review and update configuration management policies and procedures | 1.1.0 |
| Configuration Management | CM-2 | Baseline Configuration | Configure actions for noncompliant devices | 1.1.0 |
| Configuration Management | CM-2 | Baseline Configuration | Develop and maintain baseline configurations | 1.1.0 |
| Configuration Management | CM-2 | Baseline Configuration | Enforce security configuration settings | 1.1.0 |
| Configuration Management | CM-2 | Baseline Configuration | Establish a configuration control board | 1.1.0 |
| Configuration Management | CM-2 | Baseline Configuration | Establish and document a configuration management plan | 1.1.0 |
| Configuration Management | CM-2 | Baseline Configuration | Implement an automated configuration management tool | 1.1.0 |
| Configuration Management | CM-2 (2) | Automation Support For Accuracy / Currency | Configure actions for noncompliant devices | 1.1.0 |
| Configuration Management | CM-2 (2) | Automation Support For Accuracy / Currency | Develop and maintain baseline configurations | 1.1.0 |
| Configuration Management | CM-2 (2) | Automation Support For Accuracy / Currency | Enforce security configuration settings | 1.1.0 |
| Configuration Management | CM-2 (2) | Automation Support For Accuracy / Currency | Establish a configuration control board | 1.1.0 |
| Configuration Management | CM-2 (2) | Automation Support For Accuracy / Currency | Establish and document a configuration management plan | 1.1.0 |
| Configuration Management | CM-2 (2) | Automation Support For Accuracy / Currency | Implement an automated configuration management tool | 1.1.0 |
| Configuration Management | CM-2 (3) | Retention Of Previous Configurations | Retain previous versions of baseline configs | 1.1.0 |
| Configuration Management | CM-2 (7) | Configure Systems, Components, Or Devices For High-Risk Areas | Ensure security safeguards not needed when the individuals return | 1.1.0 |
| Configuration Management | CM-2 (7) | Configure Systems, Components, Or Devices For High-Risk Areas | Not allow for information systems to accompany with individuals | 1.1.0 |
| Configuration Management | CM-3 | Configuration Change Control | Conduct a security impact analysis | 1.1.0 |
| Configuration Management | CM-3 | Configuration Change Control | Develop and maintain a vulnerability management standard | 1.1.0 |
| Configuration Management | CM-3 | Configuration Change Control | Establish a risk management strategy | 1.1.0 |
| Configuration Management | CM-3 | Configuration Change Control | Establish and document change control processes | 1.1.0 |
| Configuration Management | CM-3 | Configuration Change Control | Establish configuration management requirements for developers | 1.1.0 |
| Configuration Management | CM-3 | Configuration Change Control | Perform a privacy impact assessment | 1.1.0 |
| Configuration Management | CM-3 | Configuration Change Control | Perform a risk assessment | 1.1.0 |
| Configuration Management | CM-3 | Configuration Change Control | Perform audit for configuration change control | 1.1.0 |
| Configuration Management | CM-3 (1) | Automated Document / Notification / Prohibition Of Changes | Automate approval request for proposed changes | 1.1.0 |
| Configuration Management | CM-3 (1) | Automated Document / Notification / Prohibition Of Changes | Automate implementation of approved change notifications | 1.1.0 |
| Configuration Management | CM-3 (1) | Automated Document / Notification / Prohibition Of Changes | Automate process to document implemented changes | 1.1.0 |
| Configuration Management | CM-3 (1) | Automated Document / Notification / Prohibition Of Changes | Automate process to highlight unreviewed change proposals | 1.1.0 |
| Configuration Management | CM-3 (1) | Automated Document / Notification / Prohibition Of Changes | Automate process to prohibit implementation of unapproved changes | 1.1.0 |
| Configuration Management | CM-3 (1) | Automated Document / Notification / Prohibition Of Changes | Automate proposed documented changes | 1.1.0 |
| Configuration Management | CM-3 (2) | Test / Validate / Document Changes | Establish and document change control processes | 1.1.0 |
| Configuration Management | CM-3 (2) | Test / Validate / Document Changes | Establish configuration management requirements for developers | 1.1.0 |
| Configuration Management | CM-3 (2) | Test / Validate / Document Changes | Perform audit for configuration change control | 1.1.0 |
| Configuration Management | CM-3 (4) | Security Representative | Assign information security representative to change control | 1.1.0 |
| Configuration Management | CM-3 (6) | Cryptography Management | Ensure cryptographic mechanisms are under configuration management | 1.1.0 |
| Configuration Management | CM-4 | Security Impact Analysis | Conduct a security impact analysis | 1.1.0 |
| Configuration Management | CM-4 | Security Impact Analysis | Develop and maintain a vulnerability management standard | 1.1.0 |
| Configuration Management | CM-4 | Security Impact Analysis | Establish a risk management strategy | 1.1.0 |
| Configuration Management | CM-4 | Security Impact Analysis | Establish and document change control processes | 1.1.0 |
| Configuration Management | CM-4 | Security Impact Analysis | Establish configuration management requirements for developers | 1.1.0 |
| Configuration Management | CM-4 | Security Impact Analysis | Perform a privacy impact assessment | 1.1.0 |
| Configuration Management | CM-4 | Security Impact Analysis | Perform a risk assessment | 1.1.0 |
| Configuration Management | CM-4 | Security Impact Analysis | Perform audit for configuration change control | 1.1.0 |
| Configuration Management | CM-4 (1) | Separate Test Environments | Conduct a security impact analysis | 1.1.0 |
| Configuration Management | CM-4 (1) | Separate Test Environments | Establish and document change control processes | 1.1.0 |
| Configuration Management | CM-4 (1) | Separate Test Environments | Establish configuration management requirements for developers | 1.1.0 |
| Configuration Management | CM-4 (1) | Separate Test Environments | Perform a privacy impact assessment | 1.1.0 |
| Configuration Management | CM-4 (1) | Separate Test Environments | Perform audit for configuration change control | 1.1.0 |
| Configuration Management | CM-5 | Access Restrictions For Change | Establish and document change control processes | 1.1.0 |
| Configuration Management | CM-5 (1) | Automated Access Enforcement / Auditing | Enforce and audit access restrictions | 1.1.0 |
| Configuration Management | CM-5 (2) | Review System Changes | Review changes for any unauthorized changes | 1.1.0 |
| Configuration Management | CM-5 (3) | Signed Components | Restrict unauthorized software and firmware installation | 1.1.0 |
| Configuration Management | CM-5 (5) | Limit Production / Operational Privileges | Limit privileges to make changes in production environment | 1.1.0 |
| Configuration Management | CM-5 (5) | Limit Production / Operational Privileges | Review and reevaluate privileges | 1.1.0 |
| Configuration Management | CM-6 | Configuration Settings | Enforce security configuration settings | 1.1.0 |
| Configuration Management | CM-6 | Configuration Settings | Remediate information system flaws | 1.1.0 |
| Configuration Management | CM-6 (1) | Automated Central Management / Application / Verification | Enforce security configuration settings | 1.1.0 |
| Configuration Management | CM-6 (1) | Automated Central Management / Application / Verification | Govern compliance of cloud service providers | 1.1.0 |
| Configuration Management | CM-6 (1) | Automated Central Management / Application / Verification | View and configure system diagnostic data | 1.1.0 |
| Configuration Management | CM-7 | Least Functionality | Azure Defender for servers should be enabled | 1.0.3 |
| Configuration Management | CM-8 | Information System Component Inventory | Create a data inventory | 1.1.0 |
| Configuration Management | CM-8 | Information System Component Inventory | Maintain records of processing of personal data | 1.1.0 |
| Configuration Management | CM-8 (1) | Updates During Installations / Removals | Create a data inventory | 1.1.0 |
| Configuration Management | CM-8 (1) | Updates During Installations / Removals | Maintain records of processing of personal data | 1.1.0 |
| Configuration Management | CM-8 (3) | Automated Unauthorized Component Detection | Enable detection of network devices | 1.1.0 |
| Configuration Management | CM-8 (3) | Automated Unauthorized Component Detection | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| Configuration Management | CM-8 (4) | Accountability Information | Create a data inventory | 1.1.0 |
| Configuration Management | CM-8 (4) | Accountability Information | Establish and maintain an asset inventory | 1.1.0 |
| Configuration Management | CM-9 | Configuration Management Plan | Create configuration plan protection | 1.1.0 |
| Configuration Management | CM-9 | Configuration Management Plan | Develop and maintain baseline configurations | 1.1.0 |
| Configuration Management | CM-9 | Configuration Management Plan | Develop configuration item identification plan | 1.1.0 |
| Configuration Management | CM-9 | Configuration Management Plan | Develop configuration management plan | 1.1.0 |
| Configuration Management | CM-9 | Configuration Management Plan | Establish and document a configuration management plan | 1.1.0 |
| Configuration Management | CM-9 | Configuration Management Plan | Implement an automated configuration management tool | 1.1.0 |
| Configuration Management | CM-10 | Software Usage Restrictions | Require compliance with intellectual property rights | 1.1.0 |
| Configuration Management | CM-10 | Software Usage Restrictions | Track software license usage | 1.1.0 |
| Configuration Management | CM-10 (1) | Open Source Software | Restrict use of open source software | 1.1.0 |
| Contingency Planning | CP-1 | Contingency Planning Policy And Procedures | Review and update contingency planning policies and procedures | 1.1.0 |
| Contingency Planning | CP-2 | Contingency Plan | Communicate contingency plan changes | 1.1.0 |
| Contingency Planning | CP-2 | Contingency Plan | Coordinate contingency plans with related plans | 1.1.0 |
| Contingency Planning | CP-2 | Contingency Plan | Develop and document a business continuity and disaster recovery plan | 1.1.0 |
| Contingency Planning | CP-2 | Contingency Plan | Develop contingency plan | 1.1.0 |
| Contingency Planning | CP-2 | Contingency Plan | Develop contingency planning policies and procedures | 1.1.0 |
| Contingency Planning | CP-2 | Contingency Plan | Distribute policies and procedures | 1.1.0 |
| Contingency Planning | CP-2 | Contingency Plan | Review contingency plan | 1.1.0 |
| Contingency Planning | CP-2 | Contingency Plan | Update contingency plan | 1.1.0 |
| Contingency Planning | CP-2 (1) | Coordinate With Related Plans | Coordinate contingency plans with related plans | 1.1.0 |
| Contingency Planning | CP-2 (2) | Capacity Planning | Conduct capacity planning | 1.1.0 |
| Contingency Planning | CP-2 (3) | Resume Essential Missions / Business Functions | Plan for resumption of essential business functions | 1.1.0 |
| Contingency Planning | CP-2 (4) | Resume All Missions / Business Functions | Resume all mission and business functions | 1.1.0 |
| Contingency Planning | CP-2 (5) | Continue Essential Missions / Business Functions | Plan for continuance of essential business functions | 1.1.0 |
| Contingency Planning | CP-2 (8) | Identify Critical Assets | Perform a business impact assessment and application criticality assessment | 1.1.0 |
| Contingency Planning | CP-3 | Contingency Training | Provide contingency training | 1.1.0 |
| Contingency Planning | CP-3 (1) | Simulated Events | Incorporate simulated contingency training | 1.1.0 |
| Contingency Planning | CP-4 | Contingency Plan Testing | Initiate contingency plan testing corrective actions | 1.1.0 |
| Contingency Planning | CP-4 | Contingency Plan Testing | Review the results of contingency plan testing | 1.1.0 |
| Contingency Planning | CP-4 | Contingency Plan Testing | Test the business continuity and disaster recovery plan | 1.1.0 |
| Contingency Planning | CP-4 (1) | Coordinate With Related Plans | Coordinate contingency plans with related plans | 1.1.0 |
| Contingency Planning | CP-4 (2) | Alternate Processing Site | Evaluate alternate processing site capabilities | 1.1.0 |
| Contingency Planning | CP-4 (2) | Alternate Processing Site | Test contingency plan at an alternate processing location | 1.1.0 |
| Contingency Planning | CP-6 | Alternate Storage Site | Ensure alternate storage site safeguards are equivalent to primary site | 1.1.0 |
| Contingency Planning | CP-6 | Alternate Storage Site | Establish alternate storage site to store and retrieve backup information | 1.1.0 |
| Contingency Planning | CP-6 (1) | Separation From Primary Site | Create separate alternate and primary storage sites | 1.1.0 |
| Contingency Planning | CP-6 (2) | Recovery Time / Point Objectives | Establish alternate storage site that facilitates recovery operations | 1.1.0 |
| Contingency Planning | CP-6 (3) | Accessibility | Identify and mitigate potential issues at alternate storage site | 1.1.0 |
| Contingency Planning | CP-7 | Alternate Processing Site | Audit virtual machines without disaster recovery configured | 1.0.0 |
| Contingency Planning | CP-7 | Alternate Processing Site | Establish an alternate processing site | 1.1.0 |
| Contingency Planning | CP-7 (1) | Separation From Primary Site | Establish an alternate processing site | 1.1.0 |
| Contingency Planning | CP-7 (2) | Accessibility | Establish an alternate processing site | 1.1.0 |
| Contingency Planning | CP-7 (3) | Priority Of Service | Establish an alternate processing site | 1.1.0 |
| Contingency Planning | CP-7 (3) | Priority Of Service | Establish requirements for internet service providers | 1.1.0 |
| Contingency Planning | CP-7 (4) | Preparation For Use | Prepare alternate processing site for use as operational site | 1.1.0 |
| Contingency Planning | CP-8 (1) | Priority Of Service Provisions | Establish requirements for internet service providers | 1.1.0 |
| Contingency Planning | CP-9 | Information System Backup | Conduct backup of information system documentation | 1.1.0 |
| Contingency Planning | CP-9 | Information System Backup | Establish backup policies and procedures | 1.1.0 |
| Contingency Planning | CP-9 | Information System Backup | Implement controls to secure all media | 1.1.0 |
| Contingency Planning | CP-9 (3) | Separate Storage For Critical Information | Separately store backup information | 1.1.0 |
| Contingency Planning | CP-9 (5) | Transfer To Alternate Storage Site | Transfer backup information to an alternate storage site | 1.1.0 |
| Contingency Planning | CP-10 | Information System Recovery And Reconstitution | Recover and reconstitute resources after any disruption | 1.1.1 |
| Contingency Planning | CP-10 (2) | Transaction Recovery | Implement transaction based recovery | 1.1.0 |
| Contingency Planning | CP-10 (4) | Restore Within Time Period | Restore resources to operational state | 1.1.1 |
| Identification And Authentication | IA-1 | Identification And Authentication Policy And Procedures | Review and update identification and authentication policies and procedures | 1.1.0 |
| Identification And Authentication | IA-2 | Identification And Authentication (Organizational Users) | Accounts with owner permissions on Azure resources should be MFA enabled | 1.0.0 |
| Identification And Authentication | IA-2 | Identification And Authentication (Organizational Users) | Accounts with read permissions on Azure resources should be MFA enabled | 1.0.0 |
| Identification And Authentication | IA-2 | Identification And Authentication (Organizational Users) | Accounts with write permissions on Azure resources should be MFA enabled | 1.0.0 |
| Identification And Authentication | IA-2 | Identification And Authentication (Organizational Users) | Enforce user uniqueness | 1.1.0 |
| Identification And Authentication | IA-2 | Identification And Authentication (Organizational Users) | Support personal verification credentials issued by legal authorities | 1.1.0 |
| Identification And Authentication | IA-2 (1) | Network Access To Privileged Accounts | Accounts with owner permissions on Azure resources should be MFA enabled | 1.0.0 |
| Identification And Authentication | IA-2 (1) | Network Access To Privileged Accounts | Accounts with write permissions on Azure resources should be MFA enabled | 1.0.0 |
| Identification And Authentication | IA-2 (1) | Network Access To Privileged Accounts | Adopt biometric authentication mechanisms | 1.1.0 |
| Identification And Authentication | IA-2 (2) | Network Access To Non-Privileged Accounts | Accounts with read permissions on Azure resources should be MFA enabled | 1.0.0 |
| Identification And Authentication | IA-2 (2) | Network Access To Non-Privileged Accounts | Adopt biometric authentication mechanisms | 1.1.0 |
| Identification And Authentication | IA-2 (3) | Local Access To Privileged Accounts | Adopt biometric authentication mechanisms | 1.1.0 |
| Identification And Authentication | IA-2 (5) | Group Authentication | Require use of individual authenticators | 1.1.0 |
| Identification And Authentication | IA-2 (11) | Remote Access - Separate Device | Adopt biometric authentication mechanisms | 1.1.0 |
| Identification And Authentication | IA-2 (11) | Remote Access - Separate Device | Identify and authenticate network devices | 1.1.0 |
| Identification And Authentication | IA-2 (12) | Acceptance Of Piv Credentials | Support personal verification credentials issued by legal authorities | 1.1.0 |
| Identification And Authentication | IA-4 | Identifier Management | Assign system identifiers | 1.1.0 |
| Identification And Authentication | IA-4 | Identifier Management | Prevent identifier reuse for the defined time period | 1.1.0 |
| Identification And Authentication | IA-4 (4) | Identify User Status | Identify status of individual users | 1.1.0 |
| Identification And Authentication | IA-5 | Authenticator Management | Establish authenticator types and processes | 1.1.0 |
| Identification And Authentication | IA-5 | Authenticator Management | Establish procedures for initial authenticator distribution | 1.1.0 |
| Identification And Authentication | IA-5 | Authenticator Management | Implement training for protecting authenticators | 1.1.0 |
| Identification And Authentication | IA-5 | Authenticator Management | Manage authenticator lifetime and reuse | 1.1.0 |
| Identification And Authentication | IA-5 | Authenticator Management | Manage Authenticators | 1.1.0 |
| Identification And Authentication | IA-5 | Authenticator Management | Refresh authenticators | 1.1.0 |
| Identification And Authentication | IA-5 | Authenticator Management | Reissue authenticators for changed groups and accounts | 1.1.0 |
| Identification And Authentication | IA-5 | Authenticator Management | Verify identity before distributing authenticators | 1.1.0 |
| Identification And Authentication | IA-5 (1) | Password-Based Authentication | Document security strength requirements in acquisition contracts | 1.1.0 |
| Identification And Authentication | IA-5 (1) | Password-Based Authentication | Establish a password policy | 1.1.0 |
| Identification And Authentication | IA-5 (1) | Password-Based Authentication | Implement parameters for memorized secret verifiers | 1.1.0 |
| Identification And Authentication | IA-5 (1) | Password-Based Authentication | Protect passwords with encryption | 1.1.0 |
| Identification And Authentication | IA-5 (2) | Pki-Based Authentication | Bind authenticators and identities dynamically | 1.1.0 |
| Identification And Authentication | IA-5 (2) | Pki-Based Authentication | Establish authenticator types and processes | 1.1.0 |
| Identification And Authentication | IA-5 (2) | Pki-Based Authentication | Establish parameters for searching secret authenticators and verifiers | 1.1.0 |
| Identification And Authentication | IA-5 (2) | Pki-Based Authentication | Establish procedures for initial authenticator distribution | 1.1.0 |
| Identification And Authentication | IA-5 (2) | Pki-Based Authentication | Map authenticated identities to individuals | 1.1.0 |
| Identification And Authentication | IA-5 (2) | Pki-Based Authentication | Restrict access to private keys | 1.1.0 |
| Identification And Authentication | IA-5 (2) | Pki-Based Authentication | Verify identity before distributing authenticators | 1.1.0 |
| Identification And Authentication | IA-5 (3) | In-Person Or Trusted Third-Party Registration | Distribute authenticators | 1.1.0 |
| Identification And Authentication | IA-5 (4) | Automated Support For Password Strength Determination | Document security strength requirements in acquisition contracts | 1.1.0 |
| Identification And Authentication | IA-5 (4) | Automated Support For Password Strength Determination | Establish a password policy | 1.1.0 |
| Identification And Authentication | IA-5 (4) | Automated Support For Password Strength Determination | Implement parameters for memorized secret verifiers | 1.1.0 |
| Identification And Authentication | IA-5 (6) | Protection Of Authenticators | Ensure authorized users protect provided authenticators | 1.1.0 |
| Identification And Authentication | IA-5 (7) | No Embedded Unencrypted Static Authenticators | Ensure there are no unencrypted static authenticators | 1.1.0 |
| Identification And Authentication | IA-5 (11) | Hardware Token-Based Authentication | Satisfy token quality requirements | 1.1.0 |
| Identification And Authentication | IA-5 (13) | Expiration Of Cached Authenticators | Enforce expiration of cached authenticators | 1.1.0 |
| Identification And Authentication | IA-6 | Authenticator Feedback | Obscure feedback information during authentication process | 1.1.0 |
| Identification And Authentication | IA-7 | Cryptographic Module Authentication | Authenticate to cryptographic module | 1.1.0 |
| Identification And Authentication | IA-8 | Identification And Authentication (Non- Organizational Users) | Identify and authenticate non-organizational users | 1.1.0 |
| Identification And Authentication | IA-8 (1) | Acceptance Of Piv Credentials From Other Agencies | Accept PIV credentials | 1.1.0 |
| Identification And Authentication | IA-8 (2) | Acceptance Of Third-Party Credentials | Accept only FICAM-approved third-party credentials | 1.1.0 |
| Identification And Authentication | IA-8 (3) | Use Of Ficam-Approved Products | Employ FICAM-approved resources to accept third-party credentials | 1.1.0 |
| Identification And Authentication | IA-8 (4) | Use Of Ficam-Issued Profiles | Conform to FICAM-issued profiles | 1.1.0 |
| Incident Response | IR-1 | Incident Response Policy And Procedures | Review and update incident response policies and procedures | 1.1.0 |
| Incident Response | IR-2 | Incident Response Training | Provide information spillage training | 1.1.0 |
| Incident Response | IR-2 (1) | Simulated Events | Incorporate simulated events into incident response training | 1.1.0 |
| Incident Response | IR-2 (2) | Automated Training Environments | Employ automated training environment | 1.1.0 |
| Incident Response | IR-3 | Incident Response Testing | Conduct incident response testing | 1.1.0 |
| Incident Response | IR-3 | Incident Response Testing | Establish an information security program | 1.1.0 |
| Incident Response | IR-3 | Incident Response Testing | Run simulation attacks | 1.1.0 |
| Incident Response | IR-3 (2) | Coordination With Related Plans | Conduct incident response testing | 1.1.0 |
| Incident Response | IR-3 (2) | Coordination With Related Plans | Establish an information security program | 1.1.0 |
| Incident Response | IR-3 (2) | Coordination With Related Plans | Run simulation attacks | 1.1.0 |
| Incident Response | IR-4 | Incident Handling | Assess information security events | 1.1.0 |
| Incident Response | IR-4 | Incident Handling | Azure Defender for App Service should be enabled | 1.0.3 |
| Incident Response | IR-4 | Incident Handling | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Incident Response | IR-4 | Incident Handling | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Incident Response | IR-4 | Incident Handling | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| Incident Response | IR-4 | Incident Handling | Azure Defender for servers should be enabled | 1.0.3 |
| Incident Response | IR-4 | Incident Handling | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Incident Response | IR-4 | Incident Handling | Coordinate contingency plans with related plans | 1.1.0 |
| Incident Response | IR-4 | Incident Handling | Develop an incident response plan | 1.1.0 |
| Incident Response | IR-4 | Incident Handling | Develop security safeguards | 1.1.0 |
| Incident Response | IR-4 | Incident Handling | Email notification for high severity alerts should be enabled | 1.1.0 |
| Incident Response | IR-4 | Incident Handling | Email notification to subscription owner for high severity alerts should be enabled | 2.1.0 |
| Incident Response | IR-4 | Incident Handling | Enable network protection | 1.1.0 |
| Incident Response | IR-4 | Incident Handling | Eradicate contaminated information | 1.1.0 |
| Incident Response | IR-4 | Incident Handling | Execute actions in response to information spills | 1.1.0 |
| Incident Response | IR-4 | Incident Handling | Implement incident handling | 1.1.0 |
| Incident Response | IR-4 | Incident Handling | Maintain incident response plan | 1.1.0 |
| Incident Response | IR-4 | Incident Handling | Microsoft Defender for Containers should be enabled | 1.0.0 |
| Incident Response | IR-4 | Incident Handling | Microsoft Defender for Storage should be enabled | 1.0.0 |
| Incident Response | IR-4 | Incident Handling | Perform a trend analysis on threats | 1.1.0 |
| Incident Response | IR-4 | Incident Handling | Subscriptions should have a contact email address for security issues | 1.0.1 |
| Incident Response | IR-4 | Incident Handling | View and investigate restricted users | 1.1.0 |
| Incident Response | IR-4 (1) | Automated Incident Handling Processes | Develop an incident response plan | 1.1.0 |
| Incident Response | IR-4 (1) | Automated Incident Handling Processes | Enable network protection | 1.1.0 |
| Incident Response | IR-4 (1) | Automated Incident Handling Processes | Implement incident handling | 1.1.0 |
| Incident Response | IR-4 (2) | Dynamic Reconfiguration | Include dynamic reconfig of customer deployed resources | 1.1.0 |
| Incident Response | IR-4 (3) | Continuity Of Operations | Identify classes of Incidents and Actions taken | 1.1.0 |
| Incident Response | IR-4 (4) | Information Correlation | Implement incident handling | 1.1.0 |
| Incident Response | IR-4 (6) | Insider Threats - Specific Capabilities | Implement Incident handling capability | 1.1.0 |
| Incident Response | IR-4 (8) | Correlation With External Organizations | Coordinate with external organizations to achieve cross org perspective | 1.1.0 |
| Incident Response | IR-5 | Incident Monitoring | Azure Defender for App Service should be enabled | 1.0.3 |
| Incident Response | IR-5 | Incident Monitoring | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Incident Response | IR-5 | Incident Monitoring | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Incident Response | IR-5 | Incident Monitoring | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| Incident Response | IR-5 | Incident Monitoring | Azure Defender for servers should be enabled | 1.0.3 |
| Incident Response | IR-5 | Incident Monitoring | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Incident Response | IR-5 | Incident Monitoring | Email notification for high severity alerts should be enabled | 1.1.0 |
| Incident Response | IR-5 | Incident Monitoring | Email notification to subscription owner for high severity alerts should be enabled | 2.1.0 |
| Incident Response | IR-5 | Incident Monitoring | Microsoft Defender for Containers should be enabled | 1.0.0 |
| Incident Response | IR-5 | Incident Monitoring | Microsoft Defender for Storage should be enabled | 1.0.0 |
| Incident Response | IR-5 | Incident Monitoring | Subscriptions should have a contact email address for security issues | 1.0.1 |
| Incident Response | IR-6 (1) | Automated Reporting | Document security operations | 1.1.0 |
| Incident Response | IR-7 | Incident Response Assistance | Document security operations | 1.1.0 |
| Incident Response | IR-7 (1) | Automation Support For Availability Of Information / Support | Develop an incident response plan | 1.1.0 |
| Incident Response | IR-7 (1) | Automation Support For Availability Of Information / Support | Enable network protection | 1.1.0 |
| Incident Response | IR-7 (1) | Automation Support For Availability Of Information / Support | Eradicate contaminated information | 1.1.0 |
| Incident Response | IR-7 (1) | Automation Support For Availability Of Information / Support | Execute actions in response to information spills | 1.1.0 |
| Incident Response | IR-7 (1) | Automation Support For Availability Of Information / Support | Implement incident handling | 1.1.0 |
| Incident Response | IR-7 (1) | Automation Support For Availability Of Information / Support | Perform a trend analysis on threats | 1.1.0 |
| Incident Response | IR-7 (1) | Automation Support For Availability Of Information / Support | View and investigate restricted users | 1.1.0 |
| Incident Response | IR-7 (2) | Coordination With External Providers | Establish relationship between incident response capability and external providers | 1.1.0 |
| Incident Response | IR-7 (2) | Coordination With External Providers | Identify incident response personnel | 1.1.0 |
| Incident Response | IR-8 | Incident Response Plan | Assess information security events | 1.1.0 |
| Incident Response | IR-8 | Incident Response Plan | Develop an incident response plan | 1.1.0 |
| Incident Response | IR-8 | Incident Response Plan | Implement incident handling | 1.1.0 |
| Incident Response | IR-8 | Incident Response Plan | Maintain data breach records | 1.1.0 |
| Incident Response | IR-8 | Incident Response Plan | Maintain incident response plan | 1.1.0 |
| Incident Response | IR-8 | Incident Response Plan | Protect incident response plan | 1.1.0 |
| Incident Response | IR-9 | Information Spillage Response | Alert personnel of information spillage | 1.1.0 |
| Incident Response | IR-9 | Information Spillage Response | Develop an incident response plan | 1.1.0 |
| Incident Response | IR-9 | Information Spillage Response | Eradicate contaminated information | 1.1.0 |
| Incident Response | IR-9 | Information Spillage Response | Execute actions in response to information spills | 1.1.0 |
| Incident Response | IR-9 | Information Spillage Response | Identify contaminated systems and components | 1.1.0 |
| Incident Response | IR-9 | Information Spillage Response | Identify spilled information | 1.1.0 |
| Incident Response | IR-9 | Information Spillage Response | Isolate information spills | 1.1.0 |
| Incident Response | IR-9 (1) | Responsible Personnel | Identify incident response personnel | 1.1.0 |
| Incident Response | IR-9 (2) | Training | Provide information spillage training | 1.1.0 |
| Incident Response | IR-9 (3) | Post-Spill Operations | Develop spillage response procedures | 1.1.0 |
| Incident Response | IR-9 (4) | Exposure To Unauthorized Personnel | Develop security safeguards | 1.1.0 |
| Maintenance | MA-1 | System Maintenance Policy And Procedures | Review and update system maintenance policies and procedures | 1.1.0 |
| Maintenance | MA-2 | Controlled Maintenance | Control maintenance and repair activities | 1.1.0 |
| Maintenance | MA-2 | Controlled Maintenance | Employ a media sanitization mechanism | 1.1.0 |
| Maintenance | MA-2 | Controlled Maintenance | Implement controls to secure all media | 1.1.0 |
| Maintenance | MA-2 | Controlled Maintenance | Manage nonlocal maintenance and diagnostic activities | 1.1.0 |
| Maintenance | MA-2 (2) | Automated Maintenance Activities | Automate remote maintenance activities | 1.1.0 |
| Maintenance | MA-2 (2) | Automated Maintenance Activities | Produce complete records of remote maintenance activities | 1.1.0 |
| Maintenance | MA-3 | Maintenance Tools | Control maintenance and repair activities | 1.1.0 |
| Maintenance | MA-3 | Maintenance Tools | Manage nonlocal maintenance and diagnostic activities | 1.1.0 |
| Maintenance | MA-3 (1) | Inspect Tools | Control maintenance and repair activities | 1.1.0 |
| Maintenance | MA-3 (1) | Inspect Tools | Manage nonlocal maintenance and diagnostic activities | 1.1.0 |
| Maintenance | MA-3 (2) | Inspect Media | Control maintenance and repair activities | 1.1.0 |
| Maintenance | MA-3 (2) | Inspect Media | Manage nonlocal maintenance and diagnostic activities | 1.1.0 |
| Maintenance | MA-3 (3) | Prevent Unauthorized Removal | Control maintenance and repair activities | 1.1.0 |
| Maintenance | MA-3 (3) | Prevent Unauthorized Removal | Employ a media sanitization mechanism | 1.1.0 |
| Maintenance | MA-3 (3) | Prevent Unauthorized Removal | Implement controls to secure all media | 1.1.0 |
| Maintenance | MA-3 (3) | Prevent Unauthorized Removal | Manage nonlocal maintenance and diagnostic activities | 1.1.0 |
| Maintenance | MA-4 | Nonlocal Maintenance | Manage nonlocal maintenance and diagnostic activities | 1.1.0 |
| Maintenance | MA-4 (2) | Document Nonlocal Maintenance | Manage nonlocal maintenance and diagnostic activities | 1.1.0 |
| Maintenance | MA-4 (3) | Comparable Security / Sanitization | Perform all non-local maintenance | 1.1.0 |
| Maintenance | MA-4 (6) | Cryptographic Protection | Implement cryptographic mechanisms | 1.1.0 |
| Maintenance | MA-5 | Maintenance Personnel | Designate personnel to supervise unauthorized maintenance activities | 1.1.0 |
| Maintenance | MA-5 | Maintenance Personnel | Maintain list of authorized remote maintenance personnel | 1.1.0 |
| Maintenance | MA-5 | Maintenance Personnel | Manage maintenance personnel | 1.1.0 |
| Maintenance | MA-5 (1) | Individuals Without Appropriate Access | Employ a media sanitization mechanism | 1.1.0 |
| Maintenance | MA-5 (1) | Individuals Without Appropriate Access | Implement controls to secure all media | 1.1.0 |
| Maintenance | MA-6 | Timely Maintenance | Provide timely maintenance support | 1.1.0 |
| Media Protection | MP-1 | Media Protection Policy And Procedures | Review and update media protection policies and procedures | 1.1.0 |
| Media Protection | MP-2 | Media Access | Implement controls to secure all media | 1.1.0 |
| Media Protection | MP-3 | Media Marking | Implement controls to secure all media | 1.1.0 |
| Media Protection | MP-4 | Media Storage | Employ a media sanitization mechanism | 1.1.0 |
| Media Protection | MP-4 | Media Storage | Implement controls to secure all media | 1.1.0 |
| Media Protection | MP-5 | Media Transport | Implement controls to secure all media | 1.1.0 |
| Media Protection | MP-5 | Media Transport | Manage the transportation of assets | 1.1.0 |
| Media Protection | MP-5 (4) | Cryptographic Protection | Implement controls to secure all media | 1.1.0 |
| Media Protection | MP-5 (4) | Cryptographic Protection | Manage the transportation of assets | 1.1.0 |
| Media Protection | MP-6 | Media Sanitization | Employ a media sanitization mechanism | 1.1.0 |
| Media Protection | MP-6 | Media Sanitization | Implement controls to secure all media | 1.1.0 |
| Media Protection | MP-6 (1) | Review / Approve / Track / Document / Verify | Employ a media sanitization mechanism | 1.1.0 |
| Media Protection | MP-6 (1) | Review / Approve / Track / Document / Verify | Implement controls to secure all media | 1.1.0 |
| Media Protection | MP-6 (2) | Equipment Testing | Employ a media sanitization mechanism | 1.1.0 |
| Media Protection | MP-6 (2) | Equipment Testing | Implement controls to secure all media | 1.1.0 |
| Media Protection | MP-7 | Media Use | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| Media Protection | MP-7 | Media Use | Control use of portable storage devices | 1.1.0 |
| Media Protection | MP-7 | Media Use | Implement controls to secure all media | 1.1.0 |
| Media Protection | MP-7 | Media Use | Restrict media use | 1.1.0 |
| Media Protection | MP-7 (1) | Prohibit Use Without Owner | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| Media Protection | MP-7 (1) | Prohibit Use Without Owner | Control use of portable storage devices | 1.1.0 |
| Media Protection | MP-7 (1) | Prohibit Use Without Owner | Implement controls to secure all media | 1.1.0 |
| Media Protection | MP-7 (1) | Prohibit Use Without Owner | Restrict media use | 1.1.0 |
| Physical And Environmental Protection | PE-1 | Physical And Environmental Protection Policy And Procedures | Review and update physical and environmental policies and procedures | 1.1.0 |
| Physical And Environmental Protection | PE-2 | Physical Access Authorizations | Control physical access | 1.1.0 |
| Physical And Environmental Protection | PE-3 | Physical Access Control | Control physical access | 1.1.0 |
| Physical And Environmental Protection | PE-3 | Physical Access Control | Define a physical key management process | 1.1.0 |
| Physical And Environmental Protection | PE-3 | Physical Access Control | Establish and maintain an asset inventory | 1.1.0 |
| Physical And Environmental Protection | PE-3 | Physical Access Control | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Physical And Environmental Protection | PE-4 | Access Control For Transmission Medium | Control physical access | 1.1.0 |
| Physical And Environmental Protection | PE-4 | Access Control For Transmission Medium | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Physical And Environmental Protection | PE-5 | Access Control For Output Devices | Control physical access | 1.1.0 |
| Physical And Environmental Protection | PE-5 | Access Control For Output Devices | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Physical And Environmental Protection | PE-5 | Access Control For Output Devices | Manage the input, output, processing, and storage of data | 1.1.0 |
| Physical And Environmental Protection | PE-6 (1) | Intrusion Alarms / Surveillance Equipment | Install an alarm system | 1.1.0 |
| Physical And Environmental Protection | PE-6 (1) | Intrusion Alarms / Surveillance Equipment | Manage a secure surveillance camera system | 1.1.0 |
| Physical And Environmental Protection | PE-8 | Visitor Access Records | Control physical access | 1.1.0 |
| Physical And Environmental Protection | PE-8 | Visitor Access Records | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Physical And Environmental Protection | PE-12 | Emergency Lighting | Employ automatic emergency lighting | 1.1.0 |
| Physical And Environmental Protection | PE-13 | Fire Protection | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Physical And Environmental Protection | PE-13 (1) | Detection Devices / Systems | Implement a penetration testing methodology | 1.1.0 |
| Physical And Environmental Protection | PE-13 (1) | Detection Devices / Systems | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Physical And Environmental Protection | PE-13 (1) | Detection Devices / Systems | Run simulation attacks | 1.1.0 |
| Physical And Environmental Protection | PE-13 (2) | Suppression Devices / Systems | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Physical And Environmental Protection | PE-13 (3) | Automatic Fire Suppression | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Physical And Environmental Protection | PE-14 | Temperature And Humidity Controls | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Physical And Environmental Protection | PE-14 (2) | Monitoring With Alarms / Notifications | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Physical And Environmental Protection | PE-14 (2) | Monitoring With Alarms / Notifications | Install an alarm system | 1.1.0 |
| Physical And Environmental Protection | PE-15 | Water Damage Protection | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Physical And Environmental Protection | PE-16 | Delivery And Removal | Define requirements for managing assets | 1.1.0 |
| Physical And Environmental Protection | PE-16 | Delivery And Removal | Manage the transportation of assets | 1.1.0 |
| Physical And Environmental Protection | PE-17 | Alternate Work Site | Implement controls to secure alternate work sites | 1.1.0 |
| Physical And Environmental Protection | PE-18 | Location Of Information System Components | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Planning | PL-1 | Security Planning Policy And Procedures | Review and update planning policies and procedures | 1.1.0 |
| Planning | PL-2 | System Security Plan | Develop and establish a system security plan | 1.1.0 |
| Planning | PL-2 | System Security Plan | Develop information security policies and procedures | 1.1.0 |
| Planning | PL-2 | System Security Plan | Develop SSP that meets criteria | 1.1.0 |
| Planning | PL-2 | System Security Plan | Establish a privacy program | 1.1.0 |
| Planning | PL-2 | System Security Plan | Establish security requirements for the manufacturing of connected devices | 1.1.0 |
| Planning | PL-2 | System Security Plan | Implement security engineering principles of information systems | 1.1.0 |
| Planning | PL-2 (3) | Plan / Coordinate With Other Organizational Entities | Develop and establish a system security plan | 1.1.0 |
| Planning | PL-2 (3) | Plan / Coordinate With Other Organizational Entities | Establish security requirements for the manufacturing of connected devices | 1.1.0 |
| Planning | PL-2 (3) | Plan / Coordinate With Other Organizational Entities | Implement security engineering principles of information systems | 1.1.0 |
| Planning | PL-4 | Rules Of Behavior | Develop acceptable use policies and procedures | 1.1.0 |
| Planning | PL-4 | Rules Of Behavior | Develop organization code of conduct policy | 1.1.0 |
| Planning | PL-4 | Rules Of Behavior | Document personnel acceptance of privacy requirements | 1.1.0 |
| Planning | PL-4 | Rules Of Behavior | Enforce rules of behavior and access agreements | 1.1.0 |
| Planning | PL-4 | Rules Of Behavior | Prohibit unfair practices | 1.1.0 |
| Planning | PL-4 | Rules Of Behavior | Review and sign revised rules of behavior | 1.1.0 |
| Planning | PL-4 | Rules Of Behavior | Update information security policies | 1.1.0 |
| Planning | PL-4 | Rules Of Behavior | Update rules of behavior and access agreements | 1.1.0 |
| Planning | PL-4 | Rules Of Behavior | Update rules of behavior and access agreements every 3 years | 1.1.0 |
| Planning | PL-4 (1) | Social Media And Networking Restrictions | Develop acceptable use policies and procedures | 1.1.0 |
| Planning | PL-8 | Information Security Architecture | Develop a concept of operations (CONOPS) | 1.1.0 |
| Planning | PL-8 | Information Security Architecture | Review and update the information security architecture | 1.1.0 |
| Personnel Security | PS-1 | Personnel Security Policy And Procedures | Review and update personnel security policies and procedures | 1.1.0 |
| Personnel Security | PS-2 | Position Risk Designation | Assign risk designations | 1.1.0 |
| Personnel Security | PS-3 | Personnel Screening | Clear personnel with access to classified information | 1.1.0 |
| Personnel Security | PS-3 | Personnel Screening | Implement personnel screening | 1.1.0 |
| Personnel Security | PS-3 | Personnel Screening | Rescreen individuals at a defined frequency | 1.1.0 |
| Personnel Security | PS-3 (3) | Information With Special Protection Measures | Protect special information | 1.1.0 |
| Personnel Security | PS-4 | Personnel Termination | Conduct exit interview upon termination | 1.1.0 |
| Personnel Security | PS-4 | Personnel Termination | Disable authenticators upon termination | 1.1.0 |
| Personnel Security | PS-4 | Personnel Termination | Notify upon termination or transfer | 1.1.0 |
| Personnel Security | PS-4 | Personnel Termination | Protect against and prevent data theft from departing employees | 1.1.0 |
| Personnel Security | PS-4 | Personnel Termination | Retain terminated user data | 1.1.0 |
| Personnel Security | PS-4 (2) | Automated Notification | Automate notification of employee termination | 1.1.0 |
| Personnel Security | PS-5 | Personnel Transfer | Initiate transfer or reassignment actions | 1.1.0 |
| Personnel Security | PS-5 | Personnel Transfer | Modify access authorizations upon personnel transfer | 1.1.0 |
| Personnel Security | PS-5 | Personnel Transfer | Notify upon termination or transfer | 1.1.0 |
| Personnel Security | PS-5 | Personnel Transfer | Reevaluate access upon personnel transfer | 1.1.0 |
| Personnel Security | PS-6 | Access Agreements | Document organizational access agreements | 1.1.0 |
| Personnel Security | PS-6 | Access Agreements | Enforce rules of behavior and access agreements | 1.1.0 |
| Personnel Security | PS-6 | Access Agreements | Ensure access agreements are signed or resigned timely | 1.1.0 |
| Personnel Security | PS-6 | Access Agreements | Require users to sign access agreement | 1.1.0 |
| Personnel Security | PS-6 | Access Agreements | Update organizational access agreements | 1.1.0 |
| Personnel Security | PS-7 | Third-Party Personnel Security | Document third-party personnel security requirements | 1.1.0 |
| Personnel Security | PS-7 | Third-Party Personnel Security | Establish third-party personnel security requirements | 1.1.0 |
| Personnel Security | PS-7 | Third-Party Personnel Security | Monitor third-party provider compliance | 1.1.0 |
| Personnel Security | PS-7 | Third-Party Personnel Security | Require notification of third-party personnel transfer or termination | 1.1.0 |
| Personnel Security | PS-7 | Third-Party Personnel Security | Require third-party providers to comply with personnel security policies and procedures | 1.1.0 |
| Personnel Security | PS-8 | Personnel Sanctions | Implement formal sanctions process | 1.1.0 |
| Personnel Security | PS-8 | Personnel Sanctions | Notify personnel upon sanctions | 1.1.0 |
| Risk Assessment | RA-1 | Risk Assessment Policy And Procedures | Review and update risk assessment policies and procedures | 1.1.0 |
| Risk Assessment | RA-2 | Security Categorization | Categorize information | 1.1.0 |
| Risk Assessment | RA-2 | Security Categorization | Develop business classification schemes | 1.1.0 |
| Risk Assessment | RA-2 | Security Categorization | Ensure security categorization is approved | 1.1.0 |
| Risk Assessment | RA-2 | Security Categorization | Review label activity and analytics | 1.1.0 |
| Risk Assessment | RA-3 | Risk Assessment | Conduct Risk Assessment | 1.1.0 |
| Risk Assessment | RA-3 | Risk Assessment | Conduct risk assessment and distribute its results | 1.1.0 |
| Risk Assessment | RA-3 | Risk Assessment | Conduct risk assessment and document its results | 1.1.0 |
| Risk Assessment | RA-3 | Risk Assessment | Perform a risk assessment | 1.1.0 |
| Risk Assessment | RA-5 | Vulnerability Scanning | Azure Defender for App Service should be enabled | 1.0.3 |
| Risk Assessment | RA-5 | Vulnerability Scanning | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Risk Assessment | RA-5 | Vulnerability Scanning | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Risk Assessment | RA-5 | Vulnerability Scanning | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| Risk Assessment | RA-5 | Vulnerability Scanning | Azure Defender for servers should be enabled | 1.0.3 |
| Risk Assessment | RA-5 | Vulnerability Scanning | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Risk Assessment | RA-5 | Vulnerability Scanning | Microsoft Defender for Containers should be enabled | 1.0.0 |
| Risk Assessment | RA-5 | Vulnerability Scanning | Microsoft Defender for Storage should be enabled | 1.0.0 |
| Risk Assessment | RA-5 | Vulnerability Scanning | Perform vulnerability scans | 1.1.0 |
| Risk Assessment | RA-5 | Vulnerability Scanning | Remediate information system flaws | 1.1.0 |
| Risk Assessment | RA-5 (1) | Update Tool Capability | Perform vulnerability scans | 1.1.0 |
| Risk Assessment | RA-5 (1) | Update Tool Capability | Remediate information system flaws | 1.1.0 |
| Risk Assessment | RA-5 (2) | Update By Frequency / Prior To New Scan / When Identified | Perform vulnerability scans | 1.1.0 |
| Risk Assessment | RA-5 (2) | Update By Frequency / Prior To New Scan / When Identified | Remediate information system flaws | 1.1.0 |
| Risk Assessment | RA-5 (3) | Breadth / Depth Of Coverage | Perform vulnerability scans | 1.1.0 |
| Risk Assessment | RA-5 (3) | Breadth / Depth Of Coverage | Remediate information system flaws | 1.1.0 |
| Risk Assessment | RA-5 (4) | Discoverable Information | Take action in response to customer information | 1.1.0 |
| Risk Assessment | RA-5 (5) | Privileged Access | Implement privileged access for executing vulnerability scanning activities | 1.1.0 |
| Risk Assessment | RA-5 (6) | Automated Trend Analyses | Observe and report security weaknesses | 1.1.0 |
| Risk Assessment | RA-5 (6) | Automated Trend Analyses | Perform a trend analysis on threats | 1.1.0 |
| Risk Assessment | RA-5 (6) | Automated Trend Analyses | Perform threat modeling | 1.1.0 |
| Risk Assessment | RA-5 (6) | Automated Trend Analyses | Perform vulnerability scans | 1.1.0 |
| Risk Assessment | RA-5 (6) | Automated Trend Analyses | Remediate information system flaws | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Audit privileged functions | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Audit user account status | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Correlate audit records | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Determine auditable events | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Establish requirements for audit review and reporting | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Integrate audit review, analysis, and reporting | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Integrate cloud app security with a siem | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Review account provisioning logs | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Review administrator assignments weekly | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Review audit data | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Review cloud identity report overview | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Review controlled folder access events | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Review exploit protection events | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Review file and folder activity | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Review role group changes weekly | 1.1.0 |
| Risk Assessment | RA-5 (10) | Correlate Scanning Information | Correlate Vulnerability scan information | 1.1.1 |
| System And Services Acquisition | SA-1 | System And Services Acquisition Policy And Procedures | Review and update system and services acquisition policies and procedures | 1.1.0 |
| System And Services Acquisition | SA-2 | Allocation Of Resources | Align business objectives and IT goals | 1.1.0 |
| System And Services Acquisition | SA-2 | Allocation Of Resources | Allocate resources in determining information system requirements | 1.1.0 |
| System And Services Acquisition | SA-2 | Allocation Of Resources | Establish a discrete line item in budgeting documentation | 1.1.0 |
| System And Services Acquisition | SA-2 | Allocation Of Resources | Establish a privacy program | 1.1.0 |
| System And Services Acquisition | SA-2 | Allocation Of Resources | Govern the allocation of resources | 1.1.0 |
| System And Services Acquisition | SA-2 | Allocation Of Resources | Secure commitment from leadership | 1.1.0 |
| System And Services Acquisition | SA-3 | System Development Life Cycle | Define information security roles and responsibilities | 1.1.0 |
| System And Services Acquisition | SA-3 | System Development Life Cycle | Identify individuals with security roles and responsibilities | 1.1.1 |
| System And Services Acquisition | SA-3 | System Development Life Cycle | Integrate risk management process into SDLC | 1.1.0 |
| System And Services Acquisition | SA-4 | Acquisition Process | Determine supplier contract obligations | 1.1.0 |
| System And Services Acquisition | SA-4 | Acquisition Process | Document acquisition contract acceptance criteria | 1.1.0 |
| System And Services Acquisition | SA-4 | Acquisition Process | Document protection of personal data in acquisition contracts | 1.1.0 |
| System And Services Acquisition | SA-4 | Acquisition Process | Document protection of security information in acquisition contracts | 1.1.0 |
| System And Services Acquisition | SA-4 | Acquisition Process | Document requirements for the use of shared data in contracts | 1.1.0 |
| System And Services Acquisition | SA-4 | Acquisition Process | Document security assurance requirements in acquisition contracts | 1.1.0 |
| System And Services Acquisition | SA-4 | Acquisition Process | Document security documentation requirements in acquisition contract | 1.1.0 |
| System And Services Acquisition | SA-4 | Acquisition Process | Document security functional requirements in acquisition contracts | 1.1.0 |
| System And Services Acquisition | SA-4 | Acquisition Process | Document security strength requirements in acquisition contracts | 1.1.0 |
| System And Services Acquisition | SA-4 | Acquisition Process | Document the information system environment in acquisition contracts | 1.1.0 |
| System And Services Acquisition | SA-4 | Acquisition Process | Document the protection of cardholder data in third party contracts | 1.1.0 |
| System And Services Acquisition | SA-4 (1) | Functional Properties Of Security Controls | Obtain functional properties of security controls | 1.1.0 |
| System And Services Acquisition | SA-4 (2) | Design / Implementation Information For Security Controls | Obtain design and implementation information for the security controls | 1.1.1 |
| System And Services Acquisition | SA-4 (8) | Continuous Monitoring Plan | Obtain continuous monitoring plan for security controls | 1.1.0 |
| System And Services Acquisition | SA-4 (9) | Functions / Ports / Protocols / Services In Use | Require developer to identify SDLC ports, protocols, and services | 1.1.0 |
| System And Services Acquisition | SA-4 (10) | Use Of Approved Piv Products | Employ FIPS 201-approved technology for PIV | 1.1.0 |
| System And Services Acquisition | SA-5 | Information System Documentation | Distribute information system documentation | 1.1.0 |
| System And Services Acquisition | SA-5 | Information System Documentation | Document customer-defined actions | 1.1.0 |
| System And Services Acquisition | SA-5 | Information System Documentation | Obtain Admin documentation | 1.1.0 |
| System And Services Acquisition | SA-5 | Information System Documentation | Obtain user security function documentation | 1.1.0 |
| System And Services Acquisition | SA-5 | Information System Documentation | Protect administrator and user documentation | 1.1.0 |
| System And Services Acquisition | SA-9 | External Information System Services | Define and document government oversight | 1.1.0 |
| System And Services Acquisition | SA-9 | External Information System Services | Require external service providers to comply with security requirements | 1.1.0 |
| System And Services Acquisition | SA-9 | External Information System Services | Review cloud service provider's compliance with policies and agreements | 1.1.0 |
| System And Services Acquisition | SA-9 | External Information System Services | Undergo independent security review | 1.1.0 |
| System And Services Acquisition | SA-9 (1) | Risk Assessments / Organizational Approvals | Assess risk in third party relationships | 1.1.0 |
| System And Services Acquisition | SA-9 (1) | Risk Assessments / Organizational Approvals | Obtain approvals for acquisitions and outsourcing | 1.1.0 |
| System And Services Acquisition | SA-9 (2) | Identification Of Functions / Ports / Protocols / Services | Identify external service providers | 1.1.0 |
| System And Services Acquisition | SA-9 (4) | Consistent Interests Of Consumers And Providers | Ensure external providers consistently meet interests of the customers | 1.1.0 |
| System And Services Acquisition | SA-9 (5) | Processing, Storage, And Service Location | Restrict location of information processing, storage and services | 1.1.0 |
| System And Services Acquisition | SA-10 | Developer Configuration Management | Address coding vulnerabilities | 1.1.0 |
| System And Services Acquisition | SA-10 | Developer Configuration Management | Develop and document application security requirements | 1.1.0 |
| System And Services Acquisition | SA-10 | Developer Configuration Management | Document the information system environment in acquisition contracts | 1.1.0 |
| System And Services Acquisition | SA-10 | Developer Configuration Management | Establish a secure software development program | 1.1.0 |
| System And Services Acquisition | SA-10 | Developer Configuration Management | Perform vulnerability scans | 1.1.0 |
| System And Services Acquisition | SA-10 | Developer Configuration Management | Remediate information system flaws | 1.1.0 |
| System And Services Acquisition | SA-10 | Developer Configuration Management | Require developers to document approved changes and potential impact | 1.1.0 |
| System And Services Acquisition | SA-10 | Developer Configuration Management | Require developers to implement only approved changes | 1.1.0 |
| System And Services Acquisition | SA-10 | Developer Configuration Management | Require developers to manage change integrity | 1.1.0 |
| System And Services Acquisition | SA-10 (1) | Software / Firmware Integrity Verification | Verify software, firmware and information integrity | 1.1.0 |
| System And Services Acquisition | SA-11 | Developer Security Testing And Evaluation | Perform vulnerability scans | 1.1.0 |
| System And Services Acquisition | SA-11 | Developer Security Testing And Evaluation | Remediate information system flaws | 1.1.0 |
| System And Services Acquisition | SA-11 | Developer Security Testing And Evaluation | Require developers to produce evidence of security assessment plan execution | 1.1.0 |
| System And Services Acquisition | SA-12 | Supply Chain Protection | Assess risk in third party relationships | 1.1.0 |
| System And Services Acquisition | SA-12 | Supply Chain Protection | Define requirements for supplying goods and services | 1.1.0 |
| System And Services Acquisition | SA-12 | Supply Chain Protection | Determine supplier contract obligations | 1.1.0 |
| System And Services Acquisition | SA-12 | Supply Chain Protection | Establish policies for supply chain risk management | 1.1.0 |
| System And Services Acquisition | SA-15 | Development Process, Standards, And Tools | Review development process, standards and tools | 1.1.0 |
| System And Services Acquisition | SA-16 | Developer-Provided Training | Require developers to provide training | 1.1.0 |
| System And Services Acquisition | SA-17 | Developer Security Architecture And Design | Require developers to build security architecture | 1.1.0 |
| System And Services Acquisition | SA-17 | Developer Security Architecture And Design | Require developers to describe accurate security functionality | 1.1.0 |
| System And Services Acquisition | SA-17 | Developer Security Architecture And Design | Require developers to provide unified security protection approach | 1.1.0 |
| System And Communications Protection | SC-1 | System And Communications Protection Policy And Procedures | Review and update system and communications protection policies and procedures | 1.1.0 |
| System And Communications Protection | SC-2 | Application Partitioning | Authorize remote access | 1.1.0 |
| System And Communications Protection | SC-2 | Application Partitioning | Separate user and information system management functionality | 1.1.0 |
| System And Communications Protection | SC-2 | Application Partitioning | Use dedicated machines for administrative tasks | 1.1.0 |
| System And Communications Protection | SC-3 | Security Function Isolation | Azure Defender for servers should be enabled | 1.0.3 |
| System And Communications Protection | SC-5 | Denial Of Service Protection | Develop and document a DDoS response plan | 1.1.0 |
| System And Communications Protection | SC-6 | Resource Availability | Govern the allocation of resources | 1.1.0 |
| System And Communications Protection | SC-6 | Resource Availability | Manage availability and capacity | 1.1.0 |
| System And Communications Protection | SC-6 | Resource Availability | Secure commitment from leadership | 1.1.0 |
| System And Communications Protection | SC-7 | Boundary Protection | Implement system boundary protection | 1.1.0 |
| System And Communications Protection | SC-7 (4) | External Telecommunications Services | Implement managed interface for each external service | 1.1.0 |
| System And Communications Protection | SC-7 (4) | External Telecommunications Services | Implement system boundary protection | 1.1.0 |
| System And Communications Protection | SC-7 (4) | External Telecommunications Services | Secure the interface to external systems | 1.1.0 |
| System And Communications Protection | SC-7 (7) | Prevent Split Tunneling For Remote Devices | Prevent split tunneling for remote devices | 1.1.0 |
| System And Communications Protection | SC-7 (8) | Route Traffic To Authenticated Proxy Servers | Route traffic through authenticated proxy network | 1.1.0 |
| System And Communications Protection | SC-7 (12) | Host-Based Protection | Implement system boundary protection | 1.1.0 |
| System And Communications Protection | SC-7 (13) | Isolation Of Security Tools / Mechanisms / Support Components | Isolate SecurID systems, Security Incident Management systems | 1.1.0 |
| System And Communications Protection | SC-7 (18) | Fail Secure | Implement system boundary protection | 1.1.0 |
| System And Communications Protection | SC-7 (18) | Fail Secure | Manage transfers between standby and active system components | 1.1.0 |
| System And Communications Protection | SC-7 (20) | Dynamic Isolation / Segregation | Ensure system capable of dynamic isolation of resources | 1.1.0 |
| System And Communications Protection | SC-7 (21) | Isolation Of Information System Components | Employ boundary protection to isolate information systems | 1.1.0 |
| System And Communications Protection | SC-8 | Transmission Confidentiality And Integrity | Protect data in transit using encryption | 1.1.0 |
| System And Communications Protection | SC-8 | Transmission Confidentiality And Integrity | Protect passwords with encryption | 1.1.0 |
| System And Communications Protection | SC-8 (1) | Cryptographic Or Alternate Physical Protection | Configure workstations to check for digital certificates | 1.1.0 |
| System And Communications Protection | SC-10 | Network Disconnect | Reauthenticate or terminate a user session | 1.1.0 |
| System And Communications Protection | SC-12 | Cryptographic Key Establishment And Management | Define a physical key management process | 1.1.0 |
| System And Communications Protection | SC-12 | Cryptographic Key Establishment And Management | Define cryptographic use | 1.1.0 |
| System And Communications Protection | SC-12 | Cryptographic Key Establishment And Management | Define organizational requirements for cryptographic key management | 1.1.0 |
| System And Communications Protection | SC-12 | Cryptographic Key Establishment And Management | Determine assertion requirements | 1.1.0 |
| System And Communications Protection | SC-12 | Cryptographic Key Establishment And Management | Issue public key certificates | 1.1.0 |
| System And Communications Protection | SC-12 | Cryptographic Key Establishment And Management | Manage symmetric cryptographic keys | 1.1.0 |
| System And Communications Protection | SC-12 | Cryptographic Key Establishment And Management | Restrict access to private keys | 1.1.0 |
| System And Communications Protection | SC-12 (1) | Availability | Maintain availability of information | 1.1.0 |
| System And Communications Protection | SC-12 (2) | Symmetric Keys | Produce, control and distribute symmetric cryptographic keys | 1.1.0 |
| System And Communications Protection | SC-12 (3) | Asymmetric Keys | Produce, control and distribute asymmetric cryptographic keys | 1.1.0 |
| System And Communications Protection | SC-13 | Cryptographic Protection | Define cryptographic use | 1.1.0 |
| System And Communications Protection | SC-15 | Collaborative Computing Devices | Explicitly notify use of collaborative computing devices | 1.1.1 |
| System And Communications Protection | SC-15 | Collaborative Computing Devices | Prohibit remote activation of collaborative computing devices | 1.1.0 |
| System And Communications Protection | SC-17 | Public Key Infrastructure Certificates | Issue public key certificates | 1.1.0 |
| System And Communications Protection | SC-18 | Mobile Code | Authorize, monitor, and control usage of mobile code technologies | 1.1.0 |
| System And Communications Protection | SC-18 | Mobile Code | Define acceptable and unacceptable mobile code technologies | 1.1.0 |
| System And Communications Protection | SC-18 | Mobile Code | Establish usage restrictions for mobile code technologies | 1.1.0 |
| System And Communications Protection | SC-19 | Voice Over Internet Protocol | Authorize, monitor, and control voip | 1.1.0 |
| System And Communications Protection | SC-19 | Voice Over Internet Protocol | Establish voip usage restrictions | 1.1.0 |
| System And Communications Protection | SC-20 | Secure Name / Address Resolution Service (Authoritative Source) | Implement a fault tolerant name/address service | 1.1.0 |
| System And Communications Protection | SC-20 | Secure Name / Address Resolution Service (Authoritative Source) | Provide secure name and address resolution services | 1.1.0 |
| System And Communications Protection | SC-21 | Secure Name / Address Resolution Service (Recursive Or Caching Resolver) | Implement a fault tolerant name/address service | 1.1.0 |
| System And Communications Protection | SC-21 | Secure Name / Address Resolution Service (Recursive Or Caching Resolver) | Verify software, firmware and information integrity | 1.1.0 |
| System And Communications Protection | SC-22 | Architecture And Provisioning For Name / Address Resolution Service | Implement a fault tolerant name/address service | 1.1.0 |
| System And Communications Protection | SC-23 | Session Authenticity | Configure workstations to check for digital certificates | 1.1.0 |
| System And Communications Protection | SC-23 | Session Authenticity | Enforce random unique session identifiers | 1.1.0 |
| System And Communications Protection | SC-23 (1) | Invalidate Session Identifiers At Logout | Invalidate session identifiers at logout | 1.1.0 |
| System And Communications Protection | SC-24 | Fail In Known State | Ensure information system fails in known state | 1.1.0 |
| System And Communications Protection | SC-28 | Protection Of Information At Rest | Establish a data leakage management procedure | 1.1.0 |
| System And Communications Protection | SC-28 | Protection Of Information At Rest | Protect special information | 1.1.0 |
| System And Communications Protection | SC-28 (1) | Cryptographic Protection | Implement controls to secure all media | 1.1.0 |
| System And Communications Protection | SC-28 (1) | Cryptographic Protection | Protect data in transit using encryption | 1.1.0 |
| System And Communications Protection | SC-39 | Process Isolation | Maintain separate execution domains for running processes | 1.1.0 |
| System And Information Integrity | SI-1 | System And Information Integrity Policy And Procedures | Review and update information integrity policies and procedures | 1.1.0 |
| System And Information Integrity | SI-2 | Flaw Remediation | Azure Defender for App Service should be enabled | 1.0.3 |
| System And Information Integrity | SI-2 | Flaw Remediation | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| System And Information Integrity | SI-2 | Flaw Remediation | Azure Defender for Key Vault should be enabled | 1.0.3 |
| System And Information Integrity | SI-2 | Flaw Remediation | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| System And Information Integrity | SI-2 | Flaw Remediation | Azure Defender for servers should be enabled | 1.0.3 |
| System And Information Integrity | SI-2 | Flaw Remediation | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| System And Information Integrity | SI-2 | Flaw Remediation | Incorporate flaw remediation into configuration management | 1.1.0 |
| System And Information Integrity | SI-2 | Flaw Remediation | Microsoft Defender for Containers should be enabled | 1.0.0 |
| System And Information Integrity | SI-2 | Flaw Remediation | Microsoft Defender for Storage should be enabled | 1.0.0 |
| System And Information Integrity | SI-2 | Flaw Remediation | Remediate information system flaws | 1.1.0 |
| System And Information Integrity | SI-2 (2) | Automated Flaw Remediation Status | Automate flaw remediation | 1.1.0 |
| System And Information Integrity | SI-2 (2) | Automated Flaw Remediation Status | Remediate information system flaws | 1.1.0 |
| System And Information Integrity | SI-2 (3) | Time To Remediate Flaws / Benchmarks For Corrective Actions | Establish benchmarks for flaw remediation | 1.1.0 |
| System And Information Integrity | SI-2 (3) | Time To Remediate Flaws / Benchmarks For Corrective Actions | Measure the time between flaw identification and flaw remediation | 1.1.0 |
| System And Information Integrity | SI-3 | Malicious Code Protection | Azure Defender for servers should be enabled | 1.0.3 |
| System And Information Integrity | SI-3 | Malicious Code Protection | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| System And Information Integrity | SI-3 | Malicious Code Protection | Manage gateways | 1.1.0 |
| System And Information Integrity | SI-3 | Malicious Code Protection | Perform a trend analysis on threats | 1.1.0 |
| System And Information Integrity | SI-3 | Malicious Code Protection | Perform vulnerability scans | 1.1.0 |
| System And Information Integrity | SI-3 | Malicious Code Protection | Review malware detections report weekly | 1.1.0 |
| System And Information Integrity | SI-3 | Malicious Code Protection | Review threat protection status weekly | 1.1.0 |
| System And Information Integrity | SI-3 | Malicious Code Protection | Update antivirus definitions | 1.1.0 |
| System And Information Integrity | SI-3 (1) | Central Management | Azure Defender for servers should be enabled | 1.0.3 |
| System And Information Integrity | SI-3 (1) | Central Management | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| System And Information Integrity | SI-3 (1) | Central Management | Manage gateways | 1.1.0 |
| System And Information Integrity | SI-3 (1) | Central Management | Perform a trend analysis on threats | 1.1.0 |
| System And Information Integrity | SI-3 (1) | Central Management | Perform vulnerability scans | 1.1.0 |
| System And Information Integrity | SI-3 (1) | Central Management | Review malware detections report weekly | 1.1.0 |
| System And Information Integrity | SI-3 (1) | Central Management | Update antivirus definitions | 1.1.0 |
| System And Information Integrity | SI-3 (2) | Automatic Updates | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| System And Information Integrity | SI-3 (2) | Automatic Updates | Manage gateways | 1.1.0 |
| System And Information Integrity | SI-3 (2) | Automatic Updates | Perform a trend analysis on threats | 1.1.0 |
| System And Information Integrity | SI-3 (2) | Automatic Updates | Perform vulnerability scans | 1.1.0 |
| System And Information Integrity | SI-3 (2) | Automatic Updates | Review malware detections report weekly | 1.1.0 |
| System And Information Integrity | SI-3 (2) | Automatic Updates | Update antivirus definitions | 1.1.0 |
| System And Information Integrity | SI-3 (7) | Nonsignature-Based Detection | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| System And Information Integrity | SI-3 (7) | Nonsignature-Based Detection | Manage gateways | 1.1.0 |
| System And Information Integrity | SI-3 (7) | Nonsignature-Based Detection | Perform a trend analysis on threats | 1.1.0 |
| System And Information Integrity | SI-3 (7) | Nonsignature-Based Detection | Perform vulnerability scans | 1.1.0 |
| System And Information Integrity | SI-3 (7) | Nonsignature-Based Detection | Review malware detections report weekly | 1.1.0 |
| System And Information Integrity | SI-3 (7) | Nonsignature-Based Detection | Update antivirus definitions | 1.1.0 |
| System And Information Integrity | SI-4 | Information System Monitoring | Auto provisioning of the Log Analytics agent should be enabled on your subscription | 1.0.1 |
| System And Information Integrity | SI-4 | Information System Monitoring | Azure Defender for App Service should be enabled | 1.0.3 |
| System And Information Integrity | SI-4 | Information System Monitoring | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| System And Information Integrity | SI-4 | Information System Monitoring | Azure Defender for Key Vault should be enabled | 1.0.3 |
| System And Information Integrity | SI-4 | Information System Monitoring | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| System And Information Integrity | SI-4 | Information System Monitoring | Azure Defender for servers should be enabled | 1.0.3 |
| System And Information Integrity | SI-4 | Information System Monitoring | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| System And Information Integrity | SI-4 | Information System Monitoring | Microsoft Defender for Containers should be enabled | 1.0.0 |
| System And Information Integrity | SI-4 | Information System Monitoring | Microsoft Defender for Storage should be enabled | 1.0.0 |
| System And Information Integrity | SI-4 | Information System Monitoring | Obtain legal opinion for monitoring system activities | 1.1.0 |
| System And Information Integrity | SI-4 | Information System Monitoring | Perform a trend analysis on threats | 1.1.0 |
| System And Information Integrity | SI-4 | Information System Monitoring | Provide monitoring information as needed | 1.1.0 |
| System And Information Integrity | SI-4 (2) | Automated Tools For Real-Time Analysis | Document security operations | 1.1.0 |
| System And Information Integrity | SI-4 (2) | Automated Tools For Real-Time Analysis | Turn on sensors for endpoint security solution | 1.1.0 |
| System And Information Integrity | SI-4 (4) | Inbound And Outbound Communications Traffic | Authorize, monitor, and control voip | 1.1.0 |
| System And Information Integrity | SI-4 (4) | Inbound And Outbound Communications Traffic | Implement system boundary protection | 1.1.0 |
| System And Information Integrity | SI-4 (4) | Inbound And Outbound Communications Traffic | Manage gateways | 1.1.0 |
| System And Information Integrity | SI-4 (4) | Inbound And Outbound Communications Traffic | Route traffic through managed network access points | 1.1.0 |
| System And Information Integrity | SI-4 (5) | System-Generated Alerts | Alert personnel of information spillage | 1.1.0 |
| System And Information Integrity | SI-4 (5) | System-Generated Alerts | Develop an incident response plan | 1.1.0 |
| System And Information Integrity | SI-4 (5) | System-Generated Alerts | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| System And Information Integrity | SI-4 (14) | Wireless Intrusion Detection | Document wireless access security controls | 1.1.0 |
| System And Information Integrity | SI-4 (22) | Unauthorized Network Services | Detect network services that have not been authorized or approved | 1.1.0 |
| System And Information Integrity | SI-4 (24) | Indicators Of Compromise | Discover any indicators of compromise | 1.1.0 |
| System And Information Integrity | SI-5 | Security Alerts, Advisories, And Directives | Disseminate security alerts to personnel | 1.1.0 |
| System And Information Integrity | SI-5 | Security Alerts, Advisories, And Directives | Establish a threat intelligence program | 1.1.0 |
| System And Information Integrity | SI-5 | Security Alerts, Advisories, And Directives | Generate internal security alerts | 1.1.0 |
| System And Information Integrity | SI-5 | Security Alerts, Advisories, And Directives | Implement security directives | 1.1.0 |
| System And Information Integrity | SI-5 (1) | Automated Alerts And Advisories | Use automated mechanisms for security alerts | 1.1.0 |
| System And Information Integrity | SI-6 | Security Function Verification | Create alternative actions for identified anomalies | 1.1.0 |
| System And Information Integrity | SI-6 | Security Function Verification | Notify personnel of any failed security verification tests | 1.1.0 |
| System And Information Integrity | SI-6 | Security Function Verification | Perform security function verification at a defined frequency | 1.1.0 |
| System And Information Integrity | SI-6 | Security Function Verification | Verify security functions | 1.1.0 |
| System And Information Integrity | SI-7 | Software, Firmware, And Information Integrity | Verify software, firmware and information integrity | 1.1.0 |
| System And Information Integrity | SI-7 (1) | Integrity Checks | Verify software, firmware and information integrity | 1.1.0 |
| System And Information Integrity | SI-7 (1) | Integrity Checks | View and configure system diagnostic data | 1.1.0 |
| System And Information Integrity | SI-7 (5) | Automated Response To Integrity Violations | Employ automatic shutdown/restart when violations are detected | 1.1.0 |
| System And Information Integrity | SI-7 (14) | Binary Or Machine Executable Code | Prohibit binary/machine-executable code | 1.1.0 |
| System And Information Integrity | SI-10 | Information Input Validation | Perform information input validation | 1.1.0 |
| System And Information Integrity | SI-11 | Error Handling | Generate error messages | 1.1.0 |
| System And Information Integrity | SI-11 | Error Handling | Reveal error messages | 1.1.0 |
| System And Information Integrity | SI-12 | Information Handling And Retention | Control physical access | 1.1.0 |
| System And Information Integrity | SI-12 | Information Handling And Retention | Manage the input, output, processing, and storage of data | 1.1.0 |
| System And Information Integrity | SI-12 | Information Handling And Retention | Review label activity and analytics | 1.1.0 |
| System And Information Integrity | SI-16 | Memory Protection | Azure Defender for servers should be enabled | 1.0.3 |
FedRAMP Moderate
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - FedRAMP Moderate. For more information about this compliance standard, see FedRAMP Moderate.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | AC-1 | Access Control Policy And Procedures | Develop access control policies and procedures | 1.1.0 |
| Access Control | AC-1 | Access Control Policy And Procedures | Enforce mandatory and discretionary access control policies | 1.1.0 |
| Access Control | AC-1 | Access Control Policy And Procedures | Govern policies and procedures | 1.1.0 |
| Access Control | AC-1 | Access Control Policy And Procedures | Review access control policies and procedures | 1.1.0 |
| Access Control | AC-2 | Account Management | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| Access Control | AC-2 | Account Management | Assign account managers | 1.1.0 |
| Access Control | AC-2 | Account Management | Audit user account status | 1.1.0 |
| Access Control | AC-2 | Account Management | Blocked accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| Access Control | AC-2 | Account Management | Blocked accounts with read and write permissions on Azure resources should be removed | 1.0.0 |
| Access Control | AC-2 | Account Management | Define and enforce conditions for shared and group accounts | 1.1.0 |
| Access Control | AC-2 | Account Management | Define information system account types | 1.1.0 |
| Access Control | AC-2 | Account Management | Document access privileges | 1.1.0 |
| Access Control | AC-2 | Account Management | Establish conditions for role membership | 1.1.0 |
| Access Control | AC-2 | Account Management | Guest accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| Access Control | AC-2 | Account Management | Guest accounts with read permissions on Azure resources should be removed | 1.0.0 |
| Access Control | AC-2 | Account Management | Guest accounts with write permissions on Azure resources should be removed | 1.0.0 |
| Access Control | AC-2 | Account Management | Monitor account activity | 1.1.0 |
| Access Control | AC-2 | Account Management | Notify Account Managers of customer controlled accounts | 1.1.0 |
| Access Control | AC-2 | Account Management | Reissue authenticators for changed groups and accounts | 1.1.0 |
| Access Control | AC-2 | Account Management | Require approval for account creation | 1.1.0 |
| Access Control | AC-2 | Account Management | Restrict access to privileged accounts | 1.1.0 |
| Access Control | AC-2 | Account Management | Review account provisioning logs | 1.1.0 |
| Access Control | AC-2 | Account Management | Review user accounts | 1.1.0 |
| Access Control | AC-2 (1) | Automated System Account Management | Automate account management | 1.1.0 |
| Access Control | AC-2 (1) | Automated System Account Management | Manage system and admin accounts | 1.1.0 |
| Access Control | AC-2 (1) | Automated System Account Management | Monitor access across the organization | 1.1.0 |
| Access Control | AC-2 (1) | Automated System Account Management | Notify when account is not needed | 1.1.0 |
| Access Control | AC-2 (3) | Disable Inactive Accounts | Disable authenticators upon termination | 1.1.0 |
| Access Control | AC-2 (3) | Disable Inactive Accounts | Revoke privileged roles as appropriate | 1.1.0 |
| Access Control | AC-2 (4) | Automated Audit Actions | Audit user account status | 1.1.0 |
| Access Control | AC-2 (4) | Automated Audit Actions | Automate account management | 1.1.0 |
| Access Control | AC-2 (4) | Automated Audit Actions | Manage system and admin accounts | 1.1.0 |
| Access Control | AC-2 (4) | Automated Audit Actions | Monitor access across the organization | 1.1.0 |
| Access Control | AC-2 (4) | Automated Audit Actions | Notify when account is not needed | 1.1.0 |
| Access Control | AC-2 (5) | Inactivity Logout | Define and enforce inactivity log policy | 1.1.0 |
| Access Control | AC-2 (7) | Role-Based Schemes | Audit privileged functions | 1.1.0 |
| Access Control | AC-2 (7) | Role-Based Schemes | Monitor account activity | 1.1.0 |
| Access Control | AC-2 (7) | Role-Based Schemes | Monitor privileged role assignment | 1.1.0 |
| Access Control | AC-2 (7) | Role-Based Schemes | Restrict access to privileged accounts | 1.1.0 |
| Access Control | AC-2 (7) | Role-Based Schemes | Revoke privileged roles as appropriate | 1.1.0 |
| Access Control | AC-2 (7) | Role-Based Schemes | Use privileged identity management | 1.1.0 |
| Access Control | AC-2 (9) | Restrictions On Use Of Shared Groups / Accounts | Define and enforce conditions for shared and group accounts | 1.1.0 |
| Access Control | AC-2 (10) | Shared / Group Account Credential Termination | Terminate customer controlled account credentials | 1.1.0 |
| Access Control | AC-2 (12) | Account Monitoring / Atypical Usage | Azure Defender for App Service should be enabled | 1.0.3 |
| Access Control | AC-2 (12) | Account Monitoring / Atypical Usage | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Access Control | AC-2 (12) | Account Monitoring / Atypical Usage | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Access Control | AC-2 (12) | Account Monitoring / Atypical Usage | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| Access Control | AC-2 (12) | Account Monitoring / Atypical Usage | Azure Defender for servers should be enabled | 1.0.3 |
| Access Control | AC-2 (12) | Account Monitoring / Atypical Usage | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Access Control | AC-2 (12) | Account Monitoring / Atypical Usage | Microsoft Defender for Containers should be enabled | 1.0.0 |
| Access Control | AC-2 (12) | Account Monitoring / Atypical Usage | Microsoft Defender for Storage should be enabled | 1.0.0 |
| Access Control | AC-2 (12) | Account Monitoring / Atypical Usage | Monitor account activity | 1.1.0 |
| Access Control | AC-2 (12) | Account Monitoring / Atypical Usage | Report atypical behavior of user accounts | 1.1.0 |
| Access Control | AC-3 | Access Enforcement | Accounts with owner permissions on Azure resources should be MFA enabled | 1.0.0 |
| Access Control | AC-3 | Access Enforcement | Accounts with read permissions on Azure resources should be MFA enabled | 1.0.0 |
| Access Control | AC-3 | Access Enforcement | Accounts with write permissions on Azure resources should be MFA enabled | 1.0.0 |
| Access Control | AC-3 | Access Enforcement | Authorize access to security functions and information | 1.1.0 |
| Access Control | AC-3 | Access Enforcement | Authorize and manage access | 1.1.0 |
| Access Control | AC-3 | Access Enforcement | Enforce logical access | 1.1.0 |
| Access Control | AC-3 | Access Enforcement | Enforce mandatory and discretionary access control policies | 1.1.0 |
| Access Control | AC-3 | Access Enforcement | Require approval for account creation | 1.1.0 |
| Access Control | AC-3 | Access Enforcement | Review user groups and applications with access to sensitive data | 1.1.0 |
| Access Control | AC-4 | Information Flow Enforcement | Control information flow | 1.1.0 |
| Access Control | AC-4 | Information Flow Enforcement | Employ flow control mechanisms of encrypted information | 1.1.0 |
| Access Control | AC-4 (21) | Physical / Logical Separation Of Information Flows | Control information flow | 1.1.0 |
| Access Control | AC-4 (21) | Physical / Logical Separation Of Information Flows | Establish firewall and router configuration standards | 1.1.0 |
| Access Control | AC-4 (21) | Physical / Logical Separation Of Information Flows | Establish network segmentation for card holder data environment | 1.1.0 |
| Access Control | AC-4 (21) | Physical / Logical Separation Of Information Flows | Identify and manage downstream information exchanges | 1.1.0 |
| Access Control | AC-5 | Separation Of Duties | Define access authorizations to support separation of duties | 1.1.0 |
| Access Control | AC-5 | Separation Of Duties | Document separation of duties | 1.1.0 |
| Access Control | AC-5 | Separation Of Duties | Separate duties of individuals | 1.1.0 |
| Access Control | AC-5 | Separation Of Duties | There should be more than one owner assigned to your subscription | 3.0.0 |
| Access Control | AC-6 | Least Privilege | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| Access Control | AC-6 | Least Privilege | Design an access control model | 1.1.0 |
| Access Control | AC-6 | Least Privilege | Employ least privilege access | 1.1.0 |
| Access Control | AC-6 (1) | Authorize Access To Security Functions | Authorize access to security functions and information | 1.1.0 |
| Access Control | AC-6 (1) | Authorize Access To Security Functions | Authorize and manage access | 1.1.0 |
| Access Control | AC-6 (1) | Authorize Access To Security Functions | Enforce mandatory and discretionary access control policies | 1.1.0 |
| Access Control | AC-6 (5) | Privileged Accounts | Restrict access to privileged accounts | 1.1.0 |
| Access Control | AC-6 (9) | Auditing Use Of Privileged Functions | Audit privileged functions | 1.1.0 |
| Access Control | AC-6 (9) | Auditing Use Of Privileged Functions | Conduct a full text analysis of logged privileged commands | 1.1.0 |
| Access Control | AC-6 (9) | Auditing Use Of Privileged Functions | Monitor privileged role assignment | 1.1.0 |
| Access Control | AC-6 (9) | Auditing Use Of Privileged Functions | Restrict access to privileged accounts | 1.1.0 |
| Access Control | AC-6 (9) | Auditing Use Of Privileged Functions | Revoke privileged roles as appropriate | 1.1.0 |
| Access Control | AC-6 (9) | Auditing Use Of Privileged Functions | Use privileged identity management | 1.1.0 |
| Access Control | AC-7 | Unsuccessful Logon Attempts | Enforce a limit of consecutive failed login attempts | 1.1.0 |
| Access Control | AC-10 | Concurrent Session Control | Define and enforce the limit of concurrent sessions | 1.1.0 |
| Access Control | AC-12 | Session Termination | Terminate user session automatically | 1.1.0 |
| Access Control | AC-14 | Permitted Actions Without Identification Or Authentication | Identify actions allowed without authentication | 1.1.0 |
| Access Control | AC-17 | Remote Access | Authorize remote access | 1.1.0 |
| Access Control | AC-17 | Remote Access | Document mobility training | 1.1.0 |
| Access Control | AC-17 | Remote Access | Document remote access guidelines | 1.1.0 |
| Access Control | AC-17 | Remote Access | Implement controls to secure alternate work sites | 1.1.0 |
| Access Control | AC-17 | Remote Access | Provide privacy training | 1.1.0 |
| Access Control | AC-17 (1) | Automated Monitoring / Control | Monitor access across the organization | 1.1.0 |
| Access Control | AC-17 (2) | Protection Of Confidentiality / Integrity Using Encryption | Notify users of system logon or access | 1.1.0 |
| Access Control | AC-17 (2) | Protection Of Confidentiality / Integrity Using Encryption | Protect data in transit using encryption | 1.1.0 |
| Access Control | AC-17 (3) | Managed Access Control Points | Route traffic through managed network access points | 1.1.0 |
| Access Control | AC-17 (4) | Privileged Commands / Access | Authorize remote access | 1.1.0 |
| Access Control | AC-17 (4) | Privileged Commands / Access | Authorize remote access to privileged commands | 1.1.0 |
| Access Control | AC-17 (4) | Privileged Commands / Access | Document remote access guidelines | 1.1.0 |
| Access Control | AC-17 (4) | Privileged Commands / Access | Implement controls to secure alternate work sites | 1.1.0 |
| Access Control | AC-17 (4) | Privileged Commands / Access | Provide privacy training | 1.1.0 |
| Access Control | AC-17 (9) | Disconnect / Disable Access | Provide capability to disconnect or disable remote access | 1.1.0 |
| Access Control | AC-18 | Wireless Access | Document and implement wireless access guidelines | 1.1.0 |
| Access Control | AC-18 | Wireless Access | Protect wireless access | 1.1.0 |
| Access Control | AC-18 (1) | Authentication And Encryption | Document and implement wireless access guidelines | 1.1.0 |
| Access Control | AC-18 (1) | Authentication And Encryption | Identify and authenticate network devices | 1.1.0 |
| Access Control | AC-18 (1) | Authentication And Encryption | Protect wireless access | 1.1.0 |
| Access Control | AC-19 | Access Control For Mobile Devices | Define mobile device requirements | 1.1.0 |
| Access Control | AC-19 (5) | Full Device / Container-Based Encryption | Define mobile device requirements | 1.1.0 |
| Access Control | AC-19 (5) | Full Device / Container-Based Encryption | Protect data in transit using encryption | 1.1.0 |
| Access Control | AC-20 | Use Of External Information Systems | Establish terms and conditions for accessing resources | 1.1.0 |
| Access Control | AC-20 | Use Of External Information Systems | Establish terms and conditions for processing resources | 1.1.0 |
| Access Control | AC-20 (1) | Limits On Authorized Use | Verify security controls for external information systems | 1.1.0 |
| Access Control | AC-20 (2) | Portable Storage Devices | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| Access Control | AC-20 (2) | Portable Storage Devices | Control use of portable storage devices | 1.1.0 |
| Access Control | AC-20 (2) | Portable Storage Devices | Implement controls to secure all media | 1.1.0 |
| Access Control | AC-21 | Information Sharing | Automate information sharing decisions | 1.1.0 |
| Access Control | AC-21 | Information Sharing | Facilitate information sharing | 1.1.0 |
| Access Control | AC-22 | Publicly Accessible Content | Designate authorized personnel to post publicly accessible information | 1.1.0 |
| Access Control | AC-22 | Publicly Accessible Content | Review content prior to posting publicly accessible information | 1.1.0 |
| Access Control | AC-22 | Publicly Accessible Content | Review publicly accessible content for nonpublic information | 1.1.0 |
| Access Control | AC-22 | Publicly Accessible Content | Train personnel on disclosure of nonpublic information | 1.1.0 |
| Awareness And Training | AT-1 | Security Awareness And Training Policy And Procedures | Document security and privacy training activities | 1.1.0 |
| Awareness And Training | AT-1 | Security Awareness And Training Policy And Procedures | Update information security policies | 1.1.0 |
| Awareness And Training | AT-2 | Security Awareness Training | Provide periodic security awareness training | 1.1.0 |
| Awareness And Training | AT-2 | Security Awareness Training | Provide security training for new users | 1.1.0 |
| Awareness And Training | AT-2 | Security Awareness Training | Provide updated security awareness training | 1.1.0 |
| Awareness And Training | AT-2 (2) | Insider Threat | Provide security awareness training for insider threats | 1.1.0 |
| Awareness And Training | AT-3 | Role-Based Security Training | Provide periodic role-based security training | 1.1.0 |
| Awareness And Training | AT-3 | Role-Based Security Training | Provide role-based security training | 1.1.0 |
| Awareness And Training | AT-3 | Role-Based Security Training | Provide security training before providing access | 1.1.0 |
| Awareness And Training | AT-4 | Security Training Records | Document security and privacy training activities | 1.1.0 |
| Awareness And Training | AT-4 | Security Training Records | Monitor security and privacy training completion | 1.1.0 |
| Awareness And Training | AT-4 | Security Training Records | Retain training records | 1.1.0 |
| Audit And Accountability | AU-1 | Audit And Accountability Policy And Procedures | Develop audit and accountability policies and procedures | 1.1.0 |
| Audit And Accountability | AU-1 | Audit And Accountability Policy And Procedures | Develop information security policies and procedures | 1.1.0 |
| Audit And Accountability | AU-1 | Audit And Accountability Policy And Procedures | Govern policies and procedures | 1.1.0 |
| Audit And Accountability | AU-1 | Audit And Accountability Policy And Procedures | Update information security policies | 1.1.0 |
| Audit And Accountability | AU-2 | Audit Events | Determine auditable events | 1.1.0 |
| Audit And Accountability | AU-2 (3) | Reviews And Updates | Review and update the events defined in AU-02 | 1.1.0 |
| Audit And Accountability | AU-3 | Content Of Audit Records | Determine auditable events | 1.1.0 |
| Audit And Accountability | AU-3 (1) | Additional Audit Information | Configure Azure Audit capabilities | 1.1.1 |
| Audit And Accountability | AU-4 | Audit Storage Capacity | Govern and monitor audit processing activities | 1.1.0 |
| Audit And Accountability | AU-5 | Response To Audit Processing Failures | Govern and monitor audit processing activities | 1.1.0 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Azure Defender for App Service should be enabled | 1.0.3 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Azure Defender for servers should be enabled | 1.0.3 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Correlate audit records | 1.1.0 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Establish requirements for audit review and reporting | 1.1.0 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Integrate audit review, analysis, and reporting | 1.1.0 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Integrate cloud app security with a siem | 1.1.0 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Microsoft Defender for Containers should be enabled | 1.0.0 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Microsoft Defender for Storage should be enabled | 1.0.0 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Review account provisioning logs | 1.1.0 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Review administrator assignments weekly | 1.1.0 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Review audit data | 1.1.0 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Review cloud identity report overview | 1.1.0 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Review controlled folder access events | 1.1.0 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Review file and folder activity | 1.1.0 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Review role group changes weekly | 1.1.0 |
| Audit And Accountability | AU-6 (1) | Process Integration | Correlate audit records | 1.1.0 |
| Audit And Accountability | AU-6 (1) | Process Integration | Establish requirements for audit review and reporting | 1.1.0 |
| Audit And Accountability | AU-6 (1) | Process Integration | Integrate audit review, analysis, and reporting | 1.1.0 |
| Audit And Accountability | AU-6 (1) | Process Integration | Integrate cloud app security with a siem | 1.1.0 |
| Audit And Accountability | AU-6 (1) | Process Integration | Review account provisioning logs | 1.1.0 |
| Audit And Accountability | AU-6 (1) | Process Integration | Review administrator assignments weekly | 1.1.0 |
| Audit And Accountability | AU-6 (1) | Process Integration | Review audit data | 1.1.0 |
| Audit And Accountability | AU-6 (1) | Process Integration | Review cloud identity report overview | 1.1.0 |
| Audit And Accountability | AU-6 (1) | Process Integration | Review controlled folder access events | 1.1.0 |
| Audit And Accountability | AU-6 (1) | Process Integration | Review file and folder activity | 1.1.0 |
| Audit And Accountability | AU-6 (1) | Process Integration | Review role group changes weekly | 1.1.0 |
| Audit And Accountability | AU-6 (3) | Correlate Audit Repositories | Correlate audit records | 1.1.0 |
| Audit And Accountability | AU-6 (3) | Correlate Audit Repositories | Integrate cloud app security with a siem | 1.1.0 |
| Audit And Accountability | AU-7 | Audit Reduction And Report Generation | Ensure audit records are not altered | 1.1.0 |
| Audit And Accountability | AU-7 | Audit Reduction And Report Generation | Provide audit review, analysis, and reporting capability | 1.1.0 |
| Audit And Accountability | AU-7 (1) | Automatic Processing | Provide capability to process customer-controlled audit records | 1.1.0 |
| Audit And Accountability | AU-8 | Time Stamps | Use system clocks for audit records | 1.1.0 |
| Audit And Accountability | AU-8 (1) | Synchronization With Authoritative Time Source | Use system clocks for audit records | 1.1.0 |
| Audit And Accountability | AU-9 | Protection Of Audit Information | Enable dual or joint authorization | 1.1.0 |
| Audit And Accountability | AU-9 | Protection Of Audit Information | Protect audit information | 1.1.0 |
| Audit And Accountability | AU-9 (2) | Audit Backup On Separate Physical Systems / Components | Establish backup policies and procedures | 1.1.0 |
| Audit And Accountability | AU-9 (4) | Access By Subset Of Privileged Users | Protect audit information | 1.1.0 |
| Audit And Accountability | AU-11 | Audit Record Retention | Adhere to retention periods defined | 1.1.0 |
| Audit And Accountability | AU-11 | Audit Record Retention | Retain security policies and procedures | 1.1.0 |
| Audit And Accountability | AU-11 | Audit Record Retention | Retain terminated user data | 1.1.0 |
| Audit And Accountability | AU-12 | Audit Generation | Audit privileged functions | 1.1.0 |
| Audit And Accountability | AU-12 | Audit Generation | Audit user account status | 1.1.0 |
| Audit And Accountability | AU-12 | Audit Generation | Auto provisioning of the Log Analytics agent should be enabled on your subscription | 1.0.1 |
| Audit And Accountability | AU-12 | Audit Generation | Azure Defender for App Service should be enabled | 1.0.3 |
| Audit And Accountability | AU-12 | Audit Generation | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Audit And Accountability | AU-12 | Audit Generation | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Audit And Accountability | AU-12 | Audit Generation | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| Audit And Accountability | AU-12 | Audit Generation | Azure Defender for servers should be enabled | 1.0.3 |
| Audit And Accountability | AU-12 | Audit Generation | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Audit And Accountability | AU-12 | Audit Generation | Determine auditable events | 1.1.0 |
| Audit And Accountability | AU-12 | Audit Generation | Microsoft Defender for Containers should be enabled | 1.0.0 |
| Audit And Accountability | AU-12 | Audit Generation | Microsoft Defender for Storage should be enabled | 1.0.0 |
| Audit And Accountability | AU-12 | Audit Generation | Review audit data | 1.1.0 |
| Security Assessment And Authorization | CA-1 | Security Assessment And Authorization Policy And Procedures | Review security assessment and authorization policies and procedures | 1.1.0 |
| Security Assessment And Authorization | CA-2 | Security Assessments | Assess Security Controls | 1.1.0 |
| Security Assessment And Authorization | CA-2 | Security Assessments | Deliver security assessment results | 1.1.0 |
| Security Assessment And Authorization | CA-2 | Security Assessments | Develop security assessment plan | 1.1.0 |
| Security Assessment And Authorization | CA-2 | Security Assessments | Produce Security Assessment report | 1.1.0 |
| Security Assessment And Authorization | CA-2 (1) | Independent Assessors | Employ independent assessors to conduct security control assessments | 1.1.0 |
| Security Assessment And Authorization | CA-2 (2) | Specialized Assessments | Select additional testing for security control assessments | 1.1.0 |
| Security Assessment And Authorization | CA-2 (3) | External Organizations | Accept assessment results | 1.1.0 |
| Security Assessment And Authorization | CA-3 | System Interconnections | Require interconnection security agreements | 1.1.0 |
| Security Assessment And Authorization | CA-3 | System Interconnections | Update interconnection security agreements | 1.1.0 |
| Security Assessment And Authorization | CA-3 (3) | Unclassified Non-National Security System Connections | Implement system boundary protection | 1.1.0 |
| Security Assessment And Authorization | CA-3 (5) | Restrictions On External System Connections | Employ restrictions on external system interconnections | 1.1.0 |
| Security Assessment And Authorization | CA-5 | Plan Of Action And Milestones | Develop POA&M | 1.1.0 |
| Security Assessment And Authorization | CA-5 | Plan Of Action And Milestones | Update POA&M items | 1.1.0 |
| Security Assessment And Authorization | CA-6 | Security Authorization | Assign an authorizing official (AO) | 1.1.0 |
| Security Assessment And Authorization | CA-6 | Security Authorization | Ensure resources are authorized | 1.1.0 |
| Security Assessment And Authorization | CA-6 | Security Authorization | Update the security authorization | 1.1.0 |
| Security Assessment And Authorization | CA-7 | Continuous Monitoring | Configure detection whitelist | 1.1.0 |
| Security Assessment And Authorization | CA-7 | Continuous Monitoring | Turn on sensors for endpoint security solution | 1.1.0 |
| Security Assessment And Authorization | CA-7 | Continuous Monitoring | Undergo independent security review | 1.1.0 |
| Security Assessment And Authorization | CA-7 (1) | Independent Assessment | Employ independent assessors for continuous monitoring | 1.1.0 |
| Security Assessment And Authorization | CA-8 (1) | Independent Penetration Agent Or Team | Employ independent team for penetration testing | 1.1.0 |
| Security Assessment And Authorization | CA-9 | Internal System Connections | Check for privacy and security compliance before establishing internal connections | 1.1.0 |
| Configuration Management | CM-1 | Configuration Management Policy And Procedures | Review and update configuration management policies and procedures | 1.1.0 |
| Configuration Management | CM-2 | Baseline Configuration | Configure actions for noncompliant devices | 1.1.0 |
| Configuration Management | CM-2 | Baseline Configuration | Develop and maintain baseline configurations | 1.1.0 |
| Configuration Management | CM-2 | Baseline Configuration | Enforce security configuration settings | 1.1.0 |
| Configuration Management | CM-2 | Baseline Configuration | Establish a configuration control board | 1.1.0 |
| Configuration Management | CM-2 | Baseline Configuration | Establish and document a configuration management plan | 1.1.0 |
| Configuration Management | CM-2 | Baseline Configuration | Implement an automated configuration management tool | 1.1.0 |
| Configuration Management | CM-2 (2) | Automation Support For Accuracy / Currency | Configure actions for noncompliant devices | 1.1.0 |
| Configuration Management | CM-2 (2) | Automation Support For Accuracy / Currency | Develop and maintain baseline configurations | 1.1.0 |
| Configuration Management | CM-2 (2) | Automation Support For Accuracy / Currency | Enforce security configuration settings | 1.1.0 |
| Configuration Management | CM-2 (2) | Automation Support For Accuracy / Currency | Establish a configuration control board | 1.1.0 |
| Configuration Management | CM-2 (2) | Automation Support For Accuracy / Currency | Establish and document a configuration management plan | 1.1.0 |
| Configuration Management | CM-2 (2) | Automation Support For Accuracy / Currency | Implement an automated configuration management tool | 1.1.0 |
| Configuration Management | CM-2 (3) | Retention Of Previous Configurations | Retain previous versions of baseline configs | 1.1.0 |
| Configuration Management | CM-2 (7) | Configure Systems, Components, Or Devices For High-Risk Areas | Ensure security safeguards not needed when the individuals return | 1.1.0 |
| Configuration Management | CM-2 (7) | Configure Systems, Components, Or Devices For High-Risk Areas | Not allow for information systems to accompany with individuals | 1.1.0 |
| Configuration Management | CM-3 | Configuration Change Control | Conduct a security impact analysis | 1.1.0 |
| Configuration Management | CM-3 | Configuration Change Control | Develop and maintain a vulnerability management standard | 1.1.0 |
| Configuration Management | CM-3 | Configuration Change Control | Establish a risk management strategy | 1.1.0 |
| Configuration Management | CM-3 | Configuration Change Control | Establish and document change control processes | 1.1.0 |
| Configuration Management | CM-3 | Configuration Change Control | Establish configuration management requirements for developers | 1.1.0 |
| Configuration Management | CM-3 | Configuration Change Control | Perform a privacy impact assessment | 1.1.0 |
| Configuration Management | CM-3 | Configuration Change Control | Perform a risk assessment | 1.1.0 |
| Configuration Management | CM-3 | Configuration Change Control | Perform audit for configuration change control | 1.1.0 |
| Configuration Management | CM-4 | Security Impact Analysis | Conduct a security impact analysis | 1.1.0 |
| Configuration Management | CM-4 | Security Impact Analysis | Develop and maintain a vulnerability management standard | 1.1.0 |
| Configuration Management | CM-4 | Security Impact Analysis | Establish a risk management strategy | 1.1.0 |
| Configuration Management | CM-4 | Security Impact Analysis | Establish and document change control processes | 1.1.0 |
| Configuration Management | CM-4 | Security Impact Analysis | Establish configuration management requirements for developers | 1.1.0 |
| Configuration Management | CM-4 | Security Impact Analysis | Perform a privacy impact assessment | 1.1.0 |
| Configuration Management | CM-4 | Security Impact Analysis | Perform a risk assessment | 1.1.0 |
| Configuration Management | CM-4 | Security Impact Analysis | Perform audit for configuration change control | 1.1.0 |
| Configuration Management | CM-5 | Access Restrictions For Change | Establish and document change control processes | 1.1.0 |
| Configuration Management | CM-5 (1) | Automated Access Enforcement / Auditing | Enforce and audit access restrictions | 1.1.0 |
| Configuration Management | CM-5 (3) | Signed Components | Restrict unauthorized software and firmware installation | 1.1.0 |
| Configuration Management | CM-5 (5) | Limit Production / Operational Privileges | Limit privileges to make changes in production environment | 1.1.0 |
| Configuration Management | CM-5 (5) | Limit Production / Operational Privileges | Review and reevaluate privileges | 1.1.0 |
| Configuration Management | CM-6 | Configuration Settings | Enforce security configuration settings | 1.1.0 |
| Configuration Management | CM-6 | Configuration Settings | Remediate information system flaws | 1.1.0 |
| Configuration Management | CM-6 (1) | Automated Central Management / Application / Verification | Enforce security configuration settings | 1.1.0 |
| Configuration Management | CM-6 (1) | Automated Central Management / Application / Verification | Govern compliance of cloud service providers | 1.1.0 |
| Configuration Management | CM-6 (1) | Automated Central Management / Application / Verification | View and configure system diagnostic data | 1.1.0 |
| Configuration Management | CM-7 | Least Functionality | Azure Defender for servers should be enabled | 1.0.3 |
| Configuration Management | CM-8 | Information System Component Inventory | Create a data inventory | 1.1.0 |
| Configuration Management | CM-8 | Information System Component Inventory | Maintain records of processing of personal data | 1.1.0 |
| Configuration Management | CM-8 (1) | Updates During Installations / Removals | Create a data inventory | 1.1.0 |
| Configuration Management | CM-8 (1) | Updates During Installations / Removals | Maintain records of processing of personal data | 1.1.0 |
| Configuration Management | CM-8 (3) | Automated Unauthorized Component Detection | Enable detection of network devices | 1.1.0 |
| Configuration Management | CM-8 (3) | Automated Unauthorized Component Detection | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| Configuration Management | CM-9 | Configuration Management Plan | Create configuration plan protection | 1.1.0 |
| Configuration Management | CM-9 | Configuration Management Plan | Develop and maintain baseline configurations | 1.1.0 |
| Configuration Management | CM-9 | Configuration Management Plan | Develop configuration item identification plan | 1.1.0 |
| Configuration Management | CM-9 | Configuration Management Plan | Develop configuration management plan | 1.1.0 |
| Configuration Management | CM-9 | Configuration Management Plan | Establish and document a configuration management plan | 1.1.0 |
| Configuration Management | CM-9 | Configuration Management Plan | Implement an automated configuration management tool | 1.1.0 |
| Configuration Management | CM-10 | Software Usage Restrictions | Require compliance with intellectual property rights | 1.1.0 |
| Configuration Management | CM-10 | Software Usage Restrictions | Track software license usage | 1.1.0 |
| Configuration Management | CM-10 (1) | Open Source Software | Restrict use of open source software | 1.1.0 |
| Contingency Planning | CP-1 | Contingency Planning Policy And Procedures | Review and update contingency planning policies and procedures | 1.1.0 |
| Contingency Planning | CP-2 | Contingency Plan | Communicate contingency plan changes | 1.1.0 |
| Contingency Planning | CP-2 | Contingency Plan | Coordinate contingency plans with related plans | 1.1.0 |
| Contingency Planning | CP-2 | Contingency Plan | Develop and document a business continuity and disaster recovery plan | 1.1.0 |
| Contingency Planning | CP-2 | Contingency Plan | Develop contingency plan | 1.1.0 |
| Contingency Planning | CP-2 | Contingency Plan | Develop contingency planning policies and procedures | 1.1.0 |
| Contingency Planning | CP-2 | Contingency Plan | Distribute policies and procedures | 1.1.0 |
| Contingency Planning | CP-2 | Contingency Plan | Review contingency plan | 1.1.0 |
| Contingency Planning | CP-2 | Contingency Plan | Update contingency plan | 1.1.0 |
| Contingency Planning | CP-2 (1) | Coordinate With Related Plans | Coordinate contingency plans with related plans | 1.1.0 |
| Contingency Planning | CP-2 (2) | Capacity Planning | Conduct capacity planning | 1.1.0 |
| Contingency Planning | CP-2 (3) | Resume Essential Missions / Business Functions | Plan for resumption of essential business functions | 1.1.0 |
| Contingency Planning | CP-2 (8) | Identify Critical Assets | Perform a business impact assessment and application criticality assessment | 1.1.0 |
| Contingency Planning | CP-3 | Contingency Training | Provide contingency training | 1.1.0 |
| Contingency Planning | CP-4 | Contingency Plan Testing | Initiate contingency plan testing corrective actions | 1.1.0 |
| Contingency Planning | CP-4 | Contingency Plan Testing | Review the results of contingency plan testing | 1.1.0 |
| Contingency Planning | CP-4 | Contingency Plan Testing | Test the business continuity and disaster recovery plan | 1.1.0 |
| Contingency Planning | CP-4 (1) | Coordinate With Related Plans | Coordinate contingency plans with related plans | 1.1.0 |
| Contingency Planning | CP-6 | Alternate Storage Site | Ensure alternate storage site safeguards are equivalent to primary site | 1.1.0 |
| Contingency Planning | CP-6 | Alternate Storage Site | Establish alternate storage site to store and retrieve backup information | 1.1.0 |
| Contingency Planning | CP-6 (1) | Separation From Primary Site | Create separate alternate and primary storage sites | 1.1.0 |
| Contingency Planning | CP-6 (3) | Accessibility | Identify and mitigate potential issues at alternate storage site | 1.1.0 |
| Contingency Planning | CP-7 | Alternate Processing Site | Audit virtual machines without disaster recovery configured | 1.0.0 |
| Contingency Planning | CP-7 | Alternate Processing Site | Establish an alternate processing site | 1.1.0 |
| Contingency Planning | CP-7 (1) | Separation From Primary Site | Establish an alternate processing site | 1.1.0 |
| Contingency Planning | CP-7 (2) | Accessibility | Establish an alternate processing site | 1.1.0 |
| Contingency Planning | CP-7 (3) | Priority Of Service | Establish an alternate processing site | 1.1.0 |
| Contingency Planning | CP-7 (3) | Priority Of Service | Establish requirements for internet service providers | 1.1.0 |
| Contingency Planning | CP-8 (1) | Priority Of Service Provisions | Establish requirements for internet service providers | 1.1.0 |
| Contingency Planning | CP-9 | Information System Backup | Conduct backup of information system documentation | 1.1.0 |
| Contingency Planning | CP-9 | Information System Backup | Establish backup policies and procedures | 1.1.0 |
| Contingency Planning | CP-9 | Information System Backup | Implement controls to secure all media | 1.1.0 |
| Contingency Planning | CP-9 (3) | Separate Storage For Critical Information | Separately store backup information | 1.1.0 |
| Contingency Planning | CP-10 | Information System Recovery And Reconstitution | Recover and reconstitute resources after any disruption | 1.1.1 |
| Contingency Planning | CP-10 (2) | Transaction Recovery | Implement transaction based recovery | 1.1.0 |
| Identification And Authentication | IA-1 | Identification And Authentication Policy And Procedures | Review and update identification and authentication policies and procedures | 1.1.0 |
| Identification And Authentication | IA-2 | Identification And Authentication (Organizational Users) | Accounts with owner permissions on Azure resources should be MFA enabled | 1.0.0 |
| Identification And Authentication | IA-2 | Identification And Authentication (Organizational Users) | Accounts with read permissions on Azure resources should be MFA enabled | 1.0.0 |
| Identification And Authentication | IA-2 | Identification And Authentication (Organizational Users) | Accounts with write permissions on Azure resources should be MFA enabled | 1.0.0 |
| Identification And Authentication | IA-2 | Identification And Authentication (Organizational Users) | Enforce user uniqueness | 1.1.0 |
| Identification And Authentication | IA-2 | Identification And Authentication (Organizational Users) | Support personal verification credentials issued by legal authorities | 1.1.0 |
| Identification And Authentication | IA-2 (1) | Network Access To Privileged Accounts | Accounts with owner permissions on Azure resources should be MFA enabled | 1.0.0 |
| Identification And Authentication | IA-2 (1) | Network Access To Privileged Accounts | Accounts with write permissions on Azure resources should be MFA enabled | 1.0.0 |
| Identification And Authentication | IA-2 (1) | Network Access To Privileged Accounts | Adopt biometric authentication mechanisms | 1.1.0 |
| Identification And Authentication | IA-2 (2) | Network Access To Non-Privileged Accounts | Accounts with read permissions on Azure resources should be MFA enabled | 1.0.0 |
| Identification And Authentication | IA-2 (2) | Network Access To Non-Privileged Accounts | Adopt biometric authentication mechanisms | 1.1.0 |
| Identification And Authentication | IA-2 (3) | Local Access To Privileged Accounts | Adopt biometric authentication mechanisms | 1.1.0 |
| Identification And Authentication | IA-2 (5) | Group Authentication | Require use of individual authenticators | 1.1.0 |
| Identification And Authentication | IA-2 (11) | Remote Access - Separate Device | Adopt biometric authentication mechanisms | 1.1.0 |
| Identification And Authentication | IA-2 (11) | Remote Access - Separate Device | Identify and authenticate network devices | 1.1.0 |
| Identification And Authentication | IA-2 (12) | Acceptance Of Piv Credentials | Support personal verification credentials issued by legal authorities | 1.1.0 |
| Identification And Authentication | IA-4 | Identifier Management | Assign system identifiers | 1.1.0 |
| Identification And Authentication | IA-4 | Identifier Management | Prevent identifier reuse for the defined time period | 1.1.0 |
| Identification And Authentication | IA-4 (4) | Identify User Status | Identify status of individual users | 1.1.0 |
| Identification And Authentication | IA-5 | Authenticator Management | Establish authenticator types and processes | 1.1.0 |
| Identification And Authentication | IA-5 | Authenticator Management | Establish procedures for initial authenticator distribution | 1.1.0 |
| Identification And Authentication | IA-5 | Authenticator Management | Implement training for protecting authenticators | 1.1.0 |
| Identification And Authentication | IA-5 | Authenticator Management | Manage authenticator lifetime and reuse | 1.1.0 |
| Identification And Authentication | IA-5 | Authenticator Management | Manage Authenticators | 1.1.0 |
| Identification And Authentication | IA-5 | Authenticator Management | Refresh authenticators | 1.1.0 |
| Identification And Authentication | IA-5 | Authenticator Management | Reissue authenticators for changed groups and accounts | 1.1.0 |
| Identification And Authentication | IA-5 | Authenticator Management | Verify identity before distributing authenticators | 1.1.0 |
| Identification And Authentication | IA-5 (1) | Password-Based Authentication | Document security strength requirements in acquisition contracts | 1.1.0 |
| Identification And Authentication | IA-5 (1) | Password-Based Authentication | Establish a password policy | 1.1.0 |
| Identification And Authentication | IA-5 (1) | Password-Based Authentication | Implement parameters for memorized secret verifiers | 1.1.0 |
| Identification And Authentication | IA-5 (1) | Password-Based Authentication | Protect passwords with encryption | 1.1.0 |
| Identification And Authentication | IA-5 (2) | Pki-Based Authentication | Bind authenticators and identities dynamically | 1.1.0 |
| Identification And Authentication | IA-5 (2) | Pki-Based Authentication | Establish authenticator types and processes | 1.1.0 |
| Identification And Authentication | IA-5 (2) | Pki-Based Authentication | Establish parameters for searching secret authenticators and verifiers | 1.1.0 |
| Identification And Authentication | IA-5 (2) | Pki-Based Authentication | Establish procedures for initial authenticator distribution | 1.1.0 |
| Identification And Authentication | IA-5 (2) | Pki-Based Authentication | Map authenticated identities to individuals | 1.1.0 |
| Identification And Authentication | IA-5 (2) | Pki-Based Authentication | Restrict access to private keys | 1.1.0 |
| Identification And Authentication | IA-5 (2) | Pki-Based Authentication | Verify identity before distributing authenticators | 1.1.0 |
| Identification And Authentication | IA-5 (3) | In-Person Or Trusted Third-Party Registration | Distribute authenticators | 1.1.0 |
| Identification And Authentication | IA-5 (4) | Automated Support For Password Strength Determination | Document security strength requirements in acquisition contracts | 1.1.0 |
| Identification And Authentication | IA-5 (4) | Automated Support For Password Strength Determination | Establish a password policy | 1.1.0 |
| Identification And Authentication | IA-5 (4) | Automated Support For Password Strength Determination | Implement parameters for memorized secret verifiers | 1.1.0 |
| Identification And Authentication | IA-5 (6) | Protection Of Authenticators | Ensure authorized users protect provided authenticators | 1.1.0 |
| Identification And Authentication | IA-5 (7) | No Embedded Unencrypted Static Authenticators | Ensure there are no unencrypted static authenticators | 1.1.0 |
| Identification And Authentication | IA-5 (11) | Hardware Token-Based Authentication | Satisfy token quality requirements | 1.1.0 |
| Identification And Authentication | IA-6 | Authenticator Feedback | Obscure feedback information during authentication process | 1.1.0 |
| Identification And Authentication | IA-7 | Cryptographic Module Authentication | Authenticate to cryptographic module | 1.1.0 |
| Identification And Authentication | IA-8 | Identification And Authentication (Non- Organizational Users) | Identify and authenticate non-organizational users | 1.1.0 |
| Identification And Authentication | IA-8 (1) | Acceptance Of Piv Credentials From Other Agencies | Accept PIV credentials | 1.1.0 |
| Identification And Authentication | IA-8 (2) | Acceptance Of Third-Party Credentials | Accept only FICAM-approved third-party credentials | 1.1.0 |
| Identification And Authentication | IA-8 (3) | Use Of Ficam-Approved Products | Employ FICAM-approved resources to accept third-party credentials | 1.1.0 |
| Identification And Authentication | IA-8 (4) | Use Of Ficam-Issued Profiles | Conform to FICAM-issued profiles | 1.1.0 |
| Incident Response | IR-1 | Incident Response Policy And Procedures | Review and update incident response policies and procedures | 1.1.0 |
| Incident Response | IR-2 | Incident Response Training | Provide information spillage training | 1.1.0 |
| Incident Response | IR-3 | Incident Response Testing | Conduct incident response testing | 1.1.0 |
| Incident Response | IR-3 | Incident Response Testing | Establish an information security program | 1.1.0 |
| Incident Response | IR-3 | Incident Response Testing | Run simulation attacks | 1.1.0 |
| Incident Response | IR-3 (2) | Coordination With Related Plans | Conduct incident response testing | 1.1.0 |
| Incident Response | IR-3 (2) | Coordination With Related Plans | Establish an information security program | 1.1.0 |
| Incident Response | IR-3 (2) | Coordination With Related Plans | Run simulation attacks | 1.1.0 |
| Incident Response | IR-4 | Incident Handling | Assess information security events | 1.1.0 |
| Incident Response | IR-4 | Incident Handling | Azure Defender for App Service should be enabled | 1.0.3 |
| Incident Response | IR-4 | Incident Handling | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Incident Response | IR-4 | Incident Handling | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Incident Response | IR-4 | Incident Handling | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| Incident Response | IR-4 | Incident Handling | Azure Defender for servers should be enabled | 1.0.3 |
| Incident Response | IR-4 | Incident Handling | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Incident Response | IR-4 | Incident Handling | Coordinate contingency plans with related plans | 1.1.0 |
| Incident Response | IR-4 | Incident Handling | Develop an incident response plan | 1.1.0 |
| Incident Response | IR-4 | Incident Handling | Develop security safeguards | 1.1.0 |
| Incident Response | IR-4 | Incident Handling | Email notification for high severity alerts should be enabled | 1.1.0 |
| Incident Response | IR-4 | Incident Handling | Email notification to subscription owner for high severity alerts should be enabled | 2.1.0 |
| Incident Response | IR-4 | Incident Handling | Enable network protection | 1.1.0 |
| Incident Response | IR-4 | Incident Handling | Eradicate contaminated information | 1.1.0 |
| Incident Response | IR-4 | Incident Handling | Execute actions in response to information spills | 1.1.0 |
| Incident Response | IR-4 | Incident Handling | Implement incident handling | 1.1.0 |
| Incident Response | IR-4 | Incident Handling | Maintain incident response plan | 1.1.0 |
| Incident Response | IR-4 | Incident Handling | Microsoft Defender for Containers should be enabled | 1.0.0 |
| Incident Response | IR-4 | Incident Handling | Microsoft Defender for Storage should be enabled | 1.0.0 |
| Incident Response | IR-4 | Incident Handling | Perform a trend analysis on threats | 1.1.0 |
| Incident Response | IR-4 | Incident Handling | Subscriptions should have a contact email address for security issues | 1.0.1 |
| Incident Response | IR-4 | Incident Handling | View and investigate restricted users | 1.1.0 |
| Incident Response | IR-4 (1) | Automated Incident Handling Processes | Develop an incident response plan | 1.1.0 |
| Incident Response | IR-4 (1) | Automated Incident Handling Processes | Enable network protection | 1.1.0 |
| Incident Response | IR-4 (1) | Automated Incident Handling Processes | Implement incident handling | 1.1.0 |
| Incident Response | IR-5 | Incident Monitoring | Azure Defender for App Service should be enabled | 1.0.3 |
| Incident Response | IR-5 | Incident Monitoring | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Incident Response | IR-5 | Incident Monitoring | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Incident Response | IR-5 | Incident Monitoring | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| Incident Response | IR-5 | Incident Monitoring | Azure Defender for servers should be enabled | 1.0.3 |
| Incident Response | IR-5 | Incident Monitoring | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Incident Response | IR-5 | Incident Monitoring | Email notification for high severity alerts should be enabled | 1.1.0 |
| Incident Response | IR-5 | Incident Monitoring | Email notification to subscription owner for high severity alerts should be enabled | 2.1.0 |
| Incident Response | IR-5 | Incident Monitoring | Microsoft Defender for Containers should be enabled | 1.0.0 |
| Incident Response | IR-5 | Incident Monitoring | Microsoft Defender for Storage should be enabled | 1.0.0 |
| Incident Response | IR-5 | Incident Monitoring | Subscriptions should have a contact email address for security issues | 1.0.1 |
| Incident Response | IR-6 (1) | Automated Reporting | Document security operations | 1.1.0 |
| Incident Response | IR-7 | Incident Response Assistance | Document security operations | 1.1.0 |
| Incident Response | IR-7 (1) | Automation Support For Availability Of Information / Support | Develop an incident response plan | 1.1.0 |
| Incident Response | IR-7 (1) | Automation Support For Availability Of Information / Support | Enable network protection | 1.1.0 |
| Incident Response | IR-7 (1) | Automation Support For Availability Of Information / Support | Eradicate contaminated information | 1.1.0 |
| Incident Response | IR-7 (1) | Automation Support For Availability Of Information / Support | Execute actions in response to information spills | 1.1.0 |
| Incident Response | IR-7 (1) | Automation Support For Availability Of Information / Support | Implement incident handling | 1.1.0 |
| Incident Response | IR-7 (1) | Automation Support For Availability Of Information / Support | Perform a trend analysis on threats | 1.1.0 |
| Incident Response | IR-7 (1) | Automation Support For Availability Of Information / Support | View and investigate restricted users | 1.1.0 |
| Incident Response | IR-7 (2) | Coordination With External Providers | Establish relationship between incident response capability and external providers | 1.1.0 |
| Incident Response | IR-7 (2) | Coordination With External Providers | Identify incident response personnel | 1.1.0 |
| Incident Response | IR-8 | Incident Response Plan | Assess information security events | 1.1.0 |
| Incident Response | IR-8 | Incident Response Plan | Develop an incident response plan | 1.1.0 |
| Incident Response | IR-8 | Incident Response Plan | Implement incident handling | 1.1.0 |
| Incident Response | IR-8 | Incident Response Plan | Maintain data breach records | 1.1.0 |
| Incident Response | IR-8 | Incident Response Plan | Maintain incident response plan | 1.1.0 |
| Incident Response | IR-8 | Incident Response Plan | Protect incident response plan | 1.1.0 |
| Incident Response | IR-9 | Information Spillage Response | Alert personnel of information spillage | 1.1.0 |
| Incident Response | IR-9 | Information Spillage Response | Develop an incident response plan | 1.1.0 |
| Incident Response | IR-9 | Information Spillage Response | Eradicate contaminated information | 1.1.0 |
| Incident Response | IR-9 | Information Spillage Response | Execute actions in response to information spills | 1.1.0 |
| Incident Response | IR-9 | Information Spillage Response | Identify contaminated systems and components | 1.1.0 |
| Incident Response | IR-9 | Information Spillage Response | Identify spilled information | 1.1.0 |
| Incident Response | IR-9 | Information Spillage Response | Isolate information spills | 1.1.0 |
| Incident Response | IR-9 (1) | Responsible Personnel | Identify incident response personnel | 1.1.0 |
| Incident Response | IR-9 (2) | Training | Provide information spillage training | 1.1.0 |
| Incident Response | IR-9 (3) | Post-Spill Operations | Develop spillage response procedures | 1.1.0 |
| Incident Response | IR-9 (4) | Exposure To Unauthorized Personnel | Develop security safeguards | 1.1.0 |
| Maintenance | MA-1 | System Maintenance Policy And Procedures | Review and update system maintenance policies and procedures | 1.1.0 |
| Maintenance | MA-2 | Controlled Maintenance | Control maintenance and repair activities | 1.1.0 |
| Maintenance | MA-2 | Controlled Maintenance | Employ a media sanitization mechanism | 1.1.0 |
| Maintenance | MA-2 | Controlled Maintenance | Implement controls to secure all media | 1.1.0 |
| Maintenance | MA-2 | Controlled Maintenance | Manage nonlocal maintenance and diagnostic activities | 1.1.0 |
| Maintenance | MA-3 | Maintenance Tools | Control maintenance and repair activities | 1.1.0 |
| Maintenance | MA-3 | Maintenance Tools | Manage nonlocal maintenance and diagnostic activities | 1.1.0 |
| Maintenance | MA-3 (1) | Inspect Tools | Control maintenance and repair activities | 1.1.0 |
| Maintenance | MA-3 (1) | Inspect Tools | Manage nonlocal maintenance and diagnostic activities | 1.1.0 |
| Maintenance | MA-3 (2) | Inspect Media | Control maintenance and repair activities | 1.1.0 |
| Maintenance | MA-3 (2) | Inspect Media | Manage nonlocal maintenance and diagnostic activities | 1.1.0 |
| Maintenance | MA-3 (3) | Prevent Unauthorized Removal | Control maintenance and repair activities | 1.1.0 |
| Maintenance | MA-3 (3) | Prevent Unauthorized Removal | Employ a media sanitization mechanism | 1.1.0 |
| Maintenance | MA-3 (3) | Prevent Unauthorized Removal | Implement controls to secure all media | 1.1.0 |
| Maintenance | MA-3 (3) | Prevent Unauthorized Removal | Manage nonlocal maintenance and diagnostic activities | 1.1.0 |
| Maintenance | MA-4 | Nonlocal Maintenance | Manage nonlocal maintenance and diagnostic activities | 1.1.0 |
| Maintenance | MA-4 (2) | Document Nonlocal Maintenance | Manage nonlocal maintenance and diagnostic activities | 1.1.0 |
| Maintenance | MA-5 | Maintenance Personnel | Designate personnel to supervise unauthorized maintenance activities | 1.1.0 |
| Maintenance | MA-5 | Maintenance Personnel | Maintain list of authorized remote maintenance personnel | 1.1.0 |
| Maintenance | MA-5 | Maintenance Personnel | Manage maintenance personnel | 1.1.0 |
| Maintenance | MA-5 (1) | Individuals Without Appropriate Access | Employ a media sanitization mechanism | 1.1.0 |
| Maintenance | MA-5 (1) | Individuals Without Appropriate Access | Implement controls to secure all media | 1.1.0 |
| Maintenance | MA-6 | Timely Maintenance | Provide timely maintenance support | 1.1.0 |
| Media Protection | MP-1 | Media Protection Policy And Procedures | Review and update media protection policies and procedures | 1.1.0 |
| Media Protection | MP-2 | Media Access | Implement controls to secure all media | 1.1.0 |
| Media Protection | MP-3 | Media Marking | Implement controls to secure all media | 1.1.0 |
| Media Protection | MP-4 | Media Storage | Employ a media sanitization mechanism | 1.1.0 |
| Media Protection | MP-4 | Media Storage | Implement controls to secure all media | 1.1.0 |
| Media Protection | MP-5 | Media Transport | Implement controls to secure all media | 1.1.0 |
| Media Protection | MP-5 | Media Transport | Manage the transportation of assets | 1.1.0 |
| Media Protection | MP-5 (4) | Cryptographic Protection | Implement controls to secure all media | 1.1.0 |
| Media Protection | MP-5 (4) | Cryptographic Protection | Manage the transportation of assets | 1.1.0 |
| Media Protection | MP-6 | Media Sanitization | Employ a media sanitization mechanism | 1.1.0 |
| Media Protection | MP-6 | Media Sanitization | Implement controls to secure all media | 1.1.0 |
| Media Protection | MP-6 (2) | Equipment Testing | Employ a media sanitization mechanism | 1.1.0 |
| Media Protection | MP-6 (2) | Equipment Testing | Implement controls to secure all media | 1.1.0 |
| Media Protection | MP-7 | Media Use | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| Media Protection | MP-7 | Media Use | Control use of portable storage devices | 1.1.0 |
| Media Protection | MP-7 | Media Use | Implement controls to secure all media | 1.1.0 |
| Media Protection | MP-7 | Media Use | Restrict media use | 1.1.0 |
| Media Protection | MP-7 (1) | Prohibit Use Without Owner | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| Media Protection | MP-7 (1) | Prohibit Use Without Owner | Control use of portable storage devices | 1.1.0 |
| Media Protection | MP-7 (1) | Prohibit Use Without Owner | Implement controls to secure all media | 1.1.0 |
| Media Protection | MP-7 (1) | Prohibit Use Without Owner | Restrict media use | 1.1.0 |
| Physical And Environmental Protection | PE-1 | Physical And Environmental Protection Policy And Procedures | Review and update physical and environmental policies and procedures | 1.1.0 |
| Physical And Environmental Protection | PE-2 | Physical Access Authorizations | Control physical access | 1.1.0 |
| Physical And Environmental Protection | PE-3 | Physical Access Control | Control physical access | 1.1.0 |
| Physical And Environmental Protection | PE-3 | Physical Access Control | Define a physical key management process | 1.1.0 |
| Physical And Environmental Protection | PE-3 | Physical Access Control | Establish and maintain an asset inventory | 1.1.0 |
| Physical And Environmental Protection | PE-3 | Physical Access Control | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Physical And Environmental Protection | PE-4 | Access Control For Transmission Medium | Control physical access | 1.1.0 |
| Physical And Environmental Protection | PE-4 | Access Control For Transmission Medium | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Physical And Environmental Protection | PE-5 | Access Control For Output Devices | Control physical access | 1.1.0 |
| Physical And Environmental Protection | PE-5 | Access Control For Output Devices | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Physical And Environmental Protection | PE-5 | Access Control For Output Devices | Manage the input, output, processing, and storage of data | 1.1.0 |
| Physical And Environmental Protection | PE-6 (1) | Intrusion Alarms / Surveillance Equipment | Install an alarm system | 1.1.0 |
| Physical And Environmental Protection | PE-6 (1) | Intrusion Alarms / Surveillance Equipment | Manage a secure surveillance camera system | 1.1.0 |
| Physical And Environmental Protection | PE-8 | Visitor Access Records | Control physical access | 1.1.0 |
| Physical And Environmental Protection | PE-8 | Visitor Access Records | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Physical And Environmental Protection | PE-12 | Emergency Lighting | Employ automatic emergency lighting | 1.1.0 |
| Physical And Environmental Protection | PE-13 | Fire Protection | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Physical And Environmental Protection | PE-13 (2) | Suppression Devices / Systems | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Physical And Environmental Protection | PE-13 (3) | Automatic Fire Suppression | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Physical And Environmental Protection | PE-14 | Temperature And Humidity Controls | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Physical And Environmental Protection | PE-14 (2) | Monitoring With Alarms / Notifications | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Physical And Environmental Protection | PE-14 (2) | Monitoring With Alarms / Notifications | Install an alarm system | 1.1.0 |
| Physical And Environmental Protection | PE-15 | Water Damage Protection | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Physical And Environmental Protection | PE-16 | Delivery And Removal | Define requirements for managing assets | 1.1.0 |
| Physical And Environmental Protection | PE-16 | Delivery And Removal | Manage the transportation of assets | 1.1.0 |
| Physical And Environmental Protection | PE-17 | Alternate Work Site | Implement controls to secure alternate work sites | 1.1.0 |
| Planning | PL-1 | Security Planning Policy And Procedures | Review and update planning policies and procedures | 1.1.0 |
| Planning | PL-2 | System Security Plan | Develop and establish a system security plan | 1.1.0 |
| Planning | PL-2 | System Security Plan | Develop information security policies and procedures | 1.1.0 |
| Planning | PL-2 | System Security Plan | Develop SSP that meets criteria | 1.1.0 |
| Planning | PL-2 | System Security Plan | Establish a privacy program | 1.1.0 |
| Planning | PL-2 | System Security Plan | Establish security requirements for the manufacturing of connected devices | 1.1.0 |
| Planning | PL-2 | System Security Plan | Implement security engineering principles of information systems | 1.1.0 |
| Planning | PL-2 (3) | Plan / Coordinate With Other Organizational Entities | Develop and establish a system security plan | 1.1.0 |
| Planning | PL-2 (3) | Plan / Coordinate With Other Organizational Entities | Establish security requirements for the manufacturing of connected devices | 1.1.0 |
| Planning | PL-2 (3) | Plan / Coordinate With Other Organizational Entities | Implement security engineering principles of information systems | 1.1.0 |
| Planning | PL-4 | Rules Of Behavior | Develop acceptable use policies and procedures | 1.1.0 |
| Planning | PL-4 | Rules Of Behavior | Develop organization code of conduct policy | 1.1.0 |
| Planning | PL-4 | Rules Of Behavior | Document personnel acceptance of privacy requirements | 1.1.0 |
| Planning | PL-4 | Rules Of Behavior | Enforce rules of behavior and access agreements | 1.1.0 |
| Planning | PL-4 | Rules Of Behavior | Prohibit unfair practices | 1.1.0 |
| Planning | PL-4 | Rules Of Behavior | Review and sign revised rules of behavior | 1.1.0 |
| Planning | PL-4 | Rules Of Behavior | Update information security policies | 1.1.0 |
| Planning | PL-4 | Rules Of Behavior | Update rules of behavior and access agreements | 1.1.0 |
| Planning | PL-4 | Rules Of Behavior | Update rules of behavior and access agreements every 3 years | 1.1.0 |
| Planning | PL-4 (1) | Social Media And Networking Restrictions | Develop acceptable use policies and procedures | 1.1.0 |
| Planning | PL-8 | Information Security Architecture | Develop a concept of operations (CONOPS) | 1.1.0 |
| Planning | PL-8 | Information Security Architecture | Review and update the information security architecture | 1.1.0 |
| Personnel Security | PS-1 | Personnel Security Policy And Procedures | Review and update personnel security policies and procedures | 1.1.0 |
| Personnel Security | PS-2 | Position Risk Designation | Assign risk designations | 1.1.0 |
| Personnel Security | PS-3 | Personnel Screening | Clear personnel with access to classified information | 1.1.0 |
| Personnel Security | PS-3 | Personnel Screening | Implement personnel screening | 1.1.0 |
| Personnel Security | PS-3 | Personnel Screening | Rescreen individuals at a defined frequency | 1.1.0 |
| Personnel Security | PS-3 (3) | Information With Special Protection Measures | Protect special information | 1.1.0 |
| Personnel Security | PS-4 | Personnel Termination | Conduct exit interview upon termination | 1.1.0 |
| Personnel Security | PS-4 | Personnel Termination | Disable authenticators upon termination | 1.1.0 |
| Personnel Security | PS-4 | Personnel Termination | Notify upon termination or transfer | 1.1.0 |
| Personnel Security | PS-4 | Personnel Termination | Protect against and prevent data theft from departing employees | 1.1.0 |
| Personnel Security | PS-4 | Personnel Termination | Retain terminated user data | 1.1.0 |
| Personnel Security | PS-5 | Personnel Transfer | Initiate transfer or reassignment actions | 1.1.0 |
| Personnel Security | PS-5 | Personnel Transfer | Modify access authorizations upon personnel transfer | 1.1.0 |
| Personnel Security | PS-5 | Personnel Transfer | Notify upon termination or transfer | 1.1.0 |
| Personnel Security | PS-5 | Personnel Transfer | Reevaluate access upon personnel transfer | 1.1.0 |
| Personnel Security | PS-6 | Access Agreements | Document organizational access agreements | 1.1.0 |
| Personnel Security | PS-6 | Access Agreements | Enforce rules of behavior and access agreements | 1.1.0 |
| Personnel Security | PS-6 | Access Agreements | Ensure access agreements are signed or resigned timely | 1.1.0 |
| Personnel Security | PS-6 | Access Agreements | Require users to sign access agreement | 1.1.0 |
| Personnel Security | PS-6 | Access Agreements | Update organizational access agreements | 1.1.0 |
| Personnel Security | PS-7 | Third-Party Personnel Security | Document third-party personnel security requirements | 1.1.0 |
| Personnel Security | PS-7 | Third-Party Personnel Security | Establish third-party personnel security requirements | 1.1.0 |
| Personnel Security | PS-7 | Third-Party Personnel Security | Monitor third-party provider compliance | 1.1.0 |
| Personnel Security | PS-7 | Third-Party Personnel Security | Require notification of third-party personnel transfer or termination | 1.1.0 |
| Personnel Security | PS-7 | Third-Party Personnel Security | Require third-party providers to comply with personnel security policies and procedures | 1.1.0 |
| Personnel Security | PS-8 | Personnel Sanctions | Implement formal sanctions process | 1.1.0 |
| Personnel Security | PS-8 | Personnel Sanctions | Notify personnel upon sanctions | 1.1.0 |
| Risk Assessment | RA-1 | Risk Assessment Policy And Procedures | Review and update risk assessment policies and procedures | 1.1.0 |
| Risk Assessment | RA-2 | Security Categorization | Categorize information | 1.1.0 |
| Risk Assessment | RA-2 | Security Categorization | Develop business classification schemes | 1.1.0 |
| Risk Assessment | RA-2 | Security Categorization | Ensure security categorization is approved | 1.1.0 |
| Risk Assessment | RA-2 | Security Categorization | Review label activity and analytics | 1.1.0 |
| Risk Assessment | RA-3 | Risk Assessment | Conduct Risk Assessment | 1.1.0 |
| Risk Assessment | RA-3 | Risk Assessment | Conduct risk assessment and distribute its results | 1.1.0 |
| Risk Assessment | RA-3 | Risk Assessment | Conduct risk assessment and document its results | 1.1.0 |
| Risk Assessment | RA-3 | Risk Assessment | Perform a risk assessment | 1.1.0 |
| Risk Assessment | RA-5 | Vulnerability Scanning | Azure Defender for App Service should be enabled | 1.0.3 |
| Risk Assessment | RA-5 | Vulnerability Scanning | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Risk Assessment | RA-5 | Vulnerability Scanning | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Risk Assessment | RA-5 | Vulnerability Scanning | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| Risk Assessment | RA-5 | Vulnerability Scanning | Azure Defender for servers should be enabled | 1.0.3 |
| Risk Assessment | RA-5 | Vulnerability Scanning | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Risk Assessment | RA-5 | Vulnerability Scanning | Microsoft Defender for Containers should be enabled | 1.0.0 |
| Risk Assessment | RA-5 | Vulnerability Scanning | Microsoft Defender for Storage should be enabled | 1.0.0 |
| Risk Assessment | RA-5 | Vulnerability Scanning | Perform vulnerability scans | 1.1.0 |
| Risk Assessment | RA-5 | Vulnerability Scanning | Remediate information system flaws | 1.1.0 |
| Risk Assessment | RA-5 (1) | Update Tool Capability | Perform vulnerability scans | 1.1.0 |
| Risk Assessment | RA-5 (1) | Update Tool Capability | Remediate information system flaws | 1.1.0 |
| Risk Assessment | RA-5 (2) | Update By Frequency / Prior To New Scan / When Identified | Perform vulnerability scans | 1.1.0 |
| Risk Assessment | RA-5 (2) | Update By Frequency / Prior To New Scan / When Identified | Remediate information system flaws | 1.1.0 |
| Risk Assessment | RA-5 (3) | Breadth / Depth Of Coverage | Perform vulnerability scans | 1.1.0 |
| Risk Assessment | RA-5 (3) | Breadth / Depth Of Coverage | Remediate information system flaws | 1.1.0 |
| Risk Assessment | RA-5 (5) | Privileged Access | Implement privileged access for executing vulnerability scanning activities | 1.1.0 |
| Risk Assessment | RA-5 (6) | Automated Trend Analyses | Observe and report security weaknesses | 1.1.0 |
| Risk Assessment | RA-5 (6) | Automated Trend Analyses | Perform a trend analysis on threats | 1.1.0 |
| Risk Assessment | RA-5 (6) | Automated Trend Analyses | Perform threat modeling | 1.1.0 |
| Risk Assessment | RA-5 (6) | Automated Trend Analyses | Perform vulnerability scans | 1.1.0 |
| Risk Assessment | RA-5 (6) | Automated Trend Analyses | Remediate information system flaws | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Audit privileged functions | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Audit user account status | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Correlate audit records | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Determine auditable events | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Establish requirements for audit review and reporting | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Integrate audit review, analysis, and reporting | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Integrate cloud app security with a siem | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Review account provisioning logs | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Review administrator assignments weekly | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Review audit data | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Review cloud identity report overview | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Review controlled folder access events | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Review exploit protection events | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Review file and folder activity | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Review role group changes weekly | 1.1.0 |
| System And Services Acquisition | SA-1 | System And Services Acquisition Policy And Procedures | Review and update system and services acquisition policies and procedures | 1.1.0 |
| System And Services Acquisition | SA-2 | Allocation Of Resources | Align business objectives and IT goals | 1.1.0 |
| System And Services Acquisition | SA-2 | Allocation Of Resources | Allocate resources in determining information system requirements | 1.1.0 |
| System And Services Acquisition | SA-2 | Allocation Of Resources | Establish a discrete line item in budgeting documentation | 1.1.0 |
| System And Services Acquisition | SA-2 | Allocation Of Resources | Establish a privacy program | 1.1.0 |
| System And Services Acquisition | SA-2 | Allocation Of Resources | Govern the allocation of resources | 1.1.0 |
| System And Services Acquisition | SA-2 | Allocation Of Resources | Secure commitment from leadership | 1.1.0 |
| System And Services Acquisition | SA-3 | System Development Life Cycle | Define information security roles and responsibilities | 1.1.0 |
| System And Services Acquisition | SA-3 | System Development Life Cycle | Identify individuals with security roles and responsibilities | 1.1.1 |
| System And Services Acquisition | SA-3 | System Development Life Cycle | Integrate risk management process into SDLC | 1.1.0 |
| System And Services Acquisition | SA-4 | Acquisition Process | Determine supplier contract obligations | 1.1.0 |
| System And Services Acquisition | SA-4 | Acquisition Process | Document acquisition contract acceptance criteria | 1.1.0 |
| System And Services Acquisition | SA-4 | Acquisition Process | Document protection of personal data in acquisition contracts | 1.1.0 |
| System And Services Acquisition | SA-4 | Acquisition Process | Document protection of security information in acquisition contracts | 1.1.0 |
| System And Services Acquisition | SA-4 | Acquisition Process | Document requirements for the use of shared data in contracts | 1.1.0 |
| System And Services Acquisition | SA-4 | Acquisition Process | Document security assurance requirements in acquisition contracts | 1.1.0 |
| System And Services Acquisition | SA-4 | Acquisition Process | Document security documentation requirements in acquisition contract | 1.1.0 |
| System And Services Acquisition | SA-4 | Acquisition Process | Document security functional requirements in acquisition contracts | 1.1.0 |
| System And Services Acquisition | SA-4 | Acquisition Process | Document security strength requirements in acquisition contracts | 1.1.0 |
| System And Services Acquisition | SA-4 | Acquisition Process | Document the information system environment in acquisition contracts | 1.1.0 |
| System And Services Acquisition | SA-4 | Acquisition Process | Document the protection of cardholder data in third party contracts | 1.1.0 |
| System And Services Acquisition | SA-4 (1) | Functional Properties Of Security Controls | Obtain functional properties of security controls | 1.1.0 |
| System And Services Acquisition | SA-4 (2) | Design / Implementation Information For Security Controls | Obtain design and implementation information for the security controls | 1.1.1 |
| System And Services Acquisition | SA-4 (8) | Continuous Monitoring Plan | Obtain continuous monitoring plan for security controls | 1.1.0 |
| System And Services Acquisition | SA-4 (9) | Functions / Ports / Protocols / Services In Use | Require developer to identify SDLC ports, protocols, and services | 1.1.0 |
| System And Services Acquisition | SA-4 (10) | Use Of Approved Piv Products | Employ FIPS 201-approved technology for PIV | 1.1.0 |
| System And Services Acquisition | SA-5 | Information System Documentation | Distribute information system documentation | 1.1.0 |
| System And Services Acquisition | SA-5 | Information System Documentation | Document customer-defined actions | 1.1.0 |
| System And Services Acquisition | SA-5 | Information System Documentation | Obtain Admin documentation | 1.1.0 |
| System And Services Acquisition | SA-5 | Information System Documentation | Obtain user security function documentation | 1.1.0 |
| System And Services Acquisition | SA-5 | Information System Documentation | Protect administrator and user documentation | 1.1.0 |
| System And Services Acquisition | SA-9 | External Information System Services | Define and document government oversight | 1.1.0 |
| System And Services Acquisition | SA-9 | External Information System Services | Require external service providers to comply with security requirements | 1.1.0 |
| System And Services Acquisition | SA-9 | External Information System Services | Review cloud service provider's compliance with policies and agreements | 1.1.0 |
| System And Services Acquisition | SA-9 | External Information System Services | Undergo independent security review | 1.1.0 |
| System And Services Acquisition | SA-9 (1) | Risk Assessments / Organizational Approvals | Assess risk in third party relationships | 1.1.0 |
| System And Services Acquisition | SA-9 (1) | Risk Assessments / Organizational Approvals | Obtain approvals for acquisitions and outsourcing | 1.1.0 |
| System And Services Acquisition | SA-9 (2) | Identification Of Functions / Ports / Protocols / Services | Identify external service providers | 1.1.0 |
| System And Services Acquisition | SA-9 (4) | Consistent Interests Of Consumers And Providers | Ensure external providers consistently meet interests of the customers | 1.1.0 |
| System And Services Acquisition | SA-9 (5) | Processing, Storage, And Service Location | Restrict location of information processing, storage and services | 1.1.0 |
| System And Services Acquisition | SA-10 | Developer Configuration Management | Address coding vulnerabilities | 1.1.0 |
| System And Services Acquisition | SA-10 | Developer Configuration Management | Develop and document application security requirements | 1.1.0 |
| System And Services Acquisition | SA-10 | Developer Configuration Management | Document the information system environment in acquisition contracts | 1.1.0 |
| System And Services Acquisition | SA-10 | Developer Configuration Management | Establish a secure software development program | 1.1.0 |
| System And Services Acquisition | SA-10 | Developer Configuration Management | Perform vulnerability scans | 1.1.0 |
| System And Services Acquisition | SA-10 | Developer Configuration Management | Remediate information system flaws | 1.1.0 |
| System And Services Acquisition | SA-10 | Developer Configuration Management | Require developers to document approved changes and potential impact | 1.1.0 |
| System And Services Acquisition | SA-10 | Developer Configuration Management | Require developers to implement only approved changes | 1.1.0 |
| System And Services Acquisition | SA-10 | Developer Configuration Management | Require developers to manage change integrity | 1.1.0 |
| System And Services Acquisition | SA-10 (1) | Software / Firmware Integrity Verification | Verify software, firmware and information integrity | 1.1.0 |
| System And Services Acquisition | SA-11 | Developer Security Testing And Evaluation | Perform vulnerability scans | 1.1.0 |
| System And Services Acquisition | SA-11 | Developer Security Testing And Evaluation | Remediate information system flaws | 1.1.0 |
| System And Services Acquisition | SA-11 | Developer Security Testing And Evaluation | Require developers to produce evidence of security assessment plan execution | 1.1.0 |
| System And Communications Protection | SC-1 | System And Communications Protection Policy And Procedures | Review and update system and communications protection policies and procedures | 1.1.0 |
| System And Communications Protection | SC-2 | Application Partitioning | Authorize remote access | 1.1.0 |
| System And Communications Protection | SC-2 | Application Partitioning | Separate user and information system management functionality | 1.1.0 |
| System And Communications Protection | SC-2 | Application Partitioning | Use dedicated machines for administrative tasks | 1.1.0 |
| System And Communications Protection | SC-5 | Denial Of Service Protection | Develop and document a DDoS response plan | 1.1.0 |
| System And Communications Protection | SC-6 | Resource Availability | Govern the allocation of resources | 1.1.0 |
| System And Communications Protection | SC-6 | Resource Availability | Manage availability and capacity | 1.1.0 |
| System And Communications Protection | SC-6 | Resource Availability | Secure commitment from leadership | 1.1.0 |
| System And Communications Protection | SC-7 | Boundary Protection | Implement system boundary protection | 1.1.0 |
| System And Communications Protection | SC-7 (4) | External Telecommunications Services | Implement managed interface for each external service | 1.1.0 |
| System And Communications Protection | SC-7 (4) | External Telecommunications Services | Implement system boundary protection | 1.1.0 |
| System And Communications Protection | SC-7 (4) | External Telecommunications Services | Secure the interface to external systems | 1.1.0 |
| System And Communications Protection | SC-7 (7) | Prevent Split Tunneling For Remote Devices | Prevent split tunneling for remote devices | 1.1.0 |
| System And Communications Protection | SC-7 (8) | Route Traffic To Authenticated Proxy Servers | Route traffic through authenticated proxy network | 1.1.0 |
| System And Communications Protection | SC-7 (12) | Host-Based Protection | Implement system boundary protection | 1.1.0 |
| System And Communications Protection | SC-7 (13) | Isolation Of Security Tools / Mechanisms / Support Components | Isolate SecurID systems, Security Incident Management systems | 1.1.0 |
| System And Communications Protection | SC-7 (18) | Fail Secure | Implement system boundary protection | 1.1.0 |
| System And Communications Protection | SC-7 (18) | Fail Secure | Manage transfers between standby and active system components | 1.1.0 |
| System And Communications Protection | SC-8 | Transmission Confidentiality And Integrity | Protect data in transit using encryption | 1.1.0 |
| System And Communications Protection | SC-8 | Transmission Confidentiality And Integrity | Protect passwords with encryption | 1.1.0 |
| System And Communications Protection | SC-8 (1) | Cryptographic Or Alternate Physical Protection | Configure workstations to check for digital certificates | 1.1.0 |
| System And Communications Protection | SC-10 | Network Disconnect | Reauthenticate or terminate a user session | 1.1.0 |
| System And Communications Protection | SC-12 | Cryptographic Key Establishment And Management | Define a physical key management process | 1.1.0 |
| System And Communications Protection | SC-12 | Cryptographic Key Establishment And Management | Define cryptographic use | 1.1.0 |
| System And Communications Protection | SC-12 | Cryptographic Key Establishment And Management | Define organizational requirements for cryptographic key management | 1.1.0 |
| System And Communications Protection | SC-12 | Cryptographic Key Establishment And Management | Determine assertion requirements | 1.1.0 |
| System And Communications Protection | SC-12 | Cryptographic Key Establishment And Management | Issue public key certificates | 1.1.0 |
| System And Communications Protection | SC-12 | Cryptographic Key Establishment And Management | Manage symmetric cryptographic keys | 1.1.0 |
| System And Communications Protection | SC-12 | Cryptographic Key Establishment And Management | Restrict access to private keys | 1.1.0 |
| System And Communications Protection | SC-12 (2) | Symmetric Keys | Produce, control and distribute symmetric cryptographic keys | 1.1.0 |
| System And Communications Protection | SC-12 (3) | Asymmetric Keys | Produce, control and distribute asymmetric cryptographic keys | 1.1.0 |
| System And Communications Protection | SC-13 | Cryptographic Protection | Define cryptographic use | 1.1.0 |
| System And Communications Protection | SC-15 | Collaborative Computing Devices | Explicitly notify use of collaborative computing devices | 1.1.1 |
| System And Communications Protection | SC-15 | Collaborative Computing Devices | Prohibit remote activation of collaborative computing devices | 1.1.0 |
| System And Communications Protection | SC-17 | Public Key Infrastructure Certificates | Issue public key certificates | 1.1.0 |
| System And Communications Protection | SC-18 | Mobile Code | Authorize, monitor, and control usage of mobile code technologies | 1.1.0 |
| System And Communications Protection | SC-18 | Mobile Code | Define acceptable and unacceptable mobile code technologies | 1.1.0 |
| System And Communications Protection | SC-18 | Mobile Code | Establish usage restrictions for mobile code technologies | 1.1.0 |
| System And Communications Protection | SC-19 | Voice Over Internet Protocol | Authorize, monitor, and control voip | 1.1.0 |
| System And Communications Protection | SC-19 | Voice Over Internet Protocol | Establish voip usage restrictions | 1.1.0 |
| System And Communications Protection | SC-20 | Secure Name / Address Resolution Service (Authoritative Source) | Implement a fault tolerant name/address service | 1.1.0 |
| System And Communications Protection | SC-20 | Secure Name / Address Resolution Service (Authoritative Source) | Provide secure name and address resolution services | 1.1.0 |
| System And Communications Protection | SC-21 | Secure Name /Address Resolution Service (Recursive Or Caching Resolver) | Implement a fault tolerant name/address service | 1.1.0 |
| System And Communications Protection | SC-21 | Secure Name /Address Resolution Service (Recursive Or Caching Resolver) | Verify software, firmware and information integrity | 1.1.0 |
| System And Communications Protection | SC-22 | Architecture And Provisioning For Name/Address Resolution Service | Implement a fault tolerant name/address service | 1.1.0 |
| System And Communications Protection | SC-23 | Session Authenticity | Configure workstations to check for digital certificates | 1.1.0 |
| System And Communications Protection | SC-23 | Session Authenticity | Enforce random unique session identifiers | 1.1.0 |
| System And Communications Protection | SC-28 | Protection Of Information At Rest | Establish a data leakage management procedure | 1.1.0 |
| System And Communications Protection | SC-28 | Protection Of Information At Rest | Protect special information | 1.1.0 |
| System And Communications Protection | SC-28 (1) | Cryptographic Protection | Implement controls to secure all media | 1.1.0 |
| System And Communications Protection | SC-28 (1) | Cryptographic Protection | Protect data in transit using encryption | 1.1.0 |
| System And Communications Protection | SC-39 | Process Isolation | Maintain separate execution domains for running processes | 1.1.0 |
| System And Information Integrity | SI-1 | System And Information Integrity Policy And Procedures | Review and update information integrity policies and procedures | 1.1.0 |
| System And Information Integrity | SI-2 | Flaw Remediation | Azure Defender for App Service should be enabled | 1.0.3 |
| System And Information Integrity | SI-2 | Flaw Remediation | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| System And Information Integrity | SI-2 | Flaw Remediation | Azure Defender for Key Vault should be enabled | 1.0.3 |
| System And Information Integrity | SI-2 | Flaw Remediation | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| System And Information Integrity | SI-2 | Flaw Remediation | Azure Defender for servers should be enabled | 1.0.3 |
| System And Information Integrity | SI-2 | Flaw Remediation | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| System And Information Integrity | SI-2 | Flaw Remediation | Incorporate flaw remediation into configuration management | 1.1.0 |
| System And Information Integrity | SI-2 | Flaw Remediation | Microsoft Defender for Containers should be enabled | 1.0.0 |
| System And Information Integrity | SI-2 | Flaw Remediation | Microsoft Defender for Storage should be enabled | 1.0.0 |
| System And Information Integrity | SI-2 | Flaw Remediation | Remediate information system flaws | 1.1.0 |
| System And Information Integrity | SI-2 (2) | Automated Flaw Remediation Status | Automate flaw remediation | 1.1.0 |
| System And Information Integrity | SI-2 (2) | Automated Flaw Remediation Status | Remediate information system flaws | 1.1.0 |
| System And Information Integrity | SI-2 (3) | Time To Remediate Flaws / Benchmarks For Corrective Actions | Establish benchmarks for flaw remediation | 1.1.0 |
| System And Information Integrity | SI-2 (3) | Time To Remediate Flaws / Benchmarks For Corrective Actions | Measure the time between flaw identification and flaw remediation | 1.1.0 |
| System And Information Integrity | SI-3 | Malicious Code Protection | Azure Defender for servers should be enabled | 1.0.3 |
| System And Information Integrity | SI-3 | Malicious Code Protection | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| System And Information Integrity | SI-3 | Malicious Code Protection | Manage gateways | 1.1.0 |
| System And Information Integrity | SI-3 | Malicious Code Protection | Perform a trend analysis on threats | 1.1.0 |
| System And Information Integrity | SI-3 | Malicious Code Protection | Perform vulnerability scans | 1.1.0 |
| System And Information Integrity | SI-3 | Malicious Code Protection | Review malware detections report weekly | 1.1.0 |
| System And Information Integrity | SI-3 | Malicious Code Protection | Review threat protection status weekly | 1.1.0 |
| System And Information Integrity | SI-3 | Malicious Code Protection | Update antivirus definitions | 1.1.0 |
| System And Information Integrity | SI-3 (1) | Central Management | Azure Defender for servers should be enabled | 1.0.3 |
| System And Information Integrity | SI-3 (1) | Central Management | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| System And Information Integrity | SI-3 (1) | Central Management | Manage gateways | 1.1.0 |
| System And Information Integrity | SI-3 (1) | Central Management | Perform a trend analysis on threats | 1.1.0 |
| System And Information Integrity | SI-3 (1) | Central Management | Perform vulnerability scans | 1.1.0 |
| System And Information Integrity | SI-3 (1) | Central Management | Review malware detections report weekly | 1.1.0 |
| System And Information Integrity | SI-3 (1) | Central Management | Update antivirus definitions | 1.1.0 |
| System And Information Integrity | SI-3 (2) | Automatic Updates | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| System And Information Integrity | SI-3 (2) | Automatic Updates | Manage gateways | 1.1.0 |
| System And Information Integrity | SI-3 (2) | Automatic Updates | Perform a trend analysis on threats | 1.1.0 |
| System And Information Integrity | SI-3 (2) | Automatic Updates | Perform vulnerability scans | 1.1.0 |
| System And Information Integrity | SI-3 (2) | Automatic Updates | Review malware detections report weekly | 1.1.0 |
| System And Information Integrity | SI-3 (2) | Automatic Updates | Update antivirus definitions | 1.1.0 |
| System And Information Integrity | SI-3 (7) | Nonsignature-Based Detection | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| System And Information Integrity | SI-3 (7) | Nonsignature-Based Detection | Manage gateways | 1.1.0 |
| System And Information Integrity | SI-3 (7) | Nonsignature-Based Detection | Perform a trend analysis on threats | 1.1.0 |
| System And Information Integrity | SI-3 (7) | Nonsignature-Based Detection | Perform vulnerability scans | 1.1.0 |
| System And Information Integrity | SI-3 (7) | Nonsignature-Based Detection | Review malware detections report weekly | 1.1.0 |
| System And Information Integrity | SI-3 (7) | Nonsignature-Based Detection | Update antivirus definitions | 1.1.0 |
| System And Information Integrity | SI-4 | Information System Monitoring | Auto provisioning of the Log Analytics agent should be enabled on your subscription | 1.0.1 |
| System And Information Integrity | SI-4 | Information System Monitoring | Azure Defender for App Service should be enabled | 1.0.3 |
| System And Information Integrity | SI-4 | Information System Monitoring | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| System And Information Integrity | SI-4 | Information System Monitoring | Azure Defender for Key Vault should be enabled | 1.0.3 |
| System And Information Integrity | SI-4 | Information System Monitoring | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| System And Information Integrity | SI-4 | Information System Monitoring | Azure Defender for servers should be enabled | 1.0.3 |
| System And Information Integrity | SI-4 | Information System Monitoring | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| System And Information Integrity | SI-4 | Information System Monitoring | Microsoft Defender for Containers should be enabled | 1.0.0 |
| System And Information Integrity | SI-4 | Information System Monitoring | Microsoft Defender for Storage should be enabled | 1.0.0 |
| System And Information Integrity | SI-4 | Information System Monitoring | Obtain legal opinion for monitoring system activities | 1.1.0 |
| System And Information Integrity | SI-4 | Information System Monitoring | Perform a trend analysis on threats | 1.1.0 |
| System And Information Integrity | SI-4 | Information System Monitoring | Provide monitoring information as needed | 1.1.0 |
| System And Information Integrity | SI-4 (2) | Automated Tools For Real-Time Analysis | Document security operations | 1.1.0 |
| System And Information Integrity | SI-4 (2) | Automated Tools For Real-Time Analysis | Turn on sensors for endpoint security solution | 1.1.0 |
| System And Information Integrity | SI-4 (4) | Inbound And Outbound Communications Traffic | Authorize, monitor, and control voip | 1.1.0 |
| System And Information Integrity | SI-4 (4) | Inbound And Outbound Communications Traffic | Implement system boundary protection | 1.1.0 |
| System And Information Integrity | SI-4 (4) | Inbound And Outbound Communications Traffic | Manage gateways | 1.1.0 |
| System And Information Integrity | SI-4 (4) | Inbound And Outbound Communications Traffic | Route traffic through managed network access points | 1.1.0 |
| System And Information Integrity | SI-4 (5) | System-Generated Alerts | Alert personnel of information spillage | 1.1.0 |
| System And Information Integrity | SI-4 (5) | System-Generated Alerts | Develop an incident response plan | 1.1.0 |
| System And Information Integrity | SI-4 (5) | System-Generated Alerts | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| System And Information Integrity | SI-4 (14) | Wireless Intrusion Detection | Document wireless access security controls | 1.1.0 |
| System And Information Integrity | SI-5 | Security Alerts, Advisories, And Directives | Disseminate security alerts to personnel | 1.1.0 |
| System And Information Integrity | SI-5 | Security Alerts, Advisories, And Directives | Establish a threat intelligence program | 1.1.0 |
| System And Information Integrity | SI-5 | Security Alerts, Advisories, And Directives | Generate internal security alerts | 1.1.0 |
| System And Information Integrity | SI-5 | Security Alerts, Advisories, And Directives | Implement security directives | 1.1.0 |
| System And Information Integrity | SI-6 | Security Function Verification | Create alternative actions for identified anomalies | 1.1.0 |
| System And Information Integrity | SI-6 | Security Function Verification | Notify personnel of any failed security verification tests | 1.1.0 |
| System And Information Integrity | SI-6 | Security Function Verification | Perform security function verification at a defined frequency | 1.1.0 |
| System And Information Integrity | SI-6 | Security Function Verification | Verify security functions | 1.1.0 |
| System And Information Integrity | SI-7 | Software, Firmware, And Information Integrity | Verify software, firmware and information integrity | 1.1.0 |
| System And Information Integrity | SI-7 (1) | Integrity Checks | Verify software, firmware and information integrity | 1.1.0 |
| System And Information Integrity | SI-7 (1) | Integrity Checks | View and configure system diagnostic data | 1.1.0 |
| System And Information Integrity | SI-10 | Information Input Validation | Perform information input validation | 1.1.0 |
| System And Information Integrity | SI-11 | Error Handling | Generate error messages | 1.1.0 |
| System And Information Integrity | SI-11 | Error Handling | Reveal error messages | 1.1.0 |
| System And Information Integrity | SI-12 | Information Handling And Retention | Control physical access | 1.1.0 |
| System And Information Integrity | SI-12 | Information Handling And Retention | Manage the input, output, processing, and storage of data | 1.1.0 |
| System And Information Integrity | SI-12 | Information Handling And Retention | Review label activity and analytics | 1.1.0 |
| System And Information Integrity | SI-16 | Memory Protection | Azure Defender for servers should be enabled | 1.0.3 |
HIPAA HITRUST 9.2
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - HIPAA HITRUST 9.2. For more information about this compliance standard, see HIPAA HITRUST 9.2.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| Privilege Management | 1154.01c3System.4 - 01.c | Contractors are provided with minimal system and physical access only after the organization assesses the contractor's ability to comply with its security requirements and the contractor agrees to comply. | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| User Authentication for External Connections | 1117.01j1Organizational.23 - 01.j | Remote access by vendors and business partners (e.g., for remote maintenance) is disabled/deactivated when not in use. | Accounts with write permissions on Azure resources should be MFA enabled | 1.0.0 |
| User Authentication for External Connections | 1173.01j1Organizational.6 - 01.j | If encryption is not used for dial-up connections, the CIO or his/her designated representative provides specific written authorization. | Accounts with write permissions on Azure resources should be MFA enabled | 1.0.0 |
| User Authentication for External Connections | 1174.01j1Organizational.7 - 01.j | The organization protects wireless access to systems containing sensitive information by authenticating both users and devices. | Accounts with read permissions on Azure resources should be MFA enabled | 1.0.0 |
| User Authentication for External Connections | 1176.01j2Organizational.5 - 01.j | The organization requires a callback capability with re-authentication to verify dial-up connections from authorized locations. | Accounts with owner permissions on Azure resources should be MFA enabled | 1.0.0 |
| User Authentication for External Connections | 1177.01j2Organizational.6 - 01.j | User IDs assigned to vendors are reviewed in accordance with the organization's access review policy, at a minimum annually. | Accounts with write permissions on Azure resources should be MFA enabled | 1.0.0 |
| User Identification and Authentication | 11110.01q1Organizational.6 - 01.q | Non-organizational users (all information system users other than organizational users, such as patients, customers, contractors, or foreign nationals), or processes acting on behalf of non-organizational users, determined to need access to information residing on the organization's information systems, are uniquely identified and authenticated. | Accounts with write permissions on Azure resources should be MFA enabled | 1.0.0 |
| User Identification and Authentication | 11208.01q1Organizational.8 - 01.q | The organization requires that electronic signatures, unique to one individual, cannot be reused by, or reassigned to, anyone else. | There should be more than one owner assigned to your subscription | 3.0.0 |
| 01 Information Protection Program | 0101.00a1Organizational.123-00.a | 0101.00a1Organizational.123-00.a 0.01 Information Security Management Program | Develop a concept of operations (CONOPS) | 1.1.0 |
| 01 Information Protection Program | 0101.00a1Organizational.123-00.a | 0101.00a1Organizational.123-00.a 0.01 Information Security Management Program | Establish an information security program | 1.1.0 |
| 01 Information Protection Program | 0101.00a1Organizational.123-00.a | 0101.00a1Organizational.123-00.a 0.01 Information Security Management Program | Protect the information security program plan | 1.1.0 |
| 01 Information Protection Program | 0101.00a1Organizational.123-00.a | 0101.00a1Organizational.123-00.a 0.01 Information Security Management Program | Review and update the information security architecture | 1.1.0 |
| 01 Information Protection Program | 0101.00a1Organizational.123-00.a | 0101.00a1Organizational.123-00.a 0.01 Information Security Management Program | Update information security policies | 1.1.0 |
| 01 Information Protection Program | 0102.00a2Organizational.123-00.a | 0102.00a2Organizational.123-00.a 0.01 Information Security Management Program | Establish an information security program | 1.1.0 |
| 01 Information Protection Program | 0102.00a2Organizational.123-00.a | 0102.00a2Organizational.123-00.a 0.01 Information Security Management Program | Review and update the information security architecture | 1.1.0 |
| 01 Information Protection Program | 0102.00a2Organizational.123-00.a | 0102.00a2Organizational.123-00.a 0.01 Information Security Management Program | Update information security policies | 1.1.0 |
| 01 Information Protection Program | 0103.00a3Organizational.1234567-00.a | 0103.00a3Organizational.1234567-00.a 0.01 Information Security Management Program | Develop and establish a system security plan | 1.1.0 |
| 01 Information Protection Program | 0103.00a3Organizational.1234567-00.a | 0103.00a3Organizational.1234567-00.a 0.01 Information Security Management Program | Establish security requirements for the manufacturing of connected devices | 1.1.0 |
| 01 Information Protection Program | 0103.00a3Organizational.1234567-00.a | 0103.00a3Organizational.1234567-00.a 0.01 Information Security Management Program | Implement security engineering principles of information systems | 1.1.0 |
| 01 Information Protection Program | 0104.02a1Organizational.12-02.a | 0104.02a1Organizational.12-02.a 02.01 Prior to Employment | Define information security roles and responsibilities | 1.1.0 |
| 01 Information Protection Program | 0104.02a1Organizational.12-02.a | 0104.02a1Organizational.12-02.a 02.01 Prior to Employment | Develop acceptable use policies and procedures | 1.1.0 |
| 01 Information Protection Program | 0104.02a1Organizational.12-02.a | 0104.02a1Organizational.12-02.a 02.01 Prior to Employment | Develop organization code of conduct policy | 1.1.0 |
| 01 Information Protection Program | 0104.02a1Organizational.12-02.a | 0104.02a1Organizational.12-02.a 02.01 Prior to Employment | Document personnel acceptance of privacy requirements | 1.1.0 |
| 01 Information Protection Program | 0104.02a1Organizational.12-02.a | 0104.02a1Organizational.12-02.a 02.01 Prior to Employment | Enforce rules of behavior and access agreements | 1.1.0 |
| 01 Information Protection Program | 0104.02a1Organizational.12-02.a | 0104.02a1Organizational.12-02.a 02.01 Prior to Employment | Identify individuals with security roles and responsibilities | 1.1.1 |
| 01 Information Protection Program | 0104.02a1Organizational.12-02.a | 0104.02a1Organizational.12-02.a 02.01 Prior to Employment | Prohibit unfair practices | 1.1.0 |
| 01 Information Protection Program | 0104.02a1Organizational.12-02.a | 0104.02a1Organizational.12-02.a 02.01 Prior to Employment | Provide periodic role-based security training | 1.1.0 |
| 01 Information Protection Program | 0104.02a1Organizational.12-02.a | 0104.02a1Organizational.12-02.a 02.01 Prior to Employment | Provide role-based security training | 1.1.0 |
| 01 Information Protection Program | 0104.02a1Organizational.12-02.a | 0104.02a1Organizational.12-02.a 02.01 Prior to Employment | Provide security training before providing access | 1.1.0 |
| 01 Information Protection Program | 0104.02a1Organizational.12-02.a | 0104.02a1Organizational.12-02.a 02.01 Prior to Employment | Review and sign revised rules of behavior | 1.1.0 |
| 01 Information Protection Program | 0104.02a1Organizational.12-02.a | 0104.02a1Organizational.12-02.a 02.01 Prior to Employment | Update information security policies | 1.1.0 |
| 01 Information Protection Program | 0104.02a1Organizational.12-02.a | 0104.02a1Organizational.12-02.a 02.01 Prior to Employment | Update rules of behavior and access agreements | 1.1.0 |
| 01 Information Protection Program | 0104.02a1Organizational.12-02.a | 0104.02a1Organizational.12-02.a 02.01 Prior to Employment | Update rules of behavior and access agreements every 3 years | 1.1.0 |
| 01 Information Protection Program | 0105.02a2Organizational.1-02.a | 0105.02a2Organizational.1-02.a 02.01 Prior to Employment | Assign risk designations | 1.1.0 |
| 01 Information Protection Program | 0105.02a2Organizational.1-02.a | 0105.02a2Organizational.1-02.a 02.01 Prior to Employment | Clear personnel with access to classified information | 1.1.0 |
| 01 Information Protection Program | 0105.02a2Organizational.1-02.a | 0105.02a2Organizational.1-02.a 02.01 Prior to Employment | Implement personnel screening | 1.1.0 |
| 01 Information Protection Program | 0105.02a2Organizational.1-02.a | 0105.02a2Organizational.1-02.a 02.01 Prior to Employment | Monitor third-party provider compliance | 1.1.0 |
| 01 Information Protection Program | 0105.02a2Organizational.1-02.a | 0105.02a2Organizational.1-02.a 02.01 Prior to Employment | Protect special information | 1.1.0 |
| 01 Information Protection Program | 0105.02a2Organizational.1-02.a | 0105.02a2Organizational.1-02.a 02.01 Prior to Employment | Rescreen individuals at a defined frequency | 1.1.0 |
| 01 Information Protection Program | 0106.02a2Organizational.23-02.a | 0106.02a2Organizational.23-02.a 02.01 Prior to Employment | Clear personnel with access to classified information | 1.1.0 |
| 01 Information Protection Program | 0106.02a2Organizational.23-02.a | 0106.02a2Organizational.23-02.a 02.01 Prior to Employment | Implement personnel screening | 1.1.0 |
| 01 Information Protection Program | 0106.02a2Organizational.23-02.a | 0106.02a2Organizational.23-02.a 02.01 Prior to Employment | Protect special information | 1.1.0 |
| 01 Information Protection Program | 0106.02a2Organizational.23-02.a | 0106.02a2Organizational.23-02.a 02.01 Prior to Employment | Rescreen individuals at a defined frequency | 1.1.0 |
| 01 Information Protection Program | 0107.02d1Organizational.1-02.d | 0107.02d1Organizational.1-02.d 02.03 During Employment | Establish information security workforce development and improvement program | 1.1.0 |
| 01 Information Protection Program | 0108.02d1Organizational.23-02.d | 0108.02d1Organizational.23-02.d 02.03 During Employment | Document security and privacy training activities | 1.1.0 |
| 01 Information Protection Program | 0108.02d1Organizational.23-02.d | 0108.02d1Organizational.23-02.d 02.03 During Employment | Implement security testing, training, and monitoring plans | 1.1.0 |
| 01 Information Protection Program | 0108.02d1Organizational.23-02.d | 0108.02d1Organizational.23-02.d 02.03 During Employment | Monitor security and privacy training completion | 1.1.0 |
| 01 Information Protection Program | 0108.02d1Organizational.23-02.d | 0108.02d1Organizational.23-02.d 02.03 During Employment | Provide periodic role-based security training | 1.1.0 |
| 01 Information Protection Program | 0108.02d1Organizational.23-02.d | 0108.02d1Organizational.23-02.d 02.03 During Employment | Provide security training before providing access | 1.1.0 |
| 01 Information Protection Program | 0108.02d1Organizational.23-02.d | 0108.02d1Organizational.23-02.d 02.03 During Employment | Require developers to provide training | 1.1.0 |
| 01 Information Protection Program | 0108.02d1Organizational.23-02.d | 0108.02d1Organizational.23-02.d 02.03 During Employment | Retain training records | 1.1.0 |
| 01 Information Protection Program | 0108.02d1Organizational.23-02.d | 0108.02d1Organizational.23-02.d 02.03 During Employment | Review security testing, training, and monitoring plans | 1.1.0 |
| 01 Information Protection Program | 0109.02d1Organizational.4-02.d | 0109.02d1Organizational.4-02.d 02.03 During Employment | Develop acceptable use policies and procedures | 1.1.0 |
| 01 Information Protection Program | 0109.02d1Organizational.4-02.d | 0109.02d1Organizational.4-02.d 02.03 During Employment | Develop organization code of conduct policy | 1.1.0 |
| 01 Information Protection Program | 0109.02d1Organizational.4-02.d | 0109.02d1Organizational.4-02.d 02.03 During Employment | Document personnel acceptance of privacy requirements | 1.1.0 |
| 01 Information Protection Program | 0109.02d1Organizational.4-02.d | 0109.02d1Organizational.4-02.d 02.03 During Employment | Enforce rules of behavior and access agreements | 1.1.0 |
| 01 Information Protection Program | 0109.02d1Organizational.4-02.d | 0109.02d1Organizational.4-02.d 02.03 During Employment | Implement formal sanctions process | 1.1.0 |
| 01 Information Protection Program | 0109.02d1Organizational.4-02.d | 0109.02d1Organizational.4-02.d 02.03 During Employment | Notify personnel upon sanctions | 1.1.0 |
| 01 Information Protection Program | 0109.02d1Organizational.4-02.d | 0109.02d1Organizational.4-02.d 02.03 During Employment | Prohibit unfair practices | 1.1.0 |
| 01 Information Protection Program | 0109.02d1Organizational.4-02.d | 0109.02d1Organizational.4-02.d 02.03 During Employment | Provide periodic role-based security training | 1.1.0 |
| 01 Information Protection Program | 0109.02d1Organizational.4-02.d | 0109.02d1Organizational.4-02.d 02.03 During Employment | Provide periodic security awareness training | 1.1.0 |
| 01 Information Protection Program | 0109.02d1Organizational.4-02.d | 0109.02d1Organizational.4-02.d 02.03 During Employment | Provide role-based practical exercises | 1.1.0 |
| 01 Information Protection Program | 0109.02d1Organizational.4-02.d | 0109.02d1Organizational.4-02.d 02.03 During Employment | Provide role-based security training | 1.1.0 |
| 01 Information Protection Program | 0109.02d1Organizational.4-02.d | 0109.02d1Organizational.4-02.d 02.03 During Employment | Provide role-based training on suspicious activities | 1.1.0 |
| 01 Information Protection Program | 0109.02d1Organizational.4-02.d | 0109.02d1Organizational.4-02.d 02.03 During Employment | Provide security awareness training for insider threats | 1.1.0 |
| 01 Information Protection Program | 0109.02d1Organizational.4-02.d | 0109.02d1Organizational.4-02.d 02.03 During Employment | Provide security training before providing access | 1.1.0 |
| 01 Information Protection Program | 0109.02d1Organizational.4-02.d | 0109.02d1Organizational.4-02.d 02.03 During Employment | Provide security training for new users | 1.1.0 |
| 01 Information Protection Program | 0109.02d1Organizational.4-02.d | 0109.02d1Organizational.4-02.d 02.03 During Employment | Provide updated security awareness training | 1.1.0 |
| 01 Information Protection Program | 0109.02d1Organizational.4-02.d | 0109.02d1Organizational.4-02.d 02.03 During Employment | Review and sign revised rules of behavior | 1.1.0 |
| 01 Information Protection Program | 0109.02d1Organizational.4-02.d | 0109.02d1Organizational.4-02.d 02.03 During Employment | Update information security policies | 1.1.0 |
| 01 Information Protection Program | 0109.02d1Organizational.4-02.d | 0109.02d1Organizational.4-02.d 02.03 During Employment | Update rules of behavior and access agreements | 1.1.0 |
| 01 Information Protection Program | 0109.02d1Organizational.4-02.d | 0109.02d1Organizational.4-02.d 02.03 During Employment | Update rules of behavior and access agreements every 3 years | 1.1.0 |
| 01 Information Protection Program | 0110.02d2Organizational.1-02.d | 0110.02d2Organizational.1-02.d 02.03 During Employment | Appoint a senior information security officer | 1.1.0 |
| 01 Information Protection Program | 0110.02d2Organizational.1-02.d | 0110.02d2Organizational.1-02.d 02.03 During Employment | Establish information security workforce development and improvement program | 1.1.0 |
| 01 Information Protection Program | 0111.02d2Organizational.2-02.d | 0111.02d2Organizational.2-02.d 02.03 During Employment | Document third-party personnel security requirements | 1.1.0 |
| 01 Information Protection Program | 0111.02d2Organizational.2-02.d | 0111.02d2Organizational.2-02.d 02.03 During Employment | Establish third-party personnel security requirements | 1.1.0 |
| 01 Information Protection Program | 0111.02d2Organizational.2-02.d | 0111.02d2Organizational.2-02.d 02.03 During Employment | Monitor third-party provider compliance | 1.1.0 |
| 01 Information Protection Program | 0111.02d2Organizational.2-02.d | 0111.02d2Organizational.2-02.d 02.03 During Employment | Provide periodic security awareness training | 1.1.0 |
| 01 Information Protection Program | 0111.02d2Organizational.2-02.d | 0111.02d2Organizational.2-02.d 02.03 During Employment | Provide security awareness training for insider threats | 1.1.0 |
| 01 Information Protection Program | 0111.02d2Organizational.2-02.d | 0111.02d2Organizational.2-02.d 02.03 During Employment | Provide security training for new users | 1.1.0 |
| 01 Information Protection Program | 0111.02d2Organizational.2-02.d | 0111.02d2Organizational.2-02.d 02.03 During Employment | Provide updated security awareness training | 1.1.0 |
| 01 Information Protection Program | 0111.02d2Organizational.2-02.d | 0111.02d2Organizational.2-02.d 02.03 During Employment | Require notification of third-party personnel transfer or termination | 1.1.0 |
| 01 Information Protection Program | 0111.02d2Organizational.2-02.d | 0111.02d2Organizational.2-02.d 02.03 During Employment | Require third-party providers to comply with personnel security policies and procedures | 1.1.0 |
| 01 Information Protection Program | 01110.05a1Organizational.5-05.a | 01110.05a1Organizational.5-05.a 05.01 Internal Organization | Appoint a senior information security officer | 1.1.0 |
| 01 Information Protection Program | 01110.05a1Organizational.5-05.a | 01110.05a1Organizational.5-05.a 05.01 Internal Organization | Document third-party personnel security requirements | 1.1.0 |
| 01 Information Protection Program | 01110.05a1Organizational.5-05.a | 01110.05a1Organizational.5-05.a 05.01 Internal Organization | Establish third-party personnel security requirements | 1.1.0 |
| 01 Information Protection Program | 01110.05a1Organizational.5-05.a | 01110.05a1Organizational.5-05.a 05.01 Internal Organization | Require third-party providers to comply with personnel security policies and procedures | 1.1.0 |
| 01 Information Protection Program | 01111.05a2Organizational.5-05.a | 01111.05a2Organizational.5-05.a 05.01 Internal Organization | Appoint a senior information security officer | 1.1.0 |
| 01 Information Protection Program | 0112.02d2Organizational.3-02.d | 0112.02d2Organizational.3-02.d 02.03 During Employment | Develop acceptable use policies and procedures | 1.1.0 |
| 01 Information Protection Program | 0112.02d2Organizational.3-02.d | 0112.02d2Organizational.3-02.d 02.03 During Employment | Enforce appropriate usage of all accounts | 1.1.0 |
| 01 Information Protection Program | 0112.02d2Organizational.3-02.d | 0112.02d2Organizational.3-02.d 02.03 During Employment | Enforce rules of behavior and access agreements | 1.1.0 |
| 01 Information Protection Program | 0112.02d2Organizational.3-02.d | 0112.02d2Organizational.3-02.d 02.03 During Employment | Establish usage restrictions for mobile code technologies | 1.1.0 |
| 01 Information Protection Program | 0112.02d2Organizational.3-02.d | 0112.02d2Organizational.3-02.d 02.03 During Employment | Monitor account activity | 1.1.0 |
| 01 Information Protection Program | 0112.02d2Organizational.3-02.d | 0112.02d2Organizational.3-02.d 02.03 During Employment | Require compliance with intellectual property rights | 1.1.0 |
| 01 Information Protection Program | 0112.02d2Organizational.3-02.d | 0112.02d2Organizational.3-02.d 02.03 During Employment | Track software license usage | 1.1.0 |
| 01 Information Protection Program | 0113.04a1Organizational.123-04.a | 0113.04a1Organizational.123-04.a 04.01 Information Security Policy | Establish an information security program | 1.1.0 |
| 01 Information Protection Program | 0113.04a1Organizational.123-04.a | 0113.04a1Organizational.123-04.a 04.01 Information Security Policy | Protect the information security program plan | 1.1.0 |
| 01 Information Protection Program | 0113.04a1Organizational.123-04.a | 0113.04a1Organizational.123-04.a 04.01 Information Security Policy | Update information security policies | 1.1.0 |
| 01 Information Protection Program | 0114.04b1Organizational.1-04.b | 0114.04b1Organizational.1-04.b 04.01 Information Security Policy | Develop audit and accountability policies and procedures | 1.1.0 |
| 01 Information Protection Program | 0114.04b1Organizational.1-04.b | 0114.04b1Organizational.1-04.b 04.01 Information Security Policy | Develop information security policies and procedures | 1.1.0 |
| 01 Information Protection Program | 0114.04b1Organizational.1-04.b | 0114.04b1Organizational.1-04.b 04.01 Information Security Policy | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 01 Information Protection Program | 0114.04b1Organizational.1-04.b | 0114.04b1Organizational.1-04.b 04.01 Information Security Policy | Establish an information security program | 1.1.0 |
| 01 Information Protection Program | 0114.04b1Organizational.1-04.b | 0114.04b1Organizational.1-04.b 04.01 Information Security Policy | Govern policies and procedures | 1.1.0 |
| 01 Information Protection Program | 0114.04b1Organizational.1-04.b | 0114.04b1Organizational.1-04.b 04.01 Information Security Policy | Review access control policies and procedures | 1.1.0 |
| 01 Information Protection Program | 0114.04b1Organizational.1-04.b | 0114.04b1Organizational.1-04.b 04.01 Information Security Policy | Review and update system and services acquisition policies and procedures | 1.1.0 |
| 01 Information Protection Program | 0114.04b1Organizational.1-04.b | 0114.04b1Organizational.1-04.b 04.01 Information Security Policy | Review and update system maintenance policies and procedures | 1.1.0 |
| 01 Information Protection Program | 0114.04b1Organizational.1-04.b | 0114.04b1Organizational.1-04.b 04.01 Information Security Policy | Update information security policies | 1.1.0 |
| 01 Information Protection Program | 0115.04b2Organizational.123-04.b | 0115.04b2Organizational.123-04.b 04.01 Information Security Policy | Develop audit and accountability policies and procedures | 1.1.0 |
| 01 Information Protection Program | 0115.04b2Organizational.123-04.b | 0115.04b2Organizational.123-04.b 04.01 Information Security Policy | Develop information security policies and procedures | 1.1.0 |
| 01 Information Protection Program | 0115.04b2Organizational.123-04.b | 0115.04b2Organizational.123-04.b 04.01 Information Security Policy | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 01 Information Protection Program | 0115.04b2Organizational.123-04.b | 0115.04b2Organizational.123-04.b 04.01 Information Security Policy | Govern policies and procedures | 1.1.0 |
| 01 Information Protection Program | 0115.04b2Organizational.123-04.b | 0115.04b2Organizational.123-04.b 04.01 Information Security Policy | Review access control policies and procedures | 1.1.0 |
| 01 Information Protection Program | 0115.04b2Organizational.123-04.b | 0115.04b2Organizational.123-04.b 04.01 Information Security Policy | Review and update configuration management policies and procedures | 1.1.0 |
| 01 Information Protection Program | 0115.04b2Organizational.123-04.b | 0115.04b2Organizational.123-04.b 04.01 Information Security Policy | Review and update contingency planning policies and procedures | 1.1.0 |
| 01 Information Protection Program | 0115.04b2Organizational.123-04.b | 0115.04b2Organizational.123-04.b 04.01 Information Security Policy | Review and update identification and authentication policies and procedures | 1.1.0 |
| 01 Information Protection Program | 0115.04b2Organizational.123-04.b | 0115.04b2Organizational.123-04.b 04.01 Information Security Policy | Review and update incident response policies and procedures | 1.1.0 |
| 01 Information Protection Program | 0115.04b2Organizational.123-04.b | 0115.04b2Organizational.123-04.b 04.01 Information Security Policy | Review and update information integrity policies and procedures | 1.1.0 |
| 01 Information Protection Program | 0115.04b2Organizational.123-04.b | 0115.04b2Organizational.123-04.b 04.01 Information Security Policy | Review and update media protection policies and procedures | 1.1.0 |
| 01 Information Protection Program | 0115.04b2Organizational.123-04.b | 0115.04b2Organizational.123-04.b 04.01 Information Security Policy | Review and update personnel security policies and procedures | 1.1.0 |
| 01 Information Protection Program | 0115.04b2Organizational.123-04.b | 0115.04b2Organizational.123-04.b 04.01 Information Security Policy | Review and update physical and environmental policies and procedures | 1.1.0 |
| 01 Information Protection Program | 0115.04b2Organizational.123-04.b | 0115.04b2Organizational.123-04.b 04.01 Information Security Policy | Review and update planning policies and procedures | 1.1.0 |
| 01 Information Protection Program | 0115.04b2Organizational.123-04.b | 0115.04b2Organizational.123-04.b 04.01 Information Security Policy | Review and update risk assessment policies and procedures | 1.1.0 |
| 01 Information Protection Program | 0115.04b2Organizational.123-04.b | 0115.04b2Organizational.123-04.b 04.01 Information Security Policy | Review and update system and communications protection policies and procedures | 1.1.0 |
| 01 Information Protection Program | 0115.04b2Organizational.123-04.b | 0115.04b2Organizational.123-04.b 04.01 Information Security Policy | Review and update system and services acquisition policies and procedures | 1.1.0 |
| 01 Information Protection Program | 0115.04b2Organizational.123-04.b | 0115.04b2Organizational.123-04.b 04.01 Information Security Policy | Review and update system maintenance policies and procedures | 1.1.0 |
| 01 Information Protection Program | 0115.04b2Organizational.123-04.b | 0115.04b2Organizational.123-04.b 04.01 Information Security Policy | Review security assessment and authorization policies and procedures | 1.1.0 |
| 01 Information Protection Program | 0115.04b2Organizational.123-04.b | 0115.04b2Organizational.123-04.b 04.01 Information Security Policy | Update information security policies | 1.1.0 |
| 01 Information Protection Program | 0116.04b3Organizational.1-04.b | 0116.04b3Organizational.1-04.b 04.01 Information Security Policy | Review and update configuration management policies and procedures | 1.1.0 |
| 01 Information Protection Program | 0116.04b3Organizational.1-04.b | 0116.04b3Organizational.1-04.b 04.01 Information Security Policy | Review and update information integrity policies and procedures | 1.1.0 |
| 01 Information Protection Program | 0116.04b3Organizational.1-04.b | 0116.04b3Organizational.1-04.b 04.01 Information Security Policy | Review and update planning policies and procedures | 1.1.0 |
| 01 Information Protection Program | 0116.04b3Organizational.1-04.b | 0116.04b3Organizational.1-04.b 04.01 Information Security Policy | Review and update system maintenance policies and procedures | 1.1.0 |
| 01 Information Protection Program | 0117.05a1Organizational.1-05.a | 0117.05a1Organizational.1-05.a 05.01 Internal Organization | Appoint a senior information security officer | 1.1.0 |
| 01 Information Protection Program | 0118.05a1Organizational.2-05.a | 0118.05a1Organizational.2-05.a 05.01 Internal Organization | Appoint a senior information security officer | 1.1.0 |
| 01 Information Protection Program | 0118.05a1Organizational.2-05.a | 0118.05a1Organizational.2-05.a 05.01 Internal Organization | Develop and establish a system security plan | 1.1.0 |
| 01 Information Protection Program | 0118.05a1Organizational.2-05.a | 0118.05a1Organizational.2-05.a 05.01 Internal Organization | Establish a privacy program | 1.1.0 |
| 01 Information Protection Program | 0118.05a1Organizational.2-05.a | 0118.05a1Organizational.2-05.a 05.01 Internal Organization | Establish an information security program | 1.1.0 |
| 01 Information Protection Program | 0118.05a1Organizational.2-05.a | 0118.05a1Organizational.2-05.a 05.01 Internal Organization | Establish information security workforce development and improvement program | 1.1.0 |
| 01 Information Protection Program | 0118.05a1Organizational.2-05.a | 0118.05a1Organizational.2-05.a 05.01 Internal Organization | Establish security requirements for the manufacturing of connected devices | 1.1.0 |
| 01 Information Protection Program | 0118.05a1Organizational.2-05.a | 0118.05a1Organizational.2-05.a 05.01 Internal Organization | Implement security engineering principles of information systems | 1.1.0 |
| 01 Information Protection Program | 0118.05a1Organizational.2-05.a | 0118.05a1Organizational.2-05.a 05.01 Internal Organization | Update information security policies | 1.1.0 |
| 01 Information Protection Program | 0119.05a1Organizational.3-05.a | 0119.05a1Organizational.3-05.a 05.01 Internal Organization | Develop and establish a system security plan | 1.1.0 |
| 01 Information Protection Program | 0119.05a1Organizational.3-05.a | 0119.05a1Organizational.3-05.a 05.01 Internal Organization | Develop information security policies and procedures | 1.1.0 |
| 01 Information Protection Program | 0119.05a1Organizational.3-05.a | 0119.05a1Organizational.3-05.a 05.01 Internal Organization | Develop SSP that meets criteria | 1.1.0 |
| 01 Information Protection Program | 0119.05a1Organizational.3-05.a | 0119.05a1Organizational.3-05.a 05.01 Internal Organization | Establish a privacy program | 1.1.0 |
| 01 Information Protection Program | 0119.05a1Organizational.3-05.a | 0119.05a1Organizational.3-05.a 05.01 Internal Organization | Establish security requirements for the manufacturing of connected devices | 1.1.0 |
| 01 Information Protection Program | 0119.05a1Organizational.3-05.a | 0119.05a1Organizational.3-05.a 05.01 Internal Organization | Implement security engineering principles of information systems | 1.1.0 |
| 01 Information Protection Program | 0120.05a1Organizational.4-05.a | 0120.05a1Organizational.4-05.a 05.01 Internal Organization | Align business objectives and IT goals | 1.1.0 |
| 01 Information Protection Program | 0120.05a1Organizational.4-05.a | 0120.05a1Organizational.4-05.a 05.01 Internal Organization | Allocate resources in determining information system requirements | 1.1.0 |
| 01 Information Protection Program | 0120.05a1Organizational.4-05.a | 0120.05a1Organizational.4-05.a 05.01 Internal Organization | Employ business case to record the resources required | 1.1.0 |
| 01 Information Protection Program | 0120.05a1Organizational.4-05.a | 0120.05a1Organizational.4-05.a 05.01 Internal Organization | Ensure capital planning and investment requests include necessary resources | 1.1.0 |
| 01 Information Protection Program | 0120.05a1Organizational.4-05.a | 0120.05a1Organizational.4-05.a 05.01 Internal Organization | Establish a discrete line item in budgeting documentation | 1.1.0 |
| 01 Information Protection Program | 0120.05a1Organizational.4-05.a | 0120.05a1Organizational.4-05.a 05.01 Internal Organization | Establish a privacy program | 1.1.0 |
| 01 Information Protection Program | 0120.05a1Organizational.4-05.a | 0120.05a1Organizational.4-05.a 05.01 Internal Organization | Govern the allocation of resources | 1.1.0 |
| 01 Information Protection Program | 0120.05a1Organizational.4-05.a | 0120.05a1Organizational.4-05.a 05.01 Internal Organization | Secure commitment from leadership | 1.1.0 |
| 01 Information Protection Program | 0121.05a2Organizational.12-05.a | 0121.05a2Organizational.12-05.a 05.01 Internal Organization | Conduct Risk Assessment | 1.1.0 |
| 01 Information Protection Program | 0121.05a2Organizational.12-05.a | 0121.05a2Organizational.12-05.a 05.01 Internal Organization | Conduct risk assessment and distribute its results | 1.1.0 |
| 01 Information Protection Program | 0121.05a2Organizational.12-05.a | 0121.05a2Organizational.12-05.a 05.01 Internal Organization | Conduct risk assessment and document its results | 1.1.0 |
| 01 Information Protection Program | 0121.05a2Organizational.12-05.a | 0121.05a2Organizational.12-05.a 05.01 Internal Organization | Establish a risk management strategy | 1.1.0 |
| 01 Information Protection Program | 0121.05a2Organizational.12-05.a | 0121.05a2Organizational.12-05.a 05.01 Internal Organization | Implement the risk management strategy | 1.1.0 |
| 01 Information Protection Program | 0121.05a2Organizational.12-05.a | 0121.05a2Organizational.12-05.a 05.01 Internal Organization | Review and update risk assessment policies and procedures | 1.1.0 |
| 01 Information Protection Program | 0122.05a2Organizational.3-05.a | 0122.05a2Organizational.3-05.a 05.01 Internal Organization | Define information security roles and responsibilities | 1.1.0 |
| 01 Information Protection Program | 0122.05a2Organizational.3-05.a | 0122.05a2Organizational.3-05.a 05.01 Internal Organization | Identify individuals with security roles and responsibilities | 1.1.1 |
| 01 Information Protection Program | 0122.05a2Organizational.3-05.a | 0122.05a2Organizational.3-05.a 05.01 Internal Organization | Provide periodic role-based security training | 1.1.0 |
| 01 Information Protection Program | 0122.05a2Organizational.3-05.a | 0122.05a2Organizational.3-05.a 05.01 Internal Organization | Provide role-based security training | 1.1.0 |
| 01 Information Protection Program | 0122.05a2Organizational.3-05.a | 0122.05a2Organizational.3-05.a 05.01 Internal Organization | Provide security training before providing access | 1.1.0 |
| 01 Information Protection Program | 0122.05a2Organizational.3-05.a | 0122.05a2Organizational.3-05.a 05.01 Internal Organization | Provide security training for new users | 1.1.0 |
| 01 Information Protection Program | 0123.05a2Organizational.4-05.a | 0123.05a2Organizational.4-05.a 05.01 Internal Organization | Establish a privacy program | 1.1.0 |
| 01 Information Protection Program | 0123.05a2Organizational.4-05.a | 0123.05a2Organizational.4-05.a 05.01 Internal Organization | Manage contacts for authorities and special interest groups | 1.1.0 |
| 01 Information Protection Program | 0124.05a3Organizational.1-05.a | 0124.05a3Organizational.1-05.a 05.01 Internal Organization | Appoint a senior information security officer | 1.1.0 |
| 01 Information Protection Program | 0124.05a3Organizational.1-05.a | 0124.05a3Organizational.1-05.a 05.01 Internal Organization | Document security and privacy training activities | 1.1.0 |
| 01 Information Protection Program | 0125.05a3Organizational.2-05.a | 0125.05a3Organizational.2-05.a 05.01 Internal Organization | Accept assessment results | 1.1.0 |
| 01 Information Protection Program | 0125.05a3Organizational.2-05.a | 0125.05a3Organizational.2-05.a 05.01 Internal Organization | Assess Security Controls | 1.1.0 |
| 01 Information Protection Program | 0125.05a3Organizational.2-05.a | 0125.05a3Organizational.2-05.a 05.01 Internal Organization | Conduct Risk Assessment | 1.1.0 |
| 01 Information Protection Program | 0125.05a3Organizational.2-05.a | 0125.05a3Organizational.2-05.a 05.01 Internal Organization | Conduct risk assessment and distribute its results | 1.1.0 |
| 01 Information Protection Program | 0125.05a3Organizational.2-05.a | 0125.05a3Organizational.2-05.a 05.01 Internal Organization | Conduct risk assessment and document its results | 1.1.0 |
| 01 Information Protection Program | 0125.05a3Organizational.2-05.a | 0125.05a3Organizational.2-05.a 05.01 Internal Organization | Develop security assessment plan | 1.1.0 |
| 01 Information Protection Program | 0125.05a3Organizational.2-05.a | 0125.05a3Organizational.2-05.a 05.01 Internal Organization | Employ independent assessors to conduct security control assessments | 1.1.0 |
| 01 Information Protection Program | 0125.05a3Organizational.2-05.a | 0125.05a3Organizational.2-05.a 05.01 Internal Organization | Perform a risk assessment | 1.1.0 |
| 01 Information Protection Program | 0135.02f1Organizational.56-02.f | 0135.02f1Organizational.56-02.f 02.03 During Employment | Establish information security workforce development and improvement program | 1.1.0 |
| 01 Information Protection Program | 0135.02f1Organizational.56-02.f | 0135.02f1Organizational.56-02.f 02.03 During Employment | Implement formal sanctions process | 1.1.0 |
| 01 Information Protection Program | 0135.02f1Organizational.56-02.f | 0135.02f1Organizational.56-02.f 02.03 During Employment | Notify personnel upon sanctions | 1.1.0 |
| 01 Information Protection Program | 0135.02f1Organizational.56-02.f | 0135.02f1Organizational.56-02.f 02.03 During Employment | Require third-party providers to comply with personnel security policies and procedures | 1.1.0 |
| 01 Information Protection Program | 0137.02a1Organizational.3-02.a | 0137.02a1Organizational.3-02.a 02.01 Prior to Employment | Review and update personnel security policies and procedures | 1.1.0 |
| 01 Information Protection Program | 0162.04b1Organizational.2-04.b | 0162.04b1Organizational.2-04.b 04.01 Information Security Policy | Develop and establish a system security plan | 1.1.0 |
| 01 Information Protection Program | 0162.04b1Organizational.2-04.b | 0162.04b1Organizational.2-04.b 04.01 Information Security Policy | Establish security requirements for the manufacturing of connected devices | 1.1.0 |
| 01 Information Protection Program | 0162.04b1Organizational.2-04.b | 0162.04b1Organizational.2-04.b 04.01 Information Security Policy | Implement security engineering principles of information systems | 1.1.0 |
| 01 Information Protection Program | 0162.04b1Organizational.2-04.b | 0162.04b1Organizational.2-04.b 04.01 Information Security Policy | Review and update information integrity policies and procedures | 1.1.0 |
| 01 Information Protection Program | 0165.05a3Organizational.3-05.a | 0165.05a3Organizational.3-05.a 05.01 Internal Organization | Review and update planning policies and procedures | 1.1.0 |
| 01 Information Protection Program | 0177.05h1Organizational.12-05.h | 0177.05h1Organizational.12-05.h 05.01 Internal Organization | Accept assessment results | 1.1.0 |
| 01 Information Protection Program | 0177.05h1Organizational.12-05.h | 0177.05h1Organizational.12-05.h 05.01 Internal Organization | Assess Security Controls | 1.1.0 |
| 01 Information Protection Program | 0177.05h1Organizational.12-05.h | 0177.05h1Organizational.12-05.h 05.01 Internal Organization | Develop security assessment plan | 1.1.0 |
| 01 Information Protection Program | 0177.05h1Organizational.12-05.h | 0177.05h1Organizational.12-05.h 05.01 Internal Organization | Employ independent assessors to conduct security control assessments | 1.1.0 |
| 01 Information Protection Program | 0177.05h1Organizational.12-05.h | 0177.05h1Organizational.12-05.h 05.01 Internal Organization | Select additional testing for security control assessments | 1.1.0 |
| 01 Information Protection Program | 0178.05h1Organizational.3-05.h | 0178.05h1Organizational.3-05.h 05.01 Internal Organization | Assess Security Controls | 1.1.0 |
| 01 Information Protection Program | 0178.05h1Organizational.3-05.h | 0178.05h1Organizational.3-05.h 05.01 Internal Organization | Deliver security assessment results | 1.1.0 |
| 01 Information Protection Program | 0178.05h1Organizational.3-05.h | 0178.05h1Organizational.3-05.h 05.01 Internal Organization | Produce Security Assessment report | 1.1.0 |
| 01 Information Protection Program | 0179.05h1Organizational.4-05.h | 0179.05h1Organizational.4-05.h 05.01 Internal Organization | Develop POA&M | 1.1.0 |
| 01 Information Protection Program | 0179.05h1Organizational.4-05.h | 0179.05h1Organizational.4-05.h 05.01 Internal Organization | Establish a risk management strategy | 1.1.0 |
| 01 Information Protection Program | 0179.05h1Organizational.4-05.h | 0179.05h1Organizational.4-05.h 05.01 Internal Organization | Implement plans of action and milestones for security program process | 1.1.0 |
| 01 Information Protection Program | 0180.05h2Organizational.1-05.h | 0180.05h2Organizational.1-05.h 05.01 Internal Organization | Assess Security Controls | 1.1.0 |
| 02 Endpoint Protection | 0201.09j1Organizational.124-09.j | 0201.09j1Organizational.124-09.j 09.04 Protection Against Malicious and Mobile Code | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| 02 Endpoint Protection | 0201.09j1Organizational.124-09.j | 0201.09j1Organizational.124-09.j 09.04 Protection Against Malicious and Mobile Code | Detect network services that have not been authorized or approved | 1.1.0 |
| 02 Endpoint Protection | 0201.09j1Organizational.124-09.j | 0201.09j1Organizational.124-09.j 09.04 Protection Against Malicious and Mobile Code | Document wireless access security controls | 1.1.0 |
| 02 Endpoint Protection | 0201.09j1Organizational.124-09.j | 0201.09j1Organizational.124-09.j 09.04 Protection Against Malicious and Mobile Code | Manage gateways | 1.1.0 |
| 02 Endpoint Protection | 0201.09j1Organizational.124-09.j | 0201.09j1Organizational.124-09.j 09.04 Protection Against Malicious and Mobile Code | Observe and report security weaknesses | 1.1.0 |
| 02 Endpoint Protection | 0201.09j1Organizational.124-09.j | 0201.09j1Organizational.124-09.j 09.04 Protection Against Malicious and Mobile Code | Perform a trend analysis on threats | 1.1.0 |
| 02 Endpoint Protection | 0201.09j1Organizational.124-09.j | 0201.09j1Organizational.124-09.j 09.04 Protection Against Malicious and Mobile Code | Perform threat modeling | 1.1.0 |
| 02 Endpoint Protection | 0201.09j1Organizational.124-09.j | 0201.09j1Organizational.124-09.j 09.04 Protection Against Malicious and Mobile Code | Perform vulnerability scans | 1.1.0 |
| 02 Endpoint Protection | 0201.09j1Organizational.124-09.j | 0201.09j1Organizational.124-09.j 09.04 Protection Against Malicious and Mobile Code | Remediate information system flaws | 1.1.0 |
| 02 Endpoint Protection | 0201.09j1Organizational.124-09.j | 0201.09j1Organizational.124-09.j 09.04 Protection Against Malicious and Mobile Code | Review malware detections report weekly | 1.1.0 |
| 02 Endpoint Protection | 0201.09j1Organizational.124-09.j | 0201.09j1Organizational.124-09.j 09.04 Protection Against Malicious and Mobile Code | Review threat protection status weekly | 1.1.0 |
| 02 Endpoint Protection | 0201.09j1Organizational.124-09.j | 0201.09j1Organizational.124-09.j 09.04 Protection Against Malicious and Mobile Code | Update antivirus definitions | 1.1.0 |
| 02 Endpoint Protection | 0202.09j1Organizational.3-09.j | 0202.09j1Organizational.3-09.j 09.04 Protection Against Malicious and Mobile Code | Adjust level of audit review, analysis, and reporting | 1.1.0 |
| 02 Endpoint Protection | 0202.09j1Organizational.3-09.j | 0202.09j1Organizational.3-09.j 09.04 Protection Against Malicious and Mobile Code | Correlate audit records | 1.1.0 |
| 02 Endpoint Protection | 0202.09j1Organizational.3-09.j | 0202.09j1Organizational.3-09.j 09.04 Protection Against Malicious and Mobile Code | Establish requirements for audit review and reporting | 1.1.0 |
| 02 Endpoint Protection | 0202.09j1Organizational.3-09.j | 0202.09j1Organizational.3-09.j 09.04 Protection Against Malicious and Mobile Code | Govern and monitor audit processing activities | 1.1.0 |
| 02 Endpoint Protection | 0202.09j1Organizational.3-09.j | 0202.09j1Organizational.3-09.j 09.04 Protection Against Malicious and Mobile Code | Integrate Audit record analysis | 1.1.0 |
| 02 Endpoint Protection | 0202.09j1Organizational.3-09.j | 0202.09j1Organizational.3-09.j 09.04 Protection Against Malicious and Mobile Code | Integrate audit review, analysis, and reporting | 1.1.0 |
| 02 Endpoint Protection | 0202.09j1Organizational.3-09.j | 0202.09j1Organizational.3-09.j 09.04 Protection Against Malicious and Mobile Code | Integrate cloud app security with a siem | 1.1.0 |
| 02 Endpoint Protection | 0202.09j1Organizational.3-09.j | 0202.09j1Organizational.3-09.j 09.04 Protection Against Malicious and Mobile Code | Review account provisioning logs | 1.1.0 |
| 02 Endpoint Protection | 0202.09j1Organizational.3-09.j | 0202.09j1Organizational.3-09.j 09.04 Protection Against Malicious and Mobile Code | Review administrator assignments weekly | 1.1.0 |
| 02 Endpoint Protection | 0202.09j1Organizational.3-09.j | 0202.09j1Organizational.3-09.j 09.04 Protection Against Malicious and Mobile Code | Review audit data | 1.1.0 |
| 02 Endpoint Protection | 0202.09j1Organizational.3-09.j | 0202.09j1Organizational.3-09.j 09.04 Protection Against Malicious and Mobile Code | Review cloud identity report overview | 1.1.0 |
| 02 Endpoint Protection | 0202.09j1Organizational.3-09.j | 0202.09j1Organizational.3-09.j 09.04 Protection Against Malicious and Mobile Code | Review controlled folder access events | 1.1.0 |
| 02 Endpoint Protection | 0202.09j1Organizational.3-09.j | 0202.09j1Organizational.3-09.j 09.04 Protection Against Malicious and Mobile Code | Review file and folder activity | 1.1.0 |
| 02 Endpoint Protection | 0202.09j1Organizational.3-09.j | 0202.09j1Organizational.3-09.j 09.04 Protection Against Malicious and Mobile Code | Review role group changes weekly | 1.1.0 |
| 02 Endpoint Protection | 0202.09j1Organizational.3-09.j | 0202.09j1Organizational.3-09.j 09.04 Protection Against Malicious and Mobile Code | Specify permitted actions associated with customer audit information | 1.1.0 |
| 02 Endpoint Protection | 0204.09j2Organizational.1-09.j | 0204.09j2Organizational.1-09.j 09.04 Protection Against Malicious and Mobile Code | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| 02 Endpoint Protection | 0204.09j2Organizational.1-09.j | 0204.09j2Organizational.1-09.j 09.04 Protection Against Malicious and Mobile Code | Create alternative actions for identified anomalies | 1.1.0 |
| 02 Endpoint Protection | 0204.09j2Organizational.1-09.j | 0204.09j2Organizational.1-09.j 09.04 Protection Against Malicious and Mobile Code | Manage gateways | 1.1.0 |
| 02 Endpoint Protection | 0204.09j2Organizational.1-09.j | 0204.09j2Organizational.1-09.j 09.04 Protection Against Malicious and Mobile Code | Notify personnel of any failed security verification tests | 1.1.0 |
| 02 Endpoint Protection | 0204.09j2Organizational.1-09.j | 0204.09j2Organizational.1-09.j 09.04 Protection Against Malicious and Mobile Code | Perform a trend analysis on threats | 1.1.0 |
| 02 Endpoint Protection | 0204.09j2Organizational.1-09.j | 0204.09j2Organizational.1-09.j 09.04 Protection Against Malicious and Mobile Code | Perform security function verification at a defined frequency | 1.1.0 |
| 02 Endpoint Protection | 0204.09j2Organizational.1-09.j | 0204.09j2Organizational.1-09.j 09.04 Protection Against Malicious and Mobile Code | Perform vulnerability scans | 1.1.0 |
| 02 Endpoint Protection | 0204.09j2Organizational.1-09.j | 0204.09j2Organizational.1-09.j 09.04 Protection Against Malicious and Mobile Code | Review malware detections report weekly | 1.1.0 |
| 02 Endpoint Protection | 0204.09j2Organizational.1-09.j | 0204.09j2Organizational.1-09.j 09.04 Protection Against Malicious and Mobile Code | Review threat protection status weekly | 1.1.0 |
| 02 Endpoint Protection | 0204.09j2Organizational.1-09.j | 0204.09j2Organizational.1-09.j 09.04 Protection Against Malicious and Mobile Code | Update antivirus definitions | 1.1.0 |
| 02 Endpoint Protection | 0204.09j2Organizational.1-09.j | 0204.09j2Organizational.1-09.j 09.04 Protection Against Malicious and Mobile Code | Verify security functions | 1.1.0 |
| 02 Endpoint Protection | 0205.09j2Organizational.2-09.j | 0205.09j2Organizational.2-09.j 09.04 Protection Against Malicious and Mobile Code | Alert personnel of information spillage | 1.1.0 |
| 02 Endpoint Protection | 0205.09j2Organizational.2-09.j | 0205.09j2Organizational.2-09.j 09.04 Protection Against Malicious and Mobile Code | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| 02 Endpoint Protection | 0205.09j2Organizational.2-09.j | 0205.09j2Organizational.2-09.j 09.04 Protection Against Malicious and Mobile Code | Develop an incident response plan | 1.1.0 |
| 02 Endpoint Protection | 0205.09j2Organizational.2-09.j | 0205.09j2Organizational.2-09.j 09.04 Protection Against Malicious and Mobile Code | Manage gateways | 1.1.0 |
| 02 Endpoint Protection | 0205.09j2Organizational.2-09.j | 0205.09j2Organizational.2-09.j 09.04 Protection Against Malicious and Mobile Code | Perform a trend analysis on threats | 1.1.0 |
| 02 Endpoint Protection | 0205.09j2Organizational.2-09.j | 0205.09j2Organizational.2-09.j 09.04 Protection Against Malicious and Mobile Code | Perform vulnerability scans | 1.1.0 |
| 02 Endpoint Protection | 0205.09j2Organizational.2-09.j | 0205.09j2Organizational.2-09.j 09.04 Protection Against Malicious and Mobile Code | Review malware detections report weekly | 1.1.0 |
| 02 Endpoint Protection | 0205.09j2Organizational.2-09.j | 0205.09j2Organizational.2-09.j 09.04 Protection Against Malicious and Mobile Code | Review threat protection status weekly | 1.1.0 |
| 02 Endpoint Protection | 0205.09j2Organizational.2-09.j | 0205.09j2Organizational.2-09.j 09.04 Protection Against Malicious and Mobile Code | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| 02 Endpoint Protection | 0205.09j2Organizational.2-09.j | 0205.09j2Organizational.2-09.j 09.04 Protection Against Malicious and Mobile Code | Update antivirus definitions | 1.1.0 |
| 02 Endpoint Protection | 0206.09j2Organizational.34-09.j | 0206.09j2Organizational.34-09.j 09.04 Protection Against Malicious and Mobile Code | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| 02 Endpoint Protection | 0206.09j2Organizational.34-09.j | 0206.09j2Organizational.34-09.j 09.04 Protection Against Malicious and Mobile Code | Manage gateways | 1.1.0 |
| 02 Endpoint Protection | 0206.09j2Organizational.34-09.j | 0206.09j2Organizational.34-09.j 09.04 Protection Against Malicious and Mobile Code | Perform a trend analysis on threats | 1.1.0 |
| 02 Endpoint Protection | 0206.09j2Organizational.34-09.j | 0206.09j2Organizational.34-09.j 09.04 Protection Against Malicious and Mobile Code | Perform vulnerability scans | 1.1.0 |
| 02 Endpoint Protection | 0206.09j2Organizational.34-09.j | 0206.09j2Organizational.34-09.j 09.04 Protection Against Malicious and Mobile Code | Review malware detections report weekly | 1.1.0 |
| 02 Endpoint Protection | 0206.09j2Organizational.34-09.j | 0206.09j2Organizational.34-09.j 09.04 Protection Against Malicious and Mobile Code | Update antivirus definitions | 1.1.0 |
| 02 Endpoint Protection | 0207.09j2Organizational.56-09.j | 0207.09j2Organizational.56-09.j 09.04 Protection Against Malicious and Mobile Code | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| 02 Endpoint Protection | 0207.09j2Organizational.56-09.j | 0207.09j2Organizational.56-09.j 09.04 Protection Against Malicious and Mobile Code | Manage gateways | 1.1.0 |
| 02 Endpoint Protection | 0207.09j2Organizational.56-09.j | 0207.09j2Organizational.56-09.j 09.04 Protection Against Malicious and Mobile Code | Perform a trend analysis on threats | 1.1.0 |
| 02 Endpoint Protection | 0207.09j2Organizational.56-09.j | 0207.09j2Organizational.56-09.j 09.04 Protection Against Malicious and Mobile Code | Perform vulnerability scans | 1.1.0 |
| 02 Endpoint Protection | 0207.09j2Organizational.56-09.j | 0207.09j2Organizational.56-09.j 09.04 Protection Against Malicious and Mobile Code | Review malware detections report weekly | 1.1.0 |
| 02 Endpoint Protection | 0207.09j2Organizational.56-09.j | 0207.09j2Organizational.56-09.j 09.04 Protection Against Malicious and Mobile Code | Review threat protection status weekly | 1.1.0 |
| 02 Endpoint Protection | 0207.09j2Organizational.56-09.j | 0207.09j2Organizational.56-09.j 09.04 Protection Against Malicious and Mobile Code | Update antivirus definitions | 1.1.0 |
| 02 Endpoint Protection | 0208.09j2Organizational.7-09.j | 0208.09j2Organizational.7-09.j 09.04 Protection Against Malicious and Mobile Code | Authorize remote access | 1.1.0 |
| 02 Endpoint Protection | 0208.09j2Organizational.7-09.j | 0208.09j2Organizational.7-09.j 09.04 Protection Against Malicious and Mobile Code | Employ boundary protection to isolate information systems | 1.1.0 |
| 02 Endpoint Protection | 0208.09j2Organizational.7-09.j | 0208.09j2Organizational.7-09.j 09.04 Protection Against Malicious and Mobile Code | Separate user and information system management functionality | 1.1.0 |
| 02 Endpoint Protection | 0208.09j2Organizational.7-09.j | 0208.09j2Organizational.7-09.j 09.04 Protection Against Malicious and Mobile Code | Use dedicated machines for administrative tasks | 1.1.0 |
| 02 Endpoint Protection | 0209.09m3Organizational.7-09.m | 0209.09m3Organizational.7-09.m 09.06 Network Security Management | Automate information sharing decisions | 1.1.0 |
| 02 Endpoint Protection | 0209.09m3Organizational.7-09.m | 0209.09m3Organizational.7-09.m 09.06 Network Security Management | Employ automatic shutdown/restart when violations are detected | 1.1.0 |
| 02 Endpoint Protection | 0209.09m3Organizational.7-09.m | 0209.09m3Organizational.7-09.m 09.06 Network Security Management | Facilitate information sharing | 1.1.0 |
| 02 Endpoint Protection | 0209.09m3Organizational.7-09.m | 0209.09m3Organizational.7-09.m 09.06 Network Security Management | Record disclosures of PII to third parties | 1.1.0 |
| 02 Endpoint Protection | 0209.09m3Organizational.7-09.m | 0209.09m3Organizational.7-09.m 09.06 Network Security Management | Train staff on PII sharing and its consequences | 1.1.0 |
| 02 Endpoint Protection | 0209.09m3Organizational.7-09.m | 0209.09m3Organizational.7-09.m 09.06 Network Security Management | Verify software, firmware and information integrity | 1.1.0 |
| 02 Endpoint Protection | 0214.09j1Organizational.6-09.j | 0214.09j1Organizational.6-09.j 09.04 Protection Against Malicious and Mobile Code | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| 02 Endpoint Protection | 0214.09j1Organizational.6-09.j | 0214.09j1Organizational.6-09.j 09.04 Protection Against Malicious and Mobile Code | Design an access control model | 1.1.0 |
| 02 Endpoint Protection | 0214.09j1Organizational.6-09.j | 0214.09j1Organizational.6-09.j 09.04 Protection Against Malicious and Mobile Code | Employ least privilege access | 1.1.0 |
| 02 Endpoint Protection | 0214.09j1Organizational.6-09.j | 0214.09j1Organizational.6-09.j 09.04 Protection Against Malicious and Mobile Code | Limit privileges to make changes in production environment | 1.1.0 |
| 02 Endpoint Protection | 0214.09j1Organizational.6-09.j | 0214.09j1Organizational.6-09.j 09.04 Protection Against Malicious and Mobile Code | Manage gateways | 1.1.0 |
| 02 Endpoint Protection | 0214.09j1Organizational.6-09.j | 0214.09j1Organizational.6-09.j 09.04 Protection Against Malicious and Mobile Code | Perform a trend analysis on threats | 1.1.0 |
| 02 Endpoint Protection | 0214.09j1Organizational.6-09.j | 0214.09j1Organizational.6-09.j 09.04 Protection Against Malicious and Mobile Code | Perform vulnerability scans | 1.1.0 |
| 02 Endpoint Protection | 0214.09j1Organizational.6-09.j | 0214.09j1Organizational.6-09.j 09.04 Protection Against Malicious and Mobile Code | Provide periodic security awareness training | 1.1.0 |
| 02 Endpoint Protection | 0214.09j1Organizational.6-09.j | 0214.09j1Organizational.6-09.j 09.04 Protection Against Malicious and Mobile Code | Provide security training for new users | 1.1.0 |
| 02 Endpoint Protection | 0214.09j1Organizational.6-09.j | 0214.09j1Organizational.6-09.j 09.04 Protection Against Malicious and Mobile Code | Provide updated security awareness training | 1.1.0 |
| 02 Endpoint Protection | 0214.09j1Organizational.6-09.j | 0214.09j1Organizational.6-09.j 09.04 Protection Against Malicious and Mobile Code | Review malware detections report weekly | 1.1.0 |
| 02 Endpoint Protection | 0214.09j1Organizational.6-09.j | 0214.09j1Organizational.6-09.j 09.04 Protection Against Malicious and Mobile Code | Review threat protection status weekly | 1.1.0 |
| 02 Endpoint Protection | 0214.09j1Organizational.6-09.j | 0214.09j1Organizational.6-09.j 09.04 Protection Against Malicious and Mobile Code | Update antivirus definitions | 1.1.0 |
| 02 Endpoint Protection | 0215.09j2Organizational.8-09.j | 0215.09j2Organizational.8-09.j 09.04 Protection Against Malicious and Mobile Code | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| 02 Endpoint Protection | 0215.09j2Organizational.8-09.j | 0215.09j2Organizational.8-09.j 09.04 Protection Against Malicious and Mobile Code | Manage gateways | 1.1.0 |
| 02 Endpoint Protection | 0215.09j2Organizational.8-09.j | 0215.09j2Organizational.8-09.j 09.04 Protection Against Malicious and Mobile Code | Perform a trend analysis on threats | 1.1.0 |
| 02 Endpoint Protection | 0215.09j2Organizational.8-09.j | 0215.09j2Organizational.8-09.j 09.04 Protection Against Malicious and Mobile Code | Perform vulnerability scans | 1.1.0 |
| 02 Endpoint Protection | 0215.09j2Organizational.8-09.j | 0215.09j2Organizational.8-09.j 09.04 Protection Against Malicious and Mobile Code | Review malware detections report weekly | 1.1.0 |
| 02 Endpoint Protection | 0215.09j2Organizational.8-09.j | 0215.09j2Organizational.8-09.j 09.04 Protection Against Malicious and Mobile Code | Review threat protection status weekly | 1.1.0 |
| 02 Endpoint Protection | 0215.09j2Organizational.8-09.j | 0215.09j2Organizational.8-09.j 09.04 Protection Against Malicious and Mobile Code | Update antivirus definitions | 1.1.0 |
| 02 Endpoint Protection | 0216.09j2Organizational.9-09.j | 0216.09j2Organizational.9-09.j 09.04 Protection Against Malicious and Mobile Code | Correlate audit records | 1.1.0 |
| 02 Endpoint Protection | 0216.09j2Organizational.9-09.j | 0216.09j2Organizational.9-09.j 09.04 Protection Against Malicious and Mobile Code | Establish requirements for audit review and reporting | 1.1.0 |
| 02 Endpoint Protection | 0216.09j2Organizational.9-09.j | 0216.09j2Organizational.9-09.j 09.04 Protection Against Malicious and Mobile Code | Integrate audit review, analysis, and reporting | 1.1.0 |
| 02 Endpoint Protection | 0216.09j2Organizational.9-09.j | 0216.09j2Organizational.9-09.j 09.04 Protection Against Malicious and Mobile Code | Integrate cloud app security with a siem | 1.1.0 |
| 02 Endpoint Protection | 0216.09j2Organizational.9-09.j | 0216.09j2Organizational.9-09.j 09.04 Protection Against Malicious and Mobile Code | Perform vulnerability scans | 1.1.0 |
| 02 Endpoint Protection | 0216.09j2Organizational.9-09.j | 0216.09j2Organizational.9-09.j 09.04 Protection Against Malicious and Mobile Code | Remediate information system flaws | 1.1.0 |
| 02 Endpoint Protection | 0216.09j2Organizational.9-09.j | 0216.09j2Organizational.9-09.j 09.04 Protection Against Malicious and Mobile Code | Review account provisioning logs | 1.1.0 |
| 02 Endpoint Protection | 0216.09j2Organizational.9-09.j | 0216.09j2Organizational.9-09.j 09.04 Protection Against Malicious and Mobile Code | Review administrator assignments weekly | 1.1.0 |
| 02 Endpoint Protection | 0216.09j2Organizational.9-09.j | 0216.09j2Organizational.9-09.j 09.04 Protection Against Malicious and Mobile Code | Review audit data | 1.1.0 |
| 02 Endpoint Protection | 0216.09j2Organizational.9-09.j | 0216.09j2Organizational.9-09.j 09.04 Protection Against Malicious and Mobile Code | Review cloud identity report overview | 1.1.0 |
| 02 Endpoint Protection | 0216.09j2Organizational.9-09.j | 0216.09j2Organizational.9-09.j 09.04 Protection Against Malicious and Mobile Code | Review controlled folder access events | 1.1.0 |
| 02 Endpoint Protection | 0216.09j2Organizational.9-09.j | 0216.09j2Organizational.9-09.j 09.04 Protection Against Malicious and Mobile Code | Review file and folder activity | 1.1.0 |
| 02 Endpoint Protection | 0216.09j2Organizational.9-09.j | 0216.09j2Organizational.9-09.j 09.04 Protection Against Malicious and Mobile Code | Review role group changes weekly | 1.1.0 |
| 02 Endpoint Protection | 0217.09j2Organizational.10-09.j | 0217.09j2Organizational.10-09.j 09.04 Protection Against Malicious and Mobile Code | Audit privileged functions | 1.1.0 |
| 02 Endpoint Protection | 0217.09j2Organizational.10-09.j | 0217.09j2Organizational.10-09.j 09.04 Protection Against Malicious and Mobile Code | Audit user account status | 1.1.0 |
| 02 Endpoint Protection | 0217.09j2Organizational.10-09.j | 0217.09j2Organizational.10-09.j 09.04 Protection Against Malicious and Mobile Code | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| 02 Endpoint Protection | 0217.09j2Organizational.10-09.j | 0217.09j2Organizational.10-09.j 09.04 Protection Against Malicious and Mobile Code | Correlate audit records | 1.1.0 |
| 02 Endpoint Protection | 0217.09j2Organizational.10-09.j | 0217.09j2Organizational.10-09.j 09.04 Protection Against Malicious and Mobile Code | Determine auditable events | 1.1.0 |
| 02 Endpoint Protection | 0217.09j2Organizational.10-09.j | 0217.09j2Organizational.10-09.j 09.04 Protection Against Malicious and Mobile Code | Establish requirements for audit review and reporting | 1.1.0 |
| 02 Endpoint Protection | 0217.09j2Organizational.10-09.j | 0217.09j2Organizational.10-09.j 09.04 Protection Against Malicious and Mobile Code | Integrate audit review, analysis, and reporting | 1.1.0 |
| 02 Endpoint Protection | 0217.09j2Organizational.10-09.j | 0217.09j2Organizational.10-09.j 09.04 Protection Against Malicious and Mobile Code | Integrate cloud app security with a siem | 1.1.0 |
| 02 Endpoint Protection | 0217.09j2Organizational.10-09.j | 0217.09j2Organizational.10-09.j 09.04 Protection Against Malicious and Mobile Code | Manage gateways | 1.1.0 |
| 02 Endpoint Protection | 0217.09j2Organizational.10-09.j | 0217.09j2Organizational.10-09.j 09.04 Protection Against Malicious and Mobile Code | Observe and report security weaknesses | 1.1.0 |
| 02 Endpoint Protection | 0217.09j2Organizational.10-09.j | 0217.09j2Organizational.10-09.j 09.04 Protection Against Malicious and Mobile Code | Perform a trend analysis on threats | 1.1.0 |
| 02 Endpoint Protection | 0217.09j2Organizational.10-09.j | 0217.09j2Organizational.10-09.j 09.04 Protection Against Malicious and Mobile Code | Perform threat modeling | 1.1.0 |
| 02 Endpoint Protection | 0217.09j2Organizational.10-09.j | 0217.09j2Organizational.10-09.j 09.04 Protection Against Malicious and Mobile Code | Perform vulnerability scans | 1.1.0 |
| 02 Endpoint Protection | 0217.09j2Organizational.10-09.j | 0217.09j2Organizational.10-09.j 09.04 Protection Against Malicious and Mobile Code | Remediate information system flaws | 1.1.0 |
| 02 Endpoint Protection | 0217.09j2Organizational.10-09.j | 0217.09j2Organizational.10-09.j 09.04 Protection Against Malicious and Mobile Code | Review account provisioning logs | 1.1.0 |
| 02 Endpoint Protection | 0217.09j2Organizational.10-09.j | 0217.09j2Organizational.10-09.j 09.04 Protection Against Malicious and Mobile Code | Review administrator assignments weekly | 1.1.0 |
| 02 Endpoint Protection | 0217.09j2Organizational.10-09.j | 0217.09j2Organizational.10-09.j 09.04 Protection Against Malicious and Mobile Code | Review audit data | 1.1.0 |
| 02 Endpoint Protection | 0217.09j2Organizational.10-09.j | 0217.09j2Organizational.10-09.j 09.04 Protection Against Malicious and Mobile Code | Review cloud identity report overview | 1.1.0 |
| 02 Endpoint Protection | 0217.09j2Organizational.10-09.j | 0217.09j2Organizational.10-09.j 09.04 Protection Against Malicious and Mobile Code | Review controlled folder access events | 1.1.0 |
| 02 Endpoint Protection | 0217.09j2Organizational.10-09.j | 0217.09j2Organizational.10-09.j 09.04 Protection Against Malicious and Mobile Code | Review exploit protection events | 1.1.0 |
| 02 Endpoint Protection | 0217.09j2Organizational.10-09.j | 0217.09j2Organizational.10-09.j 09.04 Protection Against Malicious and Mobile Code | Review file and folder activity | 1.1.0 |
| 02 Endpoint Protection | 0217.09j2Organizational.10-09.j | 0217.09j2Organizational.10-09.j 09.04 Protection Against Malicious and Mobile Code | Review malware detections report weekly | 1.1.0 |
| 02 Endpoint Protection | 0217.09j2Organizational.10-09.j | 0217.09j2Organizational.10-09.j 09.04 Protection Against Malicious and Mobile Code | Review role group changes weekly | 1.1.0 |
| 02 Endpoint Protection | 0217.09j2Organizational.10-09.j | 0217.09j2Organizational.10-09.j 09.04 Protection Against Malicious and Mobile Code | Review threat protection status weekly | 1.1.0 |
| 02 Endpoint Protection | 0217.09j2Organizational.10-09.j | 0217.09j2Organizational.10-09.j 09.04 Protection Against Malicious and Mobile Code | Update antivirus definitions | 1.1.0 |
| 02 Endpoint Protection | 0219.09j2Organizational.12-09.j | 0219.09j2Organizational.12-09.j 09.04 Protection Against Malicious and Mobile Code | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| 02 Endpoint Protection | 0219.09j2Organizational.12-09.j | 0219.09j2Organizational.12-09.j 09.04 Protection Against Malicious and Mobile Code | Manage gateways | 1.1.0 |
| 02 Endpoint Protection | 0219.09j2Organizational.12-09.j | 0219.09j2Organizational.12-09.j 09.04 Protection Against Malicious and Mobile Code | Perform a trend analysis on threats | 1.1.0 |
| 02 Endpoint Protection | 0219.09j2Organizational.12-09.j | 0219.09j2Organizational.12-09.j 09.04 Protection Against Malicious and Mobile Code | Perform vulnerability scans | 1.1.0 |
| 02 Endpoint Protection | 0219.09j2Organizational.12-09.j | 0219.09j2Organizational.12-09.j 09.04 Protection Against Malicious and Mobile Code | Review malware detections report weekly | 1.1.0 |
| 02 Endpoint Protection | 0219.09j2Organizational.12-09.j | 0219.09j2Organizational.12-09.j 09.04 Protection Against Malicious and Mobile Code | Review threat protection status weekly | 1.1.0 |
| 02 Endpoint Protection | 0219.09j2Organizational.12-09.j | 0219.09j2Organizational.12-09.j 09.04 Protection Against Malicious and Mobile Code | Update antivirus definitions | 1.1.0 |
| 02 Endpoint Protection | 0225.09k1Organizational.1-09.k | 0225.09k1Organizational.1-09.k 09.04 Protection Against Malicious and Mobile Code | Authorize, monitor, and control usage of mobile code technologies | 1.1.0 |
| 02 Endpoint Protection | 0225.09k1Organizational.1-09.k | 0225.09k1Organizational.1-09.k 09.04 Protection Against Malicious and Mobile Code | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| 02 Endpoint Protection | 0225.09k1Organizational.1-09.k | 0225.09k1Organizational.1-09.k 09.04 Protection Against Malicious and Mobile Code | Define acceptable and unacceptable mobile code technologies | 1.1.0 |
| 02 Endpoint Protection | 0225.09k1Organizational.1-09.k | 0225.09k1Organizational.1-09.k 09.04 Protection Against Malicious and Mobile Code | Establish usage restrictions for mobile code technologies | 1.1.0 |
| 02 Endpoint Protection | 0225.09k1Organizational.1-09.k | 0225.09k1Organizational.1-09.k 09.04 Protection Against Malicious and Mobile Code | Manage gateways | 1.1.0 |
| 02 Endpoint Protection | 0225.09k1Organizational.1-09.k | 0225.09k1Organizational.1-09.k 09.04 Protection Against Malicious and Mobile Code | Perform a trend analysis on threats | 1.1.0 |
| 02 Endpoint Protection | 0225.09k1Organizational.1-09.k | 0225.09k1Organizational.1-09.k 09.04 Protection Against Malicious and Mobile Code | Perform vulnerability scans | 1.1.0 |
| 02 Endpoint Protection | 0225.09k1Organizational.1-09.k | 0225.09k1Organizational.1-09.k 09.04 Protection Against Malicious and Mobile Code | Review malware detections report weekly | 1.1.0 |
| 02 Endpoint Protection | 0225.09k1Organizational.1-09.k | 0225.09k1Organizational.1-09.k 09.04 Protection Against Malicious and Mobile Code | Review threat protection status weekly | 1.1.0 |
| 02 Endpoint Protection | 0225.09k1Organizational.1-09.k | 0225.09k1Organizational.1-09.k 09.04 Protection Against Malicious and Mobile Code | Update antivirus definitions | 1.1.0 |
| 02 Endpoint Protection | 0226.09k1Organizational.2-09.k | 0226.09k1Organizational.2-09.k 09.04 Protection Against Malicious and Mobile Code | Authorize, monitor, and control usage of mobile code technologies | 1.1.0 |
| 02 Endpoint Protection | 0226.09k1Organizational.2-09.k | 0226.09k1Organizational.2-09.k 09.04 Protection Against Malicious and Mobile Code | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| 02 Endpoint Protection | 0226.09k1Organizational.2-09.k | 0226.09k1Organizational.2-09.k 09.04 Protection Against Malicious and Mobile Code | Define acceptable and unacceptable mobile code technologies | 1.1.0 |
| 02 Endpoint Protection | 0226.09k1Organizational.2-09.k | 0226.09k1Organizational.2-09.k 09.04 Protection Against Malicious and Mobile Code | Establish usage restrictions for mobile code technologies | 1.1.0 |
| 02 Endpoint Protection | 0226.09k1Organizational.2-09.k | 0226.09k1Organizational.2-09.k 09.04 Protection Against Malicious and Mobile Code | Manage gateways | 1.1.0 |
| 02 Endpoint Protection | 0226.09k1Organizational.2-09.k | 0226.09k1Organizational.2-09.k 09.04 Protection Against Malicious and Mobile Code | Perform a trend analysis on threats | 1.1.0 |
| 02 Endpoint Protection | 0226.09k1Organizational.2-09.k | 0226.09k1Organizational.2-09.k 09.04 Protection Against Malicious and Mobile Code | Perform vulnerability scans | 1.1.0 |
| 02 Endpoint Protection | 0226.09k1Organizational.2-09.k | 0226.09k1Organizational.2-09.k 09.04 Protection Against Malicious and Mobile Code | Review malware detections report weekly | 1.1.0 |
| 02 Endpoint Protection | 0226.09k1Organizational.2-09.k | 0226.09k1Organizational.2-09.k 09.04 Protection Against Malicious and Mobile Code | Update antivirus definitions | 1.1.0 |
| 02 Endpoint Protection | 0227.09k2Organizational.12-09.k | 0227.09k2Organizational.12-09.k 09.04 Protection Against Malicious and Mobile Code | Authorize access to security functions and information | 1.1.0 |
| 02 Endpoint Protection | 0227.09k2Organizational.12-09.k | 0227.09k2Organizational.12-09.k 09.04 Protection Against Malicious and Mobile Code | Authorize and manage access | 1.1.0 |
| 02 Endpoint Protection | 0227.09k2Organizational.12-09.k | 0227.09k2Organizational.12-09.k 09.04 Protection Against Malicious and Mobile Code | Authorize, monitor, and control usage of mobile code technologies | 1.1.0 |
| 02 Endpoint Protection | 0227.09k2Organizational.12-09.k | 0227.09k2Organizational.12-09.k 09.04 Protection Against Malicious and Mobile Code | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| 02 Endpoint Protection | 0227.09k2Organizational.12-09.k | 0227.09k2Organizational.12-09.k 09.04 Protection Against Malicious and Mobile Code | Define acceptable and unacceptable mobile code technologies | 1.1.0 |
| 02 Endpoint Protection | 0227.09k2Organizational.12-09.k | 0227.09k2Organizational.12-09.k 09.04 Protection Against Malicious and Mobile Code | Define mobile device requirements | 1.1.0 |
| 02 Endpoint Protection | 0227.09k2Organizational.12-09.k | 0227.09k2Organizational.12-09.k 09.04 Protection Against Malicious and Mobile Code | Enforce logical access | 1.1.0 |
| 02 Endpoint Protection | 0227.09k2Organizational.12-09.k | 0227.09k2Organizational.12-09.k 09.04 Protection Against Malicious and Mobile Code | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 02 Endpoint Protection | 0227.09k2Organizational.12-09.k | 0227.09k2Organizational.12-09.k 09.04 Protection Against Malicious and Mobile Code | Establish usage restrictions for mobile code technologies | 1.1.0 |
| 02 Endpoint Protection | 0227.09k2Organizational.12-09.k | 0227.09k2Organizational.12-09.k 09.04 Protection Against Malicious and Mobile Code | Manage gateways | 1.1.0 |
| 02 Endpoint Protection | 0227.09k2Organizational.12-09.k | 0227.09k2Organizational.12-09.k 09.04 Protection Against Malicious and Mobile Code | Perform a trend analysis on threats | 1.1.0 |
| 02 Endpoint Protection | 0227.09k2Organizational.12-09.k | 0227.09k2Organizational.12-09.k 09.04 Protection Against Malicious and Mobile Code | Perform vulnerability scans | 1.1.0 |
| 02 Endpoint Protection | 0227.09k2Organizational.12-09.k | 0227.09k2Organizational.12-09.k 09.04 Protection Against Malicious and Mobile Code | Protect data in transit using encryption | 1.1.0 |
| 02 Endpoint Protection | 0227.09k2Organizational.12-09.k | 0227.09k2Organizational.12-09.k 09.04 Protection Against Malicious and Mobile Code | Require approval for account creation | 1.1.0 |
| 02 Endpoint Protection | 0227.09k2Organizational.12-09.k | 0227.09k2Organizational.12-09.k 09.04 Protection Against Malicious and Mobile Code | Review malware detections report weekly | 1.1.0 |
| 02 Endpoint Protection | 0227.09k2Organizational.12-09.k | 0227.09k2Organizational.12-09.k 09.04 Protection Against Malicious and Mobile Code | Review threat protection status weekly | 1.1.0 |
| 02 Endpoint Protection | 0227.09k2Organizational.12-09.k | 0227.09k2Organizational.12-09.k 09.04 Protection Against Malicious and Mobile Code | Review user groups and applications with access to sensitive data | 1.1.0 |
| 02 Endpoint Protection | 0227.09k2Organizational.12-09.k | 0227.09k2Organizational.12-09.k 09.04 Protection Against Malicious and Mobile Code | Update antivirus definitions | 1.1.0 |
| 02 Endpoint Protection | 0228.09k2Organizational.3-09.k | 0228.09k2Organizational.3-09.k 09.04 Protection Against Malicious and Mobile Code | Automate process to highlight unreviewed change proposals | 1.1.0 |
| 02 Endpoint Protection | 0228.09k2Organizational.3-09.k | 0228.09k2Organizational.3-09.k 09.04 Protection Against Malicious and Mobile Code | Conduct a security impact analysis | 1.1.0 |
| 02 Endpoint Protection | 0228.09k2Organizational.3-09.k | 0228.09k2Organizational.3-09.k 09.04 Protection Against Malicious and Mobile Code | Enforce security configuration settings | 1.1.0 |
| 02 Endpoint Protection | 0228.09k2Organizational.3-09.k | 0228.09k2Organizational.3-09.k 09.04 Protection Against Malicious and Mobile Code | Establish and document change control processes | 1.1.0 |
| 02 Endpoint Protection | 0228.09k2Organizational.3-09.k | 0228.09k2Organizational.3-09.k 09.04 Protection Against Malicious and Mobile Code | Establish configuration management requirements for developers | 1.1.0 |
| 02 Endpoint Protection | 0228.09k2Organizational.3-09.k | 0228.09k2Organizational.3-09.k 09.04 Protection Against Malicious and Mobile Code | Govern compliance of cloud service providers | 1.1.0 |
| 02 Endpoint Protection | 0228.09k2Organizational.3-09.k | 0228.09k2Organizational.3-09.k 09.04 Protection Against Malicious and Mobile Code | Perform a privacy impact assessment | 1.1.0 |
| 02 Endpoint Protection | 0228.09k2Organizational.3-09.k | 0228.09k2Organizational.3-09.k 09.04 Protection Against Malicious and Mobile Code | Perform audit for configuration change control | 1.1.0 |
| 02 Endpoint Protection | 0228.09k2Organizational.3-09.k | 0228.09k2Organizational.3-09.k 09.04 Protection Against Malicious and Mobile Code | Perform vulnerability scans | 1.1.0 |
| 02 Endpoint Protection | 0228.09k2Organizational.3-09.k | 0228.09k2Organizational.3-09.k 09.04 Protection Against Malicious and Mobile Code | Remediate information system flaws | 1.1.0 |
| 02 Endpoint Protection | 0228.09k2Organizational.3-09.k | 0228.09k2Organizational.3-09.k 09.04 Protection Against Malicious and Mobile Code | View and configure system diagnostic data | 1.1.0 |
| 03 Portable Media Security | 0301.09o1Organizational.123-09.o | 0301.09o1Organizational.123-09.o 09.07 Media Handling | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| 03 Portable Media Security | 0301.09o1Organizational.123-09.o | 0301.09o1Organizational.123-09.o 09.07 Media Handling | Control maintenance and repair activities | 1.1.0 |
| 03 Portable Media Security | 0301.09o1Organizational.123-09.o | 0301.09o1Organizational.123-09.o 09.07 Media Handling | Control use of portable storage devices | 1.1.0 |
| 03 Portable Media Security | 0301.09o1Organizational.123-09.o | 0301.09o1Organizational.123-09.o 09.07 Media Handling | Define mobile device requirements | 1.1.0 |
| 03 Portable Media Security | 0301.09o1Organizational.123-09.o | 0301.09o1Organizational.123-09.o 09.07 Media Handling | Document and implement wireless access guidelines | 1.1.0 |
| 03 Portable Media Security | 0301.09o1Organizational.123-09.o | 0301.09o1Organizational.123-09.o 09.07 Media Handling | Employ a media sanitization mechanism | 1.1.0 |
| 03 Portable Media Security | 0301.09o1Organizational.123-09.o | 0301.09o1Organizational.123-09.o 09.07 Media Handling | Implement controls to secure all media | 1.1.0 |
| 03 Portable Media Security | 0301.09o1Organizational.123-09.o | 0301.09o1Organizational.123-09.o 09.07 Media Handling | Manage nonlocal maintenance and diagnostic activities | 1.1.0 |
| 03 Portable Media Security | 0301.09o1Organizational.123-09.o | 0301.09o1Organizational.123-09.o 09.07 Media Handling | Manage the transportation of assets | 1.1.0 |
| 03 Portable Media Security | 0301.09o1Organizational.123-09.o | 0301.09o1Organizational.123-09.o 09.07 Media Handling | Protect data in transit using encryption | 1.1.0 |
| 03 Portable Media Security | 0301.09o1Organizational.123-09.o | 0301.09o1Organizational.123-09.o 09.07 Media Handling | Protect wireless access | 1.1.0 |
| 03 Portable Media Security | 0301.09o1Organizational.123-09.o | 0301.09o1Organizational.123-09.o 09.07 Media Handling | Restrict media use | 1.1.0 |
| 03 Portable Media Security | 0301.09o1Organizational.123-09.o | 0301.09o1Organizational.123-09.o 09.07 Media Handling | Review and update media protection policies and procedures | 1.1.0 |
| 03 Portable Media Security | 0302.09o2Organizational.1-09.o | 0302.09o2Organizational.1-09.o 09.07 Media Handling | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| 03 Portable Media Security | 0302.09o2Organizational.1-09.o | 0302.09o2Organizational.1-09.o 09.07 Media Handling | Control use of portable storage devices | 1.1.0 |
| 03 Portable Media Security | 0302.09o2Organizational.1-09.o | 0302.09o2Organizational.1-09.o 09.07 Media Handling | Employ a media sanitization mechanism | 1.1.0 |
| 03 Portable Media Security | 0302.09o2Organizational.1-09.o | 0302.09o2Organizational.1-09.o 09.07 Media Handling | Implement controls to secure all media | 1.1.0 |
| 03 Portable Media Security | 0302.09o2Organizational.1-09.o | 0302.09o2Organizational.1-09.o 09.07 Media Handling | Manage the transportation of assets | 1.1.0 |
| 03 Portable Media Security | 0302.09o2Organizational.1-09.o | 0302.09o2Organizational.1-09.o 09.07 Media Handling | Restrict media use | 1.1.0 |
| 03 Portable Media Security | 0303.09o2Organizational.2-09.o | 0303.09o2Organizational.2-09.o 09.07 Media Handling | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| 03 Portable Media Security | 0303.09o2Organizational.2-09.o | 0303.09o2Organizational.2-09.o 09.07 Media Handling | Control use of portable storage devices | 1.1.0 |
| 03 Portable Media Security | 0303.09o2Organizational.2-09.o | 0303.09o2Organizational.2-09.o 09.07 Media Handling | Employ a media sanitization mechanism | 1.1.0 |
| 03 Portable Media Security | 0303.09o2Organizational.2-09.o | 0303.09o2Organizational.2-09.o 09.07 Media Handling | Implement controls to secure all media | 1.1.0 |
| 03 Portable Media Security | 0303.09o2Organizational.2-09.o | 0303.09o2Organizational.2-09.o 09.07 Media Handling | Manage the transportation of assets | 1.1.0 |
| 03 Portable Media Security | 0303.09o2Organizational.2-09.o | 0303.09o2Organizational.2-09.o 09.07 Media Handling | Restrict media use | 1.1.0 |
| 03 Portable Media Security | 0304.09o3Organizational.1-09.o | 0304.09o3Organizational.1-09.o 09.07 Media Handling | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| 03 Portable Media Security | 0304.09o3Organizational.1-09.o | 0304.09o3Organizational.1-09.o 09.07 Media Handling | Control use of portable storage devices | 1.1.0 |
| 03 Portable Media Security | 0304.09o3Organizational.1-09.o | 0304.09o3Organizational.1-09.o 09.07 Media Handling | Employ a media sanitization mechanism | 1.1.0 |
| 03 Portable Media Security | 0304.09o3Organizational.1-09.o | 0304.09o3Organizational.1-09.o 09.07 Media Handling | Implement controls to secure all media | 1.1.0 |
| 03 Portable Media Security | 0304.09o3Organizational.1-09.o | 0304.09o3Organizational.1-09.o 09.07 Media Handling | Restrict media use | 1.1.0 |
| 03 Portable Media Security | 0305.09q1Organizational.12-09.q | 0305.09q1Organizational.12-09.q 09.07 Media Handling | Control maintenance and repair activities | 1.1.0 |
| 03 Portable Media Security | 0305.09q1Organizational.12-09.q | 0305.09q1Organizational.12-09.q 09.07 Media Handling | Control use of portable storage devices | 1.1.0 |
| 03 Portable Media Security | 0305.09q1Organizational.12-09.q | 0305.09q1Organizational.12-09.q 09.07 Media Handling | Employ a media sanitization mechanism | 1.1.0 |
| 03 Portable Media Security | 0305.09q1Organizational.12-09.q | 0305.09q1Organizational.12-09.q 09.07 Media Handling | Implement controls to secure all media | 1.1.0 |
| 03 Portable Media Security | 0305.09q1Organizational.12-09.q | 0305.09q1Organizational.12-09.q 09.07 Media Handling | Manage nonlocal maintenance and diagnostic activities | 1.1.0 |
| 03 Portable Media Security | 0305.09q1Organizational.12-09.q | 0305.09q1Organizational.12-09.q 09.07 Media Handling | Manage the transportation of assets | 1.1.0 |
| 03 Portable Media Security | 0305.09q1Organizational.12-09.q | 0305.09q1Organizational.12-09.q 09.07 Media Handling | Restrict media use | 1.1.0 |
| 03 Portable Media Security | 0306.09q1Organizational.3-09.q | 0306.09q1Organizational.3-09.q 09.07 Media Handling | Automate information sharing decisions | 1.1.0 |
| 03 Portable Media Security | 0306.09q1Organizational.3-09.q | 0306.09q1Organizational.3-09.q 09.07 Media Handling | Ensure authorized users protect provided authenticators | 1.1.0 |
| 03 Portable Media Security | 0306.09q1Organizational.3-09.q | 0306.09q1Organizational.3-09.q 09.07 Media Handling | Ensure there are no unencrypted static authenticators | 1.1.0 |
| 03 Portable Media Security | 0306.09q1Organizational.3-09.q | 0306.09q1Organizational.3-09.q 09.07 Media Handling | Facilitate information sharing | 1.1.0 |
| 03 Portable Media Security | 0306.09q1Organizational.3-09.q | 0306.09q1Organizational.3-09.q 09.07 Media Handling | Implement controls to secure all media | 1.1.0 |
| 03 Portable Media Security | 0306.09q1Organizational.3-09.q | 0306.09q1Organizational.3-09.q 09.07 Media Handling | Implement training for protecting authenticators | 1.1.0 |
| 03 Portable Media Security | 0307.09q2Organizational.12-09.q | 0307.09q2Organizational.12-09.q 09.07 Media Handling | Control information flow | 1.1.0 |
| 03 Portable Media Security | 0307.09q2Organizational.12-09.q | 0307.09q2Organizational.12-09.q 09.07 Media Handling | Employ flow control mechanisms of encrypted information | 1.1.0 |
| 03 Portable Media Security | 0308.09q3Organizational.1-09.q | 0308.09q3Organizational.1-09.q 09.07 Media Handling | Employ a media sanitization mechanism | 1.1.0 |
| 03 Portable Media Security | 0308.09q3Organizational.1-09.q | 0308.09q3Organizational.1-09.q 09.07 Media Handling | Implement controls to secure all media | 1.1.0 |
| 03 Portable Media Security | 0308.09q3Organizational.1-09.q | 0308.09q3Organizational.1-09.q 09.07 Media Handling | Manage the transportation of assets | 1.1.0 |
| 03 Portable Media Security | 0314.09q3Organizational.2-09.q | 0314.09q3Organizational.2-09.q 09.07 Media Handling | Define a physical key management process | 1.1.0 |
| 03 Portable Media Security | 0314.09q3Organizational.2-09.q | 0314.09q3Organizational.2-09.q 09.07 Media Handling | Define cryptographic use | 1.1.0 |
| 03 Portable Media Security | 0314.09q3Organizational.2-09.q | 0314.09q3Organizational.2-09.q 09.07 Media Handling | Define organizational requirements for cryptographic key management | 1.1.0 |
| 03 Portable Media Security | 0314.09q3Organizational.2-09.q | 0314.09q3Organizational.2-09.q 09.07 Media Handling | Determine assertion requirements | 1.1.0 |
| 03 Portable Media Security | 0314.09q3Organizational.2-09.q | 0314.09q3Organizational.2-09.q 09.07 Media Handling | Implement controls to secure all media | 1.1.0 |
| 03 Portable Media Security | 0314.09q3Organizational.2-09.q | 0314.09q3Organizational.2-09.q 09.07 Media Handling | Issue public key certificates | 1.1.0 |
| 03 Portable Media Security | 0314.09q3Organizational.2-09.q | 0314.09q3Organizational.2-09.q 09.07 Media Handling | Manage symmetric cryptographic keys | 1.1.0 |
| 03 Portable Media Security | 0314.09q3Organizational.2-09.q | 0314.09q3Organizational.2-09.q 09.07 Media Handling | Manage the transportation of assets | 1.1.0 |
| 03 Portable Media Security | 0314.09q3Organizational.2-09.q | 0314.09q3Organizational.2-09.q 09.07 Media Handling | Restrict access to private keys | 1.1.0 |
| 04 Mobile Device Security | 0401.01x1System.124579-01.x | 0401.01x1System.124579-01.x 01.07 Mobile Computing and Teleworking | Authorize, monitor, and control usage of mobile code technologies | 1.1.0 |
| 04 Mobile Device Security | 0401.01x1System.124579-01.x | 0401.01x1System.124579-01.x 01.07 Mobile Computing and Teleworking | Define acceptable and unacceptable mobile code technologies | 1.1.0 |
| 04 Mobile Device Security | 0401.01x1System.124579-01.x | 0401.01x1System.124579-01.x 01.07 Mobile Computing and Teleworking | Define mobile device requirements | 1.1.0 |
| 04 Mobile Device Security | 0401.01x1System.124579-01.x | 0401.01x1System.124579-01.x 01.07 Mobile Computing and Teleworking | Establish usage restrictions for mobile code technologies | 1.1.0 |
| 04 Mobile Device Security | 0401.01x1System.124579-01.x | 0401.01x1System.124579-01.x 01.07 Mobile Computing and Teleworking | Implement system boundary protection | 1.1.0 |
| 04 Mobile Device Security | 0401.01x1System.124579-01.x | 0401.01x1System.124579-01.x 01.07 Mobile Computing and Teleworking | Prohibit remote activation of collaborative computing devices | 1.1.0 |
| 04 Mobile Device Security | 0401.01x1System.124579-01.x | 0401.01x1System.124579-01.x 01.07 Mobile Computing and Teleworking | Protect data in transit using encryption | 1.1.0 |
| 04 Mobile Device Security | 0403.01x1System.8-01.x | 0403.01x1System.8-01.x 01.07 Mobile Computing and Teleworking | Define mobile device requirements | 1.1.0 |
| 04 Mobile Device Security | 0403.01x1System.8-01.x | 0403.01x1System.8-01.x 01.07 Mobile Computing and Teleworking | Employ a media sanitization mechanism | 1.1.0 |
| 04 Mobile Device Security | 0403.01x1System.8-01.x | 0403.01x1System.8-01.x 01.07 Mobile Computing and Teleworking | Ensure security safeguards not needed when the individuals return | 1.1.0 |
| 04 Mobile Device Security | 0403.01x1System.8-01.x | 0403.01x1System.8-01.x 01.07 Mobile Computing and Teleworking | Implement controls to secure all media | 1.1.0 |
| 04 Mobile Device Security | 0403.01x1System.8-01.x | 0403.01x1System.8-01.x 01.07 Mobile Computing and Teleworking | Manage the transportation of assets | 1.1.0 |
| 04 Mobile Device Security | 0403.01x1System.8-01.x | 0403.01x1System.8-01.x 01.07 Mobile Computing and Teleworking | Not allow for information systems to accompany with individuals | 1.1.0 |
| 04 Mobile Device Security | 0403.01x1System.8-01.x | 0403.01x1System.8-01.x 01.07 Mobile Computing and Teleworking | Protect data in transit using encryption | 1.1.0 |
| 04 Mobile Device Security | 0405.01y1Organizational.12345678-01.y | 0405.01y1Organizational.12345678-01.y 01.07 Mobile Computing and Teleworking | Define mobile device requirements | 1.1.0 |
| 04 Mobile Device Security | 0407.01y2Organizational.1-01.y | 0407.01y2Organizational.1-01.y 01.07 Mobile Computing and Teleworking | Define mobile device requirements | 1.1.0 |
| 04 Mobile Device Security | 0407.01y2Organizational.1-01.y | 0407.01y2Organizational.1-01.y 01.07 Mobile Computing and Teleworking | Implement controls to secure alternate work sites | 1.1.0 |
| 04 Mobile Device Security | 0408.01y3Organizational.12-01.y | 0408.01y3Organizational.12-01.y 01.07 Mobile Computing and Teleworking | Control maintenance and repair activities | 1.1.0 |
| 04 Mobile Device Security | 0408.01y3Organizational.12-01.y | 0408.01y3Organizational.12-01.y 01.07 Mobile Computing and Teleworking | Employ a media sanitization mechanism | 1.1.0 |
| 04 Mobile Device Security | 0408.01y3Organizational.12-01.y | 0408.01y3Organizational.12-01.y 01.07 Mobile Computing and Teleworking | Implement controls to secure all media | 1.1.0 |
| 04 Mobile Device Security | 0408.01y3Organizational.12-01.y | 0408.01y3Organizational.12-01.y 01.07 Mobile Computing and Teleworking | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| 04 Mobile Device Security | 0408.01y3Organizational.12-01.y | 0408.01y3Organizational.12-01.y 01.07 Mobile Computing and Teleworking | Manage nonlocal maintenance and diagnostic activities | 1.1.0 |
| 04 Mobile Device Security | 0409.01y3Organizational.3-01.y | 0409.01y3Organizational.3-01.y 01.07 Mobile Computing and Teleworking | Define mobile device requirements | 1.1.0 |
| 04 Mobile Device Security | 0410.01x1System.12-01.xMobileComputingandCommunications | 0410.01x1System.12-01.xMobileComputingandCommunications 01.07 Mobile Computing and Teleworking | Define mobile device requirements | 1.1.0 |
| 04 Mobile Device Security | 0410.01x1System.12-01.xMobileComputingandCommunications | 0410.01x1System.12-01.xMobileComputingandCommunications 01.07 Mobile Computing and Teleworking | Protect data in transit using encryption | 1.1.0 |
| 04 Mobile Device Security | 0415.01y1Organizational.10-01.y | 0415.01y1Organizational.10-01.y 01.07 Mobile Computing and Teleworking | Control maintenance and repair activities | 1.1.0 |
| 04 Mobile Device Security | 0415.01y1Organizational.10-01.y | 0415.01y1Organizational.10-01.y 01.07 Mobile Computing and Teleworking | Define mobile device requirements | 1.1.0 |
| 04 Mobile Device Security | 0415.01y1Organizational.10-01.y | 0415.01y1Organizational.10-01.y 01.07 Mobile Computing and Teleworking | Employ a media sanitization mechanism | 1.1.0 |
| 04 Mobile Device Security | 0415.01y1Organizational.10-01.y | 0415.01y1Organizational.10-01.y 01.07 Mobile Computing and Teleworking | Implement controls to secure all media | 1.1.0 |
| 04 Mobile Device Security | 0415.01y1Organizational.10-01.y | 0415.01y1Organizational.10-01.y 01.07 Mobile Computing and Teleworking | Manage nonlocal maintenance and diagnostic activities | 1.1.0 |
| 04 Mobile Device Security | 0416.01y3Organizational.4-01.y | 0416.01y3Organizational.4-01.y 01.07 Mobile Computing and Teleworking | Control maintenance and repair activities | 1.1.0 |
| 04 Mobile Device Security | 0416.01y3Organizational.4-01.y | 0416.01y3Organizational.4-01.y 01.07 Mobile Computing and Teleworking | Define mobile device requirements | 1.1.0 |
| 04 Mobile Device Security | 0416.01y3Organizational.4-01.y | 0416.01y3Organizational.4-01.y 01.07 Mobile Computing and Teleworking | Manage nonlocal maintenance and diagnostic activities | 1.1.0 |
| 04 Mobile Device Security | 0416.01y3Organizational.4-01.y | 0416.01y3Organizational.4-01.y 01.07 Mobile Computing and Teleworking | Protect data in transit using encryption | 1.1.0 |
| 04 Mobile Device Security | 0417.01y3Organizational.5-01.y | 0417.01y3Organizational.5-01.y 01.07 Mobile Computing and Teleworking | Define mobile device requirements | 1.1.0 |
| 04 Mobile Device Security | 0425.01x1System.13-01.x | 0425.01x1System.13-01.x 01.07 Mobile Computing and Teleworking | Define mobile device requirements | 1.1.0 |
| 04 Mobile Device Security | 0426.01x2System.1-01.x | 0426.01x2System.1-01.x 01.07 Mobile Computing and Teleworking | Define mobile device requirements | 1.1.0 |
| 04 Mobile Device Security | 0426.01x2System.1-01.x | 0426.01x2System.1-01.x 01.07 Mobile Computing and Teleworking | Employ a media sanitization mechanism | 1.1.0 |
| 04 Mobile Device Security | 0426.01x2System.1-01.x | 0426.01x2System.1-01.x 01.07 Mobile Computing and Teleworking | Ensure security safeguards not needed when the individuals return | 1.1.0 |
| 04 Mobile Device Security | 0426.01x2System.1-01.x | 0426.01x2System.1-01.x 01.07 Mobile Computing and Teleworking | Implement controls to secure all media | 1.1.0 |
| 04 Mobile Device Security | 0426.01x2System.1-01.x | 0426.01x2System.1-01.x 01.07 Mobile Computing and Teleworking | Manage the transportation of assets | 1.1.0 |
| 04 Mobile Device Security | 0426.01x2System.1-01.x | 0426.01x2System.1-01.x 01.07 Mobile Computing and Teleworking | Not allow for information systems to accompany with individuals | 1.1.0 |
| 04 Mobile Device Security | 0426.01x2System.1-01.x | 0426.01x2System.1-01.x 01.07 Mobile Computing and Teleworking | Protect data in transit using encryption | 1.1.0 |
| 04 Mobile Device Security | 0427.01x2System.2-01.x | 0427.01x2System.2-01.x 01.07 Mobile Computing and Teleworking | Define mobile device requirements | 1.1.0 |
| 04 Mobile Device Security | 0427.01x2System.2-01.x | 0427.01x2System.2-01.x 01.07 Mobile Computing and Teleworking | Ensure security safeguards not needed when the individuals return | 1.1.0 |
| 04 Mobile Device Security | 0427.01x2System.2-01.x | 0427.01x2System.2-01.x 01.07 Mobile Computing and Teleworking | Not allow for information systems to accompany with individuals | 1.1.0 |
| 04 Mobile Device Security | 0427.01x2System.2-01.x | 0427.01x2System.2-01.x 01.07 Mobile Computing and Teleworking | Protect data in transit using encryption | 1.1.0 |
| 04 Mobile Device Security | 0428.01x2System.3-01.x | 0428.01x2System.3-01.x 01.07 Mobile Computing and Teleworking | Define mobile device requirements | 1.1.0 |
| 04 Mobile Device Security | 0428.01x2System.3-01.x | 0428.01x2System.3-01.x 01.07 Mobile Computing and Teleworking | Ensure security safeguards not needed when the individuals return | 1.1.0 |
| 04 Mobile Device Security | 0428.01x2System.3-01.x | 0428.01x2System.3-01.x 01.07 Mobile Computing and Teleworking | Not allow for information systems to accompany with individuals | 1.1.0 |
| 04 Mobile Device Security | 0428.01x2System.3-01.x | 0428.01x2System.3-01.x 01.07 Mobile Computing and Teleworking | Protect data in transit using encryption | 1.1.0 |
| 04 Mobile Device Security | 0429.01x1System.14-01.x | 0429.01x1System.14-01.x 01.07 Mobile Computing and Teleworking | Control use of portable storage devices | 1.1.0 |
| 04 Mobile Device Security | 0429.01x1System.14-01.x | 0429.01x1System.14-01.x 01.07 Mobile Computing and Teleworking | Define mobile device requirements | 1.1.0 |
| 04 Mobile Device Security | 0429.01x1System.14-01.x | 0429.01x1System.14-01.x 01.07 Mobile Computing and Teleworking | Ensure security safeguards not needed when the individuals return | 1.1.0 |
| 04 Mobile Device Security | 0429.01x1System.14-01.x | 0429.01x1System.14-01.x 01.07 Mobile Computing and Teleworking | Implement controls to secure all media | 1.1.0 |
| 04 Mobile Device Security | 0429.01x1System.14-01.x | 0429.01x1System.14-01.x 01.07 Mobile Computing and Teleworking | Not allow for information systems to accompany with individuals | 1.1.0 |
| 04 Mobile Device Security | 0429.01x1System.14-01.x | 0429.01x1System.14-01.x 01.07 Mobile Computing and Teleworking | Protect data in transit using encryption | 1.1.0 |
| 04 Mobile Device Security | 0429.01x1System.14-01.x | 0429.01x1System.14-01.x 01.07 Mobile Computing and Teleworking | Restrict media use | 1.1.0 |
| 05 Wireless Security | 0504.09m2Organizational.5-09.m | 0504.09m2Organizational.5-09.m 09.06 Network Security Management | Document and implement wireless access guidelines | 1.1.0 |
| 05 Wireless Security | 0504.09m2Organizational.5-09.m | 0504.09m2Organizational.5-09.m 09.06 Network Security Management | Document wireless access security controls | 1.1.0 |
| 05 Wireless Security | 0504.09m2Organizational.5-09.m | 0504.09m2Organizational.5-09.m 09.06 Network Security Management | Identify and authenticate network devices | 1.1.0 |
| 05 Wireless Security | 0504.09m2Organizational.5-09.m | 0504.09m2Organizational.5-09.m 09.06 Network Security Management | Protect wireless access | 1.1.0 |
| 05 Wireless Security | 0505.09m2Organizational.3-09.m | 0505.09m2Organizational.3-09.m 09.06 Network Security Management | Adopt biometric authentication mechanisms | 1.1.0 |
| 05 Wireless Security | 0505.09m2Organizational.3-09.m | 0505.09m2Organizational.3-09.m 09.06 Network Security Management | Define requirements for managing assets | 1.1.0 |
| 05 Wireless Security | 0505.09m2Organizational.3-09.m | 0505.09m2Organizational.3-09.m 09.06 Network Security Management | Document wireless access security controls | 1.1.0 |
| 05 Wireless Security | 0505.09m2Organizational.3-09.m | 0505.09m2Organizational.3-09.m 09.06 Network Security Management | Employ a media sanitization mechanism | 1.1.0 |
| 05 Wireless Security | 0505.09m2Organizational.3-09.m | 0505.09m2Organizational.3-09.m 09.06 Network Security Management | Implement controls to secure all media | 1.1.0 |
| 05 Wireless Security | 0505.09m2Organizational.3-09.m | 0505.09m2Organizational.3-09.m 09.06 Network Security Management | Install an alarm system | 1.1.0 |
| 05 Wireless Security | 0505.09m2Organizational.3-09.m | 0505.09m2Organizational.3-09.m 09.06 Network Security Management | Manage a secure surveillance camera system | 1.1.0 |
| 05 Wireless Security | 0505.09m2Organizational.3-09.m | 0505.09m2Organizational.3-09.m 09.06 Network Security Management | Manage the transportation of assets | 1.1.0 |
| 06 Configuration Management | 0601.06g1Organizational.124-06.g | 0601.06g1Organizational.124-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Assess Security Controls | 1.1.0 |
| 06 Configuration Management | 0601.06g1Organizational.124-06.g | 0601.06g1Organizational.124-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Deliver security assessment results | 1.1.0 |
| 06 Configuration Management | 0601.06g1Organizational.124-06.g | 0601.06g1Organizational.124-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Develop POA&M | 1.1.0 |
| 06 Configuration Management | 0601.06g1Organizational.124-06.g | 0601.06g1Organizational.124-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Develop security assessment plan | 1.1.0 |
| 06 Configuration Management | 0601.06g1Organizational.124-06.g | 0601.06g1Organizational.124-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Produce Security Assessment report | 1.1.0 |
| 06 Configuration Management | 0601.06g1Organizational.124-06.g | 0601.06g1Organizational.124-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Update POA&M items | 1.1.0 |
| 06 Configuration Management | 0602.06g1Organizational.3-06.g | 0602.06g1Organizational.3-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Conduct Risk Assessment | 1.1.0 |
| 06 Configuration Management | 0602.06g1Organizational.3-06.g | 0602.06g1Organizational.3-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Deliver security assessment results | 1.1.0 |
| 06 Configuration Management | 0602.06g1Organizational.3-06.g | 0602.06g1Organizational.3-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Develop configuration management plan | 1.1.0 |
| 06 Configuration Management | 0602.06g1Organizational.3-06.g | 0602.06g1Organizational.3-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Develop POA&M | 1.1.0 |
| 06 Configuration Management | 0602.06g1Organizational.3-06.g | 0602.06g1Organizational.3-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Establish and document change control processes | 1.1.0 |
| 06 Configuration Management | 0602.06g1Organizational.3-06.g | 0602.06g1Organizational.3-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Establish configuration management requirements for developers | 1.1.0 |
| 06 Configuration Management | 0602.06g1Organizational.3-06.g | 0602.06g1Organizational.3-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Perform audit for configuration change control | 1.1.0 |
| 06 Configuration Management | 0602.06g1Organizational.3-06.g | 0602.06g1Organizational.3-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Produce Security Assessment report | 1.1.0 |
| 06 Configuration Management | 0602.06g1Organizational.3-06.g | 0602.06g1Organizational.3-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Require developers to document approved changes and potential impact | 1.1.0 |
| 06 Configuration Management | 0602.06g1Organizational.3-06.g | 0602.06g1Organizational.3-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Update POA&M items | 1.1.0 |
| 06 Configuration Management | 0603.06g2Organizational.1-06.g | 0603.06g2Organizational.1-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Enforce security configuration settings | 1.1.0 |
| 06 Configuration Management | 0603.06g2Organizational.1-06.g | 0603.06g2Organizational.1-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Govern compliance of cloud service providers | 1.1.0 |
| 06 Configuration Management | 0603.06g2Organizational.1-06.g | 0603.06g2Organizational.1-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Perform vulnerability scans | 1.1.0 |
| 06 Configuration Management | 0603.06g2Organizational.1-06.g | 0603.06g2Organizational.1-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Remediate information system flaws | 1.1.0 |
| 06 Configuration Management | 0603.06g2Organizational.1-06.g | 0603.06g2Organizational.1-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Verify software, firmware and information integrity | 1.1.0 |
| 06 Configuration Management | 0603.06g2Organizational.1-06.g | 0603.06g2Organizational.1-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance | View and configure system diagnostic data | 1.1.0 |
| 06 Configuration Management | 0604.06g2Organizational.2-06.g | 0604.06g2Organizational.2-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Analyse data obtained from continuous monitoring | 1.1.0 |
| 06 Configuration Management | 0604.06g2Organizational.2-06.g | 0604.06g2Organizational.2-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Configure detection whitelist | 1.1.0 |
| 06 Configuration Management | 0604.06g2Organizational.2-06.g | 0604.06g2Organizational.2-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Develop security assessment plan | 1.1.0 |
| 06 Configuration Management | 0604.06g2Organizational.2-06.g | 0604.06g2Organizational.2-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Employ independent assessors for continuous monitoring | 1.1.0 |
| 06 Configuration Management | 0604.06g2Organizational.2-06.g | 0604.06g2Organizational.2-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Employ independent assessors to conduct security control assessments | 1.1.0 |
| 06 Configuration Management | 0604.06g2Organizational.2-06.g | 0604.06g2Organizational.2-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Turn on sensors for endpoint security solution | 1.1.0 |
| 06 Configuration Management | 0604.06g2Organizational.2-06.g | 0604.06g2Organizational.2-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Undergo independent security review | 1.1.0 |
| 06 Configuration Management | 0605.10h1System.12-10.h | 0605.10h1System.12-10.h 10.04 Security of System Files | Establish and document change control processes | 1.1.0 |
| 06 Configuration Management | 0605.10h1System.12-10.h | 0605.10h1System.12-10.h 10.04 Security of System Files | Limit privileges to make changes in production environment | 1.1.0 |
| 06 Configuration Management | 0605.10h1System.12-10.h | 0605.10h1System.12-10.h 10.04 Security of System Files | Review and reevaluate privileges | 1.1.0 |
| 06 Configuration Management | 0613.06h1Organizational.12-06.h | 0613.06h1Organizational.12-06.h 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Perform vulnerability scans | 1.1.0 |
| 06 Configuration Management | 0613.06h1Organizational.12-06.h | 0613.06h1Organizational.12-06.h 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Remediate information system flaws | 1.1.0 |
| 06 Configuration Management | 0614.06h2Organizational.12-06.h | 0614.06h2Organizational.12-06.h 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Assess Security Controls | 1.1.0 |
| 06 Configuration Management | 0614.06h2Organizational.12-06.h | 0614.06h2Organizational.12-06.h 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Deliver security assessment results | 1.1.0 |
| 06 Configuration Management | 0614.06h2Organizational.12-06.h | 0614.06h2Organizational.12-06.h 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Develop security assessment plan | 1.1.0 |
| 06 Configuration Management | 0614.06h2Organizational.12-06.h | 0614.06h2Organizational.12-06.h 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Produce Security Assessment report | 1.1.0 |
| 06 Configuration Management | 0614.06h2Organizational.12-06.h | 0614.06h2Organizational.12-06.h 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Remediate information system flaws | 1.1.0 |
| 06 Configuration Management | 0614.06h2Organizational.12-06.h | 0614.06h2Organizational.12-06.h 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Select additional testing for security control assessments | 1.1.0 |
| 06 Configuration Management | 0615.06h2Organizational.3-06.h | 0615.06h2Organizational.3-06.h 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Remediate information system flaws | 1.1.0 |
| 06 Configuration Management | 0618.09b1System.1-09.b | 0618.09b1System.1-09.b 09.01 Documented Operating Procedures | Automate approval request for proposed changes | 1.1.0 |
| 06 Configuration Management | 0618.09b1System.1-09.b | 0618.09b1System.1-09.b 09.01 Documented Operating Procedures | Automate implementation of approved change notifications | 1.1.0 |
| 06 Configuration Management | 0618.09b1System.1-09.b | 0618.09b1System.1-09.b 09.01 Documented Operating Procedures | Conduct a security impact analysis | 1.1.0 |
| 06 Configuration Management | 0618.09b1System.1-09.b | 0618.09b1System.1-09.b 09.01 Documented Operating Procedures | Develop and maintain a vulnerability management standard | 1.1.0 |
| 06 Configuration Management | 0618.09b1System.1-09.b | 0618.09b1System.1-09.b 09.01 Documented Operating Procedures | Enforce security configuration settings | 1.1.0 |
| 06 Configuration Management | 0618.09b1System.1-09.b | 0618.09b1System.1-09.b 09.01 Documented Operating Procedures | Establish a risk management strategy | 1.1.0 |
| 06 Configuration Management | 0618.09b1System.1-09.b | 0618.09b1System.1-09.b 09.01 Documented Operating Procedures | Establish and document change control processes | 1.1.0 |
| 06 Configuration Management | 0618.09b1System.1-09.b | 0618.09b1System.1-09.b 09.01 Documented Operating Procedures | Establish configuration management requirements for developers | 1.1.0 |
| 06 Configuration Management | 0618.09b1System.1-09.b | 0618.09b1System.1-09.b 09.01 Documented Operating Procedures | Govern compliance of cloud service providers | 1.1.0 |
| 06 Configuration Management | 0618.09b1System.1-09.b | 0618.09b1System.1-09.b 09.01 Documented Operating Procedures | Perform a privacy impact assessment | 1.1.0 |
| 06 Configuration Management | 0618.09b1System.1-09.b | 0618.09b1System.1-09.b 09.01 Documented Operating Procedures | Perform a risk assessment | 1.1.0 |
| 06 Configuration Management | 0618.09b1System.1-09.b | 0618.09b1System.1-09.b 09.01 Documented Operating Procedures | Perform audit for configuration change control | 1.1.0 |
| 06 Configuration Management | 0618.09b1System.1-09.b | 0618.09b1System.1-09.b 09.01 Documented Operating Procedures | Require developers to document approved changes and potential impact | 1.1.0 |
| 06 Configuration Management | 0618.09b1System.1-09.b | 0618.09b1System.1-09.b 09.01 Documented Operating Procedures | Require developers to manage change integrity | 1.1.0 |
| 06 Configuration Management | 0618.09b1System.1-09.b | 0618.09b1System.1-09.b 09.01 Documented Operating Procedures | Retain previous versions of baseline configs | 1.1.0 |
| 06 Configuration Management | 0618.09b1System.1-09.b | 0618.09b1System.1-09.b 09.01 Documented Operating Procedures | View and configure system diagnostic data | 1.1.0 |
| 06 Configuration Management | 0626.10h1System.3-10.h | 0626.10h1System.3-10.h 10.04 Security of System Files | Employ automatic shutdown/restart when violations are detected | 1.1.0 |
| 06 Configuration Management | 0626.10h1System.3-10.h | 0626.10h1System.3-10.h 10.04 Security of System Files | Verify software, firmware and information integrity | 1.1.0 |
| 06 Configuration Management | 0626.10h1System.3-10.h | 0626.10h1System.3-10.h 10.04 Security of System Files | View and configure system diagnostic data | 1.1.0 |
| 06 Configuration Management | 0627.10h1System.45-10.h | 0627.10h1System.45-10.h 10.04 Security of System Files | Configure actions for noncompliant devices | 1.1.0 |
| 06 Configuration Management | 0627.10h1System.45-10.h | 0627.10h1System.45-10.h 10.04 Security of System Files | Develop and maintain baseline configurations | 1.1.0 |
| 06 Configuration Management | 0627.10h1System.45-10.h | 0627.10h1System.45-10.h 10.04 Security of System Files | Enforce security configuration settings | 1.1.0 |
| 06 Configuration Management | 0627.10h1System.45-10.h | 0627.10h1System.45-10.h 10.04 Security of System Files | Ensure security safeguards not needed when the individuals return | 1.1.0 |
| 06 Configuration Management | 0627.10h1System.45-10.h | 0627.10h1System.45-10.h 10.04 Security of System Files | Establish a configuration control board | 1.1.0 |
| 06 Configuration Management | 0627.10h1System.45-10.h | 0627.10h1System.45-10.h 10.04 Security of System Files | Establish and document a configuration management plan | 1.1.0 |
| 06 Configuration Management | 0627.10h1System.45-10.h | 0627.10h1System.45-10.h 10.04 Security of System Files | Implement an automated configuration management tool | 1.1.0 |
| 06 Configuration Management | 0627.10h1System.45-10.h | 0627.10h1System.45-10.h 10.04 Security of System Files | Not allow for information systems to accompany with individuals | 1.1.0 |
| 06 Configuration Management | 0627.10h1System.45-10.h | 0627.10h1System.45-10.h 10.04 Security of System Files | Retain previous versions of baseline configs | 1.1.0 |
| 06 Configuration Management | 0627.10h1System.45-10.h | 0627.10h1System.45-10.h 10.04 Security of System Files | Verify software, firmware and information integrity | 1.1.0 |
| 06 Configuration Management | 0627.10h1System.45-10.h | 0627.10h1System.45-10.h 10.04 Security of System Files | View and configure system diagnostic data | 1.1.0 |
| 06 Configuration Management | 0628.10h1System.6-10.h | 0628.10h1System.6-10.h 10.04 Security of System Files | Employ automatic shutdown/restart when violations are detected | 1.1.0 |
| 06 Configuration Management | 0628.10h1System.6-10.h | 0628.10h1System.6-10.h 10.04 Security of System Files | Incorporate flaw remediation into configuration management | 1.1.0 |
| 06 Configuration Management | 0628.10h1System.6-10.h | 0628.10h1System.6-10.h 10.04 Security of System Files | Remediate information system flaws | 1.1.0 |
| 06 Configuration Management | 0628.10h1System.6-10.h | 0628.10h1System.6-10.h 10.04 Security of System Files | Verify software, firmware and information integrity | 1.1.0 |
| 06 Configuration Management | 0635.10k1Organizational.12-10.k | 0635.10k1Organizational.12-10.k 10.05 Security In Development and Support Processes | Incorporate flaw remediation into configuration management | 1.1.0 |
| 06 Configuration Management | 0635.10k1Organizational.12-10.k | 0635.10k1Organizational.12-10.k 10.05 Security In Development and Support Processes | Manage gateways | 1.1.0 |
| 06 Configuration Management | 0635.10k1Organizational.12-10.k | 0635.10k1Organizational.12-10.k 10.05 Security In Development and Support Processes | Perform a trend analysis on threats | 1.1.0 |
| 06 Configuration Management | 0635.10k1Organizational.12-10.k | 0635.10k1Organizational.12-10.k 10.05 Security In Development and Support Processes | Remediate information system flaws | 1.1.0 |
| 06 Configuration Management | 0635.10k1Organizational.12-10.k | 0635.10k1Organizational.12-10.k 10.05 Security In Development and Support Processes | Review development process, standards and tools | 1.1.0 |
| 06 Configuration Management | 0635.10k1Organizational.12-10.k | 0635.10k1Organizational.12-10.k 10.05 Security In Development and Support Processes | Review malware detections report weekly | 1.1.0 |
| 06 Configuration Management | 0635.10k1Organizational.12-10.k | 0635.10k1Organizational.12-10.k 10.05 Security In Development and Support Processes | Review threat protection status weekly | 1.1.0 |
| 06 Configuration Management | 0635.10k1Organizational.12-10.k | 0635.10k1Organizational.12-10.k 10.05 Security In Development and Support Processes | Update antivirus definitions | 1.1.0 |
| 06 Configuration Management | 0636.10k2Organizational.1-10.k | 0636.10k2Organizational.1-10.k 10.05 Security In Development and Support Processes | Create configuration plan protection | 1.1.0 |
| 06 Configuration Management | 0636.10k2Organizational.1-10.k | 0636.10k2Organizational.1-10.k 10.05 Security In Development and Support Processes | Develop and maintain baseline configurations | 1.1.0 |
| 06 Configuration Management | 0636.10k2Organizational.1-10.k | 0636.10k2Organizational.1-10.k 10.05 Security In Development and Support Processes | Develop configuration item identification plan | 1.1.0 |
| 06 Configuration Management | 0636.10k2Organizational.1-10.k | 0636.10k2Organizational.1-10.k 10.05 Security In Development and Support Processes | Develop configuration management plan | 1.1.0 |
| 06 Configuration Management | 0636.10k2Organizational.1-10.k | 0636.10k2Organizational.1-10.k 10.05 Security In Development and Support Processes | Establish and document a configuration management plan | 1.1.0 |
| 06 Configuration Management | 0636.10k2Organizational.1-10.k | 0636.10k2Organizational.1-10.k 10.05 Security In Development and Support Processes | Implement an automated configuration management tool | 1.1.0 |
| 06 Configuration Management | 0636.10k2Organizational.1-10.k | 0636.10k2Organizational.1-10.k 10.05 Security In Development and Support Processes | Review and update configuration management policies and procedures | 1.1.0 |
| 06 Configuration Management | 0637.10k2Organizational.2-10.k | 0637.10k2Organizational.2-10.k 10.05 Security In Development and Support Processes | Create configuration plan protection | 1.1.0 |
| 06 Configuration Management | 0637.10k2Organizational.2-10.k | 0637.10k2Organizational.2-10.k 10.05 Security In Development and Support Processes | Develop and maintain baseline configurations | 1.1.0 |
| 06 Configuration Management | 0637.10k2Organizational.2-10.k | 0637.10k2Organizational.2-10.k 10.05 Security In Development and Support Processes | Develop configuration item identification plan | 1.1.0 |
| 06 Configuration Management | 0637.10k2Organizational.2-10.k | 0637.10k2Organizational.2-10.k 10.05 Security In Development and Support Processes | Develop configuration management plan | 1.1.0 |
| 06 Configuration Management | 0637.10k2Organizational.2-10.k | 0637.10k2Organizational.2-10.k 10.05 Security In Development and Support Processes | Establish and document a configuration management plan | 1.1.0 |
| 06 Configuration Management | 0637.10k2Organizational.2-10.k | 0637.10k2Organizational.2-10.k 10.05 Security In Development and Support Processes | Implement an automated configuration management tool | 1.1.0 |
| 06 Configuration Management | 0638.10k2Organizational.34569-10.k | 0638.10k2Organizational.34569-10.k 10.05 Security In Development and Support Processes | Automate implementation of approved change notifications | 1.1.0 |
| 06 Configuration Management | 0638.10k2Organizational.34569-10.k | 0638.10k2Organizational.34569-10.k 10.05 Security In Development and Support Processes | Automate process to document implemented changes | 1.1.0 |
| 06 Configuration Management | 0638.10k2Organizational.34569-10.k | 0638.10k2Organizational.34569-10.k 10.05 Security In Development and Support Processes | Automate process to highlight unreviewed change proposals | 1.1.0 |
| 06 Configuration Management | 0638.10k2Organizational.34569-10.k | 0638.10k2Organizational.34569-10.k 10.05 Security In Development and Support Processes | Automate process to prohibit implementation of unapproved changes | 1.1.0 |
| 06 Configuration Management | 0638.10k2Organizational.34569-10.k | 0638.10k2Organizational.34569-10.k 10.05 Security In Development and Support Processes | Automate proposed documented changes | 1.1.0 |
| 06 Configuration Management | 0638.10k2Organizational.34569-10.k | 0638.10k2Organizational.34569-10.k 10.05 Security In Development and Support Processes | Conduct a security impact analysis | 1.1.0 |
| 06 Configuration Management | 0638.10k2Organizational.34569-10.k | 0638.10k2Organizational.34569-10.k 10.05 Security In Development and Support Processes | Develop and maintain a vulnerability management standard | 1.1.0 |
| 06 Configuration Management | 0638.10k2Organizational.34569-10.k | 0638.10k2Organizational.34569-10.k 10.05 Security In Development and Support Processes | Establish a risk management strategy | 1.1.0 |
| 06 Configuration Management | 0638.10k2Organizational.34569-10.k | 0638.10k2Organizational.34569-10.k 10.05 Security In Development and Support Processes | Establish and document change control processes | 1.1.0 |
| 06 Configuration Management | 0638.10k2Organizational.34569-10.k | 0638.10k2Organizational.34569-10.k 10.05 Security In Development and Support Processes | Establish configuration management requirements for developers | 1.1.0 |
| 06 Configuration Management | 0638.10k2Organizational.34569-10.k | 0638.10k2Organizational.34569-10.k 10.05 Security In Development and Support Processes | Perform a privacy impact assessment | 1.1.0 |
| 06 Configuration Management | 0638.10k2Organizational.34569-10.k | 0638.10k2Organizational.34569-10.k 10.05 Security In Development and Support Processes | Perform a risk assessment | 1.1.0 |
| 06 Configuration Management | 0638.10k2Organizational.34569-10.k | 0638.10k2Organizational.34569-10.k 10.05 Security In Development and Support Processes | Perform audit for configuration change control | 1.1.0 |
| 06 Configuration Management | 0639.10k2Organizational.78-10.k | 0639.10k2Organizational.78-10.k 10.05 Security In Development and Support Processes | Configure actions for noncompliant devices | 1.1.0 |
| 06 Configuration Management | 0639.10k2Organizational.78-10.k | 0639.10k2Organizational.78-10.k 10.05 Security In Development and Support Processes | Develop and maintain baseline configurations | 1.1.0 |
| 06 Configuration Management | 0639.10k2Organizational.78-10.k | 0639.10k2Organizational.78-10.k 10.05 Security In Development and Support Processes | Enforce security configuration settings | 1.1.0 |
| 06 Configuration Management | 0639.10k2Organizational.78-10.k | 0639.10k2Organizational.78-10.k 10.05 Security In Development and Support Processes | Establish a configuration control board | 1.1.0 |
| 06 Configuration Management | 0639.10k2Organizational.78-10.k | 0639.10k2Organizational.78-10.k 10.05 Security In Development and Support Processes | Establish and document a configuration management plan | 1.1.0 |
| 06 Configuration Management | 0639.10k2Organizational.78-10.k | 0639.10k2Organizational.78-10.k 10.05 Security In Development and Support Processes | Implement an automated configuration management tool | 1.1.0 |
| 06 Configuration Management | 0639.10k2Organizational.78-10.k | 0639.10k2Organizational.78-10.k 10.05 Security In Development and Support Processes | Remediate information system flaws | 1.1.0 |
| 06 Configuration Management | 0640.10k2Organizational.1012-10.k | 0640.10k2Organizational.1012-10.k 10.05 Security In Development and Support Processes | Address coding vulnerabilities | 1.1.0 |
| 06 Configuration Management | 0640.10k2Organizational.1012-10.k | 0640.10k2Organizational.1012-10.k 10.05 Security In Development and Support Processes | Determine supplier contract obligations | 1.1.0 |
| 06 Configuration Management | 0640.10k2Organizational.1012-10.k | 0640.10k2Organizational.1012-10.k 10.05 Security In Development and Support Processes | Develop and document application security requirements | 1.1.0 |
| 06 Configuration Management | 0640.10k2Organizational.1012-10.k | 0640.10k2Organizational.1012-10.k 10.05 Security In Development and Support Processes | Document acquisition contract acceptance criteria | 1.1.0 |
| 06 Configuration Management | 0640.10k2Organizational.1012-10.k | 0640.10k2Organizational.1012-10.k 10.05 Security In Development and Support Processes | Document protection of personal data in acquisition contracts | 1.1.0 |
| 06 Configuration Management | 0640.10k2Organizational.1012-10.k | 0640.10k2Organizational.1012-10.k 10.05 Security In Development and Support Processes | Document protection of security information in acquisition contracts | 1.1.0 |
| 06 Configuration Management | 0640.10k2Organizational.1012-10.k | 0640.10k2Organizational.1012-10.k 10.05 Security In Development and Support Processes | Document requirements for the use of shared data in contracts | 1.1.0 |
| 06 Configuration Management | 0640.10k2Organizational.1012-10.k | 0640.10k2Organizational.1012-10.k 10.05 Security In Development and Support Processes | Document security assurance requirements in acquisition contracts | 1.1.0 |
| 06 Configuration Management | 0640.10k2Organizational.1012-10.k | 0640.10k2Organizational.1012-10.k 10.05 Security In Development and Support Processes | Document security documentation requirements in acquisition contract | 1.1.0 |
| 06 Configuration Management | 0640.10k2Organizational.1012-10.k | 0640.10k2Organizational.1012-10.k 10.05 Security In Development and Support Processes | Document security functional requirements in acquisition contracts | 1.1.0 |
| 06 Configuration Management | 0640.10k2Organizational.1012-10.k | 0640.10k2Organizational.1012-10.k 10.05 Security In Development and Support Processes | Document security strength requirements in acquisition contracts | 1.1.0 |
| 06 Configuration Management | 0640.10k2Organizational.1012-10.k | 0640.10k2Organizational.1012-10.k 10.05 Security In Development and Support Processes | Document the information system environment in acquisition contracts | 1.1.0 |
| 06 Configuration Management | 0640.10k2Organizational.1012-10.k | 0640.10k2Organizational.1012-10.k 10.05 Security In Development and Support Processes | Document the protection of cardholder data in third party contracts | 1.1.0 |
| 06 Configuration Management | 0640.10k2Organizational.1012-10.k | 0640.10k2Organizational.1012-10.k 10.05 Security In Development and Support Processes | Establish a secure software development program | 1.1.0 |
| 06 Configuration Management | 0640.10k2Organizational.1012-10.k | 0640.10k2Organizational.1012-10.k 10.05 Security In Development and Support Processes | Establish and document change control processes | 1.1.0 |
| 06 Configuration Management | 0640.10k2Organizational.1012-10.k | 0640.10k2Organizational.1012-10.k 10.05 Security In Development and Support Processes | Establish configuration management requirements for developers | 1.1.0 |
| 06 Configuration Management | 0640.10k2Organizational.1012-10.k | 0640.10k2Organizational.1012-10.k 10.05 Security In Development and Support Processes | Perform audit for configuration change control | 1.1.0 |
| 06 Configuration Management | 0640.10k2Organizational.1012-10.k | 0640.10k2Organizational.1012-10.k 10.05 Security In Development and Support Processes | Remediate information system flaws | 1.1.0 |
| 06 Configuration Management | 0640.10k2Organizational.1012-10.k | 0640.10k2Organizational.1012-10.k 10.05 Security In Development and Support Processes | Require developers to document approved changes and potential impact | 1.1.0 |
| 06 Configuration Management | 0640.10k2Organizational.1012-10.k | 0640.10k2Organizational.1012-10.k 10.05 Security In Development and Support Processes | Require developers to manage change integrity | 1.1.0 |
| 06 Configuration Management | 0640.10k2Organizational.1012-10.k | 0640.10k2Organizational.1012-10.k 10.05 Security In Development and Support Processes | Require developers to produce evidence of security assessment plan execution | 1.1.0 |
| 06 Configuration Management | 0641.10k2Organizational.11-10.k | 0641.10k2Organizational.11-10.k 10.05 Security In Development and Support Processes | Conduct a security impact analysis | 1.1.0 |
| 06 Configuration Management | 0641.10k2Organizational.11-10.k | 0641.10k2Organizational.11-10.k 10.05 Security In Development and Support Processes | Develop and establish a system security plan | 1.1.0 |
| 06 Configuration Management | 0641.10k2Organizational.11-10.k | 0641.10k2Organizational.11-10.k 10.05 Security In Development and Support Processes | Develop and maintain a vulnerability management standard | 1.1.0 |
| 06 Configuration Management | 0641.10k2Organizational.11-10.k | 0641.10k2Organizational.11-10.k 10.05 Security In Development and Support Processes | Establish a risk management strategy | 1.1.0 |
| 06 Configuration Management | 0641.10k2Organizational.11-10.k | 0641.10k2Organizational.11-10.k 10.05 Security In Development and Support Processes | Establish and document change control processes | 1.1.0 |
| 06 Configuration Management | 0641.10k2Organizational.11-10.k | 0641.10k2Organizational.11-10.k 10.05 Security In Development and Support Processes | Establish configuration management requirements for developers | 1.1.0 |
| 06 Configuration Management | 0641.10k2Organizational.11-10.k | 0641.10k2Organizational.11-10.k 10.05 Security In Development and Support Processes | Establish security requirements for the manufacturing of connected devices | 1.1.0 |
| 06 Configuration Management | 0641.10k2Organizational.11-10.k | 0641.10k2Organizational.11-10.k 10.05 Security In Development and Support Processes | Implement security engineering principles of information systems | 1.1.0 |
| 06 Configuration Management | 0641.10k2Organizational.11-10.k | 0641.10k2Organizational.11-10.k 10.05 Security In Development and Support Processes | Perform a privacy impact assessment | 1.1.0 |
| 06 Configuration Management | 0641.10k2Organizational.11-10.k | 0641.10k2Organizational.11-10.k 10.05 Security In Development and Support Processes | Perform a risk assessment | 1.1.0 |
| 06 Configuration Management | 0641.10k2Organizational.11-10.k | 0641.10k2Organizational.11-10.k 10.05 Security In Development and Support Processes | Perform audit for configuration change control | 1.1.0 |
| 06 Configuration Management | 0641.10k2Organizational.11-10.k | 0641.10k2Organizational.11-10.k 10.05 Security In Development and Support Processes | Review development process, standards and tools | 1.1.0 |
| 06 Configuration Management | 0642.10k3Organizational.12-10.k | 0642.10k3Organizational.12-10.k 10.05 Security In Development and Support Processes | Configure actions for noncompliant devices | 1.1.0 |
| 06 Configuration Management | 0642.10k3Organizational.12-10.k | 0642.10k3Organizational.12-10.k 10.05 Security In Development and Support Processes | Develop and maintain baseline configurations | 1.1.0 |
| 06 Configuration Management | 0642.10k3Organizational.12-10.k | 0642.10k3Organizational.12-10.k 10.05 Security In Development and Support Processes | Enforce security configuration settings | 1.1.0 |
| 06 Configuration Management | 0642.10k3Organizational.12-10.k | 0642.10k3Organizational.12-10.k 10.05 Security In Development and Support Processes | Establish a configuration control board | 1.1.0 |
| 06 Configuration Management | 0642.10k3Organizational.12-10.k | 0642.10k3Organizational.12-10.k 10.05 Security In Development and Support Processes | Establish and document a configuration management plan | 1.1.0 |
| 06 Configuration Management | 0642.10k3Organizational.12-10.k | 0642.10k3Organizational.12-10.k 10.05 Security In Development and Support Processes | Implement an automated configuration management tool | 1.1.0 |
| 06 Configuration Management | 0643.10k3Organizational.3-10.k | 0643.10k3Organizational.3-10.k 10.05 Security In Development and Support Processes | Conduct a security impact analysis | 1.1.0 |
| 06 Configuration Management | 0643.10k3Organizational.3-10.k | 0643.10k3Organizational.3-10.k 10.05 Security In Development and Support Processes | Configure actions for noncompliant devices | 1.1.0 |
| 06 Configuration Management | 0643.10k3Organizational.3-10.k | 0643.10k3Organizational.3-10.k 10.05 Security In Development and Support Processes | Develop and maintain a vulnerability management standard | 1.1.0 |
| 06 Configuration Management | 0643.10k3Organizational.3-10.k | 0643.10k3Organizational.3-10.k 10.05 Security In Development and Support Processes | Develop and maintain baseline configurations | 1.1.0 |
| 06 Configuration Management | 0643.10k3Organizational.3-10.k | 0643.10k3Organizational.3-10.k 10.05 Security In Development and Support Processes | Enforce security configuration settings | 1.1.0 |
| 06 Configuration Management | 0643.10k3Organizational.3-10.k | 0643.10k3Organizational.3-10.k 10.05 Security In Development and Support Processes | Establish a configuration control board | 1.1.0 |
| 06 Configuration Management | 0643.10k3Organizational.3-10.k | 0643.10k3Organizational.3-10.k 10.05 Security In Development and Support Processes | Establish a risk management strategy | 1.1.0 |
| 06 Configuration Management | 0643.10k3Organizational.3-10.k | 0643.10k3Organizational.3-10.k 10.05 Security In Development and Support Processes | Establish and document a configuration management plan | 1.1.0 |
| 06 Configuration Management | 0643.10k3Organizational.3-10.k | 0643.10k3Organizational.3-10.k 10.05 Security In Development and Support Processes | Establish and document change control processes | 1.1.0 |
| 06 Configuration Management | 0643.10k3Organizational.3-10.k | 0643.10k3Organizational.3-10.k 10.05 Security In Development and Support Processes | Establish configuration management requirements for developers | 1.1.0 |
| 06 Configuration Management | 0643.10k3Organizational.3-10.k | 0643.10k3Organizational.3-10.k 10.05 Security In Development and Support Processes | Implement an automated configuration management tool | 1.1.0 |
| 06 Configuration Management | 0643.10k3Organizational.3-10.k | 0643.10k3Organizational.3-10.k 10.05 Security In Development and Support Processes | Perform a privacy impact assessment | 1.1.0 |
| 06 Configuration Management | 0643.10k3Organizational.3-10.k | 0643.10k3Organizational.3-10.k 10.05 Security In Development and Support Processes | Perform a risk assessment | 1.1.0 |
| 06 Configuration Management | 0643.10k3Organizational.3-10.k | 0643.10k3Organizational.3-10.k 10.05 Security In Development and Support Processes | Perform audit for configuration change control | 1.1.0 |
| 06 Configuration Management | 0643.10k3Organizational.3-10.k | 0643.10k3Organizational.3-10.k 10.05 Security In Development and Support Processes | Remediate information system flaws | 1.1.0 |
| 06 Configuration Management | 0643.10k3Organizational.3-10.k | 0643.10k3Organizational.3-10.k 10.05 Security In Development and Support Processes | Retain previous versions of baseline configs | 1.1.0 |
| 06 Configuration Management | 0644.10k3Organizational.4-10.k | 0644.10k3Organizational.4-10.k 10.05 Security In Development and Support Processes | Assign account managers | 1.1.0 |
| 06 Configuration Management | 0644.10k3Organizational.4-10.k | 0644.10k3Organizational.4-10.k 10.05 Security In Development and Support Processes | Audit user account status | 1.1.0 |
| 06 Configuration Management | 0644.10k3Organizational.4-10.k | 0644.10k3Organizational.4-10.k 10.05 Security In Development and Support Processes | Define and enforce conditions for shared and group accounts | 1.1.0 |
| 06 Configuration Management | 0644.10k3Organizational.4-10.k | 0644.10k3Organizational.4-10.k 10.05 Security In Development and Support Processes | Define information system account types | 1.1.0 |
| 06 Configuration Management | 0644.10k3Organizational.4-10.k | 0644.10k3Organizational.4-10.k 10.05 Security In Development and Support Processes | Develop configuration item identification plan | 1.1.0 |
| 06 Configuration Management | 0644.10k3Organizational.4-10.k | 0644.10k3Organizational.4-10.k 10.05 Security In Development and Support Processes | Develop configuration management plan | 1.1.0 |
| 06 Configuration Management | 0644.10k3Organizational.4-10.k | 0644.10k3Organizational.4-10.k 10.05 Security In Development and Support Processes | Document access privileges | 1.1.0 |
| 06 Configuration Management | 0644.10k3Organizational.4-10.k | 0644.10k3Organizational.4-10.k 10.05 Security In Development and Support Processes | Enforce security configuration settings | 1.1.0 |
| 06 Configuration Management | 0644.10k3Organizational.4-10.k | 0644.10k3Organizational.4-10.k 10.05 Security In Development and Support Processes | Establish conditions for role membership | 1.1.0 |
| 06 Configuration Management | 0644.10k3Organizational.4-10.k | 0644.10k3Organizational.4-10.k 10.05 Security In Development and Support Processes | Govern compliance of cloud service providers | 1.1.0 |
| 06 Configuration Management | 0644.10k3Organizational.4-10.k | 0644.10k3Organizational.4-10.k 10.05 Security In Development and Support Processes | Monitor account activity | 1.1.0 |
| 06 Configuration Management | 0644.10k3Organizational.4-10.k | 0644.10k3Organizational.4-10.k 10.05 Security In Development and Support Processes | Notify Account Managers of customer controlled accounts | 1.1.0 |
| 06 Configuration Management | 0644.10k3Organizational.4-10.k | 0644.10k3Organizational.4-10.k 10.05 Security In Development and Support Processes | Reissue authenticators for changed groups and accounts | 1.1.0 |
| 06 Configuration Management | 0644.10k3Organizational.4-10.k | 0644.10k3Organizational.4-10.k 10.05 Security In Development and Support Processes | Remediate information system flaws | 1.1.0 |
| 06 Configuration Management | 0644.10k3Organizational.4-10.k | 0644.10k3Organizational.4-10.k 10.05 Security In Development and Support Processes | Require approval for account creation | 1.1.0 |
| 06 Configuration Management | 0644.10k3Organizational.4-10.k | 0644.10k3Organizational.4-10.k 10.05 Security In Development and Support Processes | Restrict access to privileged accounts | 1.1.0 |
| 06 Configuration Management | 0644.10k3Organizational.4-10.k | 0644.10k3Organizational.4-10.k 10.05 Security In Development and Support Processes | Review account provisioning logs | 1.1.0 |
| 06 Configuration Management | 0644.10k3Organizational.4-10.k | 0644.10k3Organizational.4-10.k 10.05 Security In Development and Support Processes | Review user accounts | 1.1.0 |
| 06 Configuration Management | 0644.10k3Organizational.4-10.k | 0644.10k3Organizational.4-10.k 10.05 Security In Development and Support Processes | View and configure system diagnostic data | 1.1.0 |
| 06 Configuration Management | 0662.09sCSPOrganizational.2-09.s | 0662.09sCSPOrganizational.2-09.s 09.08 Exchange of Information | Employ independent assessors to conduct security control assessments | 1.1.0 |
| 06 Configuration Management | 0662.09sCSPOrganizational.2-09.s | 0662.09sCSPOrganizational.2-09.s 09.08 Exchange of Information | Select additional testing for security control assessments | 1.1.0 |
| 06 Configuration Management | 0663.10h1System.7-10.h | 0663.10h1System.7-10.h 10.04 Security of System Files | Audit privileged functions | 1.1.0 |
| 06 Configuration Management | 0663.10h1System.7-10.h | 0663.10h1System.7-10.h 10.04 Security of System Files | Audit user account status | 1.1.0 |
| 06 Configuration Management | 0663.10h1System.7-10.h | 0663.10h1System.7-10.h 10.04 Security of System Files | Detect network services that have not been authorized or approved | 1.1.0 |
| 06 Configuration Management | 0663.10h1System.7-10.h | 0663.10h1System.7-10.h 10.04 Security of System Files | Determine auditable events | 1.1.0 |
| 06 Configuration Management | 0663.10h1System.7-10.h | 0663.10h1System.7-10.h 10.04 Security of System Files | Document wireless access security controls | 1.1.0 |
| 06 Configuration Management | 0663.10h1System.7-10.h | 0663.10h1System.7-10.h 10.04 Security of System Files | Employ automatic shutdown/restart when violations are detected | 1.1.0 |
| 06 Configuration Management | 0663.10h1System.7-10.h | 0663.10h1System.7-10.h 10.04 Security of System Files | Implement system boundary protection | 1.1.0 |
| 06 Configuration Management | 0663.10h1System.7-10.h | 0663.10h1System.7-10.h 10.04 Security of System Files | Manage gateways | 1.1.0 |
| 06 Configuration Management | 0663.10h1System.7-10.h | 0663.10h1System.7-10.h 10.04 Security of System Files | Perform a trend analysis on threats | 1.1.0 |
| 06 Configuration Management | 0663.10h1System.7-10.h | 0663.10h1System.7-10.h 10.04 Security of System Files | Remediate information system flaws | 1.1.0 |
| 06 Configuration Management | 0663.10h1System.7-10.h | 0663.10h1System.7-10.h 10.04 Security of System Files | Review audit data | 1.1.0 |
| 06 Configuration Management | 0663.10h1System.7-10.h | 0663.10h1System.7-10.h 10.04 Security of System Files | Review malware detections report weekly | 1.1.0 |
| 06 Configuration Management | 0663.10h1System.7-10.h | 0663.10h1System.7-10.h 10.04 Security of System Files | Review threat protection status weekly | 1.1.0 |
| 06 Configuration Management | 0663.10h1System.7-10.h | 0663.10h1System.7-10.h 10.04 Security of System Files | Update antivirus definitions | 1.1.0 |
| 06 Configuration Management | 0663.10h1System.7-10.h | 0663.10h1System.7-10.h 10.04 Security of System Files | Verify software, firmware and information integrity | 1.1.0 |
| 06 Configuration Management | 0663.10h1System.7-10.h | 0663.10h1System.7-10.h 10.04 Security of System Files | View and configure system diagnostic data | 1.1.0 |
| 06 Configuration Management | 0669.10hCSPSystem.1-10.h | 0669.10hCSPSystem.1-10.h 10.04 Security of System Files | Address coding vulnerabilities | 1.1.0 |
| 06 Configuration Management | 0669.10hCSPSystem.1-10.h | 0669.10hCSPSystem.1-10.h 10.04 Security of System Files | Configure actions for noncompliant devices | 1.1.0 |
| 06 Configuration Management | 0669.10hCSPSystem.1-10.h | 0669.10hCSPSystem.1-10.h 10.04 Security of System Files | Develop and document application security requirements | 1.1.0 |
| 06 Configuration Management | 0669.10hCSPSystem.1-10.h | 0669.10hCSPSystem.1-10.h 10.04 Security of System Files | Develop and maintain baseline configurations | 1.1.0 |
| 06 Configuration Management | 0669.10hCSPSystem.1-10.h | 0669.10hCSPSystem.1-10.h 10.04 Security of System Files | Develop configuration item identification plan | 1.1.0 |
| 06 Configuration Management | 0669.10hCSPSystem.1-10.h | 0669.10hCSPSystem.1-10.h 10.04 Security of System Files | Develop configuration management plan | 1.1.0 |
| 06 Configuration Management | 0669.10hCSPSystem.1-10.h | 0669.10hCSPSystem.1-10.h 10.04 Security of System Files | Document the information system environment in acquisition contracts | 1.1.0 |
| 06 Configuration Management | 0669.10hCSPSystem.1-10.h | 0669.10hCSPSystem.1-10.h 10.04 Security of System Files | Enforce security configuration settings | 1.1.0 |
| 06 Configuration Management | 0669.10hCSPSystem.1-10.h | 0669.10hCSPSystem.1-10.h 10.04 Security of System Files | Establish a configuration control board | 1.1.0 |
| 06 Configuration Management | 0669.10hCSPSystem.1-10.h | 0669.10hCSPSystem.1-10.h 10.04 Security of System Files | Establish a secure software development program | 1.1.0 |
| 06 Configuration Management | 0669.10hCSPSystem.1-10.h | 0669.10hCSPSystem.1-10.h 10.04 Security of System Files | Establish and document a configuration management plan | 1.1.0 |
| 06 Configuration Management | 0669.10hCSPSystem.1-10.h | 0669.10hCSPSystem.1-10.h 10.04 Security of System Files | Establish and document change control processes | 1.1.0 |
| 06 Configuration Management | 0669.10hCSPSystem.1-10.h | 0669.10hCSPSystem.1-10.h 10.04 Security of System Files | Establish configuration management requirements for developers | 1.1.0 |
| 06 Configuration Management | 0669.10hCSPSystem.1-10.h | 0669.10hCSPSystem.1-10.h 10.04 Security of System Files | Implement an automated configuration management tool | 1.1.0 |
| 06 Configuration Management | 0669.10hCSPSystem.1-10.h | 0669.10hCSPSystem.1-10.h 10.04 Security of System Files | Perform audit for configuration change control | 1.1.0 |
| 06 Configuration Management | 0669.10hCSPSystem.1-10.h | 0669.10hCSPSystem.1-10.h 10.04 Security of System Files | Require developers to manage change integrity | 1.1.0 |
| 06 Configuration Management | 0670.10hCSPSystem.2-10.h | 0670.10hCSPSystem.2-10.h 10.04 Security of System Files | Adhere to retention periods defined | 1.1.0 |
| 06 Configuration Management | 0670.10hCSPSystem.2-10.h | 0670.10hCSPSystem.2-10.h 10.04 Security of System Files | Perform disposition review | 1.1.0 |
| 06 Configuration Management | 0670.10hCSPSystem.2-10.h | 0670.10hCSPSystem.2-10.h 10.04 Security of System Files | Verify personal data is deleted at the end of processing | 1.1.0 |
| 06 Configuration Management | 0671.10k1System.1-10.k | 0671.10k1System.1-10.k 10.05 Security In Development and Support Processes | Address coding vulnerabilities | 1.1.0 |
| 06 Configuration Management | 0671.10k1System.1-10.k | 0671.10k1System.1-10.k 10.05 Security In Development and Support Processes | Automate implementation of approved change notifications | 1.1.0 |
| 06 Configuration Management | 0671.10k1System.1-10.k | 0671.10k1System.1-10.k 10.05 Security In Development and Support Processes | Automate process to highlight unreviewed change proposals | 1.1.0 |
| 06 Configuration Management | 0671.10k1System.1-10.k | 0671.10k1System.1-10.k 10.05 Security In Development and Support Processes | Automate process to prohibit implementation of unapproved changes | 1.1.0 |
| 06 Configuration Management | 0671.10k1System.1-10.k | 0671.10k1System.1-10.k 10.05 Security In Development and Support Processes | Automate proposed documented changes | 1.1.0 |
| 06 Configuration Management | 0671.10k1System.1-10.k | 0671.10k1System.1-10.k 10.05 Security In Development and Support Processes | Develop and document application security requirements | 1.1.0 |
| 06 Configuration Management | 0671.10k1System.1-10.k | 0671.10k1System.1-10.k 10.05 Security In Development and Support Processes | Document the information system environment in acquisition contracts | 1.1.0 |
| 06 Configuration Management | 0671.10k1System.1-10.k | 0671.10k1System.1-10.k 10.05 Security In Development and Support Processes | Enforce security configuration settings | 1.1.0 |
| 06 Configuration Management | 0671.10k1System.1-10.k | 0671.10k1System.1-10.k 10.05 Security In Development and Support Processes | Establish a secure software development program | 1.1.0 |
| 06 Configuration Management | 0671.10k1System.1-10.k | 0671.10k1System.1-10.k 10.05 Security In Development and Support Processes | Establish and document change control processes | 1.1.0 |
| 06 Configuration Management | 0671.10k1System.1-10.k | 0671.10k1System.1-10.k 10.05 Security In Development and Support Processes | Establish configuration management requirements for developers | 1.1.0 |
| 06 Configuration Management | 0671.10k1System.1-10.k | 0671.10k1System.1-10.k 10.05 Security In Development and Support Processes | Perform audit for configuration change control | 1.1.0 |
| 06 Configuration Management | 0671.10k1System.1-10.k | 0671.10k1System.1-10.k 10.05 Security In Development and Support Processes | Remediate information system flaws | 1.1.0 |
| 06 Configuration Management | 0671.10k1System.1-10.k | 0671.10k1System.1-10.k 10.05 Security In Development and Support Processes | Require developers to document approved changes and potential impact | 1.1.0 |
| 06 Configuration Management | 0671.10k1System.1-10.k | 0671.10k1System.1-10.k 10.05 Security In Development and Support Processes | Require developers to implement only approved changes | 1.1.0 |
| 06 Configuration Management | 0671.10k1System.1-10.k | 0671.10k1System.1-10.k 10.05 Security In Development and Support Processes | Require developers to manage change integrity | 1.1.0 |
| 06 Configuration Management | 0672.10k3System.5-10.k | 0672.10k3System.5-10.k 10.05 Security In Development and Support Processes | Conduct a security impact analysis | 1.1.0 |
| 06 Configuration Management | 0672.10k3System.5-10.k | 0672.10k3System.5-10.k 10.05 Security In Development and Support Processes | Develop and maintain a vulnerability management standard | 1.1.0 |
| 06 Configuration Management | 0672.10k3System.5-10.k | 0672.10k3System.5-10.k 10.05 Security In Development and Support Processes | Employ automatic shutdown/restart when violations are detected | 1.1.0 |
| 06 Configuration Management | 0672.10k3System.5-10.k | 0672.10k3System.5-10.k 10.05 Security In Development and Support Processes | Establish a risk management strategy | 1.1.0 |
| 06 Configuration Management | 0672.10k3System.5-10.k | 0672.10k3System.5-10.k 10.05 Security In Development and Support Processes | Establish and document change control processes | 1.1.0 |
| 06 Configuration Management | 0672.10k3System.5-10.k | 0672.10k3System.5-10.k 10.05 Security In Development and Support Processes | Establish configuration management requirements for developers | 1.1.0 |
| 06 Configuration Management | 0672.10k3System.5-10.k | 0672.10k3System.5-10.k 10.05 Security In Development and Support Processes | Perform a privacy impact assessment | 1.1.0 |
| 06 Configuration Management | 0672.10k3System.5-10.k | 0672.10k3System.5-10.k 10.05 Security In Development and Support Processes | Perform a risk assessment | 1.1.0 |
| 06 Configuration Management | 0672.10k3System.5-10.k | 0672.10k3System.5-10.k 10.05 Security In Development and Support Processes | Perform audit for configuration change control | 1.1.0 |
| 06 Configuration Management | 0672.10k3System.5-10.k | 0672.10k3System.5-10.k 10.05 Security In Development and Support Processes | Prohibit binary/machine-executable code | 1.1.0 |
| 06 Configuration Management | 0672.10k3System.5-10.k | 0672.10k3System.5-10.k 10.05 Security In Development and Support Processes | Verify software, firmware and information integrity | 1.1.0 |
| 06 Configuration Management | 0672.10k3System.5-10.k | 0672.10k3System.5-10.k 10.05 Security In Development and Support Processes | View and configure system diagnostic data | 1.1.0 |
| 06 Configuration Management | 068.06g2Organizational.34-06.g | 068.06g2Organizational.34-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Assess Security Controls | 1.1.0 |
| 06 Configuration Management | 068.06g2Organizational.34-06.g | 068.06g2Organizational.34-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Deliver security assessment results | 1.1.0 |
| 06 Configuration Management | 068.06g2Organizational.34-06.g | 068.06g2Organizational.34-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Develop security assessment plan | 1.1.0 |
| 06 Configuration Management | 068.06g2Organizational.34-06.g | 068.06g2Organizational.34-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Employ independent assessors for continuous monitoring | 1.1.0 |
| 06 Configuration Management | 068.06g2Organizational.34-06.g | 068.06g2Organizational.34-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Employ independent assessors to conduct security control assessments | 1.1.0 |
| 06 Configuration Management | 068.06g2Organizational.34-06.g | 068.06g2Organizational.34-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Produce Security Assessment report | 1.1.0 |
| 06 Configuration Management | 069.06g2Organizational.56-06.g | 069.06g2Organizational.56-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Conduct Risk Assessment | 1.1.0 |
| 06 Configuration Management | 069.06g2Organizational.56-06.g | 069.06g2Organizational.56-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Conduct risk assessment and distribute its results | 1.1.0 |
| 06 Configuration Management | 069.06g2Organizational.56-06.g | 069.06g2Organizational.56-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Conduct risk assessment and document its results | 1.1.0 |
| 06 Configuration Management | 069.06g2Organizational.56-06.g | 069.06g2Organizational.56-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Configure detection whitelist | 1.1.0 |
| 06 Configuration Management | 069.06g2Organizational.56-06.g | 069.06g2Organizational.56-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Perform a risk assessment | 1.1.0 |
| 06 Configuration Management | 069.06g2Organizational.56-06.g | 069.06g2Organizational.56-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Turn on sensors for endpoint security solution | 1.1.0 |
| 06 Configuration Management | 069.06g2Organizational.56-06.g | 069.06g2Organizational.56-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Undergo independent security review | 1.1.0 |
| 07 Vulnerability Management | 0701.07a1Organizational.12-07.a | 0701.07a1Organizational.12-07.a 07.01 Responsibility for Assets | Conduct exit interview upon termination | 1.1.0 |
| 07 Vulnerability Management | 0701.07a1Organizational.12-07.a | 0701.07a1Organizational.12-07.a 07.01 Responsibility for Assets | Create a data inventory | 1.1.0 |
| 07 Vulnerability Management | 0701.07a1Organizational.12-07.a | 0701.07a1Organizational.12-07.a 07.01 Responsibility for Assets | Disable authenticators upon termination | 1.1.0 |
| 07 Vulnerability Management | 0701.07a1Organizational.12-07.a | 0701.07a1Organizational.12-07.a 07.01 Responsibility for Assets | Establish and maintain an asset inventory | 1.1.0 |
| 07 Vulnerability Management | 0701.07a1Organizational.12-07.a | 0701.07a1Organizational.12-07.a 07.01 Responsibility for Assets | Notify upon termination or transfer | 1.1.0 |
| 07 Vulnerability Management | 0701.07a1Organizational.12-07.a | 0701.07a1Organizational.12-07.a 07.01 Responsibility for Assets | Protect against and prevent data theft from departing employees | 1.1.0 |
| 07 Vulnerability Management | 0701.07a1Organizational.12-07.a | 0701.07a1Organizational.12-07.a 07.01 Responsibility for Assets | Retain terminated user data | 1.1.0 |
| 07 Vulnerability Management | 0702.07a1Organizational.3-07.a | 0702.07a1Organizational.3-07.a 07.01 Responsibility for Assets | Define information security roles and responsibilities | 1.1.0 |
| 07 Vulnerability Management | 0702.07a1Organizational.3-07.a | 0702.07a1Organizational.3-07.a 07.01 Responsibility for Assets | Establish terms and conditions for processing resources | 1.1.0 |
| 07 Vulnerability Management | 0703.07a2Organizational.1-07.a | 0703.07a2Organizational.1-07.a 07.01 Responsibility for Assets | Create a data inventory | 1.1.0 |
| 07 Vulnerability Management | 0703.07a2Organizational.1-07.a | 0703.07a2Organizational.1-07.a 07.01 Responsibility for Assets | Establish and maintain an asset inventory | 1.1.0 |
| 07 Vulnerability Management | 0703.07a2Organizational.1-07.a | 0703.07a2Organizational.1-07.a 07.01 Responsibility for Assets | Maintain records of processing of personal data | 1.1.0 |
| 07 Vulnerability Management | 0704.07a3Organizational.12-07.a | 0704.07a3Organizational.12-07.a 07.01 Responsibility for Assets | Create a data inventory | 1.1.0 |
| 07 Vulnerability Management | 0704.07a3Organizational.12-07.a | 0704.07a3Organizational.12-07.a 07.01 Responsibility for Assets | Establish and maintain an asset inventory | 1.1.0 |
| 07 Vulnerability Management | 0704.07a3Organizational.12-07.a | 0704.07a3Organizational.12-07.a 07.01 Responsibility for Assets | Maintain records of processing of personal data | 1.1.0 |
| 07 Vulnerability Management | 0705.07a3Organizational.3-07.a | 0705.07a3Organizational.3-07.a 07.01 Responsibility for Assets | Define information security roles and responsibilities | 1.1.0 |
| 07 Vulnerability Management | 0705.07a3Organizational.3-07.a | 0705.07a3Organizational.3-07.a 07.01 Responsibility for Assets | Identify individuals with security roles and responsibilities | 1.1.1 |
| 07 Vulnerability Management | 0705.07a3Organizational.3-07.a | 0705.07a3Organizational.3-07.a 07.01 Responsibility for Assets | Integrate risk management process into SDLC | 1.1.0 |
| 07 Vulnerability Management | 0706.10b1System.12-10.b | 0706.10b1System.12-10.b 10.02 Correct Processing in Applications | Define information security roles and responsibilities | 1.1.0 |
| 07 Vulnerability Management | 0706.10b1System.12-10.b | 0706.10b1System.12-10.b 10.02 Correct Processing in Applications | Identify individuals with security roles and responsibilities | 1.1.1 |
| 07 Vulnerability Management | 0706.10b1System.12-10.b | 0706.10b1System.12-10.b 10.02 Correct Processing in Applications | Integrate risk management process into SDLC | 1.1.0 |
| 07 Vulnerability Management | 0706.10b1System.12-10.b | 0706.10b1System.12-10.b 10.02 Correct Processing in Applications | Perform information input validation | 1.1.0 |
| 07 Vulnerability Management | 0708.10b2System.2-10.b | 0708.10b2System.2-10.b 10.02 Correct Processing in Applications | Review and update information integrity policies and procedures | 1.1.0 |
| 07 Vulnerability Management | 0708.10b2System.2-10.b | 0708.10b2System.2-10.b 10.02 Correct Processing in Applications | Verify software, firmware and information integrity | 1.1.0 |
| 07 Vulnerability Management | 0708.10b2System.2-10.b | 0708.10b2System.2-10.b 10.02 Correct Processing in Applications | View and configure system diagnostic data | 1.1.0 |
| 07 Vulnerability Management | 0709.10m1Organizational.1-10.m | 0709.10m1Organizational.1-10.m 10.06 Technical Vulnerability Management | Assess Security Controls | 1.1.0 |
| 07 Vulnerability Management | 0709.10m1Organizational.1-10.m | 0709.10m1Organizational.1-10.m 10.06 Technical Vulnerability Management | Deliver security assessment results | 1.1.0 |
| 07 Vulnerability Management | 0709.10m1Organizational.1-10.m | 0709.10m1Organizational.1-10.m 10.06 Technical Vulnerability Management | Develop security assessment plan | 1.1.0 |
| 07 Vulnerability Management | 0709.10m1Organizational.1-10.m | 0709.10m1Organizational.1-10.m 10.06 Technical Vulnerability Management | Produce Security Assessment report | 1.1.0 |
| 07 Vulnerability Management | 0709.10m1Organizational.1-10.m | 0709.10m1Organizational.1-10.m 10.06 Technical Vulnerability Management | Select additional testing for security control assessments | 1.1.0 |
| 07 Vulnerability Management | 0710.10m2Organizational.1-10.m | 0710.10m2Organizational.1-10.m 10.06 Technical Vulnerability Management | Configure actions for noncompliant devices | 1.1.0 |
| 07 Vulnerability Management | 0710.10m2Organizational.1-10.m | 0710.10m2Organizational.1-10.m 10.06 Technical Vulnerability Management | Develop and maintain baseline configurations | 1.1.0 |
| 07 Vulnerability Management | 0710.10m2Organizational.1-10.m | 0710.10m2Organizational.1-10.m 10.06 Technical Vulnerability Management | Enforce security configuration settings | 1.1.0 |
| 07 Vulnerability Management | 0710.10m2Organizational.1-10.m | 0710.10m2Organizational.1-10.m 10.06 Technical Vulnerability Management | Establish a configuration control board | 1.1.0 |
| 07 Vulnerability Management | 0710.10m2Organizational.1-10.m | 0710.10m2Organizational.1-10.m 10.06 Technical Vulnerability Management | Establish and document a configuration management plan | 1.1.0 |
| 07 Vulnerability Management | 0710.10m2Organizational.1-10.m | 0710.10m2Organizational.1-10.m 10.06 Technical Vulnerability Management | Govern compliance of cloud service providers | 1.1.0 |
| 07 Vulnerability Management | 0710.10m2Organizational.1-10.m | 0710.10m2Organizational.1-10.m 10.06 Technical Vulnerability Management | Implement an automated configuration management tool | 1.1.0 |
| 07 Vulnerability Management | 0710.10m2Organizational.1-10.m | 0710.10m2Organizational.1-10.m 10.06 Technical Vulnerability Management | View and configure system diagnostic data | 1.1.0 |
| 07 Vulnerability Management | 0711.10m2Organizational.23-10.m | 0711.10m2Organizational.23-10.m 10.06 Technical Vulnerability Management | Observe and report security weaknesses | 1.1.0 |
| 07 Vulnerability Management | 0711.10m2Organizational.23-10.m | 0711.10m2Organizational.23-10.m 10.06 Technical Vulnerability Management | Perform a trend analysis on threats | 1.1.0 |
| 07 Vulnerability Management | 0711.10m2Organizational.23-10.m | 0711.10m2Organizational.23-10.m 10.06 Technical Vulnerability Management | Perform threat modeling | 1.1.0 |
| 07 Vulnerability Management | 0712.10m2Organizational.4-10.m | 0712.10m2Organizational.4-10.m 10.06 Technical Vulnerability Management | Employ independent team for penetration testing | 1.1.0 |
| 07 Vulnerability Management | 0712.10m2Organizational.4-10.m | 0712.10m2Organizational.4-10.m 10.06 Technical Vulnerability Management | Select additional testing for security control assessments | 1.1.0 |
| 07 Vulnerability Management | 0713.10m2Organizational.5-10.m | 0713.10m2Organizational.5-10.m 10.06 Technical Vulnerability Management | Automate flaw remediation | 1.1.0 |
| 07 Vulnerability Management | 0713.10m2Organizational.5-10.m | 0713.10m2Organizational.5-10.m 10.06 Technical Vulnerability Management | Establish benchmarks for flaw remediation | 1.1.0 |
| 07 Vulnerability Management | 0713.10m2Organizational.5-10.m | 0713.10m2Organizational.5-10.m 10.06 Technical Vulnerability Management | Incorporate flaw remediation into configuration management | 1.1.0 |
| 07 Vulnerability Management | 0713.10m2Organizational.5-10.m | 0713.10m2Organizational.5-10.m 10.06 Technical Vulnerability Management | Measure the time between flaw identification and flaw remediation | 1.1.0 |
| 07 Vulnerability Management | 0714.10m2Organizational.7-10.m | 0714.10m2Organizational.7-10.m 10.06 Technical Vulnerability Management | Audit privileged functions | 1.1.0 |
| 07 Vulnerability Management | 0714.10m2Organizational.7-10.m | 0714.10m2Organizational.7-10.m 10.06 Technical Vulnerability Management | Audit user account status | 1.1.0 |
| 07 Vulnerability Management | 0714.10m2Organizational.7-10.m | 0714.10m2Organizational.7-10.m 10.06 Technical Vulnerability Management | Correlate audit records | 1.1.0 |
| 07 Vulnerability Management | 0714.10m2Organizational.7-10.m | 0714.10m2Organizational.7-10.m 10.06 Technical Vulnerability Management | Determine auditable events | 1.1.0 |
| 07 Vulnerability Management | 0714.10m2Organizational.7-10.m | 0714.10m2Organizational.7-10.m 10.06 Technical Vulnerability Management | Establish requirements for audit review and reporting | 1.1.0 |
| 07 Vulnerability Management | 0714.10m2Organizational.7-10.m | 0714.10m2Organizational.7-10.m 10.06 Technical Vulnerability Management | Implement privileged access for executing vulnerability scanning activities | 1.1.0 |
| 07 Vulnerability Management | 0714.10m2Organizational.7-10.m | 0714.10m2Organizational.7-10.m 10.06 Technical Vulnerability Management | Integrate audit review, analysis, and reporting | 1.1.0 |
| 07 Vulnerability Management | 0714.10m2Organizational.7-10.m | 0714.10m2Organizational.7-10.m 10.06 Technical Vulnerability Management | Integrate cloud app security with a siem | 1.1.0 |
| 07 Vulnerability Management | 0714.10m2Organizational.7-10.m | 0714.10m2Organizational.7-10.m 10.06 Technical Vulnerability Management | Observe and report security weaknesses | 1.1.0 |
| 07 Vulnerability Management | 0714.10m2Organizational.7-10.m | 0714.10m2Organizational.7-10.m 10.06 Technical Vulnerability Management | Perform a trend analysis on threats | 1.1.0 |
| 07 Vulnerability Management | 0714.10m2Organizational.7-10.m | 0714.10m2Organizational.7-10.m 10.06 Technical Vulnerability Management | Perform threat modeling | 1.1.0 |
| 07 Vulnerability Management | 0714.10m2Organizational.7-10.m | 0714.10m2Organizational.7-10.m 10.06 Technical Vulnerability Management | Review account provisioning logs | 1.1.0 |
| 07 Vulnerability Management | 0714.10m2Organizational.7-10.m | 0714.10m2Organizational.7-10.m 10.06 Technical Vulnerability Management | Review administrator assignments weekly | 1.1.0 |
| 07 Vulnerability Management | 0714.10m2Organizational.7-10.m | 0714.10m2Organizational.7-10.m 10.06 Technical Vulnerability Management | Review audit data | 1.1.0 |
| 07 Vulnerability Management | 0714.10m2Organizational.7-10.m | 0714.10m2Organizational.7-10.m 10.06 Technical Vulnerability Management | Review cloud identity report overview | 1.1.0 |
| 07 Vulnerability Management | 0714.10m2Organizational.7-10.m | 0714.10m2Organizational.7-10.m 10.06 Technical Vulnerability Management | Review controlled folder access events | 1.1.0 |
| 07 Vulnerability Management | 0714.10m2Organizational.7-10.m | 0714.10m2Organizational.7-10.m 10.06 Technical Vulnerability Management | Review exploit protection events | 1.1.0 |
| 07 Vulnerability Management | 0714.10m2Organizational.7-10.m | 0714.10m2Organizational.7-10.m 10.06 Technical Vulnerability Management | Review file and folder activity | 1.1.0 |
| 07 Vulnerability Management | 0714.10m2Organizational.7-10.m | 0714.10m2Organizational.7-10.m 10.06 Technical Vulnerability Management | Review role group changes weekly | 1.1.0 |
| 07 Vulnerability Management | 0716.10m3Organizational.1-10.m | 0716.10m3Organizational.1-10.m 10.06 Technical Vulnerability Management | Assess Security Controls | 1.1.0 |
| 07 Vulnerability Management | 0716.10m3Organizational.1-10.m | 0716.10m3Organizational.1-10.m 10.06 Technical Vulnerability Management | Deliver security assessment results | 1.1.0 |
| 07 Vulnerability Management | 0716.10m3Organizational.1-10.m | 0716.10m3Organizational.1-10.m 10.06 Technical Vulnerability Management | Develop security assessment plan | 1.1.0 |
| 07 Vulnerability Management | 0716.10m3Organizational.1-10.m | 0716.10m3Organizational.1-10.m 10.06 Technical Vulnerability Management | Produce Security Assessment report | 1.1.0 |
| 07 Vulnerability Management | 0717.10m3Organizational.2-10.m | 0717.10m3Organizational.2-10.m 10.06 Technical Vulnerability Management | Observe and report security weaknesses | 1.1.0 |
| 07 Vulnerability Management | 0717.10m3Organizational.2-10.m | 0717.10m3Organizational.2-10.m 10.06 Technical Vulnerability Management | Perform threat modeling | 1.1.0 |
| 07 Vulnerability Management | 0718.10m3Organizational.34-10.m | 0718.10m3Organizational.34-10.m 10.06 Technical Vulnerability Management | Automate flaw remediation | 1.1.0 |
| 07 Vulnerability Management | 0718.10m3Organizational.34-10.m | 0718.10m3Organizational.34-10.m 10.06 Technical Vulnerability Management | Observe and report security weaknesses | 1.1.0 |
| 07 Vulnerability Management | 0718.10m3Organizational.34-10.m | 0718.10m3Organizational.34-10.m 10.06 Technical Vulnerability Management | Perform threat modeling | 1.1.0 |
| 07 Vulnerability Management | 0719.10m3Organizational.5-10.m | 0719.10m3Organizational.5-10.m 10.06 Technical Vulnerability Management | Observe and report security weaknesses | 1.1.0 |
| 07 Vulnerability Management | 0719.10m3Organizational.5-10.m | 0719.10m3Organizational.5-10.m 10.06 Technical Vulnerability Management | Perform threat modeling | 1.1.0 |
| 07 Vulnerability Management | 0720.07a1Organizational.4-07.a | 0720.07a1Organizational.4-07.a 07.01 Responsibility for Assets | Create a data inventory | 1.1.0 |
| 07 Vulnerability Management | 0720.07a1Organizational.4-07.a | 0720.07a1Organizational.4-07.a 07.01 Responsibility for Assets | Maintain records of processing of personal data | 1.1.0 |
| 07 Vulnerability Management | 0722.07a1Organizational.67-07.a | 0722.07a1Organizational.67-07.a 07.01 Responsibility for Assets | Require compliance with intellectual property rights | 1.1.0 |
| 07 Vulnerability Management | 0722.07a1Organizational.67-07.a | 0722.07a1Organizational.67-07.a 07.01 Responsibility for Assets | Restrict use of open source software | 1.1.0 |
| 07 Vulnerability Management | 0722.07a1Organizational.67-07.a | 0722.07a1Organizational.67-07.a 07.01 Responsibility for Assets | Track software license usage | 1.1.0 |
| 07 Vulnerability Management | 0723.07a1Organizational.8-07.a | 0723.07a1Organizational.8-07.a 07.01 Responsibility for Assets | Review and update media protection policies and procedures | 1.1.0 |
| 07 Vulnerability Management | 0724.07a3Organizational.4-07.a | 0724.07a3Organizational.4-07.a 07.01 Responsibility for Assets | Enable detection of network devices | 1.1.0 |
| 07 Vulnerability Management | 0724.07a3Organizational.4-07.a | 0724.07a3Organizational.4-07.a 07.01 Responsibility for Assets | Manage gateways | 1.1.0 |
| 07 Vulnerability Management | 0724.07a3Organizational.4-07.a | 0724.07a3Organizational.4-07.a 07.01 Responsibility for Assets | Review malware detections report weekly | 1.1.0 |
| 07 Vulnerability Management | 0724.07a3Organizational.4-07.a | 0724.07a3Organizational.4-07.a 07.01 Responsibility for Assets | Review threat protection status weekly | 1.1.0 |
| 07 Vulnerability Management | 0724.07a3Organizational.4-07.a | 0724.07a3Organizational.4-07.a 07.01 Responsibility for Assets | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| 07 Vulnerability Management | 0724.07a3Organizational.4-07.a | 0724.07a3Organizational.4-07.a 07.01 Responsibility for Assets | Update antivirus definitions | 1.1.0 |
| 07 Vulnerability Management | 0725.07a3Organizational.5-07.a | 0725.07a3Organizational.5-07.a 07.01 Responsibility for Assets | Create a data inventory | 1.1.0 |
| 07 Vulnerability Management | 0725.07a3Organizational.5-07.a | 0725.07a3Organizational.5-07.a 07.01 Responsibility for Assets | Establish and maintain an asset inventory | 1.1.0 |
| 07 Vulnerability Management | 0725.07a3Organizational.5-07.a | 0725.07a3Organizational.5-07.a 07.01 Responsibility for Assets | Maintain records of processing of personal data | 1.1.0 |
| 07 Vulnerability Management | 0733.10b2System.4-10.b | 0733.10b2System.4-10.b 10.02 Correct Processing in Applications | Perform information input validation | 1.1.0 |
| 07 Vulnerability Management | 0733.10b2System.4-10.b | 0733.10b2System.4-10.b 10.02 Correct Processing in Applications | Verify software, firmware and information integrity | 1.1.0 |
| 07 Vulnerability Management | 0786.10m2Organizational.13-10.m | 0786.10m2Organizational.13-10.m 10.06 Technical Vulnerability Management | Incorporate flaw remediation into configuration management | 1.1.0 |
| 07 Vulnerability Management | 0787.10m2Organizational.14-10.m | 0787.10m2Organizational.14-10.m 10.06 Technical Vulnerability Management | Automate flaw remediation | 1.1.0 |
| 07 Vulnerability Management | 0787.10m2Organizational.14-10.m | 0787.10m2Organizational.14-10.m 10.06 Technical Vulnerability Management | Establish benchmarks for flaw remediation | 1.1.0 |
| 07 Vulnerability Management | 0787.10m2Organizational.14-10.m | 0787.10m2Organizational.14-10.m 10.06 Technical Vulnerability Management | Incorporate flaw remediation into configuration management | 1.1.0 |
| 07 Vulnerability Management | 0787.10m2Organizational.14-10.m | 0787.10m2Organizational.14-10.m 10.06 Technical Vulnerability Management | Measure the time between flaw identification and flaw remediation | 1.1.0 |
| 07 Vulnerability Management | 0788.10m3Organizational.20-10.m | 0788.10m3Organizational.20-10.m 10.06 Technical Vulnerability Management | Employ independent team for penetration testing | 1.1.0 |
| 07 Vulnerability Management | 0790.10m3Organizational.22-10.m | 0790.10m3Organizational.22-10.m 10.06 Technical Vulnerability Management | Audit privileged functions | 1.1.0 |
| 07 Vulnerability Management | 0790.10m3Organizational.22-10.m | 0790.10m3Organizational.22-10.m 10.06 Technical Vulnerability Management | Audit user account status | 1.1.0 |
| 07 Vulnerability Management | 0790.10m3Organizational.22-10.m | 0790.10m3Organizational.22-10.m 10.06 Technical Vulnerability Management | Correlate audit records | 1.1.0 |
| 07 Vulnerability Management | 0790.10m3Organizational.22-10.m | 0790.10m3Organizational.22-10.m 10.06 Technical Vulnerability Management | Determine auditable events | 1.1.0 |
| 07 Vulnerability Management | 0790.10m3Organizational.22-10.m | 0790.10m3Organizational.22-10.m 10.06 Technical Vulnerability Management | Establish requirements for audit review and reporting | 1.1.0 |
| 07 Vulnerability Management | 0790.10m3Organizational.22-10.m | 0790.10m3Organizational.22-10.m 10.06 Technical Vulnerability Management | Integrate audit review, analysis, and reporting | 1.1.0 |
| 07 Vulnerability Management | 0790.10m3Organizational.22-10.m | 0790.10m3Organizational.22-10.m 10.06 Technical Vulnerability Management | Integrate cloud app security with a siem | 1.1.0 |
| 07 Vulnerability Management | 0790.10m3Organizational.22-10.m | 0790.10m3Organizational.22-10.m 10.06 Technical Vulnerability Management | Observe and report security weaknesses | 1.1.0 |
| 07 Vulnerability Management | 0790.10m3Organizational.22-10.m | 0790.10m3Organizational.22-10.m 10.06 Technical Vulnerability Management | Perform threat modeling | 1.1.0 |
| 07 Vulnerability Management | 0790.10m3Organizational.22-10.m | 0790.10m3Organizational.22-10.m 10.06 Technical Vulnerability Management | Review account provisioning logs | 1.1.0 |
| 07 Vulnerability Management | 0790.10m3Organizational.22-10.m | 0790.10m3Organizational.22-10.m 10.06 Technical Vulnerability Management | Review administrator assignments weekly | 1.1.0 |
| 07 Vulnerability Management | 0790.10m3Organizational.22-10.m | 0790.10m3Organizational.22-10.m 10.06 Technical Vulnerability Management | Review audit data | 1.1.0 |
| 07 Vulnerability Management | 0790.10m3Organizational.22-10.m | 0790.10m3Organizational.22-10.m 10.06 Technical Vulnerability Management | Review cloud identity report overview | 1.1.0 |
| 07 Vulnerability Management | 0790.10m3Organizational.22-10.m | 0790.10m3Organizational.22-10.m 10.06 Technical Vulnerability Management | Review controlled folder access events | 1.1.0 |
| 07 Vulnerability Management | 0790.10m3Organizational.22-10.m | 0790.10m3Organizational.22-10.m 10.06 Technical Vulnerability Management | Review exploit protection events | 1.1.0 |
| 07 Vulnerability Management | 0790.10m3Organizational.22-10.m | 0790.10m3Organizational.22-10.m 10.06 Technical Vulnerability Management | Review file and folder activity | 1.1.0 |
| 07 Vulnerability Management | 0790.10m3Organizational.22-10.m | 0790.10m3Organizational.22-10.m 10.06 Technical Vulnerability Management | Review role group changes weekly | 1.1.0 |
| 07 Vulnerability Management | 0791.10b2Organizational.4-10.b | 0791.10b2Organizational.4-10.b 10.02 Correct Processing in Applications | Address coding vulnerabilities | 1.1.0 |
| 07 Vulnerability Management | 0791.10b2Organizational.4-10.b | 0791.10b2Organizational.4-10.b 10.02 Correct Processing in Applications | Develop and document application security requirements | 1.1.0 |
| 07 Vulnerability Management | 0791.10b2Organizational.4-10.b | 0791.10b2Organizational.4-10.b 10.02 Correct Processing in Applications | Document the information system environment in acquisition contracts | 1.1.0 |
| 07 Vulnerability Management | 0791.10b2Organizational.4-10.b | 0791.10b2Organizational.4-10.b 10.02 Correct Processing in Applications | Establish a secure software development program | 1.1.0 |
| 07 Vulnerability Management | 0791.10b2Organizational.4-10.b | 0791.10b2Organizational.4-10.b 10.02 Correct Processing in Applications | Require developers to document approved changes and potential impact | 1.1.0 |
| 07 Vulnerability Management | 0791.10b2Organizational.4-10.b | 0791.10b2Organizational.4-10.b 10.02 Correct Processing in Applications | Require developers to implement only approved changes | 1.1.0 |
| 07 Vulnerability Management | 0791.10b2Organizational.4-10.b | 0791.10b2Organizational.4-10.b 10.02 Correct Processing in Applications | Require developers to manage change integrity | 1.1.0 |
| 07 Vulnerability Management | 0791.10b2Organizational.4-10.b | 0791.10b2Organizational.4-10.b 10.02 Correct Processing in Applications | Verify software, firmware and information integrity | 1.1.0 |
| 08 Network Protection | 0805.01m1Organizational.12-01.m | 0805.01m1Organizational.12-01.m 01.04 Network Access Control | Implement system boundary protection | 1.1.0 |
| 08 Network Protection | 0806.01m2Organizational.12356-01.m | 0806.01m2Organizational.12356-01.m 01.04 Network Access Control | Implement system boundary protection | 1.1.0 |
| 08 Network Protection | 0806.01m2Organizational.12356-01.m | 0806.01m2Organizational.12356-01.m 01.04 Network Access Control | Isolate SecurID systems, Security Incident Management systems | 1.1.0 |
| 08 Network Protection | 0808.10b2System.3-10.b | 0808.10b2System.3-10.b 10.02 Correct Processing in Applications | Implement system boundary protection | 1.1.0 |
| 08 Network Protection | 0808.10b2System.3-10.b | 0808.10b2System.3-10.b 10.02 Correct Processing in Applications | Route traffic through authenticated proxy network | 1.1.0 |
| 08 Network Protection | 0809.01n2Organizational.1234-01.n | 0809.01n2Organizational.1234-01.n 01.04 Network Access Control | Authorize, monitor, and control voip | 1.1.0 |
| 08 Network Protection | 0809.01n2Organizational.1234-01.n | 0809.01n2Organizational.1234-01.n 01.04 Network Access Control | Implement managed interface for each external service | 1.1.0 |
| 08 Network Protection | 0809.01n2Organizational.1234-01.n | 0809.01n2Organizational.1234-01.n 01.04 Network Access Control | Implement system boundary protection | 1.1.0 |
| 08 Network Protection | 0809.01n2Organizational.1234-01.n | 0809.01n2Organizational.1234-01.n 01.04 Network Access Control | Manage gateways | 1.1.0 |
| 08 Network Protection | 0809.01n2Organizational.1234-01.n | 0809.01n2Organizational.1234-01.n 01.04 Network Access Control | Route traffic through managed network access points | 1.1.0 |
| 08 Network Protection | 0809.01n2Organizational.1234-01.n | 0809.01n2Organizational.1234-01.n 01.04 Network Access Control | Secure the interface to external systems | 1.1.0 |
| 08 Network Protection | 0810.01n2Organizational.5-01.n | 0810.01n2Organizational.5-01.n 01.04 Network Access Control | Configure workstations to check for digital certificates | 1.1.0 |
| 08 Network Protection | 0810.01n2Organizational.5-01.n | 0810.01n2Organizational.5-01.n 01.04 Network Access Control | Define cryptographic use | 1.1.0 |
| 08 Network Protection | 0810.01n2Organizational.5-01.n | 0810.01n2Organizational.5-01.n 01.04 Network Access Control | Produce, control and distribute asymmetric cryptographic keys | 1.1.0 |
| 08 Network Protection | 0810.01n2Organizational.5-01.n | 0810.01n2Organizational.5-01.n 01.04 Network Access Control | Protect data in transit using encryption | 1.1.0 |
| 08 Network Protection | 0810.01n2Organizational.5-01.n | 0810.01n2Organizational.5-01.n 01.04 Network Access Control | Protect passwords with encryption | 1.1.0 |
| 08 Network Protection | 08101.09m2Organizational.14-09.m | 08101.09m2Organizational.14-09.m 09.06 Network Security Management | Configure workstations to check for digital certificates | 1.1.0 |
| 08 Network Protection | 08101.09m2Organizational.14-09.m | 08101.09m2Organizational.14-09.m 09.06 Network Security Management | Employ a media sanitization mechanism | 1.1.0 |
| 08 Network Protection | 08101.09m2Organizational.14-09.m | 08101.09m2Organizational.14-09.m 09.06 Network Security Management | Implement controls to secure all media | 1.1.0 |
| 08 Network Protection | 08101.09m2Organizational.14-09.m | 08101.09m2Organizational.14-09.m 09.06 Network Security Management | Implement system boundary protection | 1.1.0 |
| 08 Network Protection | 08101.09m2Organizational.14-09.m | 08101.09m2Organizational.14-09.m 09.06 Network Security Management | Manage the transportation of assets | 1.1.0 |
| 08 Network Protection | 08101.09m2Organizational.14-09.m | 08101.09m2Organizational.14-09.m 09.06 Network Security Management | Protect data in transit using encryption | 1.1.0 |
| 08 Network Protection | 08101.09m2Organizational.14-09.m | 08101.09m2Organizational.14-09.m 09.06 Network Security Management | Protect passwords with encryption | 1.1.0 |
| 08 Network Protection | 08101.09m2Organizational.14-09.m | 08101.09m2Organizational.14-09.m 09.06 Network Security Management | Secure the interface to external systems | 1.1.0 |
| 08 Network Protection | 08102.09nCSPOrganizational.1-09.n | 08102.09nCSPOrganizational.1-09.n 09.06 Network Security Management | Implement system boundary protection | 1.1.0 |
| 08 Network Protection | 08102.09nCSPOrganizational.1-09.n | 08102.09nCSPOrganizational.1-09.n 09.06 Network Security Management | Secure the interface to external systems | 1.1.0 |
| 08 Network Protection | 0811.01n2Organizational.6-01.n | 0811.01n2Organizational.6-01.n 01.04 Network Access Control | Authorize, monitor, and control voip | 1.1.0 |
| 08 Network Protection | 0811.01n2Organizational.6-01.n | 0811.01n2Organizational.6-01.n 01.04 Network Access Control | Control information flow | 1.1.0 |
| 08 Network Protection | 0811.01n2Organizational.6-01.n | 0811.01n2Organizational.6-01.n 01.04 Network Access Control | Determine information protection needs | 1.1.0 |
| 08 Network Protection | 0811.01n2Organizational.6-01.n | 0811.01n2Organizational.6-01.n 01.04 Network Access Control | Employ flow control mechanisms of encrypted information | 1.1.0 |
| 08 Network Protection | 0811.01n2Organizational.6-01.n | 0811.01n2Organizational.6-01.n 01.04 Network Access Control | Establish firewall and router configuration standards | 1.1.0 |
| 08 Network Protection | 0811.01n2Organizational.6-01.n | 0811.01n2Organizational.6-01.n 01.04 Network Access Control | Establish network segmentation for card holder data environment | 1.1.0 |
| 08 Network Protection | 0811.01n2Organizational.6-01.n | 0811.01n2Organizational.6-01.n 01.04 Network Access Control | Identify and manage downstream information exchanges | 1.1.0 |
| 08 Network Protection | 0811.01n2Organizational.6-01.n | 0811.01n2Organizational.6-01.n 01.04 Network Access Control | Implement managed interface for each external service | 1.1.0 |
| 08 Network Protection | 0811.01n2Organizational.6-01.n | 0811.01n2Organizational.6-01.n 01.04 Network Access Control | Implement system boundary protection | 1.1.0 |
| 08 Network Protection | 0811.01n2Organizational.6-01.n | 0811.01n2Organizational.6-01.n 01.04 Network Access Control | Information flow control using security policy filters | 1.1.0 |
| 08 Network Protection | 0811.01n2Organizational.6-01.n | 0811.01n2Organizational.6-01.n 01.04 Network Access Control | Route traffic through managed network access points | 1.1.0 |
| 08 Network Protection | 0811.01n2Organizational.6-01.n | 0811.01n2Organizational.6-01.n 01.04 Network Access Control | Secure the interface to external systems | 1.1.0 |
| 08 Network Protection | 0812.01n2Organizational.8-01.n | 0812.01n2Organizational.8-01.n 01.04 Network Access Control | Prevent split tunneling for remote devices | 1.1.0 |
| 08 Network Protection | 0815.01o2Organizational.123-01.o | 0815.01o2Organizational.123-01.o 01.04 Network Access Control | Authorize, monitor, and control voip | 1.1.0 |
| 08 Network Protection | 0815.01o2Organizational.123-01.o | 0815.01o2Organizational.123-01.o 01.04 Network Access Control | Implement system boundary protection | 1.1.0 |
| 08 Network Protection | 0815.01o2Organizational.123-01.o | 0815.01o2Organizational.123-01.o 01.04 Network Access Control | Route traffic through authenticated proxy network | 1.1.0 |
| 08 Network Protection | 0815.01o2Organizational.123-01.o | 0815.01o2Organizational.123-01.o 01.04 Network Access Control | Route traffic through managed network access points | 1.1.0 |
| 08 Network Protection | 0816.01w1System.1-01.w | 0816.01w1System.1-01.w 01.06 Application and Information Access Control | Develop SSP that meets criteria | 1.1.0 |
| 08 Network Protection | 0816.01w1System.1-01.w | 0816.01w1System.1-01.w 01.06 Application and Information Access Control | Distribute information system documentation | 1.1.0 |
| 08 Network Protection | 0816.01w1System.1-01.w | 0816.01w1System.1-01.w 01.06 Application and Information Access Control | Document customer-defined actions | 1.1.0 |
| 08 Network Protection | 0816.01w1System.1-01.w | 0816.01w1System.1-01.w 01.06 Application and Information Access Control | Obtain Admin documentation | 1.1.0 |
| 08 Network Protection | 0816.01w1System.1-01.w | 0816.01w1System.1-01.w 01.06 Application and Information Access Control | Obtain user security function documentation | 1.1.0 |
| 08 Network Protection | 0816.01w1System.1-01.w | 0816.01w1System.1-01.w 01.06 Application and Information Access Control | Protect administrator and user documentation | 1.1.0 |
| 08 Network Protection | 0817.01w2System.123-01.w | 0817.01w2System.123-01.w 01.06 Application and Information Access Control | Adopt biometric authentication mechanisms | 1.1.0 |
| 08 Network Protection | 0817.01w2System.123-01.w | 0817.01w2System.123-01.w 01.06 Application and Information Access Control | Authorize remote access | 1.1.0 |
| 08 Network Protection | 0817.01w2System.123-01.w | 0817.01w2System.123-01.w 01.06 Application and Information Access Control | Control information flow | 1.1.0 |
| 08 Network Protection | 0817.01w2System.123-01.w | 0817.01w2System.123-01.w 01.06 Application and Information Access Control | Employ boundary protection to isolate information systems | 1.1.0 |
| 08 Network Protection | 0817.01w2System.123-01.w | 0817.01w2System.123-01.w 01.06 Application and Information Access Control | Ensure system capable of dynamic isolation of resources | 1.1.0 |
| 08 Network Protection | 0817.01w2System.123-01.w | 0817.01w2System.123-01.w 01.06 Application and Information Access Control | Establish firewall and router configuration standards | 1.1.0 |
| 08 Network Protection | 0817.01w2System.123-01.w | 0817.01w2System.123-01.w 01.06 Application and Information Access Control | Establish network segmentation for card holder data environment | 1.1.0 |
| 08 Network Protection | 0817.01w2System.123-01.w | 0817.01w2System.123-01.w 01.06 Application and Information Access Control | Identify and manage downstream information exchanges | 1.1.0 |
| 08 Network Protection | 0817.01w2System.123-01.w | 0817.01w2System.123-01.w 01.06 Application and Information Access Control | Implement system boundary protection | 1.1.0 |
| 08 Network Protection | 0817.01w2System.123-01.w | 0817.01w2System.123-01.w 01.06 Application and Information Access Control | Isolate SecurID systems, Security Incident Management systems | 1.1.0 |
| 08 Network Protection | 0817.01w2System.123-01.w | 0817.01w2System.123-01.w 01.06 Application and Information Access Control | Maintain separate execution domains for running processes | 1.1.0 |
| 08 Network Protection | 0817.01w2System.123-01.w | 0817.01w2System.123-01.w 01.06 Application and Information Access Control | Separate user and information system management functionality | 1.1.0 |
| 08 Network Protection | 0817.01w2System.123-01.w | 0817.01w2System.123-01.w 01.06 Application and Information Access Control | Use dedicated machines for administrative tasks | 1.1.0 |
| 08 Network Protection | 0818.01w3System.12-01.w | 0818.01w3System.12-01.w 01.06 Application and Information Access Control | Govern the allocation of resources | 1.1.0 |
| 08 Network Protection | 0818.01w3System.12-01.w | 0818.01w3System.12-01.w 01.06 Application and Information Access Control | Maintain separate execution domains for running processes | 1.1.0 |
| 08 Network Protection | 0818.01w3System.12-01.w | 0818.01w3System.12-01.w 01.06 Application and Information Access Control | Manage availability and capacity | 1.1.0 |
| 08 Network Protection | 0818.01w3System.12-01.w | 0818.01w3System.12-01.w 01.06 Application and Information Access Control | Secure commitment from leadership | 1.1.0 |
| 08 Network Protection | 0819.09m1Organizational.23-09.m | 0819.09m1Organizational.23-09.m 09.06 Network Security Management | Check for privacy and security compliance before establishing internal connections | 1.1.0 |
| 08 Network Protection | 0819.09m1Organizational.23-09.m | 0819.09m1Organizational.23-09.m 09.06 Network Security Management | Require interconnection security agreements | 1.1.0 |
| 08 Network Protection | 0821.09m2Organizational.2-09.m | 0821.09m2Organizational.2-09.m 09.06 Network Security Management | Conduct a security impact analysis | 1.1.0 |
| 08 Network Protection | 0821.09m2Organizational.2-09.m | 0821.09m2Organizational.2-09.m 09.06 Network Security Management | Configure actions for noncompliant devices | 1.1.0 |
| 08 Network Protection | 0821.09m2Organizational.2-09.m | 0821.09m2Organizational.2-09.m 09.06 Network Security Management | Create configuration plan protection | 1.1.0 |
| 08 Network Protection | 0821.09m2Organizational.2-09.m | 0821.09m2Organizational.2-09.m 09.06 Network Security Management | Develop and maintain a vulnerability management standard | 1.1.0 |
| 08 Network Protection | 0821.09m2Organizational.2-09.m | 0821.09m2Organizational.2-09.m 09.06 Network Security Management | Develop and maintain baseline configurations | 1.1.0 |
| 08 Network Protection | 0821.09m2Organizational.2-09.m | 0821.09m2Organizational.2-09.m 09.06 Network Security Management | Develop configuration item identification plan | 1.1.0 |
| 08 Network Protection | 0821.09m2Organizational.2-09.m | 0821.09m2Organizational.2-09.m 09.06 Network Security Management | Develop configuration management plan | 1.1.0 |
| 08 Network Protection | 0821.09m2Organizational.2-09.m | 0821.09m2Organizational.2-09.m 09.06 Network Security Management | Enforce security configuration settings | 1.1.0 |
| 08 Network Protection | 0821.09m2Organizational.2-09.m | 0821.09m2Organizational.2-09.m 09.06 Network Security Management | Establish a configuration control board | 1.1.0 |
| 08 Network Protection | 0821.09m2Organizational.2-09.m | 0821.09m2Organizational.2-09.m 09.06 Network Security Management | Establish a risk management strategy | 1.1.0 |
| 08 Network Protection | 0821.09m2Organizational.2-09.m | 0821.09m2Organizational.2-09.m 09.06 Network Security Management | Establish and document a configuration management plan | 1.1.0 |
| 08 Network Protection | 0821.09m2Organizational.2-09.m | 0821.09m2Organizational.2-09.m 09.06 Network Security Management | Establish and document change control processes | 1.1.0 |
| 08 Network Protection | 0821.09m2Organizational.2-09.m | 0821.09m2Organizational.2-09.m 09.06 Network Security Management | Establish configuration management requirements for developers | 1.1.0 |
| 08 Network Protection | 0821.09m2Organizational.2-09.m | 0821.09m2Organizational.2-09.m 09.06 Network Security Management | Implement an automated configuration management tool | 1.1.0 |
| 08 Network Protection | 0821.09m2Organizational.2-09.m | 0821.09m2Organizational.2-09.m 09.06 Network Security Management | Perform a privacy impact assessment | 1.1.0 |
| 08 Network Protection | 0821.09m2Organizational.2-09.m | 0821.09m2Organizational.2-09.m 09.06 Network Security Management | Perform a risk assessment | 1.1.0 |
| 08 Network Protection | 0821.09m2Organizational.2-09.m | 0821.09m2Organizational.2-09.m 09.06 Network Security Management | Perform audit for configuration change control | 1.1.0 |
| 08 Network Protection | 0821.09m2Organizational.2-09.m | 0821.09m2Organizational.2-09.m 09.06 Network Security Management | Review changes for any unauthorized changes | 1.1.0 |
| 08 Network Protection | 0822.09m2Organizational.4-09.m | 0822.09m2Organizational.4-09.m 09.06 Network Security Management | Authorize, monitor, and control voip | 1.1.0 |
| 08 Network Protection | 0822.09m2Organizational.4-09.m | 0822.09m2Organizational.4-09.m 09.06 Network Security Management | Control information flow | 1.1.0 |
| 08 Network Protection | 0822.09m2Organizational.4-09.m | 0822.09m2Organizational.4-09.m 09.06 Network Security Management | Employ flow control mechanisms of encrypted information | 1.1.0 |
| 08 Network Protection | 0822.09m2Organizational.4-09.m | 0822.09m2Organizational.4-09.m 09.06 Network Security Management | Implement managed interface for each external service | 1.1.0 |
| 08 Network Protection | 0822.09m2Organizational.4-09.m | 0822.09m2Organizational.4-09.m 09.06 Network Security Management | Implement system boundary protection | 1.1.0 |
| 08 Network Protection | 0822.09m2Organizational.4-09.m | 0822.09m2Organizational.4-09.m 09.06 Network Security Management | Route traffic through authenticated proxy network | 1.1.0 |
| 08 Network Protection | 0822.09m2Organizational.4-09.m | 0822.09m2Organizational.4-09.m 09.06 Network Security Management | Route traffic through managed network access points | 1.1.0 |
| 08 Network Protection | 0824.09m3Organizational.1-09.m | 0824.09m3Organizational.1-09.m 09.06 Network Security Management | Conduct Risk Assessment | 1.1.0 |
| 08 Network Protection | 0824.09m3Organizational.1-09.m | 0824.09m3Organizational.1-09.m 09.06 Network Security Management | Conduct risk assessment and distribute its results | 1.1.0 |
| 08 Network Protection | 0824.09m3Organizational.1-09.m | 0824.09m3Organizational.1-09.m 09.06 Network Security Management | Conduct risk assessment and document its results | 1.1.0 |
| 08 Network Protection | 0824.09m3Organizational.1-09.m | 0824.09m3Organizational.1-09.m 09.06 Network Security Management | Configure detection whitelist | 1.1.0 |
| 08 Network Protection | 0824.09m3Organizational.1-09.m | 0824.09m3Organizational.1-09.m 09.06 Network Security Management | Establish an alternate processing site | 1.1.0 |
| 08 Network Protection | 0824.09m3Organizational.1-09.m | 0824.09m3Organizational.1-09.m 09.06 Network Security Management | Perform a risk assessment | 1.1.0 |
| 08 Network Protection | 0824.09m3Organizational.1-09.m | 0824.09m3Organizational.1-09.m 09.06 Network Security Management | Plan for resumption of essential business functions | 1.1.0 |
| 08 Network Protection | 0824.09m3Organizational.1-09.m | 0824.09m3Organizational.1-09.m 09.06 Network Security Management | Separately store backup information | 1.1.0 |
| 08 Network Protection | 0824.09m3Organizational.1-09.m | 0824.09m3Organizational.1-09.m 09.06 Network Security Management | Turn on sensors for endpoint security solution | 1.1.0 |
| 08 Network Protection | 0824.09m3Organizational.1-09.m | 0824.09m3Organizational.1-09.m 09.06 Network Security Management | Undergo independent security review | 1.1.0 |
| 08 Network Protection | 0825.09m3Organizational.23-09.m | 0825.09m3Organizational.23-09.m 09.06 Network Security Management | Authorize, monitor, and control voip | 1.1.0 |
| 08 Network Protection | 0825.09m3Organizational.23-09.m | 0825.09m3Organizational.23-09.m 09.06 Network Security Management | Detect network services that have not been authorized or approved | 1.1.0 |
| 08 Network Protection | 0825.09m3Organizational.23-09.m | 0825.09m3Organizational.23-09.m 09.06 Network Security Management | Document wireless access security controls | 1.1.0 |
| 08 Network Protection | 0825.09m3Organizational.23-09.m | 0825.09m3Organizational.23-09.m 09.06 Network Security Management | Implement system boundary protection | 1.1.0 |
| 08 Network Protection | 0825.09m3Organizational.23-09.m | 0825.09m3Organizational.23-09.m 09.06 Network Security Management | Obtain legal opinion for monitoring system activities | 1.1.0 |
| 08 Network Protection | 0825.09m3Organizational.23-09.m | 0825.09m3Organizational.23-09.m 09.06 Network Security Management | Provide monitoring information as needed | 1.1.0 |
| 08 Network Protection | 0825.09m3Organizational.23-09.m | 0825.09m3Organizational.23-09.m 09.06 Network Security Management | Route traffic through managed network access points | 1.1.0 |
| 08 Network Protection | 0826.09m3Organizational.45-09.m | 0826.09m3Organizational.45-09.m 09.06 Network Security Management | Implement managed interface for each external service | 1.1.0 |
| 08 Network Protection | 0826.09m3Organizational.45-09.m | 0826.09m3Organizational.45-09.m 09.06 Network Security Management | Implement system boundary protection | 1.1.0 |
| 08 Network Protection | 0826.09m3Organizational.45-09.m | 0826.09m3Organizational.45-09.m 09.06 Network Security Management | Secure the interface to external systems | 1.1.0 |
| 08 Network Protection | 0828.09m3Organizational.8-09.m | 0828.09m3Organizational.8-09.m 09.06 Network Security Management | Review changes for any unauthorized changes | 1.1.0 |
| 08 Network Protection | 0829.09m3Organizational.911-09.m | 0829.09m3Organizational.911-09.m 09.06 Network Security Management | Implement managed interface for each external service | 1.1.0 |
| 08 Network Protection | 0829.09m3Organizational.911-09.m | 0829.09m3Organizational.911-09.m 09.06 Network Security Management | Implement system boundary protection | 1.1.0 |
| 08 Network Protection | 0830.09m3Organizational.1012-09.m | 0830.09m3Organizational.1012-09.m 09.06 Network Security Management | Adopt biometric authentication mechanisms | 1.1.0 |
| 08 Network Protection | 0830.09m3Organizational.1012-09.m | 0830.09m3Organizational.1012-09.m 09.06 Network Security Management | Authorize, monitor, and control voip | 1.1.0 |
| 08 Network Protection | 0830.09m3Organizational.1012-09.m | 0830.09m3Organizational.1012-09.m 09.06 Network Security Management | Enforce user uniqueness | 1.1.0 |
| 08 Network Protection | 0830.09m3Organizational.1012-09.m | 0830.09m3Organizational.1012-09.m 09.06 Network Security Management | Implement managed interface for each external service | 1.1.0 |
| 08 Network Protection | 0830.09m3Organizational.1012-09.m | 0830.09m3Organizational.1012-09.m 09.06 Network Security Management | Implement system boundary protection | 1.1.0 |
| 08 Network Protection | 0830.09m3Organizational.1012-09.m | 0830.09m3Organizational.1012-09.m 09.06 Network Security Management | Route traffic through managed network access points | 1.1.0 |
| 08 Network Protection | 0830.09m3Organizational.1012-09.m | 0830.09m3Organizational.1012-09.m 09.06 Network Security Management | Secure the interface to external systems | 1.1.0 |
| 08 Network Protection | 0830.09m3Organizational.1012-09.m | 0830.09m3Organizational.1012-09.m 09.06 Network Security Management | Support personal verification credentials issued by legal authorities | 1.1.0 |
| 08 Network Protection | 0832.09m3Organizational.14-09.m | 0832.09m3Organizational.14-09.m 09.06 Network Security Management | Implement a fault tolerant name/address service | 1.1.0 |
| 08 Network Protection | 0832.09m3Organizational.14-09.m | 0832.09m3Organizational.14-09.m 09.06 Network Security Management | Require interconnection security agreements | 1.1.0 |
| 08 Network Protection | 0832.09m3Organizational.14-09.m | 0832.09m3Organizational.14-09.m 09.06 Network Security Management | Update interconnection security agreements | 1.1.0 |
| 08 Network Protection | 0835.09n1Organizational.1-09.n | 0835.09n1Organizational.1-09.n 09.06 Network Security Management | Configure detection whitelist | 1.1.0 |
| 08 Network Protection | 0835.09n1Organizational.1-09.n | 0835.09n1Organizational.1-09.n 09.06 Network Security Management | Require interconnection security agreements | 1.1.0 |
| 08 Network Protection | 0835.09n1Organizational.1-09.n | 0835.09n1Organizational.1-09.n 09.06 Network Security Management | Secure the interface to external systems | 1.1.0 |
| 08 Network Protection | 0835.09n1Organizational.1-09.n | 0835.09n1Organizational.1-09.n 09.06 Network Security Management | Turn on sensors for endpoint security solution | 1.1.0 |
| 08 Network Protection | 0835.09n1Organizational.1-09.n | 0835.09n1Organizational.1-09.n 09.06 Network Security Management | Undergo independent security review | 1.1.0 |
| 08 Network Protection | 0836.09.n2Organizational.1-09.n | 0836.09.n2Organizational.1-09.n 09.06 Network Security Management | Check for privacy and security compliance before establishing internal connections | 1.1.0 |
| 08 Network Protection | 0836.09.n2Organizational.1-09.n | 0836.09.n2Organizational.1-09.n 09.06 Network Security Management | Require interconnection security agreements | 1.1.0 |
| 08 Network Protection | 0836.09.n2Organizational.1-09.n | 0836.09.n2Organizational.1-09.n 09.06 Network Security Management | Update interconnection security agreements | 1.1.0 |
| 08 Network Protection | 0837.09.n2Organizational.2-09.n | 0837.09.n2Organizational.2-09.n 09.06 Network Security Management | Define and document government oversight | 1.1.0 |
| 08 Network Protection | 0837.09.n2Organizational.2-09.n | 0837.09.n2Organizational.2-09.n 09.06 Network Security Management | Determine supplier contract obligations | 1.1.0 |
| 08 Network Protection | 0837.09.n2Organizational.2-09.n | 0837.09.n2Organizational.2-09.n 09.06 Network Security Management | Document acquisition contract acceptance criteria | 1.1.0 |
| 08 Network Protection | 0837.09.n2Organizational.2-09.n | 0837.09.n2Organizational.2-09.n 09.06 Network Security Management | Document protection of personal data in acquisition contracts | 1.1.0 |
| 08 Network Protection | 0837.09.n2Organizational.2-09.n | 0837.09.n2Organizational.2-09.n 09.06 Network Security Management | Document protection of security information in acquisition contracts | 1.1.0 |
| 08 Network Protection | 0837.09.n2Organizational.2-09.n | 0837.09.n2Organizational.2-09.n 09.06 Network Security Management | Document requirements for the use of shared data in contracts | 1.1.0 |
| 08 Network Protection | 0837.09.n2Organizational.2-09.n | 0837.09.n2Organizational.2-09.n 09.06 Network Security Management | Document security assurance requirements in acquisition contracts | 1.1.0 |
| 08 Network Protection | 0837.09.n2Organizational.2-09.n | 0837.09.n2Organizational.2-09.n 09.06 Network Security Management | Document security documentation requirements in acquisition contract | 1.1.0 |
| 08 Network Protection | 0837.09.n2Organizational.2-09.n | 0837.09.n2Organizational.2-09.n 09.06 Network Security Management | Document security functional requirements in acquisition contracts | 1.1.0 |
| 08 Network Protection | 0837.09.n2Organizational.2-09.n | 0837.09.n2Organizational.2-09.n 09.06 Network Security Management | Document security strength requirements in acquisition contracts | 1.1.0 |
| 08 Network Protection | 0837.09.n2Organizational.2-09.n | 0837.09.n2Organizational.2-09.n 09.06 Network Security Management | Document the information system environment in acquisition contracts | 1.1.0 |
| 08 Network Protection | 0837.09.n2Organizational.2-09.n | 0837.09.n2Organizational.2-09.n 09.06 Network Security Management | Document the protection of cardholder data in third party contracts | 1.1.0 |
| 08 Network Protection | 0837.09.n2Organizational.2-09.n | 0837.09.n2Organizational.2-09.n 09.06 Network Security Management | Ensure external providers consistently meet interests of the customers | 1.1.0 |
| 08 Network Protection | 0837.09.n2Organizational.2-09.n | 0837.09.n2Organizational.2-09.n 09.06 Network Security Management | Identify external service providers | 1.1.0 |
| 08 Network Protection | 0837.09.n2Organizational.2-09.n | 0837.09.n2Organizational.2-09.n 09.06 Network Security Management | Require external service providers to comply with security requirements | 1.1.0 |
| 08 Network Protection | 0837.09.n2Organizational.2-09.n | 0837.09.n2Organizational.2-09.n 09.06 Network Security Management | Require interconnection security agreements | 1.1.0 |
| 08 Network Protection | 0837.09.n2Organizational.2-09.n | 0837.09.n2Organizational.2-09.n 09.06 Network Security Management | Review cloud service provider's compliance with policies and agreements | 1.1.0 |
| 08 Network Protection | 0837.09.n2Organizational.2-09.n | 0837.09.n2Organizational.2-09.n 09.06 Network Security Management | Undergo independent security review | 1.1.0 |
| 08 Network Protection | 0837.09.n2Organizational.2-09.n | 0837.09.n2Organizational.2-09.n 09.06 Network Security Management | Update interconnection security agreements | 1.1.0 |
| 08 Network Protection | 0850.01o1Organizational.12-01.o | 0850.01o1Organizational.12-01.o 01.04 Network Access Control | Route traffic through authenticated proxy network | 1.1.0 |
| 08 Network Protection | 0858.09m1Organizational.4-09.m | 0858.09m1Organizational.4-09.m 09.06 Network Security Management | Document and implement wireless access guidelines | 1.1.0 |
| 08 Network Protection | 0858.09m1Organizational.4-09.m | 0858.09m1Organizational.4-09.m 09.06 Network Security Management | Document wireless access security controls | 1.1.0 |
| 08 Network Protection | 0858.09m1Organizational.4-09.m | 0858.09m1Organizational.4-09.m 09.06 Network Security Management | Identify and authenticate network devices | 1.1.0 |
| 08 Network Protection | 0858.09m1Organizational.4-09.m | 0858.09m1Organizational.4-09.m 09.06 Network Security Management | Protect wireless access | 1.1.0 |
| 08 Network Protection | 0859.09m1Organizational.78-09.m | 0859.09m1Organizational.78-09.m 09.06 Network Security Management | Control information flow | 1.1.0 |
| 08 Network Protection | 0859.09m1Organizational.78-09.m | 0859.09m1Organizational.78-09.m 09.06 Network Security Management | Define access authorizations to support separation of duties | 1.1.0 |
| 08 Network Protection | 0859.09m1Organizational.78-09.m | 0859.09m1Organizational.78-09.m 09.06 Network Security Management | Document separation of duties | 1.1.0 |
| 08 Network Protection | 0859.09m1Organizational.78-09.m | 0859.09m1Organizational.78-09.m 09.06 Network Security Management | Employ flow control mechanisms of encrypted information | 1.1.0 |
| 08 Network Protection | 0859.09m1Organizational.78-09.m | 0859.09m1Organizational.78-09.m 09.06 Network Security Management | Establish firewall and router configuration standards | 1.1.0 |
| 08 Network Protection | 0859.09m1Organizational.78-09.m | 0859.09m1Organizational.78-09.m 09.06 Network Security Management | Establish network segmentation for card holder data environment | 1.1.0 |
| 08 Network Protection | 0859.09m1Organizational.78-09.m | 0859.09m1Organizational.78-09.m 09.06 Network Security Management | Identify and manage downstream information exchanges | 1.1.0 |
| 08 Network Protection | 0859.09m1Organizational.78-09.m | 0859.09m1Organizational.78-09.m 09.06 Network Security Management | Information flow control using security policy filters | 1.1.0 |
| 08 Network Protection | 0859.09m1Organizational.78-09.m | 0859.09m1Organizational.78-09.m 09.06 Network Security Management | Protect data in transit using encryption | 1.1.0 |
| 08 Network Protection | 0859.09m1Organizational.78-09.m | 0859.09m1Organizational.78-09.m 09.06 Network Security Management | Protect passwords with encryption | 1.1.0 |
| 08 Network Protection | 0859.09m1Organizational.78-09.m | 0859.09m1Organizational.78-09.m 09.06 Network Security Management | Review and update system and communications protection policies and procedures | 1.1.0 |
| 08 Network Protection | 0859.09m1Organizational.78-09.m | 0859.09m1Organizational.78-09.m 09.06 Network Security Management | Secure the interface to external systems | 1.1.0 |
| 08 Network Protection | 0859.09m1Organizational.78-09.m | 0859.09m1Organizational.78-09.m 09.06 Network Security Management | Separate duties of individuals | 1.1.0 |
| 08 Network Protection | 0860.09m1Organizational.9-09.m | 0860.09m1Organizational.9-09.m 09.06 Network Security Management | Establish an alternate processing site | 1.1.0 |
| 08 Network Protection | 0860.09m1Organizational.9-09.m | 0860.09m1Organizational.9-09.m 09.06 Network Security Management | Implement managed interface for each external service | 1.1.0 |
| 08 Network Protection | 0860.09m1Organizational.9-09.m | 0860.09m1Organizational.9-09.m 09.06 Network Security Management | Secure the interface to external systems | 1.1.0 |
| 08 Network Protection | 0860.09m1Organizational.9-09.m | 0860.09m1Organizational.9-09.m 09.06 Network Security Management | Separately store backup information | 1.1.0 |
| 08 Network Protection | 0861.09m2Organizational.67-09.m | 0861.09m2Organizational.67-09.m 09.06 Network Security Management | Document and implement wireless access guidelines | 1.1.0 |
| 08 Network Protection | 0861.09m2Organizational.67-09.m | 0861.09m2Organizational.67-09.m 09.06 Network Security Management | Document wireless access security controls | 1.1.0 |
| 08 Network Protection | 0861.09m2Organizational.67-09.m | 0861.09m2Organizational.67-09.m 09.06 Network Security Management | Identify and authenticate network devices | 1.1.0 |
| 08 Network Protection | 0861.09m2Organizational.67-09.m | 0861.09m2Organizational.67-09.m 09.06 Network Security Management | Identify and authenticate non-organizational users | 1.1.0 |
| 08 Network Protection | 0861.09m2Organizational.67-09.m | 0861.09m2Organizational.67-09.m 09.06 Network Security Management | Protect wireless access | 1.1.0 |
| 08 Network Protection | 0862.09m2Organizational.8-09.m | 0862.09m2Organizational.8-09.m 09.06 Network Security Management | Configure workstations to check for digital certificates | 1.1.0 |
| 08 Network Protection | 0862.09m2Organizational.8-09.m | 0862.09m2Organizational.8-09.m 09.06 Network Security Management | Protect data in transit using encryption | 1.1.0 |
| 08 Network Protection | 0862.09m2Organizational.8-09.m | 0862.09m2Organizational.8-09.m 09.06 Network Security Management | Protect passwords with encryption | 1.1.0 |
| 08 Network Protection | 0863.09m2Organizational.910-09.m | 0863.09m2Organizational.910-09.m 09.06 Network Security Management | Check for privacy and security compliance before establishing internal connections | 1.1.0 |
| 08 Network Protection | 0863.09m2Organizational.910-09.m | 0863.09m2Organizational.910-09.m 09.06 Network Security Management | Conduct a security impact analysis | 1.1.0 |
| 08 Network Protection | 0863.09m2Organizational.910-09.m | 0863.09m2Organizational.910-09.m 09.06 Network Security Management | Configure actions for noncompliant devices | 1.1.0 |
| 08 Network Protection | 0863.09m2Organizational.910-09.m | 0863.09m2Organizational.910-09.m 09.06 Network Security Management | Develop a concept of operations (CONOPS) | 1.1.0 |
| 08 Network Protection | 0863.09m2Organizational.910-09.m | 0863.09m2Organizational.910-09.m 09.06 Network Security Management | Develop and establish a system security plan | 1.1.0 |
| 08 Network Protection | 0863.09m2Organizational.910-09.m | 0863.09m2Organizational.910-09.m 09.06 Network Security Management | Develop and maintain a vulnerability management standard | 1.1.0 |
| 08 Network Protection | 0863.09m2Organizational.910-09.m | 0863.09m2Organizational.910-09.m 09.06 Network Security Management | Develop and maintain baseline configurations | 1.1.0 |
| 08 Network Protection | 0863.09m2Organizational.910-09.m | 0863.09m2Organizational.910-09.m 09.06 Network Security Management | Develop configuration item identification plan | 1.1.0 |
| 08 Network Protection | 0863.09m2Organizational.910-09.m | 0863.09m2Organizational.910-09.m 09.06 Network Security Management | Develop information security policies and procedures | 1.1.0 |
| 08 Network Protection | 0863.09m2Organizational.910-09.m | 0863.09m2Organizational.910-09.m 09.06 Network Security Management | Develop SSP that meets criteria | 1.1.0 |
| 08 Network Protection | 0863.09m2Organizational.910-09.m | 0863.09m2Organizational.910-09.m 09.06 Network Security Management | Enforce security configuration settings | 1.1.0 |
| 08 Network Protection | 0863.09m2Organizational.910-09.m | 0863.09m2Organizational.910-09.m 09.06 Network Security Management | Establish a configuration control board | 1.1.0 |
| 08 Network Protection | 0863.09m2Organizational.910-09.m | 0863.09m2Organizational.910-09.m 09.06 Network Security Management | Establish a privacy program | 1.1.0 |
| 08 Network Protection | 0863.09m2Organizational.910-09.m | 0863.09m2Organizational.910-09.m 09.06 Network Security Management | Establish a risk management strategy | 1.1.0 |
| 08 Network Protection | 0863.09m2Organizational.910-09.m | 0863.09m2Organizational.910-09.m 09.06 Network Security Management | Establish and document a configuration management plan | 1.1.0 |
| 08 Network Protection | 0863.09m2Organizational.910-09.m | 0863.09m2Organizational.910-09.m 09.06 Network Security Management | Establish and document change control processes | 1.1.0 |
| 08 Network Protection | 0863.09m2Organizational.910-09.m | 0863.09m2Organizational.910-09.m 09.06 Network Security Management | Establish configuration management requirements for developers | 1.1.0 |
| 08 Network Protection | 0863.09m2Organizational.910-09.m | 0863.09m2Organizational.910-09.m 09.06 Network Security Management | Establish security requirements for the manufacturing of connected devices | 1.1.0 |
| 08 Network Protection | 0863.09m2Organizational.910-09.m | 0863.09m2Organizational.910-09.m 09.06 Network Security Management | Implement an automated configuration management tool | 1.1.0 |
| 08 Network Protection | 0863.09m2Organizational.910-09.m | 0863.09m2Organizational.910-09.m 09.06 Network Security Management | Implement security engineering principles of information systems | 1.1.0 |
| 08 Network Protection | 0863.09m2Organizational.910-09.m | 0863.09m2Organizational.910-09.m 09.06 Network Security Management | Perform a privacy impact assessment | 1.1.0 |
| 08 Network Protection | 0863.09m2Organizational.910-09.m | 0863.09m2Organizational.910-09.m 09.06 Network Security Management | Perform a risk assessment | 1.1.0 |
| 08 Network Protection | 0863.09m2Organizational.910-09.m | 0863.09m2Organizational.910-09.m 09.06 Network Security Management | Perform audit for configuration change control | 1.1.0 |
| 08 Network Protection | 0863.09m2Organizational.910-09.m | 0863.09m2Organizational.910-09.m 09.06 Network Security Management | Review and update the information security architecture | 1.1.0 |
| 08 Network Protection | 0864.09m2Organizational.12-09.m | 0864.09m2Organizational.12-09.m 09.06 Network Security Management | Authorize, monitor, and control voip | 1.1.0 |
| 08 Network Protection | 0864.09m2Organizational.12-09.m | 0864.09m2Organizational.12-09.m 09.06 Network Security Management | Establish voip usage restrictions | 1.1.0 |
| 08 Network Protection | 0864.09m2Organizational.12-09.m | 0864.09m2Organizational.12-09.m 09.06 Network Security Management | Secure the interface to external systems | 1.1.0 |
| 08 Network Protection | 0865.09m2Organizational.13-09.m | 0865.09m2Organizational.13-09.m 09.06 Network Security Management | Check for privacy and security compliance before establishing internal connections | 1.1.0 |
| 08 Network Protection | 0865.09m2Organizational.13-09.m | 0865.09m2Organizational.13-09.m 09.06 Network Security Management | Employ restrictions on external system interconnections | 1.1.0 |
| 08 Network Protection | 0865.09m2Organizational.13-09.m | 0865.09m2Organizational.13-09.m 09.06 Network Security Management | Require interconnection security agreements | 1.1.0 |
| 08 Network Protection | 0865.09m2Organizational.13-09.m | 0865.09m2Organizational.13-09.m 09.06 Network Security Management | Update interconnection security agreements | 1.1.0 |
| 08 Network Protection | 0866.09m3Organizational.1516-09.m | 0866.09m3Organizational.1516-09.m 09.06 Network Security Management | Authorize, monitor, and control voip | 1.1.0 |
| 08 Network Protection | 0866.09m3Organizational.1516-09.m | 0866.09m3Organizational.1516-09.m 09.06 Network Security Management | Develop and establish a system security plan | 1.1.0 |
| 08 Network Protection | 0866.09m3Organizational.1516-09.m | 0866.09m3Organizational.1516-09.m 09.06 Network Security Management | Develop information security policies and procedures | 1.1.0 |
| 08 Network Protection | 0866.09m3Organizational.1516-09.m | 0866.09m3Organizational.1516-09.m 09.06 Network Security Management | Develop SSP that meets criteria | 1.1.0 |
| 08 Network Protection | 0866.09m3Organizational.1516-09.m | 0866.09m3Organizational.1516-09.m 09.06 Network Security Management | Establish a privacy program | 1.1.0 |
| 08 Network Protection | 0866.09m3Organizational.1516-09.m | 0866.09m3Organizational.1516-09.m 09.06 Network Security Management | Establish security requirements for the manufacturing of connected devices | 1.1.0 |
| 08 Network Protection | 0866.09m3Organizational.1516-09.m | 0866.09m3Organizational.1516-09.m 09.06 Network Security Management | Implement security engineering principles of information systems | 1.1.0 |
| 08 Network Protection | 0866.09m3Organizational.1516-09.m | 0866.09m3Organizational.1516-09.m 09.06 Network Security Management | Review and update system and communications protection policies and procedures | 1.1.0 |
| 08 Network Protection | 0866.09m3Organizational.1516-09.m | 0866.09m3Organizational.1516-09.m 09.06 Network Security Management | Route traffic through managed network access points | 1.1.0 |
| 08 Network Protection | 0866.09m3Organizational.1516-09.m | 0866.09m3Organizational.1516-09.m 09.06 Network Security Management | Secure the interface to external systems | 1.1.0 |
| 08 Network Protection | 0868.09m3Organizational.18-09.m | 0868.09m3Organizational.18-09.m 09.06 Network Security Management | Authorize, monitor, and control voip | 1.1.0 |
| 08 Network Protection | 0868.09m3Organizational.18-09.m | 0868.09m3Organizational.18-09.m 09.06 Network Security Management | Implement managed interface for each external service | 1.1.0 |
| 08 Network Protection | 0868.09m3Organizational.18-09.m | 0868.09m3Organizational.18-09.m 09.06 Network Security Management | Route traffic through managed network access points | 1.1.0 |
| 08 Network Protection | 0868.09m3Organizational.18-09.m | 0868.09m3Organizational.18-09.m 09.06 Network Security Management | Secure the interface to external systems | 1.1.0 |
| 08 Network Protection | 0869.09m3Organizational.19-09.m | 0869.09m3Organizational.19-09.m 09.06 Network Security Management | Configure actions for noncompliant devices | 1.1.0 |
| 08 Network Protection | 0869.09m3Organizational.19-09.m | 0869.09m3Organizational.19-09.m 09.06 Network Security Management | Create configuration plan protection | 1.1.0 |
| 08 Network Protection | 0869.09m3Organizational.19-09.m | 0869.09m3Organizational.19-09.m 09.06 Network Security Management | Develop and maintain baseline configurations | 1.1.0 |
| 08 Network Protection | 0869.09m3Organizational.19-09.m | 0869.09m3Organizational.19-09.m 09.06 Network Security Management | Develop configuration item identification plan | 1.1.0 |
| 08 Network Protection | 0869.09m3Organizational.19-09.m | 0869.09m3Organizational.19-09.m 09.06 Network Security Management | Develop configuration management plan | 1.1.0 |
| 08 Network Protection | 0869.09m3Organizational.19-09.m | 0869.09m3Organizational.19-09.m 09.06 Network Security Management | Employ automatic shutdown/restart when violations are detected | 1.1.0 |
| 08 Network Protection | 0869.09m3Organizational.19-09.m | 0869.09m3Organizational.19-09.m 09.06 Network Security Management | Enforce security configuration settings | 1.1.0 |
| 08 Network Protection | 0869.09m3Organizational.19-09.m | 0869.09m3Organizational.19-09.m 09.06 Network Security Management | Establish a configuration control board | 1.1.0 |
| 08 Network Protection | 0869.09m3Organizational.19-09.m | 0869.09m3Organizational.19-09.m 09.06 Network Security Management | Establish and document a configuration management plan | 1.1.0 |
| 08 Network Protection | 0869.09m3Organizational.19-09.m | 0869.09m3Organizational.19-09.m 09.06 Network Security Management | Implement an automated configuration management tool | 1.1.0 |
| 08 Network Protection | 0870.09m3Organizational.20-09.m | 0870.09m3Organizational.20-09.m 09.06 Network Security Management | Detect network services that have not been authorized or approved | 1.1.0 |
| 08 Network Protection | 0870.09m3Organizational.20-09.m | 0870.09m3Organizational.20-09.m 09.06 Network Security Management | Enforce user uniqueness | 1.1.0 |
| 08 Network Protection | 0870.09m3Organizational.20-09.m | 0870.09m3Organizational.20-09.m 09.06 Network Security Management | Identify and authenticate non-organizational users | 1.1.0 |
| 08 Network Protection | 0870.09m3Organizational.20-09.m | 0870.09m3Organizational.20-09.m 09.06 Network Security Management | Identify external service providers | 1.1.0 |
| 08 Network Protection | 0870.09m3Organizational.20-09.m | 0870.09m3Organizational.20-09.m 09.06 Network Security Management | Implement managed interface for each external service | 1.1.0 |
| 08 Network Protection | 0870.09m3Organizational.20-09.m | 0870.09m3Organizational.20-09.m 09.06 Network Security Management | Route traffic through authenticated proxy network | 1.1.0 |
| 08 Network Protection | 0870.09m3Organizational.20-09.m | 0870.09m3Organizational.20-09.m 09.06 Network Security Management | Support personal verification credentials issued by legal authorities | 1.1.0 |
| 08 Network Protection | 0871.09m3Organizational.22-09.m | 0871.09m3Organizational.22-09.m 09.06 Network Security Management | Implement a fault tolerant name/address service | 1.1.0 |
| 08 Network Protection | 0871.09m3Organizational.22-09.m | 0871.09m3Organizational.22-09.m 09.06 Network Security Management | Provide secure name and address resolution services | 1.1.0 |
| 08 Network Protection | 0871.09m3Organizational.22-09.m | 0871.09m3Organizational.22-09.m 09.06 Network Security Management | Verify software, firmware and information integrity | 1.1.0 |
| 08 Network Protection | 0885.09n2Organizational.3-09.n | 0885.09n2Organizational.3-09.n 09.06 Network Security Management | Require interconnection security agreements | 1.1.0 |
| 08 Network Protection | 0885.09n2Organizational.3-09.n | 0885.09n2Organizational.3-09.n 09.06 Network Security Management | Update interconnection security agreements | 1.1.0 |
| 08 Network Protection | 0886.09n2Organizational.4-09.n | 0886.09n2Organizational.4-09.n 09.06 Network Security Management | Employ restrictions on external system interconnections | 1.1.0 |
| 08 Network Protection | 0887.09n2Organizational.5-09.n | 0887.09n2Organizational.5-09.n 09.06 Network Security Management | Require developer to identify SDLC ports, protocols, and services | 1.1.0 |
| 08 Network Protection | 0887.09n2Organizational.5-09.n | 0887.09n2Organizational.5-09.n 09.06 Network Security Management | Secure the interface to external systems | 1.1.0 |
| 08 Network Protection | 0888.09n2Organizational.6-09.n | 0888.09n2Organizational.6-09.n 09.06 Network Security Management | Define and document government oversight | 1.1.0 |
| 08 Network Protection | 0888.09n2Organizational.6-09.n | 0888.09n2Organizational.6-09.n 09.06 Network Security Management | Determine supplier contract obligations | 1.1.0 |
| 08 Network Protection | 0888.09n2Organizational.6-09.n | 0888.09n2Organizational.6-09.n 09.06 Network Security Management | Document acquisition contract acceptance criteria | 1.1.0 |
| 08 Network Protection | 0888.09n2Organizational.6-09.n | 0888.09n2Organizational.6-09.n 09.06 Network Security Management | Document protection of personal data in acquisition contracts | 1.1.0 |
| 08 Network Protection | 0888.09n2Organizational.6-09.n | 0888.09n2Organizational.6-09.n 09.06 Network Security Management | Document protection of security information in acquisition contracts | 1.1.0 |
| 08 Network Protection | 0888.09n2Organizational.6-09.n | 0888.09n2Organizational.6-09.n 09.06 Network Security Management | Document requirements for the use of shared data in contracts | 1.1.0 |
| 08 Network Protection | 0888.09n2Organizational.6-09.n | 0888.09n2Organizational.6-09.n 09.06 Network Security Management | Document security assurance requirements in acquisition contracts | 1.1.0 |
| 08 Network Protection | 0888.09n2Organizational.6-09.n | 0888.09n2Organizational.6-09.n 09.06 Network Security Management | Document security documentation requirements in acquisition contract | 1.1.0 |
| 08 Network Protection | 0888.09n2Organizational.6-09.n | 0888.09n2Organizational.6-09.n 09.06 Network Security Management | Document security functional requirements in acquisition contracts | 1.1.0 |
| 08 Network Protection | 0888.09n2Organizational.6-09.n | 0888.09n2Organizational.6-09.n 09.06 Network Security Management | Document security strength requirements in acquisition contracts | 1.1.0 |
| 08 Network Protection | 0888.09n2Organizational.6-09.n | 0888.09n2Organizational.6-09.n 09.06 Network Security Management | Document the information system environment in acquisition contracts | 1.1.0 |
| 08 Network Protection | 0888.09n2Organizational.6-09.n | 0888.09n2Organizational.6-09.n 09.06 Network Security Management | Document the protection of cardholder data in third party contracts | 1.1.0 |
| 08 Network Protection | 0888.09n2Organizational.6-09.n | 0888.09n2Organizational.6-09.n 09.06 Network Security Management | Ensure external providers consistently meet interests of the customers | 1.1.0 |
| 08 Network Protection | 0888.09n2Organizational.6-09.n | 0888.09n2Organizational.6-09.n 09.06 Network Security Management | Require external service providers to comply with security requirements | 1.1.0 |
| 08 Network Protection | 0888.09n2Organizational.6-09.n | 0888.09n2Organizational.6-09.n 09.06 Network Security Management | Review cloud service provider's compliance with policies and agreements | 1.1.0 |
| 08 Network Protection | 0888.09n2Organizational.6-09.n | 0888.09n2Organizational.6-09.n 09.06 Network Security Management | Undergo independent security review | 1.1.0 |
| 08 Network Protection | 0894.01m2Organizational.7-01.m | 0894.01m2Organizational.7-01.m 01.04 Network Access Control | Authorize access to security functions and information | 1.1.0 |
| 08 Network Protection | 0894.01m2Organizational.7-01.m | 0894.01m2Organizational.7-01.m 01.04 Network Access Control | Authorize and manage access | 1.1.0 |
| 08 Network Protection | 0894.01m2Organizational.7-01.m | 0894.01m2Organizational.7-01.m 01.04 Network Access Control | Enforce logical access | 1.1.0 |
| 08 Network Protection | 0894.01m2Organizational.7-01.m | 0894.01m2Organizational.7-01.m 01.04 Network Access Control | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 08 Network Protection | 0894.01m2Organizational.7-01.m | 0894.01m2Organizational.7-01.m 01.04 Network Access Control | Require approval for account creation | 1.1.0 |
| 08 Network Protection | 0894.01m2Organizational.7-01.m | 0894.01m2Organizational.7-01.m 01.04 Network Access Control | Review user groups and applications with access to sensitive data | 1.1.0 |
| 08 Network Protection | 0894.01m2Organizational.7-01.m | 0894.01m2Organizational.7-01.m 01.04 Network Access Control | Route traffic through authenticated proxy network | 1.1.0 |
| 09 Transmission Protection | 0901.09s1Organizational.1-09.s | 0901.09s1Organizational.1-09.s 09.08 Exchange of Information | Categorize information | 1.1.0 |
| 09 Transmission Protection | 0901.09s1Organizational.1-09.s | 0901.09s1Organizational.1-09.s 09.08 Exchange of Information | Configure actions for noncompliant devices | 1.1.0 |
| 09 Transmission Protection | 0901.09s1Organizational.1-09.s | 0901.09s1Organizational.1-09.s 09.08 Exchange of Information | Configure workstations to check for digital certificates | 1.1.0 |
| 09 Transmission Protection | 0901.09s1Organizational.1-09.s | 0901.09s1Organizational.1-09.s 09.08 Exchange of Information | Develop acceptable use policies and procedures | 1.1.0 |
| 09 Transmission Protection | 0901.09s1Organizational.1-09.s | 0901.09s1Organizational.1-09.s 09.08 Exchange of Information | Develop and maintain baseline configurations | 1.1.0 |
| 09 Transmission Protection | 0901.09s1Organizational.1-09.s | 0901.09s1Organizational.1-09.s 09.08 Exchange of Information | Develop business classification schemes | 1.1.0 |
| 09 Transmission Protection | 0901.09s1Organizational.1-09.s | 0901.09s1Organizational.1-09.s 09.08 Exchange of Information | Develop organization code of conduct policy | 1.1.0 |
| 09 Transmission Protection | 0901.09s1Organizational.1-09.s | 0901.09s1Organizational.1-09.s 09.08 Exchange of Information | Document personnel acceptance of privacy requirements | 1.1.0 |
| 09 Transmission Protection | 0901.09s1Organizational.1-09.s | 0901.09s1Organizational.1-09.s 09.08 Exchange of Information | Enforce rules of behavior and access agreements | 1.1.0 |
| 09 Transmission Protection | 0901.09s1Organizational.1-09.s | 0901.09s1Organizational.1-09.s 09.08 Exchange of Information | Enforce security configuration settings | 1.1.0 |
| 09 Transmission Protection | 0901.09s1Organizational.1-09.s | 0901.09s1Organizational.1-09.s 09.08 Exchange of Information | Ensure security categorization is approved | 1.1.0 |
| 09 Transmission Protection | 0901.09s1Organizational.1-09.s | 0901.09s1Organizational.1-09.s 09.08 Exchange of Information | Establish a configuration control board | 1.1.0 |
| 09 Transmission Protection | 0901.09s1Organizational.1-09.s | 0901.09s1Organizational.1-09.s 09.08 Exchange of Information | Establish a data leakage management procedure | 1.1.0 |
| 09 Transmission Protection | 0901.09s1Organizational.1-09.s | 0901.09s1Organizational.1-09.s 09.08 Exchange of Information | Establish and document a configuration management plan | 1.1.0 |
| 09 Transmission Protection | 0901.09s1Organizational.1-09.s | 0901.09s1Organizational.1-09.s 09.08 Exchange of Information | Establish terms and conditions for processing resources | 1.1.0 |
| 09 Transmission Protection | 0901.09s1Organizational.1-09.s | 0901.09s1Organizational.1-09.s 09.08 Exchange of Information | Implement an automated configuration management tool | 1.1.0 |
| 09 Transmission Protection | 0901.09s1Organizational.1-09.s | 0901.09s1Organizational.1-09.s 09.08 Exchange of Information | Implement controls to secure all media | 1.1.0 |
| 09 Transmission Protection | 0901.09s1Organizational.1-09.s | 0901.09s1Organizational.1-09.s 09.08 Exchange of Information | Perform information input validation | 1.1.0 |
| 09 Transmission Protection | 0901.09s1Organizational.1-09.s | 0901.09s1Organizational.1-09.s 09.08 Exchange of Information | Prohibit unfair practices | 1.1.0 |
| 09 Transmission Protection | 0901.09s1Organizational.1-09.s | 0901.09s1Organizational.1-09.s 09.08 Exchange of Information | Protect data in transit using encryption | 1.1.0 |
| 09 Transmission Protection | 0901.09s1Organizational.1-09.s | 0901.09s1Organizational.1-09.s 09.08 Exchange of Information | Protect passwords with encryption | 1.1.0 |
| 09 Transmission Protection | 0901.09s1Organizational.1-09.s | 0901.09s1Organizational.1-09.s 09.08 Exchange of Information | Protect special information | 1.1.0 |
| 09 Transmission Protection | 0901.09s1Organizational.1-09.s | 0901.09s1Organizational.1-09.s 09.08 Exchange of Information | Review and sign revised rules of behavior | 1.1.0 |
| 09 Transmission Protection | 0901.09s1Organizational.1-09.s | 0901.09s1Organizational.1-09.s 09.08 Exchange of Information | Review label activity and analytics | 1.1.0 |
| 09 Transmission Protection | 0901.09s1Organizational.1-09.s | 0901.09s1Organizational.1-09.s 09.08 Exchange of Information | Review malware detections report weekly | 1.1.0 |
| 09 Transmission Protection | 0901.09s1Organizational.1-09.s | 0901.09s1Organizational.1-09.s 09.08 Exchange of Information | Review threat protection status weekly | 1.1.0 |
| 09 Transmission Protection | 0901.09s1Organizational.1-09.s | 0901.09s1Organizational.1-09.s 09.08 Exchange of Information | Update antivirus definitions | 1.1.0 |
| 09 Transmission Protection | 0901.09s1Organizational.1-09.s | 0901.09s1Organizational.1-09.s 09.08 Exchange of Information | Update information security policies | 1.1.0 |
| 09 Transmission Protection | 0901.09s1Organizational.1-09.s | 0901.09s1Organizational.1-09.s 09.08 Exchange of Information | Update rules of behavior and access agreements | 1.1.0 |
| 09 Transmission Protection | 0901.09s1Organizational.1-09.s | 0901.09s1Organizational.1-09.s 09.08 Exchange of Information | Update rules of behavior and access agreements every 3 years | 1.1.0 |
| 09 Transmission Protection | 0902.09s2Organizational.13-09.s | 0902.09s2Organizational.13-09.s 09.08 Exchange of Information | Authorize remote access | 1.1.0 |
| 09 Transmission Protection | 0902.09s2Organizational.13-09.s | 0902.09s2Organizational.13-09.s 09.08 Exchange of Information | Authorize remote access to privileged commands | 1.1.0 |
| 09 Transmission Protection | 0902.09s2Organizational.13-09.s | 0902.09s2Organizational.13-09.s 09.08 Exchange of Information | Document mobility training | 1.1.0 |
| 09 Transmission Protection | 0902.09s2Organizational.13-09.s | 0902.09s2Organizational.13-09.s 09.08 Exchange of Information | Document remote access guidelines | 1.1.0 |
| 09 Transmission Protection | 0902.09s2Organizational.13-09.s | 0902.09s2Organizational.13-09.s 09.08 Exchange of Information | Establish terms and conditions for accessing resources | 1.1.0 |
| 09 Transmission Protection | 0902.09s2Organizational.13-09.s | 0902.09s2Organizational.13-09.s 09.08 Exchange of Information | Establish terms and conditions for processing resources | 1.1.0 |
| 09 Transmission Protection | 0902.09s2Organizational.13-09.s | 0902.09s2Organizational.13-09.s 09.08 Exchange of Information | Implement controls to secure alternate work sites | 1.1.0 |
| 09 Transmission Protection | 0902.09s2Organizational.13-09.s | 0902.09s2Organizational.13-09.s 09.08 Exchange of Information | Monitor access across the organization | 1.1.0 |
| 09 Transmission Protection | 0902.09s2Organizational.13-09.s | 0902.09s2Organizational.13-09.s 09.08 Exchange of Information | Notify users of system logon or access | 1.1.0 |
| 09 Transmission Protection | 0902.09s2Organizational.13-09.s | 0902.09s2Organizational.13-09.s 09.08 Exchange of Information | Protect data in transit using encryption | 1.1.0 |
| 09 Transmission Protection | 0902.09s2Organizational.13-09.s | 0902.09s2Organizational.13-09.s 09.08 Exchange of Information | Provide capability to disconnect or disable remote access | 1.1.0 |
| 09 Transmission Protection | 0902.09s2Organizational.13-09.s | 0902.09s2Organizational.13-09.s 09.08 Exchange of Information | Provide privacy training | 1.1.0 |
| 09 Transmission Protection | 0902.09s2Organizational.13-09.s | 0902.09s2Organizational.13-09.s 09.08 Exchange of Information | Route traffic through managed network access points | 1.1.0 |
| 09 Transmission Protection | 0903.10f1Organizational.1-10.f | 0903.10f1Organizational.1-10.f 10.03 Cryptographic Controls | Configure workstations to check for digital certificates | 1.1.0 |
| 09 Transmission Protection | 0903.10f1Organizational.1-10.f | 0903.10f1Organizational.1-10.f 10.03 Cryptographic Controls | Define cryptographic use | 1.1.0 |
| 09 Transmission Protection | 0903.10f1Organizational.1-10.f | 0903.10f1Organizational.1-10.f 10.03 Cryptographic Controls | Protect passwords with encryption | 1.1.0 |
| 09 Transmission Protection | 0904.10f2Organizational.1-10.f | 0904.10f2Organizational.1-10.f 10.03 Cryptographic Controls | Authenticate to cryptographic module | 1.1.0 |
| 09 Transmission Protection | 0904.10f2Organizational.1-10.f | 0904.10f2Organizational.1-10.f 10.03 Cryptographic Controls | Define a physical key management process | 1.1.0 |
| 09 Transmission Protection | 0904.10f2Organizational.1-10.f | 0904.10f2Organizational.1-10.f 10.03 Cryptographic Controls | Define cryptographic use | 1.1.0 |
| 09 Transmission Protection | 0904.10f2Organizational.1-10.f | 0904.10f2Organizational.1-10.f 10.03 Cryptographic Controls | Define organizational requirements for cryptographic key management | 1.1.0 |
| 09 Transmission Protection | 0904.10f2Organizational.1-10.f | 0904.10f2Organizational.1-10.f 10.03 Cryptographic Controls | Determine assertion requirements | 1.1.0 |
| 09 Transmission Protection | 0904.10f2Organizational.1-10.f | 0904.10f2Organizational.1-10.f 10.03 Cryptographic Controls | Issue public key certificates | 1.1.0 |
| 09 Transmission Protection | 0904.10f2Organizational.1-10.f | 0904.10f2Organizational.1-10.f 10.03 Cryptographic Controls | Manage symmetric cryptographic keys | 1.1.0 |
| 09 Transmission Protection | 0904.10f2Organizational.1-10.f | 0904.10f2Organizational.1-10.f 10.03 Cryptographic Controls | Produce, control and distribute symmetric cryptographic keys | 1.1.0 |
| 09 Transmission Protection | 0904.10f2Organizational.1-10.f | 0904.10f2Organizational.1-10.f 10.03 Cryptographic Controls | Protect passwords with encryption | 1.1.0 |
| 09 Transmission Protection | 0904.10f2Organizational.1-10.f | 0904.10f2Organizational.1-10.f 10.03 Cryptographic Controls | Restrict access to private keys | 1.1.0 |
| 09 Transmission Protection | 0912.09s1Organizational.4-09.s | 0912.09s1Organizational.4-09.s 09.08 Exchange of Information | Authorize remote access | 1.1.0 |
| 09 Transmission Protection | 0912.09s1Organizational.4-09.s | 0912.09s1Organizational.4-09.s 09.08 Exchange of Information | Document mobility training | 1.1.0 |
| 09 Transmission Protection | 0912.09s1Organizational.4-09.s | 0912.09s1Organizational.4-09.s 09.08 Exchange of Information | Document remote access guidelines | 1.1.0 |
| 09 Transmission Protection | 0912.09s1Organizational.4-09.s | 0912.09s1Organizational.4-09.s 09.08 Exchange of Information | Implement controls to secure alternate work sites | 1.1.0 |
| 09 Transmission Protection | 0912.09s1Organizational.4-09.s | 0912.09s1Organizational.4-09.s 09.08 Exchange of Information | Monitor access across the organization | 1.1.0 |
| 09 Transmission Protection | 0912.09s1Organizational.4-09.s | 0912.09s1Organizational.4-09.s 09.08 Exchange of Information | Notify users of system logon or access | 1.1.0 |
| 09 Transmission Protection | 0912.09s1Organizational.4-09.s | 0912.09s1Organizational.4-09.s 09.08 Exchange of Information | Provide privacy training | 1.1.0 |
| 09 Transmission Protection | 0912.09s1Organizational.4-09.s | 0912.09s1Organizational.4-09.s 09.08 Exchange of Information | Route traffic through managed network access points | 1.1.0 |
| 09 Transmission Protection | 0913.09s1Organizational.5-09.s | 0913.09s1Organizational.5-09.s 09.08 Exchange of Information | Configure workstations to check for digital certificates | 1.1.0 |
| 09 Transmission Protection | 0913.09s1Organizational.5-09.s | 0913.09s1Organizational.5-09.s 09.08 Exchange of Information | Define cryptographic use | 1.1.0 |
| 09 Transmission Protection | 0913.09s1Organizational.5-09.s | 0913.09s1Organizational.5-09.s 09.08 Exchange of Information | Produce, control and distribute asymmetric cryptographic keys | 1.1.0 |
| 09 Transmission Protection | 0913.09s1Organizational.5-09.s | 0913.09s1Organizational.5-09.s 09.08 Exchange of Information | Protect passwords with encryption | 1.1.0 |
| 09 Transmission Protection | 0914.09s1Organizational.6-09.s | 0914.09s1Organizational.6-09.s 09.08 Exchange of Information | Assess Security Controls | 1.1.0 |
| 09 Transmission Protection | 0914.09s1Organizational.6-09.s | 0914.09s1Organizational.6-09.s 09.08 Exchange of Information | Deliver security assessment results | 1.1.0 |
| 09 Transmission Protection | 0914.09s1Organizational.6-09.s | 0914.09s1Organizational.6-09.s 09.08 Exchange of Information | Develop security assessment plan | 1.1.0 |
| 09 Transmission Protection | 0914.09s1Organizational.6-09.s | 0914.09s1Organizational.6-09.s 09.08 Exchange of Information | Employ independent assessors to conduct security control assessments | 1.1.0 |
| 09 Transmission Protection | 0914.09s1Organizational.6-09.s | 0914.09s1Organizational.6-09.s 09.08 Exchange of Information | Produce Security Assessment report | 1.1.0 |
| 09 Transmission Protection | 0914.09s1Organizational.6-09.s | 0914.09s1Organizational.6-09.s 09.08 Exchange of Information | Review and update system and communications protection policies and procedures | 1.1.0 |
| 09 Transmission Protection | 0915.09s2Organizational.2-09.s | 0915.09s2Organizational.2-09.s 09.08 Exchange of Information | Control use of portable storage devices | 1.1.0 |
| 09 Transmission Protection | 0915.09s2Organizational.2-09.s | 0915.09s2Organizational.2-09.s 09.08 Exchange of Information | Establish terms and conditions for accessing resources | 1.1.0 |
| 09 Transmission Protection | 0915.09s2Organizational.2-09.s | 0915.09s2Organizational.2-09.s 09.08 Exchange of Information | Establish terms and conditions for processing resources | 1.1.0 |
| 09 Transmission Protection | 0916.09s2Organizational.4-09.s | 0916.09s2Organizational.4-09.s 09.08 Exchange of Information | Adopt biometric authentication mechanisms | 1.1.0 |
| 09 Transmission Protection | 0916.09s2Organizational.4-09.s | 0916.09s2Organizational.4-09.s 09.08 Exchange of Information | Control use of portable storage devices | 1.1.0 |
| 09 Transmission Protection | 0916.09s2Organizational.4-09.s | 0916.09s2Organizational.4-09.s 09.08 Exchange of Information | Explicitly notify use of collaborative computing devices | 1.1.1 |
| 09 Transmission Protection | 0916.09s2Organizational.4-09.s | 0916.09s2Organizational.4-09.s 09.08 Exchange of Information | Identify and authenticate network devices | 1.1.0 |
| 09 Transmission Protection | 0916.09s2Organizational.4-09.s | 0916.09s2Organizational.4-09.s 09.08 Exchange of Information | Prohibit remote activation of collaborative computing devices | 1.1.0 |
| 09 Transmission Protection | 0916.09s2Organizational.4-09.s | 0916.09s2Organizational.4-09.s 09.08 Exchange of Information | Restrict media use | 1.1.0 |
| 09 Transmission Protection | 0926.09v1Organizational.2-09.v | 0926.09v1Organizational.2-09.v 09.08 Exchange of Information | Configure workstations to check for digital certificates | 1.1.0 |
| 09 Transmission Protection | 0926.09v1Organizational.2-09.v | 0926.09v1Organizational.2-09.v 09.08 Exchange of Information | Implement a fault tolerant name/address service | 1.1.0 |
| 09 Transmission Protection | 0926.09v1Organizational.2-09.v | 0926.09v1Organizational.2-09.v 09.08 Exchange of Information | Produce, control and distribute asymmetric cryptographic keys | 1.1.0 |
| 09 Transmission Protection | 0926.09v1Organizational.2-09.v | 0926.09v1Organizational.2-09.v 09.08 Exchange of Information | Protect passwords with encryption | 1.1.0 |
| 09 Transmission Protection | 0926.09v1Organizational.2-09.v | 0926.09v1Organizational.2-09.v 09.08 Exchange of Information | Provide secure name and address resolution services | 1.1.0 |
| 09 Transmission Protection | 0927.09v1Organizational.3-09.v | 0927.09v1Organizational.3-09.v 09.08 Exchange of Information | Adopt biometric authentication mechanisms | 1.1.0 |
| 09 Transmission Protection | 0927.09v1Organizational.3-09.v | 0927.09v1Organizational.3-09.v 09.08 Exchange of Information | Enforce user uniqueness | 1.1.0 |
| 09 Transmission Protection | 0927.09v1Organizational.3-09.v | 0927.09v1Organizational.3-09.v 09.08 Exchange of Information | Identify and authenticate network devices | 1.1.0 |
| 09 Transmission Protection | 0927.09v1Organizational.3-09.v | 0927.09v1Organizational.3-09.v 09.08 Exchange of Information | Support personal verification credentials issued by legal authorities | 1.1.0 |
| 09 Transmission Protection | 0928.09v1Organizational.45-09.v | 0928.09v1Organizational.45-09.v 09.08 Exchange of Information | Configure workstations to check for digital certificates | 1.1.0 |
| 09 Transmission Protection | 0928.09v1Organizational.45-09.v | 0928.09v1Organizational.45-09.v 09.08 Exchange of Information | Control information flow | 1.1.0 |
| 09 Transmission Protection | 0928.09v1Organizational.45-09.v | 0928.09v1Organizational.45-09.v 09.08 Exchange of Information | Define cryptographic use | 1.1.0 |
| 09 Transmission Protection | 0928.09v1Organizational.45-09.v | 0928.09v1Organizational.45-09.v 09.08 Exchange of Information | Establish firewall and router configuration standards | 1.1.0 |
| 09 Transmission Protection | 0928.09v1Organizational.45-09.v | 0928.09v1Organizational.45-09.v 09.08 Exchange of Information | Establish network segmentation for card holder data environment | 1.1.0 |
| 09 Transmission Protection | 0928.09v1Organizational.45-09.v | 0928.09v1Organizational.45-09.v 09.08 Exchange of Information | Identify and manage downstream information exchanges | 1.1.0 |
| 09 Transmission Protection | 0928.09v1Organizational.45-09.v | 0928.09v1Organizational.45-09.v 09.08 Exchange of Information | Produce, control and distribute asymmetric cryptographic keys | 1.1.0 |
| 09 Transmission Protection | 0928.09v1Organizational.45-09.v | 0928.09v1Organizational.45-09.v 09.08 Exchange of Information | Protect passwords with encryption | 1.1.0 |
| 09 Transmission Protection | 0928.09v1Organizational.45-09.v | 0928.09v1Organizational.45-09.v 09.08 Exchange of Information | Secure the interface to external systems | 1.1.0 |
| 09 Transmission Protection | 0929.09v1Organizational.6-09.v | 0929.09v1Organizational.6-09.v 09.08 Exchange of Information | Configure workstations to check for digital certificates | 1.1.0 |
| 09 Transmission Protection | 0929.09v1Organizational.6-09.v | 0929.09v1Organizational.6-09.v 09.08 Exchange of Information | Control information flow | 1.1.0 |
| 09 Transmission Protection | 0929.09v1Organizational.6-09.v | 0929.09v1Organizational.6-09.v 09.08 Exchange of Information | Establish firewall and router configuration standards | 1.1.0 |
| 09 Transmission Protection | 0929.09v1Organizational.6-09.v | 0929.09v1Organizational.6-09.v 09.08 Exchange of Information | Establish network segmentation for card holder data environment | 1.1.0 |
| 09 Transmission Protection | 0929.09v1Organizational.6-09.v | 0929.09v1Organizational.6-09.v 09.08 Exchange of Information | Identify and manage downstream information exchanges | 1.1.0 |
| 09 Transmission Protection | 0929.09v1Organizational.6-09.v | 0929.09v1Organizational.6-09.v 09.08 Exchange of Information | Implement a fault tolerant name/address service | 1.1.0 |
| 09 Transmission Protection | 0929.09v1Organizational.6-09.v | 0929.09v1Organizational.6-09.v 09.08 Exchange of Information | Produce, control and distribute asymmetric cryptographic keys | 1.1.0 |
| 09 Transmission Protection | 0929.09v1Organizational.6-09.v | 0929.09v1Organizational.6-09.v 09.08 Exchange of Information | Protect passwords with encryption | 1.1.0 |
| 09 Transmission Protection | 0929.09v1Organizational.6-09.v | 0929.09v1Organizational.6-09.v 09.08 Exchange of Information | Provide secure name and address resolution services | 1.1.0 |
| 09 Transmission Protection | 0943.09y1Organizational.1-09.y | 0943.09y1Organizational.1-09.y 09.09 Electronic Commerce Services | Configure workstations to check for digital certificates | 1.1.0 |
| 09 Transmission Protection | 0943.09y1Organizational.1-09.y | 0943.09y1Organizational.1-09.y 09.09 Electronic Commerce Services | Document process to ensure integrity of PII | 1.1.0 |
| 09 Transmission Protection | 0943.09y1Organizational.1-09.y | 0943.09y1Organizational.1-09.y 09.09 Electronic Commerce Services | Protect passwords with encryption | 1.1.0 |
| 09 Transmission Protection | 0944.09y1Organizational.2-09.y | 0944.09y1Organizational.2-09.y 09.09 Electronic Commerce Services | Configure workstations to check for digital certificates | 1.1.0 |
| 09 Transmission Protection | 0944.09y1Organizational.2-09.y | 0944.09y1Organizational.2-09.y 09.09 Electronic Commerce Services | Control information flow | 1.1.0 |
| 09 Transmission Protection | 0944.09y1Organizational.2-09.y | 0944.09y1Organizational.2-09.y 09.09 Electronic Commerce Services | Employ boundary protection to isolate information systems | 1.1.0 |
| 09 Transmission Protection | 0944.09y1Organizational.2-09.y | 0944.09y1Organizational.2-09.y 09.09 Electronic Commerce Services | Employ flow control mechanisms of encrypted information | 1.1.0 |
| 09 Transmission Protection | 0944.09y1Organizational.2-09.y | 0944.09y1Organizational.2-09.y 09.09 Electronic Commerce Services | Establish firewall and router configuration standards | 1.1.0 |
| 09 Transmission Protection | 0944.09y1Organizational.2-09.y | 0944.09y1Organizational.2-09.y 09.09 Electronic Commerce Services | Establish network segmentation for card holder data environment | 1.1.0 |
| 09 Transmission Protection | 0944.09y1Organizational.2-09.y | 0944.09y1Organizational.2-09.y 09.09 Electronic Commerce Services | Identify and manage downstream information exchanges | 1.1.0 |
| 09 Transmission Protection | 0944.09y1Organizational.2-09.y | 0944.09y1Organizational.2-09.y 09.09 Electronic Commerce Services | Information flow control using security policy filters | 1.1.0 |
| 09 Transmission Protection | 0945.09y1Organizational.3-09.y | 0945.09y1Organizational.3-09.y 09.09 Electronic Commerce Services | Authenticate to cryptographic module | 1.1.0 |
| 09 Transmission Protection | 0945.09y1Organizational.3-09.y | 0945.09y1Organizational.3-09.y 09.09 Electronic Commerce Services | Configure workstations to check for digital certificates | 1.1.0 |
| 09 Transmission Protection | 0945.09y1Organizational.3-09.y | 0945.09y1Organizational.3-09.y 09.09 Electronic Commerce Services | Define cryptographic use | 1.1.0 |
| 09 Transmission Protection | 0945.09y1Organizational.3-09.y | 0945.09y1Organizational.3-09.y 09.09 Electronic Commerce Services | Produce, control and distribute asymmetric cryptographic keys | 1.1.0 |
| 09 Transmission Protection | 0945.09y1Organizational.3-09.y | 0945.09y1Organizational.3-09.y 09.09 Electronic Commerce Services | Protect passwords with encryption | 1.1.0 |
| 09 Transmission Protection | 0947.09y2Organizational.2-09.y | 0947.09y2Organizational.2-09.y 09.09 Electronic Commerce Services | Create separate alternate and primary storage sites | 1.1.0 |
| 09 Transmission Protection | 0947.09y2Organizational.2-09.y | 0947.09y2Organizational.2-09.y 09.09 Electronic Commerce Services | Employ a media sanitization mechanism | 1.1.0 |
| 09 Transmission Protection | 0947.09y2Organizational.2-09.y | 0947.09y2Organizational.2-09.y 09.09 Electronic Commerce Services | Ensure alternate storage site safeguards are equivalent to primary site | 1.1.0 |
| 09 Transmission Protection | 0947.09y2Organizational.2-09.y | 0947.09y2Organizational.2-09.y 09.09 Electronic Commerce Services | Establish a data leakage management procedure | 1.1.0 |
| 09 Transmission Protection | 0947.09y2Organizational.2-09.y | 0947.09y2Organizational.2-09.y 09.09 Electronic Commerce Services | Establish alternate storage site to store and retrieve backup information | 1.1.0 |
| 09 Transmission Protection | 0947.09y2Organizational.2-09.y | 0947.09y2Organizational.2-09.y 09.09 Electronic Commerce Services | Govern and monitor audit processing activities | 1.1.0 |
| 09 Transmission Protection | 0947.09y2Organizational.2-09.y | 0947.09y2Organizational.2-09.y 09.09 Electronic Commerce Services | Manage the transportation of assets | 1.1.0 |
| 09 Transmission Protection | 0947.09y2Organizational.2-09.y | 0947.09y2Organizational.2-09.y 09.09 Electronic Commerce Services | Protect special information | 1.1.0 |
| 09 Transmission Protection | 0947.09y2Organizational.2-09.y | 0947.09y2Organizational.2-09.y 09.09 Electronic Commerce Services | Restrict location of information processing, storage and services | 1.1.0 |
| 09 Transmission Protection | 0947.09y2Organizational.2-09.y | 0947.09y2Organizational.2-09.y 09.09 Electronic Commerce Services | Transfer backup information to an alternate storage site | 1.1.0 |
| 09 Transmission Protection | 0948.09y2Organizational.3-09.y | 0948.09y2Organizational.3-09.y 09.09 Electronic Commerce Services | Configure workstations to check for digital certificates | 1.1.0 |
| 09 Transmission Protection | 0948.09y2Organizational.3-09.y | 0948.09y2Organizational.3-09.y 09.09 Electronic Commerce Services | Distribute authenticators | 1.1.0 |
| 09 Transmission Protection | 0948.09y2Organizational.3-09.y | 0948.09y2Organizational.3-09.y 09.09 Electronic Commerce Services | Enforce random unique session identifiers | 1.1.0 |
| 09 Transmission Protection | 0948.09y2Organizational.3-09.y | 0948.09y2Organizational.3-09.y 09.09 Electronic Commerce Services | Issue public key certificates | 1.1.0 |
| 09 Transmission Protection | 0948.09y2Organizational.3-09.y | 0948.09y2Organizational.3-09.y 09.09 Electronic Commerce Services | Satisfy token quality requirements | 1.1.0 |
| 09 Transmission Protection | 0949.09y2Organizational.5-09.y | 0949.09y2Organizational.5-09.y 09.09 Electronic Commerce Services | Identify external service providers | 1.1.0 |
| 09 Transmission Protection | 0949.09y2Organizational.5-09.y | 0949.09y2Organizational.5-09.y 09.09 Electronic Commerce Services | Require developer to identify SDLC ports, protocols, and services | 1.1.0 |
| 09 Transmission Protection | 0960.09sCSPOrganizational.1-09.s | 0960.09sCSPOrganizational.1-09.s 09.08 Exchange of Information | Identify external service providers | 1.1.0 |
| 09 Transmission Protection | 099.09m2Organizational.11-09.m | 099.09m2Organizational.11-09.m 09.06 Network Security Management | Configure workstations to check for digital certificates | 1.1.0 |
| 09 Transmission Protection | 099.09m2Organizational.11-09.m | 099.09m2Organizational.11-09.m 09.06 Network Security Management | Define cryptographic use | 1.1.0 |
| 09 Transmission Protection | 099.09m2Organizational.11-09.m | 099.09m2Organizational.11-09.m 09.06 Network Security Management | Protect passwords with encryption | 1.1.0 |
| 10 Password Management | 1002.01d1System.1-01.d | 1002.01d1System.1-01.d 01.02 Authorized Access to Information Systems | Obscure feedback information during authentication process | 1.1.0 |
| 10 Password Management | 1002.01d1System.1-01.d | 1002.01d1System.1-01.d 01.02 Authorized Access to Information Systems | Protect passwords with encryption | 1.1.0 |
| 10 Password Management | 1003.01d1System.3-01.d | 1003.01d1System.3-01.d 01.02 Authorized Access to Information Systems | Implement training for protecting authenticators | 1.1.0 |
| 10 Password Management | 1003.01d1System.3-01.d | 1003.01d1System.3-01.d 01.02 Authorized Access to Information Systems | Refresh authenticators | 1.1.0 |
| 10 Password Management | 1003.01d1System.3-01.d | 1003.01d1System.3-01.d 01.02 Authorized Access to Information Systems | Verify identity before distributing authenticators | 1.1.0 |
| 10 Password Management | 1004.01d1System.8913-01.d | 1004.01d1System.8913-01.d 01.02 Authorized Access to Information Systems | Document security strength requirements in acquisition contracts | 1.1.0 |
| 10 Password Management | 1004.01d1System.8913-01.d | 1004.01d1System.8913-01.d 01.02 Authorized Access to Information Systems | Establish a password policy | 1.1.0 |
| 10 Password Management | 1004.01d1System.8913-01.d | 1004.01d1System.8913-01.d 01.02 Authorized Access to Information Systems | Implement parameters for memorized secret verifiers | 1.1.0 |
| 10 Password Management | 1004.01d1System.8913-01.d | 1004.01d1System.8913-01.d 01.02 Authorized Access to Information Systems | Manage authenticator lifetime and reuse | 1.1.0 |
| 10 Password Management | 1004.01d1System.8913-01.d | 1004.01d1System.8913-01.d 01.02 Authorized Access to Information Systems | Manage Authenticators | 1.1.0 |
| 10 Password Management | 1004.01d1System.8913-01.d | 1004.01d1System.8913-01.d 01.02 Authorized Access to Information Systems | Protect passwords with encryption | 1.1.0 |
| 10 Password Management | 1004.01d1System.8913-01.d | 1004.01d1System.8913-01.d 01.02 Authorized Access to Information Systems | Refresh authenticators | 1.1.0 |
| 10 Password Management | 1004.01d1System.8913-01.d | 1004.01d1System.8913-01.d 01.02 Authorized Access to Information Systems | Verify identity before distributing authenticators | 1.1.0 |
| 10 Password Management | 1005.01d1System.1011-01.d | 1005.01d1System.1011-01.d 01.02 Authorized Access to Information Systems | Authenticate to cryptographic module | 1.1.0 |
| 10 Password Management | 1005.01d1System.1011-01.d | 1005.01d1System.1011-01.d 01.02 Authorized Access to Information Systems | Define cryptographic use | 1.1.0 |
| 10 Password Management | 1005.01d1System.1011-01.d | 1005.01d1System.1011-01.d 01.02 Authorized Access to Information Systems | Document security strength requirements in acquisition contracts | 1.1.0 |
| 10 Password Management | 1005.01d1System.1011-01.d | 1005.01d1System.1011-01.d 01.02 Authorized Access to Information Systems | Establish a password policy | 1.1.0 |
| 10 Password Management | 1005.01d1System.1011-01.d | 1005.01d1System.1011-01.d 01.02 Authorized Access to Information Systems | Implement parameters for memorized secret verifiers | 1.1.0 |
| 10 Password Management | 1005.01d1System.1011-01.d | 1005.01d1System.1011-01.d 01.02 Authorized Access to Information Systems | Produce, control and distribute symmetric cryptographic keys | 1.1.0 |
| 10 Password Management | 1006.01d2System.1-01.d | 1006.01d2System.1-01.d 01.02 Authorized Access to Information Systems | Ensure there are no unencrypted static authenticators | 1.1.0 |
| 10 Password Management | 1006.01d2System.1-01.d | 1006.01d2System.1-01.d 01.02 Authorized Access to Information Systems | Generate error messages | 1.1.0 |
| 10 Password Management | 1006.01d2System.1-01.d | 1006.01d2System.1-01.d 01.02 Authorized Access to Information Systems | Identify and authenticate non-organizational users | 1.1.0 |
| 10 Password Management | 1006.01d2System.1-01.d | 1006.01d2System.1-01.d 01.02 Authorized Access to Information Systems | Implement training for protecting authenticators | 1.1.0 |
| 10 Password Management | 1006.01d2System.1-01.d | 1006.01d2System.1-01.d 01.02 Authorized Access to Information Systems | Obscure feedback information during authentication process | 1.1.0 |
| 10 Password Management | 1007.01d2System.2-01.d | 1007.01d2System.2-01.d 01.02 Authorized Access to Information Systems | Define cryptographic use | 1.1.0 |
| 10 Password Management | 1008.01d2System.3-01.d | 1008.01d2System.3-01.d 01.02 Authorized Access to Information Systems | Develop acceptable use policies and procedures | 1.1.0 |
| 10 Password Management | 1008.01d2System.3-01.d | 1008.01d2System.3-01.d 01.02 Authorized Access to Information Systems | Develop organization code of conduct policy | 1.1.0 |
| 10 Password Management | 1008.01d2System.3-01.d | 1008.01d2System.3-01.d 01.02 Authorized Access to Information Systems | Document organizational access agreements | 1.1.0 |
| 10 Password Management | 1008.01d2System.3-01.d | 1008.01d2System.3-01.d 01.02 Authorized Access to Information Systems | Document personnel acceptance of privacy requirements | 1.1.0 |
| 10 Password Management | 1008.01d2System.3-01.d | 1008.01d2System.3-01.d 01.02 Authorized Access to Information Systems | Enforce rules of behavior and access agreements | 1.1.0 |
| 10 Password Management | 1008.01d2System.3-01.d | 1008.01d2System.3-01.d 01.02 Authorized Access to Information Systems | Establish a data leakage management procedure | 1.1.0 |
| 10 Password Management | 1008.01d2System.3-01.d | 1008.01d2System.3-01.d 01.02 Authorized Access to Information Systems | Notify users of system logon or access | 1.1.0 |
| 10 Password Management | 1008.01d2System.3-01.d | 1008.01d2System.3-01.d 01.02 Authorized Access to Information Systems | Prohibit unfair practices | 1.1.0 |
| 10 Password Management | 1008.01d2System.3-01.d | 1008.01d2System.3-01.d 01.02 Authorized Access to Information Systems | Protect special information | 1.1.0 |
| 10 Password Management | 1008.01d2System.3-01.d | 1008.01d2System.3-01.d 01.02 Authorized Access to Information Systems | Require users to sign access agreement | 1.1.0 |
| 10 Password Management | 1008.01d2System.3-01.d | 1008.01d2System.3-01.d 01.02 Authorized Access to Information Systems | Review and sign revised rules of behavior | 1.1.0 |
| 10 Password Management | 1008.01d2System.3-01.d | 1008.01d2System.3-01.d 01.02 Authorized Access to Information Systems | Update information security policies | 1.1.0 |
| 10 Password Management | 1008.01d2System.3-01.d | 1008.01d2System.3-01.d 01.02 Authorized Access to Information Systems | Update organizational access agreements | 1.1.0 |
| 10 Password Management | 1008.01d2System.3-01.d | 1008.01d2System.3-01.d 01.02 Authorized Access to Information Systems | Update rules of behavior and access agreements | 1.1.0 |
| 10 Password Management | 1008.01d2System.3-01.d | 1008.01d2System.3-01.d 01.02 Authorized Access to Information Systems | Update rules of behavior and access agreements every 3 years | 1.1.0 |
| 10 Password Management | 1009.01d2System.4-01.d | 1009.01d2System.4-01.d 01.02 Authorized Access to Information Systems | Document security strength requirements in acquisition contracts | 1.1.0 |
| 10 Password Management | 1009.01d2System.4-01.d | 1009.01d2System.4-01.d 01.02 Authorized Access to Information Systems | Establish a password policy | 1.1.0 |
| 10 Password Management | 1009.01d2System.4-01.d | 1009.01d2System.4-01.d 01.02 Authorized Access to Information Systems | Implement parameters for memorized secret verifiers | 1.1.0 |
| 10 Password Management | 1009.01d2System.4-01.d | 1009.01d2System.4-01.d 01.02 Authorized Access to Information Systems | Refresh authenticators | 1.1.0 |
| 10 Password Management | 1014.01d1System.12-01.d | 1014.01d1System.12-01.d 01.02 Authorized Access to Information Systems | Document security strength requirements in acquisition contracts | 1.1.0 |
| 10 Password Management | 1014.01d1System.12-01.d | 1014.01d1System.12-01.d 01.02 Authorized Access to Information Systems | Establish a password policy | 1.1.0 |
| 10 Password Management | 1014.01d1System.12-01.d | 1014.01d1System.12-01.d 01.02 Authorized Access to Information Systems | Establish authenticator types and processes | 1.1.0 |
| 10 Password Management | 1014.01d1System.12-01.d | 1014.01d1System.12-01.d 01.02 Authorized Access to Information Systems | Establish procedures for initial authenticator distribution | 1.1.0 |
| 10 Password Management | 1014.01d1System.12-01.d | 1014.01d1System.12-01.d 01.02 Authorized Access to Information Systems | Implement parameters for memorized secret verifiers | 1.1.0 |
| 10 Password Management | 1014.01d1System.12-01.d | 1014.01d1System.12-01.d 01.02 Authorized Access to Information Systems | Implement training for protecting authenticators | 1.1.0 |
| 10 Password Management | 1014.01d1System.12-01.d | 1014.01d1System.12-01.d 01.02 Authorized Access to Information Systems | Manage authenticator lifetime and reuse | 1.1.0 |
| 10 Password Management | 1014.01d1System.12-01.d | 1014.01d1System.12-01.d 01.02 Authorized Access to Information Systems | Manage Authenticators | 1.1.0 |
| 10 Password Management | 1014.01d1System.12-01.d | 1014.01d1System.12-01.d 01.02 Authorized Access to Information Systems | Refresh authenticators | 1.1.0 |
| 10 Password Management | 1014.01d1System.12-01.d | 1014.01d1System.12-01.d 01.02 Authorized Access to Information Systems | Reissue authenticators for changed groups and accounts | 1.1.0 |
| 10 Password Management | 1014.01d1System.12-01.d | 1014.01d1System.12-01.d 01.02 Authorized Access to Information Systems | Verify identity before distributing authenticators | 1.1.0 |
| 10 Password Management | 1015.01d1System.14-01.d | 1015.01d1System.14-01.d 01.02 Authorized Access to Information Systems | Establish authenticator types and processes | 1.1.0 |
| 10 Password Management | 1015.01d1System.14-01.d | 1015.01d1System.14-01.d 01.02 Authorized Access to Information Systems | Establish procedures for initial authenticator distribution | 1.1.0 |
| 10 Password Management | 1015.01d1System.14-01.d | 1015.01d1System.14-01.d 01.02 Authorized Access to Information Systems | Reissue authenticators for changed groups and accounts | 1.1.0 |
| 10 Password Management | 1015.01d1System.14-01.d | 1015.01d1System.14-01.d 01.02 Authorized Access to Information Systems | Verify identity before distributing authenticators | 1.1.0 |
| 10 Password Management | 1022.01d1System.15-01.d | 1022.01d1System.15-01.d 01.02 Authorized Access to Information Systems | Adopt biometric authentication mechanisms | 1.1.0 |
| 10 Password Management | 1022.01d1System.15-01.d | 1022.01d1System.15-01.d 01.02 Authorized Access to Information Systems | Control use of portable storage devices | 1.1.0 |
| 10 Password Management | 1022.01d1System.15-01.d | 1022.01d1System.15-01.d 01.02 Authorized Access to Information Systems | Document security strength requirements in acquisition contracts | 1.1.0 |
| 10 Password Management | 1022.01d1System.15-01.d | 1022.01d1System.15-01.d 01.02 Authorized Access to Information Systems | Establish a password policy | 1.1.0 |
| 10 Password Management | 1022.01d1System.15-01.d | 1022.01d1System.15-01.d 01.02 Authorized Access to Information Systems | Identify and authenticate network devices | 1.1.0 |
| 10 Password Management | 1022.01d1System.15-01.d | 1022.01d1System.15-01.d 01.02 Authorized Access to Information Systems | Implement parameters for memorized secret verifiers | 1.1.0 |
| 10 Password Management | 1022.01d1System.15-01.d | 1022.01d1System.15-01.d 01.02 Authorized Access to Information Systems | Refresh authenticators | 1.1.0 |
| 10 Password Management | 1022.01d1System.15-01.d | 1022.01d1System.15-01.d 01.02 Authorized Access to Information Systems | Restrict media use | 1.1.0 |
| 10 Password Management | 1031.01d1System.34510-01.d | 1031.01d1System.34510-01.d 01.02 Authorized Access to Information Systems | Document security strength requirements in acquisition contracts | 1.1.0 |
| 10 Password Management | 1031.01d1System.34510-01.d | 1031.01d1System.34510-01.d 01.02 Authorized Access to Information Systems | Establish a password policy | 1.1.0 |
| 10 Password Management | 1031.01d1System.34510-01.d | 1031.01d1System.34510-01.d 01.02 Authorized Access to Information Systems | Establish procedures for initial authenticator distribution | 1.1.0 |
| 10 Password Management | 1031.01d1System.34510-01.d | 1031.01d1System.34510-01.d 01.02 Authorized Access to Information Systems | Implement parameters for memorized secret verifiers | 1.1.0 |
| 10 Password Management | 1031.01d1System.34510-01.d | 1031.01d1System.34510-01.d 01.02 Authorized Access to Information Systems | Manage Authenticators | 1.1.0 |
| 10 Password Management | 1031.01d1System.34510-01.d | 1031.01d1System.34510-01.d 01.02 Authorized Access to Information Systems | Refresh authenticators | 1.1.0 |
| 11 Access Control | 1106.01b1System.1-01.b | 1106.01b1System.1-01.b 01.02 Authorized Access to Information Systems | Assign account managers | 1.1.0 |
| 11 Access Control | 1106.01b1System.1-01.b | 1106.01b1System.1-01.b 01.02 Authorized Access to Information Systems | Audit user account status | 1.1.0 |
| 11 Access Control | 1106.01b1System.1-01.b | 1106.01b1System.1-01.b 01.02 Authorized Access to Information Systems | Define information system account types | 1.1.0 |
| 11 Access Control | 1106.01b1System.1-01.b | 1106.01b1System.1-01.b 01.02 Authorized Access to Information Systems | Document access privileges | 1.1.0 |
| 11 Access Control | 1106.01b1System.1-01.b | 1106.01b1System.1-01.b 01.02 Authorized Access to Information Systems | Establish conditions for role membership | 1.1.0 |
| 11 Access Control | 1106.01b1System.1-01.b | 1106.01b1System.1-01.b 01.02 Authorized Access to Information Systems | Require approval for account creation | 1.1.0 |
| 11 Access Control | 1106.01b1System.1-01.b | 1106.01b1System.1-01.b 01.02 Authorized Access to Information Systems | Restrict access to privileged accounts | 1.1.0 |
| 11 Access Control | 1106.01b1System.1-01.b | 1106.01b1System.1-01.b 01.02 Authorized Access to Information Systems | Review account provisioning logs | 1.1.0 |
| 11 Access Control | 1106.01b1System.1-01.b | 1106.01b1System.1-01.b 01.02 Authorized Access to Information Systems | Review user accounts | 1.1.0 |
| 11 Access Control | 1106.01b1System.1-01.b | 1106.01b1System.1-01.b 01.02 Authorized Access to Information Systems | Verify identity before distributing authenticators | 1.1.0 |
| 11 Access Control | 1107.01b1System.2-01.b | 1107.01b1System.2-01.b 01.02 Authorized Access to Information Systems | Establish authenticator types and processes | 1.1.0 |
| 11 Access Control | 1107.01b1System.2-01.b | 1107.01b1System.2-01.b 01.02 Authorized Access to Information Systems | Establish procedures for initial authenticator distribution | 1.1.0 |
| 11 Access Control | 1107.01b1System.2-01.b | 1107.01b1System.2-01.b 01.02 Authorized Access to Information Systems | Manage Authenticators | 1.1.0 |
| 11 Access Control | 1107.01b1System.2-01.b | 1107.01b1System.2-01.b 01.02 Authorized Access to Information Systems | Verify identity before distributing authenticators | 1.1.0 |
| 11 Access Control | 1108.01b1System.3-01.b | 1108.01b1System.3-01.b 01.02 Authorized Access to Information Systems | Assign account managers | 1.1.0 |
| 11 Access Control | 1108.01b1System.3-01.b | 1108.01b1System.3-01.b 01.02 Authorized Access to Information Systems | Define information system account types | 1.1.0 |
| 11 Access Control | 1108.01b1System.3-01.b | 1108.01b1System.3-01.b 01.02 Authorized Access to Information Systems | Monitor account activity | 1.1.0 |
| 11 Access Control | 1108.01b1System.3-01.b | 1108.01b1System.3-01.b 01.02 Authorized Access to Information Systems | Notify Account Managers of customer controlled accounts | 1.1.0 |
| 11 Access Control | 1109.01b1System.479-01.b | 1109.01b1System.479-01.b 01.02 Authorized Access to Information Systems | Conduct exit interview upon termination | 1.1.0 |
| 11 Access Control | 1109.01b1System.479-01.b | 1109.01b1System.479-01.b 01.02 Authorized Access to Information Systems | Develop acceptable use policies and procedures | 1.1.0 |
| 11 Access Control | 1109.01b1System.479-01.b | 1109.01b1System.479-01.b 01.02 Authorized Access to Information Systems | Develop organization code of conduct policy | 1.1.0 |
| 11 Access Control | 1109.01b1System.479-01.b | 1109.01b1System.479-01.b 01.02 Authorized Access to Information Systems | Disable authenticators upon termination | 1.1.0 |
| 11 Access Control | 1109.01b1System.479-01.b | 1109.01b1System.479-01.b 01.02 Authorized Access to Information Systems | Document personnel acceptance of privacy requirements | 1.1.0 |
| 11 Access Control | 1109.01b1System.479-01.b | 1109.01b1System.479-01.b 01.02 Authorized Access to Information Systems | Enforce rules of behavior and access agreements | 1.1.0 |
| 11 Access Control | 1109.01b1System.479-01.b | 1109.01b1System.479-01.b 01.02 Authorized Access to Information Systems | Initiate transfer or reassignment actions | 1.1.0 |
| 11 Access Control | 1109.01b1System.479-01.b | 1109.01b1System.479-01.b 01.02 Authorized Access to Information Systems | Manage Authenticators | 1.1.0 |
| 11 Access Control | 1109.01b1System.479-01.b | 1109.01b1System.479-01.b 01.02 Authorized Access to Information Systems | Modify access authorizations upon personnel transfer | 1.1.0 |
| 11 Access Control | 1109.01b1System.479-01.b | 1109.01b1System.479-01.b 01.02 Authorized Access to Information Systems | Notify upon termination or transfer | 1.1.0 |
| 11 Access Control | 1109.01b1System.479-01.b | 1109.01b1System.479-01.b 01.02 Authorized Access to Information Systems | Prohibit unfair practices | 1.1.0 |
| 11 Access Control | 1109.01b1System.479-01.b | 1109.01b1System.479-01.b 01.02 Authorized Access to Information Systems | Protect against and prevent data theft from departing employees | 1.1.0 |
| 11 Access Control | 1109.01b1System.479-01.b | 1109.01b1System.479-01.b 01.02 Authorized Access to Information Systems | Provide periodic security awareness training | 1.1.0 |
| 11 Access Control | 1109.01b1System.479-01.b | 1109.01b1System.479-01.b 01.02 Authorized Access to Information Systems | Provide security awareness training for insider threats | 1.1.0 |
| 11 Access Control | 1109.01b1System.479-01.b | 1109.01b1System.479-01.b 01.02 Authorized Access to Information Systems | Provide security training for new users | 1.1.0 |
| 11 Access Control | 1109.01b1System.479-01.b | 1109.01b1System.479-01.b 01.02 Authorized Access to Information Systems | Provide updated security awareness training | 1.1.0 |
| 11 Access Control | 1109.01b1System.479-01.b | 1109.01b1System.479-01.b 01.02 Authorized Access to Information Systems | Reevaluate access upon personnel transfer | 1.1.0 |
| 11 Access Control | 1109.01b1System.479-01.b | 1109.01b1System.479-01.b 01.02 Authorized Access to Information Systems | Require approval for account creation | 1.1.0 |
| 11 Access Control | 1109.01b1System.479-01.b | 1109.01b1System.479-01.b 01.02 Authorized Access to Information Systems | Retain terminated user data | 1.1.0 |
| 11 Access Control | 1109.01b1System.479-01.b | 1109.01b1System.479-01.b 01.02 Authorized Access to Information Systems | Review and sign revised rules of behavior | 1.1.0 |
| 11 Access Control | 1109.01b1System.479-01.b | 1109.01b1System.479-01.b 01.02 Authorized Access to Information Systems | Revoke privileged roles as appropriate | 1.1.0 |
| 11 Access Control | 1109.01b1System.479-01.b | 1109.01b1System.479-01.b 01.02 Authorized Access to Information Systems | Update rules of behavior and access agreements | 1.1.0 |
| 11 Access Control | 1109.01b1System.479-01.b | 1109.01b1System.479-01.b 01.02 Authorized Access to Information Systems | Update rules of behavior and access agreements every 3 years | 1.1.0 |
| 11 Access Control | 1109.01b1System.479-01.b | 1109.01b1System.479-01.b 01.02 Authorized Access to Information Systems | Verify identity before distributing authenticators | 1.1.0 |
| 11 Access Control | 1110.01b1System.5-01.b | 1110.01b1System.5-01.b 01.02 Authorized Access to Information Systems | Define and enforce conditions for shared and group accounts | 1.1.0 |
| 11 Access Control | 1110.01b1System.5-01.b | 1110.01b1System.5-01.b 01.02 Authorized Access to Information Systems | Develop acceptable use policies and procedures | 1.1.0 |
| 11 Access Control | 1110.01b1System.5-01.b | 1110.01b1System.5-01.b 01.02 Authorized Access to Information Systems | Develop organization code of conduct policy | 1.1.0 |
| 11 Access Control | 1110.01b1System.5-01.b | 1110.01b1System.5-01.b 01.02 Authorized Access to Information Systems | Document personnel acceptance of privacy requirements | 1.1.0 |
| 11 Access Control | 1110.01b1System.5-01.b | 1110.01b1System.5-01.b 01.02 Authorized Access to Information Systems | Enforce rules of behavior and access agreements | 1.1.0 |
| 11 Access Control | 1110.01b1System.5-01.b | 1110.01b1System.5-01.b 01.02 Authorized Access to Information Systems | Prohibit unfair practices | 1.1.0 |
| 11 Access Control | 1110.01b1System.5-01.b | 1110.01b1System.5-01.b 01.02 Authorized Access to Information Systems | Reissue authenticators for changed groups and accounts | 1.1.0 |
| 11 Access Control | 1110.01b1System.5-01.b | 1110.01b1System.5-01.b 01.02 Authorized Access to Information Systems | Review and sign revised rules of behavior | 1.1.0 |
| 11 Access Control | 1110.01b1System.5-01.b | 1110.01b1System.5-01.b 01.02 Authorized Access to Information Systems | Update information security policies | 1.1.0 |
| 11 Access Control | 1110.01b1System.5-01.b | 1110.01b1System.5-01.b 01.02 Authorized Access to Information Systems | Update rules of behavior and access agreements | 1.1.0 |
| 11 Access Control | 1110.01b1System.5-01.b | 1110.01b1System.5-01.b 01.02 Authorized Access to Information Systems | Update rules of behavior and access agreements every 3 years | 1.1.0 |
| 11 Access Control | 11109.01q1Organizational.57-01.q | 11109.01q1Organizational.57-01.q 01.05 Operating System Access Control | Accounts with owner permissions on Azure resources should be MFA enabled | 1.0.0 |
| 11 Access Control | 11109.01q1Organizational.57-01.q | 11109.01q1Organizational.57-01.q 01.05 Operating System Access Control | Adopt biometric authentication mechanisms | 1.1.0 |
| 11 Access Control | 11109.01q1Organizational.57-01.q | 11109.01q1Organizational.57-01.q 01.05 Operating System Access Control | Assign system identifiers | 1.1.0 |
| 11 Access Control | 11109.01q1Organizational.57-01.q | 11109.01q1Organizational.57-01.q 01.05 Operating System Access Control | Enforce user uniqueness | 1.1.0 |
| 11 Access Control | 11109.01q1Organizational.57-01.q | 11109.01q1Organizational.57-01.q 01.05 Operating System Access Control | Identify status of individual users | 1.1.0 |
| 11 Access Control | 11109.01q1Organizational.57-01.q | 11109.01q1Organizational.57-01.q 01.05 Operating System Access Control | Prevent identifier reuse for the defined time period | 1.1.0 |
| 11 Access Control | 11109.01q1Organizational.57-01.q | 11109.01q1Organizational.57-01.q 01.05 Operating System Access Control | Support personal verification credentials issued by legal authorities | 1.1.0 |
| 11 Access Control | 1111.01b2System.1-01.b | 1111.01b2System.1-01.b 01.02 Authorized Access to Information Systems | Define and enforce conditions for shared and group accounts | 1.1.0 |
| 11 Access Control | 1111.01b2System.1-01.b | 1111.01b2System.1-01.b 01.02 Authorized Access to Information Systems | Reissue authenticators for changed groups and accounts | 1.1.0 |
| 11 Access Control | 11111.01q2System.4-01.q | 11111.01q2System.4-01.q 01.05 Operating System Access Control | Accounts with read permissions on Azure resources should be MFA enabled | 1.0.0 |
| 11 Access Control | 11111.01q2System.4-01.q | 11111.01q2System.4-01.q 01.05 Operating System Access Control | Establish authenticator types and processes | 1.1.0 |
| 11 Access Control | 11111.01q2System.4-01.q | 11111.01q2System.4-01.q 01.05 Operating System Access Control | Establish procedures for initial authenticator distribution | 1.1.0 |
| 11 Access Control | 11111.01q2System.4-01.q | 11111.01q2System.4-01.q 01.05 Operating System Access Control | Verify identity before distributing authenticators | 1.1.0 |
| 11 Access Control | 11112.01q2Organizational.67-01.q | 11112.01q2Organizational.67-01.q 01.05 Operating System Access Control | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| 11 Access Control | 11112.01q2Organizational.67-01.q | 11112.01q2Organizational.67-01.q 01.05 Operating System Access Control | Adopt biometric authentication mechanisms | 1.1.0 |
| 11 Access Control | 11112.01q2Organizational.67-01.q | 11112.01q2Organizational.67-01.q 01.05 Operating System Access Control | Satisfy token quality requirements | 1.1.0 |
| 11 Access Control | 1112.01b2System.2-01.b | 1112.01b2System.2-01.b 01.02 Authorized Access to Information Systems | Assign an authorizing official (AO) | 1.1.0 |
| 11 Access Control | 1112.01b2System.2-01.b | 1112.01b2System.2-01.b 01.02 Authorized Access to Information Systems | Distribute authenticators | 1.1.0 |
| 11 Access Control | 1112.01b2System.2-01.b | 1112.01b2System.2-01.b 01.02 Authorized Access to Information Systems | Ensure resources are authorized | 1.1.0 |
| 11 Access Control | 1112.01b2System.2-01.b | 1112.01b2System.2-01.b 01.02 Authorized Access to Information Systems | Establish authenticator types and processes | 1.1.0 |
| 11 Access Control | 1112.01b2System.2-01.b | 1112.01b2System.2-01.b 01.02 Authorized Access to Information Systems | Satisfy token quality requirements | 1.1.0 |
| 11 Access Control | 1112.01b2System.2-01.b | 1112.01b2System.2-01.b 01.02 Authorized Access to Information Systems | Update the security authorization | 1.1.0 |
| 11 Access Control | 1112.01b2System.2-01.b | 1112.01b2System.2-01.b 01.02 Authorized Access to Information Systems | Verify identity before distributing authenticators | 1.1.0 |
| 11 Access Control | 11126.01t1Organizational.12-01.t | 11126.01t1Organizational.12-01.t 01.05 Operating System Access Control | Reauthenticate or terminate a user session | 1.1.0 |
| 11 Access Control | 1114.01h1Organizational.123-01.h | 1114.01h1Organizational.123-01.h 01.03 User Responsibilities | Define and enforce the limit of concurrent sessions | 1.1.0 |
| 11 Access Control | 1114.01h1Organizational.123-01.h | 1114.01h1Organizational.123-01.h 01.03 User Responsibilities | Terminate user session automatically | 1.1.0 |
| 11 Access Control | 11154.02i1Organizational.5-02.i | 11154.02i1Organizational.5-02.i 02.04 Termination or Change of Employment | Conduct exit interview upon termination | 1.1.0 |
| 11 Access Control | 11154.02i1Organizational.5-02.i | 11154.02i1Organizational.5-02.i 02.04 Termination or Change of Employment | Disable authenticators upon termination | 1.1.0 |
| 11 Access Control | 11154.02i1Organizational.5-02.i | 11154.02i1Organizational.5-02.i 02.04 Termination or Change of Employment | Initiate transfer or reassignment actions | 1.1.0 |
| 11 Access Control | 11154.02i1Organizational.5-02.i | 11154.02i1Organizational.5-02.i 02.04 Termination or Change of Employment | Modify access authorizations upon personnel transfer | 1.1.0 |
| 11 Access Control | 11154.02i1Organizational.5-02.i | 11154.02i1Organizational.5-02.i 02.04 Termination or Change of Employment | Notify upon termination or transfer | 1.1.0 |
| 11 Access Control | 11154.02i1Organizational.5-02.i | 11154.02i1Organizational.5-02.i 02.04 Termination or Change of Employment | Protect against and prevent data theft from departing employees | 1.1.0 |
| 11 Access Control | 11154.02i1Organizational.5-02.i | 11154.02i1Organizational.5-02.i 02.04 Termination or Change of Employment | Reevaluate access upon personnel transfer | 1.1.0 |
| 11 Access Control | 11154.02i1Organizational.5-02.i | 11154.02i1Organizational.5-02.i 02.04 Termination or Change of Employment | Retain terminated user data | 1.1.0 |
| 11 Access Control | 11155.02i2Organizational.2-02.i | 11155.02i2Organizational.2-02.i 02.04 Termination or Change of Employment | Automate account management | 1.1.0 |
| 11 Access Control | 11155.02i2Organizational.2-02.i | 11155.02i2Organizational.2-02.i 02.04 Termination or Change of Employment | Conduct exit interview upon termination | 1.1.0 |
| 11 Access Control | 11155.02i2Organizational.2-02.i | 11155.02i2Organizational.2-02.i 02.04 Termination or Change of Employment | Disable authenticators upon termination | 1.1.0 |
| 11 Access Control | 11155.02i2Organizational.2-02.i | 11155.02i2Organizational.2-02.i 02.04 Termination or Change of Employment | Manage system and admin accounts | 1.1.0 |
| 11 Access Control | 11155.02i2Organizational.2-02.i | 11155.02i2Organizational.2-02.i 02.04 Termination or Change of Employment | Monitor access across the organization | 1.1.0 |
| 11 Access Control | 11155.02i2Organizational.2-02.i | 11155.02i2Organizational.2-02.i 02.04 Termination or Change of Employment | Notify Account Managers of customer controlled accounts | 1.1.0 |
| 11 Access Control | 11155.02i2Organizational.2-02.i | 11155.02i2Organizational.2-02.i 02.04 Termination or Change of Employment | Notify upon termination or transfer | 1.1.0 |
| 11 Access Control | 11155.02i2Organizational.2-02.i | 11155.02i2Organizational.2-02.i 02.04 Termination or Change of Employment | Notify when account is not needed | 1.1.0 |
| 11 Access Control | 11155.02i2Organizational.2-02.i | 11155.02i2Organizational.2-02.i 02.04 Termination or Change of Employment | Protect against and prevent data theft from departing employees | 1.1.0 |
| 11 Access Control | 11155.02i2Organizational.2-02.i | 11155.02i2Organizational.2-02.i 02.04 Termination or Change of Employment | Retain terminated user data | 1.1.0 |
| 11 Access Control | 1116.01j1Organizational.145-01.j | 1116.01j1Organizational.145-01.j 01.04 Network Access Control | Accounts with owner permissions on Azure resources should be MFA enabled | 1.0.0 |
| 11 Access Control | 1116.01j1Organizational.145-01.j | 1116.01j1Organizational.145-01.j 01.04 Network Access Control | Document security strength requirements in acquisition contracts | 1.1.0 |
| 11 Access Control | 1116.01j1Organizational.145-01.j | 1116.01j1Organizational.145-01.j 01.04 Network Access Control | Establish a password policy | 1.1.0 |
| 11 Access Control | 1116.01j1Organizational.145-01.j | 1116.01j1Organizational.145-01.j 01.04 Network Access Control | Establish authenticator types and processes | 1.1.0 |
| 11 Access Control | 1116.01j1Organizational.145-01.j | 1116.01j1Organizational.145-01.j 01.04 Network Access Control | Implement parameters for memorized secret verifiers | 1.1.0 |
| 11 Access Control | 1116.01j1Organizational.145-01.j | 1116.01j1Organizational.145-01.j 01.04 Network Access Control | Verify identity before distributing authenticators | 1.1.0 |
| 11 Access Control | 1118.01j2Organizational.124-01.j | 1118.01j2Organizational.124-01.j 01.04 Network Access Control | Accounts with read permissions on Azure resources should be MFA enabled | 1.0.0 |
| 11 Access Control | 1118.01j2Organizational.124-01.j | 1118.01j2Organizational.124-01.j 01.04 Network Access Control | Authorize remote access | 1.1.0 |
| 11 Access Control | 1118.01j2Organizational.124-01.j | 1118.01j2Organizational.124-01.j 01.04 Network Access Control | Document mobility training | 1.1.0 |
| 11 Access Control | 1118.01j2Organizational.124-01.j | 1118.01j2Organizational.124-01.j 01.04 Network Access Control | Document remote access guidelines | 1.1.0 |
| 11 Access Control | 1118.01j2Organizational.124-01.j | 1118.01j2Organizational.124-01.j 01.04 Network Access Control | Implement controls to secure alternate work sites | 1.1.0 |
| 11 Access Control | 1118.01j2Organizational.124-01.j | 1118.01j2Organizational.124-01.j 01.04 Network Access Control | Monitor access across the organization | 1.1.0 |
| 11 Access Control | 1118.01j2Organizational.124-01.j | 1118.01j2Organizational.124-01.j 01.04 Network Access Control | Notify users of system logon or access | 1.1.0 |
| 11 Access Control | 1118.01j2Organizational.124-01.j | 1118.01j2Organizational.124-01.j 01.04 Network Access Control | Provide privacy training | 1.1.0 |
| 11 Access Control | 1118.01j2Organizational.124-01.j | 1118.01j2Organizational.124-01.j 01.04 Network Access Control | Route traffic through managed network access points | 1.1.0 |
| 11 Access Control | 11180.01c3System.6-01.c | 11180.01c3System.6-01.c 01.02 Authorized Access to Information Systems | Authorize access to security functions and information | 1.1.0 |
| 11 Access Control | 11180.01c3System.6-01.c | 11180.01c3System.6-01.c 01.02 Authorized Access to Information Systems | Authorize and manage access | 1.1.0 |
| 11 Access Control | 11180.01c3System.6-01.c | 11180.01c3System.6-01.c 01.02 Authorized Access to Information Systems | Design an access control model | 1.1.0 |
| 11 Access Control | 11180.01c3System.6-01.c | 11180.01c3System.6-01.c 01.02 Authorized Access to Information Systems | Employ least privilege access | 1.1.0 |
| 11 Access Control | 11180.01c3System.6-01.c | 11180.01c3System.6-01.c 01.02 Authorized Access to Information Systems | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 11 Access Control | 11180.01c3System.6-01.c | 11180.01c3System.6-01.c 01.02 Authorized Access to Information Systems | Restrict access to privileged accounts | 1.1.0 |
| 11 Access Control | 1119.01j2Organizational.3-01.j | 1119.01j2Organizational.3-01.j 01.04 Network Access Control | Enable detection of network devices | 1.1.0 |
| 11 Access Control | 1119.01j2Organizational.3-01.j | 1119.01j2Organizational.3-01.j 01.04 Network Access Control | Require interconnection security agreements | 1.1.0 |
| 11 Access Control | 1119.01j2Organizational.3-01.j | 1119.01j2Organizational.3-01.j 01.04 Network Access Control | Secure the interface to external systems | 1.1.0 |
| 11 Access Control | 1119.01j2Organizational.3-01.j | 1119.01j2Organizational.3-01.j 01.04 Network Access Control | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| 11 Access Control | 11190.01t1Organizational.3-01.t | 11190.01t1Organizational.3-01.t 01.05 Operating System Access Control | Adopt biometric authentication mechanisms | 1.1.0 |
| 11 Access Control | 11190.01t1Organizational.3-01.t | 11190.01t1Organizational.3-01.t 01.05 Operating System Access Control | Control physical access | 1.1.0 |
| 11 Access Control | 11190.01t1Organizational.3-01.t | 11190.01t1Organizational.3-01.t 01.05 Operating System Access Control | Identify and authenticate network devices | 1.1.0 |
| 11 Access Control | 11190.01t1Organizational.3-01.t | 11190.01t1Organizational.3-01.t 01.05 Operating System Access Control | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| 11 Access Control | 11190.01t1Organizational.3-01.t | 11190.01t1Organizational.3-01.t 01.05 Operating System Access Control | Manage the input, output, processing, and storage of data | 1.1.0 |
| 11 Access Control | 1120.09ab3System.9-09.ab | 1120.09ab3System.9-09.ab 09.10 Monitoring | Azure Monitor should collect activity logs from all regions | 2.0.0 |
| 11 Access Control | 1121.01j3Organizational.2-01.j | 1121.01j3Organizational.2-01.j 01.04 Network Access Control | Accounts with owner permissions on Azure resources should be MFA enabled | 1.0.0 |
| 11 Access Control | 1121.01j3Organizational.2-01.j | 1121.01j3Organizational.2-01.j 01.04 Network Access Control | Adopt biometric authentication mechanisms | 1.1.0 |
| 11 Access Control | 1121.01j3Organizational.2-01.j | 1121.01j3Organizational.2-01.j 01.04 Network Access Control | Authorize remote access | 1.1.0 |
| 11 Access Control | 1121.01j3Organizational.2-01.j | 1121.01j3Organizational.2-01.j 01.04 Network Access Control | Document mobility training | 1.1.0 |
| 11 Access Control | 1121.01j3Organizational.2-01.j | 1121.01j3Organizational.2-01.j 01.04 Network Access Control | Document remote access guidelines | 1.1.0 |
| 11 Access Control | 1121.01j3Organizational.2-01.j | 1121.01j3Organizational.2-01.j 01.04 Network Access Control | Enforce user uniqueness | 1.1.0 |
| 11 Access Control | 1121.01j3Organizational.2-01.j | 1121.01j3Organizational.2-01.j 01.04 Network Access Control | Identify and authenticate network devices | 1.1.0 |
| 11 Access Control | 1121.01j3Organizational.2-01.j | 1121.01j3Organizational.2-01.j 01.04 Network Access Control | Implement controls to secure alternate work sites | 1.1.0 |
| 11 Access Control | 1121.01j3Organizational.2-01.j | 1121.01j3Organizational.2-01.j 01.04 Network Access Control | Notify users of system logon or access | 1.1.0 |
| 11 Access Control | 1121.01j3Organizational.2-01.j | 1121.01j3Organizational.2-01.j 01.04 Network Access Control | Provide privacy training | 1.1.0 |
| 11 Access Control | 1121.01j3Organizational.2-01.j | 1121.01j3Organizational.2-01.j 01.04 Network Access Control | Support personal verification credentials issued by legal authorities | 1.1.0 |
| 11 Access Control | 11219.01b1Organizational.10-01.b | 11219.01b1Organizational.10-01.b 01.02 Authorized Access to Information Systems | Define access authorizations to support separation of duties | 1.1.0 |
| 11 Access Control | 11219.01b1Organizational.10-01.b | 11219.01b1Organizational.10-01.b 01.02 Authorized Access to Information Systems | Design an access control model | 1.1.0 |
| 11 Access Control | 11219.01b1Organizational.10-01.b | 11219.01b1Organizational.10-01.b 01.02 Authorized Access to Information Systems | Document separation of duties | 1.1.0 |
| 11 Access Control | 11219.01b1Organizational.10-01.b | 11219.01b1Organizational.10-01.b 01.02 Authorized Access to Information Systems | Employ least privilege access | 1.1.0 |
| 11 Access Control | 11219.01b1Organizational.10-01.b | 11219.01b1Organizational.10-01.b 01.02 Authorized Access to Information Systems | Separate duties of individuals | 1.1.0 |
| 11 Access Control | 1122.01q1System.1-01.q | 1122.01q1System.1-01.q 01.05 Operating System Access Control | Accept only FICAM-approved third-party credentials | 1.1.0 |
| 11 Access Control | 1122.01q1System.1-01.q | 1122.01q1System.1-01.q 01.05 Operating System Access Control | Adopt biometric authentication mechanisms | 1.1.0 |
| 11 Access Control | 1122.01q1System.1-01.q | 1122.01q1System.1-01.q 01.05 Operating System Access Control | Conform to FICAM-issued profiles | 1.1.0 |
| 11 Access Control | 1122.01q1System.1-01.q | 1122.01q1System.1-01.q 01.05 Operating System Access Control | Employ FICAM-approved resources to accept third-party credentials | 1.1.0 |
| 11 Access Control | 1122.01q1System.1-01.q | 1122.01q1System.1-01.q 01.05 Operating System Access Control | Enforce user uniqueness | 1.1.0 |
| 11 Access Control | 1122.01q1System.1-01.q | 1122.01q1System.1-01.q 01.05 Operating System Access Control | Identify and authenticate non-organizational users | 1.1.0 |
| 11 Access Control | 1122.01q1System.1-01.q | 1122.01q1System.1-01.q 01.05 Operating System Access Control | Support personal verification credentials issued by legal authorities | 1.1.0 |
| 11 Access Control | 11220.01b1System.10-01.b | 11220.01b1System.10-01.b 01.02 Authorized Access to Information Systems | Assign account managers | 1.1.0 |
| 11 Access Control | 11220.01b1System.10-01.b | 11220.01b1System.10-01.b 01.02 Authorized Access to Information Systems | Audit user account status | 1.1.0 |
| 11 Access Control | 11220.01b1System.10-01.b | 11220.01b1System.10-01.b 01.02 Authorized Access to Information Systems | Conduct exit interview upon termination | 1.1.0 |
| 11 Access Control | 11220.01b1System.10-01.b | 11220.01b1System.10-01.b 01.02 Authorized Access to Information Systems | Define and enforce conditions for shared and group accounts | 1.1.0 |
| 11 Access Control | 11220.01b1System.10-01.b | 11220.01b1System.10-01.b 01.02 Authorized Access to Information Systems | Define information system account types | 1.1.0 |
| 11 Access Control | 11220.01b1System.10-01.b | 11220.01b1System.10-01.b 01.02 Authorized Access to Information Systems | Disable authenticators upon termination | 1.1.0 |
| 11 Access Control | 11220.01b1System.10-01.b | 11220.01b1System.10-01.b 01.02 Authorized Access to Information Systems | Document access privileges | 1.1.0 |
| 11 Access Control | 11220.01b1System.10-01.b | 11220.01b1System.10-01.b 01.02 Authorized Access to Information Systems | Establish conditions for role membership | 1.1.0 |
| 11 Access Control | 11220.01b1System.10-01.b | 11220.01b1System.10-01.b 01.02 Authorized Access to Information Systems | Initiate transfer or reassignment actions | 1.1.0 |
| 11 Access Control | 11220.01b1System.10-01.b | 11220.01b1System.10-01.b 01.02 Authorized Access to Information Systems | Manage Authenticators | 1.1.0 |
| 11 Access Control | 11220.01b1System.10-01.b | 11220.01b1System.10-01.b 01.02 Authorized Access to Information Systems | Modify access authorizations upon personnel transfer | 1.1.0 |
| 11 Access Control | 11220.01b1System.10-01.b | 11220.01b1System.10-01.b 01.02 Authorized Access to Information Systems | Monitor account activity | 1.1.0 |
| 11 Access Control | 11220.01b1System.10-01.b | 11220.01b1System.10-01.b 01.02 Authorized Access to Information Systems | Notify Account Managers of customer controlled accounts | 1.1.0 |
| 11 Access Control | 11220.01b1System.10-01.b | 11220.01b1System.10-01.b 01.02 Authorized Access to Information Systems | Notify upon termination or transfer | 1.1.0 |
| 11 Access Control | 11220.01b1System.10-01.b | 11220.01b1System.10-01.b 01.02 Authorized Access to Information Systems | Protect against and prevent data theft from departing employees | 1.1.0 |
| 11 Access Control | 11220.01b1System.10-01.b | 11220.01b1System.10-01.b 01.02 Authorized Access to Information Systems | Provide periodic security awareness training | 1.1.0 |
| 11 Access Control | 11220.01b1System.10-01.b | 11220.01b1System.10-01.b 01.02 Authorized Access to Information Systems | Provide security training for new users | 1.1.0 |
| 11 Access Control | 11220.01b1System.10-01.b | 11220.01b1System.10-01.b 01.02 Authorized Access to Information Systems | Provide updated security awareness training | 1.1.0 |
| 11 Access Control | 11220.01b1System.10-01.b | 11220.01b1System.10-01.b 01.02 Authorized Access to Information Systems | Reevaluate access upon personnel transfer | 1.1.0 |
| 11 Access Control | 11220.01b1System.10-01.b | 11220.01b1System.10-01.b 01.02 Authorized Access to Information Systems | Reissue authenticators for changed groups and accounts | 1.1.0 |
| 11 Access Control | 11220.01b1System.10-01.b | 11220.01b1System.10-01.b 01.02 Authorized Access to Information Systems | Require approval for account creation | 1.1.0 |
| 11 Access Control | 11220.01b1System.10-01.b | 11220.01b1System.10-01.b 01.02 Authorized Access to Information Systems | Restrict access to privileged accounts | 1.1.0 |
| 11 Access Control | 11220.01b1System.10-01.b | 11220.01b1System.10-01.b 01.02 Authorized Access to Information Systems | Retain terminated user data | 1.1.0 |
| 11 Access Control | 11220.01b1System.10-01.b | 11220.01b1System.10-01.b 01.02 Authorized Access to Information Systems | Review account provisioning logs | 1.1.0 |
| 11 Access Control | 11220.01b1System.10-01.b | 11220.01b1System.10-01.b 01.02 Authorized Access to Information Systems | Review user accounts | 1.1.0 |
| 11 Access Control | 11220.01b1System.10-01.b | 11220.01b1System.10-01.b 01.02 Authorized Access to Information Systems | Revoke privileged roles as appropriate | 1.1.0 |
| 11 Access Control | 1123.01q1System.2-01.q | 1123.01q1System.2-01.q 01.05 Operating System Access Control | Authorize access to security functions and information | 1.1.0 |
| 11 Access Control | 1123.01q1System.2-01.q | 1123.01q1System.2-01.q 01.05 Operating System Access Control | Authorize and manage access | 1.1.0 |
| 11 Access Control | 1123.01q1System.2-01.q | 1123.01q1System.2-01.q 01.05 Operating System Access Control | Design an access control model | 1.1.0 |
| 11 Access Control | 1123.01q1System.2-01.q | 1123.01q1System.2-01.q 01.05 Operating System Access Control | Employ least privilege access | 1.1.0 |
| 11 Access Control | 1123.01q1System.2-01.q | 1123.01q1System.2-01.q 01.05 Operating System Access Control | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 11 Access Control | 1124.01q1System.34-01.q | 1124.01q1System.34-01.q 01.05 Operating System Access Control | Define and enforce conditions for shared and group accounts | 1.1.0 |
| 11 Access Control | 1124.01q1System.34-01.q | 1124.01q1System.34-01.q 01.05 Operating System Access Control | Reissue authenticators for changed groups and accounts | 1.1.0 |
| 11 Access Control | 1125.01q2System.1-01.q | 1125.01q2System.1-01.q 01.05 Operating System Access Control | Adopt biometric authentication mechanisms | 1.1.0 |
| 11 Access Control | 1125.01q2System.1-01.q | 1125.01q2System.1-01.q 01.05 Operating System Access Control | Enforce user uniqueness | 1.1.0 |
| 11 Access Control | 1125.01q2System.1-01.q | 1125.01q2System.1-01.q 01.05 Operating System Access Control | Support personal verification credentials issued by legal authorities | 1.1.0 |
| 11 Access Control | 1127.01q2System.3-01.q | 1127.01q2System.3-01.q 01.05 Operating System Access Control | Distribute authenticators | 1.1.0 |
| 11 Access Control | 1128.01q2System.5-01.q | 1128.01q2System.5-01.q 01.05 Operating System Access Control | Develop acceptable use policies and procedures | 1.1.0 |
| 11 Access Control | 1128.01q2System.5-01.q | 1128.01q2System.5-01.q 01.05 Operating System Access Control | Enforce rules of behavior and access agreements | 1.1.0 |
| 11 Access Control | 1128.01q2System.5-01.q | 1128.01q2System.5-01.q 01.05 Operating System Access Control | Provide privacy training | 1.1.0 |
| 11 Access Control | 1129.01v1System.12-01.v | 1129.01v1System.12-01.v 01.06 Application and Information Access Control | Audit privileged functions | 1.1.0 |
| 11 Access Control | 1129.01v1System.12-01.v | 1129.01v1System.12-01.v 01.06 Application and Information Access Control | Authorize access to security functions and information | 1.1.0 |
| 11 Access Control | 1129.01v1System.12-01.v | 1129.01v1System.12-01.v 01.06 Application and Information Access Control | Authorize and manage access | 1.1.0 |
| 11 Access Control | 1129.01v1System.12-01.v | 1129.01v1System.12-01.v 01.06 Application and Information Access Control | Define information system account types | 1.1.0 |
| 11 Access Control | 1129.01v1System.12-01.v | 1129.01v1System.12-01.v 01.06 Application and Information Access Control | Design an access control model | 1.1.0 |
| 11 Access Control | 1129.01v1System.12-01.v | 1129.01v1System.12-01.v 01.06 Application and Information Access Control | Employ least privilege access | 1.1.0 |
| 11 Access Control | 1129.01v1System.12-01.v | 1129.01v1System.12-01.v 01.06 Application and Information Access Control | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 11 Access Control | 1129.01v1System.12-01.v | 1129.01v1System.12-01.v 01.06 Application and Information Access Control | Monitor account activity | 1.1.0 |
| 11 Access Control | 1129.01v1System.12-01.v | 1129.01v1System.12-01.v 01.06 Application and Information Access Control | Monitor privileged role assignment | 1.1.0 |
| 11 Access Control | 1129.01v1System.12-01.v | 1129.01v1System.12-01.v 01.06 Application and Information Access Control | Restrict access to privileged accounts | 1.1.0 |
| 11 Access Control | 1129.01v1System.12-01.v | 1129.01v1System.12-01.v 01.06 Application and Information Access Control | Revoke privileged roles as appropriate | 1.1.0 |
| 11 Access Control | 1129.01v1System.12-01.v | 1129.01v1System.12-01.v 01.06 Application and Information Access Control | Use privileged identity management | 1.1.0 |
| 11 Access Control | 1130.01v2System.1-01.v | 1130.01v2System.1-01.v 01.06 Application and Information Access Control | Assign account managers | 1.1.0 |
| 11 Access Control | 1130.01v2System.1-01.v | 1130.01v2System.1-01.v 01.06 Application and Information Access Control | Define information system account types | 1.1.0 |
| 11 Access Control | 1130.01v2System.1-01.v | 1130.01v2System.1-01.v 01.06 Application and Information Access Control | Document access privileges | 1.1.0 |
| 11 Access Control | 1130.01v2System.1-01.v | 1130.01v2System.1-01.v 01.06 Application and Information Access Control | Establish conditions for role membership | 1.1.0 |
| 11 Access Control | 1130.01v2System.1-01.v | 1130.01v2System.1-01.v 01.06 Application and Information Access Control | Restrict access to privileged accounts | 1.1.0 |
| 11 Access Control | 1131.01v2System.2-01.v | 1131.01v2System.2-01.v 01.06 Application and Information Access Control | Control information flow | 1.1.0 |
| 11 Access Control | 1131.01v2System.2-01.v | 1131.01v2System.2-01.v 01.06 Application and Information Access Control | Employ flow control mechanisms of encrypted information | 1.1.0 |
| 11 Access Control | 1131.01v2System.2-01.v | 1131.01v2System.2-01.v 01.06 Application and Information Access Control | Establish firewall and router configuration standards | 1.1.0 |
| 11 Access Control | 1131.01v2System.2-01.v | 1131.01v2System.2-01.v 01.06 Application and Information Access Control | Establish network segmentation for card holder data environment | 1.1.0 |
| 11 Access Control | 1131.01v2System.2-01.v | 1131.01v2System.2-01.v 01.06 Application and Information Access Control | Identify and manage downstream information exchanges | 1.1.0 |
| 11 Access Control | 1131.01v2System.2-01.v | 1131.01v2System.2-01.v 01.06 Application and Information Access Control | Information flow control using security policy filters | 1.1.0 |
| 11 Access Control | 1132.01v2System.3-01.v | 1132.01v2System.3-01.v 01.06 Application and Information Access Control | Establish a data leakage management procedure | 1.1.0 |
| 11 Access Control | 1132.01v2System.3-01.v | 1132.01v2System.3-01.v 01.06 Application and Information Access Control | Protect special information | 1.1.0 |
| 11 Access Control | 1133.01v2System.4-01.v | 1133.01v2System.4-01.v 01.06 Application and Information Access Control | Identify actions allowed without authentication | 1.1.0 |
| 11 Access Control | 1134.01v3System.1-01.v | 1134.01v3System.1-01.v 01.06 Application and Information Access Control | Establish a data leakage management procedure | 1.1.0 |
| 11 Access Control | 1134.01v3System.1-01.v | 1134.01v3System.1-01.v 01.06 Application and Information Access Control | Limit privileges to make changes in production environment | 1.1.0 |
| 11 Access Control | 1134.01v3System.1-01.v | 1134.01v3System.1-01.v 01.06 Application and Information Access Control | Protect special information | 1.1.0 |
| 11 Access Control | 1135.02i1Organizational.1234-02.i | 1135.02i1Organizational.1234-02.i 02.04 Termination or Change of Employment | Conduct exit interview upon termination | 1.1.0 |
| 11 Access Control | 1135.02i1Organizational.1234-02.i | 1135.02i1Organizational.1234-02.i 02.04 Termination or Change of Employment | Disable authenticators upon termination | 1.1.0 |
| 11 Access Control | 1135.02i1Organizational.1234-02.i | 1135.02i1Organizational.1234-02.i 02.04 Termination or Change of Employment | Initiate transfer or reassignment actions | 1.1.0 |
| 11 Access Control | 1135.02i1Organizational.1234-02.i | 1135.02i1Organizational.1234-02.i 02.04 Termination or Change of Employment | Modify access authorizations upon personnel transfer | 1.1.0 |
| 11 Access Control | 1135.02i1Organizational.1234-02.i | 1135.02i1Organizational.1234-02.i 02.04 Termination or Change of Employment | Notify upon termination or transfer | 1.1.0 |
| 11 Access Control | 1135.02i1Organizational.1234-02.i | 1135.02i1Organizational.1234-02.i 02.04 Termination or Change of Employment | Protect against and prevent data theft from departing employees | 1.1.0 |
| 11 Access Control | 1135.02i1Organizational.1234-02.i | 1135.02i1Organizational.1234-02.i 02.04 Termination or Change of Employment | Reevaluate access upon personnel transfer | 1.1.0 |
| 11 Access Control | 1135.02i1Organizational.1234-02.i | 1135.02i1Organizational.1234-02.i 02.04 Termination or Change of Employment | Retain terminated user data | 1.1.0 |
| 11 Access Control | 1135.02i1Organizational.1234-02.i | 1135.02i1Organizational.1234-02.i 02.04 Termination or Change of Employment | Revoke privileged roles as appropriate | 1.1.0 |
| 11 Access Control | 1136.02i2Organizational.1-02.i | 1136.02i2Organizational.1-02.i 02.04 Termination or Change of Employment | Conduct exit interview upon termination | 1.1.0 |
| 11 Access Control | 1136.02i2Organizational.1-02.i | 1136.02i2Organizational.1-02.i 02.04 Termination or Change of Employment | Disable authenticators upon termination | 1.1.0 |
| 11 Access Control | 1136.02i2Organizational.1-02.i | 1136.02i2Organizational.1-02.i 02.04 Termination or Change of Employment | Disable user accounts posing a significant risk | 1.1.0 |
| 11 Access Control | 1136.02i2Organizational.1-02.i | 1136.02i2Organizational.1-02.i 02.04 Termination or Change of Employment | Notify upon termination or transfer | 1.1.0 |
| 11 Access Control | 1136.02i2Organizational.1-02.i | 1136.02i2Organizational.1-02.i 02.04 Termination or Change of Employment | Protect against and prevent data theft from departing employees | 1.1.0 |
| 11 Access Control | 1136.02i2Organizational.1-02.i | 1136.02i2Organizational.1-02.i 02.04 Termination or Change of Employment | Retain terminated user data | 1.1.0 |
| 11 Access Control | 1137.06e1Organizational.1-06.e | 1137.06e1Organizational.1-06.e 06.01 Compliance with Legal Requirements | Develop acceptable use policies and procedures | 1.1.0 |
| 11 Access Control | 1137.06e1Organizational.1-06.e | 1137.06e1Organizational.1-06.e 06.01 Compliance with Legal Requirements | Develop organization code of conduct policy | 1.1.0 |
| 11 Access Control | 1137.06e1Organizational.1-06.e | 1137.06e1Organizational.1-06.e 06.01 Compliance with Legal Requirements | Document personnel acceptance of privacy requirements | 1.1.0 |
| 11 Access Control | 1137.06e1Organizational.1-06.e | 1137.06e1Organizational.1-06.e 06.01 Compliance with Legal Requirements | Enforce rules of behavior and access agreements | 1.1.0 |
| 11 Access Control | 1137.06e1Organizational.1-06.e | 1137.06e1Organizational.1-06.e 06.01 Compliance with Legal Requirements | Prohibit unfair practices | 1.1.0 |
| 11 Access Control | 1137.06e1Organizational.1-06.e | 1137.06e1Organizational.1-06.e 06.01 Compliance with Legal Requirements | Review and sign revised rules of behavior | 1.1.0 |
| 11 Access Control | 1137.06e1Organizational.1-06.e | 1137.06e1Organizational.1-06.e 06.01 Compliance with Legal Requirements | Update rules of behavior and access agreements | 1.1.0 |
| 11 Access Control | 1137.06e1Organizational.1-06.e | 1137.06e1Organizational.1-06.e 06.01 Compliance with Legal Requirements | Update rules of behavior and access agreements every 3 years | 1.1.0 |
| 11 Access Control | 1139.01b1System.68-01.b | 1139.01b1System.68-01.b 01.02 Authorized Access to Information Systems | Define and enforce conditions for shared and group accounts | 1.1.0 |
| 11 Access Control | 1139.01b1System.68-01.b | 1139.01b1System.68-01.b 01.02 Authorized Access to Information Systems | Define information system account types | 1.1.0 |
| 11 Access Control | 1139.01b1System.68-01.b | 1139.01b1System.68-01.b 01.02 Authorized Access to Information Systems | Document access privileges | 1.1.0 |
| 11 Access Control | 1139.01b1System.68-01.b | 1139.01b1System.68-01.b 01.02 Authorized Access to Information Systems | Establish conditions for role membership | 1.1.0 |
| 11 Access Control | 1139.01b1System.68-01.b | 1139.01b1System.68-01.b 01.02 Authorized Access to Information Systems | Reissue authenticators for changed groups and accounts | 1.1.0 |
| 11 Access Control | 1139.01b1System.68-01.b | 1139.01b1System.68-01.b 01.02 Authorized Access to Information Systems | Restrict access to privileged accounts | 1.1.0 |
| 11 Access Control | 1143.01c1System.123-01.c | 1143.01c1System.123-01.c 01.02 Authorized Access to Information Systems | Authorize access to security functions and information | 1.1.0 |
| 11 Access Control | 1143.01c1System.123-01.c | 1143.01c1System.123-01.c 01.02 Authorized Access to Information Systems | Authorize and manage access | 1.1.0 |
| 11 Access Control | 1143.01c1System.123-01.c | 1143.01c1System.123-01.c 01.02 Authorized Access to Information Systems | Design an access control model | 1.1.0 |
| 11 Access Control | 1143.01c1System.123-01.c | 1143.01c1System.123-01.c 01.02 Authorized Access to Information Systems | Employ least privilege access | 1.1.0 |
| 11 Access Control | 1143.01c1System.123-01.c | 1143.01c1System.123-01.c 01.02 Authorized Access to Information Systems | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 11 Access Control | 1143.01c1System.123-01.c | 1143.01c1System.123-01.c 01.02 Authorized Access to Information Systems | Monitor account activity | 1.1.0 |
| 11 Access Control | 1143.01c1System.123-01.c | 1143.01c1System.123-01.c 01.02 Authorized Access to Information Systems | Notify Account Managers of customer controlled accounts | 1.1.0 |
| 11 Access Control | 1143.01c1System.123-01.c | 1143.01c1System.123-01.c 01.02 Authorized Access to Information Systems | Require approval for account creation | 1.1.0 |
| 11 Access Control | 1143.01c1System.123-01.c | 1143.01c1System.123-01.c 01.02 Authorized Access to Information Systems | Restrict access to privileged accounts | 1.1.0 |
| 11 Access Control | 1144.01c1System.4-01.c | 1144.01c1System.4-01.c 01.02 Authorized Access to Information Systems | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| 11 Access Control | 1144.01c1System.4-01.c | 1144.01c1System.4-01.c 01.02 Authorized Access to Information Systems | Authorize access to security functions and information | 1.1.0 |
| 11 Access Control | 1144.01c1System.4-01.c | 1144.01c1System.4-01.c 01.02 Authorized Access to Information Systems | Authorize and manage access | 1.1.0 |
| 11 Access Control | 1144.01c1System.4-01.c | 1144.01c1System.4-01.c 01.02 Authorized Access to Information Systems | Design an access control model | 1.1.0 |
| 11 Access Control | 1144.01c1System.4-01.c | 1144.01c1System.4-01.c 01.02 Authorized Access to Information Systems | Employ least privilege access | 1.1.0 |
| 11 Access Control | 1144.01c1System.4-01.c | 1144.01c1System.4-01.c 01.02 Authorized Access to Information Systems | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 11 Access Control | 1145.01c2System.1-01.c | 1145.01c2System.1-01.c 01.02 Authorized Access to Information Systems | Audit privileged functions | 1.1.0 |
| 11 Access Control | 1145.01c2System.1-01.c | 1145.01c2System.1-01.c 01.02 Authorized Access to Information Systems | Monitor account activity | 1.1.0 |
| 11 Access Control | 1145.01c2System.1-01.c | 1145.01c2System.1-01.c 01.02 Authorized Access to Information Systems | Monitor privileged role assignment | 1.1.0 |
| 11 Access Control | 1145.01c2System.1-01.c | 1145.01c2System.1-01.c 01.02 Authorized Access to Information Systems | Require approval for account creation | 1.1.0 |
| 11 Access Control | 1145.01c2System.1-01.c | 1145.01c2System.1-01.c 01.02 Authorized Access to Information Systems | Restrict access to privileged accounts | 1.1.0 |
| 11 Access Control | 1145.01c2System.1-01.c | 1145.01c2System.1-01.c 01.02 Authorized Access to Information Systems | Revoke privileged roles as appropriate | 1.1.0 |
| 11 Access Control | 1145.01c2System.1-01.c | 1145.01c2System.1-01.c 01.02 Authorized Access to Information Systems | There should be more than one owner assigned to your subscription | 3.0.0 |
| 11 Access Control | 1145.01c2System.1-01.c | 1145.01c2System.1-01.c 01.02 Authorized Access to Information Systems | Use privileged identity management | 1.1.0 |
| 11 Access Control | 1146.01c2System.23-01.c | 1146.01c2System.23-01.c 01.02 Authorized Access to Information Systems | Authorize access to security functions and information | 1.1.0 |
| 11 Access Control | 1146.01c2System.23-01.c | 1146.01c2System.23-01.c 01.02 Authorized Access to Information Systems | Authorize and manage access | 1.1.0 |
| 11 Access Control | 1146.01c2System.23-01.c | 1146.01c2System.23-01.c 01.02 Authorized Access to Information Systems | Design an access control model | 1.1.0 |
| 11 Access Control | 1146.01c2System.23-01.c | 1146.01c2System.23-01.c 01.02 Authorized Access to Information Systems | Employ least privilege access | 1.1.0 |
| 11 Access Control | 1146.01c2System.23-01.c | 1146.01c2System.23-01.c 01.02 Authorized Access to Information Systems | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 11 Access Control | 1146.01c2System.23-01.c | 1146.01c2System.23-01.c 01.02 Authorized Access to Information Systems | Enforce software execution privileges | 1.1.0 |
| 11 Access Control | 1146.01c2System.23-01.c | 1146.01c2System.23-01.c 01.02 Authorized Access to Information Systems | Guest accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| 11 Access Control | 1146.01c2System.23-01.c | 1146.01c2System.23-01.c 01.02 Authorized Access to Information Systems | Restrict access to privileged accounts | 1.1.0 |
| 11 Access Control | 1147.01c2System.456-01.c | 1147.01c2System.456-01.c 01.02 Authorized Access to Information Systems | Authorize access to security functions and information | 1.1.0 |
| 11 Access Control | 1147.01c2System.456-01.c | 1147.01c2System.456-01.c 01.02 Authorized Access to Information Systems | Authorize and manage access | 1.1.0 |
| 11 Access Control | 1147.01c2System.456-01.c | 1147.01c2System.456-01.c 01.02 Authorized Access to Information Systems | Blocked accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| 11 Access Control | 1147.01c2System.456-01.c | 1147.01c2System.456-01.c 01.02 Authorized Access to Information Systems | Design an access control model | 1.1.0 |
| 11 Access Control | 1147.01c2System.456-01.c | 1147.01c2System.456-01.c 01.02 Authorized Access to Information Systems | Employ least privilege access | 1.1.0 |
| 11 Access Control | 1147.01c2System.456-01.c | 1147.01c2System.456-01.c 01.02 Authorized Access to Information Systems | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 11 Access Control | 1148.01c2System.78-01.c | 1148.01c2System.78-01.c 01.02 Authorized Access to Information Systems | Authorize access to security functions and information | 1.1.0 |
| 11 Access Control | 1148.01c2System.78-01.c | 1148.01c2System.78-01.c 01.02 Authorized Access to Information Systems | Authorize and manage access | 1.1.0 |
| 11 Access Control | 1148.01c2System.78-01.c | 1148.01c2System.78-01.c 01.02 Authorized Access to Information Systems | Design an access control model | 1.1.0 |
| 11 Access Control | 1148.01c2System.78-01.c | 1148.01c2System.78-01.c 01.02 Authorized Access to Information Systems | Employ least privilege access | 1.1.0 |
| 11 Access Control | 1148.01c2System.78-01.c | 1148.01c2System.78-01.c 01.02 Authorized Access to Information Systems | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 11 Access Control | 1148.01c2System.78-01.c | 1148.01c2System.78-01.c 01.02 Authorized Access to Information Systems | Restrict access to privileged accounts | 1.1.0 |
| 11 Access Control | 1150.01c2System.10-01.c | 1150.01c2System.10-01.c 01.02 Authorized Access to Information Systems | Control information flow | 1.1.0 |
| 11 Access Control | 1150.01c2System.10-01.c | 1150.01c2System.10-01.c 01.02 Authorized Access to Information Systems | Employ flow control mechanisms of encrypted information | 1.1.0 |
| 11 Access Control | 1150.01c2System.10-01.c | 1150.01c2System.10-01.c 01.02 Authorized Access to Information Systems | Establish firewall and router configuration standards | 1.1.0 |
| 11 Access Control | 1150.01c2System.10-01.c | 1150.01c2System.10-01.c 01.02 Authorized Access to Information Systems | Establish network segmentation for card holder data environment | 1.1.0 |
| 11 Access Control | 1150.01c2System.10-01.c | 1150.01c2System.10-01.c 01.02 Authorized Access to Information Systems | Identify and manage downstream information exchanges | 1.1.0 |
| 11 Access Control | 1150.01c2System.10-01.c | 1150.01c2System.10-01.c 01.02 Authorized Access to Information Systems | Information flow control using security policy filters | 1.1.0 |
| 11 Access Control | 1151.01c3System.1-01.c | 1151.01c3System.1-01.c 01.02 Authorized Access to Information Systems | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| 11 Access Control | 1151.01c3System.1-01.c | 1151.01c3System.1-01.c 01.02 Authorized Access to Information Systems | Audit privileged functions | 1.1.0 |
| 11 Access Control | 1151.01c3System.1-01.c | 1151.01c3System.1-01.c 01.02 Authorized Access to Information Systems | Conduct a full text analysis of logged privileged commands | 1.1.0 |
| 11 Access Control | 1151.01c3System.1-01.c | 1151.01c3System.1-01.c 01.02 Authorized Access to Information Systems | Monitor privileged role assignment | 1.1.0 |
| 11 Access Control | 1151.01c3System.1-01.c | 1151.01c3System.1-01.c 01.02 Authorized Access to Information Systems | Restrict access to privileged accounts | 1.1.0 |
| 11 Access Control | 1151.01c3System.1-01.c | 1151.01c3System.1-01.c 01.02 Authorized Access to Information Systems | Revoke privileged roles as appropriate | 1.1.0 |
| 11 Access Control | 1151.01c3System.1-01.c | 1151.01c3System.1-01.c 01.02 Authorized Access to Information Systems | Use privileged identity management | 1.1.0 |
| 11 Access Control | 1152.01c3System.2-01.c | 1152.01c3System.2-01.c 01.02 Authorized Access to Information Systems | Audit privileged functions | 1.1.0 |
| 11 Access Control | 1152.01c3System.2-01.c | 1152.01c3System.2-01.c 01.02 Authorized Access to Information Systems | Conduct a full text analysis of logged privileged commands | 1.1.0 |
| 11 Access Control | 1152.01c3System.2-01.c | 1152.01c3System.2-01.c 01.02 Authorized Access to Information Systems | Design an access control model | 1.1.0 |
| 11 Access Control | 1152.01c3System.2-01.c | 1152.01c3System.2-01.c 01.02 Authorized Access to Information Systems | Employ least privilege access | 1.1.0 |
| 11 Access Control | 1152.01c3System.2-01.c | 1152.01c3System.2-01.c 01.02 Authorized Access to Information Systems | Monitor privileged role assignment | 1.1.0 |
| 11 Access Control | 1152.01c3System.2-01.c | 1152.01c3System.2-01.c 01.02 Authorized Access to Information Systems | Restrict access to privileged accounts | 1.1.0 |
| 11 Access Control | 1152.01c3System.2-01.c | 1152.01c3System.2-01.c 01.02 Authorized Access to Information Systems | Revoke privileged roles as appropriate | 1.1.0 |
| 11 Access Control | 1152.01c3System.2-01.c | 1152.01c3System.2-01.c 01.02 Authorized Access to Information Systems | There should be more than one owner assigned to your subscription | 3.0.0 |
| 11 Access Control | 1152.01c3System.2-01.c | 1152.01c3System.2-01.c 01.02 Authorized Access to Information Systems | Use privileged identity management | 1.1.0 |
| 11 Access Control | 1153.01c3System.35-01.c | 1153.01c3System.35-01.c 01.02 Authorized Access to Information Systems | Require approval for account creation | 1.1.0 |
| 11 Access Control | 1166.01e1System.12-01.e | 1166.01e1System.12-01.e 01.02 Authorized Access to Information Systems | Audit user account status | 1.1.0 |
| 11 Access Control | 1166.01e1System.12-01.e | 1166.01e1System.12-01.e 01.02 Authorized Access to Information Systems | Initiate transfer or reassignment actions | 1.1.0 |
| 11 Access Control | 1166.01e1System.12-01.e | 1166.01e1System.12-01.e 01.02 Authorized Access to Information Systems | Modify access authorizations upon personnel transfer | 1.1.0 |
| 11 Access Control | 1166.01e1System.12-01.e | 1166.01e1System.12-01.e 01.02 Authorized Access to Information Systems | Notify Account Managers of customer controlled accounts | 1.1.0 |
| 11 Access Control | 1166.01e1System.12-01.e | 1166.01e1System.12-01.e 01.02 Authorized Access to Information Systems | Notify upon termination or transfer | 1.1.0 |
| 11 Access Control | 1166.01e1System.12-01.e | 1166.01e1System.12-01.e 01.02 Authorized Access to Information Systems | Reevaluate access upon personnel transfer | 1.1.0 |
| 11 Access Control | 1166.01e1System.12-01.e | 1166.01e1System.12-01.e 01.02 Authorized Access to Information Systems | Review account provisioning logs | 1.1.0 |
| 11 Access Control | 1166.01e1System.12-01.e | 1166.01e1System.12-01.e 01.02 Authorized Access to Information Systems | Review user accounts | 1.1.0 |
| 11 Access Control | 1167.01e2System.1-01.e | 1167.01e2System.1-01.e 01.02 Authorized Access to Information Systems | Assign system identifiers | 1.1.0 |
| 11 Access Control | 1167.01e2System.1-01.e | 1167.01e2System.1-01.e 01.02 Authorized Access to Information Systems | Identify status of individual users | 1.1.0 |
| 11 Access Control | 1168.01e2System.2-01.e | 1168.01e2System.2-01.e 01.02 Authorized Access to Information Systems | Design an access control model | 1.1.0 |
| 11 Access Control | 1168.01e2System.2-01.e | 1168.01e2System.2-01.e 01.02 Authorized Access to Information Systems | Employ least privilege access | 1.1.0 |
| 11 Access Control | 1168.01e2System.2-01.e | 1168.01e2System.2-01.e 01.02 Authorized Access to Information Systems | Reassign or remove user privileges as needed | 1.1.0 |
| 11 Access Control | 1168.01e2System.2-01.e | 1168.01e2System.2-01.e 01.02 Authorized Access to Information Systems | Review user privileges | 1.1.0 |
| 11 Access Control | 1175.01j1Organizational.8-01.j | 1175.01j1Organizational.8-01.j 01.04 Network Access Control | Adopt biometric authentication mechanisms | 1.1.0 |
| 11 Access Control | 1175.01j1Organizational.8-01.j | 1175.01j1Organizational.8-01.j 01.04 Network Access Control | Enforce user uniqueness | 1.1.0 |
| 11 Access Control | 1175.01j1Organizational.8-01.j | 1175.01j1Organizational.8-01.j 01.04 Network Access Control | Identify and authenticate network devices | 1.1.0 |
| 11 Access Control | 1175.01j1Organizational.8-01.j | 1175.01j1Organizational.8-01.j 01.04 Network Access Control | Support personal verification credentials issued by legal authorities | 1.1.0 |
| 11 Access Control | 1178.01j2Organizational.7-01.j | 1178.01j2Organizational.7-01.j 01.04 Network Access Control | Accounts with read permissions on Azure resources should be MFA enabled | 1.0.0 |
| 11 Access Control | 1178.01j2Organizational.7-01.j | 1178.01j2Organizational.7-01.j 01.04 Network Access Control | Enforce user uniqueness | 1.1.0 |
| 11 Access Control | 1178.01j2Organizational.7-01.j | 1178.01j2Organizational.7-01.j 01.04 Network Access Control | Require use of individual authenticators | 1.1.0 |
| 11 Access Control | 1178.01j2Organizational.7-01.j | 1178.01j2Organizational.7-01.j 01.04 Network Access Control | Support personal verification credentials issued by legal authorities | 1.1.0 |
| 11 Access Control | 1179.01j3Organizational.1-01.j | 1179.01j3Organizational.1-01.j 01.04 Network Access Control | Authorize remote access | 1.1.0 |
| 11 Access Control | 1179.01j3Organizational.1-01.j | 1179.01j3Organizational.1-01.j 01.04 Network Access Control | Document mobility training | 1.1.0 |
| 11 Access Control | 1179.01j3Organizational.1-01.j | 1179.01j3Organizational.1-01.j 01.04 Network Access Control | Document remote access guidelines | 1.1.0 |
| 11 Access Control | 1179.01j3Organizational.1-01.j | 1179.01j3Organizational.1-01.j 01.04 Network Access Control | Implement controls to secure alternate work sites | 1.1.0 |
| 11 Access Control | 1179.01j3Organizational.1-01.j | 1179.01j3Organizational.1-01.j 01.04 Network Access Control | Monitor access across the organization | 1.1.0 |
| 11 Access Control | 1179.01j3Organizational.1-01.j | 1179.01j3Organizational.1-01.j 01.04 Network Access Control | Provide privacy training | 1.1.0 |
| 11 Access Control | 1192.01l1Organizational.1-01.l | 1192.01l1Organizational.1-01.l 01.04 Network Access Control | Control physical access | 1.1.0 |
| 11 Access Control | 1192.01l1Organizational.1-01.l | 1192.01l1Organizational.1-01.l 01.04 Network Access Control | Define a physical key management process | 1.1.0 |
| 11 Access Control | 1192.01l1Organizational.1-01.l | 1192.01l1Organizational.1-01.l 01.04 Network Access Control | Establish and maintain an asset inventory | 1.1.0 |
| 11 Access Control | 1192.01l1Organizational.1-01.l | 1192.01l1Organizational.1-01.l 01.04 Network Access Control | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| 11 Access Control | 1193.01l2Organizational.13-01.l | 1193.01l2Organizational.13-01.l 01.04 Network Access Control | Control physical access | 1.1.0 |
| 11 Access Control | 1193.01l2Organizational.13-01.l | 1193.01l2Organizational.13-01.l 01.04 Network Access Control | Define a physical key management process | 1.1.0 |
| 11 Access Control | 1193.01l2Organizational.13-01.l | 1193.01l2Organizational.13-01.l 01.04 Network Access Control | Establish and maintain an asset inventory | 1.1.0 |
| 11 Access Control | 1193.01l2Organizational.13-01.l | 1193.01l2Organizational.13-01.l 01.04 Network Access Control | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| 12 Audit Logging & Monitoring | 1201.06e1Organizational.2-06.e | 1201.06e1Organizational.2-06.e 06.01 Compliance with Legal Requirements | Develop acceptable use policies and procedures | 1.1.0 |
| 12 Audit Logging & Monitoring | 1201.06e1Organizational.2-06.e | 1201.06e1Organizational.2-06.e 06.01 Compliance with Legal Requirements | Develop organization code of conduct policy | 1.1.0 |
| 12 Audit Logging & Monitoring | 1201.06e1Organizational.2-06.e | 1201.06e1Organizational.2-06.e 06.01 Compliance with Legal Requirements | Document personnel acceptance of privacy requirements | 1.1.0 |
| 12 Audit Logging & Monitoring | 1201.06e1Organizational.2-06.e | 1201.06e1Organizational.2-06.e 06.01 Compliance with Legal Requirements | Enforce rules of behavior and access agreements | 1.1.0 |
| 12 Audit Logging & Monitoring | 1201.06e1Organizational.2-06.e | 1201.06e1Organizational.2-06.e 06.01 Compliance with Legal Requirements | Implement privacy notice delivery methods | 1.1.0 |
| 12 Audit Logging & Monitoring | 1201.06e1Organizational.2-06.e | 1201.06e1Organizational.2-06.e 06.01 Compliance with Legal Requirements | Obtain consent prior to collection or processing of personal data | 1.1.0 |
| 12 Audit Logging & Monitoring | 1201.06e1Organizational.2-06.e | 1201.06e1Organizational.2-06.e 06.01 Compliance with Legal Requirements | Prohibit unfair practices | 1.1.0 |
| 12 Audit Logging & Monitoring | 1201.06e1Organizational.2-06.e | 1201.06e1Organizational.2-06.e 06.01 Compliance with Legal Requirements | Provide privacy notice | 1.1.0 |
| 12 Audit Logging & Monitoring | 1201.06e1Organizational.2-06.e | 1201.06e1Organizational.2-06.e 06.01 Compliance with Legal Requirements | Review and sign revised rules of behavior | 1.1.0 |
| 12 Audit Logging & Monitoring | 1201.06e1Organizational.2-06.e | 1201.06e1Organizational.2-06.e 06.01 Compliance with Legal Requirements | Update information security policies | 1.1.0 |
| 12 Audit Logging & Monitoring | 1201.06e1Organizational.2-06.e | 1201.06e1Organizational.2-06.e 06.01 Compliance with Legal Requirements | Update rules of behavior and access agreements | 1.1.0 |
| 12 Audit Logging & Monitoring | 1201.06e1Organizational.2-06.e | 1201.06e1Organizational.2-06.e 06.01 Compliance with Legal Requirements | Update rules of behavior and access agreements every 3 years | 1.1.0 |
| 12 Audit Logging & Monitoring | 1202.09aa1System.1-09.aa | 1202.09aa1System.1-09.aa 09.10 Monitoring | Configure Azure Audit capabilities | 1.1.1 |
| 12 Audit Logging & Monitoring | 1202.09aa1System.1-09.aa | 1202.09aa1System.1-09.aa 09.10 Monitoring | Determine auditable events | 1.1.0 |
| 12 Audit Logging & Monitoring | 1202.09aa1System.1-09.aa | 1202.09aa1System.1-09.aa 09.10 Monitoring | Review and update the events defined in AU-02 | 1.1.0 |
| 12 Audit Logging & Monitoring | 1203.09aa1System.2-09.aa | 1203.09aa1System.2-09.aa 09.10 Monitoring | Configure Azure Audit capabilities | 1.1.1 |
| 12 Audit Logging & Monitoring | 1203.09aa1System.2-09.aa | 1203.09aa1System.2-09.aa 09.10 Monitoring | Determine auditable events | 1.1.0 |
| 12 Audit Logging & Monitoring | 1204.09aa1System.3-09.aa | 1204.09aa1System.3-09.aa 09.10 Monitoring | Configure Azure Audit capabilities | 1.1.1 |
| 12 Audit Logging & Monitoring | 1204.09aa1System.3-09.aa | 1204.09aa1System.3-09.aa 09.10 Monitoring | Determine auditable events | 1.1.0 |
| 12 Audit Logging & Monitoring | 1204.09aa1System.3-09.aa | 1204.09aa1System.3-09.aa 09.10 Monitoring | Monitor account activity | 1.1.0 |
| 12 Audit Logging & Monitoring | 1205.09aa2System.1-09.aa | 1205.09aa2System.1-09.aa 09.10 Monitoring | Configure Azure Audit capabilities | 1.1.1 |
| 12 Audit Logging & Monitoring | 1205.09aa2System.1-09.aa | 1205.09aa2System.1-09.aa 09.10 Monitoring | Determine auditable events | 1.1.0 |
| 12 Audit Logging & Monitoring | 1205.09aa2System.1-09.aa | 1205.09aa2System.1-09.aa 09.10 Monitoring | Ensure audit records are not altered | 1.1.0 |
| 12 Audit Logging & Monitoring | 1205.09aa2System.1-09.aa | 1205.09aa2System.1-09.aa 09.10 Monitoring | Provide audit review, analysis, and reporting capability | 1.1.0 |
| 12 Audit Logging & Monitoring | 1205.09aa2System.1-09.aa | 1205.09aa2System.1-09.aa 09.10 Monitoring | Provide capability to process customer-controlled audit records | 1.1.0 |
| 12 Audit Logging & Monitoring | 1206.09aa2System.23-09.aa | 1206.09aa2System.23-09.aa 09.10 Monitoring | Configure Azure Audit capabilities | 1.1.1 |
| 12 Audit Logging & Monitoring | 1206.09aa2System.23-09.aa | 1206.09aa2System.23-09.aa 09.10 Monitoring | Determine auditable events | 1.1.0 |
| 12 Audit Logging & Monitoring | 1206.09aa2System.23-09.aa | 1206.09aa2System.23-09.aa 09.10 Monitoring | Employ automatic shutdown/restart when violations are detected | 1.1.0 |
| 12 Audit Logging & Monitoring | 1206.09aa2System.23-09.aa | 1206.09aa2System.23-09.aa 09.10 Monitoring | Prohibit binary/machine-executable code | 1.1.0 |
| 12 Audit Logging & Monitoring | 1206.09aa2System.23-09.aa | 1206.09aa2System.23-09.aa 09.10 Monitoring | Verify software, firmware and information integrity | 1.1.0 |
| 12 Audit Logging & Monitoring | 1206.09aa2System.23-09.aa | 1206.09aa2System.23-09.aa 09.10 Monitoring | View and configure system diagnostic data | 1.1.0 |
| 12 Audit Logging & Monitoring | 1207.09aa2System.4-09.aa | 1207.09aa2System.4-09.aa 09.10 Monitoring | Adhere to retention periods defined | 1.1.0 |
| 12 Audit Logging & Monitoring | 1207.09aa2System.4-09.aa | 1207.09aa2System.4-09.aa 09.10 Monitoring | Audit privileged functions | 1.1.0 |
| 12 Audit Logging & Monitoring | 1207.09aa2System.4-09.aa | 1207.09aa2System.4-09.aa 09.10 Monitoring | Audit user account status | 1.1.0 |
| 12 Audit Logging & Monitoring | 1207.09aa2System.4-09.aa | 1207.09aa2System.4-09.aa 09.10 Monitoring | Configure Azure Audit capabilities | 1.1.1 |
| 12 Audit Logging & Monitoring | 1207.09aa2System.4-09.aa | 1207.09aa2System.4-09.aa 09.10 Monitoring | Determine auditable events | 1.1.0 |
| 12 Audit Logging & Monitoring | 1207.09aa2System.4-09.aa | 1207.09aa2System.4-09.aa 09.10 Monitoring | Enable dual or joint authorization | 1.1.0 |
| 12 Audit Logging & Monitoring | 1207.09aa2System.4-09.aa | 1207.09aa2System.4-09.aa 09.10 Monitoring | Govern and monitor audit processing activities | 1.1.0 |
| 12 Audit Logging & Monitoring | 1207.09aa2System.4-09.aa | 1207.09aa2System.4-09.aa 09.10 Monitoring | Protect audit information | 1.1.0 |
| 12 Audit Logging & Monitoring | 1207.09aa2System.4-09.aa | 1207.09aa2System.4-09.aa 09.10 Monitoring | Retain security policies and procedures | 1.1.0 |
| 12 Audit Logging & Monitoring | 1207.09aa2System.4-09.aa | 1207.09aa2System.4-09.aa 09.10 Monitoring | Retain terminated user data | 1.1.0 |
| 12 Audit Logging & Monitoring | 1207.09aa2System.4-09.aa | 1207.09aa2System.4-09.aa 09.10 Monitoring | Review audit data | 1.1.0 |
| 12 Audit Logging & Monitoring | 1208.09aa3System.1-09.aa | 1208.09aa3System.1-09.aa 09.10 Monitoring | Audit user account status | 1.1.0 |
| 12 Audit Logging & Monitoring | 1208.09aa3System.1-09.aa | 1208.09aa3System.1-09.aa 09.10 Monitoring | Automate account management | 1.1.0 |
| 12 Audit Logging & Monitoring | 1208.09aa3System.1-09.aa | 1208.09aa3System.1-09.aa 09.10 Monitoring | Conduct a security impact analysis | 1.1.0 |
| 12 Audit Logging & Monitoring | 1208.09aa3System.1-09.aa | 1208.09aa3System.1-09.aa 09.10 Monitoring | Configure Azure Audit capabilities | 1.1.1 |
| 12 Audit Logging & Monitoring | 1208.09aa3System.1-09.aa | 1208.09aa3System.1-09.aa 09.10 Monitoring | Determine auditable events | 1.1.0 |
| 12 Audit Logging & Monitoring | 1208.09aa3System.1-09.aa | 1208.09aa3System.1-09.aa 09.10 Monitoring | Develop and maintain a vulnerability management standard | 1.1.0 |
| 12 Audit Logging & Monitoring | 1208.09aa3System.1-09.aa | 1208.09aa3System.1-09.aa 09.10 Monitoring | Establish a risk management strategy | 1.1.0 |
| 12 Audit Logging & Monitoring | 1208.09aa3System.1-09.aa | 1208.09aa3System.1-09.aa 09.10 Monitoring | Establish and document change control processes | 1.1.0 |
| 12 Audit Logging & Monitoring | 1208.09aa3System.1-09.aa | 1208.09aa3System.1-09.aa 09.10 Monitoring | Establish configuration management requirements for developers | 1.1.0 |
| 12 Audit Logging & Monitoring | 1208.09aa3System.1-09.aa | 1208.09aa3System.1-09.aa 09.10 Monitoring | Manage system and admin accounts | 1.1.0 |
| 12 Audit Logging & Monitoring | 1208.09aa3System.1-09.aa | 1208.09aa3System.1-09.aa 09.10 Monitoring | Monitor access across the organization | 1.1.0 |
| 12 Audit Logging & Monitoring | 1208.09aa3System.1-09.aa | 1208.09aa3System.1-09.aa 09.10 Monitoring | Notify when account is not needed | 1.1.0 |
| 12 Audit Logging & Monitoring | 1208.09aa3System.1-09.aa | 1208.09aa3System.1-09.aa 09.10 Monitoring | Perform a privacy impact assessment | 1.1.0 |
| 12 Audit Logging & Monitoring | 1208.09aa3System.1-09.aa | 1208.09aa3System.1-09.aa 09.10 Monitoring | Perform a risk assessment | 1.1.0 |
| 12 Audit Logging & Monitoring | 1208.09aa3System.1-09.aa | 1208.09aa3System.1-09.aa 09.10 Monitoring | Perform audit for configuration change control | 1.1.0 |
| 12 Audit Logging & Monitoring | 1208.09aa3System.1-09.aa | 1208.09aa3System.1-09.aa 09.10 Monitoring | Verify software, firmware and information integrity | 1.1.0 |
| 12 Audit Logging & Monitoring | 1209.09aa3System.2-09.aa | 1209.09aa3System.2-09.aa 09.10 Monitoring | Configure Azure Audit capabilities | 1.1.1 |
| 12 Audit Logging & Monitoring | 1209.09aa3System.2-09.aa | 1209.09aa3System.2-09.aa 09.10 Monitoring | Determine auditable events | 1.1.0 |
| 12 Audit Logging & Monitoring | 1210.09aa3System.3-09.aa | 1210.09aa3System.3-09.aa 09.10 Monitoring | Adhere to retention periods defined | 1.1.0 |
| 12 Audit Logging & Monitoring | 1210.09aa3System.3-09.aa | 1210.09aa3System.3-09.aa 09.10 Monitoring | Audit privileged functions | 1.1.0 |
| 12 Audit Logging & Monitoring | 1210.09aa3System.3-09.aa | 1210.09aa3System.3-09.aa 09.10 Monitoring | Audit user account status | 1.1.0 |
| 12 Audit Logging & Monitoring | 1210.09aa3System.3-09.aa | 1210.09aa3System.3-09.aa 09.10 Monitoring | Determine auditable events | 1.1.0 |
| 12 Audit Logging & Monitoring | 1210.09aa3System.3-09.aa | 1210.09aa3System.3-09.aa 09.10 Monitoring | Retain security policies and procedures | 1.1.0 |
| 12 Audit Logging & Monitoring | 1210.09aa3System.3-09.aa | 1210.09aa3System.3-09.aa 09.10 Monitoring | Retain terminated user data | 1.1.0 |
| 12 Audit Logging & Monitoring | 1210.09aa3System.3-09.aa | 1210.09aa3System.3-09.aa 09.10 Monitoring | Review and update the events defined in AU-02 | 1.1.0 |
| 12 Audit Logging & Monitoring | 1210.09aa3System.3-09.aa | 1210.09aa3System.3-09.aa 09.10 Monitoring | Review audit data | 1.1.0 |
| 12 Audit Logging & Monitoring | 1210.09aa3System.3-09.aa | 1210.09aa3System.3-09.aa 09.10 Monitoring | Use system clocks for audit records | 1.1.0 |
| 12 Audit Logging & Monitoring | 12100.09ab2System.15-09.ab | 12100.09ab2System.15-09.ab 09.10 Monitoring | Discover any indicators of compromise | 1.1.0 |
| 12 Audit Logging & Monitoring | 12100.09ab2System.15-09.ab | 12100.09ab2System.15-09.ab 09.10 Monitoring | Document wireless access security controls | 1.1.0 |
| 12 Audit Logging & Monitoring | 12101.09ab1Organizational.3-09.ab | 12101.09ab1Organizational.3-09.ab 09.10 Monitoring | Adjust level of audit review, analysis, and reporting | 1.1.0 |
| 12 Audit Logging & Monitoring | 12101.09ab1Organizational.3-09.ab | 12101.09ab1Organizational.3-09.ab 09.10 Monitoring | Correlate audit records | 1.1.0 |
| 12 Audit Logging & Monitoring | 12101.09ab1Organizational.3-09.ab | 12101.09ab1Organizational.3-09.ab 09.10 Monitoring | Develop audit and accountability policies and procedures | 1.1.0 |
| 12 Audit Logging & Monitoring | 12101.09ab1Organizational.3-09.ab | 12101.09ab1Organizational.3-09.ab 09.10 Monitoring | Develop information security policies and procedures | 1.1.0 |
| 12 Audit Logging & Monitoring | 12101.09ab1Organizational.3-09.ab | 12101.09ab1Organizational.3-09.ab 09.10 Monitoring | Establish requirements for audit review and reporting | 1.1.0 |
| 12 Audit Logging & Monitoring | 12101.09ab1Organizational.3-09.ab | 12101.09ab1Organizational.3-09.ab 09.10 Monitoring | Govern policies and procedures | 1.1.0 |
| 12 Audit Logging & Monitoring | 12101.09ab1Organizational.3-09.ab | 12101.09ab1Organizational.3-09.ab 09.10 Monitoring | Integrate audit review, analysis, and reporting | 1.1.0 |
| 12 Audit Logging & Monitoring | 12101.09ab1Organizational.3-09.ab | 12101.09ab1Organizational.3-09.ab 09.10 Monitoring | Integrate cloud app security with a siem | 1.1.0 |
| 12 Audit Logging & Monitoring | 12101.09ab1Organizational.3-09.ab | 12101.09ab1Organizational.3-09.ab 09.10 Monitoring | Review account provisioning logs | 1.1.0 |
| 12 Audit Logging & Monitoring | 12101.09ab1Organizational.3-09.ab | 12101.09ab1Organizational.3-09.ab 09.10 Monitoring | Review administrator assignments weekly | 1.1.0 |
| 12 Audit Logging & Monitoring | 12101.09ab1Organizational.3-09.ab | 12101.09ab1Organizational.3-09.ab 09.10 Monitoring | Review audit data | 1.1.0 |
| 12 Audit Logging & Monitoring | 12101.09ab1Organizational.3-09.ab | 12101.09ab1Organizational.3-09.ab 09.10 Monitoring | Review cloud identity report overview | 1.1.0 |
| 12 Audit Logging & Monitoring | 12101.09ab1Organizational.3-09.ab | 12101.09ab1Organizational.3-09.ab 09.10 Monitoring | Review controlled folder access events | 1.1.0 |
| 12 Audit Logging & Monitoring | 12101.09ab1Organizational.3-09.ab | 12101.09ab1Organizational.3-09.ab 09.10 Monitoring | Review file and folder activity | 1.1.0 |
| 12 Audit Logging & Monitoring | 12101.09ab1Organizational.3-09.ab | 12101.09ab1Organizational.3-09.ab 09.10 Monitoring | Review role group changes weekly | 1.1.0 |
| 12 Audit Logging & Monitoring | 12101.09ab1Organizational.3-09.ab | 12101.09ab1Organizational.3-09.ab 09.10 Monitoring | Specify permitted actions associated with customer audit information | 1.1.0 |
| 12 Audit Logging & Monitoring | 12101.09ab1Organizational.3-09.ab | 12101.09ab1Organizational.3-09.ab 09.10 Monitoring | Update information security policies | 1.1.0 |
| 12 Audit Logging & Monitoring | 12102.09ab1Organizational.4-09.ab | 12102.09ab1Organizational.4-09.ab 09.10 Monitoring | Conduct incident response testing | 1.1.0 |
| 12 Audit Logging & Monitoring | 12102.09ab1Organizational.4-09.ab | 12102.09ab1Organizational.4-09.ab 09.10 Monitoring | Develop POA&M | 1.1.0 |
| 12 Audit Logging & Monitoring | 12102.09ab1Organizational.4-09.ab | 12102.09ab1Organizational.4-09.ab 09.10 Monitoring | Establish an information security program | 1.1.0 |
| 12 Audit Logging & Monitoring | 12102.09ab1Organizational.4-09.ab | 12102.09ab1Organizational.4-09.ab 09.10 Monitoring | Run simulation attacks | 1.1.0 |
| 12 Audit Logging & Monitoring | 12102.09ab1Organizational.4-09.ab | 12102.09ab1Organizational.4-09.ab 09.10 Monitoring | Select additional testing for security control assessments | 1.1.0 |
| 12 Audit Logging & Monitoring | 12102.09ab1Organizational.4-09.ab | 12102.09ab1Organizational.4-09.ab 09.10 Monitoring | Update POA&M items | 1.1.0 |
| 12 Audit Logging & Monitoring | 12103.09ab1Organizational.5-09.ab | 12103.09ab1Organizational.5-09.ab 09.10 Monitoring | Correlate audit records | 1.1.0 |
| 12 Audit Logging & Monitoring | 12103.09ab1Organizational.5-09.ab | 12103.09ab1Organizational.5-09.ab 09.10 Monitoring | Establish requirements for audit review and reporting | 1.1.0 |
| 12 Audit Logging & Monitoring | 12103.09ab1Organizational.5-09.ab | 12103.09ab1Organizational.5-09.ab 09.10 Monitoring | Integrate audit review, analysis, and reporting | 1.1.0 |
| 12 Audit Logging & Monitoring | 12103.09ab1Organizational.5-09.ab | 12103.09ab1Organizational.5-09.ab 09.10 Monitoring | Integrate cloud app security with a siem | 1.1.0 |
| 12 Audit Logging & Monitoring | 12103.09ab1Organizational.5-09.ab | 12103.09ab1Organizational.5-09.ab 09.10 Monitoring | Review account provisioning logs | 1.1.0 |
| 12 Audit Logging & Monitoring | 12103.09ab1Organizational.5-09.ab | 12103.09ab1Organizational.5-09.ab 09.10 Monitoring | Review administrator assignments weekly | 1.1.0 |
| 12 Audit Logging & Monitoring | 12103.09ab1Organizational.5-09.ab | 12103.09ab1Organizational.5-09.ab 09.10 Monitoring | Review audit data | 1.1.0 |
| 12 Audit Logging & Monitoring | 12103.09ab1Organizational.5-09.ab | 12103.09ab1Organizational.5-09.ab 09.10 Monitoring | Review cloud identity report overview | 1.1.0 |
| 12 Audit Logging & Monitoring | 12103.09ab1Organizational.5-09.ab | 12103.09ab1Organizational.5-09.ab 09.10 Monitoring | Review controlled folder access events | 1.1.0 |
| 12 Audit Logging & Monitoring | 12103.09ab1Organizational.5-09.ab | 12103.09ab1Organizational.5-09.ab 09.10 Monitoring | Review file and folder activity | 1.1.0 |
| 12 Audit Logging & Monitoring | 12103.09ab1Organizational.5-09.ab | 12103.09ab1Organizational.5-09.ab 09.10 Monitoring | Review role group changes weekly | 1.1.0 |
| 12 Audit Logging & Monitoring | 1211.09aa3System.4-09.aa | 1211.09aa3System.4-09.aa 09.10 Monitoring | Adhere to retention periods defined | 1.1.0 |
| 12 Audit Logging & Monitoring | 1211.09aa3System.4-09.aa | 1211.09aa3System.4-09.aa 09.10 Monitoring | Establish and document change control processes | 1.1.0 |
| 12 Audit Logging & Monitoring | 1211.09aa3System.4-09.aa | 1211.09aa3System.4-09.aa 09.10 Monitoring | Establish configuration management requirements for developers | 1.1.0 |
| 12 Audit Logging & Monitoring | 1211.09aa3System.4-09.aa | 1211.09aa3System.4-09.aa 09.10 Monitoring | Perform audit for configuration change control | 1.1.0 |
| 12 Audit Logging & Monitoring | 1211.09aa3System.4-09.aa | 1211.09aa3System.4-09.aa 09.10 Monitoring | Perform disposition review | 1.1.0 |
| 12 Audit Logging & Monitoring | 1211.09aa3System.4-09.aa | 1211.09aa3System.4-09.aa 09.10 Monitoring | Verify personal data is deleted at the end of processing | 1.1.0 |
| 12 Audit Logging & Monitoring | 1212.09ab1System.1-09.ab | 1212.09ab1System.1-09.ab 09.10 Monitoring | Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' | 1.0.0 |
| 12 Audit Logging & Monitoring | 1212.09ab1System.1-09.ab | 1212.09ab1System.1-09.ab 09.10 Monitoring | Obtain legal opinion for monitoring system activities | 1.1.0 |
| 12 Audit Logging & Monitoring | 1212.09ab1System.1-09.ab | 1212.09ab1System.1-09.ab 09.10 Monitoring | Provide monitoring information as needed | 1.1.0 |
| 12 Audit Logging & Monitoring | 1213.09ab2System.128-09.ab | 1213.09ab2System.128-09.ab 09.10 Monitoring | Authorize, monitor, and control voip | 1.1.0 |
| 12 Audit Logging & Monitoring | 1213.09ab2System.128-09.ab | 1213.09ab2System.128-09.ab 09.10 Monitoring | Auto provisioning of the Log Analytics agent should be enabled on your subscription | 1.0.1 |
| 12 Audit Logging & Monitoring | 1213.09ab2System.128-09.ab | 1213.09ab2System.128-09.ab 09.10 Monitoring | Route traffic through managed network access points | 1.1.0 |
| 12 Audit Logging & Monitoring | 1214.09ab2System.3456-09.ab | 1214.09ab2System.3456-09.ab 09.10 Monitoring | Audit privileged functions | 1.1.0 |
| 12 Audit Logging & Monitoring | 1214.09ab2System.3456-09.ab | 1214.09ab2System.3456-09.ab 09.10 Monitoring | Azure Monitor should collect activity logs from all regions | 2.0.0 |
| 12 Audit Logging & Monitoring | 1214.09ab2System.3456-09.ab | 1214.09ab2System.3456-09.ab 09.10 Monitoring | Conduct a full text analysis of logged privileged commands | 1.1.0 |
| 12 Audit Logging & Monitoring | 1214.09ab2System.3456-09.ab | 1214.09ab2System.3456-09.ab 09.10 Monitoring | Configure Azure Audit capabilities | 1.1.1 |
| 12 Audit Logging & Monitoring | 1214.09ab2System.3456-09.ab | 1214.09ab2System.3456-09.ab 09.10 Monitoring | Determine auditable events | 1.1.0 |
| 12 Audit Logging & Monitoring | 1214.09ab2System.3456-09.ab | 1214.09ab2System.3456-09.ab 09.10 Monitoring | Monitor privileged role assignment | 1.1.0 |
| 12 Audit Logging & Monitoring | 1214.09ab2System.3456-09.ab | 1214.09ab2System.3456-09.ab 09.10 Monitoring | Restrict access to privileged accounts | 1.1.0 |
| 12 Audit Logging & Monitoring | 1214.09ab2System.3456-09.ab | 1214.09ab2System.3456-09.ab 09.10 Monitoring | Revoke privileged roles as appropriate | 1.1.0 |
| 12 Audit Logging & Monitoring | 1214.09ab2System.3456-09.ab | 1214.09ab2System.3456-09.ab 09.10 Monitoring | Use privileged identity management | 1.1.0 |
| 12 Audit Logging & Monitoring | 1215.09ab2System.7-09.ab | 1215.09ab2System.7-09.ab 09.10 Monitoring | Ensure audit records are not altered | 1.1.0 |
| 12 Audit Logging & Monitoring | 1215.09ab2System.7-09.ab | 1215.09ab2System.7-09.ab 09.10 Monitoring | Provide audit review, analysis, and reporting capability | 1.1.0 |
| 12 Audit Logging & Monitoring | 1215.09ab2System.7-09.ab | 1215.09ab2System.7-09.ab 09.10 Monitoring | Provide capability to process customer-controlled audit records | 1.1.0 |
| 12 Audit Logging & Monitoring | 1216.09ab3System.12-09.ab | 1216.09ab3System.12-09.ab 09.10 Monitoring | Alert personnel of information spillage | 1.1.0 |
| 12 Audit Logging & Monitoring | 1216.09ab3System.12-09.ab | 1216.09ab3System.12-09.ab 09.10 Monitoring | Configure Azure Audit capabilities | 1.1.1 |
| 12 Audit Logging & Monitoring | 1216.09ab3System.12-09.ab | 1216.09ab3System.12-09.ab 09.10 Monitoring | Correlate audit records | 1.1.0 |
| 12 Audit Logging & Monitoring | 1216.09ab3System.12-09.ab | 1216.09ab3System.12-09.ab 09.10 Monitoring | Determine auditable events | 1.1.0 |
| 12 Audit Logging & Monitoring | 1216.09ab3System.12-09.ab | 1216.09ab3System.12-09.ab 09.10 Monitoring | Develop an incident response plan | 1.1.0 |
| 12 Audit Logging & Monitoring | 1216.09ab3System.12-09.ab | 1216.09ab3System.12-09.ab 09.10 Monitoring | Document security operations | 1.1.0 |
| 12 Audit Logging & Monitoring | 1216.09ab3System.12-09.ab | 1216.09ab3System.12-09.ab 09.10 Monitoring | Establish requirements for audit review and reporting | 1.1.0 |
| 12 Audit Logging & Monitoring | 1216.09ab3System.12-09.ab | 1216.09ab3System.12-09.ab 09.10 Monitoring | Integrate audit review, analysis, and reporting | 1.1.0 |
| 12 Audit Logging & Monitoring | 1216.09ab3System.12-09.ab | 1216.09ab3System.12-09.ab 09.10 Monitoring | Integrate cloud app security with a siem | 1.1.0 |
| 12 Audit Logging & Monitoring | 1216.09ab3System.12-09.ab | 1216.09ab3System.12-09.ab 09.10 Monitoring | Review account provisioning logs | 1.1.0 |
| 12 Audit Logging & Monitoring | 1216.09ab3System.12-09.ab | 1216.09ab3System.12-09.ab 09.10 Monitoring | Review administrator assignments weekly | 1.1.0 |
| 12 Audit Logging & Monitoring | 1216.09ab3System.12-09.ab | 1216.09ab3System.12-09.ab 09.10 Monitoring | Review and update the events defined in AU-02 | 1.1.0 |
| 12 Audit Logging & Monitoring | 1216.09ab3System.12-09.ab | 1216.09ab3System.12-09.ab 09.10 Monitoring | Review audit data | 1.1.0 |
| 12 Audit Logging & Monitoring | 1216.09ab3System.12-09.ab | 1216.09ab3System.12-09.ab 09.10 Monitoring | Review cloud identity report overview | 1.1.0 |
| 12 Audit Logging & Monitoring | 1216.09ab3System.12-09.ab | 1216.09ab3System.12-09.ab 09.10 Monitoring | Review controlled folder access events | 1.1.0 |
| 12 Audit Logging & Monitoring | 1216.09ab3System.12-09.ab | 1216.09ab3System.12-09.ab 09.10 Monitoring | Review file and folder activity | 1.1.0 |
| 12 Audit Logging & Monitoring | 1216.09ab3System.12-09.ab | 1216.09ab3System.12-09.ab 09.10 Monitoring | Review role group changes weekly | 1.1.0 |
| 12 Audit Logging & Monitoring | 1216.09ab3System.12-09.ab | 1216.09ab3System.12-09.ab 09.10 Monitoring | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| 12 Audit Logging & Monitoring | 1216.09ab3System.12-09.ab | 1216.09ab3System.12-09.ab 09.10 Monitoring | Turn on sensors for endpoint security solution | 1.1.0 |
| 12 Audit Logging & Monitoring | 1217.09ab3System.3-09.ab | 1217.09ab3System.3-09.ab 09.10 Monitoring | Alert personnel of information spillage | 1.1.0 |
| 12 Audit Logging & Monitoring | 1217.09ab3System.3-09.ab | 1217.09ab3System.3-09.ab 09.10 Monitoring | Develop an incident response plan | 1.1.0 |
| 12 Audit Logging & Monitoring | 1217.09ab3System.3-09.ab | 1217.09ab3System.3-09.ab 09.10 Monitoring | Document wireless access security controls | 1.1.0 |
| 12 Audit Logging & Monitoring | 1217.09ab3System.3-09.ab | 1217.09ab3System.3-09.ab 09.10 Monitoring | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| 12 Audit Logging & Monitoring | 1218.09ab3System.47-09.ab | 1218.09ab3System.47-09.ab 09.10 Monitoring | Alert personnel of information spillage | 1.1.0 |
| 12 Audit Logging & Monitoring | 1218.09ab3System.47-09.ab | 1218.09ab3System.47-09.ab 09.10 Monitoring | Authorize, monitor, and control voip | 1.1.0 |
| 12 Audit Logging & Monitoring | 1218.09ab3System.47-09.ab | 1218.09ab3System.47-09.ab 09.10 Monitoring | Develop an incident response plan | 1.1.0 |
| 12 Audit Logging & Monitoring | 1218.09ab3System.47-09.ab | 1218.09ab3System.47-09.ab 09.10 Monitoring | Document security operations | 1.1.0 |
| 12 Audit Logging & Monitoring | 1218.09ab3System.47-09.ab | 1218.09ab3System.47-09.ab 09.10 Monitoring | Route traffic through managed network access points | 1.1.0 |
| 12 Audit Logging & Monitoring | 1218.09ab3System.47-09.ab | 1218.09ab3System.47-09.ab 09.10 Monitoring | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| 12 Audit Logging & Monitoring | 1218.09ab3System.47-09.ab | 1218.09ab3System.47-09.ab 09.10 Monitoring | Turn on sensors for endpoint security solution | 1.1.0 |
| 12 Audit Logging & Monitoring | 1219.09ab3System.10-09.ab | 1219.09ab3System.10-09.ab 09.10 Monitoring | Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' | 1.0.0 |
| 12 Audit Logging & Monitoring | 1219.09ab3System.10-09.ab | 1219.09ab3System.10-09.ab 09.10 Monitoring | Ensure audit records are not altered | 1.1.0 |
| 12 Audit Logging & Monitoring | 1219.09ab3System.10-09.ab | 1219.09ab3System.10-09.ab 09.10 Monitoring | Provide audit review, analysis, and reporting capability | 1.1.0 |
| 12 Audit Logging & Monitoring | 1219.09ab3System.10-09.ab | 1219.09ab3System.10-09.ab 09.10 Monitoring | Provide capability to process customer-controlled audit records | 1.1.0 |
| 12 Audit Logging & Monitoring | 1220.09ab3System.56-09.ab | 1220.09ab3System.56-09.ab 09.10 Monitoring | Authorize, monitor, and control voip | 1.1.0 |
| 12 Audit Logging & Monitoring | 1220.09ab3System.56-09.ab | 1220.09ab3System.56-09.ab 09.10 Monitoring | Auto provisioning of the Log Analytics agent should be enabled on your subscription | 1.0.1 |
| 12 Audit Logging & Monitoring | 1220.09ab3System.56-09.ab | 1220.09ab3System.56-09.ab 09.10 Monitoring | Route traffic through managed network access points | 1.1.0 |
| 12 Audit Logging & Monitoring | 1220.09ab3System.56-09.ab | 1220.09ab3System.56-09.ab 09.10 Monitoring | Verify software, firmware and information integrity | 1.1.0 |
| 12 Audit Logging & Monitoring | 1220.09ab3System.56-09.ab | 1220.09ab3System.56-09.ab 09.10 Monitoring | View and configure system diagnostic data | 1.1.0 |
| 12 Audit Logging & Monitoring | 1222.09ab3System.8-09.ab | 1222.09ab3System.8-09.ab 09.10 Monitoring | Alert personnel of information spillage | 1.1.0 |
| 12 Audit Logging & Monitoring | 1222.09ab3System.8-09.ab | 1222.09ab3System.8-09.ab 09.10 Monitoring | Correlate audit records | 1.1.0 |
| 12 Audit Logging & Monitoring | 1222.09ab3System.8-09.ab | 1222.09ab3System.8-09.ab 09.10 Monitoring | Develop an incident response plan | 1.1.0 |
| 12 Audit Logging & Monitoring | 1222.09ab3System.8-09.ab | 1222.09ab3System.8-09.ab 09.10 Monitoring | Disseminate security alerts to personnel | 1.1.0 |
| 12 Audit Logging & Monitoring | 1222.09ab3System.8-09.ab | 1222.09ab3System.8-09.ab 09.10 Monitoring | Establish a threat intelligence program | 1.1.0 |
| 12 Audit Logging & Monitoring | 1222.09ab3System.8-09.ab | 1222.09ab3System.8-09.ab 09.10 Monitoring | Generate internal security alerts | 1.1.0 |
| 12 Audit Logging & Monitoring | 1222.09ab3System.8-09.ab | 1222.09ab3System.8-09.ab 09.10 Monitoring | Implement security directives | 1.1.0 |
| 12 Audit Logging & Monitoring | 1222.09ab3System.8-09.ab | 1222.09ab3System.8-09.ab 09.10 Monitoring | Integrate cloud app security with a siem | 1.1.0 |
| 12 Audit Logging & Monitoring | 1222.09ab3System.8-09.ab | 1222.09ab3System.8-09.ab 09.10 Monitoring | Provide capability to process customer-controlled audit records | 1.1.0 |
| 12 Audit Logging & Monitoring | 1222.09ab3System.8-09.ab | 1222.09ab3System.8-09.ab 09.10 Monitoring | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| 12 Audit Logging & Monitoring | 1229.09c1Organizational.1-09.c | 1229.09c1Organizational.1-09.c 09.01 Documented Operating Procedures | Define access authorizations to support separation of duties | 1.1.0 |
| 12 Audit Logging & Monitoring | 1229.09c1Organizational.1-09.c | 1229.09c1Organizational.1-09.c 09.01 Documented Operating Procedures | Document separation of duties | 1.1.0 |
| 12 Audit Logging & Monitoring | 1229.09c1Organizational.1-09.c | 1229.09c1Organizational.1-09.c 09.01 Documented Operating Procedures | Separate duties of individuals | 1.1.0 |
| 12 Audit Logging & Monitoring | 1230.09c2Organizational.1-09.c | 1230.09c2Organizational.1-09.c 09.01 Documented Operating Procedures | Audit privileged functions | 1.1.0 |
| 12 Audit Logging & Monitoring | 1230.09c2Organizational.1-09.c | 1230.09c2Organizational.1-09.c 09.01 Documented Operating Procedures | Audit user account status | 1.1.0 |
| 12 Audit Logging & Monitoring | 1230.09c2Organizational.1-09.c | 1230.09c2Organizational.1-09.c 09.01 Documented Operating Procedures | Authorize access to security functions and information | 1.1.0 |
| 12 Audit Logging & Monitoring | 1230.09c2Organizational.1-09.c | 1230.09c2Organizational.1-09.c 09.01 Documented Operating Procedures | Authorize and manage access | 1.1.0 |
| 12 Audit Logging & Monitoring | 1230.09c2Organizational.1-09.c | 1230.09c2Organizational.1-09.c 09.01 Documented Operating Procedures | Configure Azure Audit capabilities | 1.1.1 |
| 12 Audit Logging & Monitoring | 1230.09c2Organizational.1-09.c | 1230.09c2Organizational.1-09.c 09.01 Documented Operating Procedures | Determine auditable events | 1.1.0 |
| 12 Audit Logging & Monitoring | 1230.09c2Organizational.1-09.c | 1230.09c2Organizational.1-09.c 09.01 Documented Operating Procedures | Enforce logical access | 1.1.0 |
| 12 Audit Logging & Monitoring | 1230.09c2Organizational.1-09.c | 1230.09c2Organizational.1-09.c 09.01 Documented Operating Procedures | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 12 Audit Logging & Monitoring | 1230.09c2Organizational.1-09.c | 1230.09c2Organizational.1-09.c 09.01 Documented Operating Procedures | Require approval for account creation | 1.1.0 |
| 12 Audit Logging & Monitoring | 1230.09c2Organizational.1-09.c | 1230.09c2Organizational.1-09.c 09.01 Documented Operating Procedures | Review audit data | 1.1.0 |
| 12 Audit Logging & Monitoring | 1230.09c2Organizational.1-09.c | 1230.09c2Organizational.1-09.c 09.01 Documented Operating Procedures | Review user groups and applications with access to sensitive data | 1.1.0 |
| 12 Audit Logging & Monitoring | 1230.09c2Organizational.1-09.c | 1230.09c2Organizational.1-09.c 09.01 Documented Operating Procedures | Separate duties of individuals | 1.1.0 |
| 12 Audit Logging & Monitoring | 1231.09c2Organizational.23-09.c | 1231.09c2Organizational.23-09.c 09.01 Documented Operating Procedures | Define access authorizations to support separation of duties | 1.1.0 |
| 12 Audit Logging & Monitoring | 1231.09c2Organizational.23-09.c | 1231.09c2Organizational.23-09.c 09.01 Documented Operating Procedures | Document separation of duties | 1.1.0 |
| 12 Audit Logging & Monitoring | 1231.09c2Organizational.23-09.c | 1231.09c2Organizational.23-09.c 09.01 Documented Operating Procedures | Separate duties of individuals | 1.1.0 |
| 12 Audit Logging & Monitoring | 1232.09c3Organizational.12-09.c | 1232.09c3Organizational.12-09.c 09.01 Documented Operating Procedures | Audit privileged functions | 1.1.0 |
| 12 Audit Logging & Monitoring | 1232.09c3Organizational.12-09.c | 1232.09c3Organizational.12-09.c 09.01 Documented Operating Procedures | Authorize access to security functions and information | 1.1.0 |
| 12 Audit Logging & Monitoring | 1232.09c3Organizational.12-09.c | 1232.09c3Organizational.12-09.c 09.01 Documented Operating Procedures | Authorize and manage access | 1.1.0 |
| 12 Audit Logging & Monitoring | 1232.09c3Organizational.12-09.c | 1232.09c3Organizational.12-09.c 09.01 Documented Operating Procedures | Conduct a full text analysis of logged privileged commands | 1.1.0 |
| 12 Audit Logging & Monitoring | 1232.09c3Organizational.12-09.c | 1232.09c3Organizational.12-09.c 09.01 Documented Operating Procedures | Define access authorizations to support separation of duties | 1.1.0 |
| 12 Audit Logging & Monitoring | 1232.09c3Organizational.12-09.c | 1232.09c3Organizational.12-09.c 09.01 Documented Operating Procedures | Design an access control model | 1.1.0 |
| 12 Audit Logging & Monitoring | 1232.09c3Organizational.12-09.c | 1232.09c3Organizational.12-09.c 09.01 Documented Operating Procedures | Document separation of duties | 1.1.0 |
| 12 Audit Logging & Monitoring | 1232.09c3Organizational.12-09.c | 1232.09c3Organizational.12-09.c 09.01 Documented Operating Procedures | Employ least privilege access | 1.1.0 |
| 12 Audit Logging & Monitoring | 1232.09c3Organizational.12-09.c | 1232.09c3Organizational.12-09.c 09.01 Documented Operating Procedures | Enable dual or joint authorization | 1.1.0 |
| 12 Audit Logging & Monitoring | 1232.09c3Organizational.12-09.c | 1232.09c3Organizational.12-09.c 09.01 Documented Operating Procedures | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 12 Audit Logging & Monitoring | 1232.09c3Organizational.12-09.c | 1232.09c3Organizational.12-09.c 09.01 Documented Operating Procedures | Enforce software execution privileges | 1.1.0 |
| 12 Audit Logging & Monitoring | 1232.09c3Organizational.12-09.c | 1232.09c3Organizational.12-09.c 09.01 Documented Operating Procedures | Monitor privileged role assignment | 1.1.0 |
| 12 Audit Logging & Monitoring | 1232.09c3Organizational.12-09.c | 1232.09c3Organizational.12-09.c 09.01 Documented Operating Procedures | Protect audit information | 1.1.0 |
| 12 Audit Logging & Monitoring | 1232.09c3Organizational.12-09.c | 1232.09c3Organizational.12-09.c 09.01 Documented Operating Procedures | Reassign or remove user privileges as needed | 1.1.0 |
| 12 Audit Logging & Monitoring | 1232.09c3Organizational.12-09.c | 1232.09c3Organizational.12-09.c 09.01 Documented Operating Procedures | Require approval for account creation | 1.1.0 |
| 12 Audit Logging & Monitoring | 1232.09c3Organizational.12-09.c | 1232.09c3Organizational.12-09.c 09.01 Documented Operating Procedures | Restrict access to privileged accounts | 1.1.0 |
| 12 Audit Logging & Monitoring | 1232.09c3Organizational.12-09.c | 1232.09c3Organizational.12-09.c 09.01 Documented Operating Procedures | Review user privileges | 1.1.0 |
| 12 Audit Logging & Monitoring | 1232.09c3Organizational.12-09.c | 1232.09c3Organizational.12-09.c 09.01 Documented Operating Procedures | Revoke privileged roles as appropriate | 1.1.0 |
| 12 Audit Logging & Monitoring | 1232.09c3Organizational.12-09.c | 1232.09c3Organizational.12-09.c 09.01 Documented Operating Procedures | Separate duties of individuals | 1.1.0 |
| 12 Audit Logging & Monitoring | 1232.09c3Organizational.12-09.c | 1232.09c3Organizational.12-09.c 09.01 Documented Operating Procedures | Use privileged identity management | 1.1.0 |
| 12 Audit Logging & Monitoring | 1233.09c3Organizational.3-09.c | 1233.09c3Organizational.3-09.c 09.01 Documented Operating Procedures | Define access authorizations to support separation of duties | 1.1.0 |
| 12 Audit Logging & Monitoring | 1233.09c3Organizational.3-09.c | 1233.09c3Organizational.3-09.c 09.01 Documented Operating Procedures | Document separation of duties | 1.1.0 |
| 12 Audit Logging & Monitoring | 1233.09c3Organizational.3-09.c | 1233.09c3Organizational.3-09.c 09.01 Documented Operating Procedures | Separate duties of individuals | 1.1.0 |
| 12 Audit Logging & Monitoring | 1270.09ad1System.12-09.ad | 1270.09ad1System.12-09.ad 09.10 Monitoring | An activity log alert should exist for specific Administrative operations | 1.0.0 |
| 12 Audit Logging & Monitoring | 1270.09ad1System.12-09.ad | 1270.09ad1System.12-09.ad 09.10 Monitoring | Audit privileged functions | 1.1.0 |
| 12 Audit Logging & Monitoring | 1270.09ad1System.12-09.ad | 1270.09ad1System.12-09.ad 09.10 Monitoring | Conduct a full text analysis of logged privileged commands | 1.1.0 |
| 12 Audit Logging & Monitoring | 1270.09ad1System.12-09.ad | 1270.09ad1System.12-09.ad 09.10 Monitoring | Correlate audit records | 1.1.0 |
| 12 Audit Logging & Monitoring | 1270.09ad1System.12-09.ad | 1270.09ad1System.12-09.ad 09.10 Monitoring | Establish requirements for audit review and reporting | 1.1.0 |
| 12 Audit Logging & Monitoring | 1270.09ad1System.12-09.ad | 1270.09ad1System.12-09.ad 09.10 Monitoring | Integrate audit review, analysis, and reporting | 1.1.0 |
| 12 Audit Logging & Monitoring | 1270.09ad1System.12-09.ad | 1270.09ad1System.12-09.ad 09.10 Monitoring | Integrate cloud app security with a siem | 1.1.0 |
| 12 Audit Logging & Monitoring | 1270.09ad1System.12-09.ad | 1270.09ad1System.12-09.ad 09.10 Monitoring | Monitor privileged role assignment | 1.1.0 |
| 12 Audit Logging & Monitoring | 1270.09ad1System.12-09.ad | 1270.09ad1System.12-09.ad 09.10 Monitoring | Restrict access to privileged accounts | 1.1.0 |
| 12 Audit Logging & Monitoring | 1270.09ad1System.12-09.ad | 1270.09ad1System.12-09.ad 09.10 Monitoring | Review account provisioning logs | 1.1.0 |
| 12 Audit Logging & Monitoring | 1270.09ad1System.12-09.ad | 1270.09ad1System.12-09.ad 09.10 Monitoring | Review administrator assignments weekly | 1.1.0 |
| 12 Audit Logging & Monitoring | 1270.09ad1System.12-09.ad | 1270.09ad1System.12-09.ad 09.10 Monitoring | Review audit data | 1.1.0 |
| 12 Audit Logging & Monitoring | 1270.09ad1System.12-09.ad | 1270.09ad1System.12-09.ad 09.10 Monitoring | Review cloud identity report overview | 1.1.0 |
| 12 Audit Logging & Monitoring | 1270.09ad1System.12-09.ad | 1270.09ad1System.12-09.ad 09.10 Monitoring | Review controlled folder access events | 1.1.0 |
| 12 Audit Logging & Monitoring | 1270.09ad1System.12-09.ad | 1270.09ad1System.12-09.ad 09.10 Monitoring | Review file and folder activity | 1.1.0 |
| 12 Audit Logging & Monitoring | 1270.09ad1System.12-09.ad | 1270.09ad1System.12-09.ad 09.10 Monitoring | Review role group changes weekly | 1.1.0 |
| 12 Audit Logging & Monitoring | 1270.09ad1System.12-09.ad | 1270.09ad1System.12-09.ad 09.10 Monitoring | Revoke privileged roles as appropriate | 1.1.0 |
| 12 Audit Logging & Monitoring | 1270.09ad1System.12-09.ad | 1270.09ad1System.12-09.ad 09.10 Monitoring | Use privileged identity management | 1.1.0 |
| 12 Audit Logging & Monitoring | 1271.09ad1System.1-09.ad | 1271.09ad1System.1-09.ad 09.10 Monitoring | An activity log alert should exist for specific Administrative operations | 1.0.0 |
| 12 Audit Logging & Monitoring | 1271.09ad1System.1-09.ad | 1271.09ad1System.1-09.ad 09.10 Monitoring | Define access authorizations to support separation of duties | 1.1.0 |
| 12 Audit Logging & Monitoring | 1271.09ad1System.1-09.ad | 1271.09ad1System.1-09.ad 09.10 Monitoring | Design an access control model | 1.1.0 |
| 12 Audit Logging & Monitoring | 1271.09ad1System.1-09.ad | 1271.09ad1System.1-09.ad 09.10 Monitoring | Document separation of duties | 1.1.0 |
| 12 Audit Logging & Monitoring | 1271.09ad1System.1-09.ad | 1271.09ad1System.1-09.ad 09.10 Monitoring | Employ least privilege access | 1.1.0 |
| 12 Audit Logging & Monitoring | 1271.09ad1System.1-09.ad | 1271.09ad1System.1-09.ad 09.10 Monitoring | Protect audit information | 1.1.0 |
| 12 Audit Logging & Monitoring | 1271.09ad1System.1-09.ad | 1271.09ad1System.1-09.ad 09.10 Monitoring | Require approval for account creation | 1.1.0 |
| 12 Audit Logging & Monitoring | 1271.09ad1System.1-09.ad | 1271.09ad1System.1-09.ad 09.10 Monitoring | Separate duties of individuals | 1.1.0 |
| 12 Audit Logging & Monitoring | 1271.09ad2System.1 | 1271.09ad2System.1 09.10 Monitoring | Define access authorizations to support separation of duties | 1.1.0 |
| 12 Audit Logging & Monitoring | 1271.09ad2System.1 | 1271.09ad2System.1 09.10 Monitoring | Design an access control model | 1.1.0 |
| 12 Audit Logging & Monitoring | 1271.09ad2System.1 | 1271.09ad2System.1 09.10 Monitoring | Document separation of duties | 1.1.0 |
| 12 Audit Logging & Monitoring | 1271.09ad2System.1 | 1271.09ad2System.1 09.10 Monitoring | Employ least privilege access | 1.1.0 |
| 12 Audit Logging & Monitoring | 1271.09ad2System.1 | 1271.09ad2System.1 09.10 Monitoring | Protect audit information | 1.1.0 |
| 12 Audit Logging & Monitoring | 1271.09ad2System.1 | 1271.09ad2System.1 09.10 Monitoring | Require approval for account creation | 1.1.0 |
| 12 Audit Logging & Monitoring | 1271.09ad2System.1 | 1271.09ad2System.1 09.10 Monitoring | Separate duties of individuals | 1.1.0 |
| 12 Audit Logging & Monitoring | 1276.09c2Organizational.2-09.c | 1276.09c2Organizational.2-09.c 09.01 Documented Operating Procedures | Audit privileged functions | 1.1.0 |
| 12 Audit Logging & Monitoring | 1276.09c2Organizational.2-09.c | 1276.09c2Organizational.2-09.c 09.01 Documented Operating Procedures | Authorize access to security functions and information | 1.1.0 |
| 12 Audit Logging & Monitoring | 1276.09c2Organizational.2-09.c | 1276.09c2Organizational.2-09.c 09.01 Documented Operating Procedures | Authorize and manage access | 1.1.0 |
| 12 Audit Logging & Monitoring | 1276.09c2Organizational.2-09.c | 1276.09c2Organizational.2-09.c 09.01 Documented Operating Procedures | Conduct a full text analysis of logged privileged commands | 1.1.0 |
| 12 Audit Logging & Monitoring | 1276.09c2Organizational.2-09.c | 1276.09c2Organizational.2-09.c 09.01 Documented Operating Procedures | Define access authorizations to support separation of duties | 1.1.0 |
| 12 Audit Logging & Monitoring | 1276.09c2Organizational.2-09.c | 1276.09c2Organizational.2-09.c 09.01 Documented Operating Procedures | Design an access control model | 1.1.0 |
| 12 Audit Logging & Monitoring | 1276.09c2Organizational.2-09.c | 1276.09c2Organizational.2-09.c 09.01 Documented Operating Procedures | Document separation of duties | 1.1.0 |
| 12 Audit Logging & Monitoring | 1276.09c2Organizational.2-09.c | 1276.09c2Organizational.2-09.c 09.01 Documented Operating Procedures | Employ least privilege access | 1.1.0 |
| 12 Audit Logging & Monitoring | 1276.09c2Organizational.2-09.c | 1276.09c2Organizational.2-09.c 09.01 Documented Operating Procedures | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 12 Audit Logging & Monitoring | 1276.09c2Organizational.2-09.c | 1276.09c2Organizational.2-09.c 09.01 Documented Operating Procedures | Enforce software execution privileges | 1.1.0 |
| 12 Audit Logging & Monitoring | 1276.09c2Organizational.2-09.c | 1276.09c2Organizational.2-09.c 09.01 Documented Operating Procedures | Monitor privileged role assignment | 1.1.0 |
| 12 Audit Logging & Monitoring | 1276.09c2Organizational.2-09.c | 1276.09c2Organizational.2-09.c 09.01 Documented Operating Procedures | Protect audit information | 1.1.0 |
| 12 Audit Logging & Monitoring | 1276.09c2Organizational.2-09.c | 1276.09c2Organizational.2-09.c 09.01 Documented Operating Procedures | Reassign or remove user privileges as needed | 1.1.0 |
| 12 Audit Logging & Monitoring | 1276.09c2Organizational.2-09.c | 1276.09c2Organizational.2-09.c 09.01 Documented Operating Procedures | Require approval for account creation | 1.1.0 |
| 12 Audit Logging & Monitoring | 1276.09c2Organizational.2-09.c | 1276.09c2Organizational.2-09.c 09.01 Documented Operating Procedures | Review user privileges | 1.1.0 |
| 12 Audit Logging & Monitoring | 1276.09c2Organizational.2-09.c | 1276.09c2Organizational.2-09.c 09.01 Documented Operating Procedures | Revoke privileged roles as appropriate | 1.1.0 |
| 12 Audit Logging & Monitoring | 1276.09c2Organizational.2-09.c | 1276.09c2Organizational.2-09.c 09.01 Documented Operating Procedures | Separate duties of individuals | 1.1.0 |
| 12 Audit Logging & Monitoring | 1276.09c2Organizational.2-09.c | 1276.09c2Organizational.2-09.c 09.01 Documented Operating Procedures | Use privileged identity management | 1.1.0 |
| 12 Audit Logging & Monitoring | 1277.09c2Organizational.4-09.c | 1277.09c2Organizational.4-09.c 09.01 Documented Operating Procedures | Define access authorizations to support separation of duties | 1.1.0 |
| 12 Audit Logging & Monitoring | 1277.09c2Organizational.4-09.c | 1277.09c2Organizational.4-09.c 09.01 Documented Operating Procedures | Document separation of duties | 1.1.0 |
| 12 Audit Logging & Monitoring | 1277.09c2Organizational.4-09.c | 1277.09c2Organizational.4-09.c 09.01 Documented Operating Procedures | Separate duties of individuals | 1.1.0 |
| 12 Audit Logging & Monitoring | 1278.09c2Organizational.56-09.c | 1278.09c2Organizational.56-09.c 09.01 Documented Operating Procedures | Define access authorizations to support separation of duties | 1.1.0 |
| 12 Audit Logging & Monitoring | 1278.09c2Organizational.56-09.c | 1278.09c2Organizational.56-09.c 09.01 Documented Operating Procedures | Document separation of duties | 1.1.0 |
| 12 Audit Logging & Monitoring | 1278.09c2Organizational.56-09.c | 1278.09c2Organizational.56-09.c 09.01 Documented Operating Procedures | Separate duties of individuals | 1.1.0 |
| 12 Audit Logging & Monitoring | 1279.09c3Organizational.4-09.c | 1279.09c3Organizational.4-09.c 09.01 Documented Operating Procedures | Define access authorizations to support separation of duties | 1.1.0 |
| 12 Audit Logging & Monitoring | 1279.09c3Organizational.4-09.c | 1279.09c3Organizational.4-09.c 09.01 Documented Operating Procedures | Document separation of duties | 1.1.0 |
| 12 Audit Logging & Monitoring | 1279.09c3Organizational.4-09.c | 1279.09c3Organizational.4-09.c 09.01 Documented Operating Procedures | Separate duties of individuals | 1.1.0 |
| 13 Education, Training and Awareness | 1301.02e1Organizational.12-02.e | 1301.02e1Organizational.12-02.e 02.03 During Employment | Develop acceptable use policies and procedures | 1.1.0 |
| 13 Education, Training and Awareness | 1301.02e1Organizational.12-02.e | 1301.02e1Organizational.12-02.e 02.03 During Employment | Develop organization code of conduct policy | 1.1.0 |
| 13 Education, Training and Awareness | 1301.02e1Organizational.12-02.e | 1301.02e1Organizational.12-02.e 02.03 During Employment | Document personnel acceptance of privacy requirements | 1.1.0 |
| 13 Education, Training and Awareness | 1301.02e1Organizational.12-02.e | 1301.02e1Organizational.12-02.e 02.03 During Employment | Enforce rules of behavior and access agreements | 1.1.0 |
| 13 Education, Training and Awareness | 1301.02e1Organizational.12-02.e | 1301.02e1Organizational.12-02.e 02.03 During Employment | Prohibit unfair practices | 1.1.0 |
| 13 Education, Training and Awareness | 1301.02e1Organizational.12-02.e | 1301.02e1Organizational.12-02.e 02.03 During Employment | Provide periodic role-based security training | 1.1.0 |
| 13 Education, Training and Awareness | 1301.02e1Organizational.12-02.e | 1301.02e1Organizational.12-02.e 02.03 During Employment | Provide periodic security awareness training | 1.1.0 |
| 13 Education, Training and Awareness | 1301.02e1Organizational.12-02.e | 1301.02e1Organizational.12-02.e 02.03 During Employment | Provide role-based practical exercises | 1.1.0 |
| 13 Education, Training and Awareness | 1301.02e1Organizational.12-02.e | 1301.02e1Organizational.12-02.e 02.03 During Employment | Provide role-based security training | 1.1.0 |
| 13 Education, Training and Awareness | 1301.02e1Organizational.12-02.e | 1301.02e1Organizational.12-02.e 02.03 During Employment | Provide role-based training on suspicious activities | 1.1.0 |
| 13 Education, Training and Awareness | 1301.02e1Organizational.12-02.e | 1301.02e1Organizational.12-02.e 02.03 During Employment | Provide security awareness training for insider threats | 1.1.0 |
| 13 Education, Training and Awareness | 1301.02e1Organizational.12-02.e | 1301.02e1Organizational.12-02.e 02.03 During Employment | Provide security training before providing access | 1.1.0 |
| 13 Education, Training and Awareness | 1301.02e1Organizational.12-02.e | 1301.02e1Organizational.12-02.e 02.03 During Employment | Provide security training for new users | 1.1.0 |
| 13 Education, Training and Awareness | 1301.02e1Organizational.12-02.e | 1301.02e1Organizational.12-02.e 02.03 During Employment | Provide updated security awareness training | 1.1.0 |
| 13 Education, Training and Awareness | 1301.02e1Organizational.12-02.e | 1301.02e1Organizational.12-02.e 02.03 During Employment | Review and sign revised rules of behavior | 1.1.0 |
| 13 Education, Training and Awareness | 1301.02e1Organizational.12-02.e | 1301.02e1Organizational.12-02.e 02.03 During Employment | Update rules of behavior and access agreements | 1.1.0 |
| 13 Education, Training and Awareness | 1301.02e1Organizational.12-02.e | 1301.02e1Organizational.12-02.e 02.03 During Employment | Update rules of behavior and access agreements every 3 years | 1.1.0 |
| 13 Education, Training and Awareness | 1302.02e2Organizational.134-02.e | 1302.02e2Organizational.134-02.e 02.03 During Employment | Develop acceptable use policies and procedures | 1.1.0 |
| 13 Education, Training and Awareness | 1302.02e2Organizational.134-02.e | 1302.02e2Organizational.134-02.e 02.03 During Employment | Develop organization code of conduct policy | 1.1.0 |
| 13 Education, Training and Awareness | 1302.02e2Organizational.134-02.e | 1302.02e2Organizational.134-02.e 02.03 During Employment | Document personnel acceptance of privacy requirements | 1.1.0 |
| 13 Education, Training and Awareness | 1302.02e2Organizational.134-02.e | 1302.02e2Organizational.134-02.e 02.03 During Employment | Document security and privacy training activities | 1.1.0 |
| 13 Education, Training and Awareness | 1302.02e2Organizational.134-02.e | 1302.02e2Organizational.134-02.e 02.03 During Employment | Enforce rules of behavior and access agreements | 1.1.0 |
| 13 Education, Training and Awareness | 1302.02e2Organizational.134-02.e | 1302.02e2Organizational.134-02.e 02.03 During Employment | Implement a threat awareness program | 1.1.0 |
| 13 Education, Training and Awareness | 1302.02e2Organizational.134-02.e | 1302.02e2Organizational.134-02.e 02.03 During Employment | Implement an insider threat program | 1.1.0 |
| 13 Education, Training and Awareness | 1302.02e2Organizational.134-02.e | 1302.02e2Organizational.134-02.e 02.03 During Employment | Monitor security and privacy training completion | 1.1.0 |
| 13 Education, Training and Awareness | 1302.02e2Organizational.134-02.e | 1302.02e2Organizational.134-02.e 02.03 During Employment | Prohibit unfair practices | 1.1.0 |
| 13 Education, Training and Awareness | 1302.02e2Organizational.134-02.e | 1302.02e2Organizational.134-02.e 02.03 During Employment | Provide periodic security awareness training | 1.1.0 |
| 13 Education, Training and Awareness | 1302.02e2Organizational.134-02.e | 1302.02e2Organizational.134-02.e 02.03 During Employment | Provide privacy training | 1.1.0 |
| 13 Education, Training and Awareness | 1302.02e2Organizational.134-02.e | 1302.02e2Organizational.134-02.e 02.03 During Employment | Provide security awareness training for insider threats | 1.1.0 |
| 13 Education, Training and Awareness | 1302.02e2Organizational.134-02.e | 1302.02e2Organizational.134-02.e 02.03 During Employment | Provide security training for new users | 1.1.0 |
| 13 Education, Training and Awareness | 1302.02e2Organizational.134-02.e | 1302.02e2Organizational.134-02.e 02.03 During Employment | Provide updated security awareness training | 1.1.0 |
| 13 Education, Training and Awareness | 1302.02e2Organizational.134-02.e | 1302.02e2Organizational.134-02.e 02.03 During Employment | Retain training records | 1.1.0 |
| 13 Education, Training and Awareness | 1302.02e2Organizational.134-02.e | 1302.02e2Organizational.134-02.e 02.03 During Employment | Review and sign revised rules of behavior | 1.1.0 |
| 13 Education, Training and Awareness | 1302.02e2Organizational.134-02.e | 1302.02e2Organizational.134-02.e 02.03 During Employment | Update information security policies | 1.1.0 |
| 13 Education, Training and Awareness | 1302.02e2Organizational.134-02.e | 1302.02e2Organizational.134-02.e 02.03 During Employment | Update rules of behavior and access agreements | 1.1.0 |
| 13 Education, Training and Awareness | 1302.02e2Organizational.134-02.e | 1302.02e2Organizational.134-02.e 02.03 During Employment | Update rules of behavior and access agreements every 3 years | 1.1.0 |
| 13 Education, Training and Awareness | 1303.02e2Organizational.2-02.e | 1303.02e2Organizational.2-02.e 02.03 During Employment | Develop acceptable use policies and procedures | 1.1.0 |
| 13 Education, Training and Awareness | 1303.02e2Organizational.2-02.e | 1303.02e2Organizational.2-02.e 02.03 During Employment | Develop organization code of conduct policy | 1.1.0 |
| 13 Education, Training and Awareness | 1303.02e2Organizational.2-02.e | 1303.02e2Organizational.2-02.e 02.03 During Employment | Document personnel acceptance of privacy requirements | 1.1.0 |
| 13 Education, Training and Awareness | 1303.02e2Organizational.2-02.e | 1303.02e2Organizational.2-02.e 02.03 During Employment | Enforce rules of behavior and access agreements | 1.1.0 |
| 13 Education, Training and Awareness | 1303.02e2Organizational.2-02.e | 1303.02e2Organizational.2-02.e 02.03 During Employment | Prohibit unfair practices | 1.1.0 |
| 13 Education, Training and Awareness | 1303.02e2Organizational.2-02.e | 1303.02e2Organizational.2-02.e 02.03 During Employment | Review and sign revised rules of behavior | 1.1.0 |
| 13 Education, Training and Awareness | 1303.02e2Organizational.2-02.e | 1303.02e2Organizational.2-02.e 02.03 During Employment | Update rules of behavior and access agreements | 1.1.0 |
| 13 Education, Training and Awareness | 1303.02e2Organizational.2-02.e | 1303.02e2Organizational.2-02.e 02.03 During Employment | Update rules of behavior and access agreements every 3 years | 1.1.0 |
| 13 Education, Training and Awareness | 1304.02e3Organizational.1-02.e | 1304.02e3Organizational.1-02.e 02.03 During Employment | Provide contingency training | 1.1.0 |
| 13 Education, Training and Awareness | 1304.02e3Organizational.1-02.e | 1304.02e3Organizational.1-02.e 02.03 During Employment | Provide information spillage training | 1.1.0 |
| 13 Education, Training and Awareness | 1304.02e3Organizational.1-02.e | 1304.02e3Organizational.1-02.e 02.03 During Employment | Provide periodic role-based security training | 1.1.0 |
| 13 Education, Training and Awareness | 1304.02e3Organizational.1-02.e | 1304.02e3Organizational.1-02.e 02.03 During Employment | Provide privacy training | 1.1.0 |
| 13 Education, Training and Awareness | 1304.02e3Organizational.1-02.e | 1304.02e3Organizational.1-02.e 02.03 During Employment | Provide role-based security training | 1.1.0 |
| 13 Education, Training and Awareness | 1304.02e3Organizational.1-02.e | 1304.02e3Organizational.1-02.e 02.03 During Employment | Provide security training before providing access | 1.1.0 |
| 13 Education, Training and Awareness | 1304.02e3Organizational.1-02.e | 1304.02e3Organizational.1-02.e 02.03 During Employment | Provide security training for new users | 1.1.0 |
| 13 Education, Training and Awareness | 1304.02e3Organizational.1-02.e | 1304.02e3Organizational.1-02.e 02.03 During Employment | Require developers to provide training | 1.1.0 |
| 13 Education, Training and Awareness | 1304.02e3Organizational.1-02.e | 1304.02e3Organizational.1-02.e 02.03 During Employment | Train personnel on disclosure of nonpublic information | 1.1.0 |
| 13 Education, Training and Awareness | 1305.02e3Organizational.23-02.e | 1305.02e3Organizational.23-02.e 02.03 During Employment | Document security and privacy training activities | 1.1.0 |
| 13 Education, Training and Awareness | 1305.02e3Organizational.23-02.e | 1305.02e3Organizational.23-02.e 02.03 During Employment | Monitor security and privacy training completion | 1.1.0 |
| 13 Education, Training and Awareness | 1305.02e3Organizational.23-02.e | 1305.02e3Organizational.23-02.e 02.03 During Employment | Retain training records | 1.1.0 |
| 13 Education, Training and Awareness | 1306.06e1Organizational.5-06.e | 1306.06e1Organizational.5-06.e 06.01 Compliance with Legal Requirements | Develop acceptable use policies and procedures | 1.1.0 |
| 13 Education, Training and Awareness | 1306.06e1Organizational.5-06.e | 1306.06e1Organizational.5-06.e 06.01 Compliance with Legal Requirements | Develop organization code of conduct policy | 1.1.0 |
| 13 Education, Training and Awareness | 1306.06e1Organizational.5-06.e | 1306.06e1Organizational.5-06.e 06.01 Compliance with Legal Requirements | Document personnel acceptance of privacy requirements | 1.1.0 |
| 13 Education, Training and Awareness | 1306.06e1Organizational.5-06.e | 1306.06e1Organizational.5-06.e 06.01 Compliance with Legal Requirements | Enforce rules of behavior and access agreements | 1.1.0 |
| 13 Education, Training and Awareness | 1306.06e1Organizational.5-06.e | 1306.06e1Organizational.5-06.e 06.01 Compliance with Legal Requirements | Implement formal sanctions process | 1.1.0 |
| 13 Education, Training and Awareness | 1306.06e1Organizational.5-06.e | 1306.06e1Organizational.5-06.e 06.01 Compliance with Legal Requirements | Notify personnel upon sanctions | 1.1.0 |
| 13 Education, Training and Awareness | 1306.06e1Organizational.5-06.e | 1306.06e1Organizational.5-06.e 06.01 Compliance with Legal Requirements | Prohibit unfair practices | 1.1.0 |
| 13 Education, Training and Awareness | 1306.06e1Organizational.5-06.e | 1306.06e1Organizational.5-06.e 06.01 Compliance with Legal Requirements | Review and sign revised rules of behavior | 1.1.0 |
| 13 Education, Training and Awareness | 1306.06e1Organizational.5-06.e | 1306.06e1Organizational.5-06.e 06.01 Compliance with Legal Requirements | Update information security policies | 1.1.0 |
| 13 Education, Training and Awareness | 1306.06e1Organizational.5-06.e | 1306.06e1Organizational.5-06.e 06.01 Compliance with Legal Requirements | Update rules of behavior and access agreements | 1.1.0 |
| 13 Education, Training and Awareness | 1306.06e1Organizational.5-06.e | 1306.06e1Organizational.5-06.e 06.01 Compliance with Legal Requirements | Update rules of behavior and access agreements every 3 years | 1.1.0 |
| 13 Education, Training and Awareness | 1307.07c1Organizational.124-07.c | 1307.07c1Organizational.124-07.c 07.01 Responsibility for Assets | Develop acceptable use policies and procedures | 1.1.0 |
| 13 Education, Training and Awareness | 1307.07c1Organizational.124-07.c | 1307.07c1Organizational.124-07.c 07.01 Responsibility for Assets | Develop organization code of conduct policy | 1.1.0 |
| 13 Education, Training and Awareness | 1307.07c1Organizational.124-07.c | 1307.07c1Organizational.124-07.c 07.01 Responsibility for Assets | Document personnel acceptance of privacy requirements | 1.1.0 |
| 13 Education, Training and Awareness | 1307.07c1Organizational.124-07.c | 1307.07c1Organizational.124-07.c 07.01 Responsibility for Assets | Enforce rules of behavior and access agreements | 1.1.0 |
| 13 Education, Training and Awareness | 1307.07c1Organizational.124-07.c | 1307.07c1Organizational.124-07.c 07.01 Responsibility for Assets | Prohibit unfair practices | 1.1.0 |
| 13 Education, Training and Awareness | 1307.07c1Organizational.124-07.c | 1307.07c1Organizational.124-07.c 07.01 Responsibility for Assets | Review and sign revised rules of behavior | 1.1.0 |
| 13 Education, Training and Awareness | 1307.07c1Organizational.124-07.c | 1307.07c1Organizational.124-07.c 07.01 Responsibility for Assets | Update information security policies | 1.1.0 |
| 13 Education, Training and Awareness | 1307.07c1Organizational.124-07.c | 1307.07c1Organizational.124-07.c 07.01 Responsibility for Assets | Update rules of behavior and access agreements | 1.1.0 |
| 13 Education, Training and Awareness | 1307.07c1Organizational.124-07.c | 1307.07c1Organizational.124-07.c 07.01 Responsibility for Assets | Update rules of behavior and access agreements every 3 years | 1.1.0 |
| 13 Education, Training and Awareness | 1308.09j1Organizational.5-09.j | 1308.09j1Organizational.5-09.j 09.04 Protection Against Malicious and Mobile Code | Develop acceptable use policies and procedures | 1.1.0 |
| 13 Education, Training and Awareness | 1308.09j1Organizational.5-09.j | 1308.09j1Organizational.5-09.j 09.04 Protection Against Malicious and Mobile Code | Develop organization code of conduct policy | 1.1.0 |
| 13 Education, Training and Awareness | 1308.09j1Organizational.5-09.j | 1308.09j1Organizational.5-09.j 09.04 Protection Against Malicious and Mobile Code | Document personnel acceptance of privacy requirements | 1.1.0 |
| 13 Education, Training and Awareness | 1308.09j1Organizational.5-09.j | 1308.09j1Organizational.5-09.j 09.04 Protection Against Malicious and Mobile Code | Enforce rules of behavior and access agreements | 1.1.0 |
| 13 Education, Training and Awareness | 1308.09j1Organizational.5-09.j | 1308.09j1Organizational.5-09.j 09.04 Protection Against Malicious and Mobile Code | Prohibit unfair practices | 1.1.0 |
| 13 Education, Training and Awareness | 1308.09j1Organizational.5-09.j | 1308.09j1Organizational.5-09.j 09.04 Protection Against Malicious and Mobile Code | Provide periodic security awareness training | 1.1.0 |
| 13 Education, Training and Awareness | 1308.09j1Organizational.5-09.j | 1308.09j1Organizational.5-09.j 09.04 Protection Against Malicious and Mobile Code | Provide security training for new users | 1.1.0 |
| 13 Education, Training and Awareness | 1308.09j1Organizational.5-09.j | 1308.09j1Organizational.5-09.j 09.04 Protection Against Malicious and Mobile Code | Provide updated security awareness training | 1.1.0 |
| 13 Education, Training and Awareness | 1308.09j1Organizational.5-09.j | 1308.09j1Organizational.5-09.j 09.04 Protection Against Malicious and Mobile Code | Review and sign revised rules of behavior | 1.1.0 |
| 13 Education, Training and Awareness | 1308.09j1Organizational.5-09.j | 1308.09j1Organizational.5-09.j 09.04 Protection Against Malicious and Mobile Code | Review threat protection status weekly | 1.1.0 |
| 13 Education, Training and Awareness | 1308.09j1Organizational.5-09.j | 1308.09j1Organizational.5-09.j 09.04 Protection Against Malicious and Mobile Code | Update rules of behavior and access agreements | 1.1.0 |
| 13 Education, Training and Awareness | 1308.09j1Organizational.5-09.j | 1308.09j1Organizational.5-09.j 09.04 Protection Against Malicious and Mobile Code | Update rules of behavior and access agreements every 3 years | 1.1.0 |
| 13 Education, Training and Awareness | 1309.01x1System.36-01.x | 1309.01x1System.36-01.x 01.07 Mobile Computing and Teleworking | Provide periodic role-based security training | 1.1.0 |
| 13 Education, Training and Awareness | 1309.01x1System.36-01.x | 1309.01x1System.36-01.x 01.07 Mobile Computing and Teleworking | Provide periodic security awareness training | 1.1.0 |
| 13 Education, Training and Awareness | 1309.01x1System.36-01.x | 1309.01x1System.36-01.x 01.07 Mobile Computing and Teleworking | Provide role-based security training | 1.1.0 |
| 13 Education, Training and Awareness | 1309.01x1System.36-01.x | 1309.01x1System.36-01.x 01.07 Mobile Computing and Teleworking | Provide security training before providing access | 1.1.0 |
| 13 Education, Training and Awareness | 1309.01x1System.36-01.x | 1309.01x1System.36-01.x 01.07 Mobile Computing and Teleworking | Provide security training for new users | 1.1.0 |
| 13 Education, Training and Awareness | 1309.01x1System.36-01.x | 1309.01x1System.36-01.x 01.07 Mobile Computing and Teleworking | Provide updated security awareness training | 1.1.0 |
| 13 Education, Training and Awareness | 1310.01y1Organizational.9-01.y | 1310.01y1Organizational.9-01.y 01.07 Mobile Computing and Teleworking | Provide periodic role-based security training | 1.1.0 |
| 13 Education, Training and Awareness | 1310.01y1Organizational.9-01.y | 1310.01y1Organizational.9-01.y 01.07 Mobile Computing and Teleworking | Provide periodic security awareness training | 1.1.0 |
| 13 Education, Training and Awareness | 1310.01y1Organizational.9-01.y | 1310.01y1Organizational.9-01.y 01.07 Mobile Computing and Teleworking | Provide privacy training | 1.1.0 |
| 13 Education, Training and Awareness | 1310.01y1Organizational.9-01.y | 1310.01y1Organizational.9-01.y 01.07 Mobile Computing and Teleworking | Provide role-based practical exercises | 1.1.0 |
| 13 Education, Training and Awareness | 1310.01y1Organizational.9-01.y | 1310.01y1Organizational.9-01.y 01.07 Mobile Computing and Teleworking | Provide role-based security training | 1.1.0 |
| 13 Education, Training and Awareness | 1310.01y1Organizational.9-01.y | 1310.01y1Organizational.9-01.y 01.07 Mobile Computing and Teleworking | Provide role-based training on suspicious activities | 1.1.0 |
| 13 Education, Training and Awareness | 1310.01y1Organizational.9-01.y | 1310.01y1Organizational.9-01.y 01.07 Mobile Computing and Teleworking | Provide security awareness training for insider threats | 1.1.0 |
| 13 Education, Training and Awareness | 1310.01y1Organizational.9-01.y | 1310.01y1Organizational.9-01.y 01.07 Mobile Computing and Teleworking | Provide security training before providing access | 1.1.0 |
| 13 Education, Training and Awareness | 1310.01y1Organizational.9-01.y | 1310.01y1Organizational.9-01.y 01.07 Mobile Computing and Teleworking | Provide security training for new users | 1.1.0 |
| 13 Education, Training and Awareness | 1310.01y1Organizational.9-01.y | 1310.01y1Organizational.9-01.y 01.07 Mobile Computing and Teleworking | Provide updated security awareness training | 1.1.0 |
| 13 Education, Training and Awareness | 1311.12c2Organizational.3-12.c | 1311.12c2Organizational.3-12.c 12.01 Information Security Aspects of Business Continuity Management | Incorporate simulated contingency training | 1.1.0 |
| 13 Education, Training and Awareness | 1311.12c2Organizational.3-12.c | 1311.12c2Organizational.3-12.c 12.01 Information Security Aspects of Business Continuity Management | Provide contingency training | 1.1.0 |
| 13 Education, Training and Awareness | 1311.12c2Organizational.3-12.c | 1311.12c2Organizational.3-12.c 12.01 Information Security Aspects of Business Continuity Management | Provide information spillage training | 1.1.0 |
| 13 Education, Training and Awareness | 1313.02e1Organizational.3-02.e | 1313.02e1Organizational.3-02.e 02.03 During Employment | Provide contingency training | 1.1.0 |
| 13 Education, Training and Awareness | 1313.02e1Organizational.3-02.e | 1313.02e1Organizational.3-02.e 02.03 During Employment | Provide information spillage training | 1.1.0 |
| 13 Education, Training and Awareness | 1313.02e1Organizational.3-02.e | 1313.02e1Organizational.3-02.e 02.03 During Employment | Provide periodic role-based security training | 1.1.0 |
| 13 Education, Training and Awareness | 1314.02e2Organizational.5-02.e | 1314.02e2Organizational.5-02.e 02.03 During Employment | Document security and privacy training activities | 1.1.0 |
| 13 Education, Training and Awareness | 1314.02e2Organizational.5-02.e | 1314.02e2Organizational.5-02.e 02.03 During Employment | Establish a risk management strategy | 1.1.0 |
| 13 Education, Training and Awareness | 1314.02e2Organizational.5-02.e | 1314.02e2Organizational.5-02.e 02.03 During Employment | Perform a risk assessment | 1.1.0 |
| 13 Education, Training and Awareness | 1314.02e2Organizational.5-02.e | 1314.02e2Organizational.5-02.e 02.03 During Employment | Provide privacy training | 1.1.0 |
| 13 Education, Training and Awareness | 1315.02e2Organizational.67-02.e | 1315.02e2Organizational.67-02.e 02.03 During Employment | Provide periodic role-based security training | 1.1.0 |
| 13 Education, Training and Awareness | 1315.02e2Organizational.67-02.e | 1315.02e2Organizational.67-02.e 02.03 During Employment | Provide periodic security awareness training | 1.1.0 |
| 13 Education, Training and Awareness | 1315.02e2Organizational.67-02.e | 1315.02e2Organizational.67-02.e 02.03 During Employment | Provide privacy training | 1.1.0 |
| 13 Education, Training and Awareness | 1315.02e2Organizational.67-02.e | 1315.02e2Organizational.67-02.e 02.03 During Employment | Provide role-based security training | 1.1.0 |
| 13 Education, Training and Awareness | 1315.02e2Organizational.67-02.e | 1315.02e2Organizational.67-02.e 02.03 During Employment | Provide security training before providing access | 1.1.0 |
| 13 Education, Training and Awareness | 1315.02e2Organizational.67-02.e | 1315.02e2Organizational.67-02.e 02.03 During Employment | Provide security training for new users | 1.1.0 |
| 13 Education, Training and Awareness | 1324.07c1Organizational.3-07.c | 1324.07c1Organizational.3-07.c 07.01 Responsibility for Assets | Develop organization code of conduct policy | 1.1.0 |
| 13 Education, Training and Awareness | 1324.07c1Organizational.3-07.c | 1324.07c1Organizational.3-07.c 07.01 Responsibility for Assets | Document personnel acceptance of privacy requirements | 1.1.0 |
| 13 Education, Training and Awareness | 1324.07c1Organizational.3-07.c | 1324.07c1Organizational.3-07.c 07.01 Responsibility for Assets | Document security and privacy training activities | 1.1.0 |
| 13 Education, Training and Awareness | 1324.07c1Organizational.3-07.c | 1324.07c1Organizational.3-07.c 07.01 Responsibility for Assets | Prohibit unfair practices | 1.1.0 |
| 13 Education, Training and Awareness | 1324.07c1Organizational.3-07.c | 1324.07c1Organizational.3-07.c 07.01 Responsibility for Assets | Provide periodic role-based security training | 1.1.0 |
| 13 Education, Training and Awareness | 1324.07c1Organizational.3-07.c | 1324.07c1Organizational.3-07.c 07.01 Responsibility for Assets | Review and sign revised rules of behavior | 1.1.0 |
| 13 Education, Training and Awareness | 1324.07c1Organizational.3-07.c | 1324.07c1Organizational.3-07.c 07.01 Responsibility for Assets | Update rules of behavior and access agreements | 1.1.0 |
| 13 Education, Training and Awareness | 1324.07c1Organizational.3-07.c | 1324.07c1Organizational.3-07.c 07.01 Responsibility for Assets | Update rules of behavior and access agreements every 3 years | 1.1.0 |
| 13 Education, Training and Awareness | 1325.09s1Organizational.3-09.s | 1325.09s1Organizational.3-09.s 09.08 Exchange of Information | Develop organization code of conduct policy | 1.1.0 |
| 13 Education, Training and Awareness | 1325.09s1Organizational.3-09.s | 1325.09s1Organizational.3-09.s 09.08 Exchange of Information | Document personnel acceptance of privacy requirements | 1.1.0 |
| 13 Education, Training and Awareness | 1325.09s1Organizational.3-09.s | 1325.09s1Organizational.3-09.s 09.08 Exchange of Information | Prohibit unfair practices | 1.1.0 |
| 13 Education, Training and Awareness | 1325.09s1Organizational.3-09.s | 1325.09s1Organizational.3-09.s 09.08 Exchange of Information | Provide periodic security awareness training | 1.1.0 |
| 13 Education, Training and Awareness | 1325.09s1Organizational.3-09.s | 1325.09s1Organizational.3-09.s 09.08 Exchange of Information | Provide privacy training | 1.1.0 |
| 13 Education, Training and Awareness | 1325.09s1Organizational.3-09.s | 1325.09s1Organizational.3-09.s 09.08 Exchange of Information | Provide security training for new users | 1.1.0 |
| 13 Education, Training and Awareness | 1325.09s1Organizational.3-09.s | 1325.09s1Organizational.3-09.s 09.08 Exchange of Information | Provide updated security awareness training | 1.1.0 |
| 13 Education, Training and Awareness | 1325.09s1Organizational.3-09.s | 1325.09s1Organizational.3-09.s 09.08 Exchange of Information | Review and sign revised rules of behavior | 1.1.0 |
| 13 Education, Training and Awareness | 1325.09s1Organizational.3-09.s | 1325.09s1Organizational.3-09.s 09.08 Exchange of Information | Update rules of behavior and access agreements | 1.1.0 |
| 13 Education, Training and Awareness | 1325.09s1Organizational.3-09.s | 1325.09s1Organizational.3-09.s 09.08 Exchange of Information | Update rules of behavior and access agreements every 3 years | 1.1.0 |
| 13 Education, Training and Awareness | 1327.02e2Organizational.8-02.e | 1327.02e2Organizational.8-02.e 02.03 During Employment | Document security and privacy training activities | 1.1.0 |
| 13 Education, Training and Awareness | 1327.02e2Organizational.8-02.e | 1327.02e2Organizational.8-02.e 02.03 During Employment | Provide periodic security awareness training | 1.1.0 |
| 13 Education, Training and Awareness | 1327.02e2Organizational.8-02.e | 1327.02e2Organizational.8-02.e 02.03 During Employment | Provide security awareness training for insider threats | 1.1.0 |
| 13 Education, Training and Awareness | 1327.02e2Organizational.8-02.e | 1327.02e2Organizational.8-02.e 02.03 During Employment | Provide security training for new users | 1.1.0 |
| 13 Education, Training and Awareness | 1327.02e2Organizational.8-02.e | 1327.02e2Organizational.8-02.e 02.03 During Employment | Provide updated security awareness training | 1.1.0 |
| 13 Education, Training and Awareness | 1331.02e3Organizational.4-02.e | 1331.02e3Organizational.4-02.e 02.03 During Employment | Conduct incident response testing | 1.1.0 |
| 13 Education, Training and Awareness | 1331.02e3Organizational.4-02.e | 1331.02e3Organizational.4-02.e 02.03 During Employment | Establish an information security program | 1.1.0 |
| 13 Education, Training and Awareness | 1331.02e3Organizational.4-02.e | 1331.02e3Organizational.4-02.e 02.03 During Employment | Incorporate simulated events into incident response training | 1.1.0 |
| 13 Education, Training and Awareness | 1331.02e3Organizational.4-02.e | 1331.02e3Organizational.4-02.e 02.03 During Employment | Install an alarm system | 1.1.0 |
| 13 Education, Training and Awareness | 1331.02e3Organizational.4-02.e | 1331.02e3Organizational.4-02.e 02.03 During Employment | Manage a secure surveillance camera system | 1.1.0 |
| 13 Education, Training and Awareness | 1331.02e3Organizational.4-02.e | 1331.02e3Organizational.4-02.e 02.03 During Employment | Run simulation attacks | 1.1.0 |
| 13 Education, Training and Awareness | 1334.02e2Organizational.12-02.e | 1334.02e2Organizational.12-02.e 02.03 During Employment | Document security and privacy training activities | 1.1.0 |
| 13 Education, Training and Awareness | 1334.02e2Organizational.12-02.e | 1334.02e2Organizational.12-02.e 02.03 During Employment | Provide periodic security awareness training | 1.1.0 |
| 13 Education, Training and Awareness | 1334.02e2Organizational.12-02.e | 1334.02e2Organizational.12-02.e 02.03 During Employment | Provide security training for new users | 1.1.0 |
| 13 Education, Training and Awareness | 1334.02e2Organizational.12-02.e | 1334.02e2Organizational.12-02.e 02.03 During Employment | Provide updated security awareness training | 1.1.0 |
| 13 Education, Training and Awareness | 1336.02e1Organizational.5-02.e | 1336.02e1Organizational.5-02.e 02.03 During Employment | Provide periodic role-based security training | 1.1.0 |
| 13 Education, Training and Awareness | 1336.02e1Organizational.5-02.e | 1336.02e1Organizational.5-02.e 02.03 During Employment | Provide periodic security awareness training | 1.1.0 |
| 13 Education, Training and Awareness | 1336.02e1Organizational.5-02.e | 1336.02e1Organizational.5-02.e 02.03 During Employment | Provide role-based practical exercises | 1.1.0 |
| 13 Education, Training and Awareness | 1336.02e1Organizational.5-02.e | 1336.02e1Organizational.5-02.e 02.03 During Employment | Provide role-based training on suspicious activities | 1.1.0 |
| 13 Education, Training and Awareness | 1336.02e1Organizational.5-02.e | 1336.02e1Organizational.5-02.e 02.03 During Employment | Provide security awareness training for insider threats | 1.1.0 |
| 13 Education, Training and Awareness | 1336.02e1Organizational.5-02.e | 1336.02e1Organizational.5-02.e 02.03 During Employment | Provide security training before providing access | 1.1.0 |
| 13 Education, Training and Awareness | 1336.02e1Organizational.5-02.e | 1336.02e1Organizational.5-02.e 02.03 During Employment | Provide updated security awareness training | 1.1.0 |
| 14 Third Party Assurance | 1404.05i2Organizational.1-05.i | 1404.05i2Organizational.1-05.i 05.02 External Parties | Review and update system and services acquisition policies and procedures | 1.1.0 |
| 14 Third Party Assurance | 1406.05k1Organizational.110-05.k | 1406.05k1Organizational.110-05.k 05.02 External Parties | Determine supplier contract obligations | 1.1.0 |
| 14 Third Party Assurance | 1406.05k1Organizational.110-05.k | 1406.05k1Organizational.110-05.k 05.02 External Parties | Document acquisition contract acceptance criteria | 1.1.0 |
| 14 Third Party Assurance | 1406.05k1Organizational.110-05.k | 1406.05k1Organizational.110-05.k 05.02 External Parties | Document protection of personal data in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1406.05k1Organizational.110-05.k | 1406.05k1Organizational.110-05.k 05.02 External Parties | Document protection of security information in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1406.05k1Organizational.110-05.k | 1406.05k1Organizational.110-05.k 05.02 External Parties | Document requirements for the use of shared data in contracts | 1.1.0 |
| 14 Third Party Assurance | 1406.05k1Organizational.110-05.k | 1406.05k1Organizational.110-05.k 05.02 External Parties | Document security assurance requirements in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1406.05k1Organizational.110-05.k | 1406.05k1Organizational.110-05.k 05.02 External Parties | Document security documentation requirements in acquisition contract | 1.1.0 |
| 14 Third Party Assurance | 1406.05k1Organizational.110-05.k | 1406.05k1Organizational.110-05.k 05.02 External Parties | Document security functional requirements in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1406.05k1Organizational.110-05.k | 1406.05k1Organizational.110-05.k 05.02 External Parties | Document security strength requirements in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1406.05k1Organizational.110-05.k | 1406.05k1Organizational.110-05.k 05.02 External Parties | Document the information system environment in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1406.05k1Organizational.110-05.k | 1406.05k1Organizational.110-05.k 05.02 External Parties | Document the protection of cardholder data in third party contracts | 1.1.0 |
| 14 Third Party Assurance | 1407.05k2Organizational.1-05.k | 1407.05k2Organizational.1-05.k 05.02 External Parties | Document third-party personnel security requirements | 1.1.0 |
| 14 Third Party Assurance | 1407.05k2Organizational.1-05.k | 1407.05k2Organizational.1-05.k 05.02 External Parties | Establish third-party personnel security requirements | 1.1.0 |
| 14 Third Party Assurance | 1407.05k2Organizational.1-05.k | 1407.05k2Organizational.1-05.k 05.02 External Parties | Monitor third-party provider compliance | 1.1.0 |
| 14 Third Party Assurance | 1407.05k2Organizational.1-05.k | 1407.05k2Organizational.1-05.k 05.02 External Parties | Require notification of third-party personnel transfer or termination | 1.1.0 |
| 14 Third Party Assurance | 1407.05k2Organizational.1-05.k | 1407.05k2Organizational.1-05.k 05.02 External Parties | Require third-party providers to comply with personnel security policies and procedures | 1.1.0 |
| 14 Third Party Assurance | 1408.09e1System.1-09.e | 1408.09e1System.1-09.e 09.02 Control Third Party Service Delivery | Define and document government oversight | 1.1.0 |
| 14 Third Party Assurance | 1408.09e1System.1-09.e | 1408.09e1System.1-09.e 09.02 Control Third Party Service Delivery | Require external service providers to comply with security requirements | 1.1.0 |
| 14 Third Party Assurance | 1408.09e1System.1-09.e | 1408.09e1System.1-09.e 09.02 Control Third Party Service Delivery | Require interconnection security agreements | 1.1.0 |
| 14 Third Party Assurance | 1408.09e1System.1-09.e | 1408.09e1System.1-09.e 09.02 Control Third Party Service Delivery | Review cloud service provider's compliance with policies and agreements | 1.1.0 |
| 14 Third Party Assurance | 1408.09e1System.1-09.e | 1408.09e1System.1-09.e 09.02 Control Third Party Service Delivery | Undergo independent security review | 1.1.0 |
| 14 Third Party Assurance | 1408.09e1System.1-09.e | 1408.09e1System.1-09.e 09.02 Control Third Party Service Delivery | Update interconnection security agreements | 1.1.0 |
| 14 Third Party Assurance | 1409.09e2System.1-09.e | 1409.09e2System.1-09.e 09.02 Control Third Party Service Delivery | Determine supplier contract obligations | 1.1.0 |
| 14 Third Party Assurance | 1409.09e2System.1-09.e | 1409.09e2System.1-09.e 09.02 Control Third Party Service Delivery | Document acquisition contract acceptance criteria | 1.1.0 |
| 14 Third Party Assurance | 1409.09e2System.1-09.e | 1409.09e2System.1-09.e 09.02 Control Third Party Service Delivery | Document protection of personal data in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1409.09e2System.1-09.e | 1409.09e2System.1-09.e 09.02 Control Third Party Service Delivery | Document protection of security information in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1409.09e2System.1-09.e | 1409.09e2System.1-09.e 09.02 Control Third Party Service Delivery | Document requirements for the use of shared data in contracts | 1.1.0 |
| 14 Third Party Assurance | 1409.09e2System.1-09.e | 1409.09e2System.1-09.e 09.02 Control Third Party Service Delivery | Document security assurance requirements in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1409.09e2System.1-09.e | 1409.09e2System.1-09.e 09.02 Control Third Party Service Delivery | Document security documentation requirements in acquisition contract | 1.1.0 |
| 14 Third Party Assurance | 1409.09e2System.1-09.e | 1409.09e2System.1-09.e 09.02 Control Third Party Service Delivery | Document security functional requirements in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1409.09e2System.1-09.e | 1409.09e2System.1-09.e 09.02 Control Third Party Service Delivery | Document security strength requirements in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1409.09e2System.1-09.e | 1409.09e2System.1-09.e 09.02 Control Third Party Service Delivery | Document the information system environment in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1409.09e2System.1-09.e | 1409.09e2System.1-09.e 09.02 Control Third Party Service Delivery | Document the protection of cardholder data in third party contracts | 1.1.0 |
| 14 Third Party Assurance | 1409.09e2System.1-09.e | 1409.09e2System.1-09.e 09.02 Control Third Party Service Delivery | Document third-party personnel security requirements | 1.1.0 |
| 14 Third Party Assurance | 1409.09e2System.1-09.e | 1409.09e2System.1-09.e 09.02 Control Third Party Service Delivery | Establish third-party personnel security requirements | 1.1.0 |
| 14 Third Party Assurance | 1409.09e2System.1-09.e | 1409.09e2System.1-09.e 09.02 Control Third Party Service Delivery | Monitor third-party provider compliance | 1.1.0 |
| 14 Third Party Assurance | 1409.09e2System.1-09.e | 1409.09e2System.1-09.e 09.02 Control Third Party Service Delivery | Require third-party providers to comply with personnel security policies and procedures | 1.1.0 |
| 14 Third Party Assurance | 1410.09e2System.23-09.e | 1410.09e2System.23-09.e 09.02 Control Third Party Service Delivery | Determine supplier contract obligations | 1.1.0 |
| 14 Third Party Assurance | 1410.09e2System.23-09.e | 1410.09e2System.23-09.e 09.02 Control Third Party Service Delivery | Document acquisition contract acceptance criteria | 1.1.0 |
| 14 Third Party Assurance | 1410.09e2System.23-09.e | 1410.09e2System.23-09.e 09.02 Control Third Party Service Delivery | Document protection of personal data in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1410.09e2System.23-09.e | 1410.09e2System.23-09.e 09.02 Control Third Party Service Delivery | Document protection of security information in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1410.09e2System.23-09.e | 1410.09e2System.23-09.e 09.02 Control Third Party Service Delivery | Document requirements for the use of shared data in contracts | 1.1.0 |
| 14 Third Party Assurance | 1410.09e2System.23-09.e | 1410.09e2System.23-09.e 09.02 Control Third Party Service Delivery | Document security assurance requirements in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1410.09e2System.23-09.e | 1410.09e2System.23-09.e 09.02 Control Third Party Service Delivery | Document security documentation requirements in acquisition contract | 1.1.0 |
| 14 Third Party Assurance | 1410.09e2System.23-09.e | 1410.09e2System.23-09.e 09.02 Control Third Party Service Delivery | Document security functional requirements in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1410.09e2System.23-09.e | 1410.09e2System.23-09.e 09.02 Control Third Party Service Delivery | Document security strength requirements in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1410.09e2System.23-09.e | 1410.09e2System.23-09.e 09.02 Control Third Party Service Delivery | Document the information system environment in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1410.09e2System.23-09.e | 1410.09e2System.23-09.e 09.02 Control Third Party Service Delivery | Document the protection of cardholder data in third party contracts | 1.1.0 |
| 14 Third Party Assurance | 1411.09f1System.1-09.f | 1411.09f1System.1-09.f 09.02 Control Third Party Service Delivery | Authorize, monitor, and control voip | 1.1.0 |
| 14 Third Party Assurance | 1411.09f1System.1-09.f | 1411.09f1System.1-09.f 09.02 Control Third Party Service Delivery | Detect network services that have not been authorized or approved | 1.1.0 |
| 14 Third Party Assurance | 1411.09f1System.1-09.f | 1411.09f1System.1-09.f 09.02 Control Third Party Service Delivery | Disseminate security alerts to personnel | 1.1.0 |
| 14 Third Party Assurance | 1411.09f1System.1-09.f | 1411.09f1System.1-09.f 09.02 Control Third Party Service Delivery | Document wireless access security controls | 1.1.0 |
| 14 Third Party Assurance | 1411.09f1System.1-09.f | 1411.09f1System.1-09.f 09.02 Control Third Party Service Delivery | Establish a threat intelligence program | 1.1.0 |
| 14 Third Party Assurance | 1411.09f1System.1-09.f | 1411.09f1System.1-09.f 09.02 Control Third Party Service Delivery | Require external service providers to comply with security requirements | 1.1.0 |
| 14 Third Party Assurance | 1411.09f1System.1-09.f | 1411.09f1System.1-09.f 09.02 Control Third Party Service Delivery | Review cloud service provider's compliance with policies and agreements | 1.1.0 |
| 14 Third Party Assurance | 1411.09f1System.1-09.f | 1411.09f1System.1-09.f 09.02 Control Third Party Service Delivery | Route traffic through managed network access points | 1.1.0 |
| 14 Third Party Assurance | 1411.09f1System.1-09.f | 1411.09f1System.1-09.f 09.02 Control Third Party Service Delivery | Undergo independent security review | 1.1.0 |
| 14 Third Party Assurance | 1416.10l1Organizational.1-10.l | 1416.10l1Organizational.1-10.l 10.05 Security In Development and Support Processes | Determine supplier contract obligations | 1.1.0 |
| 14 Third Party Assurance | 1416.10l1Organizational.1-10.l | 1416.10l1Organizational.1-10.l 10.05 Security In Development and Support Processes | Document acquisition contract acceptance criteria | 1.1.0 |
| 14 Third Party Assurance | 1416.10l1Organizational.1-10.l | 1416.10l1Organizational.1-10.l 10.05 Security In Development and Support Processes | Document protection of personal data in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1416.10l1Organizational.1-10.l | 1416.10l1Organizational.1-10.l 10.05 Security In Development and Support Processes | Document protection of security information in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1416.10l1Organizational.1-10.l | 1416.10l1Organizational.1-10.l 10.05 Security In Development and Support Processes | Document requirements for the use of shared data in contracts | 1.1.0 |
| 14 Third Party Assurance | 1416.10l1Organizational.1-10.l | 1416.10l1Organizational.1-10.l 10.05 Security In Development and Support Processes | Document security assurance requirements in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1416.10l1Organizational.1-10.l | 1416.10l1Organizational.1-10.l 10.05 Security In Development and Support Processes | Document security documentation requirements in acquisition contract | 1.1.0 |
| 14 Third Party Assurance | 1416.10l1Organizational.1-10.l | 1416.10l1Organizational.1-10.l 10.05 Security In Development and Support Processes | Document security functional requirements in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1416.10l1Organizational.1-10.l | 1416.10l1Organizational.1-10.l 10.05 Security In Development and Support Processes | Document security strength requirements in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1416.10l1Organizational.1-10.l | 1416.10l1Organizational.1-10.l 10.05 Security In Development and Support Processes | Document the information system environment in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1416.10l1Organizational.1-10.l | 1416.10l1Organizational.1-10.l 10.05 Security In Development and Support Processes | Document the protection of cardholder data in third party contracts | 1.1.0 |
| 14 Third Party Assurance | 1417.10l2Organizational.1-10.l | 1417.10l2Organizational.1-10.l 10.05 Security In Development and Support Processes | Determine supplier contract obligations | 1.1.0 |
| 14 Third Party Assurance | 1417.10l2Organizational.1-10.l | 1417.10l2Organizational.1-10.l 10.05 Security In Development and Support Processes | Document acquisition contract acceptance criteria | 1.1.0 |
| 14 Third Party Assurance | 1417.10l2Organizational.1-10.l | 1417.10l2Organizational.1-10.l 10.05 Security In Development and Support Processes | Document protection of personal data in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1417.10l2Organizational.1-10.l | 1417.10l2Organizational.1-10.l 10.05 Security In Development and Support Processes | Document protection of security information in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1417.10l2Organizational.1-10.l | 1417.10l2Organizational.1-10.l 10.05 Security In Development and Support Processes | Document requirements for the use of shared data in contracts | 1.1.0 |
| 14 Third Party Assurance | 1417.10l2Organizational.1-10.l | 1417.10l2Organizational.1-10.l 10.05 Security In Development and Support Processes | Document security assurance requirements in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1417.10l2Organizational.1-10.l | 1417.10l2Organizational.1-10.l 10.05 Security In Development and Support Processes | Document security documentation requirements in acquisition contract | 1.1.0 |
| 14 Third Party Assurance | 1417.10l2Organizational.1-10.l | 1417.10l2Organizational.1-10.l 10.05 Security In Development and Support Processes | Document security functional requirements in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1417.10l2Organizational.1-10.l | 1417.10l2Organizational.1-10.l 10.05 Security In Development and Support Processes | Document security strength requirements in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1417.10l2Organizational.1-10.l | 1417.10l2Organizational.1-10.l 10.05 Security In Development and Support Processes | Document the information system environment in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1417.10l2Organizational.1-10.l | 1417.10l2Organizational.1-10.l 10.05 Security In Development and Support Processes | Document the protection of cardholder data in third party contracts | 1.1.0 |
| 14 Third Party Assurance | 1417.10l2Organizational.1-10.l | 1417.10l2Organizational.1-10.l 10.05 Security In Development and Support Processes | Require developers to produce evidence of security assessment plan execution | 1.1.0 |
| 14 Third Party Assurance | 1419.05j1Organizational.12-05.j | 1419.05j1Organizational.12-05.j 05.02 External Parties | Determine supplier contract obligations | 1.1.0 |
| 14 Third Party Assurance | 1419.05j1Organizational.12-05.j | 1419.05j1Organizational.12-05.j 05.02 External Parties | Document acquisition contract acceptance criteria | 1.1.0 |
| 14 Third Party Assurance | 1419.05j1Organizational.12-05.j | 1419.05j1Organizational.12-05.j 05.02 External Parties | Document protection of personal data in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1419.05j1Organizational.12-05.j | 1419.05j1Organizational.12-05.j 05.02 External Parties | Document protection of security information in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1419.05j1Organizational.12-05.j | 1419.05j1Organizational.12-05.j 05.02 External Parties | Document requirements for the use of shared data in contracts | 1.1.0 |
| 14 Third Party Assurance | 1419.05j1Organizational.12-05.j | 1419.05j1Organizational.12-05.j 05.02 External Parties | Document security assurance requirements in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1419.05j1Organizational.12-05.j | 1419.05j1Organizational.12-05.j 05.02 External Parties | Document security documentation requirements in acquisition contract | 1.1.0 |
| 14 Third Party Assurance | 1419.05j1Organizational.12-05.j | 1419.05j1Organizational.12-05.j 05.02 External Parties | Document security functional requirements in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1419.05j1Organizational.12-05.j | 1419.05j1Organizational.12-05.j 05.02 External Parties | Document security strength requirements in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1419.05j1Organizational.12-05.j | 1419.05j1Organizational.12-05.j 05.02 External Parties | Document the information system environment in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1419.05j1Organizational.12-05.j | 1419.05j1Organizational.12-05.j 05.02 External Parties | Document the protection of cardholder data in third party contracts | 1.1.0 |
| 14 Third Party Assurance | 1421.05j2Organizational.12-05.j | 1421.05j2Organizational.12-05.j 05.02 External Parties | Determine supplier contract obligations | 1.1.0 |
| 14 Third Party Assurance | 1421.05j2Organizational.12-05.j | 1421.05j2Organizational.12-05.j 05.02 External Parties | Document acquisition contract acceptance criteria | 1.1.0 |
| 14 Third Party Assurance | 1421.05j2Organizational.12-05.j | 1421.05j2Organizational.12-05.j 05.02 External Parties | Document protection of personal data in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1421.05j2Organizational.12-05.j | 1421.05j2Organizational.12-05.j 05.02 External Parties | Document protection of security information in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1421.05j2Organizational.12-05.j | 1421.05j2Organizational.12-05.j 05.02 External Parties | Document requirements for the use of shared data in contracts | 1.1.0 |
| 14 Third Party Assurance | 1421.05j2Organizational.12-05.j | 1421.05j2Organizational.12-05.j 05.02 External Parties | Document security assurance requirements in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1421.05j2Organizational.12-05.j | 1421.05j2Organizational.12-05.j 05.02 External Parties | Document security documentation requirements in acquisition contract | 1.1.0 |
| 14 Third Party Assurance | 1421.05j2Organizational.12-05.j | 1421.05j2Organizational.12-05.j 05.02 External Parties | Document security functional requirements in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1421.05j2Organizational.12-05.j | 1421.05j2Organizational.12-05.j 05.02 External Parties | Document the information system environment in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1421.05j2Organizational.12-05.j | 1421.05j2Organizational.12-05.j 05.02 External Parties | Document the protection of cardholder data in third party contracts | 1.1.0 |
| 14 Third Party Assurance | 1422.05j2Organizational.3-05.j | 1422.05j2Organizational.3-05.j 05.02 External Parties | Ensure external providers consistently meet interests of the customers | 1.1.0 |
| 14 Third Party Assurance | 1422.05j2Organizational.3-05.j | 1422.05j2Organizational.3-05.j 05.02 External Parties | Identify external service providers | 1.1.0 |
| 14 Third Party Assurance | 1422.05j2Organizational.3-05.j | 1422.05j2Organizational.3-05.j 05.02 External Parties | Obtain approvals for acquisitions and outsourcing | 1.1.0 |
| 14 Third Party Assurance | 1422.05j2Organizational.3-05.j | 1422.05j2Organizational.3-05.j 05.02 External Parties | Require external service providers to comply with security requirements | 1.1.0 |
| 14 Third Party Assurance | 1422.05j2Organizational.3-05.j | 1422.05j2Organizational.3-05.j 05.02 External Parties | Review cloud service provider's compliance with policies and agreements | 1.1.0 |
| 14 Third Party Assurance | 1422.05j2Organizational.3-05.j | 1422.05j2Organizational.3-05.j 05.02 External Parties | Undergo independent security review | 1.1.0 |
| 14 Third Party Assurance | 1423.05j2Organizational.4-05.j | 1423.05j2Organizational.4-05.j 05.02 External Parties | Control use of portable storage devices | 1.1.0 |
| 14 Third Party Assurance | 1423.05j2Organizational.4-05.j | 1423.05j2Organizational.4-05.j 05.02 External Parties | Employ boundary protection to isolate information systems | 1.1.0 |
| 14 Third Party Assurance | 1423.05j2Organizational.4-05.j | 1423.05j2Organizational.4-05.j 05.02 External Parties | Ensure external providers consistently meet interests of the customers | 1.1.0 |
| 14 Third Party Assurance | 1423.05j2Organizational.4-05.j | 1423.05j2Organizational.4-05.j 05.02 External Parties | Establish terms and conditions for accessing resources | 1.1.0 |
| 14 Third Party Assurance | 1423.05j2Organizational.4-05.j | 1423.05j2Organizational.4-05.j 05.02 External Parties | Establish terms and conditions for processing resources | 1.1.0 |
| 14 Third Party Assurance | 1423.05j2Organizational.4-05.j | 1423.05j2Organizational.4-05.j 05.02 External Parties | Require external service providers to comply with security requirements | 1.1.0 |
| 14 Third Party Assurance | 1423.05j2Organizational.4-05.j | 1423.05j2Organizational.4-05.j 05.02 External Parties | Review cloud service provider's compliance with policies and agreements | 1.1.0 |
| 14 Third Party Assurance | 1423.05j2Organizational.4-05.j | 1423.05j2Organizational.4-05.j 05.02 External Parties | Undergo independent security review | 1.1.0 |
| 14 Third Party Assurance | 1423.05j2Organizational.4-05.j | 1423.05j2Organizational.4-05.j 05.02 External Parties | Verify security controls for external information systems | 1.1.0 |
| 14 Third Party Assurance | 1424.05j2Organizational.5-05.j | 1424.05j2Organizational.5-05.j 05.02 External Parties | Accept only FICAM-approved third-party credentials | 1.1.0 |
| 14 Third Party Assurance | 1424.05j2Organizational.5-05.j | 1424.05j2Organizational.5-05.j 05.02 External Parties | Accept PIV credentials | 1.1.0 |
| 14 Third Party Assurance | 1424.05j2Organizational.5-05.j | 1424.05j2Organizational.5-05.j 05.02 External Parties | Conform to FICAM-issued profiles | 1.1.0 |
| 14 Third Party Assurance | 1424.05j2Organizational.5-05.j | 1424.05j2Organizational.5-05.j 05.02 External Parties | Employ FICAM-approved resources to accept third-party credentials | 1.1.0 |
| 14 Third Party Assurance | 1424.05j2Organizational.5-05.j | 1424.05j2Organizational.5-05.j 05.02 External Parties | Enforce user uniqueness | 1.1.0 |
| 14 Third Party Assurance | 1424.05j2Organizational.5-05.j | 1424.05j2Organizational.5-05.j 05.02 External Parties | Identify and authenticate non-organizational users | 1.1.0 |
| 14 Third Party Assurance | 1424.05j2Organizational.5-05.j | 1424.05j2Organizational.5-05.j 05.02 External Parties | Support personal verification credentials issued by legal authorities | 1.1.0 |
| 14 Third Party Assurance | 1424.05j2Organizational.5-05.j | 1424.05j2Organizational.5-05.j 05.02 External Parties | Verify identity before distributing authenticators | 1.1.0 |
| 14 Third Party Assurance | 1429.05k1Organizational.34-05.k | 1429.05k1Organizational.34-05.k 05.02 External Parties | Determine supplier contract obligations | 1.1.0 |
| 14 Third Party Assurance | 1429.05k1Organizational.34-05.k | 1429.05k1Organizational.34-05.k 05.02 External Parties | Document acquisition contract acceptance criteria | 1.1.0 |
| 14 Third Party Assurance | 1429.05k1Organizational.34-05.k | 1429.05k1Organizational.34-05.k 05.02 External Parties | Document protection of personal data in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1429.05k1Organizational.34-05.k | 1429.05k1Organizational.34-05.k 05.02 External Parties | Document protection of security information in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1429.05k1Organizational.34-05.k | 1429.05k1Organizational.34-05.k 05.02 External Parties | Document requirements for the use of shared data in contracts | 1.1.0 |
| 14 Third Party Assurance | 1429.05k1Organizational.34-05.k | 1429.05k1Organizational.34-05.k 05.02 External Parties | Document security assurance requirements in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1429.05k1Organizational.34-05.k | 1429.05k1Organizational.34-05.k 05.02 External Parties | Document security documentation requirements in acquisition contract | 1.1.0 |
| 14 Third Party Assurance | 1429.05k1Organizational.34-05.k | 1429.05k1Organizational.34-05.k 05.02 External Parties | Document security functional requirements in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1429.05k1Organizational.34-05.k | 1429.05k1Organizational.34-05.k 05.02 External Parties | Document the information system environment in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1429.05k1Organizational.34-05.k | 1429.05k1Organizational.34-05.k 05.02 External Parties | Document the protection of cardholder data in third party contracts | 1.1.0 |
| 14 Third Party Assurance | 1429.05k1Organizational.34-05.k | 1429.05k1Organizational.34-05.k 05.02 External Parties | Document third-party personnel security requirements | 1.1.0 |
| 14 Third Party Assurance | 1429.05k1Organizational.34-05.k | 1429.05k1Organizational.34-05.k 05.02 External Parties | Establish third-party personnel security requirements | 1.1.0 |
| 14 Third Party Assurance | 1429.05k1Organizational.34-05.k | 1429.05k1Organizational.34-05.k 05.02 External Parties | Monitor third-party provider compliance | 1.1.0 |
| 14 Third Party Assurance | 1429.05k1Organizational.34-05.k | 1429.05k1Organizational.34-05.k 05.02 External Parties | Require third-party providers to comply with personnel security policies and procedures | 1.1.0 |
| 14 Third Party Assurance | 1430.05k1Organizational.56-05.k | 1430.05k1Organizational.56-05.k 05.02 External Parties | Determine supplier contract obligations | 1.1.0 |
| 14 Third Party Assurance | 1430.05k1Organizational.56-05.k | 1430.05k1Organizational.56-05.k 05.02 External Parties | Document acquisition contract acceptance criteria | 1.1.0 |
| 14 Third Party Assurance | 1430.05k1Organizational.56-05.k | 1430.05k1Organizational.56-05.k 05.02 External Parties | Document protection of personal data in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1430.05k1Organizational.56-05.k | 1430.05k1Organizational.56-05.k 05.02 External Parties | Document protection of security information in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1430.05k1Organizational.56-05.k | 1430.05k1Organizational.56-05.k 05.02 External Parties | Document requirements for the use of shared data in contracts | 1.1.0 |
| 14 Third Party Assurance | 1430.05k1Organizational.56-05.k | 1430.05k1Organizational.56-05.k 05.02 External Parties | Document security assurance requirements in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1430.05k1Organizational.56-05.k | 1430.05k1Organizational.56-05.k 05.02 External Parties | Document security documentation requirements in acquisition contract | 1.1.0 |
| 14 Third Party Assurance | 1430.05k1Organizational.56-05.k | 1430.05k1Organizational.56-05.k 05.02 External Parties | Document security functional requirements in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1430.05k1Organizational.56-05.k | 1430.05k1Organizational.56-05.k 05.02 External Parties | Document the information system environment in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1430.05k1Organizational.56-05.k | 1430.05k1Organizational.56-05.k 05.02 External Parties | Document the protection of cardholder data in third party contracts | 1.1.0 |
| 14 Third Party Assurance | 1430.05k1Organizational.56-05.k | 1430.05k1Organizational.56-05.k 05.02 External Parties | Document third-party personnel security requirements | 1.1.0 |
| 14 Third Party Assurance | 1430.05k1Organizational.56-05.k | 1430.05k1Organizational.56-05.k 05.02 External Parties | Establish third-party personnel security requirements | 1.1.0 |
| 14 Third Party Assurance | 1430.05k1Organizational.56-05.k | 1430.05k1Organizational.56-05.k 05.02 External Parties | Require third-party providers to comply with personnel security policies and procedures | 1.1.0 |
| 14 Third Party Assurance | 1431.05k1Organizational.7-05.k | 1431.05k1Organizational.7-05.k 05.02 External Parties | Document third-party personnel security requirements | 1.1.0 |
| 14 Third Party Assurance | 1431.05k1Organizational.7-05.k | 1431.05k1Organizational.7-05.k 05.02 External Parties | Establish third-party personnel security requirements | 1.1.0 |
| 14 Third Party Assurance | 1431.05k1Organizational.7-05.k | 1431.05k1Organizational.7-05.k 05.02 External Parties | Monitor third-party provider compliance | 1.1.0 |
| 14 Third Party Assurance | 1431.05k1Organizational.7-05.k | 1431.05k1Organizational.7-05.k 05.02 External Parties | Require notification of third-party personnel transfer or termination | 1.1.0 |
| 14 Third Party Assurance | 1431.05k1Organizational.7-05.k | 1431.05k1Organizational.7-05.k 05.02 External Parties | Require third-party providers to comply with personnel security policies and procedures | 1.1.0 |
| 14 Third Party Assurance | 1432.05k1Organizational.89-05.k | 1432.05k1Organizational.89-05.k 05.02 External Parties | Clear personnel with access to classified information | 1.1.0 |
| 14 Third Party Assurance | 1432.05k1Organizational.89-05.k | 1432.05k1Organizational.89-05.k 05.02 External Parties | Document third-party personnel security requirements | 1.1.0 |
| 14 Third Party Assurance | 1432.05k1Organizational.89-05.k | 1432.05k1Organizational.89-05.k 05.02 External Parties | Establish privacy requirements for contractors and service providers | 1.1.0 |
| 14 Third Party Assurance | 1432.05k1Organizational.89-05.k | 1432.05k1Organizational.89-05.k 05.02 External Parties | Establish third-party personnel security requirements | 1.1.0 |
| 14 Third Party Assurance | 1432.05k1Organizational.89-05.k | 1432.05k1Organizational.89-05.k 05.02 External Parties | Implement personnel screening | 1.1.0 |
| 14 Third Party Assurance | 1432.05k1Organizational.89-05.k | 1432.05k1Organizational.89-05.k 05.02 External Parties | Monitor third-party provider compliance | 1.1.0 |
| 14 Third Party Assurance | 1432.05k1Organizational.89-05.k | 1432.05k1Organizational.89-05.k 05.02 External Parties | Require third-party providers to comply with personnel security policies and procedures | 1.1.0 |
| 14 Third Party Assurance | 1438.09e2System.4-09.e | 1438.09e2System.4-09.e 09.02 Control Third Party Service Delivery | Determine supplier contract obligations | 1.1.0 |
| 14 Third Party Assurance | 1438.09e2System.4-09.e | 1438.09e2System.4-09.e 09.02 Control Third Party Service Delivery | Document acquisition contract acceptance criteria | 1.1.0 |
| 14 Third Party Assurance | 1438.09e2System.4-09.e | 1438.09e2System.4-09.e 09.02 Control Third Party Service Delivery | Document protection of personal data in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1438.09e2System.4-09.e | 1438.09e2System.4-09.e 09.02 Control Third Party Service Delivery | Document protection of security information in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1438.09e2System.4-09.e | 1438.09e2System.4-09.e 09.02 Control Third Party Service Delivery | Document requirements for the use of shared data in contracts | 1.1.0 |
| 14 Third Party Assurance | 1438.09e2System.4-09.e | 1438.09e2System.4-09.e 09.02 Control Third Party Service Delivery | Document security assurance requirements in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1438.09e2System.4-09.e | 1438.09e2System.4-09.e 09.02 Control Third Party Service Delivery | Document security documentation requirements in acquisition contract | 1.1.0 |
| 14 Third Party Assurance | 1438.09e2System.4-09.e | 1438.09e2System.4-09.e 09.02 Control Third Party Service Delivery | Document security functional requirements in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1438.09e2System.4-09.e | 1438.09e2System.4-09.e 09.02 Control Third Party Service Delivery | Document the information system environment in acquisition contracts | 1.1.0 |
| 14 Third Party Assurance | 1438.09e2System.4-09.e | 1438.09e2System.4-09.e 09.02 Control Third Party Service Delivery | Document the protection of cardholder data in third party contracts | 1.1.0 |
| 14 Third Party Assurance | 1438.09e2System.4-09.e | 1438.09e2System.4-09.e 09.02 Control Third Party Service Delivery | Ensure external providers consistently meet interests of the customers | 1.1.0 |
| 14 Third Party Assurance | 1438.09e2System.4-09.e | 1438.09e2System.4-09.e 09.02 Control Third Party Service Delivery | Require external service providers to comply with security requirements | 1.1.0 |
| 14 Third Party Assurance | 1438.09e2System.4-09.e | 1438.09e2System.4-09.e 09.02 Control Third Party Service Delivery | Review cloud service provider's compliance with policies and agreements | 1.1.0 |
| 14 Third Party Assurance | 1438.09e2System.4-09.e | 1438.09e2System.4-09.e 09.02 Control Third Party Service Delivery | Undergo independent security review | 1.1.0 |
| 14 Third Party Assurance | 1450.05i2Organizational.2-05.i | 1450.05i2Organizational.2-05.i 05.02 External Parties | Assess risk in third party relationships | 1.1.0 |
| 14 Third Party Assurance | 1450.05i2Organizational.2-05.i | 1450.05i2Organizational.2-05.i 05.02 External Parties | Define and document government oversight | 1.1.0 |
| 14 Third Party Assurance | 1450.05i2Organizational.2-05.i | 1450.05i2Organizational.2-05.i 05.02 External Parties | Define requirements for supplying goods and services | 1.1.0 |
| 14 Third Party Assurance | 1450.05i2Organizational.2-05.i | 1450.05i2Organizational.2-05.i 05.02 External Parties | Determine supplier contract obligations | 1.1.0 |
| 14 Third Party Assurance | 1450.05i2Organizational.2-05.i | 1450.05i2Organizational.2-05.i 05.02 External Parties | Establish policies for supply chain risk management | 1.1.0 |
| 14 Third Party Assurance | 1450.05i2Organizational.2-05.i | 1450.05i2Organizational.2-05.i 05.02 External Parties | Identify incident response personnel | 1.1.0 |
| 14 Third Party Assurance | 1450.05i2Organizational.2-05.i | 1450.05i2Organizational.2-05.i 05.02 External Parties | Require external service providers to comply with security requirements | 1.1.0 |
| 14 Third Party Assurance | 1450.05i2Organizational.2-05.i | 1450.05i2Organizational.2-05.i 05.02 External Parties | Review cloud service provider's compliance with policies and agreements | 1.1.0 |
| 14 Third Party Assurance | 1450.05i2Organizational.2-05.i | 1450.05i2Organizational.2-05.i 05.02 External Parties | Undergo independent security review | 1.1.0 |
| 14 Third Party Assurance | 1451.05iCSPOrganizational.2-05.i | 1451.05iCSPOrganizational.2-05.i 05.02 External Parties | Assess risk in third party relationships | 1.1.0 |
| 14 Third Party Assurance | 1451.05iCSPOrganizational.2-05.i | 1451.05iCSPOrganizational.2-05.i 05.02 External Parties | Audit privileged functions | 1.1.0 |
| 14 Third Party Assurance | 1451.05iCSPOrganizational.2-05.i | 1451.05iCSPOrganizational.2-05.i 05.02 External Parties | Authorize access to security functions and information | 1.1.0 |
| 14 Third Party Assurance | 1451.05iCSPOrganizational.2-05.i | 1451.05iCSPOrganizational.2-05.i 05.02 External Parties | Authorize and manage access | 1.1.0 |
| 14 Third Party Assurance | 1451.05iCSPOrganizational.2-05.i | 1451.05iCSPOrganizational.2-05.i 05.02 External Parties | Conduct a full text analysis of logged privileged commands | 1.1.0 |
| 14 Third Party Assurance | 1451.05iCSPOrganizational.2-05.i | 1451.05iCSPOrganizational.2-05.i 05.02 External Parties | Define access authorizations to support separation of duties | 1.1.0 |
| 14 Third Party Assurance | 1451.05iCSPOrganizational.2-05.i | 1451.05iCSPOrganizational.2-05.i 05.02 External Parties | Define and document government oversight | 1.1.0 |
| 14 Third Party Assurance | 1451.05iCSPOrganizational.2-05.i | 1451.05iCSPOrganizational.2-05.i 05.02 External Parties | Define requirements for supplying goods and services | 1.1.0 |
| 14 Third Party Assurance | 1451.05iCSPOrganizational.2-05.i | 1451.05iCSPOrganizational.2-05.i 05.02 External Parties | Determine supplier contract obligations | 1.1.0 |
| 14 Third Party Assurance | 1451.05iCSPOrganizational.2-05.i | 1451.05iCSPOrganizational.2-05.i 05.02 External Parties | Document separation of duties | 1.1.0 |
| 14 Third Party Assurance | 1451.05iCSPOrganizational.2-05.i | 1451.05iCSPOrganizational.2-05.i 05.02 External Parties | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 14 Third Party Assurance | 1451.05iCSPOrganizational.2-05.i | 1451.05iCSPOrganizational.2-05.i 05.02 External Parties | Enforce software execution privileges | 1.1.0 |
| 14 Third Party Assurance | 1451.05iCSPOrganizational.2-05.i | 1451.05iCSPOrganizational.2-05.i 05.02 External Parties | Establish policies for supply chain risk management | 1.1.0 |
| 14 Third Party Assurance | 1451.05iCSPOrganizational.2-05.i | 1451.05iCSPOrganizational.2-05.i 05.02 External Parties | Monitor privileged role assignment | 1.1.0 |
| 14 Third Party Assurance | 1451.05iCSPOrganizational.2-05.i | 1451.05iCSPOrganizational.2-05.i 05.02 External Parties | Require external service providers to comply with security requirements | 1.1.0 |
| 14 Third Party Assurance | 1451.05iCSPOrganizational.2-05.i | 1451.05iCSPOrganizational.2-05.i 05.02 External Parties | Review cloud service provider's compliance with policies and agreements | 1.1.0 |
| 14 Third Party Assurance | 1451.05iCSPOrganizational.2-05.i | 1451.05iCSPOrganizational.2-05.i 05.02 External Parties | Revoke privileged roles as appropriate | 1.1.0 |
| 14 Third Party Assurance | 1451.05iCSPOrganizational.2-05.i | 1451.05iCSPOrganizational.2-05.i 05.02 External Parties | Separate duties of individuals | 1.1.0 |
| 14 Third Party Assurance | 1451.05iCSPOrganizational.2-05.i | 1451.05iCSPOrganizational.2-05.i 05.02 External Parties | Undergo independent security review | 1.1.0 |
| 14 Third Party Assurance | 1451.05iCSPOrganizational.2-05.i | 1451.05iCSPOrganizational.2-05.i 05.02 External Parties | Use privileged identity management | 1.1.0 |
| 14 Third Party Assurance | 1452.05kCSPOrganizational.1-05.k | 1452.05kCSPOrganizational.1-05.k 05.02 External Parties | Document third-party personnel security requirements | 1.1.0 |
| 14 Third Party Assurance | 1452.05kCSPOrganizational.1-05.k | 1452.05kCSPOrganizational.1-05.k 05.02 External Parties | Establish third-party personnel security requirements | 1.1.0 |
| 14 Third Party Assurance | 1452.05kCSPOrganizational.1-05.k | 1452.05kCSPOrganizational.1-05.k 05.02 External Parties | Require third-party providers to comply with personnel security policies and procedures | 1.1.0 |
| 14 Third Party Assurance | 1453.05kCSPOrganizational.2-05.k | 1453.05kCSPOrganizational.2-05.k 05.02 External Parties | Assess risk in third party relationships | 1.1.0 |
| 14 Third Party Assurance | 1453.05kCSPOrganizational.2-05.k | 1453.05kCSPOrganizational.2-05.k 05.02 External Parties | Define requirements for supplying goods and services | 1.1.0 |
| 14 Third Party Assurance | 1453.05kCSPOrganizational.2-05.k | 1453.05kCSPOrganizational.2-05.k 05.02 External Parties | Determine supplier contract obligations | 1.1.0 |
| 14 Third Party Assurance | 1453.05kCSPOrganizational.2-05.k | 1453.05kCSPOrganizational.2-05.k 05.02 External Parties | Ensure external providers consistently meet interests of the customers | 1.1.0 |
| 14 Third Party Assurance | 1453.05kCSPOrganizational.2-05.k | 1453.05kCSPOrganizational.2-05.k 05.02 External Parties | Establish an information security program | 1.1.0 |
| 14 Third Party Assurance | 1453.05kCSPOrganizational.2-05.k | 1453.05kCSPOrganizational.2-05.k 05.02 External Parties | Establish policies for supply chain risk management | 1.1.0 |
| 14 Third Party Assurance | 1453.05kCSPOrganizational.2-05.k | 1453.05kCSPOrganizational.2-05.k 05.02 External Parties | Establish third-party personnel security requirements | 1.1.0 |
| 14 Third Party Assurance | 1453.05kCSPOrganizational.2-05.k | 1453.05kCSPOrganizational.2-05.k 05.02 External Parties | Require external service providers to comply with security requirements | 1.1.0 |
| 14 Third Party Assurance | 1453.05kCSPOrganizational.2-05.k | 1453.05kCSPOrganizational.2-05.k 05.02 External Parties | Review cloud service provider's compliance with policies and agreements | 1.1.0 |
| 14 Third Party Assurance | 1453.05kCSPOrganizational.2-05.k | 1453.05kCSPOrganizational.2-05.k 05.02 External Parties | Undergo independent security review | 1.1.0 |
| 14 Third Party Assurance | 1454.05kCSPOrganizational.3-05.k | 1454.05kCSPOrganizational.3-05.k 05.02 External Parties | Assess risk in third party relationships | 1.1.0 |
| 14 Third Party Assurance | 1454.05kCSPOrganizational.3-05.k | 1454.05kCSPOrganizational.3-05.k 05.02 External Parties | Define and document government oversight | 1.1.0 |
| 14 Third Party Assurance | 1454.05kCSPOrganizational.3-05.k | 1454.05kCSPOrganizational.3-05.k 05.02 External Parties | Define requirements for supplying goods and services | 1.1.0 |
| 14 Third Party Assurance | 1454.05kCSPOrganizational.3-05.k | 1454.05kCSPOrganizational.3-05.k 05.02 External Parties | Establish policies for supply chain risk management | 1.1.0 |
| 14 Third Party Assurance | 1454.05kCSPOrganizational.3-05.k | 1454.05kCSPOrganizational.3-05.k 05.02 External Parties | Identify external service providers | 1.1.0 |
| 14 Third Party Assurance | 1454.05kCSPOrganizational.3-05.k | 1454.05kCSPOrganizational.3-05.k 05.02 External Parties | Require external service providers to comply with security requirements | 1.1.0 |
| 14 Third Party Assurance | 1454.05kCSPOrganizational.3-05.k | 1454.05kCSPOrganizational.3-05.k 05.02 External Parties | Review cloud service provider's compliance with policies and agreements | 1.1.0 |
| 14 Third Party Assurance | 1454.05kCSPOrganizational.3-05.k | 1454.05kCSPOrganizational.3-05.k 05.02 External Parties | Undergo independent security review | 1.1.0 |
| 14 Third Party Assurance | 1455.05kCSPOrganizational.4-05.k | 1455.05kCSPOrganizational.4-05.k 05.02 External Parties | Define and document government oversight | 1.1.0 |
| 14 Third Party Assurance | 1455.05kCSPOrganizational.4-05.k | 1455.05kCSPOrganizational.4-05.k 05.02 External Parties | Document third-party personnel security requirements | 1.1.0 |
| 14 Third Party Assurance | 1455.05kCSPOrganizational.4-05.k | 1455.05kCSPOrganizational.4-05.k 05.02 External Parties | Establish third-party personnel security requirements | 1.1.0 |
| 14 Third Party Assurance | 1455.05kCSPOrganizational.4-05.k | 1455.05kCSPOrganizational.4-05.k 05.02 External Parties | Monitor third-party provider compliance | 1.1.0 |
| 14 Third Party Assurance | 1455.05kCSPOrganizational.4-05.k | 1455.05kCSPOrganizational.4-05.k 05.02 External Parties | Require external service providers to comply with security requirements | 1.1.0 |
| 14 Third Party Assurance | 1455.05kCSPOrganizational.4-05.k | 1455.05kCSPOrganizational.4-05.k 05.02 External Parties | Require notification of third-party personnel transfer or termination | 1.1.0 |
| 14 Third Party Assurance | 1455.05kCSPOrganizational.4-05.k | 1455.05kCSPOrganizational.4-05.k 05.02 External Parties | Require third-party providers to comply with personnel security policies and procedures | 1.1.0 |
| 14 Third Party Assurance | 1455.05kCSPOrganizational.4-05.k | 1455.05kCSPOrganizational.4-05.k 05.02 External Parties | Review cloud service provider's compliance with policies and agreements | 1.1.0 |
| 14 Third Party Assurance | 1455.05kCSPOrganizational.4-05.k | 1455.05kCSPOrganizational.4-05.k 05.02 External Parties | Undergo independent security review | 1.1.0 |
| 14 Third Party Assurance | 1464.09e2Organizational.5-09.e | 1464.09e2Organizational.5-09.e 09.02 Control Third Party Service Delivery | Create separate alternate and primary storage sites | 1.1.0 |
| 14 Third Party Assurance | 1464.09e2Organizational.5-09.e | 1464.09e2Organizational.5-09.e 09.02 Control Third Party Service Delivery | Ensure alternate storage site safeguards are equivalent to primary site | 1.1.0 |
| 14 Third Party Assurance | 1464.09e2Organizational.5-09.e | 1464.09e2Organizational.5-09.e 09.02 Control Third Party Service Delivery | Establish an alternate processing site | 1.1.0 |
| 14 Third Party Assurance | 1464.09e2Organizational.5-09.e | 1464.09e2Organizational.5-09.e 09.02 Control Third Party Service Delivery | Identify and mitigate potential issues at alternate storage site | 1.1.0 |
| 14 Third Party Assurance | 1464.09e2Organizational.5-09.e | 1464.09e2Organizational.5-09.e 09.02 Control Third Party Service Delivery | Recover and reconstitute resources after any disruption | 1.1.1 |
| 15 Incident Management | 1501.02f1Organizational.123-02.f | 1501.02f1Organizational.123-02.f 02.03 During Employment | Assess information security events | 1.1.0 |
| 15 Incident Management | 1501.02f1Organizational.123-02.f | 1501.02f1Organizational.123-02.f 02.03 During Employment | Develop an incident response plan | 1.1.0 |
| 15 Incident Management | 1501.02f1Organizational.123-02.f | 1501.02f1Organizational.123-02.f 02.03 During Employment | Develop security safeguards | 1.1.0 |
| 15 Incident Management | 1501.02f1Organizational.123-02.f | 1501.02f1Organizational.123-02.f 02.03 During Employment | Enable network protection | 1.1.0 |
| 15 Incident Management | 1501.02f1Organizational.123-02.f | 1501.02f1Organizational.123-02.f 02.03 During Employment | Eradicate contaminated information | 1.1.0 |
| 15 Incident Management | 1501.02f1Organizational.123-02.f | 1501.02f1Organizational.123-02.f 02.03 During Employment | Execute actions in response to information spills | 1.1.0 |
| 15 Incident Management | 1501.02f1Organizational.123-02.f | 1501.02f1Organizational.123-02.f 02.03 During Employment | Implement formal sanctions process | 1.1.0 |
| 15 Incident Management | 1501.02f1Organizational.123-02.f | 1501.02f1Organizational.123-02.f 02.03 During Employment | Implement incident handling | 1.1.0 |
| 15 Incident Management | 1501.02f1Organizational.123-02.f | 1501.02f1Organizational.123-02.f 02.03 During Employment | Maintain incident response plan | 1.1.0 |
| 15 Incident Management | 1501.02f1Organizational.123-02.f | 1501.02f1Organizational.123-02.f 02.03 During Employment | Notify personnel upon sanctions | 1.1.0 |
| 15 Incident Management | 1501.02f1Organizational.123-02.f | 1501.02f1Organizational.123-02.f 02.03 During Employment | View and investigate restricted users | 1.1.0 |
| 15 Incident Management | 1503.02f2Organizational.12-02.f | 1503.02f2Organizational.12-02.f 02.03 During Employment | Develop an incident response plan | 1.1.0 |
| 15 Incident Management | 1503.02f2Organizational.12-02.f | 1503.02f2Organizational.12-02.f 02.03 During Employment | Develop security safeguards | 1.1.0 |
| 15 Incident Management | 1503.02f2Organizational.12-02.f | 1503.02f2Organizational.12-02.f 02.03 During Employment | Document security operations | 1.1.0 |
| 15 Incident Management | 1503.02f2Organizational.12-02.f | 1503.02f2Organizational.12-02.f 02.03 During Employment | Enable network protection | 1.1.0 |
| 15 Incident Management | 1503.02f2Organizational.12-02.f | 1503.02f2Organizational.12-02.f 02.03 During Employment | Eradicate contaminated information | 1.1.0 |
| 15 Incident Management | 1503.02f2Organizational.12-02.f | 1503.02f2Organizational.12-02.f 02.03 During Employment | Execute actions in response to information spills | 1.1.0 |
| 15 Incident Management | 1503.02f2Organizational.12-02.f | 1503.02f2Organizational.12-02.f 02.03 During Employment | Implement formal sanctions process | 1.1.0 |
| 15 Incident Management | 1503.02f2Organizational.12-02.f | 1503.02f2Organizational.12-02.f 02.03 During Employment | Implement incident handling | 1.1.0 |
| 15 Incident Management | 1503.02f2Organizational.12-02.f | 1503.02f2Organizational.12-02.f 02.03 During Employment | Implement Incident handling capability | 1.1.0 |
| 15 Incident Management | 1503.02f2Organizational.12-02.f | 1503.02f2Organizational.12-02.f 02.03 During Employment | Notify personnel upon sanctions | 1.1.0 |
| 15 Incident Management | 1503.02f2Organizational.12-02.f | 1503.02f2Organizational.12-02.f 02.03 During Employment | View and investigate restricted users | 1.1.0 |
| 15 Incident Management | 1504.06e1Organizational.34-06.e | 1504.06e1Organizational.34-06.e 06.01 Compliance with Legal Requirements | Authorize access to security functions and information | 1.1.0 |
| 15 Incident Management | 1504.06e1Organizational.34-06.e | 1504.06e1Organizational.34-06.e 06.01 Compliance with Legal Requirements | Authorize and manage access | 1.1.0 |
| 15 Incident Management | 1504.06e1Organizational.34-06.e | 1504.06e1Organizational.34-06.e 06.01 Compliance with Legal Requirements | Create a data inventory | 1.1.0 |
| 15 Incident Management | 1504.06e1Organizational.34-06.e | 1504.06e1Organizational.34-06.e 06.01 Compliance with Legal Requirements | Develop an incident response plan | 1.1.0 |
| 15 Incident Management | 1504.06e1Organizational.34-06.e | 1504.06e1Organizational.34-06.e 06.01 Compliance with Legal Requirements | Document security operations | 1.1.0 |
| 15 Incident Management | 1504.06e1Organizational.34-06.e | 1504.06e1Organizational.34-06.e 06.01 Compliance with Legal Requirements | Enable detection of network devices | 1.1.0 |
| 15 Incident Management | 1504.06e1Organizational.34-06.e | 1504.06e1Organizational.34-06.e 06.01 Compliance with Legal Requirements | Enable network protection | 1.1.0 |
| 15 Incident Management | 1504.06e1Organizational.34-06.e | 1504.06e1Organizational.34-06.e 06.01 Compliance with Legal Requirements | Enforce logical access | 1.1.0 |
| 15 Incident Management | 1504.06e1Organizational.34-06.e | 1504.06e1Organizational.34-06.e 06.01 Compliance with Legal Requirements | Establish relationship between incident response capability and external providers | 1.1.0 |
| 15 Incident Management | 1504.06e1Organizational.34-06.e | 1504.06e1Organizational.34-06.e 06.01 Compliance with Legal Requirements | Implement formal sanctions process | 1.1.0 |
| 15 Incident Management | 1504.06e1Organizational.34-06.e | 1504.06e1Organizational.34-06.e 06.01 Compliance with Legal Requirements | Implement incident handling | 1.1.0 |
| 15 Incident Management | 1504.06e1Organizational.34-06.e | 1504.06e1Organizational.34-06.e 06.01 Compliance with Legal Requirements | Maintain records of processing of personal data | 1.1.0 |
| 15 Incident Management | 1504.06e1Organizational.34-06.e | 1504.06e1Organizational.34-06.e 06.01 Compliance with Legal Requirements | Notify personnel upon sanctions | 1.1.0 |
| 15 Incident Management | 1504.06e1Organizational.34-06.e | 1504.06e1Organizational.34-06.e 06.01 Compliance with Legal Requirements | Require approval for account creation | 1.1.0 |
| 15 Incident Management | 1504.06e1Organizational.34-06.e | 1504.06e1Organizational.34-06.e 06.01 Compliance with Legal Requirements | Review user groups and applications with access to sensitive data | 1.1.0 |
| 15 Incident Management | 1504.06e1Organizational.34-06.e | 1504.06e1Organizational.34-06.e 06.01 Compliance with Legal Requirements | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| 15 Incident Management | 1505.11a1Organizational.13-11.a | 1505.11a1Organizational.13-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Assess information security events | 1.1.0 |
| 15 Incident Management | 1505.11a1Organizational.13-11.a | 1505.11a1Organizational.13-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Conduct incident response testing | 1.1.0 |
| 15 Incident Management | 1505.11a1Organizational.13-11.a | 1505.11a1Organizational.13-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Develop an incident response plan | 1.1.0 |
| 15 Incident Management | 1505.11a1Organizational.13-11.a | 1505.11a1Organizational.13-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Develop security safeguards | 1.1.0 |
| 15 Incident Management | 1505.11a1Organizational.13-11.a | 1505.11a1Organizational.13-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Document security operations | 1.1.0 |
| 15 Incident Management | 1505.11a1Organizational.13-11.a | 1505.11a1Organizational.13-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Enable network protection | 1.1.0 |
| 15 Incident Management | 1505.11a1Organizational.13-11.a | 1505.11a1Organizational.13-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Eradicate contaminated information | 1.1.0 |
| 15 Incident Management | 1505.11a1Organizational.13-11.a | 1505.11a1Organizational.13-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Establish an information security program | 1.1.0 |
| 15 Incident Management | 1505.11a1Organizational.13-11.a | 1505.11a1Organizational.13-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Establish relationship between incident response capability and external providers | 1.1.0 |
| 15 Incident Management | 1505.11a1Organizational.13-11.a | 1505.11a1Organizational.13-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Execute actions in response to information spills | 1.1.0 |
| 15 Incident Management | 1505.11a1Organizational.13-11.a | 1505.11a1Organizational.13-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Identify classes of Incidents and Actions taken | 1.1.0 |
| 15 Incident Management | 1505.11a1Organizational.13-11.a | 1505.11a1Organizational.13-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Identify incident response personnel | 1.1.0 |
| 15 Incident Management | 1505.11a1Organizational.13-11.a | 1505.11a1Organizational.13-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Implement incident handling | 1.1.0 |
| 15 Incident Management | 1505.11a1Organizational.13-11.a | 1505.11a1Organizational.13-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Maintain data breach records | 1.1.0 |
| 15 Incident Management | 1505.11a1Organizational.13-11.a | 1505.11a1Organizational.13-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Maintain incident response plan | 1.1.0 |
| 15 Incident Management | 1505.11a1Organizational.13-11.a | 1505.11a1Organizational.13-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Protect incident response plan | 1.1.0 |
| 15 Incident Management | 1505.11a1Organizational.13-11.a | 1505.11a1Organizational.13-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Provide information spillage training | 1.1.0 |
| 15 Incident Management | 1505.11a1Organizational.13-11.a | 1505.11a1Organizational.13-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Run simulation attacks | 1.1.0 |
| 15 Incident Management | 1505.11a1Organizational.13-11.a | 1505.11a1Organizational.13-11.a 11.01 Reporting Information Security Incidents and Weaknesses | View and investigate restricted users | 1.1.0 |
| 15 Incident Management | 1506.11a1Organizational.2-11.a | 1506.11a1Organizational.2-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Coordinate contingency plans with related plans | 1.1.0 |
| 15 Incident Management | 1506.11a1Organizational.2-11.a | 1506.11a1Organizational.2-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Develop an incident response plan | 1.1.0 |
| 15 Incident Management | 1506.11a1Organizational.2-11.a | 1506.11a1Organizational.2-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Document security operations | 1.1.0 |
| 15 Incident Management | 1506.11a1Organizational.2-11.a | 1506.11a1Organizational.2-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Enable network protection | 1.1.0 |
| 15 Incident Management | 1506.11a1Organizational.2-11.a | 1506.11a1Organizational.2-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Eradicate contaminated information | 1.1.0 |
| 15 Incident Management | 1506.11a1Organizational.2-11.a | 1506.11a1Organizational.2-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Establish a privacy program | 1.1.0 |
| 15 Incident Management | 1506.11a1Organizational.2-11.a | 1506.11a1Organizational.2-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Execute actions in response to information spills | 1.1.0 |
| 15 Incident Management | 1506.11a1Organizational.2-11.a | 1506.11a1Organizational.2-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Implement incident handling | 1.1.0 |
| 15 Incident Management | 1506.11a1Organizational.2-11.a | 1506.11a1Organizational.2-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Manage contacts for authorities and special interest groups | 1.1.0 |
| 15 Incident Management | 1506.11a1Organizational.2-11.a | 1506.11a1Organizational.2-11.a 11.01 Reporting Information Security Incidents and Weaknesses | View and investigate restricted users | 1.1.0 |
| 15 Incident Management | 1507.11a1Organizational.4-11.a | 1507.11a1Organizational.4-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Implement an insider threat program | 1.1.0 |
| 15 Incident Management | 1507.11a1Organizational.4-11.a | 1507.11a1Organizational.4-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Implement Incident handling capability | 1.1.0 |
| 15 Incident Management | 1507.11a1Organizational.4-11.a | 1507.11a1Organizational.4-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Provide security awareness training for insider threats | 1.1.0 |
| 15 Incident Management | 1508.11a2Organizational.1-11.a | 1508.11a2Organizational.1-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Develop an incident response plan | 1.1.0 |
| 15 Incident Management | 1508.11a2Organizational.1-11.a | 1508.11a2Organizational.1-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Document security operations | 1.1.0 |
| 15 Incident Management | 1508.11a2Organizational.1-11.a | 1508.11a2Organizational.1-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Enable network protection | 1.1.0 |
| 15 Incident Management | 1508.11a2Organizational.1-11.a | 1508.11a2Organizational.1-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Eradicate contaminated information | 1.1.0 |
| 15 Incident Management | 1508.11a2Organizational.1-11.a | 1508.11a2Organizational.1-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Execute actions in response to information spills | 1.1.0 |
| 15 Incident Management | 1508.11a2Organizational.1-11.a | 1508.11a2Organizational.1-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Implement incident handling | 1.1.0 |
| 15 Incident Management | 1508.11a2Organizational.1-11.a | 1508.11a2Organizational.1-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Provide information spillage training | 1.1.0 |
| 15 Incident Management | 1508.11a2Organizational.1-11.a | 1508.11a2Organizational.1-11.a 11.01 Reporting Information Security Incidents and Weaknesses | View and investigate restricted users | 1.1.0 |
| 15 Incident Management | 1509.11a2Organizational.236-11.a | 1509.11a2Organizational.236-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Conduct incident response testing | 1.1.0 |
| 15 Incident Management | 1509.11a2Organizational.236-11.a | 1509.11a2Organizational.236-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Coordinate contingency plans with related plans | 1.1.0 |
| 15 Incident Management | 1509.11a2Organizational.236-11.a | 1509.11a2Organizational.236-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Develop an incident response plan | 1.1.0 |
| 15 Incident Management | 1509.11a2Organizational.236-11.a | 1509.11a2Organizational.236-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Develop security safeguards | 1.1.0 |
| 15 Incident Management | 1509.11a2Organizational.236-11.a | 1509.11a2Organizational.236-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Document security operations | 1.1.0 |
| 15 Incident Management | 1509.11a2Organizational.236-11.a | 1509.11a2Organizational.236-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Enable network protection | 1.1.0 |
| 15 Incident Management | 1509.11a2Organizational.236-11.a | 1509.11a2Organizational.236-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Eradicate contaminated information | 1.1.0 |
| 15 Incident Management | 1509.11a2Organizational.236-11.a | 1509.11a2Organizational.236-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Establish an information security program | 1.1.0 |
| 15 Incident Management | 1509.11a2Organizational.236-11.a | 1509.11a2Organizational.236-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Execute actions in response to information spills | 1.1.0 |
| 15 Incident Management | 1509.11a2Organizational.236-11.a | 1509.11a2Organizational.236-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Identify classes of Incidents and Actions taken | 1.1.0 |
| 15 Incident Management | 1509.11a2Organizational.236-11.a | 1509.11a2Organizational.236-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Implement incident handling | 1.1.0 |
| 15 Incident Management | 1509.11a2Organizational.236-11.a | 1509.11a2Organizational.236-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Maintain data breach records | 1.1.0 |
| 15 Incident Management | 1509.11a2Organizational.236-11.a | 1509.11a2Organizational.236-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Maintain incident response plan | 1.1.0 |
| 15 Incident Management | 1509.11a2Organizational.236-11.a | 1509.11a2Organizational.236-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Protect incident response plan | 1.1.0 |
| 15 Incident Management | 1509.11a2Organizational.236-11.a | 1509.11a2Organizational.236-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Provide information spillage training | 1.1.0 |
| 15 Incident Management | 1509.11a2Organizational.236-11.a | 1509.11a2Organizational.236-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Run simulation attacks | 1.1.0 |
| 15 Incident Management | 1509.11a2Organizational.236-11.a | 1509.11a2Organizational.236-11.a 11.01 Reporting Information Security Incidents and Weaknesses | View and investigate restricted users | 1.1.0 |
| 15 Incident Management | 1510.11a2Organizational.47-11.a | 1510.11a2Organizational.47-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Assess information security events | 1.1.0 |
| 15 Incident Management | 1510.11a2Organizational.47-11.a | 1510.11a2Organizational.47-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Conduct incident response testing | 1.1.0 |
| 15 Incident Management | 1510.11a2Organizational.47-11.a | 1510.11a2Organizational.47-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Develop an incident response plan | 1.1.0 |
| 15 Incident Management | 1510.11a2Organizational.47-11.a | 1510.11a2Organizational.47-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Document security operations | 1.1.0 |
| 15 Incident Management | 1510.11a2Organizational.47-11.a | 1510.11a2Organizational.47-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Establish an information security program | 1.1.0 |
| 15 Incident Management | 1510.11a2Organizational.47-11.a | 1510.11a2Organizational.47-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Implement incident handling | 1.1.0 |
| 15 Incident Management | 1510.11a2Organizational.47-11.a | 1510.11a2Organizational.47-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Maintain data breach records | 1.1.0 |
| 15 Incident Management | 1510.11a2Organizational.47-11.a | 1510.11a2Organizational.47-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Maintain incident response plan | 1.1.0 |
| 15 Incident Management | 1510.11a2Organizational.47-11.a | 1510.11a2Organizational.47-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Protect incident response plan | 1.1.0 |
| 15 Incident Management | 1510.11a2Organizational.47-11.a | 1510.11a2Organizational.47-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Provide information spillage training | 1.1.0 |
| 15 Incident Management | 1510.11a2Organizational.47-11.a | 1510.11a2Organizational.47-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Run simulation attacks | 1.1.0 |
| 15 Incident Management | 1511.11a2Organizational.5-11.a | 1511.11a2Organizational.5-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Assess information security events | 1.1.0 |
| 15 Incident Management | 1511.11a2Organizational.5-11.a | 1511.11a2Organizational.5-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Coordinate contingency plans with related plans | 1.1.0 |
| 15 Incident Management | 1511.11a2Organizational.5-11.a | 1511.11a2Organizational.5-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Develop an incident response plan | 1.1.0 |
| 15 Incident Management | 1511.11a2Organizational.5-11.a | 1511.11a2Organizational.5-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Develop security safeguards | 1.1.0 |
| 15 Incident Management | 1511.11a2Organizational.5-11.a | 1511.11a2Organizational.5-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Document security operations | 1.1.0 |
| 15 Incident Management | 1511.11a2Organizational.5-11.a | 1511.11a2Organizational.5-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Enable network protection | 1.1.0 |
| 15 Incident Management | 1511.11a2Organizational.5-11.a | 1511.11a2Organizational.5-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Eradicate contaminated information | 1.1.0 |
| 15 Incident Management | 1511.11a2Organizational.5-11.a | 1511.11a2Organizational.5-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Execute actions in response to information spills | 1.1.0 |
| 15 Incident Management | 1511.11a2Organizational.5-11.a | 1511.11a2Organizational.5-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Implement incident handling | 1.1.0 |
| 15 Incident Management | 1511.11a2Organizational.5-11.a | 1511.11a2Organizational.5-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Incorporate simulated events into incident response training | 1.1.0 |
| 15 Incident Management | 1511.11a2Organizational.5-11.a | 1511.11a2Organizational.5-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Maintain incident response plan | 1.1.0 |
| 15 Incident Management | 1511.11a2Organizational.5-11.a | 1511.11a2Organizational.5-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Provide information spillage training | 1.1.0 |
| 15 Incident Management | 1511.11a2Organizational.5-11.a | 1511.11a2Organizational.5-11.a 11.01 Reporting Information Security Incidents and Weaknesses | View and investigate restricted users | 1.1.0 |
| 15 Incident Management | 1512.11a2Organizational.8-11.a | 1512.11a2Organizational.8-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Alert personnel of information spillage | 1.1.0 |
| 15 Incident Management | 1512.11a2Organizational.8-11.a | 1512.11a2Organizational.8-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Correlate audit records | 1.1.0 |
| 15 Incident Management | 1512.11a2Organizational.8-11.a | 1512.11a2Organizational.8-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Develop an incident response plan | 1.1.0 |
| 15 Incident Management | 1512.11a2Organizational.8-11.a | 1512.11a2Organizational.8-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Document security operations | 1.1.0 |
| 15 Incident Management | 1512.11a2Organizational.8-11.a | 1512.11a2Organizational.8-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Document wireless access security controls | 1.1.0 |
| 15 Incident Management | 1512.11a2Organizational.8-11.a | 1512.11a2Organizational.8-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Establish requirements for audit review and reporting | 1.1.0 |
| 15 Incident Management | 1512.11a2Organizational.8-11.a | 1512.11a2Organizational.8-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Integrate audit review, analysis, and reporting | 1.1.0 |
| 15 Incident Management | 1512.11a2Organizational.8-11.a | 1512.11a2Organizational.8-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Integrate cloud app security with a siem | 1.1.0 |
| 15 Incident Management | 1512.11a2Organizational.8-11.a | 1512.11a2Organizational.8-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Review account provisioning logs | 1.1.0 |
| 15 Incident Management | 1512.11a2Organizational.8-11.a | 1512.11a2Organizational.8-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Review administrator assignments weekly | 1.1.0 |
| 15 Incident Management | 1512.11a2Organizational.8-11.a | 1512.11a2Organizational.8-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Review audit data | 1.1.0 |
| 15 Incident Management | 1512.11a2Organizational.8-11.a | 1512.11a2Organizational.8-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Review cloud identity report overview | 1.1.0 |
| 15 Incident Management | 1512.11a2Organizational.8-11.a | 1512.11a2Organizational.8-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Review controlled folder access events | 1.1.0 |
| 15 Incident Management | 1512.11a2Organizational.8-11.a | 1512.11a2Organizational.8-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Review file and folder activity | 1.1.0 |
| 15 Incident Management | 1512.11a2Organizational.8-11.a | 1512.11a2Organizational.8-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Review role group changes weekly | 1.1.0 |
| 15 Incident Management | 1512.11a2Organizational.8-11.a | 1512.11a2Organizational.8-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| 15 Incident Management | 1512.11a2Organizational.8-11.a | 1512.11a2Organizational.8-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Turn on sensors for endpoint security solution | 1.1.0 |
| 15 Incident Management | 1515.11a3Organizational.3-11.a | 1515.11a3Organizational.3-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Assess information security events | 1.1.0 |
| 15 Incident Management | 1515.11a3Organizational.3-11.a | 1515.11a3Organizational.3-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Coordinate contingency plans with related plans | 1.1.0 |
| 15 Incident Management | 1515.11a3Organizational.3-11.a | 1515.11a3Organizational.3-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Develop an incident response plan | 1.1.0 |
| 15 Incident Management | 1515.11a3Organizational.3-11.a | 1515.11a3Organizational.3-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Develop security safeguards | 1.1.0 |
| 15 Incident Management | 1515.11a3Organizational.3-11.a | 1515.11a3Organizational.3-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Enable network protection | 1.1.0 |
| 15 Incident Management | 1515.11a3Organizational.3-11.a | 1515.11a3Organizational.3-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Eradicate contaminated information | 1.1.0 |
| 15 Incident Management | 1515.11a3Organizational.3-11.a | 1515.11a3Organizational.3-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Execute actions in response to information spills | 1.1.0 |
| 15 Incident Management | 1515.11a3Organizational.3-11.a | 1515.11a3Organizational.3-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Identify classes of Incidents and Actions taken | 1.1.0 |
| 15 Incident Management | 1515.11a3Organizational.3-11.a | 1515.11a3Organizational.3-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Implement incident handling | 1.1.0 |
| 15 Incident Management | 1515.11a3Organizational.3-11.a | 1515.11a3Organizational.3-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Maintain incident response plan | 1.1.0 |
| 15 Incident Management | 1515.11a3Organizational.3-11.a | 1515.11a3Organizational.3-11.a 11.01 Reporting Information Security Incidents and Weaknesses | View and investigate restricted users | 1.1.0 |
| 15 Incident Management | 1516.11c1Organizational.12-11.c | 1516.11c1Organizational.12-11.c 11.02 Management of Information Security Incidents and Improvements | Assess information security events | 1.1.0 |
| 15 Incident Management | 1516.11c1Organizational.12-11.c | 1516.11c1Organizational.12-11.c 11.02 Management of Information Security Incidents and Improvements | Conduct incident response testing | 1.1.0 |
| 15 Incident Management | 1516.11c1Organizational.12-11.c | 1516.11c1Organizational.12-11.c 11.02 Management of Information Security Incidents and Improvements | Document security operations | 1.1.0 |
| 15 Incident Management | 1516.11c1Organizational.12-11.c | 1516.11c1Organizational.12-11.c 11.02 Management of Information Security Incidents and Improvements | Establish an information security program | 1.1.0 |
| 15 Incident Management | 1516.11c1Organizational.12-11.c | 1516.11c1Organizational.12-11.c 11.02 Management of Information Security Incidents and Improvements | Implement incident handling | 1.1.0 |
| 15 Incident Management | 1516.11c1Organizational.12-11.c | 1516.11c1Organizational.12-11.c 11.02 Management of Information Security Incidents and Improvements | Maintain data breach records | 1.1.0 |
| 15 Incident Management | 1516.11c1Organizational.12-11.c | 1516.11c1Organizational.12-11.c 11.02 Management of Information Security Incidents and Improvements | Maintain incident response plan | 1.1.0 |
| 15 Incident Management | 1516.11c1Organizational.12-11.c | 1516.11c1Organizational.12-11.c 11.02 Management of Information Security Incidents and Improvements | Protect incident response plan | 1.1.0 |
| 15 Incident Management | 1516.11c1Organizational.12-11.c | 1516.11c1Organizational.12-11.c 11.02 Management of Information Security Incidents and Improvements | Provide information spillage training | 1.1.0 |
| 15 Incident Management | 1516.11c1Organizational.12-11.c | 1516.11c1Organizational.12-11.c 11.02 Management of Information Security Incidents and Improvements | Run simulation attacks | 1.1.0 |
| 15 Incident Management | 1517.11c1Organizational.3-11.c | 1517.11c1Organizational.3-11.c 11.02 Management of Information Security Incidents and Improvements | Assess information security events | 1.1.0 |
| 15 Incident Management | 1517.11c1Organizational.3-11.c | 1517.11c1Organizational.3-11.c 11.02 Management of Information Security Incidents and Improvements | Document security operations | 1.1.0 |
| 15 Incident Management | 1517.11c1Organizational.3-11.c | 1517.11c1Organizational.3-11.c 11.02 Management of Information Security Incidents and Improvements | Implement incident handling | 1.1.0 |
| 15 Incident Management | 1517.11c1Organizational.3-11.c | 1517.11c1Organizational.3-11.c 11.02 Management of Information Security Incidents and Improvements | Maintain data breach records | 1.1.0 |
| 15 Incident Management | 1517.11c1Organizational.3-11.c | 1517.11c1Organizational.3-11.c 11.02 Management of Information Security Incidents and Improvements | Maintain incident response plan | 1.1.0 |
| 15 Incident Management | 1517.11c1Organizational.3-11.c | 1517.11c1Organizational.3-11.c 11.02 Management of Information Security Incidents and Improvements | Protect incident response plan | 1.1.0 |
| 15 Incident Management | 1518.11c2Organizational.13-11.c | 1518.11c2Organizational.13-11.c 11.02 Management of Information Security Incidents and Improvements | Review and update incident response policies and procedures | 1.1.0 |
| 15 Incident Management | 1519.11c2Organizational.2-11.c | 1519.11c2Organizational.2-11.c 11.02 Management of Information Security Incidents and Improvements | Correlate audit records | 1.1.0 |
| 15 Incident Management | 1519.11c2Organizational.2-11.c | 1519.11c2Organizational.2-11.c 11.02 Management of Information Security Incidents and Improvements | Document security operations | 1.1.0 |
| 15 Incident Management | 1519.11c2Organizational.2-11.c | 1519.11c2Organizational.2-11.c 11.02 Management of Information Security Incidents and Improvements | Establish requirements for audit review and reporting | 1.1.0 |
| 15 Incident Management | 1519.11c2Organizational.2-11.c | 1519.11c2Organizational.2-11.c 11.02 Management of Information Security Incidents and Improvements | Integrate Audit record analysis | 1.1.0 |
| 15 Incident Management | 1519.11c2Organizational.2-11.c | 1519.11c2Organizational.2-11.c 11.02 Management of Information Security Incidents and Improvements | Integrate audit review, analysis, and reporting | 1.1.0 |
| 15 Incident Management | 1519.11c2Organizational.2-11.c | 1519.11c2Organizational.2-11.c 11.02 Management of Information Security Incidents and Improvements | Integrate cloud app security with a siem | 1.1.0 |
| 15 Incident Management | 1519.11c2Organizational.2-11.c | 1519.11c2Organizational.2-11.c 11.02 Management of Information Security Incidents and Improvements | Provide capability to process customer-controlled audit records | 1.1.0 |
| 15 Incident Management | 1519.11c2Organizational.2-11.c | 1519.11c2Organizational.2-11.c 11.02 Management of Information Security Incidents and Improvements | Review account provisioning logs | 1.1.0 |
| 15 Incident Management | 1519.11c2Organizational.2-11.c | 1519.11c2Organizational.2-11.c 11.02 Management of Information Security Incidents and Improvements | Review administrator assignments weekly | 1.1.0 |
| 15 Incident Management | 1519.11c2Organizational.2-11.c | 1519.11c2Organizational.2-11.c 11.02 Management of Information Security Incidents and Improvements | Review audit data | 1.1.0 |
| 15 Incident Management | 1519.11c2Organizational.2-11.c | 1519.11c2Organizational.2-11.c 11.02 Management of Information Security Incidents and Improvements | Review cloud identity report overview | 1.1.0 |
| 15 Incident Management | 1519.11c2Organizational.2-11.c | 1519.11c2Organizational.2-11.c 11.02 Management of Information Security Incidents and Improvements | Review controlled folder access events | 1.1.0 |
| 15 Incident Management | 1519.11c2Organizational.2-11.c | 1519.11c2Organizational.2-11.c 11.02 Management of Information Security Incidents and Improvements | Review file and folder activity | 1.1.0 |
| 15 Incident Management | 1519.11c2Organizational.2-11.c | 1519.11c2Organizational.2-11.c 11.02 Management of Information Security Incidents and Improvements | Review role group changes weekly | 1.1.0 |
| 15 Incident Management | 1520.11c2Organizational.4-11.c | 1520.11c2Organizational.4-11.c 11.02 Management of Information Security Incidents and Improvements | Assess information security events | 1.1.0 |
| 15 Incident Management | 1520.11c2Organizational.4-11.c | 1520.11c2Organizational.4-11.c 11.02 Management of Information Security Incidents and Improvements | Conduct incident response testing | 1.1.0 |
| 15 Incident Management | 1520.11c2Organizational.4-11.c | 1520.11c2Organizational.4-11.c 11.02 Management of Information Security Incidents and Improvements | Establish an information security program | 1.1.0 |
| 15 Incident Management | 1520.11c2Organizational.4-11.c | 1520.11c2Organizational.4-11.c 11.02 Management of Information Security Incidents and Improvements | Implement incident handling | 1.1.0 |
| 15 Incident Management | 1520.11c2Organizational.4-11.c | 1520.11c2Organizational.4-11.c 11.02 Management of Information Security Incidents and Improvements | Maintain data breach records | 1.1.0 |
| 15 Incident Management | 1520.11c2Organizational.4-11.c | 1520.11c2Organizational.4-11.c 11.02 Management of Information Security Incidents and Improvements | Maintain incident response plan | 1.1.0 |
| 15 Incident Management | 1520.11c2Organizational.4-11.c | 1520.11c2Organizational.4-11.c 11.02 Management of Information Security Incidents and Improvements | Protect incident response plan | 1.1.0 |
| 15 Incident Management | 1520.11c2Organizational.4-11.c | 1520.11c2Organizational.4-11.c 11.02 Management of Information Security Incidents and Improvements | Run simulation attacks | 1.1.0 |
| 15 Incident Management | 1521.11c2Organizational.56-11.c | 1521.11c2Organizational.56-11.c 11.02 Management of Information Security Incidents and Improvements | Assess information security events | 1.1.0 |
| 15 Incident Management | 1521.11c2Organizational.56-11.c | 1521.11c2Organizational.56-11.c 11.02 Management of Information Security Incidents and Improvements | Conduct incident response testing | 1.1.0 |
| 15 Incident Management | 1521.11c2Organizational.56-11.c | 1521.11c2Organizational.56-11.c 11.02 Management of Information Security Incidents and Improvements | Coordinate contingency plans with related plans | 1.1.0 |
| 15 Incident Management | 1521.11c2Organizational.56-11.c | 1521.11c2Organizational.56-11.c 11.02 Management of Information Security Incidents and Improvements | Develop security safeguards | 1.1.0 |
| 15 Incident Management | 1521.11c2Organizational.56-11.c | 1521.11c2Organizational.56-11.c 11.02 Management of Information Security Incidents and Improvements | Enable network protection | 1.1.0 |
| 15 Incident Management | 1521.11c2Organizational.56-11.c | 1521.11c2Organizational.56-11.c 11.02 Management of Information Security Incidents and Improvements | Eradicate contaminated information | 1.1.0 |
| 15 Incident Management | 1521.11c2Organizational.56-11.c | 1521.11c2Organizational.56-11.c 11.02 Management of Information Security Incidents and Improvements | Establish an information security program | 1.1.0 |
| 15 Incident Management | 1521.11c2Organizational.56-11.c | 1521.11c2Organizational.56-11.c 11.02 Management of Information Security Incidents and Improvements | Execute actions in response to information spills | 1.1.0 |
| 15 Incident Management | 1521.11c2Organizational.56-11.c | 1521.11c2Organizational.56-11.c 11.02 Management of Information Security Incidents and Improvements | Identify classes of Incidents and Actions taken | 1.1.0 |
| 15 Incident Management | 1521.11c2Organizational.56-11.c | 1521.11c2Organizational.56-11.c 11.02 Management of Information Security Incidents and Improvements | Implement incident handling | 1.1.0 |
| 15 Incident Management | 1521.11c2Organizational.56-11.c | 1521.11c2Organizational.56-11.c 11.02 Management of Information Security Incidents and Improvements | Implement Incident handling capability | 1.1.0 |
| 15 Incident Management | 1521.11c2Organizational.56-11.c | 1521.11c2Organizational.56-11.c 11.02 Management of Information Security Incidents and Improvements | Incorporate simulated events into incident response training | 1.1.0 |
| 15 Incident Management | 1521.11c2Organizational.56-11.c | 1521.11c2Organizational.56-11.c 11.02 Management of Information Security Incidents and Improvements | Maintain incident response plan | 1.1.0 |
| 15 Incident Management | 1521.11c2Organizational.56-11.c | 1521.11c2Organizational.56-11.c 11.02 Management of Information Security Incidents and Improvements | Provide information spillage training | 1.1.0 |
| 15 Incident Management | 1521.11c2Organizational.56-11.c | 1521.11c2Organizational.56-11.c 11.02 Management of Information Security Incidents and Improvements | Run simulation attacks | 1.1.0 |
| 15 Incident Management | 1521.11c2Organizational.56-11.c | 1521.11c2Organizational.56-11.c 11.02 Management of Information Security Incidents and Improvements | View and investigate restricted users | 1.1.0 |
| 15 Incident Management | 1522.11c3Organizational.13-11.c | 1522.11c3Organizational.13-11.c 11.02 Management of Information Security Incidents and Improvements | Document security operations | 1.1.0 |
| 15 Incident Management | 1522.11c3Organizational.13-11.c | 1522.11c3Organizational.13-11.c 11.02 Management of Information Security Incidents and Improvements | Enable network protection | 1.1.0 |
| 15 Incident Management | 1522.11c3Organizational.13-11.c | 1522.11c3Organizational.13-11.c 11.02 Management of Information Security Incidents and Improvements | Eradicate contaminated information | 1.1.0 |
| 15 Incident Management | 1522.11c3Organizational.13-11.c | 1522.11c3Organizational.13-11.c 11.02 Management of Information Security Incidents and Improvements | Execute actions in response to information spills | 1.1.0 |
| 15 Incident Management | 1522.11c3Organizational.13-11.c | 1522.11c3Organizational.13-11.c 11.02 Management of Information Security Incidents and Improvements | Implement incident handling | 1.1.0 |
| 15 Incident Management | 1522.11c3Organizational.13-11.c | 1522.11c3Organizational.13-11.c 11.02 Management of Information Security Incidents and Improvements | View and investigate restricted users | 1.1.0 |
| 15 Incident Management | 1523.11c3Organizational.24-11.c | 1523.11c3Organizational.24-11.c 11.02 Management of Information Security Incidents and Improvements | Document security operations | 1.1.0 |
| 15 Incident Management | 1523.11c3Organizational.24-11.c | 1523.11c3Organizational.24-11.c 11.02 Management of Information Security Incidents and Improvements | Establish relationship between incident response capability and external providers | 1.1.0 |
| 15 Incident Management | 1523.11c3Organizational.24-11.c | 1523.11c3Organizational.24-11.c 11.02 Management of Information Security Incidents and Improvements | Identify incident response personnel | 1.1.0 |
| 15 Incident Management | 1523.11c3Organizational.24-11.c | 1523.11c3Organizational.24-11.c 11.02 Management of Information Security Incidents and Improvements | Use automated mechanisms for security alerts | 1.1.0 |
| 15 Incident Management | 1524.11a1Organizational.5-11.a | 1524.11a1Organizational.5-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Coordinate with external organizations to achieve cross org perspective | 1.1.0 |
| 15 Incident Management | 1524.11a1Organizational.5-11.a | 1524.11a1Organizational.5-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Obtain legal opinion for monitoring system activities | 1.1.0 |
| 15 Incident Management | 1524.11a1Organizational.5-11.a | 1524.11a1Organizational.5-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Require external service providers to comply with security requirements | 1.1.0 |
| 15 Incident Management | 1525.11a1Organizational.6-11.a | 1525.11a1Organizational.6-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Establish information security workforce development and improvement program | 1.1.0 |
| 15 Incident Management | 1525.11a1Organizational.6-11.a | 1525.11a1Organizational.6-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Implement an insider threat program | 1.1.0 |
| 15 Incident Management | 1525.11a1Organizational.6-11.a | 1525.11a1Organizational.6-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Implement formal sanctions process | 1.1.0 |
| 15 Incident Management | 1525.11a1Organizational.6-11.a | 1525.11a1Organizational.6-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Implement Incident handling capability | 1.1.0 |
| 15 Incident Management | 1525.11a1Organizational.6-11.a | 1525.11a1Organizational.6-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Notify personnel upon sanctions | 1.1.0 |
| 15 Incident Management | 1525.11a1Organizational.6-11.a | 1525.11a1Organizational.6-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Provide security awareness training for insider threats | 1.1.0 |
| 15 Incident Management | 1560.11d1Organizational.1-11.d | 1560.11d1Organizational.1-11.d 11.02 Management of Information Security Incidents and Improvements | Assess information security events | 1.1.0 |
| 15 Incident Management | 1560.11d1Organizational.1-11.d | 1560.11d1Organizational.1-11.d 11.02 Management of Information Security Incidents and Improvements | Conduct incident response testing | 1.1.0 |
| 15 Incident Management | 1560.11d1Organizational.1-11.d | 1560.11d1Organizational.1-11.d 11.02 Management of Information Security Incidents and Improvements | Establish an information security program | 1.1.0 |
| 15 Incident Management | 1560.11d1Organizational.1-11.d | 1560.11d1Organizational.1-11.d 11.02 Management of Information Security Incidents and Improvements | Implement incident handling | 1.1.0 |
| 15 Incident Management | 1560.11d1Organizational.1-11.d | 1560.11d1Organizational.1-11.d 11.02 Management of Information Security Incidents and Improvements | Maintain data breach records | 1.1.0 |
| 15 Incident Management | 1560.11d1Organizational.1-11.d | 1560.11d1Organizational.1-11.d 11.02 Management of Information Security Incidents and Improvements | Maintain incident response plan | 1.1.0 |
| 15 Incident Management | 1560.11d1Organizational.1-11.d | 1560.11d1Organizational.1-11.d 11.02 Management of Information Security Incidents and Improvements | Protect incident response plan | 1.1.0 |
| 15 Incident Management | 1560.11d1Organizational.1-11.d | 1560.11d1Organizational.1-11.d 11.02 Management of Information Security Incidents and Improvements | Run simulation attacks | 1.1.0 |
| 15 Incident Management | 1561.11d2Organizational.14-11.d | 1561.11d2Organizational.14-11.d 11.02 Management of Information Security Incidents and Improvements | Develop security safeguards | 1.1.0 |
| 15 Incident Management | 1561.11d2Organizational.14-11.d | 1561.11d2Organizational.14-11.d 11.02 Management of Information Security Incidents and Improvements | Enable network protection | 1.1.0 |
| 15 Incident Management | 1561.11d2Organizational.14-11.d | 1561.11d2Organizational.14-11.d 11.02 Management of Information Security Incidents and Improvements | Eradicate contaminated information | 1.1.0 |
| 15 Incident Management | 1561.11d2Organizational.14-11.d | 1561.11d2Organizational.14-11.d 11.02 Management of Information Security Incidents and Improvements | Execute actions in response to information spills | 1.1.0 |
| 15 Incident Management | 1561.11d2Organizational.14-11.d | 1561.11d2Organizational.14-11.d 11.02 Management of Information Security Incidents and Improvements | Review and update incident response policies and procedures | 1.1.0 |
| 15 Incident Management | 1561.11d2Organizational.14-11.d | 1561.11d2Organizational.14-11.d 11.02 Management of Information Security Incidents and Improvements | View and investigate restricted users | 1.1.0 |
| 15 Incident Management | 1562.11d2Organizational.2-11.d | 1562.11d2Organizational.2-11.d 11.02 Management of Information Security Incidents and Improvements | Address information security issues | 1.1.0 |
| 15 Incident Management | 1562.11d2Organizational.2-11.d | 1562.11d2Organizational.2-11.d 11.02 Management of Information Security Incidents and Improvements | Conduct incident response testing | 1.1.0 |
| 15 Incident Management | 1562.11d2Organizational.2-11.d | 1562.11d2Organizational.2-11.d 11.02 Management of Information Security Incidents and Improvements | Coordinate contingency plans with related plans | 1.1.0 |
| 15 Incident Management | 1562.11d2Organizational.2-11.d | 1562.11d2Organizational.2-11.d 11.02 Management of Information Security Incidents and Improvements | Develop contingency plan | 1.1.0 |
| 15 Incident Management | 1562.11d2Organizational.2-11.d | 1562.11d2Organizational.2-11.d 11.02 Management of Information Security Incidents and Improvements | Develop security safeguards | 1.1.0 |
| 15 Incident Management | 1562.11d2Organizational.2-11.d | 1562.11d2Organizational.2-11.d 11.02 Management of Information Security Incidents and Improvements | Enable network protection | 1.1.0 |
| 15 Incident Management | 1562.11d2Organizational.2-11.d | 1562.11d2Organizational.2-11.d 11.02 Management of Information Security Incidents and Improvements | Eradicate contaminated information | 1.1.0 |
| 15 Incident Management | 1562.11d2Organizational.2-11.d | 1562.11d2Organizational.2-11.d 11.02 Management of Information Security Incidents and Improvements | Establish an information security program | 1.1.0 |
| 15 Incident Management | 1562.11d2Organizational.2-11.d | 1562.11d2Organizational.2-11.d 11.02 Management of Information Security Incidents and Improvements | Execute actions in response to information spills | 1.1.0 |
| 15 Incident Management | 1562.11d2Organizational.2-11.d | 1562.11d2Organizational.2-11.d 11.02 Management of Information Security Incidents and Improvements | Identify classes of Incidents and Actions taken | 1.1.0 |
| 15 Incident Management | 1562.11d2Organizational.2-11.d | 1562.11d2Organizational.2-11.d 11.02 Management of Information Security Incidents and Improvements | Run simulation attacks | 1.1.0 |
| 15 Incident Management | 1562.11d2Organizational.2-11.d | 1562.11d2Organizational.2-11.d 11.02 Management of Information Security Incidents and Improvements | View and investigate restricted users | 1.1.0 |
| 15 Incident Management | 1563.11d2Organizational.3-11.d | 1563.11d2Organizational.3-11.d 11.02 Management of Information Security Incidents and Improvements | Assess information security events | 1.1.0 |
| 15 Incident Management | 1563.11d2Organizational.3-11.d | 1563.11d2Organizational.3-11.d 11.02 Management of Information Security Incidents and Improvements | Conduct incident response testing | 1.1.0 |
| 15 Incident Management | 1563.11d2Organizational.3-11.d | 1563.11d2Organizational.3-11.d 11.02 Management of Information Security Incidents and Improvements | Maintain incident response plan | 1.1.0 |
| 15 Incident Management | 1563.11d2Organizational.3-11.d | 1563.11d2Organizational.3-11.d 11.02 Management of Information Security Incidents and Improvements | Run simulation attacks | 1.1.0 |
| 15 Incident Management | 1577.11aCSPOrganizational.1-11.a | 1577.11aCSPOrganizational.1-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Ensure external providers consistently meet interests of the customers | 1.1.0 |
| 15 Incident Management | 1577.11aCSPOrganizational.1-11.a | 1577.11aCSPOrganizational.1-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Identify incident response personnel | 1.1.0 |
| 15 Incident Management | 1587.11c2Organizational.10-11.c | 1587.11c2Organizational.10-11.c 11.02 Management of Information Security Incidents and Improvements | Assess information security events | 1.1.0 |
| 15 Incident Management | 1587.11c2Organizational.10-11.c | 1587.11c2Organizational.10-11.c 11.02 Management of Information Security Incidents and Improvements | Develop security safeguards | 1.1.0 |
| 15 Incident Management | 1587.11c2Organizational.10-11.c | 1587.11c2Organizational.10-11.c 11.02 Management of Information Security Incidents and Improvements | Enable network protection | 1.1.0 |
| 15 Incident Management | 1587.11c2Organizational.10-11.c | 1587.11c2Organizational.10-11.c 11.02 Management of Information Security Incidents and Improvements | Eradicate contaminated information | 1.1.0 |
| 15 Incident Management | 1587.11c2Organizational.10-11.c | 1587.11c2Organizational.10-11.c 11.02 Management of Information Security Incidents and Improvements | Execute actions in response to information spills | 1.1.0 |
| 15 Incident Management | 1587.11c2Organizational.10-11.c | 1587.11c2Organizational.10-11.c 11.02 Management of Information Security Incidents and Improvements | Maintain data breach records | 1.1.0 |
| 15 Incident Management | 1587.11c2Organizational.10-11.c | 1587.11c2Organizational.10-11.c 11.02 Management of Information Security Incidents and Improvements | Maintain incident response plan | 1.1.0 |
| 15 Incident Management | 1587.11c2Organizational.10-11.c | 1587.11c2Organizational.10-11.c 11.02 Management of Information Security Incidents and Improvements | Protect incident response plan | 1.1.0 |
| 15 Incident Management | 1587.11c2Organizational.10-11.c | 1587.11c2Organizational.10-11.c 11.02 Management of Information Security Incidents and Improvements | View and investigate restricted users | 1.1.0 |
| 15 Incident Management | 1589.11c1Organizational.5-11.c | 1589.11c1Organizational.5-11.c 11.02 Management of Information Security Incidents and Improvements | Conduct incident response testing | 1.1.0 |
| 15 Incident Management | 1589.11c1Organizational.5-11.c | 1589.11c1Organizational.5-11.c 11.02 Management of Information Security Incidents and Improvements | Incorporate simulated events into incident response training | 1.1.0 |
| 15 Incident Management | 1589.11c1Organizational.5-11.c | 1589.11c1Organizational.5-11.c 11.02 Management of Information Security Incidents and Improvements | Provide information spillage training | 1.1.0 |
| 15 Incident Management | 1589.11c1Organizational.5-11.c | 1589.11c1Organizational.5-11.c 11.02 Management of Information Security Incidents and Improvements | Run simulation attacks | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1601.12c1Organizational.1238-12.c | 1601.12c1Organizational.1238-12.c 12.01 Information Security Aspects of Business Continuity Management | Develop contingency plan | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1601.12c1Organizational.1238-12.c | 1601.12c1Organizational.1238-12.c 12.01 Information Security Aspects of Business Continuity Management | Test the business continuity and disaster recovery plan | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1601.12c1Organizational.1238-12.c | 1601.12c1Organizational.1238-12.c 12.01 Information Security Aspects of Business Continuity Management | Update contingency plan | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1602.12c1Organizational.4567-12.c | 1602.12c1Organizational.4567-12.c 12.01 Information Security Aspects of Business Continuity Management | Conduct capacity planning | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1602.12c1Organizational.4567-12.c | 1602.12c1Organizational.4567-12.c 12.01 Information Security Aspects of Business Continuity Management | Develop and document a business continuity and disaster recovery plan | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1602.12c1Organizational.4567-12.c | 1602.12c1Organizational.4567-12.c 12.01 Information Security Aspects of Business Continuity Management | Develop contingency plan | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1603.12c1Organizational.9-12.c | 1603.12c1Organizational.9-12.c 12.01 Information Security Aspects of Business Continuity Management | Communicate contingency plan changes | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1603.12c1Organizational.9-12.c | 1603.12c1Organizational.9-12.c 12.01 Information Security Aspects of Business Continuity Management | Coordinate contingency plans with related plans | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1603.12c1Organizational.9-12.c | 1603.12c1Organizational.9-12.c 12.01 Information Security Aspects of Business Continuity Management | Develop contingency planning policies and procedures | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1603.12c1Organizational.9-12.c | 1603.12c1Organizational.9-12.c 12.01 Information Security Aspects of Business Continuity Management | Distribute policies and procedures | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1603.12c1Organizational.9-12.c | 1603.12c1Organizational.9-12.c 12.01 Information Security Aspects of Business Continuity Management | Review and update contingency planning policies and procedures | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1604.12c2Organizational.16789-12.c | 1604.12c2Organizational.16789-12.c 12.01 Information Security Aspects of Business Continuity Management | Create separate alternate and primary storage sites | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1604.12c2Organizational.16789-12.c | 1604.12c2Organizational.16789-12.c 12.01 Information Security Aspects of Business Continuity Management | Ensure alternate storage site safeguards are equivalent to primary site | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1604.12c2Organizational.16789-12.c | 1604.12c2Organizational.16789-12.c 12.01 Information Security Aspects of Business Continuity Management | Establish alternate storage site that facilitates recovery operations | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1604.12c2Organizational.16789-12.c | 1604.12c2Organizational.16789-12.c 12.01 Information Security Aspects of Business Continuity Management | Establish alternate storage site to store and retrieve backup information | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1604.12c2Organizational.16789-12.c | 1604.12c2Organizational.16789-12.c 12.01 Information Security Aspects of Business Continuity Management | Establish an alternate processing site | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1604.12c2Organizational.16789-12.c | 1604.12c2Organizational.16789-12.c 12.01 Information Security Aspects of Business Continuity Management | Establish requirements for internet service providers | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1607.12c2Organizational.4-12.c | 1607.12c2Organizational.4-12.c 12.01 Information Security Aspects of Business Continuity Management | Develop contingency plan | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1607.12c2Organizational.4-12.c | 1607.12c2Organizational.4-12.c 12.01 Information Security Aspects of Business Continuity Management | Review and update contingency planning policies and procedures | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1608.12c2Organizational.5-12.c | 1608.12c2Organizational.5-12.c 12.01 Information Security Aspects of Business Continuity Management | Conduct backup of information system documentation | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1608.12c2Organizational.5-12.c | 1608.12c2Organizational.5-12.c 12.01 Information Security Aspects of Business Continuity Management | Separately store backup information | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1608.12c2Organizational.5-12.c | 1608.12c2Organizational.5-12.c 12.01 Information Security Aspects of Business Continuity Management | Transfer backup information to an alternate storage site | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1609.12c3Organizational.12-12.c | 1609.12c3Organizational.12-12.c 12.01 Information Security Aspects of Business Continuity Management | Establish requirements for internet service providers | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1616.09l1Organizational.16-09.l | 1616.09l1Organizational.16-09.l 09.05 Information Back-Up | Conduct backup of information system documentation | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1617.09l1Organizational.23-09.l | 1617.09l1Organizational.23-09.l 09.05 Information Back-Up | Conduct backup of information system documentation | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1617.09l1Organizational.23-09.l | 1617.09l1Organizational.23-09.l 09.05 Information Back-Up | Develop contingency plan | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1618.09l1Organizational.45-09.l | 1618.09l1Organizational.45-09.l 09.05 Information Back-Up | Create separate alternate and primary storage sites | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1618.09l1Organizational.45-09.l | 1618.09l1Organizational.45-09.l 09.05 Information Back-Up | Ensure alternate storage site safeguards are equivalent to primary site | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1618.09l1Organizational.45-09.l | 1618.09l1Organizational.45-09.l 09.05 Information Back-Up | Establish alternate storage site that facilitates recovery operations | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1618.09l1Organizational.45-09.l | 1618.09l1Organizational.45-09.l 09.05 Information Back-Up | Establish alternate storage site to store and retrieve backup information | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1618.09l1Organizational.45-09.l | 1618.09l1Organizational.45-09.l 09.05 Information Back-Up | Establish backup policies and procedures | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1618.09l1Organizational.45-09.l | 1618.09l1Organizational.45-09.l 09.05 Information Back-Up | Separately store backup information | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1619.09l1Organizational.7-09.l | 1619.09l1Organizational.7-09.l 09.05 Information Back-Up | Establish requirements for internet service providers | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1620.09l1Organizational.8-09.l | 1620.09l1Organizational.8-09.l 09.05 Information Back-Up | Conduct backup of information system documentation | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1620.09l1Organizational.8-09.l | 1620.09l1Organizational.8-09.l 09.05 Information Back-Up | Establish backup policies and procedures | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1620.09l1Organizational.8-09.l | 1620.09l1Organizational.8-09.l 09.05 Information Back-Up | Separately store backup information | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1620.09l1Organizational.8-09.l | 1620.09l1Organizational.8-09.l 09.05 Information Back-Up | Transfer backup information to an alternate storage site | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1621.09l2Organizational.1-09.l | 1621.09l2Organizational.1-09.l 09.05 Information Back-Up | Create a data inventory | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1621.09l2Organizational.1-09.l | 1621.09l2Organizational.1-09.l 09.05 Information Back-Up | Maintain records of processing of personal data | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1622.09l2Organizational.23-09.l | 1622.09l2Organizational.23-09.l 09.05 Information Back-Up | Establish backup policies and procedures | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1622.09l2Organizational.23-09.l | 1622.09l2Organizational.23-09.l 09.05 Information Back-Up | Identify and mitigate potential issues at alternate storage site | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1622.09l2Organizational.23-09.l | 1622.09l2Organizational.23-09.l 09.05 Information Back-Up | Separately store backup information | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1623.09l2Organizational.4-09.l | 1623.09l2Organizational.4-09.l 09.05 Information Back-Up | Conduct backup of information system documentation | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1623.09l2Organizational.4-09.l | 1623.09l2Organizational.4-09.l 09.05 Information Back-Up | Establish backup policies and procedures | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1624.09l3Organizational.12-09.l | 1624.09l3Organizational.12-09.l 09.05 Information Back-Up | Conduct backup of information system documentation | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1624.09l3Organizational.12-09.l | 1624.09l3Organizational.12-09.l 09.05 Information Back-Up | Establish backup policies and procedures | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1625.09l3Organizational.34-09.l | 1625.09l3Organizational.34-09.l 09.05 Information Back-Up | Conduct backup of information system documentation | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1626.09l3Organizational.5-09.l | 1626.09l3Organizational.5-09.l 09.05 Information Back-Up | Conduct backup of information system documentation | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1627.09l3Organizational.6-09.l | 1627.09l3Organizational.6-09.l 09.05 Information Back-Up | Separately store backup information | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1634.12b1Organizational.1-12.b | 1634.12b1Organizational.1-12.b 12.01 Information Security Aspects of Business Continuity Management | Audit virtual machines without disaster recovery configured | 1.0.0 |
| 16 Business Continuity & Disaster Recovery | 1634.12b1Organizational.1-12.b | 1634.12b1Organizational.1-12.b 12.01 Information Security Aspects of Business Continuity Management | Coordinate contingency plans with related plans | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1634.12b1Organizational.1-12.b | 1634.12b1Organizational.1-12.b 12.01 Information Security Aspects of Business Continuity Management | Develop contingency plan | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1634.12b1Organizational.1-12.b | 1634.12b1Organizational.1-12.b 12.01 Information Security Aspects of Business Continuity Management | Develop contingency planning policies and procedures | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1634.12b1Organizational.1-12.b | 1634.12b1Organizational.1-12.b 12.01 Information Security Aspects of Business Continuity Management | Distribute policies and procedures | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1635.12b1Organizational.2-12.b | 1635.12b1Organizational.2-12.b 12.01 Information Security Aspects of Business Continuity Management | Develop contingency plan | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1635.12b1Organizational.2-12.b | 1635.12b1Organizational.2-12.b 12.01 Information Security Aspects of Business Continuity Management | Perform a business impact assessment and application criticality assessment | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1635.12b1Organizational.2-12.b | 1635.12b1Organizational.2-12.b 12.01 Information Security Aspects of Business Continuity Management | Perform a risk assessment | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1635.12b1Organizational.2-12.b | 1635.12b1Organizational.2-12.b 12.01 Information Security Aspects of Business Continuity Management | Plan for resumption of essential business functions | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1636.12b2Organizational.1-12.b | 1636.12b2Organizational.1-12.b 12.01 Information Security Aspects of Business Continuity Management | Coordinate contingency plans with related plans | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1636.12b2Organizational.1-12.b | 1636.12b2Organizational.1-12.b 12.01 Information Security Aspects of Business Continuity Management | Develop contingency plan | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1636.12b2Organizational.1-12.b | 1636.12b2Organizational.1-12.b 12.01 Information Security Aspects of Business Continuity Management | Perform a business impact assessment and application criticality assessment | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1637.12b2Organizational.2-12.b | 1637.12b2Organizational.2-12.b 12.01 Information Security Aspects of Business Continuity Management | Conduct Risk Assessment | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1637.12b2Organizational.2-12.b | 1637.12b2Organizational.2-12.b 12.01 Information Security Aspects of Business Continuity Management | Conduct risk assessment and distribute its results | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1637.12b2Organizational.2-12.b | 1637.12b2Organizational.2-12.b 12.01 Information Security Aspects of Business Continuity Management | Conduct risk assessment and document its results | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1637.12b2Organizational.2-12.b | 1637.12b2Organizational.2-12.b 12.01 Information Security Aspects of Business Continuity Management | Develop contingency plan | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1637.12b2Organizational.2-12.b | 1637.12b2Organizational.2-12.b 12.01 Information Security Aspects of Business Continuity Management | Perform a risk assessment | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1637.12b2Organizational.2-12.b | 1637.12b2Organizational.2-12.b 12.01 Information Security Aspects of Business Continuity Management | Plan for resumption of essential business functions | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1637.12b2Organizational.2-12.b | 1637.12b2Organizational.2-12.b 12.01 Information Security Aspects of Business Continuity Management | Update contingency plan | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1638.12b2Organizational.345-12.b | 1638.12b2Organizational.345-12.b 12.01 Information Security Aspects of Business Continuity Management | Audit virtual machines without disaster recovery configured | 1.0.0 |
| 16 Business Continuity & Disaster Recovery | 1638.12b2Organizational.345-12.b | 1638.12b2Organizational.345-12.b 12.01 Information Security Aspects of Business Continuity Management | Conduct capacity planning | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1638.12b2Organizational.345-12.b | 1638.12b2Organizational.345-12.b 12.01 Information Security Aspects of Business Continuity Management | Develop contingency plan | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1638.12b2Organizational.345-12.b | 1638.12b2Organizational.345-12.b 12.01 Information Security Aspects of Business Continuity Management | Perform a risk assessment | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1638.12b2Organizational.345-12.b | 1638.12b2Organizational.345-12.b 12.01 Information Security Aspects of Business Continuity Management | Plan for resumption of essential business functions | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1666.12d1Organizational.1235-12.d | 1666.12d1Organizational.1235-12.d 12.01 Information Security Aspects of Business Continuity Management | Communicate contingency plan changes | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1666.12d1Organizational.1235-12.d | 1666.12d1Organizational.1235-12.d 12.01 Information Security Aspects of Business Continuity Management | Coordinate contingency plans with related plans | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1666.12d1Organizational.1235-12.d | 1666.12d1Organizational.1235-12.d 12.01 Information Security Aspects of Business Continuity Management | Develop contingency plan | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1666.12d1Organizational.1235-12.d | 1666.12d1Organizational.1235-12.d 12.01 Information Security Aspects of Business Continuity Management | Plan for resumption of essential business functions | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1667.12d1Organizational.4-12.d | 1667.12d1Organizational.4-12.d 12.01 Information Security Aspects of Business Continuity Management | Communicate contingency plan changes | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1667.12d1Organizational.4-12.d | 1667.12d1Organizational.4-12.d 12.01 Information Security Aspects of Business Continuity Management | Coordinate contingency plans with related plans | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1667.12d1Organizational.4-12.d | 1667.12d1Organizational.4-12.d 12.01 Information Security Aspects of Business Continuity Management | Develop and document a business continuity and disaster recovery plan | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1667.12d1Organizational.4-12.d | 1667.12d1Organizational.4-12.d 12.01 Information Security Aspects of Business Continuity Management | Update contingency plan | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1668.12d1Organizational.67-12.d | 1668.12d1Organizational.67-12.d 12.01 Information Security Aspects of Business Continuity Management | Develop contingency plan | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1668.12d1Organizational.67-12.d | 1668.12d1Organizational.67-12.d 12.01 Information Security Aspects of Business Continuity Management | Establish alternate storage site to store and retrieve backup information | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1668.12d1Organizational.67-12.d | 1668.12d1Organizational.67-12.d 12.01 Information Security Aspects of Business Continuity Management | Establish an alternate processing site | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1668.12d1Organizational.67-12.d | 1668.12d1Organizational.67-12.d 12.01 Information Security Aspects of Business Continuity Management | Review and update contingency planning policies and procedures | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1669.12d1Organizational.8-12.d | 1669.12d1Organizational.8-12.d 12.01 Information Security Aspects of Business Continuity Management | Develop contingency plan | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1669.12d1Organizational.8-12.d | 1669.12d1Organizational.8-12.d 12.01 Information Security Aspects of Business Continuity Management | Perform a business impact assessment and application criticality assessment | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1669.12d1Organizational.8-12.d | 1669.12d1Organizational.8-12.d 12.01 Information Security Aspects of Business Continuity Management | Plan for resumption of essential business functions | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1669.12d1Organizational.8-12.d | 1669.12d1Organizational.8-12.d 12.01 Information Security Aspects of Business Continuity Management | Provide contingency training | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1669.12d1Organizational.8-12.d | 1669.12d1Organizational.8-12.d 12.01 Information Security Aspects of Business Continuity Management | Test the business continuity and disaster recovery plan | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1669.12d1Organizational.8-12.d | 1669.12d1Organizational.8-12.d 12.01 Information Security Aspects of Business Continuity Management | Update contingency plan | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1670.12d2Organizational.1-12.d | 1670.12d2Organizational.1-12.d 12.01 Information Security Aspects of Business Continuity Management | Develop contingency plan | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1671.12d2Organizational.2-12.d | 1671.12d2Organizational.2-12.d 12.01 Information Security Aspects of Business Continuity Management | Communicate contingency plan changes | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1671.12d2Organizational.2-12.d | 1671.12d2Organizational.2-12.d 12.01 Information Security Aspects of Business Continuity Management | Review contingency plan | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1671.12d2Organizational.2-12.d | 1671.12d2Organizational.2-12.d 12.01 Information Security Aspects of Business Continuity Management | Update contingency plan | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1672.12d2Organizational.3-12.d | 1672.12d2Organizational.3-12.d 12.01 Information Security Aspects of Business Continuity Management | Communicate contingency plan changes | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1672.12d2Organizational.3-12.d | 1672.12d2Organizational.3-12.d 12.01 Information Security Aspects of Business Continuity Management | Coordinate contingency plans with related plans | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1672.12d2Organizational.3-12.d | 1672.12d2Organizational.3-12.d 12.01 Information Security Aspects of Business Continuity Management | Develop contingency plan | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1672.12d2Organizational.3-12.d | 1672.12d2Organizational.3-12.d 12.01 Information Security Aspects of Business Continuity Management | Review and update contingency planning policies and procedures | 1.1.0 |
| 16 Business Continuity & Disaster Recovery | 1672.12d2Organizational.3-12.d | 1672.12d2Organizational.3-12.d 12.01 Information Security Aspects of Business Continuity Management | Update contingency plan | 1.1.0 |
| 17 Risk Management | 1704.03b1Organizational.12-03.b | 1704.03b1Organizational.12-03.b 03.01 Risk Management Program | Conduct Risk Assessment | 1.1.0 |
| 17 Risk Management | 1704.03b1Organizational.12-03.b | 1704.03b1Organizational.12-03.b 03.01 Risk Management Program | Perform a risk assessment | 1.1.0 |
| 17 Risk Management | 1705.03b2Organizational.12-03.b | 1705.03b2Organizational.12-03.b 03.01 Risk Management Program | Conduct Risk Assessment | 1.1.0 |
| 17 Risk Management | 1705.03b2Organizational.12-03.b | 1705.03b2Organizational.12-03.b 03.01 Risk Management Program | Conduct risk assessment and distribute its results | 1.1.0 |
| 17 Risk Management | 1707.03c1Organizational.12-03.c | 1707.03c1Organizational.12-03.c 03.01 Risk Management Program | Develop POA&M | 1.1.0 |
| 17 Risk Management | 1708.03c2Organizational.12-03.c | 1708.03c2Organizational.12-03.c 03.01 Risk Management Program | Develop POA&M | 1.1.0 |
| 17 Risk Management | 1708.03c2Organizational.12-03.c | 1708.03c2Organizational.12-03.c 03.01 Risk Management Program | Update POA&M items | 1.1.0 |
| 17 Risk Management | 17100.10a3Organizational.5 | 17100.10a3Organizational.5 10.01 Security Requirements of Information Systems | Document acquisition contract acceptance criteria | 1.1.0 |
| 17 Risk Management | 17100.10a3Organizational.5 | 17100.10a3Organizational.5 10.01 Security Requirements of Information Systems | Document protection of personal data in acquisition contracts | 1.1.0 |
| 17 Risk Management | 17100.10a3Organizational.5 | 17100.10a3Organizational.5 10.01 Security Requirements of Information Systems | Document protection of security information in acquisition contracts | 1.1.0 |
| 17 Risk Management | 17100.10a3Organizational.5 | 17100.10a3Organizational.5 10.01 Security Requirements of Information Systems | Document requirements for the use of shared data in contracts | 1.1.0 |
| 17 Risk Management | 17100.10a3Organizational.5 | 17100.10a3Organizational.5 10.01 Security Requirements of Information Systems | Document security assurance requirements in acquisition contracts | 1.1.0 |
| 17 Risk Management | 17100.10a3Organizational.5 | 17100.10a3Organizational.5 10.01 Security Requirements of Information Systems | Document security documentation requirements in acquisition contract | 1.1.0 |
| 17 Risk Management | 17100.10a3Organizational.5 | 17100.10a3Organizational.5 10.01 Security Requirements of Information Systems | Document security functional requirements in acquisition contracts | 1.1.0 |
| 17 Risk Management | 17100.10a3Organizational.5 | 17100.10a3Organizational.5 10.01 Security Requirements of Information Systems | Document the protection of cardholder data in third party contracts | 1.1.0 |
| 17 Risk Management | 17101.10a3Organizational.6-10.a | 17101.10a3Organizational.6-10.a 10.01 Security Requirements of Information Systems | Address coding vulnerabilities | 1.1.0 |
| 17 Risk Management | 17101.10a3Organizational.6-10.a | 17101.10a3Organizational.6-10.a 10.01 Security Requirements of Information Systems | Develop and document application security requirements | 1.1.0 |
| 17 Risk Management | 17101.10a3Organizational.6-10.a | 17101.10a3Organizational.6-10.a 10.01 Security Requirements of Information Systems | Establish a secure software development program | 1.1.0 |
| 17 Risk Management | 17101.10a3Organizational.6-10.a | 17101.10a3Organizational.6-10.a 10.01 Security Requirements of Information Systems | Obtain design and implementation information for the security controls | 1.1.1 |
| 17 Risk Management | 17101.10a3Organizational.6-10.a | 17101.10a3Organizational.6-10.a 10.01 Security Requirements of Information Systems | Obtain functional properties of security controls | 1.1.0 |
| 17 Risk Management | 17101.10a3Organizational.6-10.a | 17101.10a3Organizational.6-10.a 10.01 Security Requirements of Information Systems | Require developers to implement only approved changes | 1.1.0 |
| 17 Risk Management | 17101.10a3Organizational.6-10.a | 17101.10a3Organizational.6-10.a 10.01 Security Requirements of Information Systems | Require developers to manage change integrity | 1.1.0 |
| 17 Risk Management | 17120.10a3Organizational.5-10.a | 17120.10a3Organizational.5-10.a 10.01 Security Requirements of Information Systems | Assess risk in third party relationships | 1.1.0 |
| 17 Risk Management | 17120.10a3Organizational.5-10.a | 17120.10a3Organizational.5-10.a 10.01 Security Requirements of Information Systems | Document acquisition contract acceptance criteria | 1.1.0 |
| 17 Risk Management | 17120.10a3Organizational.5-10.a | 17120.10a3Organizational.5-10.a 10.01 Security Requirements of Information Systems | Document protection of personal data in acquisition contracts | 1.1.0 |
| 17 Risk Management | 17120.10a3Organizational.5-10.a | 17120.10a3Organizational.5-10.a 10.01 Security Requirements of Information Systems | Document protection of security information in acquisition contracts | 1.1.0 |
| 17 Risk Management | 17120.10a3Organizational.5-10.a | 17120.10a3Organizational.5-10.a 10.01 Security Requirements of Information Systems | Document requirements for the use of shared data in contracts | 1.1.0 |
| 17 Risk Management | 17120.10a3Organizational.5-10.a | 17120.10a3Organizational.5-10.a 10.01 Security Requirements of Information Systems | Document security assurance requirements in acquisition contracts | 1.1.0 |
| 17 Risk Management | 17120.10a3Organizational.5-10.a | 17120.10a3Organizational.5-10.a 10.01 Security Requirements of Information Systems | Document security documentation requirements in acquisition contract | 1.1.0 |
| 17 Risk Management | 17120.10a3Organizational.5-10.a | 17120.10a3Organizational.5-10.a 10.01 Security Requirements of Information Systems | Document security functional requirements in acquisition contracts | 1.1.0 |
| 17 Risk Management | 17120.10a3Organizational.5-10.a | 17120.10a3Organizational.5-10.a 10.01 Security Requirements of Information Systems | Document the protection of cardholder data in third party contracts | 1.1.0 |
| 17 Risk Management | 17120.10a3Organizational.5-10.a | 17120.10a3Organizational.5-10.a 10.01 Security Requirements of Information Systems | Obtain approvals for acquisitions and outsourcing | 1.1.0 |
| 17 Risk Management | 17126.03c1System.6-03.c | 17126.03c1System.6-03.c 03.01 Risk Management Program | Conduct risk assessment and document its results | 1.1.0 |
| 17 Risk Management | 17126.03c1System.6-03.c | 17126.03c1System.6-03.c 03.01 Risk Management Program | Establish a risk management strategy | 1.1.0 |
| 17 Risk Management | 17126.03c1System.6-03.c | 17126.03c1System.6-03.c 03.01 Risk Management Program | Implement the risk management strategy | 1.1.0 |
| 17 Risk Management | 1713.03c1Organizational.3-03.c | 1713.03c1Organizational.3-03.c 03.01 Risk Management Program | Define the duties of processors | 1.1.0 |
| 17 Risk Management | 1713.03c1Organizational.3-03.c | 1713.03c1Organizational.3-03.c 03.01 Risk Management Program | Document the legal basis for processing personal information | 1.1.0 |
| 17 Risk Management | 1713.03c1Organizational.3-03.c | 1713.03c1Organizational.3-03.c 03.01 Risk Management Program | Evaluate and review PII holdings regularly | 1.1.0 |
| 17 Risk Management | 1713.03c1Organizational.3-03.c | 1713.03c1Organizational.3-03.c 03.01 Risk Management Program | Issue guidelines for ensuring data quality and integrity | 1.1.0 |
| 17 Risk Management | 1713.03c1Organizational.3-03.c | 1713.03c1Organizational.3-03.c 03.01 Risk Management Program | Obtain consent prior to collection or processing of personal data | 1.1.0 |
| 17 Risk Management | 1713.03c1Organizational.3-03.c | 1713.03c1Organizational.3-03.c 03.01 Risk Management Program | Perform disposition review | 1.1.0 |
| 17 Risk Management | 1713.03c1Organizational.3-03.c | 1713.03c1Organizational.3-03.c 03.01 Risk Management Program | Record disclosures of PII to third parties | 1.1.0 |
| 17 Risk Management | 1713.03c1Organizational.3-03.c | 1713.03c1Organizational.3-03.c 03.01 Risk Management Program | Train staff on PII sharing and its consequences | 1.1.0 |
| 17 Risk Management | 1713.03c1Organizational.3-03.c | 1713.03c1Organizational.3-03.c 03.01 Risk Management Program | Verify personal data is deleted at the end of processing | 1.1.0 |
| 17 Risk Management | 1733.03d1Organizational.1-03.d | 1733.03d1Organizational.1-03.d 03.01 Risk Management Program | Conduct Risk Assessment | 1.1.0 |
| 17 Risk Management | 1733.03d1Organizational.1-03.d | 1733.03d1Organizational.1-03.d 03.01 Risk Management Program | Conduct risk assessment and document its results | 1.1.0 |
| 17 Risk Management | 1733.03d1Organizational.1-03.d | 1733.03d1Organizational.1-03.d 03.01 Risk Management Program | Establish a risk management strategy | 1.1.0 |
| 17 Risk Management | 1734.03d2Organizational.1-03.d | 1734.03d2Organizational.1-03.d 03.01 Risk Management Program | Conduct a security impact analysis | 1.1.0 |
| 17 Risk Management | 1734.03d2Organizational.1-03.d | 1734.03d2Organizational.1-03.d 03.01 Risk Management Program | Develop and maintain a vulnerability management standard | 1.1.0 |
| 17 Risk Management | 1734.03d2Organizational.1-03.d | 1734.03d2Organizational.1-03.d 03.01 Risk Management Program | Establish a risk management strategy | 1.1.0 |
| 17 Risk Management | 1734.03d2Organizational.1-03.d | 1734.03d2Organizational.1-03.d 03.01 Risk Management Program | Establish and document change control processes | 1.1.0 |
| 17 Risk Management | 1734.03d2Organizational.1-03.d | 1734.03d2Organizational.1-03.d 03.01 Risk Management Program | Establish configuration management requirements for developers | 1.1.0 |
| 17 Risk Management | 1734.03d2Organizational.1-03.d | 1734.03d2Organizational.1-03.d 03.01 Risk Management Program | Integrate risk management process into SDLC | 1.1.0 |
| 17 Risk Management | 1734.03d2Organizational.1-03.d | 1734.03d2Organizational.1-03.d 03.01 Risk Management Program | Perform a privacy impact assessment | 1.1.0 |
| 17 Risk Management | 1734.03d2Organizational.1-03.d | 1734.03d2Organizational.1-03.d 03.01 Risk Management Program | Perform audit for configuration change control | 1.1.0 |
| 17 Risk Management | 1735.03d2Organizational.23-03.d | 1735.03d2Organizational.23-03.d 03.01 Risk Management Program | Conduct a security impact analysis | 1.1.0 |
| 17 Risk Management | 1735.03d2Organizational.23-03.d | 1735.03d2Organizational.23-03.d 03.01 Risk Management Program | Conduct risk assessment and distribute its results | 1.1.0 |
| 17 Risk Management | 1735.03d2Organizational.23-03.d | 1735.03d2Organizational.23-03.d 03.01 Risk Management Program | Develop and maintain a vulnerability management standard | 1.1.0 |
| 17 Risk Management | 1735.03d2Organizational.23-03.d | 1735.03d2Organizational.23-03.d 03.01 Risk Management Program | Establish a risk management strategy | 1.1.0 |
| 17 Risk Management | 1735.03d2Organizational.23-03.d | 1735.03d2Organizational.23-03.d 03.01 Risk Management Program | Establish configuration management requirements for developers | 1.1.0 |
| 17 Risk Management | 1735.03d2Organizational.23-03.d | 1735.03d2Organizational.23-03.d 03.01 Risk Management Program | Integrate risk management process into SDLC | 1.1.0 |
| 17 Risk Management | 1735.03d2Organizational.23-03.d | 1735.03d2Organizational.23-03.d 03.01 Risk Management Program | Perform a privacy impact assessment | 1.1.0 |
| 17 Risk Management | 1735.03d2Organizational.23-03.d | 1735.03d2Organizational.23-03.d 03.01 Risk Management Program | Perform audit for configuration change control | 1.1.0 |
| 17 Risk Management | 1736.03d2Organizational.4-03.d | 1736.03d2Organizational.4-03.d 03.01 Risk Management Program | Conduct risk assessment and document its results | 1.1.0 |
| 17 Risk Management | 1737.03d2Organizational.5-03.d | 1737.03d2Organizational.5-03.d 03.01 Risk Management Program | Conduct Risk Assessment | 1.1.0 |
| 17 Risk Management | 1737.03d2Organizational.5-03.d | 1737.03d2Organizational.5-03.d 03.01 Risk Management Program | Conduct risk assessment and distribute its results | 1.1.0 |
| 17 Risk Management | 1737.03d2Organizational.5-03.d | 1737.03d2Organizational.5-03.d 03.01 Risk Management Program | Conduct risk assessment and document its results | 1.1.0 |
| 17 Risk Management | 1737.03d2Organizational.5-03.d | 1737.03d2Organizational.5-03.d 03.01 Risk Management Program | Establish a risk management strategy | 1.1.0 |
| 17 Risk Management | 1780.10a1Organizational.1-10.a | 1780.10a1Organizational.1-10.a 10.01 Security Requirements of Information Systems | Define information security roles and responsibilities | 1.1.0 |
| 17 Risk Management | 1780.10a1Organizational.1-10.a | 1780.10a1Organizational.1-10.a 10.01 Security Requirements of Information Systems | Develop access control policies and procedures | 1.1.0 |
| 17 Risk Management | 1780.10a1Organizational.1-10.a | 1780.10a1Organizational.1-10.a 10.01 Security Requirements of Information Systems | Govern policies and procedures | 1.1.0 |
| 17 Risk Management | 1781.10a1Organizational.23-10.a | 1781.10a1Organizational.23-10.a 10.01 Security Requirements of Information Systems | Define information security roles and responsibilities | 1.1.0 |
| 17 Risk Management | 1781.10a1Organizational.23-10.a | 1781.10a1Organizational.23-10.a 10.01 Security Requirements of Information Systems | Develop a concept of operations (CONOPS) | 1.1.0 |
| 17 Risk Management | 1781.10a1Organizational.23-10.a | 1781.10a1Organizational.23-10.a 10.01 Security Requirements of Information Systems | Develop SSP that meets criteria | 1.1.0 |
| 17 Risk Management | 1781.10a1Organizational.23-10.a | 1781.10a1Organizational.23-10.a 10.01 Security Requirements of Information Systems | Integrate risk management process into SDLC | 1.1.0 |
| 17 Risk Management | 1782.10a1Organizational.4-10.a | 1782.10a1Organizational.4-10.a 10.01 Security Requirements of Information Systems | Develop and establish a system security plan | 1.1.0 |
| 17 Risk Management | 1782.10a1Organizational.4-10.a | 1782.10a1Organizational.4-10.a 10.01 Security Requirements of Information Systems | Develop information security policies and procedures | 1.1.0 |
| 17 Risk Management | 1782.10a1Organizational.4-10.a | 1782.10a1Organizational.4-10.a 10.01 Security Requirements of Information Systems | Develop SSP that meets criteria | 1.1.0 |
| 17 Risk Management | 1782.10a1Organizational.4-10.a | 1782.10a1Organizational.4-10.a 10.01 Security Requirements of Information Systems | Establish a privacy program | 1.1.0 |
| 17 Risk Management | 1782.10a1Organizational.4-10.a | 1782.10a1Organizational.4-10.a 10.01 Security Requirements of Information Systems | Establish security requirements for the manufacturing of connected devices | 1.1.0 |
| 17 Risk Management | 1782.10a1Organizational.4-10.a | 1782.10a1Organizational.4-10.a 10.01 Security Requirements of Information Systems | Implement security engineering principles of information systems | 1.1.0 |
| 17 Risk Management | 1783.10a1Organizational.56-10.a | 1783.10a1Organizational.56-10.a 10.01 Security Requirements of Information Systems | Document acquisition contract acceptance criteria | 1.1.0 |
| 17 Risk Management | 1783.10a1Organizational.56-10.a | 1783.10a1Organizational.56-10.a 10.01 Security Requirements of Information Systems | Document protection of personal data in acquisition contracts | 1.1.0 |
| 17 Risk Management | 1783.10a1Organizational.56-10.a | 1783.10a1Organizational.56-10.a 10.01 Security Requirements of Information Systems | Document protection of security information in acquisition contracts | 1.1.0 |
| 17 Risk Management | 1783.10a1Organizational.56-10.a | 1783.10a1Organizational.56-10.a 10.01 Security Requirements of Information Systems | Document requirements for the use of shared data in contracts | 1.1.0 |
| 17 Risk Management | 1783.10a1Organizational.56-10.a | 1783.10a1Organizational.56-10.a 10.01 Security Requirements of Information Systems | Document security assurance requirements in acquisition contracts | 1.1.0 |
| 17 Risk Management | 1783.10a1Organizational.56-10.a | 1783.10a1Organizational.56-10.a 10.01 Security Requirements of Information Systems | Document security documentation requirements in acquisition contract | 1.1.0 |
| 17 Risk Management | 1783.10a1Organizational.56-10.a | 1783.10a1Organizational.56-10.a 10.01 Security Requirements of Information Systems | Document security functional requirements in acquisition contracts | 1.1.0 |
| 17 Risk Management | 1783.10a1Organizational.56-10.a | 1783.10a1Organizational.56-10.a 10.01 Security Requirements of Information Systems | Document the protection of cardholder data in third party contracts | 1.1.0 |
| 17 Risk Management | 1784.10a1Organizational.7-10.a | 1784.10a1Organizational.7-10.a 10.01 Security Requirements of Information Systems | Employ FIPS 201-approved technology for PIV | 1.1.0 |
| 17 Risk Management | 1785.10a1Organizational.8-10.a | 1785.10a1Organizational.8-10.a 10.01 Security Requirements of Information Systems | Authorize remote access | 1.1.0 |
| 17 Risk Management | 1785.10a1Organizational.8-10.a | 1785.10a1Organizational.8-10.a 10.01 Security Requirements of Information Systems | Create alternative actions for identified anomalies | 1.1.0 |
| 17 Risk Management | 1785.10a1Organizational.8-10.a | 1785.10a1Organizational.8-10.a 10.01 Security Requirements of Information Systems | Require developers to describe accurate security functionality | 1.1.0 |
| 17 Risk Management | 1785.10a1Organizational.8-10.a | 1785.10a1Organizational.8-10.a 10.01 Security Requirements of Information Systems | Separate user and information system management functionality | 1.1.0 |
| 17 Risk Management | 1785.10a1Organizational.8-10.a | 1785.10a1Organizational.8-10.a 10.01 Security Requirements of Information Systems | Use dedicated machines for administrative tasks | 1.1.0 |
| 17 Risk Management | 1786.10a1Organizational.9-10.a | 1786.10a1Organizational.9-10.a 10.01 Security Requirements of Information Systems | Define information security roles and responsibilities | 1.1.0 |
| 17 Risk Management | 1786.10a1Organizational.9-10.a | 1786.10a1Organizational.9-10.a 10.01 Security Requirements of Information Systems | Identify external service providers | 1.1.0 |
| 17 Risk Management | 1786.10a1Organizational.9-10.a | 1786.10a1Organizational.9-10.a 10.01 Security Requirements of Information Systems | Identify individuals with security roles and responsibilities | 1.1.1 |
| 17 Risk Management | 1786.10a1Organizational.9-10.a | 1786.10a1Organizational.9-10.a 10.01 Security Requirements of Information Systems | Require developer to identify SDLC ports, protocols, and services | 1.1.0 |
| 17 Risk Management | 1787.10a2Organizational.1-10.a | 1787.10a2Organizational.1-10.a 10.01 Security Requirements of Information Systems | Automate privacy controls | 1.1.0 |
| 17 Risk Management | 1787.10a2Organizational.1-10.a | 1787.10a2Organizational.1-10.a 10.01 Security Requirements of Information Systems | Define information security roles and responsibilities | 1.1.0 |
| 17 Risk Management | 1787.10a2Organizational.1-10.a | 1787.10a2Organizational.1-10.a 10.01 Security Requirements of Information Systems | Establish a privacy program | 1.1.0 |
| 17 Risk Management | 1787.10a2Organizational.1-10.a | 1787.10a2Organizational.1-10.a 10.01 Security Requirements of Information Systems | Information security and personal data protection | 1.1.0 |
| 17 Risk Management | 1787.10a2Organizational.1-10.a | 1787.10a2Organizational.1-10.a 10.01 Security Requirements of Information Systems | Perform a privacy impact assessment | 1.1.0 |
| 17 Risk Management | 1788.10a2Organizational.2-10.a | 1788.10a2Organizational.2-10.a 10.01 Security Requirements of Information Systems | Address coding vulnerabilities | 1.1.0 |
| 17 Risk Management | 1788.10a2Organizational.2-10.a | 1788.10a2Organizational.2-10.a 10.01 Security Requirements of Information Systems | Conduct a security impact analysis | 1.1.0 |
| 17 Risk Management | 1788.10a2Organizational.2-10.a | 1788.10a2Organizational.2-10.a 10.01 Security Requirements of Information Systems | Develop and document application security requirements | 1.1.0 |
| 17 Risk Management | 1788.10a2Organizational.2-10.a | 1788.10a2Organizational.2-10.a 10.01 Security Requirements of Information Systems | Develop and maintain a vulnerability management standard | 1.1.0 |
| 17 Risk Management | 1788.10a2Organizational.2-10.a | 1788.10a2Organizational.2-10.a 10.01 Security Requirements of Information Systems | Establish a secure software development program | 1.1.0 |
| 17 Risk Management | 1788.10a2Organizational.2-10.a | 1788.10a2Organizational.2-10.a 10.01 Security Requirements of Information Systems | Perform a privacy impact assessment | 1.1.0 |
| 17 Risk Management | 1788.10a2Organizational.2-10.a | 1788.10a2Organizational.2-10.a 10.01 Security Requirements of Information Systems | Require developers to document approved changes and potential impact | 1.1.0 |
| 17 Risk Management | 1788.10a2Organizational.2-10.a | 1788.10a2Organizational.2-10.a 10.01 Security Requirements of Information Systems | Require developers to implement only approved changes | 1.1.0 |
| 17 Risk Management | 1788.10a2Organizational.2-10.a | 1788.10a2Organizational.2-10.a 10.01 Security Requirements of Information Systems | Require developers to manage change integrity | 1.1.0 |
| 17 Risk Management | 1789.10a2Organizational.3-10.a | 1789.10a2Organizational.3-10.a 10.01 Security Requirements of Information Systems | Define information security roles and responsibilities | 1.1.0 |
| 17 Risk Management | 1789.10a2Organizational.3-10.a | 1789.10a2Organizational.3-10.a 10.01 Security Requirements of Information Systems | Develop a concept of operations (CONOPS) | 1.1.0 |
| 17 Risk Management | 1789.10a2Organizational.3-10.a | 1789.10a2Organizational.3-10.a 10.01 Security Requirements of Information Systems | Identify individuals with security roles and responsibilities | 1.1.1 |
| 17 Risk Management | 1789.10a2Organizational.3-10.a | 1789.10a2Organizational.3-10.a 10.01 Security Requirements of Information Systems | Integrate risk management process into SDLC | 1.1.0 |
| 17 Risk Management | 1790.10a2Organizational.45-10.a | 1790.10a2Organizational.45-10.a 10.01 Security Requirements of Information Systems | Define information security roles and responsibilities | 1.1.0 |
| 17 Risk Management | 1790.10a2Organizational.45-10.a | 1790.10a2Organizational.45-10.a 10.01 Security Requirements of Information Systems | Develop a concept of operations (CONOPS) | 1.1.0 |
| 17 Risk Management | 1790.10a2Organizational.45-10.a | 1790.10a2Organizational.45-10.a 10.01 Security Requirements of Information Systems | Develop SSP that meets criteria | 1.1.0 |
| 17 Risk Management | 1790.10a2Organizational.45-10.a | 1790.10a2Organizational.45-10.a 10.01 Security Requirements of Information Systems | Integrate risk management process into SDLC | 1.1.0 |
| 17 Risk Management | 1790.10a2Organizational.45-10.a | 1790.10a2Organizational.45-10.a 10.01 Security Requirements of Information Systems | Review and update the information security architecture | 1.1.0 |
| 17 Risk Management | 1790.10a2Organizational.45-10.a | 1790.10a2Organizational.45-10.a 10.01 Security Requirements of Information Systems | Review development process, standards and tools | 1.1.0 |
| 17 Risk Management | 1791.10a2Organizational.6-10.a | 1791.10a2Organizational.6-10.a 10.01 Security Requirements of Information Systems | Automate flaw remediation | 1.1.0 |
| 17 Risk Management | 1791.10a2Organizational.6-10.a | 1791.10a2Organizational.6-10.a 10.01 Security Requirements of Information Systems | Enforce security configuration settings | 1.1.0 |
| 17 Risk Management | 1791.10a2Organizational.6-10.a | 1791.10a2Organizational.6-10.a 10.01 Security Requirements of Information Systems | Govern compliance of cloud service providers | 1.1.0 |
| 17 Risk Management | 1791.10a2Organizational.6-10.a | 1791.10a2Organizational.6-10.a 10.01 Security Requirements of Information Systems | Integrate risk management process into SDLC | 1.1.0 |
| 17 Risk Management | 1791.10a2Organizational.6-10.a | 1791.10a2Organizational.6-10.a 10.01 Security Requirements of Information Systems | View and configure system diagnostic data | 1.1.0 |
| 17 Risk Management | 1792.10a2Organizational.7814-10.a | 1792.10a2Organizational.7814-10.a 10.01 Security Requirements of Information Systems | Define information security roles and responsibilities | 1.1.0 |
| 17 Risk Management | 1792.10a2Organizational.7814-10.a | 1792.10a2Organizational.7814-10.a 10.01 Security Requirements of Information Systems | Identify individuals with security roles and responsibilities | 1.1.1 |
| 17 Risk Management | 1792.10a2Organizational.7814-10.a | 1792.10a2Organizational.7814-10.a 10.01 Security Requirements of Information Systems | Implement the risk management strategy | 1.1.0 |
| 17 Risk Management | 1792.10a2Organizational.7814-10.a | 1792.10a2Organizational.7814-10.a 10.01 Security Requirements of Information Systems | Integrate risk management process into SDLC | 1.1.0 |
| 17 Risk Management | 1793.10a2Organizational.91011-10.a | 1793.10a2Organizational.91011-10.a 10.01 Security Requirements of Information Systems | Develop and establish a system security plan | 1.1.0 |
| 17 Risk Management | 1793.10a2Organizational.91011-10.a | 1793.10a2Organizational.91011-10.a 10.01 Security Requirements of Information Systems | Develop information security policies and procedures | 1.1.0 |
| 17 Risk Management | 1793.10a2Organizational.91011-10.a | 1793.10a2Organizational.91011-10.a 10.01 Security Requirements of Information Systems | Develop SSP that meets criteria | 1.1.0 |
| 17 Risk Management | 1793.10a2Organizational.91011-10.a | 1793.10a2Organizational.91011-10.a 10.01 Security Requirements of Information Systems | Establish a privacy program | 1.1.0 |
| 17 Risk Management | 1793.10a2Organizational.91011-10.a | 1793.10a2Organizational.91011-10.a 10.01 Security Requirements of Information Systems | Establish security requirements for the manufacturing of connected devices | 1.1.0 |
| 17 Risk Management | 1793.10a2Organizational.91011-10.a | 1793.10a2Organizational.91011-10.a 10.01 Security Requirements of Information Systems | Implement security engineering principles of information systems | 1.1.0 |
| 17 Risk Management | 1794.10a2Organizational.12-10.a | 1794.10a2Organizational.12-10.a 10.01 Security Requirements of Information Systems | Require developers to produce evidence of security assessment plan execution | 1.1.0 |
| 17 Risk Management | 1795.10a2Organizational.13-10.a | 1795.10a2Organizational.13-10.a 10.01 Security Requirements of Information Systems | Address coding vulnerabilities | 1.1.0 |
| 17 Risk Management | 1795.10a2Organizational.13-10.a | 1795.10a2Organizational.13-10.a 10.01 Security Requirements of Information Systems | Develop and document application security requirements | 1.1.0 |
| 17 Risk Management | 1795.10a2Organizational.13-10.a | 1795.10a2Organizational.13-10.a 10.01 Security Requirements of Information Systems | Establish a secure software development program | 1.1.0 |
| 17 Risk Management | 1795.10a2Organizational.13-10.a | 1795.10a2Organizational.13-10.a 10.01 Security Requirements of Information Systems | Require developers to document approved changes and potential impact | 1.1.0 |
| 17 Risk Management | 1795.10a2Organizational.13-10.a | 1795.10a2Organizational.13-10.a 10.01 Security Requirements of Information Systems | Require developers to produce evidence of security assessment plan execution | 1.1.0 |
| 17 Risk Management | 1796.10a2Organizational.15-10.a | 1796.10a2Organizational.15-10.a 10.01 Security Requirements of Information Systems | Accept assessment results | 1.1.0 |
| 17 Risk Management | 1796.10a2Organizational.15-10.a | 1796.10a2Organizational.15-10.a 10.01 Security Requirements of Information Systems | Assess Security Controls | 1.1.0 |
| 17 Risk Management | 1796.10a2Organizational.15-10.a | 1796.10a2Organizational.15-10.a 10.01 Security Requirements of Information Systems | Deliver security assessment results | 1.1.0 |
| 17 Risk Management | 1796.10a2Organizational.15-10.a | 1796.10a2Organizational.15-10.a 10.01 Security Requirements of Information Systems | Develop security assessment plan | 1.1.0 |
| 17 Risk Management | 1796.10a2Organizational.15-10.a | 1796.10a2Organizational.15-10.a 10.01 Security Requirements of Information Systems | Employ independent assessors to conduct security control assessments | 1.1.0 |
| 17 Risk Management | 1796.10a2Organizational.15-10.a | 1796.10a2Organizational.15-10.a 10.01 Security Requirements of Information Systems | Produce Security Assessment report | 1.1.0 |
| 17 Risk Management | 1797.10a3Organizational.1-10.a | 1797.10a3Organizational.1-10.a 10.01 Security Requirements of Information Systems | Develop a concept of operations (CONOPS) | 1.1.0 |
| 17 Risk Management | 1797.10a3Organizational.1-10.a | 1797.10a3Organizational.1-10.a 10.01 Security Requirements of Information Systems | Develop an enterprise architecture | 1.1.0 |
| 17 Risk Management | 1797.10a3Organizational.1-10.a | 1797.10a3Organizational.1-10.a 10.01 Security Requirements of Information Systems | Require developers to build security architecture | 1.1.0 |
| 17 Risk Management | 1797.10a3Organizational.1-10.a | 1797.10a3Organizational.1-10.a 10.01 Security Requirements of Information Systems | Require developers to describe accurate security functionality | 1.1.0 |
| 17 Risk Management | 1797.10a3Organizational.1-10.a | 1797.10a3Organizational.1-10.a 10.01 Security Requirements of Information Systems | Require developers to provide unified security protection approach | 1.1.0 |
| 17 Risk Management | 1798.10a3Organizational.2-10.a | 1798.10a3Organizational.2-10.a 10.01 Security Requirements of Information Systems | Develop a concept of operations (CONOPS) | 1.1.0 |
| 17 Risk Management | 1798.10a3Organizational.2-10.a | 1798.10a3Organizational.2-10.a 10.01 Security Requirements of Information Systems | Develop an enterprise architecture | 1.1.0 |
| 17 Risk Management | 1798.10a3Organizational.2-10.a | 1798.10a3Organizational.2-10.a 10.01 Security Requirements of Information Systems | Require developers to build security architecture | 1.1.0 |
| 17 Risk Management | 1798.10a3Organizational.2-10.a | 1798.10a3Organizational.2-10.a 10.01 Security Requirements of Information Systems | Review and update the information security architecture | 1.1.0 |
| 17 Risk Management | 1799.10a3Organizational.34-10.a | 1799.10a3Organizational.34-10.a 10.01 Security Requirements of Information Systems | Develop a concept of operations (CONOPS) | 1.1.0 |
| 17 Risk Management | 1799.10a3Organizational.34-10.a | 1799.10a3Organizational.34-10.a 10.01 Security Requirements of Information Systems | Develop an enterprise architecture | 1.1.0 |
| 17 Risk Management | 1799.10a3Organizational.34-10.a | 1799.10a3Organizational.34-10.a 10.01 Security Requirements of Information Systems | Require developers to build security architecture | 1.1.0 |
| 17 Risk Management | 1799.10a3Organizational.34-10.a | 1799.10a3Organizational.34-10.a 10.01 Security Requirements of Information Systems | Require developers to describe accurate security functionality | 1.1.0 |
| 17 Risk Management | 1799.10a3Organizational.34-10.a | 1799.10a3Organizational.34-10.a 10.01 Security Requirements of Information Systems | Require developers to provide unified security protection approach | 1.1.0 |
| 17 Risk Management | 1799.10a3Organizational.34-10.a | 1799.10a3Organizational.34-10.a 10.01 Security Requirements of Information Systems | Review and update the information security architecture | 1.1.0 |
| 18 Physical & Environmental Security | 1801.08b1Organizational.124-08.b | 1801.08b1Organizational.124-08.b 08.01 Secure Areas | Control physical access | 1.1.0 |
| 18 Physical & Environmental Security | 1801.08b1Organizational.124-08.b | 1801.08b1Organizational.124-08.b 08.01 Secure Areas | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| 18 Physical & Environmental Security | 1801.08b1Organizational.124-08.b | 1801.08b1Organizational.124-08.b 08.01 Secure Areas | Monitor third-party provider compliance | 1.1.0 |
| 18 Physical & Environmental Security | 1802.08b1Organizational.3-08.b | 1802.08b1Organizational.3-08.b 08.01 Secure Areas | Control physical access | 1.1.0 |
| 18 Physical & Environmental Security | 1803.08b1Organizational.5-08.b | 1803.08b1Organizational.5-08.b 08.01 Secure Areas | Automate remote maintenance activities | 1.1.0 |
| 18 Physical & Environmental Security | 1803.08b1Organizational.5-08.b | 1803.08b1Organizational.5-08.b 08.01 Secure Areas | Control maintenance and repair activities | 1.1.0 |
| 18 Physical & Environmental Security | 1803.08b1Organizational.5-08.b | 1803.08b1Organizational.5-08.b 08.01 Secure Areas | Produce complete records of remote maintenance activities | 1.1.0 |
| 18 Physical & Environmental Security | 1804.08b2Organizational.12-08.b | 1804.08b2Organizational.12-08.b 08.01 Secure Areas | Control physical access | 1.1.0 |
| 18 Physical & Environmental Security | 1804.08b2Organizational.12-08.b | 1804.08b2Organizational.12-08.b 08.01 Secure Areas | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| 18 Physical & Environmental Security | 1805.08b2Organizational.3-08.b | 1805.08b2Organizational.3-08.b 08.01 Secure Areas | Control physical access | 1.1.0 |
| 18 Physical & Environmental Security | 1806.08b2Organizational.4-08.b | 1806.08b2Organizational.4-08.b 08.01 Secure Areas | Control physical access | 1.1.0 |
| 18 Physical & Environmental Security | 1807.08b2Organizational.56-08.b | 1807.08b2Organizational.56-08.b 08.01 Secure Areas | Control physical access | 1.1.0 |
| 18 Physical & Environmental Security | 1808.08b2Organizational.7-08.b | 1808.08b2Organizational.7-08.b 08.01 Secure Areas | Audit user account status | 1.1.0 |
| 18 Physical & Environmental Security | 1808.08b2Organizational.7-08.b | 1808.08b2Organizational.7-08.b 08.01 Secure Areas | Control physical access | 1.1.0 |
| 18 Physical & Environmental Security | 1808.08b2Organizational.7-08.b | 1808.08b2Organizational.7-08.b 08.01 Secure Areas | Define a physical key management process | 1.1.0 |
| 18 Physical & Environmental Security | 1808.08b2Organizational.7-08.b | 1808.08b2Organizational.7-08.b 08.01 Secure Areas | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| 18 Physical & Environmental Security | 1808.08b2Organizational.7-08.b | 1808.08b2Organizational.7-08.b 08.01 Secure Areas | Review account provisioning logs | 1.1.0 |
| 18 Physical & Environmental Security | 1808.08b2Organizational.7-08.b | 1808.08b2Organizational.7-08.b 08.01 Secure Areas | Review user accounts | 1.1.0 |
| 18 Physical & Environmental Security | 1808.08b2Organizational.7-08.b | 1808.08b2Organizational.7-08.b 08.01 Secure Areas | Separate duties of individuals | 1.1.0 |
| 18 Physical & Environmental Security | 1810.08b3Organizational.2-08.b | 1810.08b3Organizational.2-08.b 08.01 Secure Areas | Control physical access | 1.1.0 |
| 18 Physical & Environmental Security | 18108.08j1Organizational.1-08.j | 18108.08j1Organizational.1-08.j 08.02 Equipment Security | Review and update media protection policies and procedures | 1.1.0 |
| 18 Physical & Environmental Security | 18108.08j1Organizational.1-08.j | 18108.08j1Organizational.1-08.j 08.02 Equipment Security | Review and update system maintenance policies and procedures | 1.1.0 |
| 18 Physical & Environmental Security | 18109.08j1Organizational.4-08.j | 18109.08j1Organizational.4-08.j 08.02 Equipment Security | Designate personnel to supervise unauthorized maintenance activities | 1.1.0 |
| 18 Physical & Environmental Security | 18109.08j1Organizational.4-08.j | 18109.08j1Organizational.4-08.j 08.02 Equipment Security | Employ a media sanitization mechanism | 1.1.0 |
| 18 Physical & Environmental Security | 18109.08j1Organizational.4-08.j | 18109.08j1Organizational.4-08.j 08.02 Equipment Security | Maintain list of authorized remote maintenance personnel | 1.1.0 |
| 18 Physical & Environmental Security | 18109.08j1Organizational.4-08.j | 18109.08j1Organizational.4-08.j 08.02 Equipment Security | Manage maintenance personnel | 1.1.0 |
| 18 Physical & Environmental Security | 1811.08b3Organizational.3-08.b | 1811.08b3Organizational.3-08.b 08.01 Secure Areas | Control physical access | 1.1.0 |
| 18 Physical & Environmental Security | 1811.08b3Organizational.3-08.b | 1811.08b3Organizational.3-08.b 08.01 Secure Areas | Define a physical key management process | 1.1.0 |
| 18 Physical & Environmental Security | 1811.08b3Organizational.3-08.b | 1811.08b3Organizational.3-08.b 08.01 Secure Areas | Establish and maintain an asset inventory | 1.1.0 |
| 18 Physical & Environmental Security | 1811.08b3Organizational.3-08.b | 1811.08b3Organizational.3-08.b 08.01 Secure Areas | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| 18 Physical & Environmental Security | 18110.08j1Organizational.5-08.j | 18110.08j1Organizational.5-08.j 08.02 Equipment Security | Control maintenance and repair activities | 1.1.0 |
| 18 Physical & Environmental Security | 18110.08j1Organizational.5-08.j | 18110.08j1Organizational.5-08.j 08.02 Equipment Security | Implement cryptographic mechanisms | 1.1.0 |
| 18 Physical & Environmental Security | 18110.08j1Organizational.5-08.j | 18110.08j1Organizational.5-08.j 08.02 Equipment Security | Manage nonlocal maintenance and diagnostic activities | 1.1.0 |
| 18 Physical & Environmental Security | 18110.08j1Organizational.5-08.j | 18110.08j1Organizational.5-08.j 08.02 Equipment Security | Perform all non-local maintenance | 1.1.0 |
| 18 Physical & Environmental Security | 18111.08j1Organizational.6-08.j | 18111.08j1Organizational.6-08.j 08.02 Equipment Security | Provide timely maintenance support | 1.1.0 |
| 18 Physical & Environmental Security | 18112.08j3Organizational.4-08.j | 18112.08j3Organizational.4-08.j 08.02 Equipment Security | Manage nonlocal maintenance and diagnostic activities | 1.1.0 |
| 18 Physical & Environmental Security | 18112.08j3Organizational.4-08.j | 18112.08j3Organizational.4-08.j 08.02 Equipment Security | Review and update information integrity policies and procedures | 1.1.0 |
| 18 Physical & Environmental Security | 18112.08j3Organizational.4-08.j | 18112.08j3Organizational.4-08.j 08.02 Equipment Security | Review and update system maintenance policies and procedures | 1.1.0 |
| 18 Physical & Environmental Security | 1812.08b3Organizational.46-08.b | 1812.08b3Organizational.46-08.b 08.01 Secure Areas | Document wireless access security controls | 1.1.0 |
| 18 Physical & Environmental Security | 1812.08b3Organizational.46-08.b | 1812.08b3Organizational.46-08.b 08.01 Secure Areas | Install an alarm system | 1.1.0 |
| 18 Physical & Environmental Security | 1812.08b3Organizational.46-08.b | 1812.08b3Organizational.46-08.b 08.01 Secure Areas | Manage a secure surveillance camera system | 1.1.0 |
| 18 Physical & Environmental Security | 18127.08l1Organizational.3-08.l | 18127.08l1Organizational.3-08.l 08.02 Equipment Security | Employ a media sanitization mechanism | 1.1.0 |
| 18 Physical & Environmental Security | 1813.08b3Organizational.56-08.b | 1813.08b3Organizational.56-08.b 08.01 Secure Areas | Control physical access | 1.1.0 |
| 18 Physical & Environmental Security | 1813.08b3Organizational.56-08.b | 1813.08b3Organizational.56-08.b 08.01 Secure Areas | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| 18 Physical & Environmental Security | 1813.08b3Organizational.56-08.b | 1813.08b3Organizational.56-08.b 08.01 Secure Areas | Install an alarm system | 1.1.0 |
| 18 Physical & Environmental Security | 1813.08b3Organizational.56-08.b | 1813.08b3Organizational.56-08.b 08.01 Secure Areas | Manage a secure surveillance camera system | 1.1.0 |
| 18 Physical & Environmental Security | 18130.09p1Organizational.24-09.p | 18130.09p1Organizational.24-09.p 09.07 Media Handling | Employ a media sanitization mechanism | 1.1.0 |
| 18 Physical & Environmental Security | 1814.08d1Organizational.12-08.d | 1814.08d1Organizational.12-08.d 08.01 Secure Areas | Implement a penetration testing methodology | 1.1.0 |
| 18 Physical & Environmental Security | 1814.08d1Organizational.12-08.d | 1814.08d1Organizational.12-08.d 08.01 Secure Areas | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| 18 Physical & Environmental Security | 1814.08d1Organizational.12-08.d | 1814.08d1Organizational.12-08.d 08.01 Secure Areas | Run simulation attacks | 1.1.0 |
| 18 Physical & Environmental Security | 18145.08b3Organizational.7-08.b | 18145.08b3Organizational.7-08.b 08.01 Secure Areas | Install an alarm system | 1.1.0 |
| 18 Physical & Environmental Security | 18145.08b3Organizational.7-08.b | 18145.08b3Organizational.7-08.b 08.01 Secure Areas | Manage a secure surveillance camera system | 1.1.0 |
| 18 Physical & Environmental Security | 18146.08b3Organizational.8-08.b | 18146.08b3Organizational.8-08.b 08.01 Secure Areas | Control physical access | 1.1.0 |
| 18 Physical & Environmental Security | 18146.08b3Organizational.8-08.b | 18146.08b3Organizational.8-08.b 08.01 Secure Areas | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| 18 Physical & Environmental Security | 18146.08b3Organizational.8-08.b | 18146.08b3Organizational.8-08.b 08.01 Secure Areas | Install an alarm system | 1.1.0 |
| 18 Physical & Environmental Security | 18146.08b3Organizational.8-08.b | 18146.08b3Organizational.8-08.b 08.01 Secure Areas | Manage a secure surveillance camera system | 1.1.0 |
| 18 Physical & Environmental Security | 1815.08d2Organizational.123-08.d | 1815.08d2Organizational.123-08.d 08.01 Secure Areas | Implement a penetration testing methodology | 1.1.0 |
| 18 Physical & Environmental Security | 1815.08d2Organizational.123-08.d | 1815.08d2Organizational.123-08.d 08.01 Secure Areas | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| 18 Physical & Environmental Security | 1815.08d2Organizational.123-08.d | 1815.08d2Organizational.123-08.d 08.01 Secure Areas | Run simulation attacks | 1.1.0 |
| 18 Physical & Environmental Security | 1816.08d2Organizational.4-08.d | 1816.08d2Organizational.4-08.d 08.01 Secure Areas | Implement controls to secure alternate work sites | 1.1.0 |
| 18 Physical & Environmental Security | 1816.08d2Organizational.4-08.d | 1816.08d2Organizational.4-08.d 08.01 Secure Areas | Install an alarm system | 1.1.0 |
| 18 Physical & Environmental Security | 1816.08d2Organizational.4-08.d | 1816.08d2Organizational.4-08.d 08.01 Secure Areas | Manage a secure surveillance camera system | 1.1.0 |
| 18 Physical & Environmental Security | 1816.08d2Organizational.4-08.d | 1816.08d2Organizational.4-08.d 08.01 Secure Areas | Manage the transportation of assets | 1.1.0 |
| 18 Physical & Environmental Security | 1817.08d3Organizational.12-08.d | 1817.08d3Organizational.12-08.d 08.01 Secure Areas | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| 18 Physical & Environmental Security | 1818.08d3Organizational.3-08.d | 1818.08d3Organizational.3-08.d 08.01 Secure Areas | Implement a penetration testing methodology | 1.1.0 |
| 18 Physical & Environmental Security | 1818.08d3Organizational.3-08.d | 1818.08d3Organizational.3-08.d 08.01 Secure Areas | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| 18 Physical & Environmental Security | 1818.08d3Organizational.3-08.d | 1818.08d3Organizational.3-08.d 08.01 Secure Areas | Run simulation attacks | 1.1.0 |
| 18 Physical & Environmental Security | 1819.08j1Organizational.23-08.j | 1819.08j1Organizational.23-08.j 08.02 Equipment Security | Automate remote maintenance activities | 1.1.0 |
| 18 Physical & Environmental Security | 1819.08j1Organizational.23-08.j | 1819.08j1Organizational.23-08.j 08.02 Equipment Security | Control maintenance and repair activities | 1.1.0 |
| 18 Physical & Environmental Security | 1819.08j1Organizational.23-08.j | 1819.08j1Organizational.23-08.j 08.02 Equipment Security | Designate personnel to supervise unauthorized maintenance activities | 1.1.0 |
| 18 Physical & Environmental Security | 1819.08j1Organizational.23-08.j | 1819.08j1Organizational.23-08.j 08.02 Equipment Security | Maintain list of authorized remote maintenance personnel | 1.1.0 |
| 18 Physical & Environmental Security | 1819.08j1Organizational.23-08.j | 1819.08j1Organizational.23-08.j 08.02 Equipment Security | Manage maintenance personnel | 1.1.0 |
| 18 Physical & Environmental Security | 1819.08j1Organizational.23-08.j | 1819.08j1Organizational.23-08.j 08.02 Equipment Security | Manage nonlocal maintenance and diagnostic activities | 1.1.0 |
| 18 Physical & Environmental Security | 1819.08j1Organizational.23-08.j | 1819.08j1Organizational.23-08.j 08.02 Equipment Security | Produce complete records of remote maintenance activities | 1.1.0 |
| 18 Physical & Environmental Security | 1820.08j2Organizational.1-08.j | 1820.08j2Organizational.1-08.j 08.02 Equipment Security | Control maintenance and repair activities | 1.1.0 |
| 18 Physical & Environmental Security | 1820.08j2Organizational.1-08.j | 1820.08j2Organizational.1-08.j 08.02 Equipment Security | Manage nonlocal maintenance and diagnostic activities | 1.1.0 |
| 18 Physical & Environmental Security | 1821.08j2Organizational.3-08.j | 1821.08j2Organizational.3-08.j 08.02 Equipment Security | Automate remote maintenance activities | 1.1.0 |
| 18 Physical & Environmental Security | 1821.08j2Organizational.3-08.j | 1821.08j2Organizational.3-08.j 08.02 Equipment Security | Control maintenance and repair activities | 1.1.0 |
| 18 Physical & Environmental Security | 1821.08j2Organizational.3-08.j | 1821.08j2Organizational.3-08.j 08.02 Equipment Security | Manage nonlocal maintenance and diagnostic activities | 1.1.0 |
| 18 Physical & Environmental Security | 1821.08j2Organizational.3-08.j | 1821.08j2Organizational.3-08.j 08.02 Equipment Security | Produce complete records of remote maintenance activities | 1.1.0 |
| 18 Physical & Environmental Security | 1822.08j2Organizational.2-08.j | 1822.08j2Organizational.2-08.j 08.02 Equipment Security | Automate remote maintenance activities | 1.1.0 |
| 18 Physical & Environmental Security | 1822.08j2Organizational.2-08.j | 1822.08j2Organizational.2-08.j 08.02 Equipment Security | Control maintenance and repair activities | 1.1.0 |
| 18 Physical & Environmental Security | 1822.08j2Organizational.2-08.j | 1822.08j2Organizational.2-08.j 08.02 Equipment Security | Manage nonlocal maintenance and diagnostic activities | 1.1.0 |
| 18 Physical & Environmental Security | 1822.08j2Organizational.2-08.j | 1822.08j2Organizational.2-08.j 08.02 Equipment Security | Produce complete records of remote maintenance activities | 1.1.0 |
| 18 Physical & Environmental Security | 1823.08j3Organizational.12-08.j | 1823.08j3Organizational.12-08.j 08.02 Equipment Security | Control maintenance and repair activities | 1.1.0 |
| 18 Physical & Environmental Security | 1823.08j3Organizational.12-08.j | 1823.08j3Organizational.12-08.j 08.02 Equipment Security | Manage nonlocal maintenance and diagnostic activities | 1.1.0 |
| 18 Physical & Environmental Security | 1824.08j3Organizational.3-08.j | 1824.08j3Organizational.3-08.j 08.02 Equipment Security | Control maintenance and repair activities | 1.1.0 |
| 18 Physical & Environmental Security | 1824.08j3Organizational.3-08.j | 1824.08j3Organizational.3-08.j 08.02 Equipment Security | Manage nonlocal maintenance and diagnostic activities | 1.1.0 |
| 18 Physical & Environmental Security | 1826.09p1Organizational.1-09.p | 1826.09p1Organizational.1-09.p 09.07 Media Handling | Adhere to retention periods defined | 1.1.0 |
| 18 Physical & Environmental Security | 1826.09p1Organizational.1-09.p | 1826.09p1Organizational.1-09.p 09.07 Media Handling | Perform disposition review | 1.1.0 |
| 18 Physical & Environmental Security | 1826.09p1Organizational.1-09.p | 1826.09p1Organizational.1-09.p 09.07 Media Handling | Verify personal data is deleted at the end of processing | 1.1.0 |
| 18 Physical & Environmental Security | 1844.08b1Organizational.6-08.b | 1844.08b1Organizational.6-08.b 08.01 Secure Areas | Control physical access | 1.1.0 |
| 18 Physical & Environmental Security | 1845.08b1Organizational.7-08.b | 1845.08b1Organizational.7-08.b 08.01 Secure Areas | Control physical access | 1.1.0 |
| 18 Physical & Environmental Security | 1845.08b1Organizational.7-08.b | 1845.08b1Organizational.7-08.b 08.01 Secure Areas | Define a physical key management process | 1.1.0 |
| 18 Physical & Environmental Security | 1845.08b1Organizational.7-08.b | 1845.08b1Organizational.7-08.b 08.01 Secure Areas | Establish and maintain an asset inventory | 1.1.0 |
| 18 Physical & Environmental Security | 1845.08b1Organizational.7-08.b | 1845.08b1Organizational.7-08.b 08.01 Secure Areas | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| 18 Physical & Environmental Security | 1846.08b2Organizational.8-08.b | 1846.08b2Organizational.8-08.b 08.01 Secure Areas | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| 18 Physical & Environmental Security | 1847.08b2Organizational.910-08.b | 1847.08b2Organizational.910-08.b 08.01 Secure Areas | Define a physical key management process | 1.1.0 |
| 18 Physical & Environmental Security | 1847.08b2Organizational.910-08.b | 1847.08b2Organizational.910-08.b 08.01 Secure Areas | Establish and maintain an asset inventory | 1.1.0 |
| 18 Physical & Environmental Security | 1848.08b2Organizational.11-08.b | 1848.08b2Organizational.11-08.b 08.01 Secure Areas | Define a physical key management process | 1.1.0 |
| 18 Physical & Environmental Security | 1862.08d1Organizational.3-08.d | 1862.08d1Organizational.3-08.d 08.01 Secure Areas | Implement a penetration testing methodology | 1.1.0 |
| 18 Physical & Environmental Security | 1862.08d1Organizational.3-08.d | 1862.08d1Organizational.3-08.d 08.01 Secure Areas | Run simulation attacks | 1.1.0 |
| 18 Physical & Environmental Security | 1862.08d3Organizational.3 | 1862.08d3Organizational.3 08.01 Secure Areas | Implement a penetration testing methodology | 1.1.0 |
| 18 Physical & Environmental Security | 1862.08d3Organizational.3 | 1862.08d3Organizational.3 08.01 Secure Areas | Review and update physical and environmental policies and procedures | 1.1.0 |
| 18 Physical & Environmental Security | 1892.01l1Organizational.1 | 1892.01l1Organizational.1 01.04 Network Access Control | Define a physical key management process | 1.1.0 |
| 18 Physical & Environmental Security | 1892.01l1Organizational.1 | 1892.01l1Organizational.1 01.04 Network Access Control | Establish and maintain an asset inventory | 1.1.0 |
| 19 Data Protection & Privacy | 1901.06d1Organizational.1-06.d | 1901.06d1Organizational.1-06.d 06.01 Compliance with Legal Requirements | Appoint a senior information security officer | 1.1.0 |
| 19 Data Protection & Privacy | 1901.06d1Organizational.1-06.d | 1901.06d1Organizational.1-06.d 06.01 Compliance with Legal Requirements | Establish a privacy program | 1.1.0 |
| 19 Data Protection & Privacy | 1901.06d1Organizational.1-06.d | 1901.06d1Organizational.1-06.d 06.01 Compliance with Legal Requirements | Manage compliance activities | 1.1.0 |
| 19 Data Protection & Privacy | 1902.06d1Organizational.2-06.d | 1902.06d1Organizational.2-06.d 06.01 Compliance with Legal Requirements | Define the duties of processors | 1.1.0 |
| 19 Data Protection & Privacy | 1902.06d1Organizational.2-06.d | 1902.06d1Organizational.2-06.d 06.01 Compliance with Legal Requirements | Document and distribute a privacy policy | 1.1.0 |
| 19 Data Protection & Privacy | 1902.06d1Organizational.2-06.d | 1902.06d1Organizational.2-06.d 06.01 Compliance with Legal Requirements | Implement privacy notice delivery methods | 1.1.0 |
| 19 Data Protection & Privacy | 1902.06d1Organizational.2-06.d | 1902.06d1Organizational.2-06.d 06.01 Compliance with Legal Requirements | Keep accurate accounting of disclosures of information | 1.1.0 |
| 19 Data Protection & Privacy | 1902.06d1Organizational.2-06.d | 1902.06d1Organizational.2-06.d 06.01 Compliance with Legal Requirements | Make accounting of disclosures available upon request | 1.1.0 |
| 19 Data Protection & Privacy | 1902.06d1Organizational.2-06.d | 1902.06d1Organizational.2-06.d 06.01 Compliance with Legal Requirements | Obtain consent prior to collection or processing of personal data | 1.1.0 |
| 19 Data Protection & Privacy | 1902.06d1Organizational.2-06.d | 1902.06d1Organizational.2-06.d 06.01 Compliance with Legal Requirements | Provide privacy notice | 1.1.0 |
| 19 Data Protection & Privacy | 1902.06d1Organizational.2-06.d | 1902.06d1Organizational.2-06.d 06.01 Compliance with Legal Requirements | Record disclosures of PII to third parties | 1.1.0 |
| 19 Data Protection & Privacy | 1902.06d1Organizational.2-06.d | 1902.06d1Organizational.2-06.d 06.01 Compliance with Legal Requirements | Restrict communications | 1.1.0 |
| 19 Data Protection & Privacy | 1902.06d1Organizational.2-06.d | 1902.06d1Organizational.2-06.d 06.01 Compliance with Legal Requirements | Retain accounting of disclosures of information | 1.1.0 |
| 19 Data Protection & Privacy | 1902.06d1Organizational.2-06.d | 1902.06d1Organizational.2-06.d 06.01 Compliance with Legal Requirements | Train staff on PII sharing and its consequences | 1.1.0 |
| 19 Data Protection & Privacy | 1903.06d1Organizational.3456711-06.d | 1903.06d1Organizational.3456711-06.d 06.01 Compliance with Legal Requirements | Define cryptographic use | 1.1.0 |
| 19 Data Protection & Privacy | 1903.06d1Organizational.3456711-06.d | 1903.06d1Organizational.3456711-06.d 06.01 Compliance with Legal Requirements | Establish a data leakage management procedure | 1.1.0 |
| 19 Data Protection & Privacy | 1903.06d1Organizational.3456711-06.d | 1903.06d1Organizational.3456711-06.d 06.01 Compliance with Legal Requirements | Implement training for protecting authenticators | 1.1.0 |
| 19 Data Protection & Privacy | 1903.06d1Organizational.3456711-06.d | 1903.06d1Organizational.3456711-06.d 06.01 Compliance with Legal Requirements | Notify users of system logon or access | 1.1.0 |
| 19 Data Protection & Privacy | 1903.06d1Organizational.3456711-06.d | 1903.06d1Organizational.3456711-06.d 06.01 Compliance with Legal Requirements | Protect special information | 1.1.0 |
| 19 Data Protection & Privacy | 1904.06.d2Organizational.1-06.d | 1904.06.d2Organizational.1-06.d 06.01 Compliance with Legal Requirements | Adhere to retention periods defined | 1.1.0 |
| 19 Data Protection & Privacy | 1904.06.d2Organizational.1-06.d | 1904.06.d2Organizational.1-06.d 06.01 Compliance with Legal Requirements | Perform disposition review | 1.1.0 |
| 19 Data Protection & Privacy | 1904.06.d2Organizational.1-06.d | 1904.06.d2Organizational.1-06.d 06.01 Compliance with Legal Requirements | Verify personal data is deleted at the end of processing | 1.1.0 |
| 19 Data Protection & Privacy | 1906.06.c1Organizational.2-06.c | 1906.06.c1Organizational.2-06.c 06.01 Compliance with Legal Requirements | Make SORNs available publicly | 1.1.0 |
| 19 Data Protection & Privacy | 1906.06.c1Organizational.2-06.c | 1906.06.c1Organizational.2-06.c 06.01 Compliance with Legal Requirements | Provide formal notice to individuals | 1.1.0 |
| 19 Data Protection & Privacy | 1906.06.c1Organizational.2-06.c | 1906.06.c1Organizational.2-06.c 06.01 Compliance with Legal Requirements | Provide privacy notice to the public and to individuals | 1.1.0 |
| 19 Data Protection & Privacy | 1906.06.c1Organizational.2-06.c | 1906.06.c1Organizational.2-06.c 06.01 Compliance with Legal Requirements | Publish SORNs for systems containing PII | 1.1.0 |
| 19 Data Protection & Privacy | 1907.06.c1Organizational.3-06.c | 1907.06.c1Organizational.3-06.c 06.01 Compliance with Legal Requirements | Keep SORNs updated | 1.1.0 |
| 19 Data Protection & Privacy | 1907.06.c1Organizational.3-06.c | 1907.06.c1Organizational.3-06.c 06.01 Compliance with Legal Requirements | Make SORNs available publicly | 1.1.0 |
| 19 Data Protection & Privacy | 1907.06.c1Organizational.3-06.c | 1907.06.c1Organizational.3-06.c 06.01 Compliance with Legal Requirements | Provide formal notice to individuals | 1.1.0 |
| 19 Data Protection & Privacy | 1907.06.c1Organizational.3-06.c | 1907.06.c1Organizational.3-06.c 06.01 Compliance with Legal Requirements | Publish SORNs for systems containing PII | 1.1.0 |
| 19 Data Protection & Privacy | 1908.06.c1Organizational.4-06.c | 1908.06.c1Organizational.4-06.c 06.01 Compliance with Legal Requirements | Adhere to retention periods defined | 1.1.0 |
| 19 Data Protection & Privacy | 1908.06.c1Organizational.4-06.c | 1908.06.c1Organizational.4-06.c 06.01 Compliance with Legal Requirements | Conduct backup of information system documentation | 1.1.0 |
| 19 Data Protection & Privacy | 1908.06.c1Organizational.4-06.c | 1908.06.c1Organizational.4-06.c 06.01 Compliance with Legal Requirements | Establish backup policies and procedures | 1.1.0 |
| 19 Data Protection & Privacy | 1908.06.c1Organizational.4-06.c | 1908.06.c1Organizational.4-06.c 06.01 Compliance with Legal Requirements | Keep SORNs updated | 1.1.0 |
| 19 Data Protection & Privacy | 1908.06.c1Organizational.4-06.c | 1908.06.c1Organizational.4-06.c 06.01 Compliance with Legal Requirements | Make SORNs available publicly | 1.1.0 |
| 19 Data Protection & Privacy | 1908.06.c1Organizational.4-06.c | 1908.06.c1Organizational.4-06.c 06.01 Compliance with Legal Requirements | Manage the input, output, processing, and storage of data | 1.1.0 |
| 19 Data Protection & Privacy | 1908.06.c1Organizational.4-06.c | 1908.06.c1Organizational.4-06.c 06.01 Compliance with Legal Requirements | Provide formal notice to individuals | 1.1.0 |
| 19 Data Protection & Privacy | 1908.06.c1Organizational.4-06.c | 1908.06.c1Organizational.4-06.c 06.01 Compliance with Legal Requirements | Publish SORNs for systems containing PII | 1.1.0 |
| 19 Data Protection & Privacy | 1908.06.c1Organizational.4-06.c | 1908.06.c1Organizational.4-06.c 06.01 Compliance with Legal Requirements | Retain security policies and procedures | 1.1.0 |
| 19 Data Protection & Privacy | 1908.06.c1Organizational.4-06.c | 1908.06.c1Organizational.4-06.c 06.01 Compliance with Legal Requirements | Retain terminated user data | 1.1.0 |
| 19 Data Protection & Privacy | 1908.06.c1Organizational.4-06.c | 1908.06.c1Organizational.4-06.c 06.01 Compliance with Legal Requirements | Review label activity and analytics | 1.1.0 |
| 19 Data Protection & Privacy | 1911.06d1Organizational.13-06.d | 1911.06d1Organizational.13-06.d 06.01 Compliance with Legal Requirements | Document the legal basis for processing personal information | 1.1.0 |
| 19 Data Protection & Privacy | 1911.06d1Organizational.13-06.d | 1911.06d1Organizational.13-06.d 06.01 Compliance with Legal Requirements | Establish terms and conditions for processing resources | 1.1.0 |
| 19 Data Protection & Privacy | 1911.06d1Organizational.13-06.d | 1911.06d1Organizational.13-06.d 06.01 Compliance with Legal Requirements | Evaluate and review PII holdings regularly | 1.1.0 |
| 19 Data Protection & Privacy | 1911.06d1Organizational.13-06.d | 1911.06d1Organizational.13-06.d 06.01 Compliance with Legal Requirements | Obtain consent prior to collection or processing of personal data | 1.1.0 |
| 19 Data Protection & Privacy | 1911.06d1Organizational.13-06.d | 1911.06d1Organizational.13-06.d 06.01 Compliance with Legal Requirements | Remove or redact any PII | 1.1.0 |
| 19 Data Protection & Privacy | 19134.05j1Organizational.5-05.j | 19134.05j1Organizational.5-05.j 05.02 External Parties | Appoint a senior information security officer | 1.1.0 |
| 19 Data Protection & Privacy | 19134.05j1Organizational.5-05.j | 19134.05j1Organizational.5-05.j 05.02 External Parties | Designate authorized personnel to post publicly accessible information | 1.1.0 |
| 19 Data Protection & Privacy | 19134.05j1Organizational.5-05.j | 19134.05j1Organizational.5-05.j 05.02 External Parties | Develop and establish a system security plan | 1.1.0 |
| 19 Data Protection & Privacy | 19134.05j1Organizational.5-05.j | 19134.05j1Organizational.5-05.j 05.02 External Parties | Establish a privacy program | 1.1.0 |
| 19 Data Protection & Privacy | 19134.05j1Organizational.5-05.j | 19134.05j1Organizational.5-05.j 05.02 External Parties | Establish security requirements for the manufacturing of connected devices | 1.1.0 |
| 19 Data Protection & Privacy | 19134.05j1Organizational.5-05.j | 19134.05j1Organizational.5-05.j 05.02 External Parties | Implement security engineering principles of information systems | 1.1.0 |
| 19 Data Protection & Privacy | 19134.05j1Organizational.5-05.j | 19134.05j1Organizational.5-05.j 05.02 External Parties | Information security and personal data protection | 1.1.0 |
| 19 Data Protection & Privacy | 19134.05j1Organizational.5-05.j | 19134.05j1Organizational.5-05.j 05.02 External Parties | Manage compliance activities | 1.1.0 |
| 19 Data Protection & Privacy | 19134.05j1Organizational.5-05.j | 19134.05j1Organizational.5-05.j 05.02 External Parties | Review content prior to posting publicly accessible information | 1.1.0 |
| 19 Data Protection & Privacy | 19134.05j1Organizational.5-05.j | 19134.05j1Organizational.5-05.j 05.02 External Parties | Review publicly accessible content for nonpublic information | 1.1.0 |
| 19 Data Protection & Privacy | 19134.05j1Organizational.5-05.j | 19134.05j1Organizational.5-05.j 05.02 External Parties | Train personnel on disclosure of nonpublic information | 1.1.0 |
| 19 Data Protection & Privacy | 19134.05j1Organizational.5-05.j | 19134.05j1Organizational.5-05.j 05.02 External Parties | Update privacy plan, policies, and procedures | 1.1.0 |
| 19 Data Protection & Privacy | 19141.06c1Organizational.7-06.c | 19141.06c1Organizational.7-06.c 06.01 Compliance with Legal Requirements | Authorize access to security functions and information | 1.1.0 |
| 19 Data Protection & Privacy | 19141.06c1Organizational.7-06.c | 19141.06c1Organizational.7-06.c 06.01 Compliance with Legal Requirements | Authorize and manage access | 1.1.0 |
| 19 Data Protection & Privacy | 19141.06c1Organizational.7-06.c | 19141.06c1Organizational.7-06.c 06.01 Compliance with Legal Requirements | Conduct backup of information system documentation | 1.1.0 |
| 19 Data Protection & Privacy | 19141.06c1Organizational.7-06.c | 19141.06c1Organizational.7-06.c 06.01 Compliance with Legal Requirements | Enforce logical access | 1.1.0 |
| 19 Data Protection & Privacy | 19141.06c1Organizational.7-06.c | 19141.06c1Organizational.7-06.c 06.01 Compliance with Legal Requirements | Establish backup policies and procedures | 1.1.0 |
| 19 Data Protection & Privacy | 19141.06c1Organizational.7-06.c | 19141.06c1Organizational.7-06.c 06.01 Compliance with Legal Requirements | Implement transaction based recovery | 1.1.0 |
| 19 Data Protection & Privacy | 19141.06c1Organizational.7-06.c | 19141.06c1Organizational.7-06.c 06.01 Compliance with Legal Requirements | Manage the input, output, processing, and storage of data | 1.1.0 |
| 19 Data Protection & Privacy | 19141.06c1Organizational.7-06.c | 19141.06c1Organizational.7-06.c 06.01 Compliance with Legal Requirements | Require approval for account creation | 1.1.0 |
| 19 Data Protection & Privacy | 19141.06c1Organizational.7-06.c | 19141.06c1Organizational.7-06.c 06.01 Compliance with Legal Requirements | Review label activity and analytics | 1.1.0 |
| 19 Data Protection & Privacy | 19141.06c1Organizational.7-06.c | 19141.06c1Organizational.7-06.c 06.01 Compliance with Legal Requirements | Review user groups and applications with access to sensitive data | 1.1.0 |
| 19 Data Protection & Privacy | 19142.06c1Organizational.8-06.c | 19142.06c1Organizational.8-06.c 06.01 Compliance with Legal Requirements | Adhere to retention periods defined | 1.1.0 |
| 19 Data Protection & Privacy | 19142.06c1Organizational.8-06.c | 19142.06c1Organizational.8-06.c 06.01 Compliance with Legal Requirements | Control use of portable storage devices | 1.1.0 |
| 19 Data Protection & Privacy | 19142.06c1Organizational.8-06.c | 19142.06c1Organizational.8-06.c 06.01 Compliance with Legal Requirements | Manage the input, output, processing, and storage of data | 1.1.0 |
| 19 Data Protection & Privacy | 19142.06c1Organizational.8-06.c | 19142.06c1Organizational.8-06.c 06.01 Compliance with Legal Requirements | Perform disposition review | 1.1.0 |
| 19 Data Protection & Privacy | 19142.06c1Organizational.8-06.c | 19142.06c1Organizational.8-06.c 06.01 Compliance with Legal Requirements | Restrict media use | 1.1.0 |
| 19 Data Protection & Privacy | 19142.06c1Organizational.8-06.c | 19142.06c1Organizational.8-06.c 06.01 Compliance with Legal Requirements | Retain security policies and procedures | 1.1.0 |
| 19 Data Protection & Privacy | 19142.06c1Organizational.8-06.c | 19142.06c1Organizational.8-06.c 06.01 Compliance with Legal Requirements | Retain terminated user data | 1.1.0 |
| 19 Data Protection & Privacy | 19142.06c1Organizational.8-06.c | 19142.06c1Organizational.8-06.c 06.01 Compliance with Legal Requirements | Review label activity and analytics | 1.1.0 |
| 19 Data Protection & Privacy | 19142.06c1Organizational.8-06.c | 19142.06c1Organizational.8-06.c 06.01 Compliance with Legal Requirements | Verify personal data is deleted at the end of processing | 1.1.0 |
| 19 Data Protection & Privacy | 19143.06c1Organizational.9-06.c | 19143.06c1Organizational.9-06.c 06.01 Compliance with Legal Requirements | Appoint a senior information security officer | 1.1.0 |
| 19 Data Protection & Privacy | 19143.06c1Organizational.9-06.c | 19143.06c1Organizational.9-06.c 06.01 Compliance with Legal Requirements | Categorize information | 1.1.0 |
| 19 Data Protection & Privacy | 19143.06c1Organizational.9-06.c | 19143.06c1Organizational.9-06.c 06.01 Compliance with Legal Requirements | Develop business classification schemes | 1.1.0 |
| 19 Data Protection & Privacy | 19143.06c1Organizational.9-06.c | 19143.06c1Organizational.9-06.c 06.01 Compliance with Legal Requirements | Develop SSP that meets criteria | 1.1.0 |
| 19 Data Protection & Privacy | 19143.06c1Organizational.9-06.c | 19143.06c1Organizational.9-06.c 06.01 Compliance with Legal Requirements | Ensure security categorization is approved | 1.1.0 |
| 19 Data Protection & Privacy | 19143.06c1Organizational.9-06.c | 19143.06c1Organizational.9-06.c 06.01 Compliance with Legal Requirements | Review label activity and analytics | 1.1.0 |
| 19 Data Protection & Privacy | 19144.06c2Organizational.1-06.c | 19144.06c2Organizational.1-06.c 06.01 Compliance with Legal Requirements | Adhere to retention periods defined | 1.1.0 |
| 19 Data Protection & Privacy | 19144.06c2Organizational.1-06.c | 19144.06c2Organizational.1-06.c 06.01 Compliance with Legal Requirements | Manage the input, output, processing, and storage of data | 1.1.0 |
| 19 Data Protection & Privacy | 19144.06c2Organizational.1-06.c | 19144.06c2Organizational.1-06.c 06.01 Compliance with Legal Requirements | Perform disposition review | 1.1.0 |
| 19 Data Protection & Privacy | 19144.06c2Organizational.1-06.c | 19144.06c2Organizational.1-06.c 06.01 Compliance with Legal Requirements | Retain security policies and procedures | 1.1.0 |
| 19 Data Protection & Privacy | 19144.06c2Organizational.1-06.c | 19144.06c2Organizational.1-06.c 06.01 Compliance with Legal Requirements | Retain terminated user data | 1.1.0 |
| 19 Data Protection & Privacy | 19144.06c2Organizational.1-06.c | 19144.06c2Organizational.1-06.c 06.01 Compliance with Legal Requirements | Review label activity and analytics | 1.1.0 |
| 19 Data Protection & Privacy | 19144.06c2Organizational.1-06.c | 19144.06c2Organizational.1-06.c 06.01 Compliance with Legal Requirements | Verify personal data is deleted at the end of processing | 1.1.0 |
| 19 Data Protection & Privacy | 19145.06c2Organizational.2-06.c | 19145.06c2Organizational.2-06.c 06.01 Compliance with Legal Requirements | Adhere to retention periods defined | 1.1.0 |
| 19 Data Protection & Privacy | 19145.06c2Organizational.2-06.c | 19145.06c2Organizational.2-06.c 06.01 Compliance with Legal Requirements | Conduct backup of information system documentation | 1.1.0 |
| 19 Data Protection & Privacy | 19145.06c2Organizational.2-06.c | 19145.06c2Organizational.2-06.c 06.01 Compliance with Legal Requirements | Manage the input, output, processing, and storage of data | 1.1.0 |
| 19 Data Protection & Privacy | 19145.06c2Organizational.2-06.c | 19145.06c2Organizational.2-06.c 06.01 Compliance with Legal Requirements | Perform disposition review | 1.1.0 |
| 19 Data Protection & Privacy | 19145.06c2Organizational.2-06.c | 19145.06c2Organizational.2-06.c 06.01 Compliance with Legal Requirements | Retain security policies and procedures | 1.1.0 |
| 19 Data Protection & Privacy | 19145.06c2Organizational.2-06.c | 19145.06c2Organizational.2-06.c 06.01 Compliance with Legal Requirements | Retain terminated user data | 1.1.0 |
| 19 Data Protection & Privacy | 19145.06c2Organizational.2-06.c | 19145.06c2Organizational.2-06.c 06.01 Compliance with Legal Requirements | Review label activity and analytics | 1.1.0 |
| 19 Data Protection & Privacy | 19145.06c2Organizational.2-06.c | 19145.06c2Organizational.2-06.c 06.01 Compliance with Legal Requirements | Verify personal data is deleted at the end of processing | 1.1.0 |
| 19 Data Protection & Privacy | 19242.06d1Organizational.14-06.d | 19242.06d1Organizational.14-06.d 06.01 Compliance with Legal Requirements | Document the legal basis for processing personal information | 1.1.0 |
| 19 Data Protection & Privacy | 19242.06d1Organizational.14-06.d | 19242.06d1Organizational.14-06.d 06.01 Compliance with Legal Requirements | Evaluate and review PII holdings regularly | 1.1.0 |
| 19 Data Protection & Privacy | 19242.06d1Organizational.14-06.d | 19242.06d1Organizational.14-06.d 06.01 Compliance with Legal Requirements | Obtain consent prior to collection or processing of personal data | 1.1.0 |
| 19 Data Protection & Privacy | 19242.06d1Organizational.14-06.d | 19242.06d1Organizational.14-06.d 06.01 Compliance with Legal Requirements | Remove or redact any PII | 1.1.0 |
| 19 Data Protection & Privacy | 19243.06d1Organizational.15-06.d | 19243.06d1Organizational.15-06.d 06.01 Compliance with Legal Requirements | Automate privacy controls | 1.1.0 |
| 19 Data Protection & Privacy | 19243.06d1Organizational.15-06.d | 19243.06d1Organizational.15-06.d 06.01 Compliance with Legal Requirements | Document the legal basis for processing personal information | 1.1.0 |
| 19 Data Protection & Privacy | 19243.06d1Organizational.15-06.d | 19243.06d1Organizational.15-06.d 06.01 Compliance with Legal Requirements | Evaluate and review PII holdings regularly | 1.1.0 |
| 19 Data Protection & Privacy | 19243.06d1Organizational.15-06.d | 19243.06d1Organizational.15-06.d 06.01 Compliance with Legal Requirements | Implement privacy notice delivery methods | 1.1.0 |
| 19 Data Protection & Privacy | 19243.06d1Organizational.15-06.d | 19243.06d1Organizational.15-06.d 06.01 Compliance with Legal Requirements | Information security and personal data protection | 1.1.0 |
| 19 Data Protection & Privacy | 19243.06d1Organizational.15-06.d | 19243.06d1Organizational.15-06.d 06.01 Compliance with Legal Requirements | Obtain consent prior to collection or processing of personal data | 1.1.0 |
| 19 Data Protection & Privacy | 19243.06d1Organizational.15-06.d | 19243.06d1Organizational.15-06.d 06.01 Compliance with Legal Requirements | Provide privacy notice | 1.1.0 |
| 19 Data Protection & Privacy | 19243.06d1Organizational.15-06.d | 19243.06d1Organizational.15-06.d 06.01 Compliance with Legal Requirements | Remove or redact any PII | 1.1.0 |
| 19 Data Protection & Privacy | 19243.06d1Organizational.15-06.d | 19243.06d1Organizational.15-06.d 06.01 Compliance with Legal Requirements | Restrict communications | 1.1.0 |
| 19 Data Protection & Privacy | 19245.06d2Organizational.2-06.d | 19245.06d2Organizational.2-06.d 06.01 Compliance with Legal Requirements | Confirm quality and integrity of PII | 1.1.0 |
| 19 Data Protection & Privacy | 19245.06d2Organizational.2-06.d | 19245.06d2Organizational.2-06.d 06.01 Compliance with Legal Requirements | Document the legal basis for processing personal information | 1.1.0 |
| 19 Data Protection & Privacy | 19245.06d2Organizational.2-06.d | 19245.06d2Organizational.2-06.d 06.01 Compliance with Legal Requirements | Evaluate and review PII holdings regularly | 1.1.0 |
| 19 Data Protection & Privacy | 19245.06d2Organizational.2-06.d | 19245.06d2Organizational.2-06.d 06.01 Compliance with Legal Requirements | Issue guidelines for ensuring data quality and integrity | 1.1.0 |
| 19 Data Protection & Privacy | 19245.06d2Organizational.2-06.d | 19245.06d2Organizational.2-06.d 06.01 Compliance with Legal Requirements | Maintain records of processing of personal data | 1.1.0 |
| 19 Data Protection & Privacy | 19245.06d2Organizational.2-06.d | 19245.06d2Organizational.2-06.d 06.01 Compliance with Legal Requirements | Obtain consent prior to collection or processing of personal data | 1.1.0 |
| 19 Data Protection & Privacy | 19245.06d2Organizational.2-06.d | 19245.06d2Organizational.2-06.d 06.01 Compliance with Legal Requirements | Publish Computer Matching Agreements on public website | 1.1.0 |
IRS 1075 September 2016
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - IRS 1075 September 2016. For more information about this compliance standard, see IRS 1075 September 2016.
ISO 27001:2013
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - ISO 27001:2013. For more information about this compliance standard, see ISO 27001:2013.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| Cryptography | 10.1.1 | Policy on the use of cryptographic controls | Define cryptographic use | 1.1.0 |
| Cryptography | 10.1.1 | Policy on the use of cryptographic controls | Document and distribute a privacy policy | 1.1.0 |
| Cryptography | 10.1.1 | Policy on the use of cryptographic controls | Implement privacy notice delivery methods | 1.1.0 |
| Cryptography | 10.1.1 | Policy on the use of cryptographic controls | Provide privacy notice | 1.1.0 |
| Cryptography | 10.1.1 | Policy on the use of cryptographic controls | Restrict communications | 1.1.0 |
| Cryptography | 10.1.1 | Policy on the use of cryptographic controls | Review and update system and communications protection policies and procedures | 1.1.0 |
| Cryptography | 10.1.2 | Key Management | Define a physical key management process | 1.1.0 |
| Cryptography | 10.1.2 | Key Management | Define cryptographic use | 1.1.0 |
| Cryptography | 10.1.2 | Key Management | Define organizational requirements for cryptographic key management | 1.1.0 |
| Cryptography | 10.1.2 | Key Management | Determine assertion requirements | 1.1.0 |
| Cryptography | 10.1.2 | Key Management | Document security strength requirements in acquisition contracts | 1.1.0 |
| Cryptography | 10.1.2 | Key Management | Establish a password policy | 1.1.0 |
| Cryptography | 10.1.2 | Key Management | Identify actions allowed without authentication | 1.1.0 |
| Cryptography | 10.1.2 | Key Management | Identify and authenticate non-organizational users | 1.1.0 |
| Cryptography | 10.1.2 | Key Management | Implement parameters for memorized secret verifiers | 1.1.0 |
| Cryptography | 10.1.2 | Key Management | Issue public key certificates | 1.1.0 |
| Cryptography | 10.1.2 | Key Management | Manage symmetric cryptographic keys | 1.1.0 |
| Cryptography | 10.1.2 | Key Management | Protect passwords with encryption | 1.1.0 |
| Cryptography | 10.1.2 | Key Management | Restrict access to private keys | 1.1.0 |
| Cryptography | 10.1.2 | Key Management | Review and update system and communications protection policies and procedures | 1.1.0 |
| Cryptography | 10.1.2 | Key Management | Terminate customer controlled account credentials | 1.1.0 |
| Physical And Environmental Security | 11.1.1 | Physical security perimeter | Adopt biometric authentication mechanisms | 1.1.0 |
| Physical And Environmental Security | 11.1.1 | Physical security perimeter | Control physical access | 1.1.0 |
| Physical And Environmental Security | 11.1.1 | Physical security perimeter | Define a physical key management process | 1.1.0 |
| Physical And Environmental Security | 11.1.1 | Physical security perimeter | Establish and maintain an asset inventory | 1.1.0 |
| Physical And Environmental Security | 11.1.1 | Physical security perimeter | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Physical And Environmental Security | 11.1.1 | Physical security perimeter | Install an alarm system | 1.1.0 |
| Physical And Environmental Security | 11.1.1 | Physical security perimeter | Manage a secure surveillance camera system | 1.1.0 |
| Physical And Environmental Security | 11.1.1 | Physical security perimeter | Review and update physical and environmental policies and procedures | 1.1.0 |
| Physical And Environmental Security | 11.1.2 | Physical entry controls | Adopt biometric authentication mechanisms | 1.1.0 |
| Physical And Environmental Security | 11.1.2 | Physical entry controls | Control physical access | 1.1.0 |
| Physical And Environmental Security | 11.1.2 | Physical entry controls | Define a physical key management process | 1.1.0 |
| Physical And Environmental Security | 11.1.2 | Physical entry controls | Designate personnel to supervise unauthorized maintenance activities | 1.1.0 |
| Physical And Environmental Security | 11.1.2 | Physical entry controls | Establish and maintain an asset inventory | 1.1.0 |
| Physical And Environmental Security | 11.1.2 | Physical entry controls | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Physical And Environmental Security | 11.1.2 | Physical entry controls | Maintain list of authorized remote maintenance personnel | 1.1.0 |
| Physical And Environmental Security | 11.1.2 | Physical entry controls | Manage maintenance personnel | 1.1.0 |
| Physical And Environmental Security | 11.1.2 | Physical entry controls | Manage the input, output, processing, and storage of data | 1.1.0 |
| Physical And Environmental Security | 11.1.3 | Securing offices, rooms and facilities | Adopt biometric authentication mechanisms | 1.1.0 |
| Physical And Environmental Security | 11.1.3 | Securing offices, rooms and facilities | Control physical access | 1.1.0 |
| Physical And Environmental Security | 11.1.3 | Securing offices, rooms and facilities | Define a physical key management process | 1.1.0 |
| Physical And Environmental Security | 11.1.3 | Securing offices, rooms and facilities | Establish and maintain an asset inventory | 1.1.0 |
| Physical And Environmental Security | 11.1.3 | Securing offices, rooms and facilities | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Physical And Environmental Security | 11.1.4 | Protecting against external and environmental threats | Create separate alternate and primary storage sites | 1.1.0 |
| Physical And Environmental Security | 11.1.4 | Protecting against external and environmental threats | Ensure alternate storage site safeguards are equivalent to primary site | 1.1.0 |
| Physical And Environmental Security | 11.1.4 | Protecting against external and environmental threats | Ensure information system fails in known state | 1.1.0 |
| Physical And Environmental Security | 11.1.4 | Protecting against external and environmental threats | Establish alternate storage site to store and retrieve backup information | 1.1.0 |
| Physical And Environmental Security | 11.1.4 | Protecting against external and environmental threats | Establish an alternate processing site | 1.1.0 |
| Physical And Environmental Security | 11.1.4 | Protecting against external and environmental threats | Identify and mitigate potential issues at alternate storage site | 1.1.0 |
| Physical And Environmental Security | 11.1.4 | Protecting against external and environmental threats | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Physical And Environmental Security | 11.1.4 | Protecting against external and environmental threats | Install an alarm system | 1.1.0 |
| Physical And Environmental Security | 11.1.4 | Protecting against external and environmental threats | Plan for continuance of essential business functions | 1.1.0 |
| Physical And Environmental Security | 11.1.5 | Working in secure areas | Coordinate contingency plans with related plans | 1.1.0 |
| Physical And Environmental Security | 11.1.5 | Working in secure areas | Review and update contingency planning policies and procedures | 1.1.0 |
| Physical And Environmental Security | 11.1.5 | Working in secure areas | Review and update physical and environmental policies and procedures | 1.1.0 |
| Physical And Environmental Security | 11.1.6 | Delivering and loading areas | Adopt biometric authentication mechanisms | 1.1.0 |
| Physical And Environmental Security | 11.1.6 | Delivering and loading areas | Define requirements for managing assets | 1.1.0 |
| Physical And Environmental Security | 11.1.6 | Delivering and loading areas | Install an alarm system | 1.1.0 |
| Physical And Environmental Security | 11.1.6 | Delivering and loading areas | Manage a secure surveillance camera system | 1.1.0 |
| Physical And Environmental Security | 11.1.6 | Delivering and loading areas | Manage the transportation of assets | 1.1.0 |
| Physical And Environmental Security | 11.2.1 | Equipment sitting and protection | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Physical And Environmental Security | 11.2.2 | Supporting utilities | Employ automatic emergency lighting | 1.1.0 |
| Physical And Environmental Security | 11.2.2 | Supporting utilities | Establish requirements for internet service providers | 1.1.0 |
| Physical And Environmental Security | 11.2.2 | Supporting utilities | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Physical And Environmental Security | 11.2.3 | Cabling security | Adopt biometric authentication mechanisms | 1.1.0 |
| Physical And Environmental Security | 11.2.3 | Cabling security | Control physical access | 1.1.0 |
| Physical And Environmental Security | 11.2.3 | Cabling security | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Physical And Environmental Security | 11.2.3 | Cabling security | Manage the input, output, processing, and storage of data | 1.1.0 |
| Physical And Environmental Security | 11.2.4 | Equipment maintenance | Automate remote maintenance activities | 1.1.0 |
| Physical And Environmental Security | 11.2.4 | Equipment maintenance | Control maintenance and repair activities | 1.1.0 |
| Physical And Environmental Security | 11.2.4 | Equipment maintenance | Document personnel acceptance of privacy requirements | 1.1.0 |
| Physical And Environmental Security | 11.2.4 | Equipment maintenance | Employ a media sanitization mechanism | 1.1.0 |
| Physical And Environmental Security | 11.2.4 | Equipment maintenance | Implement controls to secure all media | 1.1.0 |
| Physical And Environmental Security | 11.2.4 | Equipment maintenance | Manage nonlocal maintenance and diagnostic activities | 1.1.0 |
| Physical And Environmental Security | 11.2.4 | Equipment maintenance | Produce complete records of remote maintenance activities | 1.1.0 |
| Physical And Environmental Security | 11.2.4 | Equipment maintenance | Provide privacy training | 1.1.0 |
| Physical And Environmental Security | 11.2.4 | Equipment maintenance | Provide timely maintenance support | 1.1.0 |
| Physical And Environmental Security | 11.2.5 | Removal of assets | Control maintenance and repair activities | 1.1.0 |
| Physical And Environmental Security | 11.2.5 | Removal of assets | Define requirements for managing assets | 1.1.0 |
| Physical And Environmental Security | 11.2.5 | Removal of assets | Employ a media sanitization mechanism | 1.1.0 |
| Physical And Environmental Security | 11.2.5 | Removal of assets | Implement controls to secure all media | 1.1.0 |
| Physical And Environmental Security | 11.2.5 | Removal of assets | Manage nonlocal maintenance and diagnostic activities | 1.1.0 |
| Physical And Environmental Security | 11.2.5 | Removal of assets | Manage the transportation of assets | 1.1.0 |
| Physical And Environmental Security | 11.2.6 | Security of equipment and assets off-premises | Define mobile device requirements | 1.1.0 |
| Physical And Environmental Security | 11.2.6 | Security of equipment and assets off-premises | Ensure security safeguards not needed when the individuals return | 1.1.0 |
| Physical And Environmental Security | 11.2.6 | Security of equipment and assets off-premises | Establish terms and conditions for accessing resources | 1.1.0 |
| Physical And Environmental Security | 11.2.6 | Security of equipment and assets off-premises | Establish terms and conditions for processing resources | 1.1.0 |
| Physical And Environmental Security | 11.2.6 | Security of equipment and assets off-premises | Implement controls to secure all media | 1.1.0 |
| Physical And Environmental Security | 11.2.6 | Security of equipment and assets off-premises | Implement controls to secure alternate work sites | 1.1.0 |
| Physical And Environmental Security | 11.2.6 | Security of equipment and assets off-premises | Manage the transportation of assets | 1.1.0 |
| Physical And Environmental Security | 11.2.6 | Security of equipment and assets off-premises | Not allow for information systems to accompany with individuals | 1.1.0 |
| Physical And Environmental Security | 11.2.6 | Security of equipment and assets off-premises | Protect data in transit using encryption | 1.1.0 |
| Physical And Environmental Security | 11.2.6 | Security of equipment and assets off-premises | Verify security controls for external information systems | 1.1.0 |
| Physical And Environmental Security | 11.2.7 | Secure disposal or re-use of equipment | Adhere to retention periods defined | 1.1.0 |
| Physical And Environmental Security | 11.2.7 | Secure disposal or re-use of equipment | Employ a media sanitization mechanism | 1.1.0 |
| Physical And Environmental Security | 11.2.7 | Secure disposal or re-use of equipment | Implement controls to secure all media | 1.1.0 |
| Physical And Environmental Security | 11.2.7 | Secure disposal or re-use of equipment | Perform disposition review | 1.1.0 |
| Physical And Environmental Security | 11.2.7 | Secure disposal or re-use of equipment | Verify personal data is deleted at the end of processing | 1.1.0 |
| Physical And Environmental Security | 11.2.8 | Unattended user equipment | Provide privacy training | 1.1.0 |
| Physical And Environmental Security | 11.2.8 | Unattended user equipment | Terminate user session automatically | 1.1.0 |
| Physical And Environmental Security | 11.2.9 | Clear desk and clear screen policy | Employ a media sanitization mechanism | 1.1.0 |
| Physical And Environmental Security | 11.2.9 | Clear desk and clear screen policy | Implement controls to secure all media | 1.1.0 |
| Physical And Environmental Security | 11.2.9 | Clear desk and clear screen policy | Provide privacy training | 1.1.0 |
| Operations Security | 12.1.1 | Documented operating procedures | Develop access control policies and procedures | 1.1.0 |
| Operations Security | 12.1.1 | Documented operating procedures | Develop and establish a system security plan | 1.1.0 |
| Operations Security | 12.1.1 | Documented operating procedures | Develop audit and accountability policies and procedures | 1.1.0 |
| Operations Security | 12.1.1 | Documented operating procedures | Develop information security policies and procedures | 1.1.0 |
| Operations Security | 12.1.1 | Documented operating procedures | Distribute information system documentation | 1.1.0 |
| Operations Security | 12.1.1 | Documented operating procedures | Document customer-defined actions | 1.1.0 |
| Operations Security | 12.1.1 | Documented operating procedures | Document security and privacy training activities | 1.1.0 |
| Operations Security | 12.1.1 | Documented operating procedures | Enforce mandatory and discretionary access control policies | 1.1.0 |
| Operations Security | 12.1.1 | Documented operating procedures | Establish security requirements for the manufacturing of connected devices | 1.1.0 |
| Operations Security | 12.1.1 | Documented operating procedures | Govern policies and procedures | 1.1.0 |
| Operations Security | 12.1.1 | Documented operating procedures | Implement security engineering principles of information systems | 1.1.0 |
| Operations Security | 12.1.1 | Documented operating procedures | Obtain Admin documentation | 1.1.0 |
| Operations Security | 12.1.1 | Documented operating procedures | Obtain user security function documentation | 1.1.0 |
| Operations Security | 12.1.1 | Documented operating procedures | Protect administrator and user documentation | 1.1.0 |
| Operations Security | 12.1.1 | Documented operating procedures | Provide privacy training | 1.1.0 |
| Operations Security | 12.1.1 | Documented operating procedures | Review access control policies and procedures | 1.1.0 |
| Operations Security | 12.1.1 | Documented operating procedures | Review and update configuration management policies and procedures | 1.1.0 |
| Operations Security | 12.1.1 | Documented operating procedures | Review and update contingency planning policies and procedures | 1.1.0 |
| Operations Security | 12.1.1 | Documented operating procedures | Review and update identification and authentication policies and procedures | 1.1.0 |
| Operations Security | 12.1.1 | Documented operating procedures | Review and update incident response policies and procedures | 1.1.0 |
| Operations Security | 12.1.1 | Documented operating procedures | Review and update information integrity policies and procedures | 1.1.0 |
| Operations Security | 12.1.1 | Documented operating procedures | Review and update media protection policies and procedures | 1.1.0 |
| Operations Security | 12.1.1 | Documented operating procedures | Review and update personnel security policies and procedures | 1.1.0 |
| Operations Security | 12.1.1 | Documented operating procedures | Review and update physical and environmental policies and procedures | 1.1.0 |
| Operations Security | 12.1.1 | Documented operating procedures | Review and update planning policies and procedures | 1.1.0 |
| Operations Security | 12.1.1 | Documented operating procedures | Review and update risk assessment policies and procedures | 1.1.0 |
| Operations Security | 12.1.1 | Documented operating procedures | Review and update system and communications protection policies and procedures | 1.1.0 |
| Operations Security | 12.1.1 | Documented operating procedures | Review and update system and services acquisition policies and procedures | 1.1.0 |
| Operations Security | 12.1.1 | Documented operating procedures | Review and update system maintenance policies and procedures | 1.1.0 |
| Operations Security | 12.1.1 | Documented operating procedures | Review security assessment and authorization policies and procedures | 1.1.0 |
| Operations Security | 12.1.1 | Documented operating procedures | Update information security policies | 1.1.0 |
| Operations Security | 12.1.2 | Change management | Address coding vulnerabilities | 1.1.0 |
| Operations Security | 12.1.2 | Change management | Automate approval request for proposed changes | 1.1.0 |
| Operations Security | 12.1.2 | Change management | Automate implementation of approved change notifications | 1.1.0 |
| Operations Security | 12.1.2 | Change management | Automate process to document implemented changes | 1.1.0 |
| Operations Security | 12.1.2 | Change management | Automate process to highlight unreviewed change proposals | 1.1.0 |
| Operations Security | 12.1.2 | Change management | Automate process to prohibit implementation of unapproved changes | 1.1.0 |
| Operations Security | 12.1.2 | Change management | Automate proposed documented changes | 1.1.0 |
| Operations Security | 12.1.2 | Change management | Conduct a security impact analysis | 1.1.0 |
| Operations Security | 12.1.2 | Change management | Develop and document application security requirements | 1.1.0 |
| Operations Security | 12.1.2 | Change management | Develop and maintain a vulnerability management standard | 1.1.0 |
| Operations Security | 12.1.2 | Change management | Document the information system environment in acquisition contracts | 1.1.0 |
| Operations Security | 12.1.2 | Change management | Enforce security configuration settings | 1.1.0 |
| Operations Security | 12.1.2 | Change management | Establish a risk management strategy | 1.1.0 |
| Operations Security | 12.1.2 | Change management | Establish a secure software development program | 1.1.0 |
| Operations Security | 12.1.2 | Change management | Establish and document change control processes | 1.1.0 |
| Operations Security | 12.1.2 | Change management | Establish configuration management requirements for developers | 1.1.0 |
| Operations Security | 12.1.2 | Change management | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Operations Security | 12.1.2 | Change management | Install an alarm system | 1.1.0 |
| Operations Security | 12.1.2 | Change management | Manage nonlocal maintenance and diagnostic activities | 1.1.0 |
| Operations Security | 12.1.2 | Change management | Perform a privacy impact assessment | 1.1.0 |
| Operations Security | 12.1.2 | Change management | Perform a risk assessment | 1.1.0 |
| Operations Security | 12.1.2 | Change management | Perform audit for configuration change control | 1.1.0 |
| Operations Security | 12.1.2 | Change management | Perform vulnerability scans | 1.1.0 |
| Operations Security | 12.1.2 | Change management | Remediate information system flaws | 1.1.0 |
| Operations Security | 12.1.2 | Change management | Require developers to document approved changes and potential impact | 1.1.0 |
| Operations Security | 12.1.2 | Change management | Require developers to implement only approved changes | 1.1.0 |
| Operations Security | 12.1.2 | Change management | Require developers to manage change integrity | 1.1.0 |
| Operations Security | 12.1.3 | Capacity management | Conduct capacity planning | 1.1.0 |
| Operations Security | 12.1.3 | Capacity management | Govern and monitor audit processing activities | 1.1.0 |
| Operations Security | 12.1.4 | Separation of development, testing and operational environments | Conduct a security impact analysis | 1.1.0 |
| Operations Security | 12.1.4 | Separation of development, testing and operational environments | Ensure there are no unencrypted static authenticators | 1.1.0 |
| Operations Security | 12.1.4 | Separation of development, testing and operational environments | Establish and document change control processes | 1.1.0 |
| Operations Security | 12.1.4 | Separation of development, testing and operational environments | Establish configuration management requirements for developers | 1.1.0 |
| Operations Security | 12.1.4 | Separation of development, testing and operational environments | Implement controls to protect PII | 1.1.0 |
| Operations Security | 12.1.4 | Separation of development, testing and operational environments | Incorporate security and data privacy practices in research processing | 1.1.0 |
| Operations Security | 12.1.4 | Separation of development, testing and operational environments | Perform a privacy impact assessment | 1.1.0 |
| Operations Security | 12.1.4 | Separation of development, testing and operational environments | Perform audit for configuration change control | 1.1.0 |
| Operations Security | 12.1.4 | Separation of development, testing and operational environments | Perform vulnerability scans | 1.1.0 |
| Operations Security | 12.1.4 | Separation of development, testing and operational environments | Remediate information system flaws | 1.1.0 |
| Operations Security | 12.2.1 | Controls against malware | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| Operations Security | 12.2.1 | Controls against malware | Control maintenance and repair activities | 1.1.0 |
| Operations Security | 12.2.1 | Controls against malware | Manage gateways | 1.1.0 |
| Operations Security | 12.2.1 | Controls against malware | Manage nonlocal maintenance and diagnostic activities | 1.1.0 |
| Operations Security | 12.2.1 | Controls against malware | Perform a trend analysis on threats | 1.1.0 |
| Operations Security | 12.2.1 | Controls against malware | Perform vulnerability scans | 1.1.0 |
| Operations Security | 12.2.1 | Controls against malware | Provide periodic security awareness training | 1.1.0 |
| Operations Security | 12.2.1 | Controls against malware | Provide security training for new users | 1.1.0 |
| Operations Security | 12.2.1 | Controls against malware | Provide updated security awareness training | 1.1.0 |
| Operations Security | 12.2.1 | Controls against malware | Review malware detections report weekly | 1.1.0 |
| Operations Security | 12.2.1 | Controls against malware | Review threat protection status weekly | 1.1.0 |
| Operations Security | 12.2.1 | Controls against malware | Update antivirus definitions | 1.1.0 |
| Operations Security | 12.3.1 | Information backup | Adhere to retention periods defined | 1.1.0 |
| Operations Security | 12.3.1 | Information backup | Conduct backup of information system documentation | 1.1.0 |
| Operations Security | 12.3.1 | Information backup | Create separate alternate and primary storage sites | 1.1.0 |
| Operations Security | 12.3.1 | Information backup | Ensure information system fails in known state | 1.1.0 |
| Operations Security | 12.3.1 | Information backup | Establish an alternate processing site | 1.1.0 |
| Operations Security | 12.3.1 | Information backup | Establish backup policies and procedures | 1.1.0 |
| Operations Security | 12.3.1 | Information backup | Implement controls to secure all media | 1.1.0 |
| Operations Security | 12.3.1 | Information backup | Implement transaction based recovery | 1.1.0 |
| Operations Security | 12.3.1 | Information backup | Perform disposition review | 1.1.0 |
| Operations Security | 12.3.1 | Information backup | Plan for continuance of essential business functions | 1.1.0 |
| Operations Security | 12.3.1 | Information backup | Separately store backup information | 1.1.0 |
| Operations Security | 12.3.1 | Information backup | Transfer backup information to an alternate storage site | 1.1.0 |
| Operations Security | 12.3.1 | Information backup | Verify personal data is deleted at the end of processing | 1.1.0 |
| Operations Security | 12.4.1 | Event Logging | Adhere to retention periods defined | 1.1.0 |
| Operations Security | 12.4.1 | Event Logging | Alert personnel of information spillage | 1.1.0 |
| Operations Security | 12.4.1 | Event Logging | Audit privileged functions | 1.1.0 |
| Operations Security | 12.4.1 | Event Logging | Audit user account status | 1.1.0 |
| Operations Security | 12.4.1 | Event Logging | Authorize, monitor, and control voip | 1.1.0 |
| Operations Security | 12.4.1 | Event Logging | Automate account management | 1.1.0 |
| Operations Security | 12.4.1 | Event Logging | Check for privacy and security compliance before establishing internal connections | 1.1.0 |
| Operations Security | 12.4.1 | Event Logging | Conduct a full text analysis of logged privileged commands | 1.1.0 |
| Operations Security | 12.4.1 | Event Logging | Configure Azure Audit capabilities | 1.1.1 |
| Operations Security | 12.4.1 | Event Logging | Correlate audit records | 1.1.0 |
| Operations Security | 12.4.1 | Event Logging | Determine auditable events | 1.1.0 |
| Operations Security | 12.4.1 | Event Logging | Develop an incident response plan | 1.1.0 |
| Operations Security | 12.4.1 | Event Logging | Discover any indicators of compromise | 1.1.0 |
| Operations Security | 12.4.1 | Event Logging | Document the legal basis for processing personal information | 1.1.0 |
| Operations Security | 12.4.1 | Event Logging | Enforce and audit access restrictions | 1.1.0 |
| Operations Security | 12.4.1 | Event Logging | Establish requirements for audit review and reporting | 1.1.0 |
| Operations Security | 12.4.1 | Event Logging | Implement methods for consumer requests | 1.1.0 |
| Operations Security | 12.4.1 | Event Logging | Implement system boundary protection | 1.1.0 |
| Operations Security | 12.4.1 | Event Logging | Integrate audit review, analysis, and reporting | 1.1.0 |
| Operations Security | 12.4.1 | Event Logging | Integrate cloud app security with a siem | 1.1.0 |
| Operations Security | 12.4.1 | Event Logging | Manage gateways | 1.1.0 |
| Operations Security | 12.4.1 | Event Logging | Manage system and admin accounts | 1.1.0 |
| Operations Security | 12.4.1 | Event Logging | Monitor access across the organization | 1.1.0 |
| Operations Security | 12.4.1 | Event Logging | Monitor account activity | 1.1.0 |
| Operations Security | 12.4.1 | Event Logging | Monitor privileged role assignment | 1.1.0 |
| Operations Security | 12.4.1 | Event Logging | Notify when account is not needed | 1.1.0 |
| Operations Security | 12.4.1 | Event Logging | Obtain legal opinion for monitoring system activities | 1.1.0 |
| Operations Security | 12.4.1 | Event Logging | Perform a trend analysis on threats | 1.1.0 |
| Operations Security | 12.4.1 | Event Logging | Provide monitoring information as needed | 1.1.0 |
| Operations Security | 12.4.1 | Event Logging | Publish access procedures in SORNs | 1.1.0 |
| Operations Security | 12.4.1 | Event Logging | Publish rules and regulations accessing Privacy Act records | 1.1.0 |
| Operations Security | 12.4.1 | Event Logging | Restrict access to privileged accounts | 1.1.0 |
| Operations Security | 12.4.1 | Event Logging | Retain security policies and procedures | 1.1.0 |
| Operations Security | 12.4.1 | Event Logging | Retain terminated user data | 1.1.0 |
| Operations Security | 12.4.1 | Event Logging | Review account provisioning logs | 1.1.0 |
| Operations Security | 12.4.1 | Event Logging | Review administrator assignments weekly | 1.1.0 |
| Operations Security | 12.4.1 | Event Logging | Review and update the events defined in AU-02 | 1.1.0 |
| Operations Security | 12.4.1 | Event Logging | Review audit data | 1.1.0 |
| Operations Security | 12.4.1 | Event Logging | Review changes for any unauthorized changes | 1.1.0 |
| Operations Security | 12.4.1 | Event Logging | Review cloud identity report overview | 1.1.0 |
| Operations Security | 12.4.1 | Event Logging | Review controlled folder access events | 1.1.0 |
| Operations Security | 12.4.1 | Event Logging | Review file and folder activity | 1.1.0 |
| Operations Security | 12.4.1 | Event Logging | Review role group changes weekly | 1.1.0 |
| Operations Security | 12.4.1 | Event Logging | Revoke privileged roles as appropriate | 1.1.0 |
| Operations Security | 12.4.1 | Event Logging | Route traffic through managed network access points | 1.1.0 |
| Operations Security | 12.4.1 | Event Logging | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| Operations Security | 12.4.1 | Event Logging | Use privileged identity management | 1.1.0 |
| Operations Security | 12.4.2 | Protection of log information | Adhere to retention periods defined | 1.1.0 |
| Operations Security | 12.4.2 | Protection of log information | Define the duties of processors | 1.1.0 |
| Operations Security | 12.4.2 | Protection of log information | Enable dual or joint authorization | 1.1.0 |
| Operations Security | 12.4.2 | Protection of log information | Perform disposition review | 1.1.0 |
| Operations Security | 12.4.2 | Protection of log information | Protect audit information | 1.1.0 |
| Operations Security | 12.4.2 | Protection of log information | Record disclosures of PII to third parties | 1.1.0 |
| Operations Security | 12.4.2 | Protection of log information | Train staff on PII sharing and its consequences | 1.1.0 |
| Operations Security | 12.4.2 | Protection of log information | Verify personal data is deleted at the end of processing | 1.1.0 |
| Operations Security | 12.4.3 | Administrator and operator logs | Audit privileged functions | 1.1.0 |
| Operations Security | 12.4.3 | Administrator and operator logs | Audit user account status | 1.1.0 |
| Operations Security | 12.4.3 | Administrator and operator logs | Authorize, monitor, and control voip | 1.1.0 |
| Operations Security | 12.4.3 | Administrator and operator logs | Automate account management | 1.1.0 |
| Operations Security | 12.4.3 | Administrator and operator logs | Check for privacy and security compliance before establishing internal connections | 1.1.0 |
| Operations Security | 12.4.3 | Administrator and operator logs | Conduct a full text analysis of logged privileged commands | 1.1.0 |
| Operations Security | 12.4.3 | Administrator and operator logs | Determine auditable events | 1.1.0 |
| Operations Security | 12.4.3 | Administrator and operator logs | Enable dual or joint authorization | 1.1.0 |
| Operations Security | 12.4.3 | Administrator and operator logs | Implement system boundary protection | 1.1.0 |
| Operations Security | 12.4.3 | Administrator and operator logs | Manage gateways | 1.1.0 |
| Operations Security | 12.4.3 | Administrator and operator logs | Manage system and admin accounts | 1.1.0 |
| Operations Security | 12.4.3 | Administrator and operator logs | Monitor access across the organization | 1.1.0 |
| Operations Security | 12.4.3 | Administrator and operator logs | Monitor account activity | 1.1.0 |
| Operations Security | 12.4.3 | Administrator and operator logs | Monitor privileged role assignment | 1.1.0 |
| Operations Security | 12.4.3 | Administrator and operator logs | Notify when account is not needed | 1.1.0 |
| Operations Security | 12.4.3 | Administrator and operator logs | Obtain legal opinion for monitoring system activities | 1.1.0 |
| Operations Security | 12.4.3 | Administrator and operator logs | Protect audit information | 1.1.0 |
| Operations Security | 12.4.3 | Administrator and operator logs | Provide monitoring information as needed | 1.1.0 |
| Operations Security | 12.4.3 | Administrator and operator logs | Restrict access to privileged accounts | 1.1.0 |
| Operations Security | 12.4.3 | Administrator and operator logs | Review audit data | 1.1.0 |
| Operations Security | 12.4.3 | Administrator and operator logs | Revoke privileged roles as appropriate | 1.1.0 |
| Operations Security | 12.4.3 | Administrator and operator logs | Route traffic through managed network access points | 1.1.0 |
| Operations Security | 12.4.3 | Administrator and operator logs | Use privileged identity management | 1.1.0 |
| Operations Security | 12.4.4 | Clock Synchronization | Compile Audit records into system wide audit | 1.1.0 |
| Operations Security | 12.4.4 | Clock Synchronization | Use system clocks for audit records | 1.1.0 |
| Operations Security | 12.5.1 | Installation of software on operational systems | Automate approval request for proposed changes | 1.1.0 |
| Operations Security | 12.5.1 | Installation of software on operational systems | Automate implementation of approved change notifications | 1.1.0 |
| Operations Security | 12.5.1 | Installation of software on operational systems | Automate process to document implemented changes | 1.1.0 |
| Operations Security | 12.5.1 | Installation of software on operational systems | Automate process to highlight unreviewed change proposals | 1.1.0 |
| Operations Security | 12.5.1 | Installation of software on operational systems | Automate process to prohibit implementation of unapproved changes | 1.1.0 |
| Operations Security | 12.5.1 | Installation of software on operational systems | Automate proposed documented changes | 1.1.0 |
| Operations Security | 12.5.1 | Installation of software on operational systems | Conduct a security impact analysis | 1.1.0 |
| Operations Security | 12.5.1 | Installation of software on operational systems | Develop and maintain a vulnerability management standard | 1.1.0 |
| Operations Security | 12.5.1 | Installation of software on operational systems | Enforce security configuration settings | 1.1.0 |
| Operations Security | 12.5.1 | Installation of software on operational systems | Establish a risk management strategy | 1.1.0 |
| Operations Security | 12.5.1 | Installation of software on operational systems | Establish and document change control processes | 1.1.0 |
| Operations Security | 12.5.1 | Installation of software on operational systems | Establish configuration management requirements for developers | 1.1.0 |
| Operations Security | 12.5.1 | Installation of software on operational systems | Govern compliance of cloud service providers | 1.1.0 |
| Operations Security | 12.5.1 | Installation of software on operational systems | Perform a privacy impact assessment | 1.1.0 |
| Operations Security | 12.5.1 | Installation of software on operational systems | Perform a risk assessment | 1.1.0 |
| Operations Security | 12.5.1 | Installation of software on operational systems | Perform audit for configuration change control | 1.1.0 |
| Operations Security | 12.5.1 | Installation of software on operational systems | Remediate information system flaws | 1.1.0 |
| Operations Security | 12.5.1 | Installation of software on operational systems | View and configure system diagnostic data | 1.1.0 |
| Operations Security | 12.6.1 | Management of technical vulnerabilities | Conduct Risk Assessment | 1.1.0 |
| Operations Security | 12.6.1 | Management of technical vulnerabilities | Conduct risk assessment and distribute its results | 1.1.0 |
| Operations Security | 12.6.1 | Management of technical vulnerabilities | Conduct risk assessment and document its results | 1.1.0 |
| Operations Security | 12.6.1 | Management of technical vulnerabilities | Incorporate flaw remediation into configuration management | 1.1.0 |
| Operations Security | 12.6.1 | Management of technical vulnerabilities | Perform a risk assessment | 1.1.0 |
| Operations Security | 12.6.1 | Management of technical vulnerabilities | Perform vulnerability scans | 1.1.0 |
| Operations Security | 12.6.1 | Management of technical vulnerabilities | Remediate information system flaws | 1.1.0 |
| Operations Security | 12.6.1 | Management of technical vulnerabilities | Select additional testing for security control assessments | 1.1.0 |
| Operations Security | 12.6.2 | Restrictions on software installation | Automate approval request for proposed changes | 1.1.0 |
| Operations Security | 12.6.2 | Restrictions on software installation | Automate implementation of approved change notifications | 1.1.0 |
| Operations Security | 12.6.2 | Restrictions on software installation | Automate process to document implemented changes | 1.1.0 |
| Operations Security | 12.6.2 | Restrictions on software installation | Automate process to highlight unreviewed change proposals | 1.1.0 |
| Operations Security | 12.6.2 | Restrictions on software installation | Automate process to prohibit implementation of unapproved changes | 1.1.0 |
| Operations Security | 12.6.2 | Restrictions on software installation | Automate proposed documented changes | 1.1.0 |
| Operations Security | 12.6.2 | Restrictions on software installation | Conduct a security impact analysis | 1.1.0 |
| Operations Security | 12.6.2 | Restrictions on software installation | Develop and maintain a vulnerability management standard | 1.1.0 |
| Operations Security | 12.6.2 | Restrictions on software installation | Enforce security configuration settings | 1.1.0 |
| Operations Security | 12.6.2 | Restrictions on software installation | Establish a risk management strategy | 1.1.0 |
| Operations Security | 12.6.2 | Restrictions on software installation | Establish and document change control processes | 1.1.0 |
| Operations Security | 12.6.2 | Restrictions on software installation | Establish configuration management requirements for developers | 1.1.0 |
| Operations Security | 12.6.2 | Restrictions on software installation | Govern compliance of cloud service providers | 1.1.0 |
| Operations Security | 12.6.2 | Restrictions on software installation | Perform a privacy impact assessment | 1.1.0 |
| Operations Security | 12.6.2 | Restrictions on software installation | Perform a risk assessment | 1.1.0 |
| Operations Security | 12.6.2 | Restrictions on software installation | Perform audit for configuration change control | 1.1.0 |
| Operations Security | 12.6.2 | Restrictions on software installation | Remediate information system flaws | 1.1.0 |
| Operations Security | 12.6.2 | Restrictions on software installation | View and configure system diagnostic data | 1.1.0 |
| Operations Security | 12.7.1 | Information systems audit controls | Employ independent team for penetration testing | 1.1.0 |
| Communications Security | 13.1.1 | Network controls | Adopt biometric authentication mechanisms | 1.1.0 |
| Communications Security | 13.1.1 | Network controls | Authorize access to security functions and information | 1.1.0 |
| Communications Security | 13.1.1 | Network controls | Authorize and manage access | 1.1.0 |
| Communications Security | 13.1.1 | Network controls | Authorize remote access | 1.1.0 |
| Communications Security | 13.1.1 | Network controls | Configure workstations to check for digital certificates | 1.1.0 |
| Communications Security | 13.1.1 | Network controls | Control information flow | 1.1.0 |
| Communications Security | 13.1.1 | Network controls | Document and implement wireless access guidelines | 1.1.0 |
| Communications Security | 13.1.1 | Network controls | Document mobility training | 1.1.0 |
| Communications Security | 13.1.1 | Network controls | Document remote access guidelines | 1.1.0 |
| Communications Security | 13.1.1 | Network controls | Employ boundary protection to isolate information systems | 1.1.0 |
| Communications Security | 13.1.1 | Network controls | Enforce logical access | 1.1.0 |
| Communications Security | 13.1.1 | Network controls | Enforce mandatory and discretionary access control policies | 1.1.0 |
| Communications Security | 13.1.1 | Network controls | Establish firewall and router configuration standards | 1.1.0 |
| Communications Security | 13.1.1 | Network controls | Establish network segmentation for card holder data environment | 1.1.0 |
| Communications Security | 13.1.1 | Network controls | Establish terms and conditions for accessing resources | 1.1.0 |
| Communications Security | 13.1.1 | Network controls | Establish terms and conditions for processing resources | 1.1.0 |
| Communications Security | 13.1.1 | Network controls | Identify and authenticate network devices | 1.1.0 |
| Communications Security | 13.1.1 | Network controls | Identify and manage downstream information exchanges | 1.1.0 |
| Communications Security | 13.1.1 | Network controls | Implement a fault tolerant name/address service | 1.1.0 |
| Communications Security | 13.1.1 | Network controls | Implement controls to secure alternate work sites | 1.1.0 |
| Communications Security | 13.1.1 | Network controls | Implement managed interface for each external service | 1.1.0 |
| Communications Security | 13.1.1 | Network controls | Implement system boundary protection | 1.1.0 |
| Communications Security | 13.1.1 | Network controls | Monitor access across the organization | 1.1.0 |
| Communications Security | 13.1.1 | Network controls | Notify users of system logon or access | 1.1.0 |
| Communications Security | 13.1.1 | Network controls | Prevent split tunneling for remote devices | 1.1.0 |
| Communications Security | 13.1.1 | Network controls | Produce, control and distribute asymmetric cryptographic keys | 1.1.0 |
| Communications Security | 13.1.1 | Network controls | Protect data in transit using encryption | 1.1.0 |
| Communications Security | 13.1.1 | Network controls | Protect passwords with encryption | 1.1.0 |
| Communications Security | 13.1.1 | Network controls | Protect wireless access | 1.1.0 |
| Communications Security | 13.1.1 | Network controls | Provide privacy training | 1.1.0 |
| Communications Security | 13.1.1 | Network controls | Provide secure name and address resolution services | 1.1.0 |
| Communications Security | 13.1.1 | Network controls | Reauthenticate or terminate a user session | 1.1.0 |
| Communications Security | 13.1.1 | Network controls | Require approval for account creation | 1.1.0 |
| Communications Security | 13.1.1 | Network controls | Review user groups and applications with access to sensitive data | 1.1.0 |
| Communications Security | 13.1.1 | Network controls | Secure the interface to external systems | 1.1.0 |
| Communications Security | 13.1.1 | Network controls | Separate user and information system management functionality | 1.1.0 |
| Communications Security | 13.1.1 | Network controls | Use dedicated machines for administrative tasks | 1.1.0 |
| Communications Security | 13.1.1 | Network controls | Verify security controls for external information systems | 1.1.0 |
| Communications Security | 13.1.2 | Security of network services | Adopt biometric authentication mechanisms | 1.1.0 |
| Communications Security | 13.1.2 | Security of network services | Control information flow | 1.1.0 |
| Communications Security | 13.1.2 | Security of network services | Define and document government oversight | 1.1.0 |
| Communications Security | 13.1.2 | Security of network services | Establish electronic signature and certificate requirements | 1.1.0 |
| Communications Security | 13.1.2 | Security of network services | Establish firewall and router configuration standards | 1.1.0 |
| Communications Security | 13.1.2 | Security of network services | Establish network segmentation for card holder data environment | 1.1.0 |
| Communications Security | 13.1.2 | Security of network services | Identify and manage downstream information exchanges | 1.1.0 |
| Communications Security | 13.1.2 | Security of network services | Implement system boundary protection | 1.1.0 |
| Communications Security | 13.1.2 | Security of network services | Prevent split tunneling for remote devices | 1.1.0 |
| Communications Security | 13.1.2 | Security of network services | Require external service providers to comply with security requirements | 1.1.0 |
| Communications Security | 13.1.2 | Security of network services | Require interconnection security agreements | 1.1.0 |
| Communications Security | 13.1.2 | Security of network services | Review cloud service provider's compliance with policies and agreements | 1.1.0 |
| Communications Security | 13.1.2 | Security of network services | Route traffic through managed network access points | 1.1.0 |
| Communications Security | 13.1.2 | Security of network services | Secure the interface to external systems | 1.1.0 |
| Communications Security | 13.1.2 | Security of network services | Undergo independent security review | 1.1.0 |
| Communications Security | 13.1.2 | Security of network services | Update interconnection security agreements | 1.1.0 |
| Communications Security | 13.1.3 | Segregation of networks | Authorize remote access | 1.1.0 |
| Communications Security | 13.1.3 | Segregation of networks | Configure workstations to check for digital certificates | 1.1.0 |
| Communications Security | 13.1.3 | Segregation of networks | Control information flow | 1.1.0 |
| Communications Security | 13.1.3 | Segregation of networks | Employ boundary protection to isolate information systems | 1.1.0 |
| Communications Security | 13.1.3 | Segregation of networks | Employ flow control mechanisms of encrypted information | 1.1.0 |
| Communications Security | 13.1.3 | Segregation of networks | Establish firewall and router configuration standards | 1.1.0 |
| Communications Security | 13.1.3 | Segregation of networks | Establish network segmentation for card holder data environment | 1.1.0 |
| Communications Security | 13.1.3 | Segregation of networks | Identify and manage downstream information exchanges | 1.1.0 |
| Communications Security | 13.1.3 | Segregation of networks | Implement a fault tolerant name/address service | 1.1.0 |
| Communications Security | 13.1.3 | Segregation of networks | Implement managed interface for each external service | 1.1.0 |
| Communications Security | 13.1.3 | Segregation of networks | Implement system boundary protection | 1.1.0 |
| Communications Security | 13.1.3 | Segregation of networks | Information flow control using security policy filters | 1.1.0 |
| Communications Security | 13.1.3 | Segregation of networks | Prevent split tunneling for remote devices | 1.1.0 |
| Communications Security | 13.1.3 | Segregation of networks | Provide secure name and address resolution services | 1.1.0 |
| Communications Security | 13.1.3 | Segregation of networks | Secure the interface to external systems | 1.1.0 |
| Communications Security | 13.1.3 | Segregation of networks | Separate user and information system management functionality | 1.1.0 |
| Communications Security | 13.1.3 | Segregation of networks | Use dedicated machines for administrative tasks | 1.1.0 |
| Communications Security | 13.2.1 | Information transfer policies and procedures | Authorize remote access | 1.1.0 |
| Communications Security | 13.2.1 | Information transfer policies and procedures | Configure workstations to check for digital certificates | 1.1.0 |
| Communications Security | 13.2.1 | Information transfer policies and procedures | Control information flow | 1.1.0 |
| Communications Security | 13.2.1 | Information transfer policies and procedures | Define mobile device requirements | 1.1.0 |
| Communications Security | 13.2.1 | Information transfer policies and procedures | Document and implement wireless access guidelines | 1.1.0 |
| Communications Security | 13.2.1 | Information transfer policies and procedures | Document mobility training | 1.1.0 |
| Communications Security | 13.2.1 | Information transfer policies and procedures | Document remote access guidelines | 1.1.0 |
| Communications Security | 13.2.1 | Information transfer policies and procedures | Employ flow control mechanisms of encrypted information | 1.1.0 |
| Communications Security | 13.2.1 | Information transfer policies and procedures | Establish firewall and router configuration standards | 1.1.0 |
| Communications Security | 13.2.1 | Information transfer policies and procedures | Establish network segmentation for card holder data environment | 1.1.0 |
| Communications Security | 13.2.1 | Information transfer policies and procedures | Establish terms and conditions for accessing resources | 1.1.0 |
| Communications Security | 13.2.1 | Information transfer policies and procedures | Establish terms and conditions for processing resources | 1.1.0 |
| Communications Security | 13.2.1 | Information transfer policies and procedures | Explicitly notify use of collaborative computing devices | 1.1.1 |
| Communications Security | 13.2.1 | Information transfer policies and procedures | Identify and manage downstream information exchanges | 1.1.0 |
| Communications Security | 13.2.1 | Information transfer policies and procedures | Implement a fault tolerant name/address service | 1.1.0 |
| Communications Security | 13.2.1 | Information transfer policies and procedures | Implement controls to secure alternate work sites | 1.1.0 |
| Communications Security | 13.2.1 | Information transfer policies and procedures | Implement managed interface for each external service | 1.1.0 |
| Communications Security | 13.2.1 | Information transfer policies and procedures | Implement system boundary protection | 1.1.0 |
| Communications Security | 13.2.1 | Information transfer policies and procedures | Information flow control using security policy filters | 1.1.0 |
| Communications Security | 13.2.1 | Information transfer policies and procedures | Produce, control and distribute asymmetric cryptographic keys | 1.1.0 |
| Communications Security | 13.2.1 | Information transfer policies and procedures | Prohibit remote activation of collaborative computing devices | 1.1.0 |
| Communications Security | 13.2.1 | Information transfer policies and procedures | Protect data in transit using encryption | 1.1.0 |
| Communications Security | 13.2.1 | Information transfer policies and procedures | Protect passwords with encryption | 1.1.0 |
| Communications Security | 13.2.1 | Information transfer policies and procedures | Protect wireless access | 1.1.0 |
| Communications Security | 13.2.1 | Information transfer policies and procedures | Provide privacy training | 1.1.0 |
| Communications Security | 13.2.1 | Information transfer policies and procedures | Provide secure name and address resolution services | 1.1.0 |
| Communications Security | 13.2.1 | Information transfer policies and procedures | Require interconnection security agreements | 1.1.0 |
| Communications Security | 13.2.1 | Information transfer policies and procedures | Secure the interface to external systems | 1.1.0 |
| Communications Security | 13.2.1 | Information transfer policies and procedures | Update interconnection security agreements | 1.1.0 |
| Communications Security | 13.2.1 | Information transfer policies and procedures | Verify security controls for external information systems | 1.1.0 |
| Communications Security | 13.2.2 | Agreements on information transfer | Define and document government oversight | 1.1.0 |
| Communications Security | 13.2.2 | Agreements on information transfer | Document personnel acceptance of privacy requirements | 1.1.0 |
| Communications Security | 13.2.2 | Agreements on information transfer | Identify external service providers | 1.1.0 |
| Communications Security | 13.2.2 | Agreements on information transfer | Implement privacy notice delivery methods | 1.1.0 |
| Communications Security | 13.2.2 | Agreements on information transfer | Obtain consent prior to collection or processing of personal data | 1.1.0 |
| Communications Security | 13.2.2 | Agreements on information transfer | Provide privacy notice | 1.1.0 |
| Communications Security | 13.2.2 | Agreements on information transfer | Require external service providers to comply with security requirements | 1.1.0 |
| Communications Security | 13.2.2 | Agreements on information transfer | Require interconnection security agreements | 1.1.0 |
| Communications Security | 13.2.2 | Agreements on information transfer | Review cloud service provider's compliance with policies and agreements | 1.1.0 |
| Communications Security | 13.2.2 | Agreements on information transfer | Undergo independent security review | 1.1.0 |
| Communications Security | 13.2.2 | Agreements on information transfer | Update interconnection security agreements | 1.1.0 |
| Communications Security | 13.2.3 | Electronic messaging | Configure workstations to check for digital certificates | 1.1.0 |
| Communications Security | 13.2.3 | Electronic messaging | Control information flow | 1.1.0 |
| Communications Security | 13.2.3 | Electronic messaging | Establish firewall and router configuration standards | 1.1.0 |
| Communications Security | 13.2.3 | Electronic messaging | Establish network segmentation for card holder data environment | 1.1.0 |
| Communications Security | 13.2.3 | Electronic messaging | Identify and manage downstream information exchanges | 1.1.0 |
| Communications Security | 13.2.3 | Electronic messaging | Implement a fault tolerant name/address service | 1.1.0 |
| Communications Security | 13.2.3 | Electronic messaging | Produce, control and distribute asymmetric cryptographic keys | 1.1.0 |
| Communications Security | 13.2.3 | Electronic messaging | Protect data in transit using encryption | 1.1.0 |
| Communications Security | 13.2.3 | Electronic messaging | Protect passwords with encryption | 1.1.0 |
| Communications Security | 13.2.3 | Electronic messaging | Provide secure name and address resolution services | 1.1.0 |
| Communications Security | 13.2.4 | Confidentiality or non-disclosure agreements | Develop acceptable use policies and procedures | 1.1.0 |
| Communications Security | 13.2.4 | Confidentiality or non-disclosure agreements | Develop organization code of conduct policy | 1.1.0 |
| Communications Security | 13.2.4 | Confidentiality or non-disclosure agreements | Develop security safeguards | 1.1.0 |
| Communications Security | 13.2.4 | Confidentiality or non-disclosure agreements | Document organizational access agreements | 1.1.0 |
| Communications Security | 13.2.4 | Confidentiality or non-disclosure agreements | Document personnel acceptance of privacy requirements | 1.1.0 |
| Communications Security | 13.2.4 | Confidentiality or non-disclosure agreements | Enforce rules of behavior and access agreements | 1.1.0 |
| Communications Security | 13.2.4 | Confidentiality or non-disclosure agreements | Ensure access agreements are signed or resigned timely | 1.1.0 |
| Communications Security | 13.2.4 | Confidentiality or non-disclosure agreements | Prohibit unfair practices | 1.1.0 |
| Communications Security | 13.2.4 | Confidentiality or non-disclosure agreements | Require users to sign access agreement | 1.1.0 |
| Communications Security | 13.2.4 | Confidentiality or non-disclosure agreements | Review and sign revised rules of behavior | 1.1.0 |
| Communications Security | 13.2.4 | Confidentiality or non-disclosure agreements | Update information security policies | 1.1.0 |
| Communications Security | 13.2.4 | Confidentiality or non-disclosure agreements | Update organizational access agreements | 1.1.0 |
| Communications Security | 13.2.4 | Confidentiality or non-disclosure agreements | Update rules of behavior and access agreements | 1.1.0 |
| Communications Security | 13.2.4 | Confidentiality or non-disclosure agreements | Update rules of behavior and access agreements every 3 years | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.1 | Information security requirements analysis and specification | Define information security roles and responsibilities | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.1 | Information security requirements analysis and specification | Determine supplier contract obligations | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.1 | Information security requirements analysis and specification | Develop a concept of operations (CONOPS) | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.1 | Information security requirements analysis and specification | Develop and establish a system security plan | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.1 | Information security requirements analysis and specification | Develop information security policies and procedures | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.1 | Information security requirements analysis and specification | Develop SSP that meets criteria | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.1 | Information security requirements analysis and specification | Document acquisition contract acceptance criteria | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.1 | Information security requirements analysis and specification | Document protection of personal data in acquisition contracts | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.1 | Information security requirements analysis and specification | Document protection of security information in acquisition contracts | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.1 | Information security requirements analysis and specification | Document requirements for the use of shared data in contracts | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.1 | Information security requirements analysis and specification | Document security assurance requirements in acquisition contracts | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.1 | Information security requirements analysis and specification | Document security documentation requirements in acquisition contract | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.1 | Information security requirements analysis and specification | Document security functional requirements in acquisition contracts | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.1 | Information security requirements analysis and specification | Document security strength requirements in acquisition contracts | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.1 | Information security requirements analysis and specification | Document the information system environment in acquisition contracts | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.1 | Information security requirements analysis and specification | Document the protection of cardholder data in third party contracts | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.1 | Information security requirements analysis and specification | Establish a privacy program | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.1 | Information security requirements analysis and specification | Establish security requirements for the manufacturing of connected devices | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.1 | Information security requirements analysis and specification | Identify external service providers | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.1 | Information security requirements analysis and specification | Identify individuals with security roles and responsibilities | 1.1.1 |
| System Acquisition, Development And Maintenance | 14.1.1 | Information security requirements analysis and specification | Implement security engineering principles of information systems | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.1 | Information security requirements analysis and specification | Integrate risk management process into SDLC | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.1 | Information security requirements analysis and specification | Review and update the information security architecture | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.1 | Information security requirements analysis and specification | Review development process, standards and tools | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.2 | Securing application services on public networks | Adopt biometric authentication mechanisms | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.2 | Securing application services on public networks | Authorize access to security functions and information | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.2 | Securing application services on public networks | Authorize and manage access | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.2 | Securing application services on public networks | Authorize remote access | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.2 | Securing application services on public networks | Configure workstations to check for digital certificates | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.2 | Securing application services on public networks | Control information flow | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.2 | Securing application services on public networks | Define cryptographic use | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.2 | Securing application services on public networks | Document mobility training | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.2 | Securing application services on public networks | Document remote access guidelines | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.2 | Securing application services on public networks | Employ flow control mechanisms of encrypted information | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.2 | Securing application services on public networks | Enforce logical access | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.2 | Securing application services on public networks | Enforce mandatory and discretionary access control policies | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.2 | Securing application services on public networks | Enforce user uniqueness | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.2 | Securing application services on public networks | Establish firewall and router configuration standards | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.2 | Securing application services on public networks | Establish network segmentation for card holder data environment | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.2 | Securing application services on public networks | Identify and authenticate network devices | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.2 | Securing application services on public networks | Identify and authenticate non-organizational users | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.2 | Securing application services on public networks | Identify and manage downstream information exchanges | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.2 | Securing application services on public networks | Implement a fault tolerant name/address service | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.2 | Securing application services on public networks | Implement controls to secure all media | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.2 | Securing application services on public networks | Implement controls to secure alternate work sites | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.2 | Securing application services on public networks | Information flow control using security policy filters | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.2 | Securing application services on public networks | Monitor access across the organization | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.2 | Securing application services on public networks | Notify users of system logon or access | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.2 | Securing application services on public networks | Produce, control and distribute asymmetric cryptographic keys | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.2 | Securing application services on public networks | Protect data in transit using encryption | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.2 | Securing application services on public networks | Protect passwords with encryption | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.2 | Securing application services on public networks | Provide privacy training | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.2 | Securing application services on public networks | Provide secure name and address resolution services | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.2 | Securing application services on public networks | Require approval for account creation | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.2 | Securing application services on public networks | Review user groups and applications with access to sensitive data | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.2 | Securing application services on public networks | Support personal verification credentials issued by legal authorities | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.3 | Protecting application services transactions | Authorize access to security functions and information | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.3 | Protecting application services transactions | Authorize and manage access | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.3 | Protecting application services transactions | Authorize remote access | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.3 | Protecting application services transactions | Configure workstations to check for digital certificates | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.3 | Protecting application services transactions | Control information flow | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.3 | Protecting application services transactions | Define cryptographic use | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.3 | Protecting application services transactions | Employ boundary protection to isolate information systems | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.3 | Protecting application services transactions | Employ flow control mechanisms of encrypted information | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.3 | Protecting application services transactions | Enforce logical access | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.3 | Protecting application services transactions | Enforce mandatory and discretionary access control policies | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.3 | Protecting application services transactions | Enforce user uniqueness | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.3 | Protecting application services transactions | Establish firewall and router configuration standards | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.3 | Protecting application services transactions | Establish network segmentation for card holder data environment | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.3 | Protecting application services transactions | Identify and authenticate non-organizational users | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.3 | Protecting application services transactions | Identify and manage downstream information exchanges | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.3 | Protecting application services transactions | Implement a fault tolerant name/address service | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.3 | Protecting application services transactions | Implement system boundary protection | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.3 | Protecting application services transactions | Information flow control using security policy filters | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.3 | Protecting application services transactions | Prevent split tunneling for remote devices | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.3 | Protecting application services transactions | Produce, control and distribute asymmetric cryptographic keys | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.3 | Protecting application services transactions | Protect data in transit using encryption | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.3 | Protecting application services transactions | Protect passwords with encryption | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.3 | Protecting application services transactions | Provide secure name and address resolution services | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.3 | Protecting application services transactions | Require approval for account creation | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.3 | Protecting application services transactions | Review user groups and applications with access to sensitive data | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.3 | Protecting application services transactions | Secure the interface to external systems | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.3 | Protecting application services transactions | Separate user and information system management functionality | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.3 | Protecting application services transactions | Support personal verification credentials issued by legal authorities | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.1.3 | Protecting application services transactions | Use dedicated machines for administrative tasks | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.1 | Secure development policy | Define information security roles and responsibilities | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.1 | Secure development policy | Identify individuals with security roles and responsibilities | 1.1.1 |
| System Acquisition, Development And Maintenance | 14.2.1 | Secure development policy | Integrate risk management process into SDLC | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.1 | Secure development policy | Require developers to build security architecture | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.1 | Secure development policy | Require developers to describe accurate security functionality | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.1 | Secure development policy | Require developers to provide unified security protection approach | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.1 | Secure development policy | Review development process, standards and tools | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.2 | System change control procedures | Address coding vulnerabilities | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.2 | System change control procedures | Automate approval request for proposed changes | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.2 | System change control procedures | Automate implementation of approved change notifications | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.2 | System change control procedures | Automate process to document implemented changes | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.2 | System change control procedures | Automate process to highlight unreviewed change proposals | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.2 | System change control procedures | Automate process to prohibit implementation of unapproved changes | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.2 | System change control procedures | Automate proposed documented changes | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.2 | System change control procedures | Conduct a security impact analysis | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.2 | System change control procedures | Develop and document application security requirements | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.2 | System change control procedures | Develop and maintain a vulnerability management standard | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.2 | System change control procedures | Document the information system environment in acquisition contracts | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.2 | System change control procedures | Enforce security configuration settings | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.2 | System change control procedures | Establish a risk management strategy | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.2 | System change control procedures | Establish a secure software development program | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.2 | System change control procedures | Establish and document change control processes | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.2 | System change control procedures | Establish configuration management requirements for developers | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.2 | System change control procedures | Incorporate flaw remediation into configuration management | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.2 | System change control procedures | Perform a privacy impact assessment | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.2 | System change control procedures | Perform a risk assessment | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.2 | System change control procedures | Perform audit for configuration change control | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.2 | System change control procedures | Perform vulnerability scans | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.2 | System change control procedures | Remediate information system flaws | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.2 | System change control procedures | Require developers to document approved changes and potential impact | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.2 | System change control procedures | Require developers to implement only approved changes | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.2 | System change control procedures | Require developers to manage change integrity | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.3 | Technical review of applications after operating platform changes | Automate approval request for proposed changes | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.3 | Technical review of applications after operating platform changes | Automate implementation of approved change notifications | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.3 | Technical review of applications after operating platform changes | Automate process to document implemented changes | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.3 | Technical review of applications after operating platform changes | Automate process to highlight unreviewed change proposals | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.3 | Technical review of applications after operating platform changes | Automate process to prohibit implementation of unapproved changes | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.3 | Technical review of applications after operating platform changes | Automate proposed documented changes | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.3 | Technical review of applications after operating platform changes | Conduct a security impact analysis | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.3 | Technical review of applications after operating platform changes | Develop and maintain a vulnerability management standard | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.3 | Technical review of applications after operating platform changes | Enforce security configuration settings | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.3 | Technical review of applications after operating platform changes | Establish a risk management strategy | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.3 | Technical review of applications after operating platform changes | Establish and document change control processes | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.3 | Technical review of applications after operating platform changes | Establish configuration management requirements for developers | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.3 | Technical review of applications after operating platform changes | Incorporate flaw remediation into configuration management | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.3 | Technical review of applications after operating platform changes | Perform a privacy impact assessment | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.3 | Technical review of applications after operating platform changes | Perform a risk assessment | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.3 | Technical review of applications after operating platform changes | Perform audit for configuration change control | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.3 | Technical review of applications after operating platform changes | Perform vulnerability scans | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.3 | Technical review of applications after operating platform changes | Remediate information system flaws | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.4 | Restrictions on changes to software packages | Address coding vulnerabilities | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.4 | Restrictions on changes to software packages | Automate approval request for proposed changes | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.4 | Restrictions on changes to software packages | Automate implementation of approved change notifications | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.4 | Restrictions on changes to software packages | Automate process to document implemented changes | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.4 | Restrictions on changes to software packages | Automate process to highlight unreviewed change proposals | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.4 | Restrictions on changes to software packages | Automate process to prohibit implementation of unapproved changes | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.4 | Restrictions on changes to software packages | Automate proposed documented changes | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.4 | Restrictions on changes to software packages | Conduct a security impact analysis | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.4 | Restrictions on changes to software packages | Develop and document application security requirements | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.4 | Restrictions on changes to software packages | Develop and maintain a vulnerability management standard | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.4 | Restrictions on changes to software packages | Document the information system environment in acquisition contracts | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.4 | Restrictions on changes to software packages | Enforce security configuration settings | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.4 | Restrictions on changes to software packages | Establish a risk management strategy | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.4 | Restrictions on changes to software packages | Establish a secure software development program | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.4 | Restrictions on changes to software packages | Establish and document change control processes | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.4 | Restrictions on changes to software packages | Establish configuration management requirements for developers | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.4 | Restrictions on changes to software packages | Perform a privacy impact assessment | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.4 | Restrictions on changes to software packages | Perform a risk assessment | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.4 | Restrictions on changes to software packages | Perform audit for configuration change control | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.4 | Restrictions on changes to software packages | Perform vulnerability scans | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.4 | Restrictions on changes to software packages | Remediate information system flaws | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.4 | Restrictions on changes to software packages | Require developers to document approved changes and potential impact | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.4 | Restrictions on changes to software packages | Require developers to implement only approved changes | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.4 | Restrictions on changes to software packages | Require developers to manage change integrity | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.5 | Secure system engineering principles | Perform information input validation | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.5 | Secure system engineering principles | Require developers to build security architecture | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.5 | Secure system engineering principles | Require developers to describe accurate security functionality | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.5 | Secure system engineering principles | Require developers to provide unified security protection approach | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.5 | Secure system engineering principles | Review development process, standards and tools | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.6 | Secure development environment | Conduct a security impact analysis | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.6 | Secure development environment | Define information security roles and responsibilities | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.6 | Secure development environment | Establish and document change control processes | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.6 | Secure development environment | Establish configuration management requirements for developers | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.6 | Secure development environment | Identify individuals with security roles and responsibilities | 1.1.1 |
| System Acquisition, Development And Maintenance | 14.2.6 | Secure development environment | Integrate risk management process into SDLC | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.6 | Secure development environment | Perform a privacy impact assessment | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.6 | Secure development environment | Perform audit for configuration change control | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.6 | Secure development environment | Perform vulnerability scans | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.6 | Secure development environment | Remediate information system flaws | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.7 | Outsourced development | Address coding vulnerabilities | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.7 | Outsourced development | Assess risk in third party relationships | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.7 | Outsourced development | Conduct a security impact analysis | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.7 | Outsourced development | Define requirements for supplying goods and services | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.7 | Outsourced development | Determine supplier contract obligations | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.7 | Outsourced development | Develop and document application security requirements | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.7 | Outsourced development | Document acquisition contract acceptance criteria | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.7 | Outsourced development | Document protection of personal data in acquisition contracts | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.7 | Outsourced development | Document protection of security information in acquisition contracts | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.7 | Outsourced development | Document requirements for the use of shared data in contracts | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.7 | Outsourced development | Document security assurance requirements in acquisition contracts | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.7 | Outsourced development | Document security documentation requirements in acquisition contract | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.7 | Outsourced development | Document security functional requirements in acquisition contracts | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.7 | Outsourced development | Document security strength requirements in acquisition contracts | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.7 | Outsourced development | Document the information system environment in acquisition contracts | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.7 | Outsourced development | Document the protection of cardholder data in third party contracts | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.7 | Outsourced development | Establish a secure software development program | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.7 | Outsourced development | Establish and document change control processes | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.7 | Outsourced development | Establish configuration management requirements for developers | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.7 | Outsourced development | Establish policies for supply chain risk management | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.7 | Outsourced development | Perform a privacy impact assessment | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.7 | Outsourced development | Perform audit for configuration change control | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.7 | Outsourced development | Perform vulnerability scans | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.7 | Outsourced development | Remediate information system flaws | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.7 | Outsourced development | Require developers to document approved changes and potential impact | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.7 | Outsourced development | Require developers to implement only approved changes | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.7 | Outsourced development | Require developers to manage change integrity | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.7 | Outsourced development | Require developers to produce evidence of security assessment plan execution | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.8 | System security testing | Assess Security Controls | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.8 | System security testing | Deliver security assessment results | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.8 | System security testing | Develop security assessment plan | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.8 | System security testing | Ensure there are no unencrypted static authenticators | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.8 | System security testing | Perform vulnerability scans | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.8 | System security testing | Produce Security Assessment report | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.8 | System security testing | Remediate information system flaws | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.8 | System security testing | Require developers to produce evidence of security assessment plan execution | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.9 | System acceptance testing | Assign an authorizing official (AO) | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.9 | System acceptance testing | Determine supplier contract obligations | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.9 | System acceptance testing | Document acquisition contract acceptance criteria | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.9 | System acceptance testing | Document protection of personal data in acquisition contracts | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.9 | System acceptance testing | Document protection of security information in acquisition contracts | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.9 | System acceptance testing | Document requirements for the use of shared data in contracts | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.9 | System acceptance testing | Document security assurance requirements in acquisition contracts | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.9 | System acceptance testing | Document security documentation requirements in acquisition contract | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.9 | System acceptance testing | Document security functional requirements in acquisition contracts | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.9 | System acceptance testing | Document security strength requirements in acquisition contracts | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.9 | System acceptance testing | Document the information system environment in acquisition contracts | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.9 | System acceptance testing | Document the protection of cardholder data in third party contracts | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.9 | System acceptance testing | Ensure resources are authorized | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.2.9 | System acceptance testing | Ensure there are no unencrypted static authenticators | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.3.1 | Protection of test data | Adhere to retention periods defined | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.3.1 | Protection of test data | Conduct a security impact analysis | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.3.1 | Protection of test data | Ensure there are no unencrypted static authenticators | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.3.1 | Protection of test data | Establish and document change control processes | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.3.1 | Protection of test data | Establish configuration management requirements for developers | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.3.1 | Protection of test data | Perform a privacy impact assessment | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.3.1 | Protection of test data | Perform audit for configuration change control | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.3.1 | Protection of test data | Perform disposition review | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.3.1 | Protection of test data | Perform vulnerability scans | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.3.1 | Protection of test data | Remediate information system flaws | 1.1.0 |
| System Acquisition, Development And Maintenance | 14.3.1 | Protection of test data | Verify personal data is deleted at the end of processing | 1.1.0 |
| Supplier Relationships | 15.1.1 | Information security policy for supplier relationships | Assess risk in third party relationships | 1.1.0 |
| Supplier Relationships | 15.1.1 | Information security policy for supplier relationships | Define requirements for supplying goods and services | 1.1.0 |
| Supplier Relationships | 15.1.1 | Information security policy for supplier relationships | Determine supplier contract obligations | 1.1.0 |
| Supplier Relationships | 15.1.1 | Information security policy for supplier relationships | Establish policies for supply chain risk management | 1.1.0 |
| Supplier Relationships | 15.1.1 | Information security policy for supplier relationships | Review and update personnel security policies and procedures | 1.1.0 |
| Supplier Relationships | 15.1.1 | Information security policy for supplier relationships | Review and update system and services acquisition policies and procedures | 1.1.0 |
| Supplier Relationships | 15.1.2 | Addressing security within supplier agreement | Assess risk in third party relationships | 1.1.0 |
| Supplier Relationships | 15.1.2 | Addressing security within supplier agreement | Check for privacy and security compliance before establishing internal connections | 1.1.0 |
| Supplier Relationships | 15.1.2 | Addressing security within supplier agreement | Define requirements for supplying goods and services | 1.1.0 |
| Supplier Relationships | 15.1.2 | Addressing security within supplier agreement | Determine supplier contract obligations | 1.1.0 |
| Supplier Relationships | 15.1.2 | Addressing security within supplier agreement | Develop acceptable use policies and procedures | 1.1.0 |
| Supplier Relationships | 15.1.2 | Addressing security within supplier agreement | Develop organization code of conduct policy | 1.1.0 |
| Supplier Relationships | 15.1.2 | Addressing security within supplier agreement | Document acquisition contract acceptance criteria | 1.1.0 |
| Supplier Relationships | 15.1.2 | Addressing security within supplier agreement | Document personnel acceptance of privacy requirements | 1.1.0 |
| Supplier Relationships | 15.1.2 | Addressing security within supplier agreement | Document protection of personal data in acquisition contracts | 1.1.0 |
| Supplier Relationships | 15.1.2 | Addressing security within supplier agreement | Document protection of security information in acquisition contracts | 1.1.0 |
| Supplier Relationships | 15.1.2 | Addressing security within supplier agreement | Document requirements for the use of shared data in contracts | 1.1.0 |
| Supplier Relationships | 15.1.2 | Addressing security within supplier agreement | Document security assurance requirements in acquisition contracts | 1.1.0 |
| Supplier Relationships | 15.1.2 | Addressing security within supplier agreement | Document security documentation requirements in acquisition contract | 1.1.0 |
| Supplier Relationships | 15.1.2 | Addressing security within supplier agreement | Document security functional requirements in acquisition contracts | 1.1.0 |
| Supplier Relationships | 15.1.2 | Addressing security within supplier agreement | Document security strength requirements in acquisition contracts | 1.1.0 |
| Supplier Relationships | 15.1.2 | Addressing security within supplier agreement | Document the information system environment in acquisition contracts | 1.1.0 |
| Supplier Relationships | 15.1.2 | Addressing security within supplier agreement | Document the protection of cardholder data in third party contracts | 1.1.0 |
| Supplier Relationships | 15.1.2 | Addressing security within supplier agreement | Enforce rules of behavior and access agreements | 1.1.0 |
| Supplier Relationships | 15.1.2 | Addressing security within supplier agreement | Establish policies for supply chain risk management | 1.1.0 |
| Supplier Relationships | 15.1.2 | Addressing security within supplier agreement | Identify external service providers | 1.1.0 |
| Supplier Relationships | 15.1.2 | Addressing security within supplier agreement | Prohibit unfair practices | 1.1.0 |
| Supplier Relationships | 15.1.2 | Addressing security within supplier agreement | Review and sign revised rules of behavior | 1.1.0 |
| Supplier Relationships | 15.1.2 | Addressing security within supplier agreement | Update rules of behavior and access agreements | 1.1.0 |
| Supplier Relationships | 15.1.2 | Addressing security within supplier agreement | Update rules of behavior and access agreements every 3 years | 1.1.0 |
| Supplier Relationships | 15.1.3 | Information and communication technology supply chain | Assess risk in third party relationships | 1.1.0 |
| Supplier Relationships | 15.1.3 | Information and communication technology supply chain | Define requirements for supplying goods and services | 1.1.0 |
| Supplier Relationships | 15.1.3 | Information and communication technology supply chain | Determine supplier contract obligations | 1.1.0 |
| Supplier Relationships | 15.1.3 | Information and communication technology supply chain | Establish policies for supply chain risk management | 1.1.0 |
| Supplier Relationships | 15.2.1 | Monitoring and review of supplier services | Define and document government oversight | 1.1.0 |
| Supplier Relationships | 15.2.1 | Monitoring and review of supplier services | Require external service providers to comply with security requirements | 1.1.0 |
| Supplier Relationships | 15.2.1 | Monitoring and review of supplier services | Review cloud service provider's compliance with policies and agreements | 1.1.0 |
| Supplier Relationships | 15.2.1 | Monitoring and review of supplier services | Undergo independent security review | 1.1.0 |
| Supplier Relationships | 15.2.2 | Managing changes to supplier services | Define and document government oversight | 1.1.0 |
| Supplier Relationships | 15.2.2 | Managing changes to supplier services | Determine supplier contract obligations | 1.1.0 |
| Supplier Relationships | 15.2.2 | Managing changes to supplier services | Document acquisition contract acceptance criteria | 1.1.0 |
| Supplier Relationships | 15.2.2 | Managing changes to supplier services | Document protection of personal data in acquisition contracts | 1.1.0 |
| Supplier Relationships | 15.2.2 | Managing changes to supplier services | Document protection of security information in acquisition contracts | 1.1.0 |
| Supplier Relationships | 15.2.2 | Managing changes to supplier services | Document requirements for the use of shared data in contracts | 1.1.0 |
| Supplier Relationships | 15.2.2 | Managing changes to supplier services | Document security assurance requirements in acquisition contracts | 1.1.0 |
| Supplier Relationships | 15.2.2 | Managing changes to supplier services | Document security documentation requirements in acquisition contract | 1.1.0 |
| Supplier Relationships | 15.2.2 | Managing changes to supplier services | Document security functional requirements in acquisition contracts | 1.1.0 |
| Supplier Relationships | 15.2.2 | Managing changes to supplier services | Document security strength requirements in acquisition contracts | 1.1.0 |
| Supplier Relationships | 15.2.2 | Managing changes to supplier services | Document the information system environment in acquisition contracts | 1.1.0 |
| Supplier Relationships | 15.2.2 | Managing changes to supplier services | Document the protection of cardholder data in third party contracts | 1.1.0 |
| Supplier Relationships | 15.2.2 | Managing changes to supplier services | Require external service providers to comply with security requirements | 1.1.0 |
| Supplier Relationships | 15.2.2 | Managing changes to supplier services | Review cloud service provider's compliance with policies and agreements | 1.1.0 |
| Supplier Relationships | 15.2.2 | Managing changes to supplier services | Undergo independent security review | 1.1.0 |
| Information Security Incident Management | 16.1.1 | Responsibilities and procedures | Assess information security events | 1.1.0 |
| Information Security Incident Management | 16.1.1 | Responsibilities and procedures | Develop an incident response plan | 1.1.0 |
| Information Security Incident Management | 16.1.1 | Responsibilities and procedures | Implement incident handling | 1.1.0 |
| Information Security Incident Management | 16.1.1 | Responsibilities and procedures | Maintain data breach records | 1.1.0 |
| Information Security Incident Management | 16.1.1 | Responsibilities and procedures | Maintain incident response plan | 1.1.0 |
| Information Security Incident Management | 16.1.1 | Responsibilities and procedures | Protect incident response plan | 1.1.0 |
| Information Security Incident Management | 16.1.1 | Responsibilities and procedures | Review and update incident response policies and procedures | 1.1.0 |
| Information Security Incident Management | 16.1.2 | Reporting information security events | Correlate audit records | 1.1.0 |
| Information Security Incident Management | 16.1.2 | Reporting information security events | Document security operations | 1.1.0 |
| Information Security Incident Management | 16.1.2 | Reporting information security events | Establish requirements for audit review and reporting | 1.1.0 |
| Information Security Incident Management | 16.1.2 | Reporting information security events | Implement incident handling | 1.1.0 |
| Information Security Incident Management | 16.1.2 | Reporting information security events | Integrate audit review, analysis, and reporting | 1.1.0 |
| Information Security Incident Management | 16.1.2 | Reporting information security events | Integrate cloud app security with a siem | 1.1.0 |
| Information Security Incident Management | 16.1.2 | Reporting information security events | Report atypical behavior of user accounts | 1.1.0 |
| Information Security Incident Management | 16.1.2 | Reporting information security events | Review account provisioning logs | 1.1.0 |
| Information Security Incident Management | 16.1.2 | Reporting information security events | Review administrator assignments weekly | 1.1.0 |
| Information Security Incident Management | 16.1.2 | Reporting information security events | Review audit data | 1.1.0 |
| Information Security Incident Management | 16.1.2 | Reporting information security events | Review cloud identity report overview | 1.1.0 |
| Information Security Incident Management | 16.1.2 | Reporting information security events | Review controlled folder access events | 1.1.0 |
| Information Security Incident Management | 16.1.2 | Reporting information security events | Review file and folder activity | 1.1.0 |
| Information Security Incident Management | 16.1.2 | Reporting information security events | Review role group changes weekly | 1.1.0 |
| Information Security Incident Management | 16.1.3 | Reporting information security weaknesses | Document security operations | 1.1.0 |
| Information Security Incident Management | 16.1.3 | Reporting information security weaknesses | Incorporate flaw remediation into configuration management | 1.1.0 |
| Information Security Incident Management | 16.1.3 | Reporting information security weaknesses | Remediate information system flaws | 1.1.0 |
| Information Security Incident Management | 16.1.3 | Reporting information security weaknesses | Report atypical behavior of user accounts | 1.1.0 |
| Information Security Incident Management | 16.1.4 | Assessment of and decision on information security events | Assess information security events | 1.1.0 |
| Information Security Incident Management | 16.1.4 | Assessment of and decision on information security events | Coordinate contingency plans with related plans | 1.1.0 |
| Information Security Incident Management | 16.1.4 | Assessment of and decision on information security events | Correlate audit records | 1.1.0 |
| Information Security Incident Management | 16.1.4 | Assessment of and decision on information security events | Develop an incident response plan | 1.1.0 |
| Information Security Incident Management | 16.1.4 | Assessment of and decision on information security events | Develop security safeguards | 1.1.0 |
| Information Security Incident Management | 16.1.4 | Assessment of and decision on information security events | Enable network protection | 1.1.0 |
| Information Security Incident Management | 16.1.4 | Assessment of and decision on information security events | Eradicate contaminated information | 1.1.0 |
| Information Security Incident Management | 16.1.4 | Assessment of and decision on information security events | Establish requirements for audit review and reporting | 1.1.0 |
| Information Security Incident Management | 16.1.4 | Assessment of and decision on information security events | Execute actions in response to information spills | 1.1.0 |
| Information Security Incident Management | 16.1.4 | Assessment of and decision on information security events | Implement incident handling | 1.1.0 |
| Information Security Incident Management | 16.1.4 | Assessment of and decision on information security events | Integrate audit review, analysis, and reporting | 1.1.0 |
| Information Security Incident Management | 16.1.4 | Assessment of and decision on information security events | Integrate cloud app security with a siem | 1.1.0 |
| Information Security Incident Management | 16.1.4 | Assessment of and decision on information security events | Maintain incident response plan | 1.1.0 |
| Information Security Incident Management | 16.1.4 | Assessment of and decision on information security events | Perform a trend analysis on threats | 1.1.0 |
| Information Security Incident Management | 16.1.4 | Assessment of and decision on information security events | Report atypical behavior of user accounts | 1.1.0 |
| Information Security Incident Management | 16.1.4 | Assessment of and decision on information security events | Review account provisioning logs | 1.1.0 |
| Information Security Incident Management | 16.1.4 | Assessment of and decision on information security events | Review administrator assignments weekly | 1.1.0 |
| Information Security Incident Management | 16.1.4 | Assessment of and decision on information security events | Review audit data | 1.1.0 |
| Information Security Incident Management | 16.1.4 | Assessment of and decision on information security events | Review cloud identity report overview | 1.1.0 |
| Information Security Incident Management | 16.1.4 | Assessment of and decision on information security events | Review controlled folder access events | 1.1.0 |
| Information Security Incident Management | 16.1.4 | Assessment of and decision on information security events | Review file and folder activity | 1.1.0 |
| Information Security Incident Management | 16.1.4 | Assessment of and decision on information security events | Review role group changes weekly | 1.1.0 |
| Information Security Incident Management | 16.1.4 | Assessment of and decision on information security events | View and investigate restricted users | 1.1.0 |
| Information Security Incident Management | 16.1.5 | Response to information security incidents | Assess information security events | 1.1.0 |
| Information Security Incident Management | 16.1.5 | Response to information security incidents | Coordinate contingency plans with related plans | 1.1.0 |
| Information Security Incident Management | 16.1.5 | Response to information security incidents | Develop an incident response plan | 1.1.0 |
| Information Security Incident Management | 16.1.5 | Response to information security incidents | Develop security safeguards | 1.1.0 |
| Information Security Incident Management | 16.1.5 | Response to information security incidents | Enable network protection | 1.1.0 |
| Information Security Incident Management | 16.1.5 | Response to information security incidents | Eradicate contaminated information | 1.1.0 |
| Information Security Incident Management | 16.1.5 | Response to information security incidents | Execute actions in response to information spills | 1.1.0 |
| Information Security Incident Management | 16.1.5 | Response to information security incidents | Implement incident handling | 1.1.0 |
| Information Security Incident Management | 16.1.5 | Response to information security incidents | Maintain incident response plan | 1.1.0 |
| Information Security Incident Management | 16.1.5 | Response to information security incidents | Perform a trend analysis on threats | 1.1.0 |
| Information Security Incident Management | 16.1.5 | Response to information security incidents | Report atypical behavior of user accounts | 1.1.0 |
| Information Security Incident Management | 16.1.5 | Response to information security incidents | View and investigate restricted users | 1.1.0 |
| Information Security Incident Management | 16.1.6 | Learning from information security incidents | Assess information security events | 1.1.0 |
| Information Security Incident Management | 16.1.6 | Learning from information security incidents | Coordinate contingency plans with related plans | 1.1.0 |
| Information Security Incident Management | 16.1.6 | Learning from information security incidents | Develop an incident response plan | 1.1.0 |
| Information Security Incident Management | 16.1.6 | Learning from information security incidents | Develop security safeguards | 1.1.0 |
| Information Security Incident Management | 16.1.6 | Learning from information security incidents | Discover any indicators of compromise | 1.1.0 |
| Information Security Incident Management | 16.1.6 | Learning from information security incidents | Enable network protection | 1.1.0 |
| Information Security Incident Management | 16.1.6 | Learning from information security incidents | Eradicate contaminated information | 1.1.0 |
| Information Security Incident Management | 16.1.6 | Learning from information security incidents | Execute actions in response to information spills | 1.1.0 |
| Information Security Incident Management | 16.1.6 | Learning from information security incidents | Implement incident handling | 1.1.0 |
| Information Security Incident Management | 16.1.6 | Learning from information security incidents | Maintain incident response plan | 1.1.0 |
| Information Security Incident Management | 16.1.6 | Learning from information security incidents | Perform a trend analysis on threats | 1.1.0 |
| Information Security Incident Management | 16.1.6 | Learning from information security incidents | Report atypical behavior of user accounts | 1.1.0 |
| Information Security Incident Management | 16.1.6 | Learning from information security incidents | View and investigate restricted users | 1.1.0 |
| Information Security Incident Management | 16.1.7 | Collection of evidence | Adhere to retention periods defined | 1.1.0 |
| Information Security Incident Management | 16.1.7 | Collection of evidence | Check for privacy and security compliance before establishing internal connections | 1.1.0 |
| Information Security Incident Management | 16.1.7 | Collection of evidence | Determine auditable events | 1.1.0 |
| Information Security Incident Management | 16.1.7 | Collection of evidence | Implement incident handling | 1.1.0 |
| Information Security Incident Management | 16.1.7 | Collection of evidence | Report atypical behavior of user accounts | 1.1.0 |
| Information Security Incident Management | 16.1.7 | Collection of evidence | Retain security policies and procedures | 1.1.0 |
| Information Security Incident Management | 16.1.7 | Collection of evidence | Retain terminated user data | 1.1.0 |
| Information Security Aspects Of Business Continuity Management | 17.1.1 | Planning information security continuity | Communicate contingency plan changes | 1.1.0 |
| Information Security Aspects Of Business Continuity Management | 17.1.1 | Planning information security continuity | Coordinate contingency plans with related plans | 1.1.0 |
| Information Security Aspects Of Business Continuity Management | 17.1.1 | Planning information security continuity | Develop and document a business continuity and disaster recovery plan | 1.1.0 |
| Information Security Aspects Of Business Continuity Management | 17.1.1 | Planning information security continuity | Develop contingency plan | 1.1.0 |
| Information Security Aspects Of Business Continuity Management | 17.1.1 | Planning information security continuity | Develop contingency planning policies and procedures | 1.1.0 |
| Information Security Aspects Of Business Continuity Management | 17.1.1 | Planning information security continuity | Distribute policies and procedures | 1.1.0 |
| Information Security Aspects Of Business Continuity Management | 17.1.1 | Planning information security continuity | Plan for resumption of essential business functions | 1.1.0 |
| Information Security Aspects Of Business Continuity Management | 17.1.1 | Planning information security continuity | Resume all mission and business functions | 1.1.0 |
| Information Security Aspects Of Business Continuity Management | 17.1.1 | Planning information security continuity | Review and update contingency planning policies and procedures | 1.1.0 |
| Information Security Aspects Of Business Continuity Management | 17.1.1 | Planning information security continuity | Review contingency plan | 1.1.0 |
| Information Security Aspects Of Business Continuity Management | 17.1.1 | Planning information security continuity | Update contingency plan | 1.1.0 |
| Information Security Aspects Of Business Continuity Management | 17.1.2 | Implementing information security continuity | Communicate contingency plan changes | 1.1.0 |
| Information Security Aspects Of Business Continuity Management | 17.1.2 | Implementing information security continuity | Conduct backup of information system documentation | 1.1.0 |
| Information Security Aspects Of Business Continuity Management | 17.1.2 | Implementing information security continuity | Coordinate contingency plans with related plans | 1.1.0 |
| Information Security Aspects Of Business Continuity Management | 17.1.2 | Implementing information security continuity | Create separate alternate and primary storage sites | 1.1.0 |
| Information Security Aspects Of Business Continuity Management | 17.1.2 | Implementing information security continuity | Develop contingency plan | 1.1.0 |
| Information Security Aspects Of Business Continuity Management | 17.1.2 | Implementing information security continuity | Ensure alternate storage site safeguards are equivalent to primary site | 1.1.0 |
| Information Security Aspects Of Business Continuity Management | 17.1.2 | Implementing information security continuity | Ensure information system fails in known state | 1.1.0 |
| Information Security Aspects Of Business Continuity Management | 17.1.2 | Implementing information security continuity | Establish alternate storage site to store and retrieve backup information | 1.1.0 |
| Information Security Aspects Of Business Continuity Management | 17.1.2 | Implementing information security continuity | Establish an alternate processing site | 1.1.0 |
| Information Security Aspects Of Business Continuity Management | 17.1.2 | Implementing information security continuity | Establish backup policies and procedures | 1.1.0 |
| Information Security Aspects Of Business Continuity Management | 17.1.2 | Implementing information security continuity | Establish requirements for internet service providers | 1.1.0 |
| Information Security Aspects Of Business Continuity Management | 17.1.2 | Implementing information security continuity | Identify and mitigate potential issues at alternate storage site | 1.1.0 |
| Information Security Aspects Of Business Continuity Management | 17.1.2 | Implementing information security continuity | Implement controls to secure all media | 1.1.0 |
| Information Security Aspects Of Business Continuity Management | 17.1.2 | Implementing information security continuity | Implement transaction based recovery | 1.1.0 |
| Information Security Aspects Of Business Continuity Management | 17.1.2 | Implementing information security continuity | Plan for continuance of essential business functions | 1.1.0 |
| Information Security Aspects Of Business Continuity Management | 17.1.2 | Implementing information security continuity | Plan for resumption of essential business functions | 1.1.0 |
| Information Security Aspects Of Business Continuity Management | 17.1.2 | Implementing information security continuity | Recover and reconstitute resources after any disruption | 1.1.1 |
| Information Security Aspects Of Business Continuity Management | 17.1.2 | Implementing information security continuity | Resume all mission and business functions | 1.1.0 |
| Information Security Aspects Of Business Continuity Management | 17.1.3 | Verify, review and evaluate information security continuity | Initiate contingency plan testing corrective actions | 1.1.0 |
| Information Security Aspects Of Business Continuity Management | 17.1.3 | Verify, review and evaluate information security continuity | Review the results of contingency plan testing | 1.1.0 |
| Information Security Aspects Of Business Continuity Management | 17.1.3 | Verify, review and evaluate information security continuity | Test the business continuity and disaster recovery plan | 1.1.0 |
| Information Security Aspects Of Business Continuity Management | 17.2.1 | Availability of information processing facilities | Communicate contingency plan changes | 1.1.0 |
| Information Security Aspects Of Business Continuity Management | 17.2.1 | Availability of information processing facilities | Coordinate contingency plans with related plans | 1.1.0 |
| Information Security Aspects Of Business Continuity Management | 17.2.1 | Availability of information processing facilities | Create separate alternate and primary storage sites | 1.1.0 |
| Information Security Aspects Of Business Continuity Management | 17.2.1 | Availability of information processing facilities | Develop and document a business continuity and disaster recovery plan | 1.1.0 |
| Information Security Aspects Of Business Continuity Management | 17.2.1 | Availability of information processing facilities | Develop contingency plan | 1.1.0 |
| Information Security Aspects Of Business Continuity Management | 17.2.1 | Availability of information processing facilities | Develop contingency planning policies and procedures | 1.1.0 |
| Information Security Aspects Of Business Continuity Management | 17.2.1 | Availability of information processing facilities | Distribute policies and procedures | 1.1.0 |
| Information Security Aspects Of Business Continuity Management | 17.2.1 | Availability of information processing facilities | Ensure alternate storage site safeguards are equivalent to primary site | 1.1.0 |
| Information Security Aspects Of Business Continuity Management | 17.2.1 | Availability of information processing facilities | Ensure information system fails in known state | 1.1.0 |
| Information Security Aspects Of Business Continuity Management | 17.2.1 | Availability of information processing facilities | Establish alternate storage site to store and retrieve backup information | 1.1.0 |
| Information Security Aspects Of Business Continuity Management | 17.2.1 | Availability of information processing facilities | Establish an alternate processing site | 1.1.0 |
| Information Security Aspects Of Business Continuity Management | 17.2.1 | Availability of information processing facilities | Identify and mitigate potential issues at alternate storage site | 1.1.0 |
| Information Security Aspects Of Business Continuity Management | 17.2.1 | Availability of information processing facilities | Plan for continuance of essential business functions | 1.1.0 |
| Information Security Aspects Of Business Continuity Management | 17.2.1 | Availability of information processing facilities | Plan for resumption of essential business functions | 1.1.0 |
| Information Security Aspects Of Business Continuity Management | 17.2.1 | Availability of information processing facilities | Resume all mission and business functions | 1.1.0 |
| Information Security Aspects Of Business Continuity Management | 17.2.1 | Availability of information processing facilities | Review contingency plan | 1.1.0 |
| Information Security Aspects Of Business Continuity Management | 17.2.1 | Availability of information processing facilities | Update contingency plan | 1.1.0 |
| Compliance | 18.1.1 | Identification applicable legislation and contractual requirements | Develop access control policies and procedures | 1.1.0 |
| Compliance | 18.1.1 | Identification applicable legislation and contractual requirements | Develop and establish a system security plan | 1.1.0 |
| Compliance | 18.1.1 | Identification applicable legislation and contractual requirements | Develop audit and accountability policies and procedures | 1.1.0 |
| Compliance | 18.1.1 | Identification applicable legislation and contractual requirements | Develop information security policies and procedures | 1.1.0 |
| Compliance | 18.1.1 | Identification applicable legislation and contractual requirements | Document security and privacy training activities | 1.1.0 |
| Compliance | 18.1.1 | Identification applicable legislation and contractual requirements | Enforce mandatory and discretionary access control policies | 1.1.0 |
| Compliance | 18.1.1 | Identification applicable legislation and contractual requirements | Establish a privacy program | 1.1.0 |
| Compliance | 18.1.1 | Identification applicable legislation and contractual requirements | Establish a risk management strategy | 1.1.0 |
| Compliance | 18.1.1 | Identification applicable legislation and contractual requirements | Establish an information security program | 1.1.0 |
| Compliance | 18.1.1 | Identification applicable legislation and contractual requirements | Establish security requirements for the manufacturing of connected devices | 1.1.0 |
| Compliance | 18.1.1 | Identification applicable legislation and contractual requirements | Govern policies and procedures | 1.1.0 |
| Compliance | 18.1.1 | Identification applicable legislation and contractual requirements | Implement security engineering principles of information systems | 1.1.0 |
| Compliance | 18.1.1 | Identification applicable legislation and contractual requirements | Protect the information security program plan | 1.1.0 |
| Compliance | 18.1.1 | Identification applicable legislation and contractual requirements | Review access control policies and procedures | 1.1.0 |
| Compliance | 18.1.1 | Identification applicable legislation and contractual requirements | Review and update configuration management policies and procedures | 1.1.0 |
| Compliance | 18.1.1 | Identification applicable legislation and contractual requirements | Review and update contingency planning policies and procedures | 1.1.0 |
| Compliance | 18.1.1 | Identification applicable legislation and contractual requirements | Review and update identification and authentication policies and procedures | 1.1.0 |
| Compliance | 18.1.1 | Identification applicable legislation and contractual requirements | Review and update incident response policies and procedures | 1.1.0 |
| Compliance | 18.1.1 | Identification applicable legislation and contractual requirements | Review and update information integrity policies and procedures | 1.1.0 |
| Compliance | 18.1.1 | Identification applicable legislation and contractual requirements | Review and update media protection policies and procedures | 1.1.0 |
| Compliance | 18.1.1 | Identification applicable legislation and contractual requirements | Review and update personnel security policies and procedures | 1.1.0 |
| Compliance | 18.1.1 | Identification applicable legislation and contractual requirements | Review and update physical and environmental policies and procedures | 1.1.0 |
| Compliance | 18.1.1 | Identification applicable legislation and contractual requirements | Review and update planning policies and procedures | 1.1.0 |
| Compliance | 18.1.1 | Identification applicable legislation and contractual requirements | Review and update risk assessment policies and procedures | 1.1.0 |
| Compliance | 18.1.1 | Identification applicable legislation and contractual requirements | Review and update system and communications protection policies and procedures | 1.1.0 |
| Compliance | 18.1.1 | Identification applicable legislation and contractual requirements | Review and update system and services acquisition policies and procedures | 1.1.0 |
| Compliance | 18.1.1 | Identification applicable legislation and contractual requirements | Review and update system maintenance policies and procedures | 1.1.0 |
| Compliance | 18.1.1 | Identification applicable legislation and contractual requirements | Review security assessment and authorization policies and procedures | 1.1.0 |
| Compliance | 18.1.1 | Identification applicable legislation and contractual requirements | Update information security policies | 1.1.0 |
| Compliance | 18.1.1 | Identification applicable legislation and contractual requirements | Update privacy plan, policies, and procedures | 1.1.0 |
| Compliance | 18.1.2 | Intellectual property rights | Require compliance with intellectual property rights | 1.1.0 |
| Compliance | 18.1.2 | Intellectual property rights | Track software license usage | 1.1.0 |
| Compliance | 18.1.3 | Protection of records | Authorize access to security functions and information | 1.1.0 |
| Compliance | 18.1.3 | Protection of records | Authorize and manage access | 1.1.0 |
| Compliance | 18.1.3 | Protection of records | Conduct backup of information system documentation | 1.1.0 |
| Compliance | 18.1.3 | Protection of records | Control physical access | 1.1.0 |
| Compliance | 18.1.3 | Protection of records | Enable dual or joint authorization | 1.1.0 |
| Compliance | 18.1.3 | Protection of records | Enforce logical access | 1.1.0 |
| Compliance | 18.1.3 | Protection of records | Ensure information system fails in known state | 1.1.0 |
| Compliance | 18.1.3 | Protection of records | Establish backup policies and procedures | 1.1.0 |
| Compliance | 18.1.3 | Protection of records | Implement controls to secure all media | 1.1.0 |
| Compliance | 18.1.3 | Protection of records | Implement transaction based recovery | 1.1.0 |
| Compliance | 18.1.3 | Protection of records | Manage the input, output, processing, and storage of data | 1.1.0 |
| Compliance | 18.1.3 | Protection of records | Protect audit information | 1.1.0 |
| Compliance | 18.1.3 | Protection of records | Require approval for account creation | 1.1.0 |
| Compliance | 18.1.3 | Protection of records | Review label activity and analytics | 1.1.0 |
| Compliance | 18.1.3 | Protection of records | Review user groups and applications with access to sensitive data | 1.1.0 |
| Compliance | 18.1.4 | Privacy and protection of personally identifiable information | Control physical access | 1.1.0 |
| Compliance | 18.1.4 | Privacy and protection of personally identifiable information | Establish a privacy program | 1.1.0 |
| Compliance | 18.1.4 | Privacy and protection of personally identifiable information | Establish an information security program | 1.1.0 |
| Compliance | 18.1.4 | Privacy and protection of personally identifiable information | Manage compliance activities | 1.1.0 |
| Compliance | 18.1.4 | Privacy and protection of personally identifiable information | Manage the input, output, processing, and storage of data | 1.1.0 |
| Compliance | 18.1.4 | Privacy and protection of personally identifiable information | Review label activity and analytics | 1.1.0 |
| Compliance | 18.1.5 | Regulation of cryptographic controls | Authenticate to cryptographic module | 1.1.0 |
| Compliance | 18.1.5 | Regulation of cryptographic controls | Define cryptographic use | 1.1.0 |
| Compliance | 18.2.1 | Independent review of information security | Employ independent team for penetration testing | 1.1.0 |
| Compliance | 18.2.1 | Independent review of information security | Establish a risk management strategy | 1.1.0 |
| Compliance | 18.2.2 | Compliance with security policies and standards | Assess Security Controls | 1.1.0 |
| Compliance | 18.2.2 | Compliance with security policies and standards | Check for privacy and security compliance before establishing internal connections | 1.1.0 |
| Compliance | 18.2.2 | Compliance with security policies and standards | Configure detection whitelist | 1.1.0 |
| Compliance | 18.2.2 | Compliance with security policies and standards | Deliver security assessment results | 1.1.0 |
| Compliance | 18.2.2 | Compliance with security policies and standards | Develop access control policies and procedures | 1.1.0 |
| Compliance | 18.2.2 | Compliance with security policies and standards | Develop and establish a system security plan | 1.1.0 |
| Compliance | 18.2.2 | Compliance with security policies and standards | Develop audit and accountability policies and procedures | 1.1.0 |
| Compliance | 18.2.2 | Compliance with security policies and standards | Develop information security policies and procedures | 1.1.0 |
| Compliance | 18.2.2 | Compliance with security policies and standards | Develop security assessment plan | 1.1.0 |
| Compliance | 18.2.2 | Compliance with security policies and standards | Document security and privacy training activities | 1.1.0 |
| Compliance | 18.2.2 | Compliance with security policies and standards | Establish a privacy program | 1.1.0 |
| Compliance | 18.2.2 | Compliance with security policies and standards | Establish an information security program | 1.1.0 |
| Compliance | 18.2.2 | Compliance with security policies and standards | Establish security requirements for the manufacturing of connected devices | 1.1.0 |
| Compliance | 18.2.2 | Compliance with security policies and standards | Govern policies and procedures | 1.1.0 |
| Compliance | 18.2.2 | Compliance with security policies and standards | Implement security engineering principles of information systems | 1.1.0 |
| Compliance | 18.2.2 | Compliance with security policies and standards | Produce Security Assessment report | 1.1.0 |
| Compliance | 18.2.2 | Compliance with security policies and standards | Protect the information security program plan | 1.1.0 |
| Compliance | 18.2.2 | Compliance with security policies and standards | Review access control policies and procedures | 1.1.0 |
| Compliance | 18.2.2 | Compliance with security policies and standards | Review and update configuration management policies and procedures | 1.1.0 |
| Compliance | 18.2.2 | Compliance with security policies and standards | Review and update contingency planning policies and procedures | 1.1.0 |
| Compliance | 18.2.2 | Compliance with security policies and standards | Review and update identification and authentication policies and procedures | 1.1.0 |
| Compliance | 18.2.2 | Compliance with security policies and standards | Review and update incident response policies and procedures | 1.1.0 |
| Compliance | 18.2.2 | Compliance with security policies and standards | Review and update information integrity policies and procedures | 1.1.0 |
| Compliance | 18.2.2 | Compliance with security policies and standards | Review and update media protection policies and procedures | 1.1.0 |
| Compliance | 18.2.2 | Compliance with security policies and standards | Review and update personnel security policies and procedures | 1.1.0 |
| Compliance | 18.2.2 | Compliance with security policies and standards | Review and update physical and environmental policies and procedures | 1.1.0 |
| Compliance | 18.2.2 | Compliance with security policies and standards | Review and update planning policies and procedures | 1.1.0 |
| Compliance | 18.2.2 | Compliance with security policies and standards | Review and update risk assessment policies and procedures | 1.1.0 |
| Compliance | 18.2.2 | Compliance with security policies and standards | Review and update system and communications protection policies and procedures | 1.1.0 |
| Compliance | 18.2.2 | Compliance with security policies and standards | Review and update system and services acquisition policies and procedures | 1.1.0 |
| Compliance | 18.2.2 | Compliance with security policies and standards | Review and update system maintenance policies and procedures | 1.1.0 |
| Compliance | 18.2.2 | Compliance with security policies and standards | Review security assessment and authorization policies and procedures | 1.1.0 |
| Compliance | 18.2.2 | Compliance with security policies and standards | Turn on sensors for endpoint security solution | 1.1.0 |
| Compliance | 18.2.2 | Compliance with security policies and standards | Undergo independent security review | 1.1.0 |
| Compliance | 18.2.2 | Compliance with security policies and standards | Update information security policies | 1.1.0 |
| Compliance | 18.2.2 | Compliance with security policies and standards | Update privacy plan, policies, and procedures | 1.1.0 |
| Compliance | 18.2.3 | Technical compliance review | Assess Security Controls | 1.1.0 |
| Compliance | 18.2.3 | Technical compliance review | Deliver security assessment results | 1.1.0 |
| Compliance | 18.2.3 | Technical compliance review | Develop security assessment plan | 1.1.0 |
| Compliance | 18.2.3 | Technical compliance review | Employ independent team for penetration testing | 1.1.0 |
| Compliance | 18.2.3 | Technical compliance review | Produce Security Assessment report | 1.1.0 |
| Information Security Policies | 5.1.1 | Policies for information security | Determine supplier contract obligations | 1.1.0 |
| Information Security Policies | 5.1.1 | Policies for information security | Develop access control policies and procedures | 1.1.0 |
| Information Security Policies | 5.1.1 | Policies for information security | Develop and establish a system security plan | 1.1.0 |
| Information Security Policies | 5.1.1 | Policies for information security | Develop audit and accountability policies and procedures | 1.1.0 |
| Information Security Policies | 5.1.1 | Policies for information security | Develop information security policies and procedures | 1.1.0 |
| Information Security Policies | 5.1.1 | Policies for information security | Document acquisition contract acceptance criteria | 1.1.0 |
| Information Security Policies | 5.1.1 | Policies for information security | Document protection of personal data in acquisition contracts | 1.1.0 |
| Information Security Policies | 5.1.1 | Policies for information security | Document protection of security information in acquisition contracts | 1.1.0 |
| Information Security Policies | 5.1.1 | Policies for information security | Document requirements for the use of shared data in contracts | 1.1.0 |
| Information Security Policies | 5.1.1 | Policies for information security | Document security and privacy training activities | 1.1.0 |
| Information Security Policies | 5.1.1 | Policies for information security | Document security assurance requirements in acquisition contracts | 1.1.0 |
| Information Security Policies | 5.1.1 | Policies for information security | Document security documentation requirements in acquisition contract | 1.1.0 |
| Information Security Policies | 5.1.1 | Policies for information security | Document security functional requirements in acquisition contracts | 1.1.0 |
| Information Security Policies | 5.1.1 | Policies for information security | Document security strength requirements in acquisition contracts | 1.1.0 |
| Information Security Policies | 5.1.1 | Policies for information security | Document the information system environment in acquisition contracts | 1.1.0 |
| Information Security Policies | 5.1.1 | Policies for information security | Document the protection of cardholder data in third party contracts | 1.1.0 |
| Information Security Policies | 5.1.1 | Policies for information security | Enforce mandatory and discretionary access control policies | 1.1.0 |
| Information Security Policies | 5.1.1 | Policies for information security | Establish a privacy program | 1.1.0 |
| Information Security Policies | 5.1.1 | Policies for information security | Establish an information security program | 1.1.0 |
| Information Security Policies | 5.1.1 | Policies for information security | Establish privacy requirements for contractors and service providers | 1.1.0 |
| Information Security Policies | 5.1.1 | Policies for information security | Establish security requirements for the manufacturing of connected devices | 1.1.0 |
| Information Security Policies | 5.1.1 | Policies for information security | Govern policies and procedures | 1.1.0 |
| Information Security Policies | 5.1.1 | Policies for information security | Implement security engineering principles of information systems | 1.1.0 |
| Information Security Policies | 5.1.1 | Policies for information security | Manage compliance activities | 1.1.0 |
| Information Security Policies | 5.1.1 | Policies for information security | Protect the information security program plan | 1.1.0 |
| Information Security Policies | 5.1.1 | Policies for information security | Review access control policies and procedures | 1.1.0 |
| Information Security Policies | 5.1.1 | Policies for information security | Review and update configuration management policies and procedures | 1.1.0 |
| Information Security Policies | 5.1.1 | Policies for information security | Review and update contingency planning policies and procedures | 1.1.0 |
| Information Security Policies | 5.1.1 | Policies for information security | Review and update identification and authentication policies and procedures | 1.1.0 |
| Information Security Policies | 5.1.1 | Policies for information security | Review and update incident response policies and procedures | 1.1.0 |
| Information Security Policies | 5.1.1 | Policies for information security | Review and update information integrity policies and procedures | 1.1.0 |
| Information Security Policies | 5.1.1 | Policies for information security | Review and update media protection policies and procedures | 1.1.0 |
| Information Security Policies | 5.1.1 | Policies for information security | Review and update personnel security policies and procedures | 1.1.0 |
| Information Security Policies | 5.1.1 | Policies for information security | Review and update physical and environmental policies and procedures | 1.1.0 |
| Information Security Policies | 5.1.1 | Policies for information security | Review and update planning policies and procedures | 1.1.0 |
| Information Security Policies | 5.1.1 | Policies for information security | Review and update risk assessment policies and procedures | 1.1.0 |
| Information Security Policies | 5.1.1 | Policies for information security | Review and update system and communications protection policies and procedures | 1.1.0 |
| Information Security Policies | 5.1.1 | Policies for information security | Review and update system and services acquisition policies and procedures | 1.1.0 |
| Information Security Policies | 5.1.1 | Policies for information security | Review and update system maintenance policies and procedures | 1.1.0 |
| Information Security Policies | 5.1.1 | Policies for information security | Review security assessment and authorization policies and procedures | 1.1.0 |
| Information Security Policies | 5.1.1 | Policies for information security | Update information security policies | 1.1.0 |
| Information Security Policies | 5.1.1 | Policies for information security | Update privacy plan, policies, and procedures | 1.1.0 |
| Information Security Policies | 5.1.2 | Review of the policies for information security | Develop access control policies and procedures | 1.1.0 |
| Information Security Policies | 5.1.2 | Review of the policies for information security | Develop and establish a system security plan | 1.1.0 |
| Information Security Policies | 5.1.2 | Review of the policies for information security | Develop audit and accountability policies and procedures | 1.1.0 |
| Information Security Policies | 5.1.2 | Review of the policies for information security | Develop information security policies and procedures | 1.1.0 |
| Information Security Policies | 5.1.2 | Review of the policies for information security | Document security and privacy training activities | 1.1.0 |
| Information Security Policies | 5.1.2 | Review of the policies for information security | Enforce mandatory and discretionary access control policies | 1.1.0 |
| Information Security Policies | 5.1.2 | Review of the policies for information security | Establish a privacy program | 1.1.0 |
| Information Security Policies | 5.1.2 | Review of the policies for information security | Establish an information security program | 1.1.0 |
| Information Security Policies | 5.1.2 | Review of the policies for information security | Establish security requirements for the manufacturing of connected devices | 1.1.0 |
| Information Security Policies | 5.1.2 | Review of the policies for information security | Govern policies and procedures | 1.1.0 |
| Information Security Policies | 5.1.2 | Review of the policies for information security | Implement security engineering principles of information systems | 1.1.0 |
| Information Security Policies | 5.1.2 | Review of the policies for information security | Protect the information security program plan | 1.1.0 |
| Information Security Policies | 5.1.2 | Review of the policies for information security | Review access control policies and procedures | 1.1.0 |
| Information Security Policies | 5.1.2 | Review of the policies for information security | Review and update configuration management policies and procedures | 1.1.0 |
| Information Security Policies | 5.1.2 | Review of the policies for information security | Review and update contingency planning policies and procedures | 1.1.0 |
| Information Security Policies | 5.1.2 | Review of the policies for information security | Review and update identification and authentication policies and procedures | 1.1.0 |
| Information Security Policies | 5.1.2 | Review of the policies for information security | Review and update incident response policies and procedures | 1.1.0 |
| Information Security Policies | 5.1.2 | Review of the policies for information security | Review and update information integrity policies and procedures | 1.1.0 |
| Information Security Policies | 5.1.2 | Review of the policies for information security | Review and update media protection policies and procedures | 1.1.0 |
| Information Security Policies | 5.1.2 | Review of the policies for information security | Review and update personnel security policies and procedures | 1.1.0 |
| Information Security Policies | 5.1.2 | Review of the policies for information security | Review and update physical and environmental policies and procedures | 1.1.0 |
| Information Security Policies | 5.1.2 | Review of the policies for information security | Review and update planning policies and procedures | 1.1.0 |
| Information Security Policies | 5.1.2 | Review of the policies for information security | Review and update risk assessment policies and procedures | 1.1.0 |
| Information Security Policies | 5.1.2 | Review of the policies for information security | Review and update system and communications protection policies and procedures | 1.1.0 |
| Information Security Policies | 5.1.2 | Review of the policies for information security | Review and update system and services acquisition policies and procedures | 1.1.0 |
| Information Security Policies | 5.1.2 | Review of the policies for information security | Review and update system maintenance policies and procedures | 1.1.0 |
| Information Security Policies | 5.1.2 | Review of the policies for information security | Review security assessment and authorization policies and procedures | 1.1.0 |
| Information Security Policies | 5.1.2 | Review of the policies for information security | Update information security policies | 1.1.0 |
| Information Security Policies | 5.1.2 | Review of the policies for information security | Update privacy plan, policies, and procedures | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Appoint a senior information security officer | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Communicate contingency plan changes | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Coordinate contingency plans with related plans | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Create configuration plan protection | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Define and document government oversight | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Define information security roles and responsibilities | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Designate individuals to fulfill specific roles and responsibilities | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Determine supplier contract obligations | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Develop access control policies and procedures | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Develop and document a business continuity and disaster recovery plan | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Develop and establish a system security plan | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Develop and maintain baseline configurations | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Develop audit and accountability policies and procedures | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Develop configuration item identification plan | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Develop configuration management plan | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Develop contingency plan | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Develop contingency planning policies and procedures | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Develop information security policies and procedures | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Distribute policies and procedures | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Document acquisition contract acceptance criteria | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Document and implement privacy complaint procedures | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Document protection of personal data in acquisition contracts | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Document protection of security information in acquisition contracts | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Document requirements for the use of shared data in contracts | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Document security and privacy training activities | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Document security assurance requirements in acquisition contracts | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Document security documentation requirements in acquisition contract | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Document security functional requirements in acquisition contracts | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Document security strength requirements in acquisition contracts | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Document the information system environment in acquisition contracts | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Document the protection of cardholder data in third party contracts | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Document third-party personnel security requirements | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Enforce mandatory and discretionary access control policies | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Ensure privacy program information is publicly available | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Establish a privacy program | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Establish an information security program | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Establish and document a configuration management plan | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Establish security requirements for the manufacturing of connected devices | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Establish third-party personnel security requirements | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Govern policies and procedures | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Identify individuals with security roles and responsibilities | 1.1.1 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Implement an automated configuration management tool | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Implement security engineering principles of information systems | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Integrate risk management process into SDLC | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Manage security state of information systems | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Monitor third-party provider compliance | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Plan for resumption of essential business functions | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Protect the information security program plan | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Require external service providers to comply with security requirements | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Require notification of third-party personnel transfer or termination | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Require third-party providers to comply with personnel security policies and procedures | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Resume all mission and business functions | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Review access control policies and procedures | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Review and update configuration management policies and procedures | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Review and update contingency planning policies and procedures | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Review and update identification and authentication policies and procedures | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Review and update incident response policies and procedures | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Review and update information integrity policies and procedures | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Review and update media protection policies and procedures | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Review and update personnel security policies and procedures | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Review and update physical and environmental policies and procedures | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Review and update planning policies and procedures | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Review and update risk assessment policies and procedures | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Review and update system and communications protection policies and procedures | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Review and update system and services acquisition policies and procedures | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Review and update system maintenance policies and procedures | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Review cloud service provider's compliance with policies and agreements | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Review contingency plan | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Review security assessment and authorization policies and procedures | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Undergo independent security review | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Update contingency plan | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Update information security policies | 1.1.0 |
| Organization of Information Security | 6.1.1 | Information security roles and responsibilities | Update privacy plan, policies, and procedures | 1.1.0 |
| Organization of Information Security | 6.1.2 | Segregation of Duties | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| Organization of Information Security | 6.1.2 | Segregation of Duties | Define access authorizations to support separation of duties | 1.1.0 |
| Organization of Information Security | 6.1.2 | Segregation of Duties | Document separation of duties | 1.1.0 |
| Organization of Information Security | 6.1.2 | Segregation of Duties | Separate duties of individuals | 1.1.0 |
| Organization of Information Security | 6.1.2 | Segregation of Duties | There should be more than one owner assigned to your subscription | 3.0.0 |
| Organization of Information Security | 6.1.3 | Contact with authorities | Establish a privacy program | 1.1.0 |
| Organization of Information Security | 6.1.3 | Contact with authorities | Manage contacts for authorities and special interest groups | 1.1.0 |
| Organization of Information Security | 6.1.4 | Contact with special interest groups | Disseminate security alerts to personnel | 1.1.0 |
| Organization of Information Security | 6.1.4 | Contact with special interest groups | Establish a privacy program | 1.1.0 |
| Organization of Information Security | 6.1.4 | Contact with special interest groups | Establish a threat intelligence program | 1.1.0 |
| Organization of Information Security | 6.1.4 | Contact with special interest groups | Generate internal security alerts | 1.1.0 |
| Organization of Information Security | 6.1.4 | Contact with special interest groups | Implement security directives | 1.1.0 |
| Organization of Information Security | 6.1.4 | Contact with special interest groups | Manage contacts for authorities and special interest groups | 1.1.0 |
| Organization of Information Security | 6.1.5 | Information security in project management | Align business objectives and IT goals | 1.1.0 |
| Organization of Information Security | 6.1.5 | Information security in project management | Allocate resources in determining information system requirements | 1.1.0 |
| Organization of Information Security | 6.1.5 | Information security in project management | Define and document government oversight | 1.1.0 |
| Organization of Information Security | 6.1.5 | Information security in project management | Define information security roles and responsibilities | 1.1.0 |
| Organization of Information Security | 6.1.5 | Information security in project management | Determine supplier contract obligations | 1.1.0 |
| Organization of Information Security | 6.1.5 | Information security in project management | Document acquisition contract acceptance criteria | 1.1.0 |
| Organization of Information Security | 6.1.5 | Information security in project management | Document protection of personal data in acquisition contracts | 1.1.0 |
| Organization of Information Security | 6.1.5 | Information security in project management | Document protection of security information in acquisition contracts | 1.1.0 |
| Organization of Information Security | 6.1.5 | Information security in project management | Document requirements for the use of shared data in contracts | 1.1.0 |
| Organization of Information Security | 6.1.5 | Information security in project management | Document security assurance requirements in acquisition contracts | 1.1.0 |
| Organization of Information Security | 6.1.5 | Information security in project management | Document security documentation requirements in acquisition contract | 1.1.0 |
| Organization of Information Security | 6.1.5 | Information security in project management | Document security functional requirements in acquisition contracts | 1.1.0 |
| Organization of Information Security | 6.1.5 | Information security in project management | Document security strength requirements in acquisition contracts | 1.1.0 |
| Organization of Information Security | 6.1.5 | Information security in project management | Document the information system environment in acquisition contracts | 1.1.0 |
| Organization of Information Security | 6.1.5 | Information security in project management | Document the protection of cardholder data in third party contracts | 1.1.0 |
| Organization of Information Security | 6.1.5 | Information security in project management | Establish a discrete line item in budgeting documentation | 1.1.0 |
| Organization of Information Security | 6.1.5 | Information security in project management | Establish a privacy program | 1.1.0 |
| Organization of Information Security | 6.1.5 | Information security in project management | Govern the allocation of resources | 1.1.0 |
| Organization of Information Security | 6.1.5 | Information security in project management | Identify individuals with security roles and responsibilities | 1.1.1 |
| Organization of Information Security | 6.1.5 | Information security in project management | Integrate risk management process into SDLC | 1.1.0 |
| Organization of Information Security | 6.1.5 | Information security in project management | Require external service providers to comply with security requirements | 1.1.0 |
| Organization of Information Security | 6.1.5 | Information security in project management | Review cloud service provider's compliance with policies and agreements | 1.1.0 |
| Organization of Information Security | 6.1.5 | Information security in project management | Review development process, standards and tools | 1.1.0 |
| Organization of Information Security | 6.1.5 | Information security in project management | Secure commitment from leadership | 1.1.0 |
| Organization of Information Security | 6.1.5 | Information security in project management | Undergo independent security review | 1.1.0 |
| Organization of Information Security | 6.2.1 | Mobile device policy | Adopt biometric authentication mechanisms | 1.1.0 |
| Organization of Information Security | 6.2.1 | Mobile device policy | Authorize remote access | 1.1.0 |
| Organization of Information Security | 6.2.1 | Mobile device policy | Define mobile device requirements | 1.1.0 |
| Organization of Information Security | 6.2.1 | Mobile device policy | Document and implement wireless access guidelines | 1.1.0 |
| Organization of Information Security | 6.2.1 | Mobile device policy | Document mobility training | 1.1.0 |
| Organization of Information Security | 6.2.1 | Mobile device policy | Document remote access guidelines | 1.1.0 |
| Organization of Information Security | 6.2.1 | Mobile device policy | Identify and authenticate network devices | 1.1.0 |
| Organization of Information Security | 6.2.1 | Mobile device policy | Implement controls to secure alternate work sites | 1.1.0 |
| Organization of Information Security | 6.2.1 | Mobile device policy | Monitor access across the organization | 1.1.0 |
| Organization of Information Security | 6.2.1 | Mobile device policy | Notify users of system logon or access | 1.1.0 |
| Organization of Information Security | 6.2.1 | Mobile device policy | Protect data in transit using encryption | 1.1.0 |
| Organization of Information Security | 6.2.1 | Mobile device policy | Protect wireless access | 1.1.0 |
| Organization of Information Security | 6.2.1 | Mobile device policy | Provide privacy training | 1.1.0 |
| Organization of Information Security | 6.2.2 | Teleworking | Adopt biometric authentication mechanisms | 1.1.0 |
| Organization of Information Security | 6.2.2 | Teleworking | Authorize access to security functions and information | 1.1.0 |
| Organization of Information Security | 6.2.2 | Teleworking | Authorize and manage access | 1.1.0 |
| Organization of Information Security | 6.2.2 | Teleworking | Authorize remote access | 1.1.0 |
| Organization of Information Security | 6.2.2 | Teleworking | Document mobility training | 1.1.0 |
| Organization of Information Security | 6.2.2 | Teleworking | Document remote access guidelines | 1.1.0 |
| Organization of Information Security | 6.2.2 | Teleworking | Enforce logical access | 1.1.0 |
| Organization of Information Security | 6.2.2 | Teleworking | Enforce mandatory and discretionary access control policies | 1.1.0 |
| Organization of Information Security | 6.2.2 | Teleworking | Identify and authenticate network devices | 1.1.0 |
| Organization of Information Security | 6.2.2 | Teleworking | Implement controls to secure alternate work sites | 1.1.0 |
| Organization of Information Security | 6.2.2 | Teleworking | Monitor access across the organization | 1.1.0 |
| Organization of Information Security | 6.2.2 | Teleworking | Notify users of system logon or access | 1.1.0 |
| Organization of Information Security | 6.2.2 | Teleworking | Protect data in transit using encryption | 1.1.0 |
| Organization of Information Security | 6.2.2 | Teleworking | Provide privacy training | 1.1.0 |
| Organization of Information Security | 6.2.2 | Teleworking | Require approval for account creation | 1.1.0 |
| Organization of Information Security | 6.2.2 | Teleworking | Review user groups and applications with access to sensitive data | 1.1.0 |
| Human Resources Security | 7.1.1 | Screening | Clear personnel with access to classified information | 1.1.0 |
| Human Resources Security | 7.1.1 | Screening | Implement personnel screening | 1.1.0 |
| Human Resources Security | 7.1.1 | Screening | Rescreen individuals at a defined frequency | 1.1.0 |
| Human Resources Security | 7.1.2 | Terms and conditions of employment | Determine supplier contract obligations | 1.1.0 |
| Human Resources Security | 7.1.2 | Terms and conditions of employment | Develop acceptable use policies and procedures | 1.1.0 |
| Human Resources Security | 7.1.2 | Terms and conditions of employment | Develop security safeguards | 1.1.0 |
| Human Resources Security | 7.1.2 | Terms and conditions of employment | Document acquisition contract acceptance criteria | 1.1.0 |
| Human Resources Security | 7.1.2 | Terms and conditions of employment | Document organizational access agreements | 1.1.0 |
| Human Resources Security | 7.1.2 | Terms and conditions of employment | Document personnel acceptance of privacy requirements | 1.1.0 |
| Human Resources Security | 7.1.2 | Terms and conditions of employment | Document protection of personal data in acquisition contracts | 1.1.0 |
| Human Resources Security | 7.1.2 | Terms and conditions of employment | Document protection of security information in acquisition contracts | 1.1.0 |
| Human Resources Security | 7.1.2 | Terms and conditions of employment | Document requirements for the use of shared data in contracts | 1.1.0 |
| Human Resources Security | 7.1.2 | Terms and conditions of employment | Document security assurance requirements in acquisition contracts | 1.1.0 |
| Human Resources Security | 7.1.2 | Terms and conditions of employment | Document security documentation requirements in acquisition contract | 1.1.0 |
| Human Resources Security | 7.1.2 | Terms and conditions of employment | Document security functional requirements in acquisition contracts | 1.1.0 |
| Human Resources Security | 7.1.2 | Terms and conditions of employment | Document security strength requirements in acquisition contracts | 1.1.0 |
| Human Resources Security | 7.1.2 | Terms and conditions of employment | Document the information system environment in acquisition contracts | 1.1.0 |
| Human Resources Security | 7.1.2 | Terms and conditions of employment | Document the protection of cardholder data in third party contracts | 1.1.0 |
| Human Resources Security | 7.1.2 | Terms and conditions of employment | Enforce rules of behavior and access agreements | 1.1.0 |
| Human Resources Security | 7.1.2 | Terms and conditions of employment | Ensure access agreements are signed or resigned timely | 1.1.0 |
| Human Resources Security | 7.1.2 | Terms and conditions of employment | Ensure privacy program information is publicly available | 1.1.0 |
| Human Resources Security | 7.1.2 | Terms and conditions of employment | Establish a privacy program | 1.1.0 |
| Human Resources Security | 7.1.2 | Terms and conditions of employment | Implement privacy notice delivery methods | 1.1.0 |
| Human Resources Security | 7.1.2 | Terms and conditions of employment | Obtain consent prior to collection or processing of personal data | 1.1.0 |
| Human Resources Security | 7.1.2 | Terms and conditions of employment | Provide privacy notice | 1.1.0 |
| Human Resources Security | 7.1.2 | Terms and conditions of employment | Require users to sign access agreement | 1.1.0 |
| Human Resources Security | 7.1.2 | Terms and conditions of employment | Update organizational access agreements | 1.1.0 |
| Human Resources Security | 7.2.1 | Management responsibilities | Define and document government oversight | 1.1.0 |
| Human Resources Security | 7.2.1 | Management responsibilities | Determine supplier contract obligations | 1.1.0 |
| Human Resources Security | 7.2.1 | Management responsibilities | Develop acceptable use policies and procedures | 1.1.0 |
| Human Resources Security | 7.2.1 | Management responsibilities | Document acquisition contract acceptance criteria | 1.1.0 |
| Human Resources Security | 7.2.1 | Management responsibilities | Document organizational access agreements | 1.1.0 |
| Human Resources Security | 7.2.1 | Management responsibilities | Document protection of personal data in acquisition contracts | 1.1.0 |
| Human Resources Security | 7.2.1 | Management responsibilities | Document protection of security information in acquisition contracts | 1.1.0 |
| Human Resources Security | 7.2.1 | Management responsibilities | Document requirements for the use of shared data in contracts | 1.1.0 |
| Human Resources Security | 7.2.1 | Management responsibilities | Document security assurance requirements in acquisition contracts | 1.1.0 |
| Human Resources Security | 7.2.1 | Management responsibilities | Document security documentation requirements in acquisition contract | 1.1.0 |
| Human Resources Security | 7.2.1 | Management responsibilities | Document security functional requirements in acquisition contracts | 1.1.0 |
| Human Resources Security | 7.2.1 | Management responsibilities | Document security strength requirements in acquisition contracts | 1.1.0 |
| Human Resources Security | 7.2.1 | Management responsibilities | Document the information system environment in acquisition contracts | 1.1.0 |
| Human Resources Security | 7.2.1 | Management responsibilities | Document the protection of cardholder data in third party contracts | 1.1.0 |
| Human Resources Security | 7.2.1 | Management responsibilities | Document third-party personnel security requirements | 1.1.0 |
| Human Resources Security | 7.2.1 | Management responsibilities | Enforce rules of behavior and access agreements | 1.1.0 |
| Human Resources Security | 7.2.1 | Management responsibilities | Ensure access agreements are signed or resigned timely | 1.1.0 |
| Human Resources Security | 7.2.1 | Management responsibilities | Establish third-party personnel security requirements | 1.1.0 |
| Human Resources Security | 7.2.1 | Management responsibilities | Monitor third-party provider compliance | 1.1.0 |
| Human Resources Security | 7.2.1 | Management responsibilities | Require external service providers to comply with security requirements | 1.1.0 |
| Human Resources Security | 7.2.1 | Management responsibilities | Require notification of third-party personnel transfer or termination | 1.1.0 |
| Human Resources Security | 7.2.1 | Management responsibilities | Require third-party providers to comply with personnel security policies and procedures | 1.1.0 |
| Human Resources Security | 7.2.1 | Management responsibilities | Require users to sign access agreement | 1.1.0 |
| Human Resources Security | 7.2.1 | Management responsibilities | Review cloud service provider's compliance with policies and agreements | 1.1.0 |
| Human Resources Security | 7.2.1 | Management responsibilities | Undergo independent security review | 1.1.0 |
| Human Resources Security | 7.2.1 | Management responsibilities | Update organizational access agreements | 1.1.0 |
| Human Resources Security | 7.2.2 | Information security awareness, education and training | Document security and privacy training activities | 1.1.0 |
| Human Resources Security | 7.2.2 | Information security awareness, education and training | Employ automated training environment | 1.1.0 |
| Human Resources Security | 7.2.2 | Information security awareness, education and training | Establish information security workforce development and improvement program | 1.1.0 |
| Human Resources Security | 7.2.2 | Information security awareness, education and training | Monitor security and privacy training completion | 1.1.0 |
| Human Resources Security | 7.2.2 | Information security awareness, education and training | Provide contingency training | 1.1.0 |
| Human Resources Security | 7.2.2 | Information security awareness, education and training | Provide information spillage training | 1.1.0 |
| Human Resources Security | 7.2.2 | Information security awareness, education and training | Provide periodic role-based security training | 1.1.0 |
| Human Resources Security | 7.2.2 | Information security awareness, education and training | Provide periodic security awareness training | 1.1.0 |
| Human Resources Security | 7.2.2 | Information security awareness, education and training | Provide privacy training | 1.1.0 |
| Human Resources Security | 7.2.2 | Information security awareness, education and training | Provide role-based security training | 1.1.0 |
| Human Resources Security | 7.2.2 | Information security awareness, education and training | Provide security training before providing access | 1.1.0 |
| Human Resources Security | 7.2.2 | Information security awareness, education and training | Provide security training for new users | 1.1.0 |
| Human Resources Security | 7.2.2 | Information security awareness, education and training | Provide updated security awareness training | 1.1.0 |
| Human Resources Security | 7.2.2 | Information security awareness, education and training | Retain training records | 1.1.0 |
| Human Resources Security | 7.2.2 | Information security awareness, education and training | Train personnel on disclosure of nonpublic information | 1.1.0 |
| Human Resources Security | 7.2.3 | Disciplinary process | Implement formal sanctions process | 1.1.0 |
| Human Resources Security | 7.2.3 | Disciplinary process | Notify personnel upon sanctions | 1.1.0 |
| Human Resources Security | 7.3.1 | Termination or change of employment responsibilities | Conduct exit interview upon termination | 1.1.0 |
| Human Resources Security | 7.3.1 | Termination or change of employment responsibilities | Disable authenticators upon termination | 1.1.0 |
| Human Resources Security | 7.3.1 | Termination or change of employment responsibilities | Initiate transfer or reassignment actions | 1.1.0 |
| Human Resources Security | 7.3.1 | Termination or change of employment responsibilities | Modify access authorizations upon personnel transfer | 1.1.0 |
| Human Resources Security | 7.3.1 | Termination or change of employment responsibilities | Notify upon termination or transfer | 1.1.0 |
| Human Resources Security | 7.3.1 | Termination or change of employment responsibilities | Protect against and prevent data theft from departing employees | 1.1.0 |
| Human Resources Security | 7.3.1 | Termination or change of employment responsibilities | Reevaluate access upon personnel transfer | 1.1.0 |
| Human Resources Security | 7.3.1 | Termination or change of employment responsibilities | Retain terminated user data | 1.1.0 |
| Asset Management | 8.1.1 | Inventory of assets | Create a data inventory | 1.1.0 |
| Asset Management | 8.1.1 | Inventory of assets | Maintain records of processing of personal data | 1.1.0 |
| Asset Management | 8.1.2 | Ownership of assets | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| Asset Management | 8.1.2 | Ownership of assets | Control use of portable storage devices | 1.1.0 |
| Asset Management | 8.1.2 | Ownership of assets | Create a data inventory | 1.1.0 |
| Asset Management | 8.1.2 | Ownership of assets | Establish and maintain an asset inventory | 1.1.0 |
| Asset Management | 8.1.2 | Ownership of assets | Implement controls to secure all media | 1.1.0 |
| Asset Management | 8.1.2 | Ownership of assets | Maintain records of processing of personal data | 1.1.0 |
| Asset Management | 8.1.2 | Ownership of assets | Restrict media use | 1.1.0 |
| Asset Management | 8.1.3 | Acceptable use of assets | Develop acceptable use policies and procedures | 1.1.0 |
| Asset Management | 8.1.3 | Acceptable use of assets | Enforce rules of behavior and access agreements | 1.1.0 |
| Asset Management | 8.1.4 | Return of assets | Conduct exit interview upon termination | 1.1.0 |
| Asset Management | 8.1.4 | Return of assets | Disable authenticators upon termination | 1.1.0 |
| Asset Management | 8.1.4 | Return of assets | Initiate transfer or reassignment actions | 1.1.0 |
| Asset Management | 8.1.4 | Return of assets | Modify access authorizations upon personnel transfer | 1.1.0 |
| Asset Management | 8.1.4 | Return of assets | Notify upon termination or transfer | 1.1.0 |
| Asset Management | 8.1.4 | Return of assets | Protect against and prevent data theft from departing employees | 1.1.0 |
| Asset Management | 8.1.4 | Return of assets | Reevaluate access upon personnel transfer | 1.1.0 |
| Asset Management | 8.1.4 | Return of assets | Retain terminated user data | 1.1.0 |
| Asset Management | 8.2.1 | Classification of information | Categorize information | 1.1.0 |
| Asset Management | 8.2.1 | Classification of information | Develop business classification schemes | 1.1.0 |
| Asset Management | 8.2.1 | Classification of information | Ensure security categorization is approved | 1.1.0 |
| Asset Management | 8.2.1 | Classification of information | Review label activity and analytics | 1.1.0 |
| Asset Management | 8.2.2 | Labelling of information | Control physical access | 1.1.0 |
| Asset Management | 8.2.2 | Labelling of information | Implement controls to secure all media | 1.1.0 |
| Asset Management | 8.2.2 | Labelling of information | Manage the input, output, processing, and storage of data | 1.1.0 |
| Asset Management | 8.2.2 | Labelling of information | Review label activity and analytics | 1.1.0 |
| Asset Management | 8.2.3 | Handling of assets | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| Asset Management | 8.2.3 | Handling of assets | Configure workstations to check for digital certificates | 1.1.0 |
| Asset Management | 8.2.3 | Handling of assets | Control information flow | 1.1.0 |
| Asset Management | 8.2.3 | Handling of assets | Control physical access | 1.1.0 |
| Asset Management | 8.2.3 | Handling of assets | Control use of portable storage devices | 1.1.0 |
| Asset Management | 8.2.3 | Handling of assets | Define requirements for managing assets | 1.1.0 |
| Asset Management | 8.2.3 | Handling of assets | Employ a media sanitization mechanism | 1.1.0 |
| Asset Management | 8.2.3 | Handling of assets | Establish a data leakage management procedure | 1.1.0 |
| Asset Management | 8.2.3 | Handling of assets | Establish and document change control processes | 1.1.0 |
| Asset Management | 8.2.3 | Handling of assets | Establish configuration management requirements for developers | 1.1.0 |
| Asset Management | 8.2.3 | Handling of assets | Establish firewall and router configuration standards | 1.1.0 |
| Asset Management | 8.2.3 | Handling of assets | Establish network segmentation for card holder data environment | 1.1.0 |
| Asset Management | 8.2.3 | Handling of assets | Identify and manage downstream information exchanges | 1.1.0 |
| Asset Management | 8.2.3 | Handling of assets | Implement a fault tolerant name/address service | 1.1.0 |
| Asset Management | 8.2.3 | Handling of assets | Implement controls to secure all media | 1.1.0 |
| Asset Management | 8.2.3 | Handling of assets | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Asset Management | 8.2.3 | Handling of assets | Manage the input, output, processing, and storage of data | 1.1.0 |
| Asset Management | 8.2.3 | Handling of assets | Manage the transportation of assets | 1.1.0 |
| Asset Management | 8.2.3 | Handling of assets | Perform audit for configuration change control | 1.1.0 |
| Asset Management | 8.2.3 | Handling of assets | Produce, control and distribute asymmetric cryptographic keys | 1.1.0 |
| Asset Management | 8.2.3 | Handling of assets | Protect data in transit using encryption | 1.1.0 |
| Asset Management | 8.2.3 | Handling of assets | Protect passwords with encryption | 1.1.0 |
| Asset Management | 8.2.3 | Handling of assets | Protect special information | 1.1.0 |
| Asset Management | 8.2.3 | Handling of assets | Provide secure name and address resolution services | 1.1.0 |
| Asset Management | 8.2.3 | Handling of assets | Restrict media use | 1.1.0 |
| Asset Management | 8.2.3 | Handling of assets | Review label activity and analytics | 1.1.0 |
| Asset Management | 8.3.1 | Management of removable media | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| Asset Management | 8.3.1 | Management of removable media | Control use of portable storage devices | 1.1.0 |
| Asset Management | 8.3.1 | Management of removable media | Employ a media sanitization mechanism | 1.1.0 |
| Asset Management | 8.3.1 | Management of removable media | Implement controls to secure all media | 1.1.0 |
| Asset Management | 8.3.1 | Management of removable media | Manage the transportation of assets | 1.1.0 |
| Asset Management | 8.3.1 | Management of removable media | Restrict media use | 1.1.0 |
| Asset Management | 8.3.2 | Disposal of media | Employ a media sanitization mechanism | 1.1.0 |
| Asset Management | 8.3.2 | Disposal of media | Implement controls to secure all media | 1.1.0 |
| Asset Management | 8.3.3 | Physical media transfer | Implement controls to secure all media | 1.1.0 |
| Asset Management | 8.3.3 | Physical media transfer | Manage the transportation of assets | 1.1.0 |
| Access Control | 9.1.1 | Access control policy | Develop access control policies and procedures | 1.1.0 |
| Access Control | 9.1.1 | Access control policy | Enforce mandatory and discretionary access control policies | 1.1.0 |
| Access Control | 9.1.1 | Access control policy | Govern policies and procedures | 1.1.0 |
| Access Control | 9.1.1 | Access control policy | Review access control policies and procedures | 1.1.0 |
| Access Control | 9.1.2 | Access to networks and network services | Adopt biometric authentication mechanisms | 1.1.0 |
| Access Control | 9.1.2 | Access to networks and network services | Authorize access to security functions and information | 1.1.0 |
| Access Control | 9.1.2 | Access to networks and network services | Authorize and manage access | 1.1.0 |
| Access Control | 9.1.2 | Access to networks and network services | Automate account management | 1.1.0 |
| Access Control | 9.1.2 | Access to networks and network services | Design an access control model | 1.1.0 |
| Access Control | 9.1.2 | Access to networks and network services | Employ least privilege access | 1.1.0 |
| Access Control | 9.1.2 | Access to networks and network services | Enable detection of network devices | 1.1.0 |
| Access Control | 9.1.2 | Access to networks and network services | Enforce logical access | 1.1.0 |
| Access Control | 9.1.2 | Access to networks and network services | Enforce mandatory and discretionary access control policies | 1.1.0 |
| Access Control | 9.1.2 | Access to networks and network services | Enforce user uniqueness | 1.1.0 |
| Access Control | 9.1.2 | Access to networks and network services | Establish electronic signature and certificate requirements | 1.1.0 |
| Access Control | 9.1.2 | Access to networks and network services | Identify actions allowed without authentication | 1.1.0 |
| Access Control | 9.1.2 | Access to networks and network services | Identify and authenticate non-organizational users | 1.1.0 |
| Access Control | 9.1.2 | Access to networks and network services | Manage system and admin accounts | 1.1.0 |
| Access Control | 9.1.2 | Access to networks and network services | Monitor access across the organization | 1.1.0 |
| Access Control | 9.1.2 | Access to networks and network services | Notify when account is not needed | 1.1.0 |
| Access Control | 9.1.2 | Access to networks and network services | Require approval for account creation | 1.1.0 |
| Access Control | 9.1.2 | Access to networks and network services | Review user groups and applications with access to sensitive data | 1.1.0 |
| Access Control | 9.1.2 | Access to networks and network services | Route traffic through managed network access points | 1.1.0 |
| Access Control | 9.1.2 | Access to networks and network services | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| Access Control | 9.1.2 | Access to networks and network services | Support personal verification credentials issued by legal authorities | 1.1.0 |
| Access Control | 9.2.1 | User registration and de-registration | Assign account managers | 1.1.0 |
| Access Control | 9.2.1 | User registration and de-registration | Assign system identifiers | 1.1.0 |
| Access Control | 9.2.1 | User registration and de-registration | Audit user account status | 1.1.0 |
| Access Control | 9.2.1 | User registration and de-registration | Define information system account types | 1.1.0 |
| Access Control | 9.2.1 | User registration and de-registration | Document access privileges | 1.1.0 |
| Access Control | 9.2.1 | User registration and de-registration | Enable detection of network devices | 1.1.0 |
| Access Control | 9.2.1 | User registration and de-registration | Enforce user uniqueness | 1.1.0 |
| Access Control | 9.2.1 | User registration and de-registration | Establish authenticator types and processes | 1.1.0 |
| Access Control | 9.2.1 | User registration and de-registration | Establish conditions for role membership | 1.1.0 |
| Access Control | 9.2.1 | User registration and de-registration | Establish procedures for initial authenticator distribution | 1.1.0 |
| Access Control | 9.2.1 | User registration and de-registration | Identify actions allowed without authentication | 1.1.0 |
| Access Control | 9.2.1 | User registration and de-registration | Identify and authenticate non-organizational users | 1.1.0 |
| Access Control | 9.2.1 | User registration and de-registration | Implement training for protecting authenticators | 1.1.0 |
| Access Control | 9.2.1 | User registration and de-registration | Manage authenticator lifetime and reuse | 1.1.0 |
| Access Control | 9.2.1 | User registration and de-registration | Manage Authenticators | 1.1.0 |
| Access Control | 9.2.1 | User registration and de-registration | Notify Account Managers of customer controlled accounts | 1.1.0 |
| Access Control | 9.2.1 | User registration and de-registration | Prevent identifier reuse for the defined time period | 1.1.0 |
| Access Control | 9.2.1 | User registration and de-registration | Refresh authenticators | 1.1.0 |
| Access Control | 9.2.1 | User registration and de-registration | Reissue authenticators for changed groups and accounts | 1.1.0 |
| Access Control | 9.2.1 | User registration and de-registration | Require approval for account creation | 1.1.0 |
| Access Control | 9.2.1 | User registration and de-registration | Restrict access to privileged accounts | 1.1.0 |
| Access Control | 9.2.1 | User registration and de-registration | Review account provisioning logs | 1.1.0 |
| Access Control | 9.2.1 | User registration and de-registration | Review and reevaluate privileges | 1.1.0 |
| Access Control | 9.2.1 | User registration and de-registration | Review user accounts | 1.1.0 |
| Access Control | 9.2.1 | User registration and de-registration | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| Access Control | 9.2.1 | User registration and de-registration | Support personal verification credentials issued by legal authorities | 1.1.0 |
| Access Control | 9.2.1 | User registration and de-registration | Verify identity before distributing authenticators | 1.1.0 |
| Access Control | 9.2.2 | User access provisioning | Assign account managers | 1.1.0 |
| Access Control | 9.2.2 | User access provisioning | Audit user account status | 1.1.0 |
| Access Control | 9.2.2 | User access provisioning | Authorize access to security functions and information | 1.1.0 |
| Access Control | 9.2.2 | User access provisioning | Authorize and manage access | 1.1.0 |
| Access Control | 9.2.2 | User access provisioning | Automate account management | 1.1.0 |
| Access Control | 9.2.2 | User access provisioning | Define information system account types | 1.1.0 |
| Access Control | 9.2.2 | User access provisioning | Document access privileges | 1.1.0 |
| Access Control | 9.2.2 | User access provisioning | Enforce mandatory and discretionary access control policies | 1.1.0 |
| Access Control | 9.2.2 | User access provisioning | Establish conditions for role membership | 1.1.0 |
| Access Control | 9.2.2 | User access provisioning | Limit privileges to make changes in production environment | 1.1.0 |
| Access Control | 9.2.2 | User access provisioning | Manage system and admin accounts | 1.1.0 |
| Access Control | 9.2.2 | User access provisioning | Monitor access across the organization | 1.1.0 |
| Access Control | 9.2.2 | User access provisioning | Notify Account Managers of customer controlled accounts | 1.1.0 |
| Access Control | 9.2.2 | User access provisioning | Notify when account is not needed | 1.1.0 |
| Access Control | 9.2.2 | User access provisioning | Require approval for account creation | 1.1.0 |
| Access Control | 9.2.2 | User access provisioning | Restrict access to privileged accounts | 1.1.0 |
| Access Control | 9.2.2 | User access provisioning | Review account provisioning logs | 1.1.0 |
| Access Control | 9.2.2 | User access provisioning | Review and reevaluate privileges | 1.1.0 |
| Access Control | 9.2.2 | User access provisioning | Review user accounts | 1.1.0 |
| Access Control | 9.2.3 | Management of privileged access rights | Accounts with owner permissions on Azure resources should be MFA enabled | 1.0.0 |
| Access Control | 9.2.3 | Management of privileged access rights | Accounts with write permissions on Azure resources should be MFA enabled | 1.0.0 |
| Access Control | 9.2.3 | Management of privileged access rights | Assign account managers | 1.1.0 |
| Access Control | 9.2.3 | Management of privileged access rights | Audit privileged functions | 1.1.0 |
| Access Control | 9.2.3 | Management of privileged access rights | Audit user account status | 1.1.0 |
| Access Control | 9.2.3 | Management of privileged access rights | Authorize access to security functions and information | 1.1.0 |
| Access Control | 9.2.3 | Management of privileged access rights | Authorize and manage access | 1.1.0 |
| Access Control | 9.2.3 | Management of privileged access rights | Automate account management | 1.1.0 |
| Access Control | 9.2.3 | Management of privileged access rights | Define information system account types | 1.1.0 |
| Access Control | 9.2.3 | Management of privileged access rights | Design an access control model | 1.1.0 |
| Access Control | 9.2.3 | Management of privileged access rights | Document access privileges | 1.1.0 |
| Access Control | 9.2.3 | Management of privileged access rights | Employ least privilege access | 1.1.0 |
| Access Control | 9.2.3 | Management of privileged access rights | Enforce mandatory and discretionary access control policies | 1.1.0 |
| Access Control | 9.2.3 | Management of privileged access rights | Establish and document change control processes | 1.1.0 |
| Access Control | 9.2.3 | Management of privileged access rights | Establish conditions for role membership | 1.1.0 |
| Access Control | 9.2.3 | Management of privileged access rights | Guest accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| Access Control | 9.2.3 | Management of privileged access rights | Guest accounts with write permissions on Azure resources should be removed | 1.0.0 |
| Access Control | 9.2.3 | Management of privileged access rights | Limit privileges to make changes in production environment | 1.1.0 |
| Access Control | 9.2.3 | Management of privileged access rights | Manage system and admin accounts | 1.1.0 |
| Access Control | 9.2.3 | Management of privileged access rights | Monitor access across the organization | 1.1.0 |
| Access Control | 9.2.3 | Management of privileged access rights | Monitor privileged role assignment | 1.1.0 |
| Access Control | 9.2.3 | Management of privileged access rights | Notify Account Managers of customer controlled accounts | 1.1.0 |
| Access Control | 9.2.3 | Management of privileged access rights | Notify when account is not needed | 1.1.0 |
| Access Control | 9.2.3 | Management of privileged access rights | Require approval for account creation | 1.1.0 |
| Access Control | 9.2.3 | Management of privileged access rights | Restrict access to privileged accounts | 1.1.0 |
| Access Control | 9.2.3 | Management of privileged access rights | Review account provisioning logs | 1.1.0 |
| Access Control | 9.2.3 | Management of privileged access rights | Review and reevaluate privileges | 1.1.0 |
| Access Control | 9.2.3 | Management of privileged access rights | Review user accounts | 1.1.0 |
| Access Control | 9.2.3 | Management of privileged access rights | Revoke privileged roles as appropriate | 1.1.0 |
| Access Control | 9.2.3 | Management of privileged access rights | Use privileged identity management | 1.1.0 |
| Access Control | 9.2.4 | Management of secret authentication information of users | Accounts with owner permissions on Azure resources should be MFA enabled | 1.0.0 |
| Access Control | 9.2.4 | Management of secret authentication information of users | Accounts with read permissions on Azure resources should be MFA enabled | 1.0.0 |
| Access Control | 9.2.4 | Management of secret authentication information of users | Accounts with write permissions on Azure resources should be MFA enabled | 1.0.0 |
| Access Control | 9.2.4 | Management of secret authentication information of users | Disable authenticators upon termination | 1.1.0 |
| Access Control | 9.2.4 | Management of secret authentication information of users | Document security strength requirements in acquisition contracts | 1.1.0 |
| Access Control | 9.2.4 | Management of secret authentication information of users | Establish a password policy | 1.1.0 |
| Access Control | 9.2.4 | Management of secret authentication information of users | Establish authenticator types and processes | 1.1.0 |
| Access Control | 9.2.4 | Management of secret authentication information of users | Establish procedures for initial authenticator distribution | 1.1.0 |
| Access Control | 9.2.4 | Management of secret authentication information of users | Implement parameters for memorized secret verifiers | 1.1.0 |
| Access Control | 9.2.4 | Management of secret authentication information of users | Implement training for protecting authenticators | 1.1.0 |
| Access Control | 9.2.4 | Management of secret authentication information of users | Manage authenticator lifetime and reuse | 1.1.0 |
| Access Control | 9.2.4 | Management of secret authentication information of users | Manage Authenticators | 1.1.0 |
| Access Control | 9.2.4 | Management of secret authentication information of users | Protect passwords with encryption | 1.1.0 |
| Access Control | 9.2.4 | Management of secret authentication information of users | Refresh authenticators | 1.1.0 |
| Access Control | 9.2.4 | Management of secret authentication information of users | Reissue authenticators for changed groups and accounts | 1.1.0 |
| Access Control | 9.2.4 | Management of secret authentication information of users | Revoke privileged roles as appropriate | 1.1.0 |
| Access Control | 9.2.4 | Management of secret authentication information of users | Verify identity before distributing authenticators | 1.1.0 |
| Access Control | 9.2.5 | Review of user access rights | Assign account managers | 1.1.0 |
| Access Control | 9.2.5 | Review of user access rights | Audit user account status | 1.1.0 |
| Access Control | 9.2.5 | Review of user access rights | Blocked accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| Access Control | 9.2.5 | Review of user access rights | Blocked accounts with read and write permissions on Azure resources should be removed | 1.0.0 |
| Access Control | 9.2.5 | Review of user access rights | Define information system account types | 1.1.0 |
| Access Control | 9.2.5 | Review of user access rights | Document access privileges | 1.1.0 |
| Access Control | 9.2.5 | Review of user access rights | Establish conditions for role membership | 1.1.0 |
| Access Control | 9.2.5 | Review of user access rights | Guest accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| Access Control | 9.2.5 | Review of user access rights | Guest accounts with write permissions on Azure resources should be removed | 1.0.0 |
| Access Control | 9.2.5 | Review of user access rights | Notify Account Managers of customer controlled accounts | 1.1.0 |
| Access Control | 9.2.5 | Review of user access rights | Reassign or remove user privileges as needed | 1.1.0 |
| Access Control | 9.2.5 | Review of user access rights | Require approval for account creation | 1.1.0 |
| Access Control | 9.2.5 | Review of user access rights | Restrict access to privileged accounts | 1.1.0 |
| Access Control | 9.2.5 | Review of user access rights | Review account provisioning logs | 1.1.0 |
| Access Control | 9.2.5 | Review of user access rights | Review and reevaluate privileges | 1.1.0 |
| Access Control | 9.2.5 | Review of user access rights | Review user accounts | 1.1.0 |
| Access Control | 9.2.5 | Review of user access rights | Review user privileges | 1.1.0 |
| Access Control | 9.2.6 | Removal or adjustment of access rights | Assign account managers | 1.1.0 |
| Access Control | 9.2.6 | Removal or adjustment of access rights | Audit user account status | 1.1.0 |
| Access Control | 9.2.6 | Removal or adjustment of access rights | Blocked accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| Access Control | 9.2.6 | Removal or adjustment of access rights | Blocked accounts with read and write permissions on Azure resources should be removed | 1.0.0 |
| Access Control | 9.2.6 | Removal or adjustment of access rights | Define information system account types | 1.1.0 |
| Access Control | 9.2.6 | Removal or adjustment of access rights | Document access privileges | 1.1.0 |
| Access Control | 9.2.6 | Removal or adjustment of access rights | Establish conditions for role membership | 1.1.0 |
| Access Control | 9.2.6 | Removal or adjustment of access rights | Initiate transfer or reassignment actions | 1.1.0 |
| Access Control | 9.2.6 | Removal or adjustment of access rights | Modify access authorizations upon personnel transfer | 1.1.0 |
| Access Control | 9.2.6 | Removal or adjustment of access rights | Notify Account Managers of customer controlled accounts | 1.1.0 |
| Access Control | 9.2.6 | Removal or adjustment of access rights | Notify upon termination or transfer | 1.1.0 |
| Access Control | 9.2.6 | Removal or adjustment of access rights | Reevaluate access upon personnel transfer | 1.1.0 |
| Access Control | 9.2.6 | Removal or adjustment of access rights | Require approval for account creation | 1.1.0 |
| Access Control | 9.2.6 | Removal or adjustment of access rights | Restrict access to privileged accounts | 1.1.0 |
| Access Control | 9.2.6 | Removal or adjustment of access rights | Review account provisioning logs | 1.1.0 |
| Access Control | 9.2.6 | Removal or adjustment of access rights | Review and reevaluate privileges | 1.1.0 |
| Access Control | 9.2.6 | Removal or adjustment of access rights | Review user accounts | 1.1.0 |
| Access Control | 9.3.1 | Use of secret authentication information | Disable authenticators upon termination | 1.1.0 |
| Access Control | 9.3.1 | Use of secret authentication information | Document security strength requirements in acquisition contracts | 1.1.0 |
| Access Control | 9.3.1 | Use of secret authentication information | Establish a password policy | 1.1.0 |
| Access Control | 9.3.1 | Use of secret authentication information | Establish authenticator types and processes | 1.1.0 |
| Access Control | 9.3.1 | Use of secret authentication information | Establish procedures for initial authenticator distribution | 1.1.0 |
| Access Control | 9.3.1 | Use of secret authentication information | Implement parameters for memorized secret verifiers | 1.1.0 |
| Access Control | 9.3.1 | Use of secret authentication information | Implement training for protecting authenticators | 1.1.0 |
| Access Control | 9.3.1 | Use of secret authentication information | Manage authenticator lifetime and reuse | 1.1.0 |
| Access Control | 9.3.1 | Use of secret authentication information | Manage Authenticators | 1.1.0 |
| Access Control | 9.3.1 | Use of secret authentication information | Protect passwords with encryption | 1.1.0 |
| Access Control | 9.3.1 | Use of secret authentication information | Refresh authenticators | 1.1.0 |
| Access Control | 9.3.1 | Use of secret authentication information | Reissue authenticators for changed groups and accounts | 1.1.0 |
| Access Control | 9.3.1 | Use of secret authentication information | Revoke privileged roles as appropriate | 1.1.0 |
| Access Control | 9.3.1 | Use of secret authentication information | Terminate customer controlled account credentials | 1.1.0 |
| Access Control | 9.3.1 | Use of secret authentication information | Verify identity before distributing authenticators | 1.1.0 |
| Access Control | 9.4.1 | Information access restriction | Authorize access to security functions and information | 1.1.0 |
| Access Control | 9.4.1 | Information access restriction | Authorize and manage access | 1.1.0 |
| Access Control | 9.4.1 | Information access restriction | Automate account management | 1.1.0 |
| Access Control | 9.4.1 | Information access restriction | Enforce logical access | 1.1.0 |
| Access Control | 9.4.1 | Information access restriction | Enforce mandatory and discretionary access control policies | 1.1.0 |
| Access Control | 9.4.1 | Information access restriction | Limit privileges to make changes in production environment | 1.1.0 |
| Access Control | 9.4.1 | Information access restriction | Manage system and admin accounts | 1.1.0 |
| Access Control | 9.4.1 | Information access restriction | Monitor access across the organization | 1.1.0 |
| Access Control | 9.4.1 | Information access restriction | Notify when account is not needed | 1.1.0 |
| Access Control | 9.4.1 | Information access restriction | Require approval for account creation | 1.1.0 |
| Access Control | 9.4.1 | Information access restriction | Review user groups and applications with access to sensitive data | 1.1.0 |
| Access Control | 9.4.2 | Secure log-on procedures | Accounts with owner permissions on Azure resources should be MFA enabled | 1.0.0 |
| Access Control | 9.4.2 | Secure log-on procedures | Accounts with read permissions on Azure resources should be MFA enabled | 1.0.0 |
| Access Control | 9.4.2 | Secure log-on procedures | Accounts with write permissions on Azure resources should be MFA enabled | 1.0.0 |
| Access Control | 9.4.2 | Secure log-on procedures | Adopt biometric authentication mechanisms | 1.1.0 |
| Access Control | 9.4.2 | Secure log-on procedures | Enable detection of network devices | 1.1.0 |
| Access Control | 9.4.2 | Secure log-on procedures | Enforce a limit of consecutive failed login attempts | 1.1.0 |
| Access Control | 9.4.2 | Secure log-on procedures | Enforce user uniqueness | 1.1.0 |
| Access Control | 9.4.2 | Secure log-on procedures | Establish electronic signature and certificate requirements | 1.1.0 |
| Access Control | 9.4.2 | Secure log-on procedures | Generate error messages | 1.1.0 |
| Access Control | 9.4.2 | Secure log-on procedures | Identify actions allowed without authentication | 1.1.0 |
| Access Control | 9.4.2 | Secure log-on procedures | Identify and authenticate non-organizational users | 1.1.0 |
| Access Control | 9.4.2 | Secure log-on procedures | Obscure feedback information during authentication process | 1.1.0 |
| Access Control | 9.4.2 | Secure log-on procedures | Reveal error messages | 1.1.0 |
| Access Control | 9.4.2 | Secure log-on procedures | Route traffic through managed network access points | 1.1.0 |
| Access Control | 9.4.2 | Secure log-on procedures | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| Access Control | 9.4.2 | Secure log-on procedures | Support personal verification credentials issued by legal authorities | 1.1.0 |
| Access Control | 9.4.2 | Secure log-on procedures | Terminate user session automatically | 1.1.0 |
| Access Control | 9.4.3 | Password management system | Disable authenticators upon termination | 1.1.0 |
| Access Control | 9.4.3 | Password management system | Document security strength requirements in acquisition contracts | 1.1.0 |
| Access Control | 9.4.3 | Password management system | Establish a password policy | 1.1.0 |
| Access Control | 9.4.3 | Password management system | Establish authenticator types and processes | 1.1.0 |
| Access Control | 9.4.3 | Password management system | Establish procedures for initial authenticator distribution | 1.1.0 |
| Access Control | 9.4.3 | Password management system | Implement parameters for memorized secret verifiers | 1.1.0 |
| Access Control | 9.4.3 | Password management system | Implement training for protecting authenticators | 1.1.0 |
| Access Control | 9.4.3 | Password management system | Manage authenticator lifetime and reuse | 1.1.0 |
| Access Control | 9.4.3 | Password management system | Manage Authenticators | 1.1.0 |
| Access Control | 9.4.3 | Password management system | Protect passwords with encryption | 1.1.0 |
| Access Control | 9.4.3 | Password management system | Refresh authenticators | 1.1.0 |
| Access Control | 9.4.3 | Password management system | Reissue authenticators for changed groups and accounts | 1.1.0 |
| Access Control | 9.4.3 | Password management system | Revoke privileged roles as appropriate | 1.1.0 |
| Access Control | 9.4.3 | Password management system | Verify identity before distributing authenticators | 1.1.0 |
| Access Control | 9.4.4 | Use of privileged utility programs | Authorize access to security functions and information | 1.1.0 |
| Access Control | 9.4.4 | Use of privileged utility programs | Authorize and manage access | 1.1.0 |
| Access Control | 9.4.4 | Use of privileged utility programs | Design an access control model | 1.1.0 |
| Access Control | 9.4.4 | Use of privileged utility programs | Employ least privilege access | 1.1.0 |
| Access Control | 9.4.4 | Use of privileged utility programs | Enforce logical access | 1.1.0 |
| Access Control | 9.4.4 | Use of privileged utility programs | Enforce mandatory and discretionary access control policies | 1.1.0 |
| Access Control | 9.4.4 | Use of privileged utility programs | Require approval for account creation | 1.1.0 |
| Access Control | 9.4.4 | Use of privileged utility programs | Restrict access to privileged accounts | 1.1.0 |
| Access Control | 9.4.4 | Use of privileged utility programs | Review user groups and applications with access to sensitive data | 1.1.0 |
| Access Control | 9.4.5 | Access control to program source code | Authorize access to security functions and information | 1.1.0 |
| Access Control | 9.4.5 | Access control to program source code | Authorize and manage access | 1.1.0 |
| Access Control | 9.4.5 | Access control to program source code | Design an access control model | 1.1.0 |
| Access Control | 9.4.5 | Access control to program source code | Employ least privilege access | 1.1.0 |
| Access Control | 9.4.5 | Access control to program source code | Enforce logical access | 1.1.0 |
| Access Control | 9.4.5 | Access control to program source code | Enforce mandatory and discretionary access control policies | 1.1.0 |
| Access Control | 9.4.5 | Access control to program source code | Establish and document change control processes | 1.1.0 |
| Access Control | 9.4.5 | Access control to program source code | Limit privileges to make changes in production environment | 1.1.0 |
| Access Control | 9.4.5 | Access control to program source code | Require approval for account creation | 1.1.0 |
| Access Control | 9.4.5 | Access control to program source code | Review user groups and applications with access to sensitive data | 1.1.0 |
| Improvement | ISO 27001:2013 C.10.1.d | Nonconformity and corrective action | Update POA&M items | 1.1.0 |
| Improvement | ISO 27001:2013 C.10.1.e | Nonconformity and corrective action | Update POA&M items | 1.1.0 |
| Improvement | ISO 27001:2013 C.10.1.f | Nonconformity and corrective action | Establish configuration management requirements for developers | 1.1.0 |
| Improvement | ISO 27001:2013 C.10.1.f | Nonconformity and corrective action | Perform audit for configuration change control | 1.1.0 |
| Improvement | ISO 27001:2013 C.10.1.f | Nonconformity and corrective action | Update POA&M items | 1.1.0 |
| Improvement | ISO 27001:2013 C.10.1.g | Nonconformity and corrective action | Establish configuration management requirements for developers | 1.1.0 |
| Improvement | ISO 27001:2013 C.10.1.g | Nonconformity and corrective action | Perform audit for configuration change control | 1.1.0 |
| Improvement | ISO 27001:2013 C.10.1.g | Nonconformity and corrective action | Update POA&M items | 1.1.0 |
| Context of the organization | ISO 27001:2013 C.4.3.a | Determining the scope of the information security management system | Develop SSP that meets criteria | 1.1.0 |
| Context of the organization | ISO 27001:2013 C.4.3.a | Determining the scope of the information security management system | Establish an information security program | 1.1.0 |
| Context of the organization | ISO 27001:2013 C.4.3.a | Determining the scope of the information security management system | Update information security policies | 1.1.0 |
| Context of the organization | ISO 27001:2013 C.4.3.b | Determining the scope of the information security management system | Develop SSP that meets criteria | 1.1.0 |
| Context of the organization | ISO 27001:2013 C.4.3.b | Determining the scope of the information security management system | Establish an information security program | 1.1.0 |
| Context of the organization | ISO 27001:2013 C.4.3.b | Determining the scope of the information security management system | Update information security policies | 1.1.0 |
| Context of the organization | ISO 27001:2013 C.4.3.c | Determining the scope of the information security management system | Align business objectives and IT goals | 1.1.0 |
| Context of the organization | ISO 27001:2013 C.4.3.c | Determining the scope of the information security management system | Determine supplier contract obligations | 1.1.0 |
| Context of the organization | ISO 27001:2013 C.4.3.c | Determining the scope of the information security management system | Develop SSP that meets criteria | 1.1.0 |
| Context of the organization | ISO 27001:2013 C.4.3.c | Determining the scope of the information security management system | Document acquisition contract acceptance criteria | 1.1.0 |
| Context of the organization | ISO 27001:2013 C.4.3.c | Determining the scope of the information security management system | Document protection of personal data in acquisition contracts | 1.1.0 |
| Context of the organization | ISO 27001:2013 C.4.3.c | Determining the scope of the information security management system | Document protection of security information in acquisition contracts | 1.1.0 |
| Context of the organization | ISO 27001:2013 C.4.3.c | Determining the scope of the information security management system | Document requirements for the use of shared data in contracts | 1.1.0 |
| Context of the organization | ISO 27001:2013 C.4.3.c | Determining the scope of the information security management system | Document security assurance requirements in acquisition contracts | 1.1.0 |
| Context of the organization | ISO 27001:2013 C.4.3.c | Determining the scope of the information security management system | Document security documentation requirements in acquisition contract | 1.1.0 |
| Context of the organization | ISO 27001:2013 C.4.3.c | Determining the scope of the information security management system | Document security functional requirements in acquisition contracts | 1.1.0 |
| Context of the organization | ISO 27001:2013 C.4.3.c | Determining the scope of the information security management system | Document security strength requirements in acquisition contracts | 1.1.0 |
| Context of the organization | ISO 27001:2013 C.4.3.c | Determining the scope of the information security management system | Document the information system environment in acquisition contracts | 1.1.0 |
| Context of the organization | ISO 27001:2013 C.4.3.c | Determining the scope of the information security management system | Document the protection of cardholder data in third party contracts | 1.1.0 |
| Context of the organization | ISO 27001:2013 C.4.3.c | Determining the scope of the information security management system | Employ business case to record the resources required | 1.1.0 |
| Context of the organization | ISO 27001:2013 C.4.3.c | Determining the scope of the information security management system | Ensure capital planning and investment requests include necessary resources | 1.1.0 |
| Context of the organization | ISO 27001:2013 C.4.3.c | Determining the scope of the information security management system | Establish privacy requirements for contractors and service providers | 1.1.0 |
| Context of the organization | ISO 27001:2013 C.4.3.c | Determining the scope of the information security management system | Govern the allocation of resources | 1.1.0 |
| Context of the organization | ISO 27001:2013 C.4.3.c | Determining the scope of the information security management system | Secure commitment from leadership | 1.1.0 |
| Context of the organization | ISO 27001:2013 C.4.4 | Information security management system | Develop access control policies and procedures | 1.1.0 |
| Context of the organization | ISO 27001:2013 C.4.4 | Information security management system | Document security and privacy training activities | 1.1.0 |
| Context of the organization | ISO 27001:2013 C.4.4 | Information security management system | Establish a privacy program | 1.1.0 |
| Context of the organization | ISO 27001:2013 C.4.4 | Information security management system | Govern policies and procedures | 1.1.0 |
| Context of the organization | ISO 27001:2013 C.4.4 | Information security management system | Update privacy plan, policies, and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.a | Leadership and commitment | Appoint a senior information security officer | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.a | Leadership and commitment | Develop access control policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.a | Leadership and commitment | Document security and privacy training activities | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.a | Leadership and commitment | Establish a privacy program | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.a | Leadership and commitment | Govern policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.a | Leadership and commitment | Update privacy plan, policies, and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.b | Leadership and commitment | Appoint a senior information security officer | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.b | Leadership and commitment | Develop access control policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.b | Leadership and commitment | Develop audit and accountability policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.b | Leadership and commitment | Develop information security policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.b | Leadership and commitment | Document security and privacy training activities | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.b | Leadership and commitment | Establish a privacy program | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.b | Leadership and commitment | Establish an information security program | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.b | Leadership and commitment | Establish and document change control processes | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.b | Leadership and commitment | Establish configuration management requirements for developers | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.b | Leadership and commitment | Govern policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.b | Leadership and commitment | Perform audit for configuration change control | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.b | Leadership and commitment | Review access control policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.b | Leadership and commitment | Review and update configuration management policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.b | Leadership and commitment | Review and update contingency planning policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.b | Leadership and commitment | Review and update identification and authentication policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.b | Leadership and commitment | Review and update incident response policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.b | Leadership and commitment | Review and update information integrity policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.b | Leadership and commitment | Review and update media protection policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.b | Leadership and commitment | Review and update personnel security policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.b | Leadership and commitment | Review and update physical and environmental policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.b | Leadership and commitment | Review and update planning policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.b | Leadership and commitment | Review and update risk assessment policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.b | Leadership and commitment | Review and update system and communications protection policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.b | Leadership and commitment | Review and update system and services acquisition policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.b | Leadership and commitment | Review and update system maintenance policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.b | Leadership and commitment | Review security assessment and authorization policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.b | Leadership and commitment | Update information security policies | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.b | Leadership and commitment | Update privacy plan, policies, and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.c | Leadership and commitment | Align business objectives and IT goals | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.c | Leadership and commitment | Allocate resources in determining information system requirements | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.c | Leadership and commitment | Appoint a senior information security officer | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.c | Leadership and commitment | Employ business case to record the resources required | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.c | Leadership and commitment | Ensure capital planning and investment requests include necessary resources | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.c | Leadership and commitment | Ensure privacy program information is publicly available | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.c | Leadership and commitment | Establish a discrete line item in budgeting documentation | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.c | Leadership and commitment | Establish a privacy program | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.c | Leadership and commitment | Govern the allocation of resources | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.c | Leadership and commitment | Secure commitment from leadership | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.d | Leadership and commitment | Appoint a senior information security officer | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.e | Leadership and commitment | Appoint a senior information security officer | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.e | Leadership and commitment | Define performance metrics | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.e | Leadership and commitment | Establish an information security program | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.f | Leadership and commitment | Align business objectives and IT goals | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.f | Leadership and commitment | Allocate resources in determining information system requirements | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.f | Leadership and commitment | Appoint a senior information security officer | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.f | Leadership and commitment | Employ business case to record the resources required | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.f | Leadership and commitment | Ensure capital planning and investment requests include necessary resources | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.f | Leadership and commitment | Establish a discrete line item in budgeting documentation | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.f | Leadership and commitment | Establish a privacy program | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.f | Leadership and commitment | Govern the allocation of resources | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.f | Leadership and commitment | Secure commitment from leadership | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.g | Leadership and commitment | Appoint a senior information security officer | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.g | Leadership and commitment | Define performance metrics | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.g | Leadership and commitment | Establish an information security program | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.1.h | Leadership and commitment | Appoint a senior information security officer | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.a | Policy | Develop access control policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.a | Policy | Document security and privacy training activities | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.a | Policy | Govern policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.a | Policy | Update privacy plan, policies, and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.b | Policy | Develop access control policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.b | Policy | Document security and privacy training activities | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.b | Policy | Govern policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.b | Policy | Update privacy plan, policies, and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.c | Policy | Develop access control policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.c | Policy | Develop audit and accountability policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.c | Policy | Develop information security policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.c | Policy | Document security and privacy training activities | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.c | Policy | Establish an information security program | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.c | Policy | Govern policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.c | Policy | Review access control policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.c | Policy | Review and update configuration management policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.c | Policy | Review and update contingency planning policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.c | Policy | Review and update identification and authentication policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.c | Policy | Review and update incident response policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.c | Policy | Review and update information integrity policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.c | Policy | Review and update media protection policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.c | Policy | Review and update personnel security policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.c | Policy | Review and update physical and environmental policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.c | Policy | Review and update planning policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.c | Policy | Review and update risk assessment policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.c | Policy | Review and update system and communications protection policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.c | Policy | Review and update system and services acquisition policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.c | Policy | Review and update system maintenance policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.c | Policy | Review security assessment and authorization policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.c | Policy | Update information security policies | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.c | Policy | Update privacy plan, policies, and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.d | Policy | Develop access control policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.d | Policy | Develop audit and accountability policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.d | Policy | Develop information security policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.d | Policy | Document security and privacy training activities | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.d | Policy | Establish an information security program | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.d | Policy | Govern policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.d | Policy | Review access control policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.d | Policy | Review and update configuration management policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.d | Policy | Review and update contingency planning policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.d | Policy | Review and update identification and authentication policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.d | Policy | Review and update incident response policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.d | Policy | Review and update information integrity policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.d | Policy | Review and update media protection policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.d | Policy | Review and update personnel security policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.d | Policy | Review and update physical and environmental policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.d | Policy | Review and update planning policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.d | Policy | Review and update risk assessment policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.d | Policy | Review and update system and communications protection policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.d | Policy | Review and update system and services acquisition policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.d | Policy | Review and update system maintenance policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.d | Policy | Review security assessment and authorization policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.d | Policy | Update information security policies | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.d | Policy | Update privacy plan, policies, and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.e | Policy | Develop access control policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.e | Policy | Document security and privacy training activities | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.e | Policy | Govern policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.e | Policy | Update privacy plan, policies, and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.f | Policy | Develop access control policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.f | Policy | Document security and privacy training activities | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.f | Policy | Govern policies and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.f | Policy | Update privacy plan, policies, and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.2.g | Policy | Update privacy plan, policies, and procedures | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.3.b | Organizational roles, responsibilities and authorities | Define performance metrics | 1.1.0 |
| Leadership | ISO 27001:2013 C.5.3.b | Organizational roles, responsibilities and authorities | Establish an information security program | 1.1.0 |
| Planning | ISO 27001:2013 C.6.1.1.a | General | Develop POA&M | 1.1.0 |
| Planning | ISO 27001:2013 C.6.1.1.a | General | Establish a risk management strategy | 1.1.0 |
| Planning | ISO 27001:2013 C.6.1.1.a | General | Implement the risk management strategy | 1.1.0 |
| Planning | ISO 27001:2013 C.6.1.1.b | General | Develop POA&M | 1.1.0 |
| Planning | ISO 27001:2013 C.6.1.1.b | General | Establish a risk management strategy | 1.1.0 |
| Planning | ISO 27001:2013 C.6.1.1.b | General | Implement the risk management strategy | 1.1.0 |
| Planning | ISO 27001:2013 C.6.1.1.c | General | Develop POA&M | 1.1.0 |
| Planning | ISO 27001:2013 C.6.1.1.c | General | Establish a risk management strategy | 1.1.0 |
| Planning | ISO 27001:2013 C.6.1.1.c | General | Implement the risk management strategy | 1.1.0 |
| Planning | ISO 27001:2013 C.6.1.1.d | General | Develop POA&M | 1.1.0 |
| Planning | ISO 27001:2013 C.6.1.1.d | General | Establish a risk management strategy | 1.1.0 |
| Planning | ISO 27001:2013 C.6.1.1.d | General | Implement the risk management strategy | 1.1.0 |
| Planning | ISO 27001:2013 C.6.1.1.e.1 | General | Develop POA&M | 1.1.0 |
| Planning | ISO 27001:2013 C.6.1.1.e.1 | General | Establish a risk management strategy | 1.1.0 |
| Planning | ISO 27001:2013 C.6.1.1.e.1 | General | Implement the risk management strategy | 1.1.0 |
| Planning | ISO 27001:2013 C.6.1.1.e.2 | General | Establish a risk management strategy | 1.1.0 |
| Planning | ISO 27001:2013 C.6.1.1.e.2 | General | Implement the risk management strategy | 1.1.0 |
| Planning | ISO 27001:2013 C.6.1.1.e.2 | General | Update POA&M items | 1.1.0 |
| Planning | ISO 27001:2013 C.6.1.2.a.1 | Information security risk assessment | Establish a risk management strategy | 1.1.0 |
| Planning | ISO 27001:2013 C.6.1.2.a.1 | Information security risk assessment | Implement the risk management strategy | 1.1.0 |
| Planning | ISO 27001:2013 C.6.1.2.a.2 | Information security risk assessment | Establish a risk management strategy | 1.1.0 |
| Planning | ISO 27001:2013 C.6.1.2.a.2 | Information security risk assessment | Implement the risk management strategy | 1.1.0 |
| Planning | ISO 27001:2013 C.6.1.2.b | Information security risk assessment | Implement the risk management strategy | 1.1.0 |
| Planning | ISO 27001:2013 C.6.1.2.c.1 | Information security risk assessment | Implement the risk management strategy | 1.1.0 |
| Planning | ISO 27001:2013 C.6.1.2.c.1 | Information security risk assessment | Perform a risk assessment | 1.1.0 |
| Planning | ISO 27001:2013 C.6.1.2.c.2 | Information security risk assessment | Implement the risk management strategy | 1.1.0 |
| Planning | ISO 27001:2013 C.6.1.2.c.2 | Information security risk assessment | Perform a risk assessment | 1.1.0 |
| Planning | ISO 27001:2013 C.6.1.2.d.1 | Information security risk assessment | Implement the risk management strategy | 1.1.0 |
| Planning | ISO 27001:2013 C.6.1.2.d.1 | Information security risk assessment | Perform a risk assessment | 1.1.0 |
| Planning | ISO 27001:2013 C.6.1.2.d.2 | Information security risk assessment | Implement the risk management strategy | 1.1.0 |
| Planning | ISO 27001:2013 C.6.1.2.d.2 | Information security risk assessment | Perform a risk assessment | 1.1.0 |
| Planning | ISO 27001:2013 C.6.1.2.d.3 | Information security risk assessment | Implement the risk management strategy | 1.1.0 |
| Planning | ISO 27001:2013 C.6.1.2.d.3 | Information security risk assessment | Perform a risk assessment | 1.1.0 |
| Planning | ISO 27001:2013 C.6.1.2.e.1 | Information security risk assessment | Implement the risk management strategy | 1.1.0 |
| Planning | ISO 27001:2013 C.6.1.2.e.1 | Information security risk assessment | Perform a risk assessment | 1.1.0 |
| Planning | ISO 27001:2013 C.6.1.2.e.2 | Information security risk assessment | Implement the risk management strategy | 1.1.0 |
| Planning | ISO 27001:2013 C.6.1.2.e.2 | Information security risk assessment | Perform a risk assessment | 1.1.0 |
| Planning | ISO 27001:2013 C.6.1.3.a | Information security risk treatment | Develop POA&M | 1.1.0 |
| Planning | ISO 27001:2013 C.6.1.3.b | Information security risk treatment | Develop POA&M | 1.1.0 |
| Planning | ISO 27001:2013 C.6.1.3.c | Information security risk treatment | Develop POA&M | 1.1.0 |
| Planning | ISO 27001:2013 C.6.1.3.d | Information security risk treatment | Develop SSP that meets criteria | 1.1.0 |
| Planning | ISO 27001:2013 C.6.1.3.e | Information security risk treatment | Develop POA&M | 1.1.0 |
| Planning | ISO 27001:2013 C.6.1.3.f | Information security risk treatment | Develop POA&M | 1.1.0 |
| Planning | ISO 27001:2013 C.6.2.e | Information security objectives and planning to achieve them | Establish an information security program | 1.1.0 |
| Planning | ISO 27001:2013 C.6.2.e | Information security objectives and planning to achieve them | Update information security policies | 1.1.0 |
| Support | ISO 27001:2013 C.7.1 | Resources | Align business objectives and IT goals | 1.1.0 |
| Support | ISO 27001:2013 C.7.1 | Resources | Allocate resources in determining information system requirements | 1.1.0 |
| Support | ISO 27001:2013 C.7.1 | Resources | Employ business case to record the resources required | 1.1.0 |
| Support | ISO 27001:2013 C.7.1 | Resources | Ensure capital planning and investment requests include necessary resources | 1.1.0 |
| Support | ISO 27001:2013 C.7.1 | Resources | Establish a discrete line item in budgeting documentation | 1.1.0 |
| Support | ISO 27001:2013 C.7.1 | Resources | Govern the allocation of resources | 1.1.0 |
| Support | ISO 27001:2013 C.7.1 | Resources | Secure commitment from leadership | 1.1.0 |
| Support | ISO 27001:2013 C.7.2.a | Competence | Document personnel acceptance of privacy requirements | 1.1.0 |
| Support | ISO 27001:2013 C.7.2.a | Competence | Monitor security and privacy training completion | 1.1.0 |
| Support | ISO 27001:2013 C.7.2.a | Competence | Provide privacy training | 1.1.0 |
| Support | ISO 27001:2013 C.7.2.b | Competence | Monitor security and privacy training completion | 1.1.0 |
| Support | ISO 27001:2013 C.7.2.c | Competence | Monitor security and privacy training completion | 1.1.0 |
| Support | ISO 27001:2013 C.7.2.d | Competence | Retain training records | 1.1.0 |
| Support | ISO 27001:2013 C.7.3.a | Awareness | Develop acceptable use policies and procedures | 1.1.0 |
| Support | ISO 27001:2013 C.7.3.a | Awareness | Enforce rules of behavior and access agreements | 1.1.0 |
| Support | ISO 27001:2013 C.7.3.a | Awareness | Provide privacy training | 1.1.0 |
| Support | ISO 27001:2013 C.7.3.b | Awareness | Develop acceptable use policies and procedures | 1.1.0 |
| Support | ISO 27001:2013 C.7.3.b | Awareness | Enforce rules of behavior and access agreements | 1.1.0 |
| Support | ISO 27001:2013 C.7.3.b | Awareness | Provide privacy training | 1.1.0 |
| Support | ISO 27001:2013 C.7.3.c | Awareness | Develop acceptable use policies and procedures | 1.1.0 |
| Support | ISO 27001:2013 C.7.3.c | Awareness | Enforce rules of behavior and access agreements | 1.1.0 |
| Support | ISO 27001:2013 C.7.3.c | Awareness | Provide privacy training | 1.1.0 |
| Support | ISO 27001:2013 C.7.4.a | Communication | Designate authorized personnel to post publicly accessible information | 1.1.0 |
| Support | ISO 27001:2013 C.7.4.a | Communication | Develop and establish a system security plan | 1.1.0 |
| Support | ISO 27001:2013 C.7.4.a | Communication | Establish security requirements for the manufacturing of connected devices | 1.1.0 |
| Support | ISO 27001:2013 C.7.4.a | Communication | Implement security engineering principles of information systems | 1.1.0 |
| Support | ISO 27001:2013 C.7.4.b | Communication | Designate authorized personnel to post publicly accessible information | 1.1.0 |
| Support | ISO 27001:2013 C.7.4.b | Communication | Develop and establish a system security plan | 1.1.0 |
| Support | ISO 27001:2013 C.7.4.b | Communication | Establish security requirements for the manufacturing of connected devices | 1.1.0 |
| Support | ISO 27001:2013 C.7.4.b | Communication | Implement security engineering principles of information systems | 1.1.0 |
| Support | ISO 27001:2013 C.7.4.c | Communication | Designate authorized personnel to post publicly accessible information | 1.1.0 |
| Support | ISO 27001:2013 C.7.4.c | Communication | Develop and establish a system security plan | 1.1.0 |
| Support | ISO 27001:2013 C.7.4.c | Communication | Establish security requirements for the manufacturing of connected devices | 1.1.0 |
| Support | ISO 27001:2013 C.7.4.c | Communication | Implement security engineering principles of information systems | 1.1.0 |
| Support | ISO 27001:2013 C.7.4.d | Communication | Designate authorized personnel to post publicly accessible information | 1.1.0 |
| Support | ISO 27001:2013 C.7.4.d | Communication | Develop and establish a system security plan | 1.1.0 |
| Support | ISO 27001:2013 C.7.4.d | Communication | Establish security requirements for the manufacturing of connected devices | 1.1.0 |
| Support | ISO 27001:2013 C.7.4.d | Communication | Implement security engineering principles of information systems | 1.1.0 |
| Support | ISO 27001:2013 C.7.4.e | Communication | Designate authorized personnel to post publicly accessible information | 1.1.0 |
| Support | ISO 27001:2013 C.7.4.e | Communication | Develop and establish a system security plan | 1.1.0 |
| Support | ISO 27001:2013 C.7.4.e | Communication | Establish security requirements for the manufacturing of connected devices | 1.1.0 |
| Support | ISO 27001:2013 C.7.4.e | Communication | Implement security engineering principles of information systems | 1.1.0 |
| Support | ISO 27001:2013 C.7.5.2.c | Creating and updating | Develop SSP that meets criteria | 1.1.0 |
| Support | ISO 27001:2013 C.7.5.3.a | Control of documented information | Review and update planning policies and procedures | 1.1.0 |
| Support | ISO 27001:2013 C.7.5.3.b | Control of documented information | Develop and establish a system security plan | 1.1.0 |
| Support | ISO 27001:2013 C.7.5.3.b | Control of documented information | Establish security requirements for the manufacturing of connected devices | 1.1.0 |
| Support | ISO 27001:2013 C.7.5.3.b | Control of documented information | Implement security engineering principles of information systems | 1.1.0 |
| Support | ISO 27001:2013 C.7.5.3.c | Control of documented information | Review and update planning policies and procedures | 1.1.0 |
| Support | ISO 27001:2013 C.7.5.3.d | Control of documented information | Develop and establish a system security plan | 1.1.0 |
| Support | ISO 27001:2013 C.7.5.3.d | Control of documented information | Establish security requirements for the manufacturing of connected devices | 1.1.0 |
| Support | ISO 27001:2013 C.7.5.3.d | Control of documented information | Implement security engineering principles of information systems | 1.1.0 |
| Support | ISO 27001:2013 C.7.5.3.e | Control of documented information | Develop and establish a system security plan | 1.1.0 |
| Support | ISO 27001:2013 C.7.5.3.e | Control of documented information | Establish security requirements for the manufacturing of connected devices | 1.1.0 |
| Support | ISO 27001:2013 C.7.5.3.e | Control of documented information | Implement security engineering principles of information systems | 1.1.0 |
| Support | ISO 27001:2013 C.7.5.3.f | Control of documented information | Develop and establish a system security plan | 1.1.0 |
| Support | ISO 27001:2013 C.7.5.3.f | Control of documented information | Establish and document change control processes | 1.1.0 |
| Support | ISO 27001:2013 C.7.5.3.f | Control of documented information | Establish configuration management requirements for developers | 1.1.0 |
| Support | ISO 27001:2013 C.7.5.3.f | Control of documented information | Establish security requirements for the manufacturing of connected devices | 1.1.0 |
| Support | ISO 27001:2013 C.7.5.3.f | Control of documented information | Implement security engineering principles of information systems | 1.1.0 |
| Support | ISO 27001:2013 C.7.5.3.f | Control of documented information | Perform audit for configuration change control | 1.1.0 |
| Support | ISO 27001:2013 C.7.5.3.f | Control of documented information | Review and update planning policies and procedures | 1.1.0 |
| Operation | ISO 27001:2013 C.8.1 | Operational planning and control | Automate approval request for proposed changes | 1.1.0 |
| Operation | ISO 27001:2013 C.8.1 | Operational planning and control | Automate implementation of approved change notifications | 1.1.0 |
| Operation | ISO 27001:2013 C.8.1 | Operational planning and control | Automate process to document implemented changes | 1.1.0 |
| Operation | ISO 27001:2013 C.8.1 | Operational planning and control | Automate process to highlight unreviewed change proposals | 1.1.0 |
| Operation | ISO 27001:2013 C.8.1 | Operational planning and control | Automate process to prohibit implementation of unapproved changes | 1.1.0 |
| Operation | ISO 27001:2013 C.8.1 | Operational planning and control | Automate proposed documented changes | 1.1.0 |
| Operation | ISO 27001:2013 C.8.1 | Operational planning and control | Conduct a security impact analysis | 1.1.0 |
| Operation | ISO 27001:2013 C.8.1 | Operational planning and control | Develop and maintain a vulnerability management standard | 1.1.0 |
| Operation | ISO 27001:2013 C.8.1 | Operational planning and control | Develop POA&M | 1.1.0 |
| Operation | ISO 27001:2013 C.8.1 | Operational planning and control | Enforce security configuration settings | 1.1.0 |
| Operation | ISO 27001:2013 C.8.1 | Operational planning and control | Establish and document change control processes | 1.1.0 |
| Operation | ISO 27001:2013 C.8.1 | Operational planning and control | Establish configuration management requirements for developers | 1.1.0 |
| Operation | ISO 27001:2013 C.8.1 | Operational planning and control | Perform a privacy impact assessment | 1.1.0 |
| Operation | ISO 27001:2013 C.8.1 | Operational planning and control | Perform a risk assessment | 1.1.0 |
| Operation | ISO 27001:2013 C.8.1 | Operational planning and control | Perform audit for configuration change control | 1.1.0 |
| Operation | ISO 27001:2013 C.8.1 | Operational planning and control | Remediate information system flaws | 1.1.0 |
| Operation | ISO 27001:2013 C.8.1 | Operational planning and control | Require developers to document approved changes and potential impact | 1.1.0 |
| Operation | ISO 27001:2013 C.8.1 | Operational planning and control | Require developers to implement only approved changes | 1.1.0 |
| Operation | ISO 27001:2013 C.8.1 | Operational planning and control | Require developers to manage change integrity | 1.1.0 |
| Operation | ISO 27001:2013 C.8.1 | Operational planning and control | Require external service providers to comply with security requirements | 1.1.0 |
| Operation | ISO 27001:2013 C.8.1 | Operational planning and control | Update POA&M items | 1.1.0 |
| Operation | ISO 27001:2013 C.8.2 | Information security risk assessment | Conduct risk assessment and document its results | 1.1.0 |
| Operation | ISO 27001:2013 C.8.2 | Information security risk assessment | Perform a risk assessment | 1.1.0 |
| Operation | ISO 27001:2013 C.8.2 | Information security risk assessment | Review and update risk assessment policies and procedures | 1.1.0 |
| Operation | ISO 27001:2013 C.8.3 | Information security risk treatment | Develop POA&M | 1.1.0 |
| Operation | ISO 27001:2013 C.8.3 | Information security risk treatment | Implement system boundary protection | 1.1.0 |
| Operation | ISO 27001:2013 C.8.3 | Information security risk treatment | Secure the interface to external systems | 1.1.0 |
| Operation | ISO 27001:2013 C.8.3 | Information security risk treatment | Update POA&M items | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.1.a | Monitoring, measurement, analysis and evaluation | Configure detection whitelist | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.1.a | Monitoring, measurement, analysis and evaluation | Turn on sensors for endpoint security solution | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.1.a | Monitoring, measurement, analysis and evaluation | Undergo independent security review | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.1.b | Monitoring, measurement, analysis and evaluation | Configure detection whitelist | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.1.b | Monitoring, measurement, analysis and evaluation | Turn on sensors for endpoint security solution | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.1.b | Monitoring, measurement, analysis and evaluation | Undergo independent security review | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.1.c | Monitoring, measurement, analysis and evaluation | Configure detection whitelist | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.1.c | Monitoring, measurement, analysis and evaluation | Turn on sensors for endpoint security solution | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.1.c | Monitoring, measurement, analysis and evaluation | Undergo independent security review | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.1.d | Monitoring, measurement, analysis and evaluation | Configure detection whitelist | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.1.d | Monitoring, measurement, analysis and evaluation | Turn on sensors for endpoint security solution | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.1.d | Monitoring, measurement, analysis and evaluation | Undergo independent security review | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.1.e | Monitoring, measurement, analysis and evaluation | Configure detection whitelist | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.1.e | Monitoring, measurement, analysis and evaluation | Turn on sensors for endpoint security solution | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.1.e | Monitoring, measurement, analysis and evaluation | Undergo independent security review | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.1.f | Monitoring, measurement, analysis and evaluation | Configure detection whitelist | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.1.f | Monitoring, measurement, analysis and evaluation | Turn on sensors for endpoint security solution | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.1.f | Monitoring, measurement, analysis and evaluation | Undergo independent security review | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.2.a.1 | Internal audit | Develop security assessment plan | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.2.a.2 | Internal audit | Develop security assessment plan | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.2.b | Internal audit | Develop security assessment plan | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.2.c | Internal audit | Assess Security Controls | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.2.c | Internal audit | Develop security assessment plan | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.2.d | Internal audit | Develop security assessment plan | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.2.e | Internal audit | Adjust level of audit review, analysis, and reporting | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.2.e | Internal audit | Develop audit and accountability policies and procedures | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.2.e | Internal audit | Develop information security policies and procedures | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.2.e | Internal audit | Employ independent assessors to conduct security control assessments | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.2.e | Internal audit | Update information security policies | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.2.f | Internal audit | Deliver security assessment results | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.2.g | Internal audit | Adhere to retention periods defined | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.2.g | Internal audit | Retain security policies and procedures | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.2.g | Internal audit | Retain terminated user data | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.3.a | Management review | Assess Security Controls | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.3.a | Management review | Conduct Risk Assessment | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.3.a | Management review | Develop POA&M | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.3.a | Management review | Implement plans of action and milestones for security program process | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.3.a | Management review | Update POA&M items | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.3.b | Management review | Assess Security Controls | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.3.b | Management review | Conduct Risk Assessment | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.3.b | Management review | Develop POA&M | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.3.b | Management review | Update POA&M items | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.3.c.1 | Management review | Assess Security Controls | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.3.c.1 | Management review | Conduct Risk Assessment | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.3.c.1 | Management review | Define performance metrics | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.3.c.1 | Management review | Develop POA&M | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.3.c.1 | Management review | Establish an information security program | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.3.c.1 | Management review | Update POA&M items | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.3.c.2 | Management review | Assess Security Controls | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.3.c.2 | Management review | Conduct Risk Assessment | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.3.c.2 | Management review | Develop POA&M | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.3.c.2 | Management review | Update POA&M items | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.3.c.3 | Management review | Assess Security Controls | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.3.c.3 | Management review | Conduct Risk Assessment | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.3.c.3 | Management review | Define performance metrics | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.3.c.3 | Management review | Update POA&M items | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.3.c.4 | Management review | Assess Security Controls | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.3.c.4 | Management review | Conduct Risk Assessment | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.3.c.4 | Management review | Define performance metrics | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.3.c.4 | Management review | Update POA&M items | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.3.d | Management review | Assess Security Controls | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.3.d | Management review | Conduct Risk Assessment | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.3.d | Management review | Update POA&M items | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.3.e | Management review | Assess Security Controls | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.3.e | Management review | Conduct Risk Assessment | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.3.e | Management review | Update POA&M items | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.3.f | Management review | Assess Security Controls | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.3.f | Management review | Conduct Risk Assessment | 1.1.0 |
| Performance Evaluation | ISO 27001:2013 C.9.3.f | Management review | Update POA&M items | 1.1.0 |
Microsoft Cloud for Sovereignty Baseline Confidential Policies
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for MCfS Sovereignty Baseline Confidential Policies. For more information about this compliance standard, see Microsoft Cloud for Sovereignty Policy portfolio.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| SO.1 - Data Residency | SO.1 | Azure products must be deployed to and configured to use approved regions. | Allowed locations for resource groups | 1.0.0 |
Microsoft Cloud for Sovereignty Baseline Global Policies
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for MCfS Sovereignty Baseline Global Policies. For more information about this compliance standard, see Microsoft Cloud for Sovereignty Policy portfolio.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| SO.1 - Data Residency | SO.1 | Azure products must be deployed to and configured to use approved regions. | Allowed locations for resource groups | 1.0.0 |
Microsoft cloud security benchmark
The Microsoft cloud security benchmark provides recommendations on how you can secure your cloud solutions on Azure. To see how this service completely maps to the Microsoft cloud security benchmark, see the Azure Security Benchmark mapping files.
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Microsoft cloud security benchmark.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| Identity Management | IM-6 | Use strong authentication controls | Accounts with owner permissions on Azure resources should be MFA enabled | 1.0.0 |
| Identity Management | IM-6 | Use strong authentication controls | Accounts with read permissions on Azure resources should be MFA enabled | 1.0.0 |
| Identity Management | IM-6 | Use strong authentication controls | Accounts with write permissions on Azure resources should be MFA enabled | 1.0.0 |
| Privileged Access | PA-1 | Separate and limit highly privileged/administrative users | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| Privileged Access | PA-1 | Separate and limit highly privileged/administrative users | Blocked accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| Privileged Access | PA-1 | Separate and limit highly privileged/administrative users | Guest accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| Privileged Access | PA-1 | Separate and limit highly privileged/administrative users | There should be more than one owner assigned to your subscription | 3.0.0 |
| Privileged Access | PA-4 | Review and reconcile user access regularly | Blocked accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| Privileged Access | PA-4 | Review and reconcile user access regularly | Blocked accounts with read and write permissions on Azure resources should be removed | 1.0.0 |
| Privileged Access | PA-4 | Review and reconcile user access regularly | Guest accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| Privileged Access | PA-4 | Review and reconcile user access regularly | Guest accounts with read permissions on Azure resources should be removed | 1.0.0 |
| Privileged Access | PA-4 | Review and reconcile user access regularly | Guest accounts with write permissions on Azure resources should be removed | 1.0.0 |
| Data Protection | DP-1 | Discover, classify, and label sensitive data | Microsoft Defender for APIs should be enabled | 1.0.3 |
| Data Protection | DP-2 | Monitor anomalies and threats targeting sensitive data | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Data Protection | DP-2 | Monitor anomalies and threats targeting sensitive data | Azure Defender for open-source relational databases should be enabled | 1.0.0 |
| Data Protection | DP-2 | Monitor anomalies and threats targeting sensitive data | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Data Protection | DP-2 | Monitor anomalies and threats targeting sensitive data | Microsoft Defender for APIs should be enabled | 1.0.3 |
| Data Protection | DP-2 | Monitor anomalies and threats targeting sensitive data | Microsoft Defender for Storage should be enabled | 1.0.0 |
| Data Protection | DP-8 | Ensure security of key and certificate repository | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Logging and Threat Detection | LT-1 | Enable threat detection capabilities | Azure Defender for App Service should be enabled | 1.0.3 |
| Logging and Threat Detection | LT-1 | Enable threat detection capabilities | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Logging and Threat Detection | LT-1 | Enable threat detection capabilities | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Logging and Threat Detection | LT-1 | Enable threat detection capabilities | Azure Defender for open-source relational databases should be enabled | 1.0.0 |
| Logging and Threat Detection | LT-1 | Enable threat detection capabilities | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| Logging and Threat Detection | LT-1 | Enable threat detection capabilities | Azure Defender for servers should be enabled | 1.0.3 |
| Logging and Threat Detection | LT-1 | Enable threat detection capabilities | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Logging and Threat Detection | LT-1 | Enable threat detection capabilities | Microsoft Defender CSPM should be enabled | 1.0.0 |
| Logging and Threat Detection | LT-1 | Enable threat detection capabilities | Microsoft Defender for APIs should be enabled | 1.0.3 |
| Logging and Threat Detection | LT-1 | Enable threat detection capabilities | Microsoft Defender for Containers should be enabled | 1.0.0 |
| Logging and Threat Detection | LT-1 | Enable threat detection capabilities | Microsoft Defender for Storage should be enabled | 1.0.0 |
| Logging and Threat Detection | LT-2 | Enable threat detection for identity and access management | Azure Defender for App Service should be enabled | 1.0.3 |
| Logging and Threat Detection | LT-2 | Enable threat detection for identity and access management | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Logging and Threat Detection | LT-2 | Enable threat detection for identity and access management | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Logging and Threat Detection | LT-2 | Enable threat detection for identity and access management | Azure Defender for open-source relational databases should be enabled | 1.0.0 |
| Logging and Threat Detection | LT-2 | Enable threat detection for identity and access management | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| Logging and Threat Detection | LT-2 | Enable threat detection for identity and access management | Azure Defender for servers should be enabled | 1.0.3 |
| Logging and Threat Detection | LT-2 | Enable threat detection for identity and access management | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Logging and Threat Detection | LT-2 | Enable threat detection for identity and access management | Microsoft Defender CSPM should be enabled | 1.0.0 |
| Logging and Threat Detection | LT-2 | Enable threat detection for identity and access management | Microsoft Defender for Containers should be enabled | 1.0.0 |
| Logging and Threat Detection | LT-2 | Enable threat detection for identity and access management | Microsoft Defender for Storage should be enabled | 1.0.0 |
| Logging and Threat Detection | LT-5 | Centralize security log management and analysis | Auto provisioning of the Log Analytics agent should be enabled on your subscription | 1.0.1 |
| Incident Response | IR-2 | Preparation - setup incident notification | Email notification for high severity alerts should be enabled | 1.1.0 |
| Incident Response | IR-2 | Preparation - setup incident notification | Email notification to subscription owner for high severity alerts should be enabled | 2.1.0 |
| Incident Response | IR-2 | Preparation - setup incident notification | Subscriptions should have a contact email address for security issues | 1.0.1 |
| Incident Response | IR-3 | Detection and analysis - create incidents based on high-quality alerts | Azure Defender for App Service should be enabled | 1.0.3 |
| Incident Response | IR-3 | Detection and analysis - create incidents based on high-quality alerts | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Incident Response | IR-3 | Detection and analysis - create incidents based on high-quality alerts | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Incident Response | IR-3 | Detection and analysis - create incidents based on high-quality alerts | Azure Defender for open-source relational databases should be enabled | 1.0.0 |
| Incident Response | IR-3 | Detection and analysis - create incidents based on high-quality alerts | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| Incident Response | IR-3 | Detection and analysis - create incidents based on high-quality alerts | Azure Defender for servers should be enabled | 1.0.3 |
| Incident Response | IR-3 | Detection and analysis - create incidents based on high-quality alerts | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Incident Response | IR-3 | Detection and analysis - create incidents based on high-quality alerts | Microsoft Defender CSPM should be enabled | 1.0.0 |
| Incident Response | IR-3 | Detection and analysis - create incidents based on high-quality alerts | Microsoft Defender for APIs should be enabled | 1.0.3 |
| Incident Response | IR-3 | Detection and analysis - create incidents based on high-quality alerts | Microsoft Defender for Containers should be enabled | 1.0.0 |
| Incident Response | IR-3 | Detection and analysis - create incidents based on high-quality alerts | Microsoft Defender for Storage should be enabled | 1.0.0 |
| Endpoint Security | ES-1 | Use Endpoint Detection and Response (EDR) | Azure Defender for servers should be enabled | 1.0.3 |
| Incident Response | AIR-5 | Detection and analysis - prioritize incidents | Azure Defender for App Service should be enabled | 1.0.3 |
| Incident Response | AIR-5 | Detection and analysis - prioritize incidents | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Incident Response | AIR-5 | Detection and analysis - prioritize incidents | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Incident Response | AIR-5 | Detection and analysis - prioritize incidents | Azure Defender for open-source relational databases should be enabled | 1.0.0 |
| Incident Response | AIR-5 | Detection and analysis - prioritize incidents | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| Incident Response | AIR-5 | Detection and analysis - prioritize incidents | Azure Defender for servers should be enabled | 1.0.3 |
| Incident Response | AIR-5 | Detection and analysis - prioritize incidents | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Incident Response | AIR-5 | Detection and analysis - prioritize incidents | Microsoft Defender CSPM should be enabled | 1.0.0 |
| Incident Response | AIR-5 | Detection and analysis - prioritize incidents | Microsoft Defender for APIs should be enabled | 1.0.3 |
| Incident Response | AIR-5 | Detection and analysis - prioritize incidents | Microsoft Defender for Containers should be enabled | 1.0.0 |
| Incident Response | AIR-5 | Detection and analysis - prioritize incidents | Microsoft Defender for Storage should be enabled | 1.0.0 |
NIST SP 800-171 R2
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - NIST SP 800-171 R2. For more information about this compliance standard, see NIST SP 800-171 R2.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | 3.1.1 | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| Access Control | 3.1.1 | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). | Accounts with owner permissions on Azure resources should be MFA enabled | 1.0.0 |
| Access Control | 3.1.1 | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). | Accounts with read permissions on Azure resources should be MFA enabled | 1.0.0 |
| Access Control | 3.1.1 | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). | Accounts with write permissions on Azure resources should be MFA enabled | 1.0.0 |
| Access Control | 3.1.1 | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). | Blocked accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| Access Control | 3.1.1 | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). | Blocked accounts with read and write permissions on Azure resources should be removed | 1.0.0 |
| Access Control | 3.1.1 | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). | Define information system account types | 1.1.0 |
| Access Control | 3.1.1 | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). | Guest accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| Access Control | 3.1.1 | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). | Guest accounts with read permissions on Azure resources should be removed | 1.0.0 |
| Access Control | 3.1.1 | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). | Guest accounts with write permissions on Azure resources should be removed | 1.0.0 |
| Access Control | 3.1.11 | Terminate (automatically) a user session after a defined condition. | Terminate user session automatically | 1.1.0 |
| Access Control | 3.1.12 | Monitor and control remote access sessions. | Monitor access across the organization | 1.1.0 |
| Access Control | 3.1.13 | Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. | Notify users of system logon or access | 1.1.0 |
| Access Control | 3.1.13 | Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. | Protect data in transit using encryption | 1.1.0 |
| Access Control | 3.1.14 | Route remote access via managed access control points. | Route traffic through managed network access points | 1.1.0 |
| Access Control | 3.1.15 | Authorize remote execution of privileged commands and remote access to security-relevant information. | Authorize remote access | 1.1.0 |
| Access Control | 3.1.15 | Authorize remote execution of privileged commands and remote access to security-relevant information. | Authorize remote access to privileged commands | 1.1.0 |
| Access Control | 3.1.15 | Authorize remote execution of privileged commands and remote access to security-relevant information. | Document remote access guidelines | 1.1.0 |
| Access Control | 3.1.15 | Authorize remote execution of privileged commands and remote access to security-relevant information. | Implement controls to secure alternate work sites | 1.1.0 |
| Access Control | 3.1.15 | Authorize remote execution of privileged commands and remote access to security-relevant information. | Provide privacy training | 1.1.0 |
| Access Control | 3.1.16 | Authorize wireless access prior to allowing such connections | Document and implement wireless access guidelines | 1.1.0 |
| Access Control | 3.1.16 | Authorize wireless access prior to allowing such connections | Protect wireless access | 1.1.0 |
| Access Control | 3.1.17 | Protect wireless access using authentication and encryption | Document and implement wireless access guidelines | 1.1.0 |
| Access Control | 3.1.17 | Protect wireless access using authentication and encryption | Identify and authenticate network devices | 1.1.0 |
| Access Control | 3.1.17 | Protect wireless access using authentication and encryption | Protect wireless access | 1.1.0 |
| Access Control | 3.1.18 | Control connection of mobile devices. | Define mobile device requirements | 1.1.0 |
| Access Control | 3.1.19 | Encrypt CUI on mobile devices and mobile computing platforms | Define mobile device requirements | 1.1.0 |
| Access Control | 3.1.19 | Encrypt CUI on mobile devices and mobile computing platforms | Protect data in transit using encryption | 1.1.0 |
| Access Control | 3.1.2 | Limit system access to the types of transactions and functions that authorized users are permitted to execute. | Accounts with owner permissions on Azure resources should be MFA enabled | 1.0.0 |
| Access Control | 3.1.2 | Limit system access to the types of transactions and functions that authorized users are permitted to execute. | Accounts with read permissions on Azure resources should be MFA enabled | 1.0.0 |
| Access Control | 3.1.2 | Limit system access to the types of transactions and functions that authorized users are permitted to execute. | Accounts with write permissions on Azure resources should be MFA enabled | 1.0.0 |
| Access Control | 3.1.2 | Limit system access to the types of transactions and functions that authorized users are permitted to execute. | Audit privileged functions | 1.1.0 |
| Access Control | 3.1.2 | Limit system access to the types of transactions and functions that authorized users are permitted to execute. | Authorize access to security functions and information | 1.1.0 |
| Access Control | 3.1.2 | Limit system access to the types of transactions and functions that authorized users are permitted to execute. | Authorize and manage access | 1.1.0 |
| Access Control | 3.1.2 | Limit system access to the types of transactions and functions that authorized users are permitted to execute. | Authorize remote access | 1.1.0 |
| Access Control | 3.1.2 | Limit system access to the types of transactions and functions that authorized users are permitted to execute. | Blocked accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| Access Control | 3.1.2 | Limit system access to the types of transactions and functions that authorized users are permitted to execute. | Blocked accounts with read and write permissions on Azure resources should be removed | 1.0.0 |
| Access Control | 3.1.2 | Limit system access to the types of transactions and functions that authorized users are permitted to execute. | Enforce appropriate usage of all accounts | 1.1.0 |
| Access Control | 3.1.2 | Limit system access to the types of transactions and functions that authorized users are permitted to execute. | Enforce logical access | 1.1.0 |
| Access Control | 3.1.2 | Limit system access to the types of transactions and functions that authorized users are permitted to execute. | Enforce mandatory and discretionary access control policies | 1.1.0 |
| Access Control | 3.1.2 | Limit system access to the types of transactions and functions that authorized users are permitted to execute. | Guest accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| Access Control | 3.1.2 | Limit system access to the types of transactions and functions that authorized users are permitted to execute. | Guest accounts with read permissions on Azure resources should be removed | 1.0.0 |
| Access Control | 3.1.2 | Limit system access to the types of transactions and functions that authorized users are permitted to execute. | Guest accounts with write permissions on Azure resources should be removed | 1.0.0 |
| Access Control | 3.1.2 | Limit system access to the types of transactions and functions that authorized users are permitted to execute. | Monitor privileged role assignment | 1.1.0 |
| Access Control | 3.1.2 | Limit system access to the types of transactions and functions that authorized users are permitted to execute. | Require approval for account creation | 1.1.0 |
| Access Control | 3.1.2 | Limit system access to the types of transactions and functions that authorized users are permitted to execute. | Restrict access to privileged accounts | 1.1.0 |
| Access Control | 3.1.2 | Limit system access to the types of transactions and functions that authorized users are permitted to execute. | Review user groups and applications with access to sensitive data | 1.1.0 |
| Access Control | 3.1.2 | Limit system access to the types of transactions and functions that authorized users are permitted to execute. | Revoke privileged roles as appropriate | 1.1.0 |
| Access Control | 3.1.2 | Limit system access to the types of transactions and functions that authorized users are permitted to execute. | Use privileged identity management | 1.1.0 |
| Access Control | 3.1.20 | Verify and control/limit connections to and use of external systems. | Establish terms and conditions for accessing resources | 1.1.0 |
| Access Control | 3.1.20 | Verify and control/limit connections to and use of external systems. | Establish terms and conditions for processing resources | 1.1.0 |
| Access Control | 3.1.21 | Limit use of portable storage devices on external systems. | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| Access Control | 3.1.21 | Limit use of portable storage devices on external systems. | Control use of portable storage devices | 1.1.0 |
| Access Control | 3.1.21 | Limit use of portable storage devices on external systems. | Implement controls to secure all media | 1.1.0 |
| Access Control | 3.1.22 | Control CUI posted or processed on publicly accessible systems. | Designate authorized personnel to post publicly accessible information | 1.1.0 |
| Access Control | 3.1.22 | Control CUI posted or processed on publicly accessible systems. | Review content prior to posting publicly accessible information | 1.1.0 |
| Access Control | 3.1.22 | Control CUI posted or processed on publicly accessible systems. | Review publicly accessible content for nonpublic information | 1.1.0 |
| Access Control | 3.1.22 | Control CUI posted or processed on publicly accessible systems. | Train personnel on disclosure of nonpublic information | 1.1.0 |
| Access Control | 3.1.3 | Control the flow of CUI in accordance with approved authorizations. | Control information flow | 1.1.0 |
| Access Control | 3.1.3 | Control the flow of CUI in accordance with approved authorizations. | Employ flow control mechanisms of encrypted information | 1.1.0 |
| Access Control | 3.1.3 | Control the flow of CUI in accordance with approved authorizations. | Establish firewall and router configuration standards | 1.1.0 |
| Access Control | 3.1.3 | Control the flow of CUI in accordance with approved authorizations. | Establish network segmentation for card holder data environment | 1.1.0 |
| Access Control | 3.1.3 | Control the flow of CUI in accordance with approved authorizations. | Identify and manage downstream information exchanges | 1.1.0 |
| Access Control | 3.1.3 | Control the flow of CUI in accordance with approved authorizations. | Information flow control using security policy filters | 1.1.0 |
| Access Control | 3.1.4 | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. | Define access authorizations to support separation of duties | 1.1.0 |
| Access Control | 3.1.4 | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. | Document separation of duties | 1.1.0 |
| Access Control | 3.1.4 | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. | Separate duties of individuals | 1.1.0 |
| Access Control | 3.1.4 | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. | There should be more than one owner assigned to your subscription | 3.0.0 |
| Access Control | 3.1.5 | Employ the principle of least privilege, including for specific security functions and privileged accounts. | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| Access Control | 3.1.5 | Employ the principle of least privilege, including for specific security functions and privileged accounts. | Authorize access to security functions and information | 1.1.0 |
| Access Control | 3.1.5 | Employ the principle of least privilege, including for specific security functions and privileged accounts. | Authorize and manage access | 1.1.0 |
| Access Control | 3.1.5 | Employ the principle of least privilege, including for specific security functions and privileged accounts. | Design an access control model | 1.1.0 |
| Access Control | 3.1.5 | Employ the principle of least privilege, including for specific security functions and privileged accounts. | Employ least privilege access | 1.1.0 |
| Access Control | 3.1.5 | Employ the principle of least privilege, including for specific security functions and privileged accounts. | Enforce mandatory and discretionary access control policies | 1.1.0 |
| Access Control | 3.1.5 | Employ the principle of least privilege, including for specific security functions and privileged accounts. | Restrict access to privileged accounts | 1.1.0 |
| Access Control | 3.1.7 | Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs. | Audit privileged functions | 1.1.0 |
| Access Control | 3.1.7 | Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs. | Conduct a full text analysis of logged privileged commands | 1.1.0 |
| Access Control | 3.1.7 | Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs. | Monitor privileged role assignment | 1.1.0 |
| Access Control | 3.1.7 | Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs. | Restrict access to privileged accounts | 1.1.0 |
| Access Control | 3.1.7 | Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs. | Revoke privileged roles as appropriate | 1.1.0 |
| Access Control | 3.1.7 | Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs. | Use privileged identity management | 1.1.0 |
| Access Control | 3.1.8 | Limit unsuccessful logon attempts. | Enforce a limit of consecutive failed login attempts | 1.1.0 |
| Physical Protection | 3.10.1 | Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals. | Control physical access | 1.1.0 |
| Physical Protection | 3.10.2 | Protect and monitor the physical facility and support infrastructure for organizational systems. | Install an alarm system | 1.1.0 |
| Physical Protection | 3.10.2 | Protect and monitor the physical facility and support infrastructure for organizational systems. | Manage a secure surveillance camera system | 1.1.0 |
| Physical Protection | 3.10.3 | Escort visitors and monitor visitor activity. | Control physical access | 1.1.0 |
| Physical Protection | 3.10.3 | Escort visitors and monitor visitor activity. | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Physical Protection | 3.10.4 | Maintain audit logs of physical access. | Control physical access | 1.1.0 |
| Physical Protection | 3.10.5 | Control and manage physical access devices. | Control physical access | 1.1.0 |
| Physical Protection | 3.10.5 | Control and manage physical access devices. | Define a physical key management process | 1.1.0 |
| Physical Protection | 3.10.5 | Control and manage physical access devices. | Establish and maintain an asset inventory | 1.1.0 |
| Physical Protection | 3.10.5 | Control and manage physical access devices. | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Physical Protection | 3.10.6 | Enforce safeguarding measures for CUI at alternate work sites. | Implement controls to secure alternate work sites | 1.1.0 |
| Risk Assessment | 3.11.1 | Periodically assess the risk to organizational operations, organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI | Assess risk in third party relationships | 1.1.0 |
| Risk Assessment | 3.11.1 | Periodically assess the risk to organizational operations, organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI | Perform a risk assessment | 1.1.0 |
| Risk Assessment | 3.11.2 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | Azure Defender for App Service should be enabled | 1.0.3 |
| Risk Assessment | 3.11.2 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Risk Assessment | 3.11.2 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Risk Assessment | 3.11.2 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| Risk Assessment | 3.11.2 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | Azure Defender for servers should be enabled | 1.0.3 |
| Risk Assessment | 3.11.2 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Risk Assessment | 3.11.2 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | Implement privileged access for executing vulnerability scanning activities | 1.1.0 |
| Risk Assessment | 3.11.2 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | Microsoft Defender for Containers should be enabled | 1.0.0 |
| Risk Assessment | 3.11.2 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | Microsoft Defender for Storage should be enabled | 1.0.0 |
| Risk Assessment | 3.11.2 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | Perform vulnerability scans | 1.1.0 |
| Risk Assessment | 3.11.2 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | Remediate information system flaws | 1.1.0 |
| Risk Assessment | 3.11.3 | Remediate vulnerabilities in accordance with risk assessments. | Azure Defender for App Service should be enabled | 1.0.3 |
| Risk Assessment | 3.11.3 | Remediate vulnerabilities in accordance with risk assessments. | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Risk Assessment | 3.11.3 | Remediate vulnerabilities in accordance with risk assessments. | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Risk Assessment | 3.11.3 | Remediate vulnerabilities in accordance with risk assessments. | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| Risk Assessment | 3.11.3 | Remediate vulnerabilities in accordance with risk assessments. | Azure Defender for servers should be enabled | 1.0.3 |
| Risk Assessment | 3.11.3 | Remediate vulnerabilities in accordance with risk assessments. | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Risk Assessment | 3.11.3 | Remediate vulnerabilities in accordance with risk assessments. | Microsoft Defender for Containers should be enabled | 1.0.0 |
| Risk Assessment | 3.11.3 | Remediate vulnerabilities in accordance with risk assessments. | Microsoft Defender for Storage should be enabled | 1.0.0 |
| Risk Assessment | 3.11.3 | Remediate vulnerabilities in accordance with risk assessments. | Perform vulnerability scans | 1.1.0 |
| Risk Assessment | 3.11.3 | Remediate vulnerabilities in accordance with risk assessments. | Remediate information system flaws | 1.1.0 |
| Security Assessment | 3.12.1 | Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. | Assess Security Controls | 1.1.0 |
| Security Assessment | 3.12.1 | Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. | Deliver security assessment results | 1.1.0 |
| Security Assessment | 3.12.1 | Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. | Develop security assessment plan | 1.1.0 |
| Security Assessment | 3.12.1 | Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. | Produce Security Assessment report | 1.1.0 |
| Security Assessment | 3.12.2 | Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. | Develop POA&M | 1.1.0 |
| Security Assessment | 3.12.2 | Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. | Establish a risk management strategy | 1.1.0 |
| Security Assessment | 3.12.2 | Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. | Implement plans of action and milestones for security program process | 1.1.0 |
| Security Assessment | 3.12.2 | Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. | Update POA&M items | 1.1.0 |
| Security Assessment | 3.12.3 | Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. | Configure detection whitelist | 1.1.0 |
| Security Assessment | 3.12.3 | Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. | Turn on sensors for endpoint security solution | 1.1.0 |
| Security Assessment | 3.12.3 | Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. | Undergo independent security review | 1.1.0 |
| Security Assessment | 3.12.4 | Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. | Develop and establish a system security plan | 1.1.0 |
| Security Assessment | 3.12.4 | Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. | Develop information security policies and procedures | 1.1.0 |
| Security Assessment | 3.12.4 | Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. | Develop SSP that meets criteria | 1.1.0 |
| Security Assessment | 3.12.4 | Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. | Establish a privacy program | 1.1.0 |
| Security Assessment | 3.12.4 | Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. | Establish an information security program | 1.1.0 |
| Security Assessment | 3.12.4 | Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. | Establish security requirements for the manufacturing of connected devices | 1.1.0 |
| Security Assessment | 3.12.4 | Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. | Implement security engineering principles of information systems | 1.1.0 |
| Security Assessment | 3.12.4 | Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. | Update information security policies | 1.1.0 |
| System and Communications Protection | 3.13.10 | Establish and manage cryptographic keys for cryptography employed in organizational systems. | Define a physical key management process | 1.1.0 |
| System and Communications Protection | 3.13.10 | Establish and manage cryptographic keys for cryptography employed in organizational systems. | Define cryptographic use | 1.1.0 |
| System and Communications Protection | 3.13.10 | Establish and manage cryptographic keys for cryptography employed in organizational systems. | Define organizational requirements for cryptographic key management | 1.1.0 |
| System and Communications Protection | 3.13.10 | Establish and manage cryptographic keys for cryptography employed in organizational systems. | Determine assertion requirements | 1.1.0 |
| System and Communications Protection | 3.13.10 | Establish and manage cryptographic keys for cryptography employed in organizational systems. | Issue public key certificates | 1.1.0 |
| System and Communications Protection | 3.13.10 | Establish and manage cryptographic keys for cryptography employed in organizational systems. | Manage symmetric cryptographic keys | 1.1.0 |
| System and Communications Protection | 3.13.10 | Establish and manage cryptographic keys for cryptography employed in organizational systems. | Restrict access to private keys | 1.1.0 |
| System and Communications Protection | 3.13.11 | Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. | Define cryptographic use | 1.1.0 |
| System and Communications Protection | 3.13.12 | Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device | Explicitly notify use of collaborative computing devices | 1.1.1 |
| System and Communications Protection | 3.13.12 | Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device | Prohibit remote activation of collaborative computing devices | 1.1.0 |
| System and Communications Protection | 3.13.13 | Control and monitor the use of mobile code. | Authorize, monitor, and control usage of mobile code technologies | 1.1.0 |
| System and Communications Protection | 3.13.13 | Control and monitor the use of mobile code. | Define acceptable and unacceptable mobile code technologies | 1.1.0 |
| System and Communications Protection | 3.13.13 | Control and monitor the use of mobile code. | Establish usage restrictions for mobile code technologies | 1.1.0 |
| System and Communications Protection | 3.13.14 | Control and monitor the use of Voice over Internet Protocol (VoIP) technologies. | Authorize, monitor, and control voip | 1.1.0 |
| System and Communications Protection | 3.13.14 | Control and monitor the use of Voice over Internet Protocol (VoIP) technologies. | Establish voip usage restrictions | 1.1.0 |
| System and Communications Protection | 3.13.15 | Protect the authenticity of communications sessions. | Configure workstations to check for digital certificates | 1.1.0 |
| System and Communications Protection | 3.13.15 | Protect the authenticity of communications sessions. | Enforce random unique session identifiers | 1.1.0 |
| System and Communications Protection | 3.13.16 | Protect the confidentiality of CUI at rest. | Establish a data leakage management procedure | 1.1.0 |
| System and Communications Protection | 3.13.16 | Protect the confidentiality of CUI at rest. | Implement controls to secure all media | 1.1.0 |
| System and Communications Protection | 3.13.16 | Protect the confidentiality of CUI at rest. | Protect data in transit using encryption | 1.1.0 |
| System and Communications Protection | 3.13.16 | Protect the confidentiality of CUI at rest. | Protect special information | 1.1.0 |
| System and Communications Protection | 3.13.3 | Separate user functionality from system management functionality. | Authorize remote access | 1.1.0 |
| System and Communications Protection | 3.13.3 | Separate user functionality from system management functionality. | Separate user and information system management functionality | 1.1.0 |
| System and Communications Protection | 3.13.3 | Separate user functionality from system management functionality. | Use dedicated machines for administrative tasks | 1.1.0 |
| System and Communications Protection | 3.13.7 | Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling). | Prevent split tunneling for remote devices | 1.1.0 |
| System and Communications Protection | 3.13.8 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | Configure workstations to check for digital certificates | 1.1.0 |
| System and Communications Protection | 3.13.8 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | Protect data in transit using encryption | 1.1.0 |
| System and Communications Protection | 3.13.8 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | Protect passwords with encryption | 1.1.0 |
| System and Communications Protection | 3.13.9 | Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity. | Reauthenticate or terminate a user session | 1.1.0 |
| System and Information Integrity | 3.14.1 | Identify, report, and correct system flaws in a timely manner. | Azure Defender for App Service should be enabled | 1.0.3 |
| System and Information Integrity | 3.14.1 | Identify, report, and correct system flaws in a timely manner. | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| System and Information Integrity | 3.14.1 | Identify, report, and correct system flaws in a timely manner. | Azure Defender for Key Vault should be enabled | 1.0.3 |
| System and Information Integrity | 3.14.1 | Identify, report, and correct system flaws in a timely manner. | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| System and Information Integrity | 3.14.1 | Identify, report, and correct system flaws in a timely manner. | Azure Defender for servers should be enabled | 1.0.3 |
| System and Information Integrity | 3.14.1 | Identify, report, and correct system flaws in a timely manner. | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| System and Information Integrity | 3.14.1 | Identify, report, and correct system flaws in a timely manner. | Incorporate flaw remediation into configuration management | 1.1.0 |
| System and Information Integrity | 3.14.1 | Identify, report, and correct system flaws in a timely manner. | Microsoft Defender for Containers should be enabled | 1.0.0 |
| System and Information Integrity | 3.14.1 | Identify, report, and correct system flaws in a timely manner. | Microsoft Defender for Storage should be enabled | 1.0.0 |
| System and Information Integrity | 3.14.1 | Identify, report, and correct system flaws in a timely manner. | Perform vulnerability scans | 1.1.0 |
| System and Information Integrity | 3.14.1 | Identify, report, and correct system flaws in a timely manner. | Remediate information system flaws | 1.1.0 |
| System and Information Integrity | 3.14.2 | Provide protection from malicious code at designated locations within organizational systems. | Azure Defender for App Service should be enabled | 1.0.3 |
| System and Information Integrity | 3.14.2 | Provide protection from malicious code at designated locations within organizational systems. | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| System and Information Integrity | 3.14.2 | Provide protection from malicious code at designated locations within organizational systems. | Azure Defender for Key Vault should be enabled | 1.0.3 |
| System and Information Integrity | 3.14.2 | Provide protection from malicious code at designated locations within organizational systems. | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| System and Information Integrity | 3.14.2 | Provide protection from malicious code at designated locations within organizational systems. | Azure Defender for servers should be enabled | 1.0.3 |
| System and Information Integrity | 3.14.2 | Provide protection from malicious code at designated locations within organizational systems. | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| System and Information Integrity | 3.14.2 | Provide protection from malicious code at designated locations within organizational systems. | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| System and Information Integrity | 3.14.2 | Provide protection from malicious code at designated locations within organizational systems. | Manage gateways | 1.1.0 |
| System and Information Integrity | 3.14.2 | Provide protection from malicious code at designated locations within organizational systems. | Microsoft Defender for Containers should be enabled | 1.0.0 |
| System and Information Integrity | 3.14.2 | Provide protection from malicious code at designated locations within organizational systems. | Microsoft Defender for Storage should be enabled | 1.0.0 |
| System and Information Integrity | 3.14.2 | Provide protection from malicious code at designated locations within organizational systems. | Perform a trend analysis on threats | 1.1.0 |
| System and Information Integrity | 3.14.2 | Provide protection from malicious code at designated locations within organizational systems. | Perform vulnerability scans | 1.1.0 |
| System and Information Integrity | 3.14.2 | Provide protection from malicious code at designated locations within organizational systems. | Review malware detections report weekly | 1.1.0 |
| System and Information Integrity | 3.14.2 | Provide protection from malicious code at designated locations within organizational systems. | Review threat protection status weekly | 1.1.0 |
| System and Information Integrity | 3.14.2 | Provide protection from malicious code at designated locations within organizational systems. | Update antivirus definitions | 1.1.0 |
| System and Information Integrity | 3.14.3 | Monitor system security alerts and advisories and take action in response. | Azure Defender for App Service should be enabled | 1.0.3 |
| System and Information Integrity | 3.14.3 | Monitor system security alerts and advisories and take action in response. | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| System and Information Integrity | 3.14.3 | Monitor system security alerts and advisories and take action in response. | Azure Defender for Key Vault should be enabled | 1.0.3 |
| System and Information Integrity | 3.14.3 | Monitor system security alerts and advisories and take action in response. | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| System and Information Integrity | 3.14.3 | Monitor system security alerts and advisories and take action in response. | Azure Defender for servers should be enabled | 1.0.3 |
| System and Information Integrity | 3.14.3 | Monitor system security alerts and advisories and take action in response. | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| System and Information Integrity | 3.14.3 | Monitor system security alerts and advisories and take action in response. | Disseminate security alerts to personnel | 1.1.0 |
| System and Information Integrity | 3.14.3 | Monitor system security alerts and advisories and take action in response. | Email notification for high severity alerts should be enabled | 1.1.0 |
| System and Information Integrity | 3.14.3 | Monitor system security alerts and advisories and take action in response. | Email notification to subscription owner for high severity alerts should be enabled | 2.1.0 |
| System and Information Integrity | 3.14.3 | Monitor system security alerts and advisories and take action in response. | Establish a threat intelligence program | 1.1.0 |
| System and Information Integrity | 3.14.3 | Monitor system security alerts and advisories and take action in response. | Implement security directives | 1.1.0 |
| System and Information Integrity | 3.14.3 | Monitor system security alerts and advisories and take action in response. | Microsoft Defender for Containers should be enabled | 1.0.0 |
| System and Information Integrity | 3.14.3 | Monitor system security alerts and advisories and take action in response. | Microsoft Defender for Storage should be enabled | 1.0.0 |
| System and Information Integrity | 3.14.3 | Monitor system security alerts and advisories and take action in response. | Subscriptions should have a contact email address for security issues | 1.0.1 |
| System and Information Integrity | 3.14.4 | Update malicious code protection mechanisms when new releases are available. | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| System and Information Integrity | 3.14.4 | Update malicious code protection mechanisms when new releases are available. | Manage gateways | 1.1.0 |
| System and Information Integrity | 3.14.4 | Update malicious code protection mechanisms when new releases are available. | Perform a trend analysis on threats | 1.1.0 |
| System and Information Integrity | 3.14.4 | Update malicious code protection mechanisms when new releases are available. | Perform vulnerability scans | 1.1.0 |
| System and Information Integrity | 3.14.4 | Update malicious code protection mechanisms when new releases are available. | Review malware detections report weekly | 1.1.0 |
| System and Information Integrity | 3.14.4 | Update malicious code protection mechanisms when new releases are available. | Update antivirus definitions | 1.1.0 |
| System and Information Integrity | 3.14.5 | Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed. | Azure Defender for servers should be enabled | 1.0.3 |
| System and Information Integrity | 3.14.6 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | Auto provisioning of the Log Analytics agent should be enabled on your subscription | 1.0.1 |
| System and Information Integrity | 3.14.6 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | Azure Defender for App Service should be enabled | 1.0.3 |
| System and Information Integrity | 3.14.6 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| System and Information Integrity | 3.14.6 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | Azure Defender for Key Vault should be enabled | 1.0.3 |
| System and Information Integrity | 3.14.6 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| System and Information Integrity | 3.14.6 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | Azure Defender for servers should be enabled | 1.0.3 |
| System and Information Integrity | 3.14.6 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| System and Information Integrity | 3.14.6 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | Detect network services that have not been authorized or approved | 1.1.0 |
| System and Information Integrity | 3.14.6 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | Discover any indicators of compromise | 1.1.0 |
| System and Information Integrity | 3.14.6 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | Document security operations | 1.1.0 |
| System and Information Integrity | 3.14.6 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | Email notification for high severity alerts should be enabled | 1.1.0 |
| System and Information Integrity | 3.14.6 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | Email notification to subscription owner for high severity alerts should be enabled | 2.1.0 |
| System and Information Integrity | 3.14.6 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | Microsoft Defender for Containers should be enabled | 1.0.0 |
| System and Information Integrity | 3.14.6 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | Microsoft Defender for Storage should be enabled | 1.0.0 |
| System and Information Integrity | 3.14.6 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | Perform a trend analysis on threats | 1.1.0 |
| System and Information Integrity | 3.14.6 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | Subscriptions should have a contact email address for security issues | 1.0.1 |
| System and Information Integrity | 3.14.6 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | Turn on sensors for endpoint security solution | 1.1.0 |
| System and Information Integrity | 3.14.7 | Identify unauthorized use of organizational systems. | Auto provisioning of the Log Analytics agent should be enabled on your subscription | 1.0.1 |
| System and Information Integrity | 3.14.7 | Identify unauthorized use of organizational systems. | Azure Defender for App Service should be enabled | 1.0.3 |
| System and Information Integrity | 3.14.7 | Identify unauthorized use of organizational systems. | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| System and Information Integrity | 3.14.7 | Identify unauthorized use of organizational systems. | Azure Defender for Key Vault should be enabled | 1.0.3 |
| System and Information Integrity | 3.14.7 | Identify unauthorized use of organizational systems. | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| System and Information Integrity | 3.14.7 | Identify unauthorized use of organizational systems. | Azure Defender for servers should be enabled | 1.0.3 |
| System and Information Integrity | 3.14.7 | Identify unauthorized use of organizational systems. | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| System and Information Integrity | 3.14.7 | Identify unauthorized use of organizational systems. | Microsoft Defender for Containers should be enabled | 1.0.0 |
| System and Information Integrity | 3.14.7 | Identify unauthorized use of organizational systems. | Microsoft Defender for Storage should be enabled | 1.0.0 |
| System and Information Integrity | 3.14.7 | Identify unauthorized use of organizational systems. | Perform a trend analysis on threats | 1.1.0 |
| Awareness and Training | 3.2.1 | Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards,& procedures related to the security of those systems. | Provide periodic security awareness training | 1.1.0 |
| Awareness and Training | 3.2.1 | Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards,& procedures related to the security of those systems. | Provide security training for new users | 1.1.0 |
| Awareness and Training | 3.2.2 | Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities. | Provide periodic role-based security training | 1.1.0 |
| Awareness and Training | 3.2.2 | Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities. | Provide security training before providing access | 1.1.0 |
| Awareness and Training | 3.2.3 | Provide security awareness training on recognizing and reporting potential indicators of insider threat. | Implement an insider threat program | 1.1.0 |
| Awareness and Training | 3.2.3 | Provide security awareness training on recognizing and reporting potential indicators of insider threat. | Provide security awareness training for insider threats | 1.1.0 |
| Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity | Adhere to retention periods defined | 1.1.0 |
| Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity | Auto provisioning of the Log Analytics agent should be enabled on your subscription | 1.0.1 |
| Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity | Azure Defender for App Service should be enabled | 1.0.3 |
| Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity | Azure Defender for servers should be enabled | 1.0.3 |
| Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity | Configure Azure Audit capabilities | 1.1.1 |
| Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity | Correlate audit records | 1.1.0 |
| Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity | Determine auditable events | 1.1.0 |
| Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity | Establish requirements for audit review and reporting | 1.1.0 |
| Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity | Integrate audit review, analysis, and reporting | 1.1.0 |
| Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity | Integrate cloud app security with a siem | 1.1.0 |
| Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity | Microsoft Defender for Containers should be enabled | 1.0.0 |
| Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity | Microsoft Defender for Storage should be enabled | 1.0.0 |
| Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity | Retain security policies and procedures | 1.1.0 |
| Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity | Retain terminated user data | 1.1.0 |
| Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity | Review account provisioning logs | 1.1.0 |
| Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity | Review administrator assignments weekly | 1.1.0 |
| Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity | Review audit data | 1.1.0 |
| Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity | Review cloud identity report overview | 1.1.0 |
| Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity | Review controlled folder access events | 1.1.0 |
| Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity | Review file and folder activity | 1.1.0 |
| Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity | Review role group changes weekly | 1.1.0 |
| Audit and Accountability | 3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. | Auto provisioning of the Log Analytics agent should be enabled on your subscription | 1.0.1 |
| Audit and Accountability | 3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. | Azure Defender for App Service should be enabled | 1.0.3 |
| Audit and Accountability | 3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Audit and Accountability | 3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Audit and Accountability | 3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| Audit and Accountability | 3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. | Azure Defender for servers should be enabled | 1.0.3 |
| Audit and Accountability | 3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Audit and Accountability | 3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. | Determine auditable events | 1.1.0 |
| Audit and Accountability | 3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. | Establish electronic signature and certificate requirements | 1.1.0 |
| Audit and Accountability | 3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. | Microsoft Defender for Containers should be enabled | 1.0.0 |
| Audit and Accountability | 3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. | Microsoft Defender for Storage should be enabled | 1.0.0 |
| Audit and Accountability | 3.3.3 | Review and update logged events. | Review and update the events defined in AU-02 | 1.1.0 |
| Audit and Accountability | 3.3.4 | Alert in the event of an audit logging process failure. | Azure Defender for App Service should be enabled | 1.0.3 |
| Audit and Accountability | 3.3.4 | Alert in the event of an audit logging process failure. | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Audit and Accountability | 3.3.4 | Alert in the event of an audit logging process failure. | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Audit and Accountability | 3.3.4 | Alert in the event of an audit logging process failure. | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| Audit and Accountability | 3.3.4 | Alert in the event of an audit logging process failure. | Azure Defender for servers should be enabled | 1.0.3 |
| Audit and Accountability | 3.3.4 | Alert in the event of an audit logging process failure. | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Audit and Accountability | 3.3.4 | Alert in the event of an audit logging process failure. | Govern and monitor audit processing activities | 1.1.0 |
| Audit and Accountability | 3.3.4 | Alert in the event of an audit logging process failure. | Microsoft Defender for Containers should be enabled | 1.0.0 |
| Audit and Accountability | 3.3.4 | Alert in the event of an audit logging process failure. | Microsoft Defender for Storage should be enabled | 1.0.0 |
| Audit and Accountability | 3.3.4 | Alert in the event of an audit logging process failure. | Provide real-time alerts for audit event failures | 1.1.0 |
| Audit and Accountability | 3.3.5 | Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity. | Azure Defender for App Service should be enabled | 1.0.3 |
| Audit and Accountability | 3.3.5 | Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity. | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Audit and Accountability | 3.3.5 | Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity. | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Audit and Accountability | 3.3.5 | Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity. | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| Audit and Accountability | 3.3.5 | Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity. | Azure Defender for servers should be enabled | 1.0.3 |
| Audit and Accountability | 3.3.5 | Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity. | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Audit and Accountability | 3.3.5 | Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity. | Correlate audit records | 1.1.0 |
| Audit and Accountability | 3.3.5 | Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity. | Integrate Audit record analysis | 1.1.0 |
| Audit and Accountability | 3.3.5 | Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity. | Integrate cloud app security with a siem | 1.1.0 |
| Audit and Accountability | 3.3.5 | Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity. | Microsoft Defender for Containers should be enabled | 1.0.0 |
| Audit and Accountability | 3.3.5 | Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity. | Microsoft Defender for Storage should be enabled | 1.0.0 |
| Audit and Accountability | 3.3.6 | Provide audit record reduction and report generation to support on-demand analysis and reporting. | Audit privileged functions | 1.1.0 |
| Audit and Accountability | 3.3.6 | Provide audit record reduction and report generation to support on-demand analysis and reporting. | Audit user account status | 1.1.0 |
| Audit and Accountability | 3.3.6 | Provide audit record reduction and report generation to support on-demand analysis and reporting. | Compile Audit records into system wide audit | 1.1.0 |
| Audit and Accountability | 3.3.6 | Provide audit record reduction and report generation to support on-demand analysis and reporting. | Determine auditable events | 1.1.0 |
| Audit and Accountability | 3.3.6 | Provide audit record reduction and report generation to support on-demand analysis and reporting. | Provide audit review, analysis, and reporting capability | 1.1.0 |
| Audit and Accountability | 3.3.6 | Provide audit record reduction and report generation to support on-demand analysis and reporting. | Provide capability to process customer-controlled audit records | 1.1.0 |
| Audit and Accountability | 3.3.6 | Provide audit record reduction and report generation to support on-demand analysis and reporting. | Review audit data | 1.1.0 |
| Audit and Accountability | 3.3.7 | Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records | Use system clocks for audit records | 1.1.0 |
| Audit and Accountability | 3.3.8 | Protect audit information and audit logging tools from unauthorized access, modification, and deletion. | Enable dual or joint authorization | 1.1.0 |
| Audit and Accountability | 3.3.8 | Protect audit information and audit logging tools from unauthorized access, modification, and deletion. | Establish backup policies and procedures | 1.1.0 |
| Audit and Accountability | 3.3.8 | Protect audit information and audit logging tools from unauthorized access, modification, and deletion. | Maintain integrity of audit system | 1.1.0 |
| Audit and Accountability | 3.3.8 | Protect audit information and audit logging tools from unauthorized access, modification, and deletion. | Protect audit information | 1.1.0 |
| Audit and Accountability | 3.3.9 | Limit management of audit logging functionality to a subset of privileged users. | Protect audit information | 1.1.0 |
| Configuration Management | 3.4.1 | Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. | Configure actions for noncompliant devices | 1.1.0 |
| Configuration Management | 3.4.1 | Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. | Create a data inventory | 1.1.0 |
| Configuration Management | 3.4.1 | Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. | Develop and maintain baseline configurations | 1.1.0 |
| Configuration Management | 3.4.1 | Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. | Enforce security configuration settings | 1.1.0 |
| Configuration Management | 3.4.1 | Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. | Establish a configuration control board | 1.1.0 |
| Configuration Management | 3.4.1 | Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. | Establish and document a configuration management plan | 1.1.0 |
| Configuration Management | 3.4.1 | Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. | Establish and maintain an asset inventory | 1.1.0 |
| Configuration Management | 3.4.1 | Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. | Implement an automated configuration management tool | 1.1.0 |
| Configuration Management | 3.4.1 | Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. | Maintain records of processing of personal data | 1.1.0 |
| Configuration Management | 3.4.1 | Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. | Retain previous versions of baseline configs | 1.1.0 |
| Configuration Management | 3.4.2 | Establish and enforce security configuration settings for information technology products employed in organizational systems. | Enforce security configuration settings | 1.1.0 |
| Configuration Management | 3.4.2 | Establish and enforce security configuration settings for information technology products employed in organizational systems. | Govern compliance of cloud service providers | 1.1.0 |
| Configuration Management | 3.4.2 | Establish and enforce security configuration settings for information technology products employed in organizational systems. | Remediate information system flaws | 1.1.0 |
| Configuration Management | 3.4.2 | Establish and enforce security configuration settings for information technology products employed in organizational systems. | View and configure system diagnostic data | 1.1.0 |
| Configuration Management | 3.4.3 | Track, review, approve or disapprove, and log changes to organizational systems. | Assign information security representative to change control | 1.1.0 |
| Configuration Management | 3.4.3 | Track, review, approve or disapprove, and log changes to organizational systems. | Automate approval request for proposed changes | 1.1.0 |
| Configuration Management | 3.4.3 | Track, review, approve or disapprove, and log changes to organizational systems. | Automate implementation of approved change notifications | 1.1.0 |
| Configuration Management | 3.4.3 | Track, review, approve or disapprove, and log changes to organizational systems. | Automate process to document implemented changes | 1.1.0 |
| Configuration Management | 3.4.3 | Track, review, approve or disapprove, and log changes to organizational systems. | Automate process to highlight unreviewed change proposals | 1.1.0 |
| Configuration Management | 3.4.3 | Track, review, approve or disapprove, and log changes to organizational systems. | Automate process to prohibit implementation of unapproved changes | 1.1.0 |
| Configuration Management | 3.4.3 | Track, review, approve or disapprove, and log changes to organizational systems. | Automate proposed documented changes | 1.1.0 |
| Configuration Management | 3.4.3 | Track, review, approve or disapprove, and log changes to organizational systems. | Conduct a security impact analysis | 1.1.0 |
| Configuration Management | 3.4.3 | Track, review, approve or disapprove, and log changes to organizational systems. | Develop and maintain a vulnerability management standard | 1.1.0 |
| Configuration Management | 3.4.3 | Track, review, approve or disapprove, and log changes to organizational systems. | Establish a risk management strategy | 1.1.0 |
| Configuration Management | 3.4.3 | Track, review, approve or disapprove, and log changes to organizational systems. | Establish and document change control processes | 1.1.0 |
| Configuration Management | 3.4.3 | Track, review, approve or disapprove, and log changes to organizational systems. | Establish configuration management requirements for developers | 1.1.0 |
| Configuration Management | 3.4.3 | Track, review, approve or disapprove, and log changes to organizational systems. | Perform a privacy impact assessment | 1.1.0 |
| Configuration Management | 3.4.3 | Track, review, approve or disapprove, and log changes to organizational systems. | Perform a risk assessment | 1.1.0 |
| Configuration Management | 3.4.3 | Track, review, approve or disapprove, and log changes to organizational systems. | Perform audit for configuration change control | 1.1.0 |
| Configuration Management | 3.4.4 | Analyze the security impact of changes prior to implementation. | Conduct a security impact analysis | 1.1.0 |
| Configuration Management | 3.4.4 | Analyze the security impact of changes prior to implementation. | Develop and maintain a vulnerability management standard | 1.1.0 |
| Configuration Management | 3.4.4 | Analyze the security impact of changes prior to implementation. | Establish a risk management strategy | 1.1.0 |
| Configuration Management | 3.4.4 | Analyze the security impact of changes prior to implementation. | Establish and document change control processes | 1.1.0 |
| Configuration Management | 3.4.4 | Analyze the security impact of changes prior to implementation. | Establish configuration management requirements for developers | 1.1.0 |
| Configuration Management | 3.4.4 | Analyze the security impact of changes prior to implementation. | Perform a privacy impact assessment | 1.1.0 |
| Configuration Management | 3.4.4 | Analyze the security impact of changes prior to implementation. | Perform a risk assessment | 1.1.0 |
| Configuration Management | 3.4.4 | Analyze the security impact of changes prior to implementation. | Perform audit for configuration change control | 1.1.0 |
| Configuration Management | 3.4.5 | Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems. | Enforce and audit access restrictions | 1.1.0 |
| Configuration Management | 3.4.5 | Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems. | Establish and document change control processes | 1.1.0 |
| Configuration Management | 3.4.5 | Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems. | Limit privileges to make changes in production environment | 1.1.0 |
| Configuration Management | 3.4.5 | Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems. | Restrict unauthorized software and firmware installation | 1.1.0 |
| Configuration Management | 3.4.5 | Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems. | Review and reevaluate privileges | 1.1.0 |
| Configuration Management | 3.4.5 | Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems. | Review changes for any unauthorized changes | 1.1.0 |
| Configuration Management | 3.4.6 | Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities. | Azure Defender for servers should be enabled | 1.0.3 |
| Identification and Authentication | 3.5.1 | Identify system users, processes acting on behalf of users, and devices. | Assign system identifiers | 1.1.0 |
| Identification and Authentication | 3.5.1 | Identify system users, processes acting on behalf of users, and devices. | Enforce user uniqueness | 1.1.0 |
| Identification and Authentication | 3.5.1 | Identify system users, processes acting on behalf of users, and devices. | Require use of individual authenticators | 1.1.0 |
| Identification and Authentication | 3.5.1 | Identify system users, processes acting on behalf of users, and devices. | Support personal verification credentials issued by legal authorities | 1.1.0 |
| Identification and Authentication | 3.5.10 | Store and transmit only cryptographically-protected passwords. | Ensure authorized users protect provided authenticators | 1.1.0 |
| Identification and Authentication | 3.5.10 | Store and transmit only cryptographically-protected passwords. | Protect passwords with encryption | 1.1.0 |
| Identification and Authentication | 3.5.11 | Obscure feedback of authentication information | Obscure feedback information during authentication process | 1.1.0 |
| Identification and Authentication | 3.5.2 | Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. | Accounts with owner permissions on Azure resources should be MFA enabled | 1.0.0 |
| Identification and Authentication | 3.5.2 | Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. | Accounts with read permissions on Azure resources should be MFA enabled | 1.0.0 |
| Identification and Authentication | 3.5.2 | Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. | Accounts with write permissions on Azure resources should be MFA enabled | 1.0.0 |
| Identification and Authentication | 3.5.2 | Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. | Establish authenticator types and processes | 1.1.0 |
| Identification and Authentication | 3.5.2 | Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. | Establish procedures for initial authenticator distribution | 1.1.0 |
| Identification and Authentication | 3.5.2 | Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. | Manage authenticator lifetime and reuse | 1.1.0 |
| Identification and Authentication | 3.5.2 | Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. | Manage Authenticators | 1.1.0 |
| Identification and Authentication | 3.5.2 | Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. | Refresh authenticators | 1.1.0 |
| Identification and Authentication | 3.5.2 | Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. | Verify identity before distributing authenticators | 1.1.0 |
| Identification and Authentication | 3.5.3 | Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts | Accounts with owner permissions on Azure resources should be MFA enabled | 1.0.0 |
| Identification and Authentication | 3.5.3 | Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts | Accounts with read permissions on Azure resources should be MFA enabled | 1.0.0 |
| Identification and Authentication | 3.5.3 | Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts | Accounts with write permissions on Azure resources should be MFA enabled | 1.0.0 |
| Identification and Authentication | 3.5.3 | Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts | Adopt biometric authentication mechanisms | 1.1.0 |
| Identification and Authentication | 3.5.3 | Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts | Identify and authenticate network devices | 1.1.0 |
| Identification and Authentication | 3.5.5 | Prevent reuse of identifiers for a defined period. | Prevent identifier reuse for the defined time period | 1.1.0 |
| Identification and Authentication | 3.5.6 | Disable identifiers after a defined period of inactivity. | Blocked accounts with read and write permissions on Azure resources should be removed | 1.0.0 |
| Identification and Authentication | 3.5.7 | Enforce a minimum password complexity and change of characters when new passwords are created. | Document security strength requirements in acquisition contracts | 1.1.0 |
| Identification and Authentication | 3.5.7 | Enforce a minimum password complexity and change of characters when new passwords are created. | Establish a password policy | 1.1.0 |
| Identification and Authentication | 3.5.7 | Enforce a minimum password complexity and change of characters when new passwords are created. | Implement parameters for memorized secret verifiers | 1.1.0 |
| Incident response | 3.6.1 | Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities. | Coordinate contingency plans with related plans | 1.1.0 |
| Incident response | 3.6.1 | Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities. | Coordinate with external organizations to achieve cross org perspective | 1.1.0 |
| Incident response | 3.6.1 | Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities. | Develop an incident response plan | 1.1.0 |
| Incident response | 3.6.1 | Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities. | Develop security safeguards | 1.1.0 |
| Incident response | 3.6.1 | Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities. | Document security operations | 1.1.0 |
| Incident response | 3.6.1 | Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities. | Enable network protection | 1.1.0 |
| Incident response | 3.6.1 | Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities. | Eradicate contaminated information | 1.1.0 |
| Incident response | 3.6.1 | Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities. | Execute actions in response to information spills | 1.1.0 |
| Incident response | 3.6.1 | Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities. | Implement incident handling | 1.1.0 |
| Incident response | 3.6.1 | Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities. | Perform a trend analysis on threats | 1.1.0 |
| Incident response | 3.6.1 | Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities. | Provide information spillage training | 1.1.0 |
| Incident response | 3.6.1 | Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities. | View and investigate restricted users | 1.1.0 |
| Incident response | 3.6.2 | Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization. | Email notification for high severity alerts should be enabled | 1.1.0 |
| Incident response | 3.6.2 | Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization. | Email notification to subscription owner for high severity alerts should be enabled | 2.1.0 |
| Incident response | 3.6.2 | Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization. | Subscriptions should have a contact email address for security issues | 1.0.1 |
| Incident response | 3.6.3 | Test the organizational incident response capability. | Conduct incident response testing | 1.1.0 |
| Incident response | 3.6.3 | Test the organizational incident response capability. | Establish an information security program | 1.1.0 |
| Incident response | 3.6.3 | Test the organizational incident response capability. | Run simulation attacks | 1.1.0 |
| Maintenance | 3.7.1 | Perform maintenance on organizational systems.[26]. | Control maintenance and repair activities | 1.1.0 |
| Maintenance | 3.7.2 | Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance. | Control maintenance and repair activities | 1.1.0 |
| Maintenance | 3.7.2 | Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance. | Employ a media sanitization mechanism | 1.1.0 |
| Maintenance | 3.7.2 | Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance. | Implement controls to secure all media | 1.1.0 |
| Maintenance | 3.7.2 | Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance. | Manage nonlocal maintenance and diagnostic activities | 1.1.0 |
| Maintenance | 3.7.3 | Ensure equipment removed for off-site maintenance is sanitized of any CUI. | Employ a media sanitization mechanism | 1.1.0 |
| Maintenance | 3.7.3 | Ensure equipment removed for off-site maintenance is sanitized of any CUI. | Implement controls to secure all media | 1.1.0 |
| Maintenance | 3.7.3 | Ensure equipment removed for off-site maintenance is sanitized of any CUI. | Manage nonlocal maintenance and diagnostic activities | 1.1.0 |
| Maintenance | 3.7.4 | Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems. | Control maintenance and repair activities | 1.1.0 |
| Maintenance | 3.7.4 | Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems. | Manage nonlocal maintenance and diagnostic activities | 1.1.0 |
| Maintenance | 3.7.5 | Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete. | Manage nonlocal maintenance and diagnostic activities | 1.1.0 |
| Maintenance | 3.7.6 | Supervise the maintenance activities of maintenance personnel without required access authorization. | Designate personnel to supervise unauthorized maintenance activities | 1.1.0 |
| Maintenance | 3.7.6 | Supervise the maintenance activities of maintenance personnel without required access authorization. | Maintain list of authorized remote maintenance personnel | 1.1.0 |
| Maintenance | 3.7.6 | Supervise the maintenance activities of maintenance personnel without required access authorization. | Manage maintenance personnel | 1.1.0 |
| Media Protection | 3.8.1 | Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital. | Employ a media sanitization mechanism | 1.1.0 |
| Media Protection | 3.8.1 | Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital. | Implement controls to secure all media | 1.1.0 |
| Media Protection | 3.8.2 | Limit access to CUI on system media to authorized users | Employ a media sanitization mechanism | 1.1.0 |
| Media Protection | 3.8.2 | Limit access to CUI on system media to authorized users | Implement controls to secure all media | 1.1.0 |
| Media Protection | 3.8.3 | Sanitize or destroy system media containing CUI before disposal or release for reuse. | Employ a media sanitization mechanism | 1.1.0 |
| Media Protection | 3.8.3 | Sanitize or destroy system media containing CUI before disposal or release for reuse. | Implement controls to secure all media | 1.1.0 |
| Media Protection | 3.8.4 | Mark media with necessary CUI markings and distribution limitations.[27] | Implement controls to secure all media | 1.1.0 |
| Media Protection | 3.8.5 | Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas. | Implement controls to secure all media | 1.1.0 |
| Media Protection | 3.8.5 | Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas. | Manage the transportation of assets | 1.1.0 |
| Media Protection | 3.8.6 | Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards. | Implement controls to secure all media | 1.1.0 |
| Media Protection | 3.8.6 | Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards. | Manage the transportation of assets | 1.1.0 |
| Media Protection | 3.8.7 | Control the use of removable media on system components. | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| Media Protection | 3.8.7 | Control the use of removable media on system components. | Control use of portable storage devices | 1.1.0 |
| Media Protection | 3.8.7 | Control the use of removable media on system components. | Implement controls to secure all media | 1.1.0 |
| Media Protection | 3.8.7 | Control the use of removable media on system components. | Restrict media use | 1.1.0 |
| Media Protection | 3.8.8 | Prohibit the use of portable storage devices when such devices have no identifiable owner. | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| Media Protection | 3.8.8 | Prohibit the use of portable storage devices when such devices have no identifiable owner. | Control use of portable storage devices | 1.1.0 |
| Media Protection | 3.8.8 | Prohibit the use of portable storage devices when such devices have no identifiable owner. | Implement controls to secure all media | 1.1.0 |
| Media Protection | 3.8.8 | Prohibit the use of portable storage devices when such devices have no identifiable owner. | Restrict media use | 1.1.0 |
| Media Protection | 3.8.9 | Protect the confidentiality of backup CUI at storage locations. | Establish backup policies and procedures | 1.1.0 |
| Media Protection | 3.8.9 | Protect the confidentiality of backup CUI at storage locations. | Implement controls to secure all media | 1.1.0 |
| Personnel Security | 3.9.1 | Screen individuals prior to authorizing access to organizational systems containing CUI. | Clear personnel with access to classified information | 1.1.0 |
| Personnel Security | 3.9.1 | Screen individuals prior to authorizing access to organizational systems containing CUI. | Implement personnel screening | 1.1.0 |
| Personnel Security | 3.9.2 | Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers | Conduct exit interview upon termination | 1.1.0 |
| Personnel Security | 3.9.2 | Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers | Disable authenticators upon termination | 1.1.0 |
| Personnel Security | 3.9.2 | Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers | Initiate transfer or reassignment actions | 1.1.0 |
| Personnel Security | 3.9.2 | Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers | Modify access authorizations upon personnel transfer | 1.1.0 |
| Personnel Security | 3.9.2 | Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers | Notify upon termination or transfer | 1.1.0 |
| Personnel Security | 3.9.2 | Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers | Protect against and prevent data theft from departing employees | 1.1.0 |
| Personnel Security | 3.9.2 | Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers | Reevaluate access upon personnel transfer | 1.1.0 |
NIST SP 800-53 Rev. 4
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - NIST SP 800-53 Rev. 4. For more information about this compliance standard, see NIST SP 800-53 Rev. 4.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | AC-1 | Access Control Policy And Procedures | Develop access control policies and procedures | 1.1.0 |
| Access Control | AC-1 | Access Control Policy And Procedures | Enforce mandatory and discretionary access control policies | 1.1.0 |
| Access Control | AC-1 | Access Control Policy And Procedures | Govern policies and procedures | 1.1.0 |
| Access Control | AC-1 | Access Control Policy And Procedures | Review access control policies and procedures | 1.1.0 |
| Access Control | AC-2 | Account Management | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| Access Control | AC-2 | Account Management | Assign account managers | 1.1.0 |
| Access Control | AC-2 | Account Management | Audit user account status | 1.1.0 |
| Access Control | AC-2 | Account Management | Blocked accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| Access Control | AC-2 | Account Management | Blocked accounts with read and write permissions on Azure resources should be removed | 1.0.0 |
| Access Control | AC-2 | Account Management | Define and enforce conditions for shared and group accounts | 1.1.0 |
| Access Control | AC-2 | Account Management | Define information system account types | 1.1.0 |
| Access Control | AC-2 | Account Management | Document access privileges | 1.1.0 |
| Access Control | AC-2 | Account Management | Establish conditions for role membership | 1.1.0 |
| Access Control | AC-2 | Account Management | Guest accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| Access Control | AC-2 | Account Management | Guest accounts with read permissions on Azure resources should be removed | 1.0.0 |
| Access Control | AC-2 | Account Management | Guest accounts with write permissions on Azure resources should be removed | 1.0.0 |
| Access Control | AC-2 | Account Management | Monitor account activity | 1.1.0 |
| Access Control | AC-2 | Account Management | Notify Account Managers of customer controlled accounts | 1.1.0 |
| Access Control | AC-2 | Account Management | Reissue authenticators for changed groups and accounts | 1.1.0 |
| Access Control | AC-2 | Account Management | Require approval for account creation | 1.1.0 |
| Access Control | AC-2 | Account Management | Restrict access to privileged accounts | 1.1.0 |
| Access Control | AC-2 | Account Management | Review account provisioning logs | 1.1.0 |
| Access Control | AC-2 | Account Management | Review user accounts | 1.1.0 |
| Access Control | AC-2 (1) | Automated System Account Management | Automate account management | 1.1.0 |
| Access Control | AC-2 (1) | Automated System Account Management | Manage system and admin accounts | 1.1.0 |
| Access Control | AC-2 (1) | Automated System Account Management | Monitor access across the organization | 1.1.0 |
| Access Control | AC-2 (1) | Automated System Account Management | Notify when account is not needed | 1.1.0 |
| Access Control | AC-2 (3) | Disable Inactive Accounts | Disable authenticators upon termination | 1.1.0 |
| Access Control | AC-2 (3) | Disable Inactive Accounts | Revoke privileged roles as appropriate | 1.1.0 |
| Access Control | AC-2 (4) | Automated Audit Actions | Audit user account status | 1.1.0 |
| Access Control | AC-2 (4) | Automated Audit Actions | Automate account management | 1.1.0 |
| Access Control | AC-2 (4) | Automated Audit Actions | Manage system and admin accounts | 1.1.0 |
| Access Control | AC-2 (4) | Automated Audit Actions | Monitor access across the organization | 1.1.0 |
| Access Control | AC-2 (4) | Automated Audit Actions | Notify when account is not needed | 1.1.0 |
| Access Control | AC-2 (5) | Inactivity Logout | Define and enforce inactivity log policy | 1.1.0 |
| Access Control | AC-2 (7) | Role-Based Schemes | Audit privileged functions | 1.1.0 |
| Access Control | AC-2 (7) | Role-Based Schemes | Monitor account activity | 1.1.0 |
| Access Control | AC-2 (7) | Role-Based Schemes | Monitor privileged role assignment | 1.1.0 |
| Access Control | AC-2 (7) | Role-Based Schemes | Restrict access to privileged accounts | 1.1.0 |
| Access Control | AC-2 (7) | Role-Based Schemes | Revoke privileged roles as appropriate | 1.1.0 |
| Access Control | AC-2 (7) | Role-Based Schemes | Use privileged identity management | 1.1.0 |
| Access Control | AC-2 (9) | Restrictions On Use Of Shared Groups / Accounts | Define and enforce conditions for shared and group accounts | 1.1.0 |
| Access Control | AC-2 (10) | Shared / Group Account Credential Termination | Terminate customer controlled account credentials | 1.1.0 |
| Access Control | AC-2 (11) | Usage Conditions | Enforce appropriate usage of all accounts | 1.1.0 |
| Access Control | AC-2 (12) | Account Monitoring / Atypical Usage | Azure Defender for App Service should be enabled | 1.0.3 |
| Access Control | AC-2 (12) | Account Monitoring / Atypical Usage | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Access Control | AC-2 (12) | Account Monitoring / Atypical Usage | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Access Control | AC-2 (12) | Account Monitoring / Atypical Usage | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| Access Control | AC-2 (12) | Account Monitoring / Atypical Usage | Azure Defender for servers should be enabled | 1.0.3 |
| Access Control | AC-2 (12) | Account Monitoring / Atypical Usage | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Access Control | AC-2 (12) | Account Monitoring / Atypical Usage | Microsoft Defender for Containers should be enabled | 1.0.0 |
| Access Control | AC-2 (12) | Account Monitoring / Atypical Usage | Microsoft Defender for Storage should be enabled | 1.0.0 |
| Access Control | AC-2 (12) | Account Monitoring / Atypical Usage | Monitor account activity | 1.1.0 |
| Access Control | AC-2 (12) | Account Monitoring / Atypical Usage | Report atypical behavior of user accounts | 1.1.0 |
| Access Control | AC-2 (13) | Disable Accounts For High-Risk Individuals | Disable user accounts posing a significant risk | 1.1.0 |
| Access Control | AC-3 | Access Enforcement | Accounts with owner permissions on Azure resources should be MFA enabled | 1.0.0 |
| Access Control | AC-3 | Access Enforcement | Accounts with read permissions on Azure resources should be MFA enabled | 1.0.0 |
| Access Control | AC-3 | Access Enforcement | Accounts with write permissions on Azure resources should be MFA enabled | 1.0.0 |
| Access Control | AC-3 | Access Enforcement | Authorize access to security functions and information | 1.1.0 |
| Access Control | AC-3 | Access Enforcement | Authorize and manage access | 1.1.0 |
| Access Control | AC-3 | Access Enforcement | Enforce logical access | 1.1.0 |
| Access Control | AC-3 | Access Enforcement | Enforce mandatory and discretionary access control policies | 1.1.0 |
| Access Control | AC-3 | Access Enforcement | Require approval for account creation | 1.1.0 |
| Access Control | AC-3 | Access Enforcement | Review user groups and applications with access to sensitive data | 1.1.0 |
| Access Control | AC-4 | Information Flow Enforcement | Control information flow | 1.1.0 |
| Access Control | AC-4 | Information Flow Enforcement | Employ flow control mechanisms of encrypted information | 1.1.0 |
| Access Control | AC-4 (8) | Security Policy Filters | Information flow control using security policy filters | 1.1.0 |
| Access Control | AC-4 (21) | Physical / Logical Separation Of Information Flows | Control information flow | 1.1.0 |
| Access Control | AC-4 (21) | Physical / Logical Separation Of Information Flows | Establish firewall and router configuration standards | 1.1.0 |
| Access Control | AC-4 (21) | Physical / Logical Separation Of Information Flows | Establish network segmentation for card holder data environment | 1.1.0 |
| Access Control | AC-4 (21) | Physical / Logical Separation Of Information Flows | Identify and manage downstream information exchanges | 1.1.0 |
| Access Control | AC-5 | Separation Of Duties | Define access authorizations to support separation of duties | 1.1.0 |
| Access Control | AC-5 | Separation Of Duties | Document separation of duties | 1.1.0 |
| Access Control | AC-5 | Separation Of Duties | Separate duties of individuals | 1.1.0 |
| Access Control | AC-5 | Separation Of Duties | There should be more than one owner assigned to your subscription | 3.0.0 |
| Access Control | AC-6 | Least Privilege | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| Access Control | AC-6 | Least Privilege | Design an access control model | 1.1.0 |
| Access Control | AC-6 | Least Privilege | Employ least privilege access | 1.1.0 |
| Access Control | AC-6 (1) | Authorize Access To Security Functions | Authorize access to security functions and information | 1.1.0 |
| Access Control | AC-6 (1) | Authorize Access To Security Functions | Authorize and manage access | 1.1.0 |
| Access Control | AC-6 (1) | Authorize Access To Security Functions | Enforce mandatory and discretionary access control policies | 1.1.0 |
| Access Control | AC-6 (5) | Privileged Accounts | Restrict access to privileged accounts | 1.1.0 |
| Access Control | AC-6 (7) | Review Of User Privileges | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| Access Control | AC-6 (7) | Review Of User Privileges | Reassign or remove user privileges as needed | 1.1.0 |
| Access Control | AC-6 (7) | Review Of User Privileges | Review user privileges | 1.1.0 |
| Access Control | AC-6 (8) | Privilege Levels For Code Execution | Enforce software execution privileges | 1.1.0 |
| Access Control | AC-6 (9) | Auditing Use Of Privileged Functions | Audit privileged functions | 1.1.0 |
| Access Control | AC-6 (9) | Auditing Use Of Privileged Functions | Conduct a full text analysis of logged privileged commands | 1.1.0 |
| Access Control | AC-6 (9) | Auditing Use Of Privileged Functions | Monitor privileged role assignment | 1.1.0 |
| Access Control | AC-6 (9) | Auditing Use Of Privileged Functions | Restrict access to privileged accounts | 1.1.0 |
| Access Control | AC-6 (9) | Auditing Use Of Privileged Functions | Revoke privileged roles as appropriate | 1.1.0 |
| Access Control | AC-6 (9) | Auditing Use Of Privileged Functions | Use privileged identity management | 1.1.0 |
| Access Control | AC-7 | Unsuccessful Logon Attempts | Enforce a limit of consecutive failed login attempts | 1.1.0 |
| Access Control | AC-10 | Concurrent Session Control | Define and enforce the limit of concurrent sessions | 1.1.0 |
| Access Control | AC-12 | Session Termination | Terminate user session automatically | 1.1.0 |
| Access Control | AC-12 (1) | User-Initiated Logouts / Message Displays | Display an explicit logout message | 1.1.0 |
| Access Control | AC-12 (1) | User-Initiated Logouts / Message Displays | Provide the logout capability | 1.1.0 |
| Access Control | AC-14 | Permitted Actions Without Identification Or Authentication | Identify actions allowed without authentication | 1.1.0 |
| Access Control | AC-17 | Remote Access | Authorize remote access | 1.1.0 |
| Access Control | AC-17 | Remote Access | Document mobility training | 1.1.0 |
| Access Control | AC-17 | Remote Access | Document remote access guidelines | 1.1.0 |
| Access Control | AC-17 | Remote Access | Implement controls to secure alternate work sites | 1.1.0 |
| Access Control | AC-17 | Remote Access | Provide privacy training | 1.1.0 |
| Access Control | AC-17 (1) | Automated Monitoring / Control | Monitor access across the organization | 1.1.0 |
| Access Control | AC-17 (2) | Protection Of Confidentiality / Integrity Using Encryption | Notify users of system logon or access | 1.1.0 |
| Access Control | AC-17 (2) | Protection Of Confidentiality / Integrity Using Encryption | Protect data in transit using encryption | 1.1.0 |
| Access Control | AC-17 (3) | Managed Access Control Points | Route traffic through managed network access points | 1.1.0 |
| Access Control | AC-17 (4) | Privileged Commands / Access | Authorize remote access | 1.1.0 |
| Access Control | AC-17 (4) | Privileged Commands / Access | Authorize remote access to privileged commands | 1.1.0 |
| Access Control | AC-17 (4) | Privileged Commands / Access | Document remote access guidelines | 1.1.0 |
| Access Control | AC-17 (4) | Privileged Commands / Access | Implement controls to secure alternate work sites | 1.1.0 |
| Access Control | AC-17 (4) | Privileged Commands / Access | Provide privacy training | 1.1.0 |
| Access Control | AC-17 (9) | Disconnect / Disable Access | Provide capability to disconnect or disable remote access | 1.1.0 |
| Access Control | AC-18 | Wireless Access | Document and implement wireless access guidelines | 1.1.0 |
| Access Control | AC-18 | Wireless Access | Protect wireless access | 1.1.0 |
| Access Control | AC-18 (1) | Authentication And Encryption | Document and implement wireless access guidelines | 1.1.0 |
| Access Control | AC-18 (1) | Authentication And Encryption | Identify and authenticate network devices | 1.1.0 |
| Access Control | AC-18 (1) | Authentication And Encryption | Protect wireless access | 1.1.0 |
| Access Control | AC-19 | Access Control For Mobile Devices | Define mobile device requirements | 1.1.0 |
| Access Control | AC-19 (5) | Full Device / Container-Based Encryption | Define mobile device requirements | 1.1.0 |
| Access Control | AC-19 (5) | Full Device / Container-Based Encryption | Protect data in transit using encryption | 1.1.0 |
| Access Control | AC-20 | Use Of External Information Systems | Establish terms and conditions for accessing resources | 1.1.0 |
| Access Control | AC-20 | Use Of External Information Systems | Establish terms and conditions for processing resources | 1.1.0 |
| Access Control | AC-20 (1) | Limits On Authorized Use | Verify security controls for external information systems | 1.1.0 |
| Access Control | AC-20 (2) | Portable Storage Devices | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| Access Control | AC-20 (2) | Portable Storage Devices | Control use of portable storage devices | 1.1.0 |
| Access Control | AC-20 (2) | Portable Storage Devices | Implement controls to secure all media | 1.1.0 |
| Access Control | AC-21 | Information Sharing | Automate information sharing decisions | 1.1.0 |
| Access Control | AC-21 | Information Sharing | Facilitate information sharing | 1.1.0 |
| Access Control | AC-22 | Publicly Accessible Content | Designate authorized personnel to post publicly accessible information | 1.1.0 |
| Access Control | AC-22 | Publicly Accessible Content | Review content prior to posting publicly accessible information | 1.1.0 |
| Access Control | AC-22 | Publicly Accessible Content | Review publicly accessible content for nonpublic information | 1.1.0 |
| Access Control | AC-22 | Publicly Accessible Content | Train personnel on disclosure of nonpublic information | 1.1.0 |
| Awareness And Training | AT-1 | Security Awareness And Training Policy Andprocedures | Document security and privacy training activities | 1.1.0 |
| Awareness And Training | AT-1 | Security Awareness And Training Policy Andprocedures | Update information security policies | 1.1.0 |
| Awareness And Training | AT-2 | Security Awareness Training | Provide periodic security awareness training | 1.1.0 |
| Awareness And Training | AT-2 | Security Awareness Training | Provide security training for new users | 1.1.0 |
| Awareness And Training | AT-2 | Security Awareness Training | Provide updated security awareness training | 1.1.0 |
| Awareness And Training | AT-2 (2) | Insider Threat | Provide security awareness training for insider threats | 1.1.0 |
| Awareness And Training | AT-3 | Role-Based Security Training | Provide periodic role-based security training | 1.1.0 |
| Awareness And Training | AT-3 | Role-Based Security Training | Provide role-based security training | 1.1.0 |
| Awareness And Training | AT-3 | Role-Based Security Training | Provide security training before providing access | 1.1.0 |
| Awareness And Training | AT-3 (3) | Practical Exercises | Provide role-based practical exercises | 1.1.0 |
| Awareness And Training | AT-3 (4) | Suspicious Communications And Anomalous System Behavior | Provide role-based training on suspicious activities | 1.1.0 |
| Awareness And Training | AT-4 | Security Training Records | Document security and privacy training activities | 1.1.0 |
| Awareness And Training | AT-4 | Security Training Records | Monitor security and privacy training completion | 1.1.0 |
| Awareness And Training | AT-4 | Security Training Records | Retain training records | 1.1.0 |
| Audit And Accountability | AU-1 | Audit And Accountability Policy And Procedures | Develop audit and accountability policies and procedures | 1.1.0 |
| Audit And Accountability | AU-1 | Audit And Accountability Policy And Procedures | Develop information security policies and procedures | 1.1.0 |
| Audit And Accountability | AU-1 | Audit And Accountability Policy And Procedures | Govern policies and procedures | 1.1.0 |
| Audit And Accountability | AU-1 | Audit And Accountability Policy And Procedures | Update information security policies | 1.1.0 |
| Audit And Accountability | AU-2 | Audit Events | Determine auditable events | 1.1.0 |
| Audit And Accountability | AU-2 (3) | Reviews And Updates | Review and update the events defined in AU-02 | 1.1.0 |
| Audit And Accountability | AU-3 | Content Of Audit Records | Determine auditable events | 1.1.0 |
| Audit And Accountability | AU-3 (1) | Additional Audit Information | Configure Azure Audit capabilities | 1.1.1 |
| Audit And Accountability | AU-4 | Audit Storage Capacity | Govern and monitor audit processing activities | 1.1.0 |
| Audit And Accountability | AU-5 | Response To Audit Processing Failures | Govern and monitor audit processing activities | 1.1.0 |
| Audit And Accountability | AU-5 (2) | Real-Time Alerts | Provide real-time alerts for audit event failures | 1.1.0 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Azure Defender for App Service should be enabled | 1.0.3 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Azure Defender for servers should be enabled | 1.0.3 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Correlate audit records | 1.1.0 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Establish requirements for audit review and reporting | 1.1.0 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Integrate audit review, analysis, and reporting | 1.1.0 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Integrate cloud app security with a siem | 1.1.0 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Microsoft Defender for Containers should be enabled | 1.0.0 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Microsoft Defender for Storage should be enabled | 1.0.0 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Review account provisioning logs | 1.1.0 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Review administrator assignments weekly | 1.1.0 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Review audit data | 1.1.0 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Review cloud identity report overview | 1.1.0 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Review controlled folder access events | 1.1.0 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Review file and folder activity | 1.1.0 |
| Audit And Accountability | AU-6 | Audit Review, Analysis, And Reporting | Review role group changes weekly | 1.1.0 |
| Audit And Accountability | AU-6 (1) | Process Integration | Correlate audit records | 1.1.0 |
| Audit And Accountability | AU-6 (1) | Process Integration | Establish requirements for audit review and reporting | 1.1.0 |
| Audit And Accountability | AU-6 (1) | Process Integration | Integrate audit review, analysis, and reporting | 1.1.0 |
| Audit And Accountability | AU-6 (1) | Process Integration | Integrate cloud app security with a siem | 1.1.0 |
| Audit And Accountability | AU-6 (1) | Process Integration | Review account provisioning logs | 1.1.0 |
| Audit And Accountability | AU-6 (1) | Process Integration | Review administrator assignments weekly | 1.1.0 |
| Audit And Accountability | AU-6 (1) | Process Integration | Review audit data | 1.1.0 |
| Audit And Accountability | AU-6 (1) | Process Integration | Review cloud identity report overview | 1.1.0 |
| Audit And Accountability | AU-6 (1) | Process Integration | Review controlled folder access events | 1.1.0 |
| Audit And Accountability | AU-6 (1) | Process Integration | Review file and folder activity | 1.1.0 |
| Audit And Accountability | AU-6 (1) | Process Integration | Review role group changes weekly | 1.1.0 |
| Audit And Accountability | AU-6 (3) | Correlate Audit Repositories | Correlate audit records | 1.1.0 |
| Audit And Accountability | AU-6 (3) | Correlate Audit Repositories | Integrate cloud app security with a siem | 1.1.0 |
| Audit And Accountability | AU-6 (4) | Central Review And Analysis | Auto provisioning of the Log Analytics agent should be enabled on your subscription | 1.0.1 |
| Audit And Accountability | AU-6 (4) | Central Review And Analysis | Azure Defender for App Service should be enabled | 1.0.3 |
| Audit And Accountability | AU-6 (4) | Central Review And Analysis | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Audit And Accountability | AU-6 (4) | Central Review And Analysis | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Audit And Accountability | AU-6 (4) | Central Review And Analysis | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| Audit And Accountability | AU-6 (4) | Central Review And Analysis | Azure Defender for servers should be enabled | 1.0.3 |
| Audit And Accountability | AU-6 (4) | Central Review And Analysis | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Audit And Accountability | AU-6 (4) | Central Review And Analysis | Microsoft Defender for Containers should be enabled | 1.0.0 |
| Audit And Accountability | AU-6 (4) | Central Review And Analysis | Microsoft Defender for Storage should be enabled | 1.0.0 |
| Audit And Accountability | AU-6 (5) | Integration / Scanning And Monitoring Capabilities | Auto provisioning of the Log Analytics agent should be enabled on your subscription | 1.0.1 |
| Audit And Accountability | AU-6 (5) | Integration / Scanning And Monitoring Capabilities | Azure Defender for App Service should be enabled | 1.0.3 |
| Audit And Accountability | AU-6 (5) | Integration / Scanning And Monitoring Capabilities | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Audit And Accountability | AU-6 (5) | Integration / Scanning And Monitoring Capabilities | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Audit And Accountability | AU-6 (5) | Integration / Scanning And Monitoring Capabilities | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| Audit And Accountability | AU-6 (5) | Integration / Scanning And Monitoring Capabilities | Azure Defender for servers should be enabled | 1.0.3 |
| Audit And Accountability | AU-6 (5) | Integration / Scanning And Monitoring Capabilities | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Audit And Accountability | AU-6 (5) | Integration / Scanning And Monitoring Capabilities | Integrate Audit record analysis | 1.1.0 |
| Audit And Accountability | AU-6 (5) | Integration / Scanning And Monitoring Capabilities | Microsoft Defender for Containers should be enabled | 1.0.0 |
| Audit And Accountability | AU-6 (5) | Integration / Scanning And Monitoring Capabilities | Microsoft Defender for Storage should be enabled | 1.0.0 |
| Audit And Accountability | AU-6 (7) | Permitted Actions | Specify permitted actions associated with customer audit information | 1.1.0 |
| Audit And Accountability | AU-6 (10) | Audit Level Adjustment | Adjust level of audit review, analysis, and reporting | 1.1.0 |
| Audit And Accountability | AU-7 | Audit Reduction And Report Generation | Ensure audit records are not altered | 1.1.0 |
| Audit And Accountability | AU-7 | Audit Reduction And Report Generation | Provide audit review, analysis, and reporting capability | 1.1.0 |
| Audit And Accountability | AU-7 (1) | Automatic Processing | Provide capability to process customer-controlled audit records | 1.1.0 |
| Audit And Accountability | AU-8 | Time Stamps | Use system clocks for audit records | 1.1.0 |
| Audit And Accountability | AU-8 (1) | Synchronization With Authoritative Time Source | Use system clocks for audit records | 1.1.0 |
| Audit And Accountability | AU-9 | Protection Of Audit Information | Enable dual or joint authorization | 1.1.0 |
| Audit And Accountability | AU-9 | Protection Of Audit Information | Protect audit information | 1.1.0 |
| Audit And Accountability | AU-9 (2) | Audit Backup On Separate Physical Systems / Components | Establish backup policies and procedures | 1.1.0 |
| Audit And Accountability | AU-9 (3) | Cryptographic Protection | Maintain integrity of audit system | 1.1.0 |
| Audit And Accountability | AU-9 (4) | Access By Subset Of Privileged Users | Protect audit information | 1.1.0 |
| Audit And Accountability | AU-10 | Non-Repudiation | Establish electronic signature and certificate requirements | 1.1.0 |
| Audit And Accountability | AU-11 | Audit Record Retention | Adhere to retention periods defined | 1.1.0 |
| Audit And Accountability | AU-11 | Audit Record Retention | Retain security policies and procedures | 1.1.0 |
| Audit And Accountability | AU-11 | Audit Record Retention | Retain terminated user data | 1.1.0 |
| Audit And Accountability | AU-12 | Audit Generation | Audit privileged functions | 1.1.0 |
| Audit And Accountability | AU-12 | Audit Generation | Audit user account status | 1.1.0 |
| Audit And Accountability | AU-12 | Audit Generation | Auto provisioning of the Log Analytics agent should be enabled on your subscription | 1.0.1 |
| Audit And Accountability | AU-12 | Audit Generation | Azure Defender for App Service should be enabled | 1.0.3 |
| Audit And Accountability | AU-12 | Audit Generation | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Audit And Accountability | AU-12 | Audit Generation | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Audit And Accountability | AU-12 | Audit Generation | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| Audit And Accountability | AU-12 | Audit Generation | Azure Defender for servers should be enabled | 1.0.3 |
| Audit And Accountability | AU-12 | Audit Generation | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Audit And Accountability | AU-12 | Audit Generation | Determine auditable events | 1.1.0 |
| Audit And Accountability | AU-12 | Audit Generation | Microsoft Defender for Containers should be enabled | 1.0.0 |
| Audit And Accountability | AU-12 | Audit Generation | Microsoft Defender for Storage should be enabled | 1.0.0 |
| Audit And Accountability | AU-12 | Audit Generation | Review audit data | 1.1.0 |
| Audit And Accountability | AU-12 (1) | System-Wide / Time-Correlated Audit Trail | Auto provisioning of the Log Analytics agent should be enabled on your subscription | 1.0.1 |
| Audit And Accountability | AU-12 (1) | System-Wide / Time-Correlated Audit Trail | Azure Defender for App Service should be enabled | 1.0.3 |
| Audit And Accountability | AU-12 (1) | System-Wide / Time-Correlated Audit Trail | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Audit And Accountability | AU-12 (1) | System-Wide / Time-Correlated Audit Trail | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Audit And Accountability | AU-12 (1) | System-Wide / Time-Correlated Audit Trail | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| Audit And Accountability | AU-12 (1) | System-Wide / Time-Correlated Audit Trail | Azure Defender for servers should be enabled | 1.0.3 |
| Audit And Accountability | AU-12 (1) | System-Wide / Time-Correlated Audit Trail | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Audit And Accountability | AU-12 (1) | System-Wide / Time-Correlated Audit Trail | Compile Audit records into system wide audit | 1.1.0 |
| Audit And Accountability | AU-12 (1) | System-Wide / Time-Correlated Audit Trail | Microsoft Defender for Containers should be enabled | 1.0.0 |
| Audit And Accountability | AU-12 (1) | System-Wide / Time-Correlated Audit Trail | Microsoft Defender for Storage should be enabled | 1.0.0 |
| Audit And Accountability | AU-12 (3) | Changes By Authorized Individuals | Provide the capability to extend or limit auditing on customer-deployed resources | 1.1.0 |
| Security Assessment And Authorization | CA-1 | Security Assessment And Authorization Policy And Procedures | Review security assessment and authorization policies and procedures | 1.1.0 |
| Security Assessment And Authorization | CA-2 | Security Assessments | Assess Security Controls | 1.1.0 |
| Security Assessment And Authorization | CA-2 | Security Assessments | Deliver security assessment results | 1.1.0 |
| Security Assessment And Authorization | CA-2 | Security Assessments | Develop security assessment plan | 1.1.0 |
| Security Assessment And Authorization | CA-2 | Security Assessments | Produce Security Assessment report | 1.1.0 |
| Security Assessment And Authorization | CA-2 (1) | Independent Assessors | Employ independent assessors to conduct security control assessments | 1.1.0 |
| Security Assessment And Authorization | CA-2 (2) | Specialized Assessments | Select additional testing for security control assessments | 1.1.0 |
| Security Assessment And Authorization | CA-2 (3) | External Organizations | Accept assessment results | 1.1.0 |
| Security Assessment And Authorization | CA-3 | System Interconnections | Require interconnection security agreements | 1.1.0 |
| Security Assessment And Authorization | CA-3 | System Interconnections | Update interconnection security agreements | 1.1.0 |
| Security Assessment And Authorization | CA-3 (3) | Unclassified Non-National Security System Connections | Implement system boundary protection | 1.1.0 |
| Security Assessment And Authorization | CA-3 (5) | Restrictions On External System Connections | Employ restrictions on external system interconnections | 1.1.0 |
| Security Assessment And Authorization | CA-5 | Plan Of Action And Milestones | Develop POA&M | 1.1.0 |
| Security Assessment And Authorization | CA-5 | Plan Of Action And Milestones | Update POA&M items | 1.1.0 |
| Security Assessment And Authorization | CA-6 | Security Authorization | Assign an authorizing official (AO) | 1.1.0 |
| Security Assessment And Authorization | CA-6 | Security Authorization | Ensure resources are authorized | 1.1.0 |
| Security Assessment And Authorization | CA-6 | Security Authorization | Update the security authorization | 1.1.0 |
| Security Assessment And Authorization | CA-7 | Continuous Monitoring | Configure detection whitelist | 1.1.0 |
| Security Assessment And Authorization | CA-7 | Continuous Monitoring | Turn on sensors for endpoint security solution | 1.1.0 |
| Security Assessment And Authorization | CA-7 | Continuous Monitoring | Undergo independent security review | 1.1.0 |
| Security Assessment And Authorization | CA-7 (1) | Independent Assessment | Employ independent assessors for continuous monitoring | 1.1.0 |
| Security Assessment And Authorization | CA-7 (3) | Trend Analyses | Analyse data obtained from continuous monitoring | 1.1.0 |
| Security Assessment And Authorization | CA-8 (1) | Independent Penetration Agent Or Team | Employ independent team for penetration testing | 1.1.0 |
| Security Assessment And Authorization | CA-9 | Internal System Connections | Check for privacy and security compliance before establishing internal connections | 1.1.0 |
| Configuration Management | CM-1 | Configuration Management Policy And Procedures | Review and update configuration management policies and procedures | 1.1.0 |
| Configuration Management | CM-2 | Baseline Configuration | Configure actions for noncompliant devices | 1.1.0 |
| Configuration Management | CM-2 | Baseline Configuration | Develop and maintain baseline configurations | 1.1.0 |
| Configuration Management | CM-2 | Baseline Configuration | Enforce security configuration settings | 1.1.0 |
| Configuration Management | CM-2 | Baseline Configuration | Establish a configuration control board | 1.1.0 |
| Configuration Management | CM-2 | Baseline Configuration | Establish and document a configuration management plan | 1.1.0 |
| Configuration Management | CM-2 | Baseline Configuration | Implement an automated configuration management tool | 1.1.0 |
| Configuration Management | CM-2 (2) | Automation Support For Accuracy / Currency | Configure actions for noncompliant devices | 1.1.0 |
| Configuration Management | CM-2 (2) | Automation Support For Accuracy / Currency | Develop and maintain baseline configurations | 1.1.0 |
| Configuration Management | CM-2 (2) | Automation Support For Accuracy / Currency | Enforce security configuration settings | 1.1.0 |
| Configuration Management | CM-2 (2) | Automation Support For Accuracy / Currency | Establish a configuration control board | 1.1.0 |
| Configuration Management | CM-2 (2) | Automation Support For Accuracy / Currency | Establish and document a configuration management plan | 1.1.0 |
| Configuration Management | CM-2 (2) | Automation Support For Accuracy / Currency | Implement an automated configuration management tool | 1.1.0 |
| Configuration Management | CM-2 (3) | Retention Of Previous Configurations | Retain previous versions of baseline configs | 1.1.0 |
| Configuration Management | CM-2 (7) | Configure Systems, Components, Or Devices For High-Risk Areas | Ensure security safeguards not needed when the individuals return | 1.1.0 |
| Configuration Management | CM-2 (7) | Configure Systems, Components, Or Devices For High-Risk Areas | Not allow for information systems to accompany with individuals | 1.1.0 |
| Configuration Management | CM-3 | Configuration Change Control | Conduct a security impact analysis | 1.1.0 |
| Configuration Management | CM-3 | Configuration Change Control | Develop and maintain a vulnerability management standard | 1.1.0 |
| Configuration Management | CM-3 | Configuration Change Control | Establish a risk management strategy | 1.1.0 |
| Configuration Management | CM-3 | Configuration Change Control | Establish and document change control processes | 1.1.0 |
| Configuration Management | CM-3 | Configuration Change Control | Establish configuration management requirements for developers | 1.1.0 |
| Configuration Management | CM-3 | Configuration Change Control | Perform a privacy impact assessment | 1.1.0 |
| Configuration Management | CM-3 | Configuration Change Control | Perform a risk assessment | 1.1.0 |
| Configuration Management | CM-3 | Configuration Change Control | Perform audit for configuration change control | 1.1.0 |
| Configuration Management | CM-3 (1) | Automated Document / Notification / Prohibition Of Changes | Automate approval request for proposed changes | 1.1.0 |
| Configuration Management | CM-3 (1) | Automated Document / Notification / Prohibition Of Changes | Automate implementation of approved change notifications | 1.1.0 |
| Configuration Management | CM-3 (1) | Automated Document / Notification / Prohibition Of Changes | Automate process to document implemented changes | 1.1.0 |
| Configuration Management | CM-3 (1) | Automated Document / Notification / Prohibition Of Changes | Automate process to highlight unreviewed change proposals | 1.1.0 |
| Configuration Management | CM-3 (1) | Automated Document / Notification / Prohibition Of Changes | Automate process to prohibit implementation of unapproved changes | 1.1.0 |
| Configuration Management | CM-3 (1) | Automated Document / Notification / Prohibition Of Changes | Automate proposed documented changes | 1.1.0 |
| Configuration Management | CM-3 (2) | Test / Validate / Document Changes | Establish and document change control processes | 1.1.0 |
| Configuration Management | CM-3 (2) | Test / Validate / Document Changes | Establish configuration management requirements for developers | 1.1.0 |
| Configuration Management | CM-3 (2) | Test / Validate / Document Changes | Perform audit for configuration change control | 1.1.0 |
| Configuration Management | CM-3 (4) | Security Representative | Assign information security representative to change control | 1.1.0 |
| Configuration Management | CM-3 (6) | Cryptography Management | Ensure cryptographic mechanisms are under configuration management | 1.1.0 |
| Configuration Management | CM-4 | Security Impact Analysis | Conduct a security impact analysis | 1.1.0 |
| Configuration Management | CM-4 | Security Impact Analysis | Develop and maintain a vulnerability management standard | 1.1.0 |
| Configuration Management | CM-4 | Security Impact Analysis | Establish a risk management strategy | 1.1.0 |
| Configuration Management | CM-4 | Security Impact Analysis | Establish and document change control processes | 1.1.0 |
| Configuration Management | CM-4 | Security Impact Analysis | Establish configuration management requirements for developers | 1.1.0 |
| Configuration Management | CM-4 | Security Impact Analysis | Perform a privacy impact assessment | 1.1.0 |
| Configuration Management | CM-4 | Security Impact Analysis | Perform a risk assessment | 1.1.0 |
| Configuration Management | CM-4 | Security Impact Analysis | Perform audit for configuration change control | 1.1.0 |
| Configuration Management | CM-4 (1) | Separate Test Environments | Conduct a security impact analysis | 1.1.0 |
| Configuration Management | CM-4 (1) | Separate Test Environments | Establish and document change control processes | 1.1.0 |
| Configuration Management | CM-4 (1) | Separate Test Environments | Establish configuration management requirements for developers | 1.1.0 |
| Configuration Management | CM-4 (1) | Separate Test Environments | Perform a privacy impact assessment | 1.1.0 |
| Configuration Management | CM-4 (1) | Separate Test Environments | Perform audit for configuration change control | 1.1.0 |
| Configuration Management | CM-5 | Access Restrictions For Change | Establish and document change control processes | 1.1.0 |
| Configuration Management | CM-5 (1) | Automated Access Enforcement / Auditing | Enforce and audit access restrictions | 1.1.0 |
| Configuration Management | CM-5 (2) | Review System Changes | Review changes for any unauthorized changes | 1.1.0 |
| Configuration Management | CM-5 (3) | Signed Components | Restrict unauthorized software and firmware installation | 1.1.0 |
| Configuration Management | CM-5 (5) | Limit Production / Operational Privileges | Limit privileges to make changes in production environment | 1.1.0 |
| Configuration Management | CM-5 (5) | Limit Production / Operational Privileges | Review and reevaluate privileges | 1.1.0 |
| Configuration Management | CM-6 | Configuration Settings | Enforce security configuration settings | 1.1.0 |
| Configuration Management | CM-6 | Configuration Settings | Remediate information system flaws | 1.1.0 |
| Configuration Management | CM-6 (1) | Automated Central Management / Application / Verification | Enforce security configuration settings | 1.1.0 |
| Configuration Management | CM-6 (1) | Automated Central Management / Application / Verification | Govern compliance of cloud service providers | 1.1.0 |
| Configuration Management | CM-6 (1) | Automated Central Management / Application / Verification | View and configure system diagnostic data | 1.1.0 |
| Configuration Management | CM-7 | Least Functionality | Azure Defender for servers should be enabled | 1.0.3 |
| Configuration Management | CM-8 | Information System Component Inventory | Create a data inventory | 1.1.0 |
| Configuration Management | CM-8 | Information System Component Inventory | Maintain records of processing of personal data | 1.1.0 |
| Configuration Management | CM-8 (1) | Updates During Installations / Removals | Create a data inventory | 1.1.0 |
| Configuration Management | CM-8 (1) | Updates During Installations / Removals | Maintain records of processing of personal data | 1.1.0 |
| Configuration Management | CM-8 (3) | Automated Unauthorized Component Detection | Enable detection of network devices | 1.1.0 |
| Configuration Management | CM-8 (3) | Automated Unauthorized Component Detection | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| Configuration Management | CM-8 (4) | Accountability Information | Create a data inventory | 1.1.0 |
| Configuration Management | CM-8 (4) | Accountability Information | Establish and maintain an asset inventory | 1.1.0 |
| Configuration Management | CM-9 | Configuration Management Plan | Create configuration plan protection | 1.1.0 |
| Configuration Management | CM-9 | Configuration Management Plan | Develop and maintain baseline configurations | 1.1.0 |
| Configuration Management | CM-9 | Configuration Management Plan | Develop configuration item identification plan | 1.1.0 |
| Configuration Management | CM-9 | Configuration Management Plan | Develop configuration management plan | 1.1.0 |
| Configuration Management | CM-9 | Configuration Management Plan | Establish and document a configuration management plan | 1.1.0 |
| Configuration Management | CM-9 | Configuration Management Plan | Implement an automated configuration management tool | 1.1.0 |
| Configuration Management | CM-10 | Software Usage Restrictions | Require compliance with intellectual property rights | 1.1.0 |
| Configuration Management | CM-10 | Software Usage Restrictions | Track software license usage | 1.1.0 |
| Configuration Management | CM-10 (1) | Open Source Software | Restrict use of open source software | 1.1.0 |
| Contingency Planning | CP-1 | Contingency Planning Policy And Procedures | Review and update contingency planning policies and procedures | 1.1.0 |
| Contingency Planning | CP-2 | Contingency Plan | Communicate contingency plan changes | 1.1.0 |
| Contingency Planning | CP-2 | Contingency Plan | Coordinate contingency plans with related plans | 1.1.0 |
| Contingency Planning | CP-2 | Contingency Plan | Develop and document a business continuity and disaster recovery plan | 1.1.0 |
| Contingency Planning | CP-2 | Contingency Plan | Develop contingency plan | 1.1.0 |
| Contingency Planning | CP-2 | Contingency Plan | Develop contingency planning policies and procedures | 1.1.0 |
| Contingency Planning | CP-2 | Contingency Plan | Distribute policies and procedures | 1.1.0 |
| Contingency Planning | CP-2 | Contingency Plan | Review contingency plan | 1.1.0 |
| Contingency Planning | CP-2 | Contingency Plan | Update contingency plan | 1.1.0 |
| Contingency Planning | CP-2 (1) | Coordinate With Related Plans | Coordinate contingency plans with related plans | 1.1.0 |
| Contingency Planning | CP-2 (2) | Capacity Planning | Conduct capacity planning | 1.1.0 |
| Contingency Planning | CP-2 (3) | Resume Essential Missions / Business Functions | Plan for resumption of essential business functions | 1.1.0 |
| Contingency Planning | CP-2 (4) | Resume All Missions / Business Functions | Resume all mission and business functions | 1.1.0 |
| Contingency Planning | CP-2 (5) | Continue Essential Missions / Business Functions | Plan for continuance of essential business functions | 1.1.0 |
| Contingency Planning | CP-2 (8) | Identify Critical Assets | Perform a business impact assessment and application criticality assessment | 1.1.0 |
| Contingency Planning | CP-3 | Contingency Training | Provide contingency training | 1.1.0 |
| Contingency Planning | CP-3 (1) | Simulated Events | Incorporate simulated contingency training | 1.1.0 |
| Contingency Planning | CP-4 | Contingency Plan Testing | Initiate contingency plan testing corrective actions | 1.1.0 |
| Contingency Planning | CP-4 | Contingency Plan Testing | Review the results of contingency plan testing | 1.1.0 |
| Contingency Planning | CP-4 | Contingency Plan Testing | Test the business continuity and disaster recovery plan | 1.1.0 |
| Contingency Planning | CP-4 (1) | Coordinate With Related Plans | Coordinate contingency plans with related plans | 1.1.0 |
| Contingency Planning | CP-4 (2) | Alternate Processing Site | Evaluate alternate processing site capabilities | 1.1.0 |
| Contingency Planning | CP-4 (2) | Alternate Processing Site | Test contingency plan at an alternate processing location | 1.1.0 |
| Contingency Planning | CP-6 | Alternate Storage Site | Ensure alternate storage site safeguards are equivalent to primary site | 1.1.0 |
| Contingency Planning | CP-6 | Alternate Storage Site | Establish alternate storage site to store and retrieve backup information | 1.1.0 |
| Contingency Planning | CP-6 (1) | Separation From Primary Site | Create separate alternate and primary storage sites | 1.1.0 |
| Contingency Planning | CP-6 (2) | Recovery Time / Point Objectives | Establish alternate storage site that facilitates recovery operations | 1.1.0 |
| Contingency Planning | CP-6 (3) | Accessibility | Identify and mitigate potential issues at alternate storage site | 1.1.0 |
| Contingency Planning | CP-7 | Alternate Processing Site | Audit virtual machines without disaster recovery configured | 1.0.0 |
| Contingency Planning | CP-7 | Alternate Processing Site | Establish an alternate processing site | 1.1.0 |
| Contingency Planning | CP-7 (1) | Separation From Primary Site | Establish an alternate processing site | 1.1.0 |
| Contingency Planning | CP-7 (2) | Accessibility | Establish an alternate processing site | 1.1.0 |
| Contingency Planning | CP-7 (3) | Priority Of Service | Establish an alternate processing site | 1.1.0 |
| Contingency Planning | CP-7 (3) | Priority Of Service | Establish requirements for internet service providers | 1.1.0 |
| Contingency Planning | CP-7 (4) | Preparation For Use | Prepare alternate processing site for use as operational site | 1.1.0 |
| Contingency Planning | CP-8 (1) | Priority Of Service Provisions | Establish requirements for internet service providers | 1.1.0 |
| Contingency Planning | CP-9 | Information System Backup | Conduct backup of information system documentation | 1.1.0 |
| Contingency Planning | CP-9 | Information System Backup | Establish backup policies and procedures | 1.1.0 |
| Contingency Planning | CP-9 | Information System Backup | Implement controls to secure all media | 1.1.0 |
| Contingency Planning | CP-9 (3) | Separate Storage For Critical Information | Separately store backup information | 1.1.0 |
| Contingency Planning | CP-9 (5) | Transfer To Alternate Storage Site | Transfer backup information to an alternate storage site | 1.1.0 |
| Contingency Planning | CP-10 | Information System Recovery And Reconstitution | Recover and reconstitute resources after any disruption | 1.1.1 |
| Contingency Planning | CP-10 (2) | Transaction Recovery | Implement transaction based recovery | 1.1.0 |
| Contingency Planning | CP-10 (4) | Restore Within Time Period | Restore resources to operational state | 1.1.1 |
| Identification And Authentication | IA-1 | Identification And Authentication Policy And Procedures | Review and update identification and authentication policies and procedures | 1.1.0 |
| Identification And Authentication | IA-2 | Identification And Authentication (Organizational Users) | Accounts with owner permissions on Azure resources should be MFA enabled | 1.0.0 |
| Identification And Authentication | IA-2 | Identification And Authentication (Organizational Users) | Accounts with read permissions on Azure resources should be MFA enabled | 1.0.0 |
| Identification And Authentication | IA-2 | Identification And Authentication (Organizational Users) | Accounts with write permissions on Azure resources should be MFA enabled | 1.0.0 |
| Identification And Authentication | IA-2 | Identification And Authentication (Organizational Users) | Enforce user uniqueness | 1.1.0 |
| Identification And Authentication | IA-2 | Identification And Authentication (Organizational Users) | Support personal verification credentials issued by legal authorities | 1.1.0 |
| Identification And Authentication | IA-2 (1) | Network Access To Privileged Accounts | Accounts with owner permissions on Azure resources should be MFA enabled | 1.0.0 |
| Identification And Authentication | IA-2 (1) | Network Access To Privileged Accounts | Accounts with write permissions on Azure resources should be MFA enabled | 1.0.0 |
| Identification And Authentication | IA-2 (1) | Network Access To Privileged Accounts | Adopt biometric authentication mechanisms | 1.1.0 |
| Identification And Authentication | IA-2 (2) | Network Access To Non-Privileged Accounts | Accounts with read permissions on Azure resources should be MFA enabled | 1.0.0 |
| Identification And Authentication | IA-2 (2) | Network Access To Non-Privileged Accounts | Adopt biometric authentication mechanisms | 1.1.0 |
| Identification And Authentication | IA-2 (3) | Local Access To Privileged Accounts | Adopt biometric authentication mechanisms | 1.1.0 |
| Identification And Authentication | IA-2 (5) | Group Authentication | Require use of individual authenticators | 1.1.0 |
| Identification And Authentication | IA-2 (11) | Remote Access - Separate Device | Adopt biometric authentication mechanisms | 1.1.0 |
| Identification And Authentication | IA-2 (11) | Remote Access - Separate Device | Identify and authenticate network devices | 1.1.0 |
| Identification And Authentication | IA-2 (12) | Acceptance Of Piv Credentials | Support personal verification credentials issued by legal authorities | 1.1.0 |
| Identification And Authentication | IA-4 | Identifier Management | Assign system identifiers | 1.1.0 |
| Identification And Authentication | IA-4 | Identifier Management | Prevent identifier reuse for the defined time period | 1.1.0 |
| Identification And Authentication | IA-4 (4) | Identify User Status | Identify status of individual users | 1.1.0 |
| Identification And Authentication | IA-5 | Authenticator Management | Establish authenticator types and processes | 1.1.0 |
| Identification And Authentication | IA-5 | Authenticator Management | Establish procedures for initial authenticator distribution | 1.1.0 |
| Identification And Authentication | IA-5 | Authenticator Management | Implement training for protecting authenticators | 1.1.0 |
| Identification And Authentication | IA-5 | Authenticator Management | Manage authenticator lifetime and reuse | 1.1.0 |
| Identification And Authentication | IA-5 | Authenticator Management | Manage Authenticators | 1.1.0 |
| Identification And Authentication | IA-5 | Authenticator Management | Refresh authenticators | 1.1.0 |
| Identification And Authentication | IA-5 | Authenticator Management | Reissue authenticators for changed groups and accounts | 1.1.0 |
| Identification And Authentication | IA-5 | Authenticator Management | Verify identity before distributing authenticators | 1.1.0 |
| Identification And Authentication | IA-5 (1) | Password-Based Authentication | Document security strength requirements in acquisition contracts | 1.1.0 |
| Identification And Authentication | IA-5 (1) | Password-Based Authentication | Establish a password policy | 1.1.0 |
| Identification And Authentication | IA-5 (1) | Password-Based Authentication | Implement parameters for memorized secret verifiers | 1.1.0 |
| Identification And Authentication | IA-5 (1) | Password-Based Authentication | Protect passwords with encryption | 1.1.0 |
| Identification And Authentication | IA-5 (2) | Pki-Based Authentication | Bind authenticators and identities dynamically | 1.1.0 |
| Identification And Authentication | IA-5 (2) | Pki-Based Authentication | Establish authenticator types and processes | 1.1.0 |
| Identification And Authentication | IA-5 (2) | Pki-Based Authentication | Establish parameters for searching secret authenticators and verifiers | 1.1.0 |
| Identification And Authentication | IA-5 (2) | Pki-Based Authentication | Establish procedures for initial authenticator distribution | 1.1.0 |
| Identification And Authentication | IA-5 (2) | Pki-Based Authentication | Map authenticated identities to individuals | 1.1.0 |
| Identification And Authentication | IA-5 (2) | Pki-Based Authentication | Restrict access to private keys | 1.1.0 |
| Identification And Authentication | IA-5 (2) | Pki-Based Authentication | Verify identity before distributing authenticators | 1.1.0 |
| Identification And Authentication | IA-5 (3) | In-Person Or Trusted Third-Party Registration | Distribute authenticators | 1.1.0 |
| Identification And Authentication | IA-5 (4) | Automated Support For Password Strength Determination | Document security strength requirements in acquisition contracts | 1.1.0 |
| Identification And Authentication | IA-5 (4) | Automated Support For Password Strength Determination | Establish a password policy | 1.1.0 |
| Identification And Authentication | IA-5 (4) | Automated Support For Password Strength Determination | Implement parameters for memorized secret verifiers | 1.1.0 |
| Identification And Authentication | IA-5 (6) | Protection Of Authenticators | Ensure authorized users protect provided authenticators | 1.1.0 |
| Identification And Authentication | IA-5 (7) | No Embedded Unencrypted Static Authenticators | Ensure there are no unencrypted static authenticators | 1.1.0 |
| Identification And Authentication | IA-5 (11) | Hardware Token-Based Authentication | Satisfy token quality requirements | 1.1.0 |
| Identification And Authentication | IA-5 (13) | Expiration Of Cached Authenticators | Enforce expiration of cached authenticators | 1.1.0 |
| Identification And Authentication | IA-6 | Authenticator Feedback | Obscure feedback information during authentication process | 1.1.0 |
| Identification And Authentication | IA-7 | Cryptographic Module Authentication | Authenticate to cryptographic module | 1.1.0 |
| Identification And Authentication | IA-8 | Identification And Authentication (Non- Organizational Users) | Identify and authenticate non-organizational users | 1.1.0 |
| Identification And Authentication | IA-8 (1) | Acceptance Of Piv Credentials From Other Agencies | Accept PIV credentials | 1.1.0 |
| Identification And Authentication | IA-8 (2) | Acceptance Of Third-Party Credentials | Accept only FICAM-approved third-party credentials | 1.1.0 |
| Identification And Authentication | IA-8 (3) | Use Of Ficam-Approved Products | Employ FICAM-approved resources to accept third-party credentials | 1.1.0 |
| Identification And Authentication | IA-8 (4) | Use Of Ficam-Issued Profiles | Conform to FICAM-issued profiles | 1.1.0 |
| Incident Response | IR-1 | Incident Response Policy And Procedures | Review and update incident response policies and procedures | 1.1.0 |
| Incident Response | IR-2 | Incident Response Training | Provide information spillage training | 1.1.0 |
| Incident Response | IR-2 (1) | Simulated Events | Incorporate simulated events into incident response training | 1.1.0 |
| Incident Response | IR-2 (2) | Automated Training Environments | Employ automated training environment | 1.1.0 |
| Incident Response | IR-3 | Incident Response Testing | Conduct incident response testing | 1.1.0 |
| Incident Response | IR-3 | Incident Response Testing | Establish an information security program | 1.1.0 |
| Incident Response | IR-3 | Incident Response Testing | Run simulation attacks | 1.1.0 |
| Incident Response | IR-3 (2) | Coordination With Related Plans | Conduct incident response testing | 1.1.0 |
| Incident Response | IR-3 (2) | Coordination With Related Plans | Establish an information security program | 1.1.0 |
| Incident Response | IR-3 (2) | Coordination With Related Plans | Run simulation attacks | 1.1.0 |
| Incident Response | IR-4 | Incident Handling | Assess information security events | 1.1.0 |
| Incident Response | IR-4 | Incident Handling | Azure Defender for App Service should be enabled | 1.0.3 |
| Incident Response | IR-4 | Incident Handling | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Incident Response | IR-4 | Incident Handling | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Incident Response | IR-4 | Incident Handling | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| Incident Response | IR-4 | Incident Handling | Azure Defender for servers should be enabled | 1.0.3 |
| Incident Response | IR-4 | Incident Handling | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Incident Response | IR-4 | Incident Handling | Coordinate contingency plans with related plans | 1.1.0 |
| Incident Response | IR-4 | Incident Handling | Develop an incident response plan | 1.1.0 |
| Incident Response | IR-4 | Incident Handling | Develop security safeguards | 1.1.0 |
| Incident Response | IR-4 | Incident Handling | Email notification for high severity alerts should be enabled | 1.1.0 |
| Incident Response | IR-4 | Incident Handling | Email notification to subscription owner for high severity alerts should be enabled | 2.1.0 |
| Incident Response | IR-4 | Incident Handling | Enable network protection | 1.1.0 |
| Incident Response | IR-4 | Incident Handling | Eradicate contaminated information | 1.1.0 |
| Incident Response | IR-4 | Incident Handling | Execute actions in response to information spills | 1.1.0 |
| Incident Response | IR-4 | Incident Handling | Implement incident handling | 1.1.0 |
| Incident Response | IR-4 | Incident Handling | Maintain incident response plan | 1.1.0 |
| Incident Response | IR-4 | Incident Handling | Microsoft Defender for Containers should be enabled | 1.0.0 |
| Incident Response | IR-4 | Incident Handling | Microsoft Defender for Storage should be enabled | 1.0.0 |
| Incident Response | IR-4 | Incident Handling | Perform a trend analysis on threats | 1.1.0 |
| Incident Response | IR-4 | Incident Handling | Subscriptions should have a contact email address for security issues | 1.0.1 |
| Incident Response | IR-4 | Incident Handling | View and investigate restricted users | 1.1.0 |
| Incident Response | IR-4 (1) | Automated Incident Handling Processes | Develop an incident response plan | 1.1.0 |
| Incident Response | IR-4 (1) | Automated Incident Handling Processes | Enable network protection | 1.1.0 |
| Incident Response | IR-4 (1) | Automated Incident Handling Processes | Implement incident handling | 1.1.0 |
| Incident Response | IR-4 (2) | Dynamic Reconfiguration | Include dynamic reconfig of customer deployed resources | 1.1.0 |
| Incident Response | IR-4 (3) | Continuity Of Operations | Identify classes of Incidents and Actions taken | 1.1.0 |
| Incident Response | IR-4 (4) | Information Correlation | Implement incident handling | 1.1.0 |
| Incident Response | IR-4 (6) | Insider Threats - Specific Capabilities | Implement Incident handling capability | 1.1.0 |
| Incident Response | IR-4 (8) | Correlation With External Organizations | Coordinate with external organizations to achieve cross org perspective | 1.1.0 |
| Incident Response | IR-5 | Incident Monitoring | Azure Defender for App Service should be enabled | 1.0.3 |
| Incident Response | IR-5 | Incident Monitoring | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Incident Response | IR-5 | Incident Monitoring | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Incident Response | IR-5 | Incident Monitoring | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| Incident Response | IR-5 | Incident Monitoring | Azure Defender for servers should be enabled | 1.0.3 |
| Incident Response | IR-5 | Incident Monitoring | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Incident Response | IR-5 | Incident Monitoring | Email notification for high severity alerts should be enabled | 1.1.0 |
| Incident Response | IR-5 | Incident Monitoring | Email notification to subscription owner for high severity alerts should be enabled | 2.1.0 |
| Incident Response | IR-5 | Incident Monitoring | Microsoft Defender for Containers should be enabled | 1.0.0 |
| Incident Response | IR-5 | Incident Monitoring | Microsoft Defender for Storage should be enabled | 1.0.0 |
| Incident Response | IR-5 | Incident Monitoring | Subscriptions should have a contact email address for security issues | 1.0.1 |
| Incident Response | IR-6 (1) | Automated Reporting | Document security operations | 1.1.0 |
| Incident Response | IR-6 (2) | Vulnerabilities Related to Incidents | Email notification for high severity alerts should be enabled | 1.1.0 |
| Incident Response | IR-6 (2) | Vulnerabilities Related to Incidents | Email notification to subscription owner for high severity alerts should be enabled | 2.1.0 |
| Incident Response | IR-6 (2) | Vulnerabilities Related to Incidents | Subscriptions should have a contact email address for security issues | 1.0.1 |
| Incident Response | IR-7 | Incident Response Assistance | Document security operations | 1.1.0 |
| Incident Response | IR-7 (1) | Automation Support For Availability Of Information / Support | Develop an incident response plan | 1.1.0 |
| Incident Response | IR-7 (1) | Automation Support For Availability Of Information / Support | Enable network protection | 1.1.0 |
| Incident Response | IR-7 (1) | Automation Support For Availability Of Information / Support | Eradicate contaminated information | 1.1.0 |
| Incident Response | IR-7 (1) | Automation Support For Availability Of Information / Support | Execute actions in response to information spills | 1.1.0 |
| Incident Response | IR-7 (1) | Automation Support For Availability Of Information / Support | Implement incident handling | 1.1.0 |
| Incident Response | IR-7 (1) | Automation Support For Availability Of Information / Support | Perform a trend analysis on threats | 1.1.0 |
| Incident Response | IR-7 (1) | Automation Support For Availability Of Information / Support | View and investigate restricted users | 1.1.0 |
| Incident Response | IR-7 (2) | Coordination With External Providers | Establish relationship between incident response capability and external providers | 1.1.0 |
| Incident Response | IR-7 (2) | Coordination With External Providers | Identify incident response personnel | 1.1.0 |
| Incident Response | IR-8 | Incident Response Plan | Assess information security events | 1.1.0 |
| Incident Response | IR-8 | Incident Response Plan | Develop an incident response plan | 1.1.0 |
| Incident Response | IR-8 | Incident Response Plan | Implement incident handling | 1.1.0 |
| Incident Response | IR-8 | Incident Response Plan | Maintain data breach records | 1.1.0 |
| Incident Response | IR-8 | Incident Response Plan | Maintain incident response plan | 1.1.0 |
| Incident Response | IR-8 | Incident Response Plan | Protect incident response plan | 1.1.0 |
| Incident Response | IR-9 | Information Spillage Response | Alert personnel of information spillage | 1.1.0 |
| Incident Response | IR-9 | Information Spillage Response | Develop an incident response plan | 1.1.0 |
| Incident Response | IR-9 | Information Spillage Response | Eradicate contaminated information | 1.1.0 |
| Incident Response | IR-9 | Information Spillage Response | Execute actions in response to information spills | 1.1.0 |
| Incident Response | IR-9 | Information Spillage Response | Identify contaminated systems and components | 1.1.0 |
| Incident Response | IR-9 | Information Spillage Response | Identify spilled information | 1.1.0 |
| Incident Response | IR-9 | Information Spillage Response | Isolate information spills | 1.1.0 |
| Incident Response | IR-9 (1) | Responsible Personnel | Identify incident response personnel | 1.1.0 |
| Incident Response | IR-9 (2) | Training | Provide information spillage training | 1.1.0 |
| Incident Response | IR-9 (3) | Post-Spill Operations | Develop spillage response procedures | 1.1.0 |
| Incident Response | IR-9 (4) | Exposure To Unauthorized Personnel | Develop security safeguards | 1.1.0 |
| Maintenance | MA-1 | System Maintenance Policy And Procedures | Review and update system maintenance policies and procedures | 1.1.0 |
| Maintenance | MA-2 | Controlled Maintenance | Control maintenance and repair activities | 1.1.0 |
| Maintenance | MA-2 | Controlled Maintenance | Employ a media sanitization mechanism | 1.1.0 |
| Maintenance | MA-2 | Controlled Maintenance | Implement controls to secure all media | 1.1.0 |
| Maintenance | MA-2 | Controlled Maintenance | Manage nonlocal maintenance and diagnostic activities | 1.1.0 |
| Maintenance | MA-2 (2) | Automated Maintenance Activities | Automate remote maintenance activities | 1.1.0 |
| Maintenance | MA-2 (2) | Automated Maintenance Activities | Produce complete records of remote maintenance activities | 1.1.0 |
| Maintenance | MA-3 | Maintenance Tools | Control maintenance and repair activities | 1.1.0 |
| Maintenance | MA-3 | Maintenance Tools | Manage nonlocal maintenance and diagnostic activities | 1.1.0 |
| Maintenance | MA-3 (1) | Inspect Tools | Control maintenance and repair activities | 1.1.0 |
| Maintenance | MA-3 (1) | Inspect Tools | Manage nonlocal maintenance and diagnostic activities | 1.1.0 |
| Maintenance | MA-3 (2) | Inspect Media | Control maintenance and repair activities | 1.1.0 |
| Maintenance | MA-3 (2) | Inspect Media | Manage nonlocal maintenance and diagnostic activities | 1.1.0 |
| Maintenance | MA-3 (3) | Prevent Unauthorized Removal | Control maintenance and repair activities | 1.1.0 |
| Maintenance | MA-3 (3) | Prevent Unauthorized Removal | Employ a media sanitization mechanism | 1.1.0 |
| Maintenance | MA-3 (3) | Prevent Unauthorized Removal | Implement controls to secure all media | 1.1.0 |
| Maintenance | MA-3 (3) | Prevent Unauthorized Removal | Manage nonlocal maintenance and diagnostic activities | 1.1.0 |
| Maintenance | MA-4 | Nonlocal Maintenance | Manage nonlocal maintenance and diagnostic activities | 1.1.0 |
| Maintenance | MA-4 (2) | Document Nonlocal Maintenance | Manage nonlocal maintenance and diagnostic activities | 1.1.0 |
| Maintenance | MA-4 (3) | Comparable Security / Sanitization | Perform all non-local maintenance | 1.1.0 |
| Maintenance | MA-4 (6) | Cryptographic Protection | Implement cryptographic mechanisms | 1.1.0 |
| Maintenance | MA-5 | Maintenance Personnel | Designate personnel to supervise unauthorized maintenance activities | 1.1.0 |
| Maintenance | MA-5 | Maintenance Personnel | Maintain list of authorized remote maintenance personnel | 1.1.0 |
| Maintenance | MA-5 | Maintenance Personnel | Manage maintenance personnel | 1.1.0 |
| Maintenance | MA-5 (1) | Individuals Without Appropriate Access | Employ a media sanitization mechanism | 1.1.0 |
| Maintenance | MA-5 (1) | Individuals Without Appropriate Access | Implement controls to secure all media | 1.1.0 |
| Maintenance | MA-6 | Timely Maintenance | Provide timely maintenance support | 1.1.0 |
| Media Protection | MP-1 | Media Protection Policy And Procedures | Review and update media protection policies and procedures | 1.1.0 |
| Media Protection | MP-2 | Media Access | Implement controls to secure all media | 1.1.0 |
| Media Protection | MP-3 | Media Marking | Implement controls to secure all media | 1.1.0 |
| Media Protection | MP-4 | Media Storage | Employ a media sanitization mechanism | 1.1.0 |
| Media Protection | MP-4 | Media Storage | Implement controls to secure all media | 1.1.0 |
| Media Protection | MP-5 | Media Transport | Implement controls to secure all media | 1.1.0 |
| Media Protection | MP-5 | Media Transport | Manage the transportation of assets | 1.1.0 |
| Media Protection | MP-5 (4) | Cryptographic Protection | Implement controls to secure all media | 1.1.0 |
| Media Protection | MP-5 (4) | Cryptographic Protection | Manage the transportation of assets | 1.1.0 |
| Media Protection | MP-6 | Media Sanitization | Employ a media sanitization mechanism | 1.1.0 |
| Media Protection | MP-6 | Media Sanitization | Implement controls to secure all media | 1.1.0 |
| Media Protection | MP-6 (1) | Review / Approve / Track / Document / Verify | Employ a media sanitization mechanism | 1.1.0 |
| Media Protection | MP-6 (1) | Review / Approve / Track / Document / Verify | Implement controls to secure all media | 1.1.0 |
| Media Protection | MP-6 (2) | Equipment Testing | Employ a media sanitization mechanism | 1.1.0 |
| Media Protection | MP-6 (2) | Equipment Testing | Implement controls to secure all media | 1.1.0 |
| Media Protection | MP-7 | Media Use | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| Media Protection | MP-7 | Media Use | Control use of portable storage devices | 1.1.0 |
| Media Protection | MP-7 | Media Use | Implement controls to secure all media | 1.1.0 |
| Media Protection | MP-7 | Media Use | Restrict media use | 1.1.0 |
| Media Protection | MP-7 (1) | Prohibit Use Without Owner | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| Media Protection | MP-7 (1) | Prohibit Use Without Owner | Control use of portable storage devices | 1.1.0 |
| Media Protection | MP-7 (1) | Prohibit Use Without Owner | Implement controls to secure all media | 1.1.0 |
| Media Protection | MP-7 (1) | Prohibit Use Without Owner | Restrict media use | 1.1.0 |
| Physical And Environmental Protection | PE-1 | Physical And Environmental Protection Policy And Procedures | Review and update physical and environmental policies and procedures | 1.1.0 |
| Physical And Environmental Protection | PE-2 | Physical Access Authorizations | Control physical access | 1.1.0 |
| Physical And Environmental Protection | PE-3 | Physical Access Control | Control physical access | 1.1.0 |
| Physical And Environmental Protection | PE-3 | Physical Access Control | Define a physical key management process | 1.1.0 |
| Physical And Environmental Protection | PE-3 | Physical Access Control | Establish and maintain an asset inventory | 1.1.0 |
| Physical And Environmental Protection | PE-3 | Physical Access Control | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Physical And Environmental Protection | PE-4 | Access Control For Transmission Medium | Control physical access | 1.1.0 |
| Physical And Environmental Protection | PE-4 | Access Control For Transmission Medium | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Physical And Environmental Protection | PE-5 | Access Control For Output Devices | Control physical access | 1.1.0 |
| Physical And Environmental Protection | PE-5 | Access Control For Output Devices | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Physical And Environmental Protection | PE-5 | Access Control For Output Devices | Manage the input, output, processing, and storage of data | 1.1.0 |
| Physical And Environmental Protection | PE-6 (1) | Intrusion Alarms / Surveillance Equipment | Install an alarm system | 1.1.0 |
| Physical And Environmental Protection | PE-6 (1) | Intrusion Alarms / Surveillance Equipment | Manage a secure surveillance camera system | 1.1.0 |
| Physical And Environmental Protection | PE-8 | Visitor Access Records | Control physical access | 1.1.0 |
| Physical And Environmental Protection | PE-8 | Visitor Access Records | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Physical And Environmental Protection | PE-12 | Emergency Lighting | Employ automatic emergency lighting | 1.1.0 |
| Physical And Environmental Protection | PE-13 | Fire Protection | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Physical And Environmental Protection | PE-13 (1) | Detection Devices / Systems | Implement a penetration testing methodology | 1.1.0 |
| Physical And Environmental Protection | PE-13 (1) | Detection Devices / Systems | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Physical And Environmental Protection | PE-13 (1) | Detection Devices / Systems | Run simulation attacks | 1.1.0 |
| Physical And Environmental Protection | PE-13 (2) | Suppression Devices / Systems | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Physical And Environmental Protection | PE-13 (3) | Automatic Fire Suppression | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Physical And Environmental Protection | PE-14 | Temperature And Humidity Controls | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Physical And Environmental Protection | PE-14 (2) | Monitoring With Alarms / Notifications | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Physical And Environmental Protection | PE-14 (2) | Monitoring With Alarms / Notifications | Install an alarm system | 1.1.0 |
| Physical And Environmental Protection | PE-15 | Water Damage Protection | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Physical And Environmental Protection | PE-16 | Delivery And Removal | Define requirements for managing assets | 1.1.0 |
| Physical And Environmental Protection | PE-16 | Delivery And Removal | Manage the transportation of assets | 1.1.0 |
| Physical And Environmental Protection | PE-17 | Alternate Work Site | Implement controls to secure alternate work sites | 1.1.0 |
| Physical And Environmental Protection | PE-18 | Location Of Information System Components | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Planning | PL-1 | Security Planning Policy And Procedures | Review and update planning policies and procedures | 1.1.0 |
| Planning | PL-2 | System Security Plan | Develop and establish a system security plan | 1.1.0 |
| Planning | PL-2 | System Security Plan | Develop information security policies and procedures | 1.1.0 |
| Planning | PL-2 | System Security Plan | Develop SSP that meets criteria | 1.1.0 |
| Planning | PL-2 | System Security Plan | Establish a privacy program | 1.1.0 |
| Planning | PL-2 | System Security Plan | Establish security requirements for the manufacturing of connected devices | 1.1.0 |
| Planning | PL-2 | System Security Plan | Implement security engineering principles of information systems | 1.1.0 |
| Planning | PL-2 (3) | Plan / Coordinate With Other Organizational Entities | Develop and establish a system security plan | 1.1.0 |
| Planning | PL-2 (3) | Plan / Coordinate With Other Organizational Entities | Establish security requirements for the manufacturing of connected devices | 1.1.0 |
| Planning | PL-2 (3) | Plan / Coordinate With Other Organizational Entities | Implement security engineering principles of information systems | 1.1.0 |
| Planning | PL-4 | Rules Of Behavior | Develop acceptable use policies and procedures | 1.1.0 |
| Planning | PL-4 | Rules Of Behavior | Develop organization code of conduct policy | 1.1.0 |
| Planning | PL-4 | Rules Of Behavior | Document personnel acceptance of privacy requirements | 1.1.0 |
| Planning | PL-4 | Rules Of Behavior | Enforce rules of behavior and access agreements | 1.1.0 |
| Planning | PL-4 | Rules Of Behavior | Prohibit unfair practices | 1.1.0 |
| Planning | PL-4 | Rules Of Behavior | Review and sign revised rules of behavior | 1.1.0 |
| Planning | PL-4 | Rules Of Behavior | Update information security policies | 1.1.0 |
| Planning | PL-4 | Rules Of Behavior | Update rules of behavior and access agreements | 1.1.0 |
| Planning | PL-4 | Rules Of Behavior | Update rules of behavior and access agreements every 3 years | 1.1.0 |
| Planning | PL-4 (1) | Social Media And Networking Restrictions | Develop acceptable use policies and procedures | 1.1.0 |
| Planning | PL-8 | Information Security Architecture | Develop a concept of operations (CONOPS) | 1.1.0 |
| Planning | PL-8 | Information Security Architecture | Review and update the information security architecture | 1.1.0 |
| Personnel Security | PS-1 | Personnel Security Policy And Procedures | Review and update personnel security policies and procedures | 1.1.0 |
| Personnel Security | PS-2 | Position Risk Designation | Assign risk designations | 1.1.0 |
| Personnel Security | PS-3 | Personnel Screening | Clear personnel with access to classified information | 1.1.0 |
| Personnel Security | PS-3 | Personnel Screening | Implement personnel screening | 1.1.0 |
| Personnel Security | PS-3 | Personnel Screening | Rescreen individuals at a defined frequency | 1.1.0 |
| Personnel Security | PS-3 (3) | Information With Special Protection Measures | Protect special information | 1.1.0 |
| Personnel Security | PS-4 | Personnel Termination | Conduct exit interview upon termination | 1.1.0 |
| Personnel Security | PS-4 | Personnel Termination | Disable authenticators upon termination | 1.1.0 |
| Personnel Security | PS-4 | Personnel Termination | Notify upon termination or transfer | 1.1.0 |
| Personnel Security | PS-4 | Personnel Termination | Protect against and prevent data theft from departing employees | 1.1.0 |
| Personnel Security | PS-4 | Personnel Termination | Retain terminated user data | 1.1.0 |
| Personnel Security | PS-4 (2) | Automated Notification | Automate notification of employee termination | 1.1.0 |
| Personnel Security | PS-5 | Personnel Transfer | Initiate transfer or reassignment actions | 1.1.0 |
| Personnel Security | PS-5 | Personnel Transfer | Modify access authorizations upon personnel transfer | 1.1.0 |
| Personnel Security | PS-5 | Personnel Transfer | Notify upon termination or transfer | 1.1.0 |
| Personnel Security | PS-5 | Personnel Transfer | Reevaluate access upon personnel transfer | 1.1.0 |
| Personnel Security | PS-6 | Access Agreements | Document organizational access agreements | 1.1.0 |
| Personnel Security | PS-6 | Access Agreements | Enforce rules of behavior and access agreements | 1.1.0 |
| Personnel Security | PS-6 | Access Agreements | Ensure access agreements are signed or resigned timely | 1.1.0 |
| Personnel Security | PS-6 | Access Agreements | Require users to sign access agreement | 1.1.0 |
| Personnel Security | PS-6 | Access Agreements | Update organizational access agreements | 1.1.0 |
| Personnel Security | PS-7 | Third-Party Personnel Security | Document third-party personnel security requirements | 1.1.0 |
| Personnel Security | PS-7 | Third-Party Personnel Security | Establish third-party personnel security requirements | 1.1.0 |
| Personnel Security | PS-7 | Third-Party Personnel Security | Monitor third-party provider compliance | 1.1.0 |
| Personnel Security | PS-7 | Third-Party Personnel Security | Require notification of third-party personnel transfer or termination | 1.1.0 |
| Personnel Security | PS-7 | Third-Party Personnel Security | Require third-party providers to comply with personnel security policies and procedures | 1.1.0 |
| Personnel Security | PS-8 | Personnel Sanctions | Implement formal sanctions process | 1.1.0 |
| Personnel Security | PS-8 | Personnel Sanctions | Notify personnel upon sanctions | 1.1.0 |
| Risk Assessment | RA-1 | Risk Assessment Policy And Procedures | Review and update risk assessment policies and procedures | 1.1.0 |
| Risk Assessment | RA-2 | Security Categorization | Categorize information | 1.1.0 |
| Risk Assessment | RA-2 | Security Categorization | Develop business classification schemes | 1.1.0 |
| Risk Assessment | RA-2 | Security Categorization | Ensure security categorization is approved | 1.1.0 |
| Risk Assessment | RA-2 | Security Categorization | Review label activity and analytics | 1.1.0 |
| Risk Assessment | RA-3 | Risk Assessment | Conduct Risk Assessment | 1.1.0 |
| Risk Assessment | RA-3 | Risk Assessment | Conduct risk assessment and distribute its results | 1.1.0 |
| Risk Assessment | RA-3 | Risk Assessment | Conduct risk assessment and document its results | 1.1.0 |
| Risk Assessment | RA-3 | Risk Assessment | Perform a risk assessment | 1.1.0 |
| Risk Assessment | RA-5 | Vulnerability Scanning | Azure Defender for App Service should be enabled | 1.0.3 |
| Risk Assessment | RA-5 | Vulnerability Scanning | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Risk Assessment | RA-5 | Vulnerability Scanning | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Risk Assessment | RA-5 | Vulnerability Scanning | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| Risk Assessment | RA-5 | Vulnerability Scanning | Azure Defender for servers should be enabled | 1.0.3 |
| Risk Assessment | RA-5 | Vulnerability Scanning | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Risk Assessment | RA-5 | Vulnerability Scanning | Microsoft Defender for Containers should be enabled | 1.0.0 |
| Risk Assessment | RA-5 | Vulnerability Scanning | Microsoft Defender for Storage should be enabled | 1.0.0 |
| Risk Assessment | RA-5 | Vulnerability Scanning | Perform vulnerability scans | 1.1.0 |
| Risk Assessment | RA-5 | Vulnerability Scanning | Remediate information system flaws | 1.1.0 |
| Risk Assessment | RA-5 (1) | Update Tool Capability | Perform vulnerability scans | 1.1.0 |
| Risk Assessment | RA-5 (1) | Update Tool Capability | Remediate information system flaws | 1.1.0 |
| Risk Assessment | RA-5 (2) | Update By Frequency / Prior To New Scan / When Identified | Perform vulnerability scans | 1.1.0 |
| Risk Assessment | RA-5 (2) | Update By Frequency / Prior To New Scan / When Identified | Remediate information system flaws | 1.1.0 |
| Risk Assessment | RA-5 (3) | Breadth / Depth Of Coverage | Perform vulnerability scans | 1.1.0 |
| Risk Assessment | RA-5 (3) | Breadth / Depth Of Coverage | Remediate information system flaws | 1.1.0 |
| Risk Assessment | RA-5 (4) | Discoverable Information | Take action in response to customer information | 1.1.0 |
| Risk Assessment | RA-5 (5) | Privileged Access | Implement privileged access for executing vulnerability scanning activities | 1.1.0 |
| Risk Assessment | RA-5 (6) | Automated Trend Analyses | Observe and report security weaknesses | 1.1.0 |
| Risk Assessment | RA-5 (6) | Automated Trend Analyses | Perform a trend analysis on threats | 1.1.0 |
| Risk Assessment | RA-5 (6) | Automated Trend Analyses | Perform threat modeling | 1.1.0 |
| Risk Assessment | RA-5 (6) | Automated Trend Analyses | Perform vulnerability scans | 1.1.0 |
| Risk Assessment | RA-5 (6) | Automated Trend Analyses | Remediate information system flaws | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Audit privileged functions | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Audit user account status | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Correlate audit records | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Determine auditable events | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Establish requirements for audit review and reporting | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Integrate audit review, analysis, and reporting | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Integrate cloud app security with a siem | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Review account provisioning logs | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Review administrator assignments weekly | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Review audit data | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Review cloud identity report overview | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Review controlled folder access events | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Review exploit protection events | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Review file and folder activity | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Review role group changes weekly | 1.1.0 |
| Risk Assessment | RA-5 (10) | Correlate Scanning Information | Correlate Vulnerability scan information | 1.1.1 |
| System And Services Acquisition | SA-1 | System And Services Acquisition Policy And Procedures | Review and update system and services acquisition policies and procedures | 1.1.0 |
| System And Services Acquisition | SA-2 | Allocation Of Resources | Align business objectives and IT goals | 1.1.0 |
| System And Services Acquisition | SA-2 | Allocation Of Resources | Allocate resources in determining information system requirements | 1.1.0 |
| System And Services Acquisition | SA-2 | Allocation Of Resources | Establish a discrete line item in budgeting documentation | 1.1.0 |
| System And Services Acquisition | SA-2 | Allocation Of Resources | Establish a privacy program | 1.1.0 |
| System And Services Acquisition | SA-2 | Allocation Of Resources | Govern the allocation of resources | 1.1.0 |
| System And Services Acquisition | SA-2 | Allocation Of Resources | Secure commitment from leadership | 1.1.0 |
| System And Services Acquisition | SA-3 | System Development Life Cycle | Define information security roles and responsibilities | 1.1.0 |
| System And Services Acquisition | SA-3 | System Development Life Cycle | Identify individuals with security roles and responsibilities | 1.1.1 |
| System And Services Acquisition | SA-3 | System Development Life Cycle | Integrate risk management process into SDLC | 1.1.0 |
| System And Services Acquisition | SA-4 | Acquisition Process | Determine supplier contract obligations | 1.1.0 |
| System And Services Acquisition | SA-4 | Acquisition Process | Document acquisition contract acceptance criteria | 1.1.0 |
| System And Services Acquisition | SA-4 | Acquisition Process | Document protection of personal data in acquisition contracts | 1.1.0 |
| System And Services Acquisition | SA-4 | Acquisition Process | Document protection of security information in acquisition contracts | 1.1.0 |
| System And Services Acquisition | SA-4 | Acquisition Process | Document requirements for the use of shared data in contracts | 1.1.0 |
| System And Services Acquisition | SA-4 | Acquisition Process | Document security assurance requirements in acquisition contracts | 1.1.0 |
| System And Services Acquisition | SA-4 | Acquisition Process | Document security documentation requirements in acquisition contract | 1.1.0 |
| System And Services Acquisition | SA-4 | Acquisition Process | Document security functional requirements in acquisition contracts | 1.1.0 |
| System And Services Acquisition | SA-4 | Acquisition Process | Document security strength requirements in acquisition contracts | 1.1.0 |
| System And Services Acquisition | SA-4 | Acquisition Process | Document the information system environment in acquisition contracts | 1.1.0 |
| System And Services Acquisition | SA-4 | Acquisition Process | Document the protection of cardholder data in third party contracts | 1.1.0 |
| System And Services Acquisition | SA-4 (1) | Functional Properties Of Security Controls | Obtain functional properties of security controls | 1.1.0 |
| System And Services Acquisition | SA-4 (2) | Design / Implementation Information For Security Controls | Obtain design and implementation information for the security controls | 1.1.1 |
| System And Services Acquisition | SA-4 (8) | Continuous Monitoring Plan | Obtain continuous monitoring plan for security controls | 1.1.0 |
| System And Services Acquisition | SA-4 (9) | Functions / Ports / Protocols / Services In Use | Require developer to identify SDLC ports, protocols, and services | 1.1.0 |
| System And Services Acquisition | SA-4 (10) | Use Of Approved Piv Products | Employ FIPS 201-approved technology for PIV | 1.1.0 |
| System And Services Acquisition | SA-5 | Information System Documentation | Distribute information system documentation | 1.1.0 |
| System And Services Acquisition | SA-5 | Information System Documentation | Document customer-defined actions | 1.1.0 |
| System And Services Acquisition | SA-5 | Information System Documentation | Obtain Admin documentation | 1.1.0 |
| System And Services Acquisition | SA-5 | Information System Documentation | Obtain user security function documentation | 1.1.0 |
| System And Services Acquisition | SA-5 | Information System Documentation | Protect administrator and user documentation | 1.1.0 |
| System And Services Acquisition | SA-9 | External Information System Services | Define and document government oversight | 1.1.0 |
| System And Services Acquisition | SA-9 | External Information System Services | Require external service providers to comply with security requirements | 1.1.0 |
| System And Services Acquisition | SA-9 | External Information System Services | Review cloud service provider's compliance with policies and agreements | 1.1.0 |
| System And Services Acquisition | SA-9 | External Information System Services | Undergo independent security review | 1.1.0 |
| System And Services Acquisition | SA-9 (1) | Risk Assessments / Organizational Approvals | Assess risk in third party relationships | 1.1.0 |
| System And Services Acquisition | SA-9 (1) | Risk Assessments / Organizational Approvals | Obtain approvals for acquisitions and outsourcing | 1.1.0 |
| System And Services Acquisition | SA-9 (2) | Identification Of Functions / Ports / Protocols / Services | Identify external service providers | 1.1.0 |
| System And Services Acquisition | SA-9 (4) | Consistent Interests Of Consumers And Providers | Ensure external providers consistently meet interests of the customers | 1.1.0 |
| System And Services Acquisition | SA-9 (5) | Processing, Storage, And Service Location | Restrict location of information processing, storage and services | 1.1.0 |
| System And Services Acquisition | SA-10 | Developer Configuration Management | Address coding vulnerabilities | 1.1.0 |
| System And Services Acquisition | SA-10 | Developer Configuration Management | Develop and document application security requirements | 1.1.0 |
| System And Services Acquisition | SA-10 | Developer Configuration Management | Document the information system environment in acquisition contracts | 1.1.0 |
| System And Services Acquisition | SA-10 | Developer Configuration Management | Establish a secure software development program | 1.1.0 |
| System And Services Acquisition | SA-10 | Developer Configuration Management | Perform vulnerability scans | 1.1.0 |
| System And Services Acquisition | SA-10 | Developer Configuration Management | Remediate information system flaws | 1.1.0 |
| System And Services Acquisition | SA-10 | Developer Configuration Management | Require developers to document approved changes and potential impact | 1.1.0 |
| System And Services Acquisition | SA-10 | Developer Configuration Management | Require developers to implement only approved changes | 1.1.0 |
| System And Services Acquisition | SA-10 | Developer Configuration Management | Require developers to manage change integrity | 1.1.0 |
| System And Services Acquisition | SA-10 (1) | Software / Firmware Integrity Verification | Verify software, firmware and information integrity | 1.1.0 |
| System And Services Acquisition | SA-11 | Developer Security Testing And Evaluation | Perform vulnerability scans | 1.1.0 |
| System And Services Acquisition | SA-11 | Developer Security Testing And Evaluation | Remediate information system flaws | 1.1.0 |
| System And Services Acquisition | SA-11 | Developer Security Testing And Evaluation | Require developers to produce evidence of security assessment plan execution | 1.1.0 |
| System And Services Acquisition | SA-12 | Supply Chain Protection | Assess risk in third party relationships | 1.1.0 |
| System And Services Acquisition | SA-12 | Supply Chain Protection | Define requirements for supplying goods and services | 1.1.0 |
| System And Services Acquisition | SA-12 | Supply Chain Protection | Determine supplier contract obligations | 1.1.0 |
| System And Services Acquisition | SA-12 | Supply Chain Protection | Establish policies for supply chain risk management | 1.1.0 |
| System And Services Acquisition | SA-15 | Development Process, Standards, And Tools | Review development process, standards and tools | 1.1.0 |
| System And Services Acquisition | SA-16 | Developer-Provided Training | Require developers to provide training | 1.1.0 |
| System And Services Acquisition | SA-17 | Developer Security Architecture And Design | Require developers to build security architecture | 1.1.0 |
| System And Services Acquisition | SA-17 | Developer Security Architecture And Design | Require developers to describe accurate security functionality | 1.1.0 |
| System And Services Acquisition | SA-17 | Developer Security Architecture And Design | Require developers to provide unified security protection approach | 1.1.0 |
| System And Communications Protection | SC-1 | System And Communications Protection Policy And Procedures | Review and update system and communications protection policies and procedures | 1.1.0 |
| System And Communications Protection | SC-2 | Application Partitioning | Authorize remote access | 1.1.0 |
| System And Communications Protection | SC-2 | Application Partitioning | Separate user and information system management functionality | 1.1.0 |
| System And Communications Protection | SC-2 | Application Partitioning | Use dedicated machines for administrative tasks | 1.1.0 |
| System And Communications Protection | SC-3 | Security Function Isolation | Azure Defender for servers should be enabled | 1.0.3 |
| System And Communications Protection | SC-5 | Denial Of Service Protection | Develop and document a DDoS response plan | 1.1.0 |
| System And Communications Protection | SC-6 | Resource Availability | Govern the allocation of resources | 1.1.0 |
| System And Communications Protection | SC-6 | Resource Availability | Manage availability and capacity | 1.1.0 |
| System And Communications Protection | SC-6 | Resource Availability | Secure commitment from leadership | 1.1.0 |
| System And Communications Protection | SC-7 | Boundary Protection | Implement system boundary protection | 1.1.0 |
| System And Communications Protection | SC-7 (4) | External Telecommunications Services | Implement managed interface for each external service | 1.1.0 |
| System And Communications Protection | SC-7 (4) | External Telecommunications Services | Implement system boundary protection | 1.1.0 |
| System And Communications Protection | SC-7 (4) | External Telecommunications Services | Secure the interface to external systems | 1.1.0 |
| System And Communications Protection | SC-7 (7) | Prevent Split Tunneling For Remote Devices | Prevent split tunneling for remote devices | 1.1.0 |
| System And Communications Protection | SC-7 (8) | Route Traffic To Authenticated Proxy Servers | Route traffic through authenticated proxy network | 1.1.0 |
| System And Communications Protection | SC-7 (12) | Host-Based Protection | Implement system boundary protection | 1.1.0 |
| System And Communications Protection | SC-7 (13) | Isolation Of Security Tools / Mechanisms / Support Components | Isolate SecurID systems, Security Incident Management systems | 1.1.0 |
| System And Communications Protection | SC-7 (18) | Fail Secure | Implement system boundary protection | 1.1.0 |
| System And Communications Protection | SC-7 (18) | Fail Secure | Manage transfers between standby and active system components | 1.1.0 |
| System And Communications Protection | SC-7 (20) | Dynamic Isolation / Segregation | Ensure system capable of dynamic isolation of resources | 1.1.0 |
| System And Communications Protection | SC-7 (21) | Isolation Of Information System Components | Employ boundary protection to isolate information systems | 1.1.0 |
| System And Communications Protection | SC-8 | Transmission Confidentiality And Integrity | Protect data in transit using encryption | 1.1.0 |
| System And Communications Protection | SC-8 | Transmission Confidentiality And Integrity | Protect passwords with encryption | 1.1.0 |
| System And Communications Protection | SC-8 (1) | Cryptographic Or Alternate Physical Protection | Configure workstations to check for digital certificates | 1.1.0 |
| System And Communications Protection | SC-10 | Network Disconnect | Reauthenticate or terminate a user session | 1.1.0 |
| System And Communications Protection | SC-12 | Cryptographic Key Establishment And Management | Define a physical key management process | 1.1.0 |
| System And Communications Protection | SC-12 | Cryptographic Key Establishment And Management | Define cryptographic use | 1.1.0 |
| System And Communications Protection | SC-12 | Cryptographic Key Establishment And Management | Define organizational requirements for cryptographic key management | 1.1.0 |
| System And Communications Protection | SC-12 | Cryptographic Key Establishment And Management | Determine assertion requirements | 1.1.0 |
| System And Communications Protection | SC-12 | Cryptographic Key Establishment And Management | Issue public key certificates | 1.1.0 |
| System And Communications Protection | SC-12 | Cryptographic Key Establishment And Management | Manage symmetric cryptographic keys | 1.1.0 |
| System And Communications Protection | SC-12 | Cryptographic Key Establishment And Management | Restrict access to private keys | 1.1.0 |
| System And Communications Protection | SC-12 (1) | Availability | Maintain availability of information | 1.1.0 |
| System And Communications Protection | SC-12 (2) | Symmetric Keys | Produce, control and distribute symmetric cryptographic keys | 1.1.0 |
| System And Communications Protection | SC-12 (3) | Asymmetric Keys | Produce, control and distribute asymmetric cryptographic keys | 1.1.0 |
| System And Communications Protection | SC-13 | Cryptographic Protection | Define cryptographic use | 1.1.0 |
| System And Communications Protection | SC-15 | Collaborative Computing Devices | Explicitly notify use of collaborative computing devices | 1.1.1 |
| System And Communications Protection | SC-15 | Collaborative Computing Devices | Prohibit remote activation of collaborative computing devices | 1.1.0 |
| System And Communications Protection | SC-17 | Public Key Infrastructure Certificates | Issue public key certificates | 1.1.0 |
| System And Communications Protection | SC-18 | Mobile Code | Authorize, monitor, and control usage of mobile code technologies | 1.1.0 |
| System And Communications Protection | SC-18 | Mobile Code | Define acceptable and unacceptable mobile code technologies | 1.1.0 |
| System And Communications Protection | SC-18 | Mobile Code | Establish usage restrictions for mobile code technologies | 1.1.0 |
| System And Communications Protection | SC-19 | Voice Over Internet Protocol | Authorize, monitor, and control voip | 1.1.0 |
| System And Communications Protection | SC-19 | Voice Over Internet Protocol | Establish voip usage restrictions | 1.1.0 |
| System And Communications Protection | SC-20 | Secure Name /Address Resolution Service (Authoritative Source) | Implement a fault tolerant name/address service | 1.1.0 |
| System And Communications Protection | SC-20 | Secure Name /Address Resolution Service (Authoritative Source) | Provide secure name and address resolution services | 1.1.0 |
| System And Communications Protection | SC-21 | Secure Name /Address Resolution Service (Recursive Or Caching Resolver) | Implement a fault tolerant name/address service | 1.1.0 |
| System And Communications Protection | SC-21 | Secure Name /Address Resolution Service (Recursive Or Caching Resolver) | Verify software, firmware and information integrity | 1.1.0 |
| System And Communications Protection | SC-22 | Architecture And Provisioning For Name/Address Resolution Service | Implement a fault tolerant name/address service | 1.1.0 |
| System And Communications Protection | SC-23 | Session Authenticity | Configure workstations to check for digital certificates | 1.1.0 |
| System And Communications Protection | SC-23 | Session Authenticity | Enforce random unique session identifiers | 1.1.0 |
| System And Communications Protection | SC-23 (1) | Invalidate Session Identifiers At Logout | Invalidate session identifiers at logout | 1.1.0 |
| System And Communications Protection | SC-24 | Fail In Known State | Ensure information system fails in known state | 1.1.0 |
| System And Communications Protection | SC-28 | Protection Of Information At Rest | Establish a data leakage management procedure | 1.1.0 |
| System And Communications Protection | SC-28 | Protection Of Information At Rest | Protect special information | 1.1.0 |
| System And Communications Protection | SC-28 (1) | Cryptographic Protection | Implement controls to secure all media | 1.1.0 |
| System And Communications Protection | SC-28 (1) | Cryptographic Protection | Protect data in transit using encryption | 1.1.0 |
| System And Communications Protection | SC-39 | Process Isolation | Maintain separate execution domains for running processes | 1.1.0 |
| System And Information Integrity | SI-1 | System And Information Integrity Policy And Procedures | Review and update information integrity policies and procedures | 1.1.0 |
| System And Information Integrity | SI-2 | Flaw Remediation | Azure Defender for App Service should be enabled | 1.0.3 |
| System And Information Integrity | SI-2 | Flaw Remediation | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| System And Information Integrity | SI-2 | Flaw Remediation | Azure Defender for Key Vault should be enabled | 1.0.3 |
| System And Information Integrity | SI-2 | Flaw Remediation | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| System And Information Integrity | SI-2 | Flaw Remediation | Azure Defender for servers should be enabled | 1.0.3 |
| System And Information Integrity | SI-2 | Flaw Remediation | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| System And Information Integrity | SI-2 | Flaw Remediation | Incorporate flaw remediation into configuration management | 1.1.0 |
| System And Information Integrity | SI-2 | Flaw Remediation | Microsoft Defender for Containers should be enabled | 1.0.0 |
| System And Information Integrity | SI-2 | Flaw Remediation | Microsoft Defender for Storage should be enabled | 1.0.0 |
| System And Information Integrity | SI-2 | Flaw Remediation | Remediate information system flaws | 1.1.0 |
| System And Information Integrity | SI-2 (2) | Automated Flaw Remediation Status | Automate flaw remediation | 1.1.0 |
| System And Information Integrity | SI-2 (2) | Automated Flaw Remediation Status | Remediate information system flaws | 1.1.0 |
| System And Information Integrity | SI-2 (3) | Time To Remediate Flaws / Benchmarks For Corrective Actions | Establish benchmarks for flaw remediation | 1.1.0 |
| System And Information Integrity | SI-2 (3) | Time To Remediate Flaws / Benchmarks For Corrective Actions | Measure the time between flaw identification and flaw remediation | 1.1.0 |
| System And Information Integrity | SI-3 | Malicious Code Protection | Azure Defender for servers should be enabled | 1.0.3 |
| System And Information Integrity | SI-3 | Malicious Code Protection | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| System And Information Integrity | SI-3 | Malicious Code Protection | Manage gateways | 1.1.0 |
| System And Information Integrity | SI-3 | Malicious Code Protection | Perform a trend analysis on threats | 1.1.0 |
| System And Information Integrity | SI-3 | Malicious Code Protection | Perform vulnerability scans | 1.1.0 |
| System And Information Integrity | SI-3 | Malicious Code Protection | Review malware detections report weekly | 1.1.0 |
| System And Information Integrity | SI-3 | Malicious Code Protection | Review threat protection status weekly | 1.1.0 |
| System And Information Integrity | SI-3 | Malicious Code Protection | Update antivirus definitions | 1.1.0 |
| System And Information Integrity | SI-3 (1) | Central Management | Azure Defender for servers should be enabled | 1.0.3 |
| System And Information Integrity | SI-3 (1) | Central Management | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| System And Information Integrity | SI-3 (1) | Central Management | Manage gateways | 1.1.0 |
| System And Information Integrity | SI-3 (1) | Central Management | Perform a trend analysis on threats | 1.1.0 |
| System And Information Integrity | SI-3 (1) | Central Management | Perform vulnerability scans | 1.1.0 |
| System And Information Integrity | SI-3 (1) | Central Management | Review malware detections report weekly | 1.1.0 |
| System And Information Integrity | SI-3 (1) | Central Management | Update antivirus definitions | 1.1.0 |
| System And Information Integrity | SI-3 (2) | Automatic Updates | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| System And Information Integrity | SI-3 (2) | Automatic Updates | Manage gateways | 1.1.0 |
| System And Information Integrity | SI-3 (2) | Automatic Updates | Perform a trend analysis on threats | 1.1.0 |
| System And Information Integrity | SI-3 (2) | Automatic Updates | Perform vulnerability scans | 1.1.0 |
| System And Information Integrity | SI-3 (2) | Automatic Updates | Review malware detections report weekly | 1.1.0 |
| System And Information Integrity | SI-3 (2) | Automatic Updates | Update antivirus definitions | 1.1.0 |
| System And Information Integrity | SI-3 (7) | Nonsignature-Based Detection | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| System And Information Integrity | SI-3 (7) | Nonsignature-Based Detection | Manage gateways | 1.1.0 |
| System And Information Integrity | SI-3 (7) | Nonsignature-Based Detection | Perform a trend analysis on threats | 1.1.0 |
| System And Information Integrity | SI-3 (7) | Nonsignature-Based Detection | Perform vulnerability scans | 1.1.0 |
| System And Information Integrity | SI-3 (7) | Nonsignature-Based Detection | Review malware detections report weekly | 1.1.0 |
| System And Information Integrity | SI-3 (7) | Nonsignature-Based Detection | Update antivirus definitions | 1.1.0 |
| System And Information Integrity | SI-4 | Information System Monitoring | Auto provisioning of the Log Analytics agent should be enabled on your subscription | 1.0.1 |
| System And Information Integrity | SI-4 | Information System Monitoring | Azure Defender for App Service should be enabled | 1.0.3 |
| System And Information Integrity | SI-4 | Information System Monitoring | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| System And Information Integrity | SI-4 | Information System Monitoring | Azure Defender for Key Vault should be enabled | 1.0.3 |
| System And Information Integrity | SI-4 | Information System Monitoring | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| System And Information Integrity | SI-4 | Information System Monitoring | Azure Defender for servers should be enabled | 1.0.3 |
| System And Information Integrity | SI-4 | Information System Monitoring | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| System And Information Integrity | SI-4 | Information System Monitoring | Microsoft Defender for Containers should be enabled | 1.0.0 |
| System And Information Integrity | SI-4 | Information System Monitoring | Microsoft Defender for Storage should be enabled | 1.0.0 |
| System And Information Integrity | SI-4 | Information System Monitoring | Obtain legal opinion for monitoring system activities | 1.1.0 |
| System And Information Integrity | SI-4 | Information System Monitoring | Perform a trend analysis on threats | 1.1.0 |
| System And Information Integrity | SI-4 | Information System Monitoring | Provide monitoring information as needed | 1.1.0 |
| System And Information Integrity | SI-4 (2) | Automated Tools For Real-Time Analysis | Document security operations | 1.1.0 |
| System And Information Integrity | SI-4 (2) | Automated Tools For Real-Time Analysis | Turn on sensors for endpoint security solution | 1.1.0 |
| System And Information Integrity | SI-4 (4) | Inbound And Outbound Communications Traffic | Authorize, monitor, and control voip | 1.1.0 |
| System And Information Integrity | SI-4 (4) | Inbound And Outbound Communications Traffic | Implement system boundary protection | 1.1.0 |
| System And Information Integrity | SI-4 (4) | Inbound And Outbound Communications Traffic | Manage gateways | 1.1.0 |
| System And Information Integrity | SI-4 (4) | Inbound And Outbound Communications Traffic | Route traffic through managed network access points | 1.1.0 |
| System And Information Integrity | SI-4 (5) | System-Generated Alerts | Alert personnel of information spillage | 1.1.0 |
| System And Information Integrity | SI-4 (5) | System-Generated Alerts | Develop an incident response plan | 1.1.0 |
| System And Information Integrity | SI-4 (5) | System-Generated Alerts | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| System And Information Integrity | SI-4 (12) | Automated Alerts | Email notification for high severity alerts should be enabled | 1.1.0 |
| System And Information Integrity | SI-4 (12) | Automated Alerts | Email notification to subscription owner for high severity alerts should be enabled | 2.1.0 |
| System And Information Integrity | SI-4 (12) | Automated Alerts | Subscriptions should have a contact email address for security issues | 1.0.1 |
| System And Information Integrity | SI-4 (14) | Wireless Intrusion Detection | Document wireless access security controls | 1.1.0 |
| System And Information Integrity | SI-4 (22) | Unauthorized Network Services | Detect network services that have not been authorized or approved | 1.1.0 |
| System And Information Integrity | SI-4 (24) | Indicators Of Compromise | Discover any indicators of compromise | 1.1.0 |
| System And Information Integrity | SI-5 | Security Alerts, Advisories, And Directives | Disseminate security alerts to personnel | 1.1.0 |
| System And Information Integrity | SI-5 | Security Alerts, Advisories, And Directives | Establish a threat intelligence program | 1.1.0 |
| System And Information Integrity | SI-5 | Security Alerts, Advisories, And Directives | Generate internal security alerts | 1.1.0 |
| System And Information Integrity | SI-5 | Security Alerts, Advisories, And Directives | Implement security directives | 1.1.0 |
| System And Information Integrity | SI-5 (1) | Automated Alerts And Advisories | Use automated mechanisms for security alerts | 1.1.0 |
| System And Information Integrity | SI-6 | Security Function Verification | Create alternative actions for identified anomalies | 1.1.0 |
| System And Information Integrity | SI-6 | Security Function Verification | Notify personnel of any failed security verification tests | 1.1.0 |
| System And Information Integrity | SI-6 | Security Function Verification | Perform security function verification at a defined frequency | 1.1.0 |
| System And Information Integrity | SI-6 | Security Function Verification | Verify security functions | 1.1.0 |
| System And Information Integrity | SI-7 | Software, Firmware, And Information Integrity | Verify software, firmware and information integrity | 1.1.0 |
| System And Information Integrity | SI-7 (1) | Integrity Checks | Verify software, firmware and information integrity | 1.1.0 |
| System And Information Integrity | SI-7 (1) | Integrity Checks | View and configure system diagnostic data | 1.1.0 |
| System And Information Integrity | SI-7 (5) | Automated Response To Integrity Violations | Employ automatic shutdown/restart when violations are detected | 1.1.0 |
| System And Information Integrity | SI-7 (14) | Binary Or Machine Executable Code | Prohibit binary/machine-executable code | 1.1.0 |
| System And Information Integrity | SI-10 | Information Input Validation | Perform information input validation | 1.1.0 |
| System And Information Integrity | SI-11 | Error Handling | Generate error messages | 1.1.0 |
| System And Information Integrity | SI-11 | Error Handling | Reveal error messages | 1.1.0 |
| System And Information Integrity | SI-12 | Information Handling And Retention | Control physical access | 1.1.0 |
| System And Information Integrity | SI-12 | Information Handling And Retention | Manage the input, output, processing, and storage of data | 1.1.0 |
| System And Information Integrity | SI-12 | Information Handling And Retention | Review label activity and analytics | 1.1.0 |
| System And Information Integrity | SI-16 | Memory Protection | Azure Defender for servers should be enabled | 1.0.3 |
NIST SP 800-53 Rev. 5
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - NIST SP 800-53 Rev. 5. For more information about this compliance standard, see NIST SP 800-53 Rev. 5.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | AC-1 | Policy and Procedures | Develop access control policies and procedures | 1.1.0 |
| Access Control | AC-1 | Policy and Procedures | Enforce mandatory and discretionary access control policies | 1.1.0 |
| Access Control | AC-1 | Policy and Procedures | Govern policies and procedures | 1.1.0 |
| Access Control | AC-1 | Policy and Procedures | Review access control policies and procedures | 1.1.0 |
| Access Control | AC-2 | Account Management | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| Access Control | AC-2 | Account Management | Assign account managers | 1.1.0 |
| Access Control | AC-2 | Account Management | Audit user account status | 1.1.0 |
| Access Control | AC-2 | Account Management | Blocked accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| Access Control | AC-2 | Account Management | Blocked accounts with read and write permissions on Azure resources should be removed | 1.0.0 |
| Access Control | AC-2 | Account Management | Define and enforce conditions for shared and group accounts | 1.1.0 |
| Access Control | AC-2 | Account Management | Define information system account types | 1.1.0 |
| Access Control | AC-2 | Account Management | Document access privileges | 1.1.0 |
| Access Control | AC-2 | Account Management | Establish conditions for role membership | 1.1.0 |
| Access Control | AC-2 | Account Management | Guest accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| Access Control | AC-2 | Account Management | Guest accounts with read permissions on Azure resources should be removed | 1.0.0 |
| Access Control | AC-2 | Account Management | Guest accounts with write permissions on Azure resources should be removed | 1.0.0 |
| Access Control | AC-2 | Account Management | Monitor account activity | 1.1.0 |
| Access Control | AC-2 | Account Management | Notify Account Managers of customer controlled accounts | 1.1.0 |
| Access Control | AC-2 | Account Management | Reissue authenticators for changed groups and accounts | 1.1.0 |
| Access Control | AC-2 | Account Management | Require approval for account creation | 1.1.0 |
| Access Control | AC-2 | Account Management | Restrict access to privileged accounts | 1.1.0 |
| Access Control | AC-2 | Account Management | Review account provisioning logs | 1.1.0 |
| Access Control | AC-2 | Account Management | Review user accounts | 1.1.0 |
| Access Control | AC-2 (1) | Automated System Account Management | Automate account management | 1.1.0 |
| Access Control | AC-2 (1) | Automated System Account Management | Manage system and admin accounts | 1.1.0 |
| Access Control | AC-2 (1) | Automated System Account Management | Monitor access across the organization | 1.1.0 |
| Access Control | AC-2 (1) | Automated System Account Management | Notify when account is not needed | 1.1.0 |
| Access Control | AC-2 (3) | Disable Accounts | Disable authenticators upon termination | 1.1.0 |
| Access Control | AC-2 (3) | Disable Accounts | Revoke privileged roles as appropriate | 1.1.0 |
| Access Control | AC-2 (4) | Automated Audit Actions | Audit user account status | 1.1.0 |
| Access Control | AC-2 (4) | Automated Audit Actions | Automate account management | 1.1.0 |
| Access Control | AC-2 (4) | Automated Audit Actions | Manage system and admin accounts | 1.1.0 |
| Access Control | AC-2 (4) | Automated Audit Actions | Monitor access across the organization | 1.1.0 |
| Access Control | AC-2 (4) | Automated Audit Actions | Notify when account is not needed | 1.1.0 |
| Access Control | AC-2 (5) | Inactivity Logout | Define and enforce inactivity log policy | 1.1.0 |
| Access Control | AC-2 (7) | Privileged User Accounts | Audit privileged functions | 1.1.0 |
| Access Control | AC-2 (7) | Privileged User Accounts | Monitor account activity | 1.1.0 |
| Access Control | AC-2 (7) | Privileged User Accounts | Monitor privileged role assignment | 1.1.0 |
| Access Control | AC-2 (7) | Privileged User Accounts | Restrict access to privileged accounts | 1.1.0 |
| Access Control | AC-2 (7) | Privileged User Accounts | Revoke privileged roles as appropriate | 1.1.0 |
| Access Control | AC-2 (7) | Privileged User Accounts | Use privileged identity management | 1.1.0 |
| Access Control | AC-2 (9) | Restrictions on Use of Shared and Group Accounts | Define and enforce conditions for shared and group accounts | 1.1.0 |
| Access Control | AC-2 (11) | Usage Conditions | Enforce appropriate usage of all accounts | 1.1.0 |
| Access Control | AC-2 (12) | Account Monitoring for Atypical Usage | Azure Defender for App Service should be enabled | 1.0.3 |
| Access Control | AC-2 (12) | Account Monitoring for Atypical Usage | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Access Control | AC-2 (12) | Account Monitoring for Atypical Usage | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Access Control | AC-2 (12) | Account Monitoring for Atypical Usage | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| Access Control | AC-2 (12) | Account Monitoring for Atypical Usage | Azure Defender for servers should be enabled | 1.0.3 |
| Access Control | AC-2 (12) | Account Monitoring for Atypical Usage | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Access Control | AC-2 (12) | Account Monitoring for Atypical Usage | Microsoft Defender for Containers should be enabled | 1.0.0 |
| Access Control | AC-2 (12) | Account Monitoring for Atypical Usage | Microsoft Defender for Storage should be enabled | 1.0.0 |
| Access Control | AC-2 (12) | Account Monitoring for Atypical Usage | Monitor account activity | 1.1.0 |
| Access Control | AC-2 (12) | Account Monitoring for Atypical Usage | Report atypical behavior of user accounts | 1.1.0 |
| Access Control | AC-2 (13) | Disable Accounts for High-risk Individuals | Disable user accounts posing a significant risk | 1.1.0 |
| Access Control | AC-3 | Access Enforcement | Accounts with owner permissions on Azure resources should be MFA enabled | 1.0.0 |
| Access Control | AC-3 | Access Enforcement | Accounts with read permissions on Azure resources should be MFA enabled | 1.0.0 |
| Access Control | AC-3 | Access Enforcement | Accounts with write permissions on Azure resources should be MFA enabled | 1.0.0 |
| Access Control | AC-3 | Access Enforcement | Authorize access to security functions and information | 1.1.0 |
| Access Control | AC-3 | Access Enforcement | Authorize and manage access | 1.1.0 |
| Access Control | AC-3 | Access Enforcement | Enforce logical access | 1.1.0 |
| Access Control | AC-3 | Access Enforcement | Enforce mandatory and discretionary access control policies | 1.1.0 |
| Access Control | AC-3 | Access Enforcement | Require approval for account creation | 1.1.0 |
| Access Control | AC-3 | Access Enforcement | Review user groups and applications with access to sensitive data | 1.1.0 |
| Access Control | AC-4 | Information Flow Enforcement | Control information flow | 1.1.0 |
| Access Control | AC-4 | Information Flow Enforcement | Employ flow control mechanisms of encrypted information | 1.1.0 |
| Access Control | AC-4 (8) | Security and Privacy Policy Filters | Information flow control using security policy filters | 1.1.0 |
| Access Control | AC-4 (21) | Physical or Logical Separation of Information Flows | Control information flow | 1.1.0 |
| Access Control | AC-4 (21) | Physical or Logical Separation of Information Flows | Establish firewall and router configuration standards | 1.1.0 |
| Access Control | AC-4 (21) | Physical or Logical Separation of Information Flows | Establish network segmentation for card holder data environment | 1.1.0 |
| Access Control | AC-4 (21) | Physical or Logical Separation of Information Flows | Identify and manage downstream information exchanges | 1.1.0 |
| Access Control | AC-5 | Separation of Duties | Define access authorizations to support separation of duties | 1.1.0 |
| Access Control | AC-5 | Separation of Duties | Document separation of duties | 1.1.0 |
| Access Control | AC-5 | Separation of Duties | Separate duties of individuals | 1.1.0 |
| Access Control | AC-5 | Separation of Duties | There should be more than one owner assigned to your subscription | 3.0.0 |
| Access Control | AC-6 | Least Privilege | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| Access Control | AC-6 | Least Privilege | Design an access control model | 1.1.0 |
| Access Control | AC-6 | Least Privilege | Employ least privilege access | 1.1.0 |
| Access Control | AC-6 (1) | Authorize Access to Security Functions | Authorize access to security functions and information | 1.1.0 |
| Access Control | AC-6 (1) | Authorize Access to Security Functions | Authorize and manage access | 1.1.0 |
| Access Control | AC-6 (1) | Authorize Access to Security Functions | Enforce mandatory and discretionary access control policies | 1.1.0 |
| Access Control | AC-6 (5) | Privileged Accounts | Restrict access to privileged accounts | 1.1.0 |
| Access Control | AC-6 (7) | Review of User Privileges | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| Access Control | AC-6 (7) | Review of User Privileges | Reassign or remove user privileges as needed | 1.1.0 |
| Access Control | AC-6 (7) | Review of User Privileges | Review user privileges | 1.1.0 |
| Access Control | AC-6 (8) | Privilege Levels for Code Execution | Enforce software execution privileges | 1.1.0 |
| Access Control | AC-6 (9) | Log Use of Privileged Functions | Audit privileged functions | 1.1.0 |
| Access Control | AC-6 (9) | Log Use of Privileged Functions | Conduct a full text analysis of logged privileged commands | 1.1.0 |
| Access Control | AC-6 (9) | Log Use of Privileged Functions | Monitor privileged role assignment | 1.1.0 |
| Access Control | AC-6 (9) | Log Use of Privileged Functions | Restrict access to privileged accounts | 1.1.0 |
| Access Control | AC-6 (9) | Log Use of Privileged Functions | Revoke privileged roles as appropriate | 1.1.0 |
| Access Control | AC-6 (9) | Log Use of Privileged Functions | Use privileged identity management | 1.1.0 |
| Access Control | AC-7 | Unsuccessful Logon Attempts | Enforce a limit of consecutive failed login attempts | 1.1.0 |
| Access Control | AC-10 | Concurrent Session Control | Define and enforce the limit of concurrent sessions | 1.1.0 |
| Access Control | AC-12 | Session Termination | Terminate user session automatically | 1.1.0 |
| Access Control | AC-12 (1) | User-initiated Logouts | Display an explicit logout message | 1.1.0 |
| Access Control | AC-12 (1) | User-initiated Logouts | Provide the logout capability | 1.1.0 |
| Access Control | AC-14 | Permitted Actions Without Identification or Authentication | Identify actions allowed without authentication | 1.1.0 |
| Access Control | AC-17 | Remote Access | Authorize remote access | 1.1.0 |
| Access Control | AC-17 | Remote Access | Document mobility training | 1.1.0 |
| Access Control | AC-17 | Remote Access | Document remote access guidelines | 1.1.0 |
| Access Control | AC-17 | Remote Access | Implement controls to secure alternate work sites | 1.1.0 |
| Access Control | AC-17 | Remote Access | Provide privacy training | 1.1.0 |
| Access Control | AC-17 (1) | Monitoring and Control | Monitor access across the organization | 1.1.0 |
| Access Control | AC-17 (2) | Protection of Confidentiality and Integrity Using Encryption | Notify users of system logon or access | 1.1.0 |
| Access Control | AC-17 (2) | Protection of Confidentiality and Integrity Using Encryption | Protect data in transit using encryption | 1.1.0 |
| Access Control | AC-17 (3) | Managed Access Control Points | Route traffic through managed network access points | 1.1.0 |
| Access Control | AC-17 (4) | Privileged Commands and Access | Authorize remote access | 1.1.0 |
| Access Control | AC-17 (4) | Privileged Commands and Access | Authorize remote access to privileged commands | 1.1.0 |
| Access Control | AC-17 (4) | Privileged Commands and Access | Document remote access guidelines | 1.1.0 |
| Access Control | AC-17 (4) | Privileged Commands and Access | Implement controls to secure alternate work sites | 1.1.0 |
| Access Control | AC-17 (4) | Privileged Commands and Access | Provide privacy training | 1.1.0 |
| Access Control | AC-17 (9) | Disconnect or Disable Access | Provide capability to disconnect or disable remote access | 1.1.0 |
| Access Control | AC-18 | Wireless Access | Document and implement wireless access guidelines | 1.1.0 |
| Access Control | AC-18 | Wireless Access | Protect wireless access | 1.1.0 |
| Access Control | AC-18 (1) | Authentication and Encryption | Document and implement wireless access guidelines | 1.1.0 |
| Access Control | AC-18 (1) | Authentication and Encryption | Identify and authenticate network devices | 1.1.0 |
| Access Control | AC-18 (1) | Authentication and Encryption | Protect wireless access | 1.1.0 |
| Access Control | AC-19 | Access Control for Mobile Devices | Define mobile device requirements | 1.1.0 |
| Access Control | AC-19 (5) | Full Device or Container-based Encryption | Define mobile device requirements | 1.1.0 |
| Access Control | AC-19 (5) | Full Device or Container-based Encryption | Protect data in transit using encryption | 1.1.0 |
| Access Control | AC-20 | Use of External Systems | Establish terms and conditions for accessing resources | 1.1.0 |
| Access Control | AC-20 | Use of External Systems | Establish terms and conditions for processing resources | 1.1.0 |
| Access Control | AC-20 (1) | Limits on Authorized Use | Verify security controls for external information systems | 1.1.0 |
| Access Control | AC-20 (2) | Portable Storage Devices ??? Restricted Use | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| Access Control | AC-20 (2) | Portable Storage Devices ??? Restricted Use | Control use of portable storage devices | 1.1.0 |
| Access Control | AC-20 (2) | Portable Storage Devices ??? Restricted Use | Implement controls to secure all media | 1.1.0 |
| Access Control | AC-21 | Information Sharing | Automate information sharing decisions | 1.1.0 |
| Access Control | AC-21 | Information Sharing | Facilitate information sharing | 1.1.0 |
| Access Control | AC-22 | Publicly Accessible Content | Designate authorized personnel to post publicly accessible information | 1.1.0 |
| Access Control | AC-22 | Publicly Accessible Content | Review content prior to posting publicly accessible information | 1.1.0 |
| Access Control | AC-22 | Publicly Accessible Content | Review publicly accessible content for nonpublic information | 1.1.0 |
| Access Control | AC-22 | Publicly Accessible Content | Train personnel on disclosure of nonpublic information | 1.1.0 |
| Awareness and Training | AT-1 | Policy and Procedures | Document security and privacy training activities | 1.1.0 |
| Awareness and Training | AT-1 | Policy and Procedures | Update information security policies | 1.1.0 |
| Awareness and Training | AT-2 | Literacy Training and Awareness | Provide periodic security awareness training | 1.1.0 |
| Awareness and Training | AT-2 | Literacy Training and Awareness | Provide security training for new users | 1.1.0 |
| Awareness and Training | AT-2 | Literacy Training and Awareness | Provide updated security awareness training | 1.1.0 |
| Awareness and Training | AT-2 (2) | Insider Threat | Provide security awareness training for insider threats | 1.1.0 |
| Awareness and Training | AT-3 | Role-based Training | Provide periodic role-based security training | 1.1.0 |
| Awareness and Training | AT-3 | Role-based Training | Provide role-based security training | 1.1.0 |
| Awareness and Training | AT-3 | Role-based Training | Provide security training before providing access | 1.1.0 |
| Awareness and Training | AT-3 (3) | Practical Exercises | Provide role-based practical exercises | 1.1.0 |
| Awareness and Training | AT-4 | Training Records | Document security and privacy training activities | 1.1.0 |
| Awareness and Training | AT-4 | Training Records | Monitor security and privacy training completion | 1.1.0 |
| Awareness and Training | AT-4 | Training Records | Retain training records | 1.1.0 |
| Audit and Accountability | AU-1 | Policy and Procedures | Develop audit and accountability policies and procedures | 1.1.0 |
| Audit and Accountability | AU-1 | Policy and Procedures | Develop information security policies and procedures | 1.1.0 |
| Audit and Accountability | AU-1 | Policy and Procedures | Govern policies and procedures | 1.1.0 |
| Audit and Accountability | AU-1 | Policy and Procedures | Update information security policies | 1.1.0 |
| Audit and Accountability | AU-2 | Event Logging | Determine auditable events | 1.1.0 |
| Audit and Accountability | AU-3 | Content of Audit Records | Determine auditable events | 1.1.0 |
| Audit and Accountability | AU-3 (1) | Additional Audit Information | Configure Azure Audit capabilities | 1.1.1 |
| Audit and Accountability | AU-4 | Audit Log Storage Capacity | Govern and monitor audit processing activities | 1.1.0 |
| Audit and Accountability | AU-5 | Response to Audit Logging Process Failures | Govern and monitor audit processing activities | 1.1.0 |
| Audit and Accountability | AU-5 (2) | Real-time Alerts | Provide real-time alerts for audit event failures | 1.1.0 |
| Audit and Accountability | AU-6 | Audit Record Review, Analysis, and Reporting | Azure Defender for App Service should be enabled | 1.0.3 |
| Audit and Accountability | AU-6 | Audit Record Review, Analysis, and Reporting | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Audit and Accountability | AU-6 | Audit Record Review, Analysis, and Reporting | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Audit and Accountability | AU-6 | Audit Record Review, Analysis, and Reporting | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| Audit and Accountability | AU-6 | Audit Record Review, Analysis, and Reporting | Azure Defender for servers should be enabled | 1.0.3 |
| Audit and Accountability | AU-6 | Audit Record Review, Analysis, and Reporting | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Audit and Accountability | AU-6 | Audit Record Review, Analysis, and Reporting | Correlate audit records | 1.1.0 |
| Audit and Accountability | AU-6 | Audit Record Review, Analysis, and Reporting | Establish requirements for audit review and reporting | 1.1.0 |
| Audit and Accountability | AU-6 | Audit Record Review, Analysis, and Reporting | Integrate audit review, analysis, and reporting | 1.1.0 |
| Audit and Accountability | AU-6 | Audit Record Review, Analysis, and Reporting | Integrate cloud app security with a siem | 1.1.0 |
| Audit and Accountability | AU-6 | Audit Record Review, Analysis, and Reporting | Microsoft Defender for Containers should be enabled | 1.0.0 |
| Audit and Accountability | AU-6 | Audit Record Review, Analysis, and Reporting | Microsoft Defender for Storage should be enabled | 1.0.0 |
| Audit and Accountability | AU-6 | Audit Record Review, Analysis, and Reporting | Review account provisioning logs | 1.1.0 |
| Audit and Accountability | AU-6 | Audit Record Review, Analysis, and Reporting | Review administrator assignments weekly | 1.1.0 |
| Audit and Accountability | AU-6 | Audit Record Review, Analysis, and Reporting | Review audit data | 1.1.0 |
| Audit and Accountability | AU-6 | Audit Record Review, Analysis, and Reporting | Review cloud identity report overview | 1.1.0 |
| Audit and Accountability | AU-6 | Audit Record Review, Analysis, and Reporting | Review controlled folder access events | 1.1.0 |
| Audit and Accountability | AU-6 | Audit Record Review, Analysis, and Reporting | Review file and folder activity | 1.1.0 |
| Audit and Accountability | AU-6 | Audit Record Review, Analysis, and Reporting | Review role group changes weekly | 1.1.0 |
| Audit and Accountability | AU-6 (1) | Automated Process Integration | Correlate audit records | 1.1.0 |
| Audit and Accountability | AU-6 (1) | Automated Process Integration | Establish requirements for audit review and reporting | 1.1.0 |
| Audit and Accountability | AU-6 (1) | Automated Process Integration | Integrate audit review, analysis, and reporting | 1.1.0 |
| Audit and Accountability | AU-6 (1) | Automated Process Integration | Integrate cloud app security with a siem | 1.1.0 |
| Audit and Accountability | AU-6 (1) | Automated Process Integration | Review account provisioning logs | 1.1.0 |
| Audit and Accountability | AU-6 (1) | Automated Process Integration | Review administrator assignments weekly | 1.1.0 |
| Audit and Accountability | AU-6 (1) | Automated Process Integration | Review audit data | 1.1.0 |
| Audit and Accountability | AU-6 (1) | Automated Process Integration | Review cloud identity report overview | 1.1.0 |
| Audit and Accountability | AU-6 (1) | Automated Process Integration | Review controlled folder access events | 1.1.0 |
| Audit and Accountability | AU-6 (1) | Automated Process Integration | Review file and folder activity | 1.1.0 |
| Audit and Accountability | AU-6 (1) | Automated Process Integration | Review role group changes weekly | 1.1.0 |
| Audit and Accountability | AU-6 (3) | Correlate Audit Record Repositories | Correlate audit records | 1.1.0 |
| Audit and Accountability | AU-6 (3) | Correlate Audit Record Repositories | Integrate cloud app security with a siem | 1.1.0 |
| Audit and Accountability | AU-6 (4) | Central Review and Analysis | Auto provisioning of the Log Analytics agent should be enabled on your subscription | 1.0.1 |
| Audit and Accountability | AU-6 (4) | Central Review and Analysis | Azure Defender for App Service should be enabled | 1.0.3 |
| Audit and Accountability | AU-6 (4) | Central Review and Analysis | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Audit and Accountability | AU-6 (4) | Central Review and Analysis | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Audit and Accountability | AU-6 (4) | Central Review and Analysis | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| Audit and Accountability | AU-6 (4) | Central Review and Analysis | Azure Defender for servers should be enabled | 1.0.3 |
| Audit and Accountability | AU-6 (4) | Central Review and Analysis | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Audit and Accountability | AU-6 (4) | Central Review and Analysis | Microsoft Defender for Containers should be enabled | 1.0.0 |
| Audit and Accountability | AU-6 (4) | Central Review and Analysis | Microsoft Defender for Storage should be enabled | 1.0.0 |
| Audit and Accountability | AU-6 (5) | Integrated Analysis of Audit Records | Auto provisioning of the Log Analytics agent should be enabled on your subscription | 1.0.1 |
| Audit and Accountability | AU-6 (5) | Integrated Analysis of Audit Records | Azure Defender for App Service should be enabled | 1.0.3 |
| Audit and Accountability | AU-6 (5) | Integrated Analysis of Audit Records | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Audit and Accountability | AU-6 (5) | Integrated Analysis of Audit Records | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Audit and Accountability | AU-6 (5) | Integrated Analysis of Audit Records | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| Audit and Accountability | AU-6 (5) | Integrated Analysis of Audit Records | Azure Defender for servers should be enabled | 1.0.3 |
| Audit and Accountability | AU-6 (5) | Integrated Analysis of Audit Records | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Audit and Accountability | AU-6 (5) | Integrated Analysis of Audit Records | Integrate Audit record analysis | 1.1.0 |
| Audit and Accountability | AU-6 (5) | Integrated Analysis of Audit Records | Microsoft Defender for Containers should be enabled | 1.0.0 |
| Audit and Accountability | AU-6 (5) | Integrated Analysis of Audit Records | Microsoft Defender for Storage should be enabled | 1.0.0 |
| Audit and Accountability | AU-6 (7) | Permitted Actions | Specify permitted actions associated with customer audit information | 1.1.0 |
| Audit and Accountability | AU-7 | Audit Record Reduction and Report Generation | Ensure audit records are not altered | 1.1.0 |
| Audit and Accountability | AU-7 | Audit Record Reduction and Report Generation | Provide audit review, analysis, and reporting capability | 1.1.0 |
| Audit and Accountability | AU-7 (1) | Automatic Processing | Provide capability to process customer-controlled audit records | 1.1.0 |
| Audit and Accountability | AU-8 | Time Stamps | Use system clocks for audit records | 1.1.0 |
| Audit and Accountability | AU-9 | Protection of Audit Information | Enable dual or joint authorization | 1.1.0 |
| Audit and Accountability | AU-9 | Protection of Audit Information | Protect audit information | 1.1.0 |
| Audit and Accountability | AU-9 (2) | Store on Separate Physical Systems or Components | Establish backup policies and procedures | 1.1.0 |
| Audit and Accountability | AU-9 (3) | Cryptographic Protection | Maintain integrity of audit system | 1.1.0 |
| Audit and Accountability | AU-9 (4) | Access by Subset of Privileged Users | Protect audit information | 1.1.0 |
| Audit and Accountability | AU-10 | Non-repudiation | Establish electronic signature and certificate requirements | 1.1.0 |
| Audit and Accountability | AU-11 | Audit Record Retention | Adhere to retention periods defined | 1.1.0 |
| Audit and Accountability | AU-11 | Audit Record Retention | Retain security policies and procedures | 1.1.0 |
| Audit and Accountability | AU-11 | Audit Record Retention | Retain terminated user data | 1.1.0 |
| Audit and Accountability | AU-12 | Audit Record Generation | Audit privileged functions | 1.1.0 |
| Audit and Accountability | AU-12 | Audit Record Generation | Audit user account status | 1.1.0 |
| Audit and Accountability | AU-12 | Audit Record Generation | Auto provisioning of the Log Analytics agent should be enabled on your subscription | 1.0.1 |
| Audit and Accountability | AU-12 | Audit Record Generation | Azure Defender for App Service should be enabled | 1.0.3 |
| Audit and Accountability | AU-12 | Audit Record Generation | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Audit and Accountability | AU-12 | Audit Record Generation | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Audit and Accountability | AU-12 | Audit Record Generation | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| Audit and Accountability | AU-12 | Audit Record Generation | Azure Defender for servers should be enabled | 1.0.3 |
| Audit and Accountability | AU-12 | Audit Record Generation | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Audit and Accountability | AU-12 | Audit Record Generation | Determine auditable events | 1.1.0 |
| Audit and Accountability | AU-12 | Audit Record Generation | Microsoft Defender for Containers should be enabled | 1.0.0 |
| Audit and Accountability | AU-12 | Audit Record Generation | Microsoft Defender for Storage should be enabled | 1.0.0 |
| Audit and Accountability | AU-12 | Audit Record Generation | Review audit data | 1.1.0 |
| Audit and Accountability | AU-12 (1) | System-wide and Time-correlated Audit Trail | Auto provisioning of the Log Analytics agent should be enabled on your subscription | 1.0.1 |
| Audit and Accountability | AU-12 (1) | System-wide and Time-correlated Audit Trail | Azure Defender for App Service should be enabled | 1.0.3 |
| Audit and Accountability | AU-12 (1) | System-wide and Time-correlated Audit Trail | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Audit and Accountability | AU-12 (1) | System-wide and Time-correlated Audit Trail | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Audit and Accountability | AU-12 (1) | System-wide and Time-correlated Audit Trail | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| Audit and Accountability | AU-12 (1) | System-wide and Time-correlated Audit Trail | Azure Defender for servers should be enabled | 1.0.3 |
| Audit and Accountability | AU-12 (1) | System-wide and Time-correlated Audit Trail | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Audit and Accountability | AU-12 (1) | System-wide and Time-correlated Audit Trail | Compile Audit records into system wide audit | 1.1.0 |
| Audit and Accountability | AU-12 (1) | System-wide and Time-correlated Audit Trail | Microsoft Defender for Containers should be enabled | 1.0.0 |
| Audit and Accountability | AU-12 (1) | System-wide and Time-correlated Audit Trail | Microsoft Defender for Storage should be enabled | 1.0.0 |
| Audit and Accountability | AU-12 (3) | Changes by Authorized Individuals | Provide the capability to extend or limit auditing on customer-deployed resources | 1.1.0 |
| Assessment, Authorization, and Monitoring | CA-1 | Policy and Procedures | Review security assessment and authorization policies and procedures | 1.1.0 |
| Assessment, Authorization, and Monitoring | CA-2 | Control Assessments | Assess Security Controls | 1.1.0 |
| Assessment, Authorization, and Monitoring | CA-2 | Control Assessments | Deliver security assessment results | 1.1.0 |
| Assessment, Authorization, and Monitoring | CA-2 | Control Assessments | Develop security assessment plan | 1.1.0 |
| Assessment, Authorization, and Monitoring | CA-2 | Control Assessments | Produce Security Assessment report | 1.1.0 |
| Assessment, Authorization, and Monitoring | CA-2 (1) | Independent Assessors | Employ independent assessors to conduct security control assessments | 1.1.0 |
| Assessment, Authorization, and Monitoring | CA-2 (2) | Specialized Assessments | Select additional testing for security control assessments | 1.1.0 |
| Assessment, Authorization, and Monitoring | CA-2 (3) | Leveraging Results from External Organizations | Accept assessment results | 1.1.0 |
| Assessment, Authorization, and Monitoring | CA-3 | Information Exchange | Require interconnection security agreements | 1.1.0 |
| Assessment, Authorization, and Monitoring | CA-3 | Information Exchange | Update interconnection security agreements | 1.1.0 |
| Assessment, Authorization, and Monitoring | CA-5 | Plan of Action and Milestones | Develop POA&M | 1.1.0 |
| Assessment, Authorization, and Monitoring | CA-5 | Plan of Action and Milestones | Update POA&M items | 1.1.0 |
| Assessment, Authorization, and Monitoring | CA-6 | Authorization | Assign an authorizing official (AO) | 1.1.0 |
| Assessment, Authorization, and Monitoring | CA-6 | Authorization | Ensure resources are authorized | 1.1.0 |
| Assessment, Authorization, and Monitoring | CA-6 | Authorization | Update the security authorization | 1.1.0 |
| Assessment, Authorization, and Monitoring | CA-7 | Continuous Monitoring | Configure detection whitelist | 1.1.0 |
| Assessment, Authorization, and Monitoring | CA-7 | Continuous Monitoring | Turn on sensors for endpoint security solution | 1.1.0 |
| Assessment, Authorization, and Monitoring | CA-7 | Continuous Monitoring | Undergo independent security review | 1.1.0 |
| Assessment, Authorization, and Monitoring | CA-7 (1) | Independent Assessment | Employ independent assessors for continuous monitoring | 1.1.0 |
| Assessment, Authorization, and Monitoring | CA-7 (3) | Trend Analyses | Analyse data obtained from continuous monitoring | 1.1.0 |
| Assessment, Authorization, and Monitoring | CA-8 (1) | Independent Penetration Testing Agent or Team | Employ independent team for penetration testing | 1.1.0 |
| Assessment, Authorization, and Monitoring | CA-9 | Internal System Connections | Check for privacy and security compliance before establishing internal connections | 1.1.0 |
| Configuration Management | CM-1 | Policy and Procedures | Review and update configuration management policies and procedures | 1.1.0 |
| Configuration Management | CM-2 | Baseline Configuration | Configure actions for noncompliant devices | 1.1.0 |
| Configuration Management | CM-2 | Baseline Configuration | Develop and maintain baseline configurations | 1.1.0 |
| Configuration Management | CM-2 | Baseline Configuration | Enforce security configuration settings | 1.1.0 |
| Configuration Management | CM-2 | Baseline Configuration | Establish a configuration control board | 1.1.0 |
| Configuration Management | CM-2 | Baseline Configuration | Establish and document a configuration management plan | 1.1.0 |
| Configuration Management | CM-2 | Baseline Configuration | Implement an automated configuration management tool | 1.1.0 |
| Configuration Management | CM-2 (2) | Automation Support for Accuracy and Currency | Configure actions for noncompliant devices | 1.1.0 |
| Configuration Management | CM-2 (2) | Automation Support for Accuracy and Currency | Develop and maintain baseline configurations | 1.1.0 |
| Configuration Management | CM-2 (2) | Automation Support for Accuracy and Currency | Enforce security configuration settings | 1.1.0 |
| Configuration Management | CM-2 (2) | Automation Support for Accuracy and Currency | Establish a configuration control board | 1.1.0 |
| Configuration Management | CM-2 (2) | Automation Support for Accuracy and Currency | Establish and document a configuration management plan | 1.1.0 |
| Configuration Management | CM-2 (2) | Automation Support for Accuracy and Currency | Implement an automated configuration management tool | 1.1.0 |
| Configuration Management | CM-2 (3) | Retention of Previous Configurations | Retain previous versions of baseline configs | 1.1.0 |
| Configuration Management | CM-2 (7) | Configure Systems and Components for High-risk Areas | Ensure security safeguards not needed when the individuals return | 1.1.0 |
| Configuration Management | CM-2 (7) | Configure Systems and Components for High-risk Areas | Not allow for information systems to accompany with individuals | 1.1.0 |
| Configuration Management | CM-3 | Configuration Change Control | Conduct a security impact analysis | 1.1.0 |
| Configuration Management | CM-3 | Configuration Change Control | Develop and maintain a vulnerability management standard | 1.1.0 |
| Configuration Management | CM-3 | Configuration Change Control | Establish a risk management strategy | 1.1.0 |
| Configuration Management | CM-3 | Configuration Change Control | Establish and document change control processes | 1.1.0 |
| Configuration Management | CM-3 | Configuration Change Control | Establish configuration management requirements for developers | 1.1.0 |
| Configuration Management | CM-3 | Configuration Change Control | Perform a privacy impact assessment | 1.1.0 |
| Configuration Management | CM-3 | Configuration Change Control | Perform a risk assessment | 1.1.0 |
| Configuration Management | CM-3 | Configuration Change Control | Perform audit for configuration change control | 1.1.0 |
| Configuration Management | CM-3 (1) | Automated Documentation, Notification, and Prohibition of Changes | Automate approval request for proposed changes | 1.1.0 |
| Configuration Management | CM-3 (1) | Automated Documentation, Notification, and Prohibition of Changes | Automate implementation of approved change notifications | 1.1.0 |
| Configuration Management | CM-3 (1) | Automated Documentation, Notification, and Prohibition of Changes | Automate process to document implemented changes | 1.1.0 |
| Configuration Management | CM-3 (1) | Automated Documentation, Notification, and Prohibition of Changes | Automate process to highlight unreviewed change proposals | 1.1.0 |
| Configuration Management | CM-3 (1) | Automated Documentation, Notification, and Prohibition of Changes | Automate process to prohibit implementation of unapproved changes | 1.1.0 |
| Configuration Management | CM-3 (1) | Automated Documentation, Notification, and Prohibition of Changes | Automate proposed documented changes | 1.1.0 |
| Configuration Management | CM-3 (2) | Testing, Validation, and Documentation of Changes | Establish and document change control processes | 1.1.0 |
| Configuration Management | CM-3 (2) | Testing, Validation, and Documentation of Changes | Establish configuration management requirements for developers | 1.1.0 |
| Configuration Management | CM-3 (2) | Testing, Validation, and Documentation of Changes | Perform audit for configuration change control | 1.1.0 |
| Configuration Management | CM-3 (4) | Security and Privacy Representatives | Assign information security representative to change control | 1.1.0 |
| Configuration Management | CM-3 (6) | Cryptography Management | Ensure cryptographic mechanisms are under configuration management | 1.1.0 |
| Configuration Management | CM-4 | Impact Analyses | Conduct a security impact analysis | 1.1.0 |
| Configuration Management | CM-4 | Impact Analyses | Develop and maintain a vulnerability management standard | 1.1.0 |
| Configuration Management | CM-4 | Impact Analyses | Establish a risk management strategy | 1.1.0 |
| Configuration Management | CM-4 | Impact Analyses | Establish and document change control processes | 1.1.0 |
| Configuration Management | CM-4 | Impact Analyses | Establish configuration management requirements for developers | 1.1.0 |
| Configuration Management | CM-4 | Impact Analyses | Perform a privacy impact assessment | 1.1.0 |
| Configuration Management | CM-4 | Impact Analyses | Perform a risk assessment | 1.1.0 |
| Configuration Management | CM-4 | Impact Analyses | Perform audit for configuration change control | 1.1.0 |
| Configuration Management | CM-4 (1) | Separate Test Environments | Conduct a security impact analysis | 1.1.0 |
| Configuration Management | CM-4 (1) | Separate Test Environments | Establish and document change control processes | 1.1.0 |
| Configuration Management | CM-4 (1) | Separate Test Environments | Establish configuration management requirements for developers | 1.1.0 |
| Configuration Management | CM-4 (1) | Separate Test Environments | Perform a privacy impact assessment | 1.1.0 |
| Configuration Management | CM-4 (1) | Separate Test Environments | Perform audit for configuration change control | 1.1.0 |
| Configuration Management | CM-5 | Access Restrictions for Change | Establish and document change control processes | 1.1.0 |
| Configuration Management | CM-5 (1) | Automated Access Enforcement and Audit Records | Enforce and audit access restrictions | 1.1.0 |
| Configuration Management | CM-5 (5) | Privilege Limitation for Production and Operation | Limit privileges to make changes in production environment | 1.1.0 |
| Configuration Management | CM-5 (5) | Privilege Limitation for Production and Operation | Review and reevaluate privileges | 1.1.0 |
| Configuration Management | CM-6 | Configuration Settings | Enforce security configuration settings | 1.1.0 |
| Configuration Management | CM-6 | Configuration Settings | Remediate information system flaws | 1.1.0 |
| Configuration Management | CM-6 (1) | Automated Management, Application, and Verification | Enforce security configuration settings | 1.1.0 |
| Configuration Management | CM-6 (1) | Automated Management, Application, and Verification | Govern compliance of cloud service providers | 1.1.0 |
| Configuration Management | CM-6 (1) | Automated Management, Application, and Verification | View and configure system diagnostic data | 1.1.0 |
| Configuration Management | CM-7 | Least Functionality | Azure Defender for servers should be enabled | 1.0.3 |
| Configuration Management | CM-8 | System Component Inventory | Create a data inventory | 1.1.0 |
| Configuration Management | CM-8 | System Component Inventory | Maintain records of processing of personal data | 1.1.0 |
| Configuration Management | CM-8 (1) | Updates During Installation and Removal | Create a data inventory | 1.1.0 |
| Configuration Management | CM-8 (1) | Updates During Installation and Removal | Maintain records of processing of personal data | 1.1.0 |
| Configuration Management | CM-8 (3) | Automated Unauthorized Component Detection | Enable detection of network devices | 1.1.0 |
| Configuration Management | CM-8 (3) | Automated Unauthorized Component Detection | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| Configuration Management | CM-8 (4) | Accountability Information | Create a data inventory | 1.1.0 |
| Configuration Management | CM-8 (4) | Accountability Information | Establish and maintain an asset inventory | 1.1.0 |
| Configuration Management | CM-9 | Configuration Management Plan | Create configuration plan protection | 1.1.0 |
| Configuration Management | CM-9 | Configuration Management Plan | Develop and maintain baseline configurations | 1.1.0 |
| Configuration Management | CM-9 | Configuration Management Plan | Develop configuration item identification plan | 1.1.0 |
| Configuration Management | CM-9 | Configuration Management Plan | Develop configuration management plan | 1.1.0 |
| Configuration Management | CM-9 | Configuration Management Plan | Establish and document a configuration management plan | 1.1.0 |
| Configuration Management | CM-9 | Configuration Management Plan | Implement an automated configuration management tool | 1.1.0 |
| Configuration Management | CM-10 | Software Usage Restrictions | Require compliance with intellectual property rights | 1.1.0 |
| Configuration Management | CM-10 | Software Usage Restrictions | Track software license usage | 1.1.0 |
| Configuration Management | CM-10 (1) | Open-source Software | Restrict use of open source software | 1.1.0 |
| Contingency Planning | CP-1 | Policy and Procedures | Review and update contingency planning policies and procedures | 1.1.0 |
| Contingency Planning | CP-2 | Contingency Plan | Communicate contingency plan changes | 1.1.0 |
| Contingency Planning | CP-2 | Contingency Plan | Coordinate contingency plans with related plans | 1.1.0 |
| Contingency Planning | CP-2 | Contingency Plan | Develop and document a business continuity and disaster recovery plan | 1.1.0 |
| Contingency Planning | CP-2 | Contingency Plan | Develop contingency plan | 1.1.0 |
| Contingency Planning | CP-2 | Contingency Plan | Develop contingency planning policies and procedures | 1.1.0 |
| Contingency Planning | CP-2 | Contingency Plan | Distribute policies and procedures | 1.1.0 |
| Contingency Planning | CP-2 | Contingency Plan | Review contingency plan | 1.1.0 |
| Contingency Planning | CP-2 | Contingency Plan | Update contingency plan | 1.1.0 |
| Contingency Planning | CP-2 (1) | Coordinate with Related Plans | Coordinate contingency plans with related plans | 1.1.0 |
| Contingency Planning | CP-2 (2) | Capacity Planning | Conduct capacity planning | 1.1.0 |
| Contingency Planning | CP-2 (3) | Resume Mission and Business Functions | Plan for resumption of essential business functions | 1.1.0 |
| Contingency Planning | CP-2 (5) | Continue Mission and Business Functions | Plan for continuance of essential business functions | 1.1.0 |
| Contingency Planning | CP-2 (8) | Identify Critical Assets | Perform a business impact assessment and application criticality assessment | 1.1.0 |
| Contingency Planning | CP-3 | Contingency Training | Provide contingency training | 1.1.0 |
| Contingency Planning | CP-3 (1) | Simulated Events | Incorporate simulated contingency training | 1.1.0 |
| Contingency Planning | CP-4 | Contingency Plan Testing | Initiate contingency plan testing corrective actions | 1.1.0 |
| Contingency Planning | CP-4 | Contingency Plan Testing | Review the results of contingency plan testing | 1.1.0 |
| Contingency Planning | CP-4 | Contingency Plan Testing | Test the business continuity and disaster recovery plan | 1.1.0 |
| Contingency Planning | CP-4 (1) | Coordinate with Related Plans | Coordinate contingency plans with related plans | 1.1.0 |
| Contingency Planning | CP-4 (2) | Alternate Processing Site | Evaluate alternate processing site capabilities | 1.1.0 |
| Contingency Planning | CP-4 (2) | Alternate Processing Site | Test contingency plan at an alternate processing location | 1.1.0 |
| Contingency Planning | CP-6 | Alternate Storage Site | Ensure alternate storage site safeguards are equivalent to primary site | 1.1.0 |
| Contingency Planning | CP-6 | Alternate Storage Site | Establish alternate storage site to store and retrieve backup information | 1.1.0 |
| Contingency Planning | CP-6 (1) | Separation from Primary Site | Create separate alternate and primary storage sites | 1.1.0 |
| Contingency Planning | CP-6 (2) | Recovery Time and Recovery Point Objectives | Establish alternate storage site that facilitates recovery operations | 1.1.0 |
| Contingency Planning | CP-6 (3) | Accessibility | Identify and mitigate potential issues at alternate storage site | 1.1.0 |
| Contingency Planning | CP-7 | Alternate Processing Site | Audit virtual machines without disaster recovery configured | 1.0.0 |
| Contingency Planning | CP-7 | Alternate Processing Site | Establish an alternate processing site | 1.1.0 |
| Contingency Planning | CP-7 (1) | Separation from Primary Site | Establish an alternate processing site | 1.1.0 |
| Contingency Planning | CP-7 (2) | Accessibility | Establish an alternate processing site | 1.1.0 |
| Contingency Planning | CP-7 (3) | Priority of Service | Establish an alternate processing site | 1.1.0 |
| Contingency Planning | CP-7 (3) | Priority of Service | Establish requirements for internet service providers | 1.1.0 |
| Contingency Planning | CP-7 (4) | Preparation for Use | Prepare alternate processing site for use as operational site | 1.1.0 |
| Contingency Planning | CP-8 (1) | Priority of Service Provisions | Establish requirements for internet service providers | 1.1.0 |
| Contingency Planning | CP-9 | System Backup | Conduct backup of information system documentation | 1.1.0 |
| Contingency Planning | CP-9 | System Backup | Establish backup policies and procedures | 1.1.0 |
| Contingency Planning | CP-9 | System Backup | Implement controls to secure all media | 1.1.0 |
| Contingency Planning | CP-9 (3) | Separate Storage for Critical Information | Separately store backup information | 1.1.0 |
| Contingency Planning | CP-9 (5) | Transfer to Alternate Storage Site | Transfer backup information to an alternate storage site | 1.1.0 |
| Contingency Planning | CP-10 | System Recovery and Reconstitution | Recover and reconstitute resources after any disruption | 1.1.1 |
| Contingency Planning | CP-10 (2) | Transaction Recovery | Implement transaction based recovery | 1.1.0 |
| Contingency Planning | CP-10 (4) | Restore Within Time Period | Restore resources to operational state | 1.1.1 |
| Identification and Authentication | IA-1 | Policy and Procedures | Review and update identification and authentication policies and procedures | 1.1.0 |
| Identification and Authentication | IA-2 | Identification and Authentication (organizational Users) | Accounts with owner permissions on Azure resources should be MFA enabled | 1.0.0 |
| Identification and Authentication | IA-2 | Identification and Authentication (organizational Users) | Accounts with read permissions on Azure resources should be MFA enabled | 1.0.0 |
| Identification and Authentication | IA-2 | Identification and Authentication (organizational Users) | Accounts with write permissions on Azure resources should be MFA enabled | 1.0.0 |
| Identification and Authentication | IA-2 | Identification and Authentication (organizational Users) | Enforce user uniqueness | 1.1.0 |
| Identification and Authentication | IA-2 | Identification and Authentication (organizational Users) | Support personal verification credentials issued by legal authorities | 1.1.0 |
| Identification and Authentication | IA-2 (1) | Multi-factor Authentication to Privileged Accounts | Accounts with owner permissions on Azure resources should be MFA enabled | 1.0.0 |
| Identification and Authentication | IA-2 (1) | Multi-factor Authentication to Privileged Accounts | Accounts with write permissions on Azure resources should be MFA enabled | 1.0.0 |
| Identification and Authentication | IA-2 (1) | Multi-factor Authentication to Privileged Accounts | Adopt biometric authentication mechanisms | 1.1.0 |
| Identification and Authentication | IA-2 (2) | Multi-factor Authentication to Non-privileged Accounts | Accounts with read permissions on Azure resources should be MFA enabled | 1.0.0 |
| Identification and Authentication | IA-2 (2) | Multi-factor Authentication to Non-privileged Accounts | Adopt biometric authentication mechanisms | 1.1.0 |
| Identification and Authentication | IA-2 (5) | Individual Authentication with Group Authentication | Require use of individual authenticators | 1.1.0 |
| Identification and Authentication | IA-2 (12) | Acceptance of PIV Credentials | Support personal verification credentials issued by legal authorities | 1.1.0 |
| Identification and Authentication | IA-4 | Identifier Management | Assign system identifiers | 1.1.0 |
| Identification and Authentication | IA-4 | Identifier Management | Prevent identifier reuse for the defined time period | 1.1.0 |
| Identification and Authentication | IA-4 (4) | Identify User Status | Identify status of individual users | 1.1.0 |
| Identification and Authentication | IA-5 | Authenticator Management | Establish authenticator types and processes | 1.1.0 |
| Identification and Authentication | IA-5 | Authenticator Management | Establish procedures for initial authenticator distribution | 1.1.0 |
| Identification and Authentication | IA-5 | Authenticator Management | Implement training for protecting authenticators | 1.1.0 |
| Identification and Authentication | IA-5 | Authenticator Management | Manage authenticator lifetime and reuse | 1.1.0 |
| Identification and Authentication | IA-5 | Authenticator Management | Manage Authenticators | 1.1.0 |
| Identification and Authentication | IA-5 | Authenticator Management | Refresh authenticators | 1.1.0 |
| Identification and Authentication | IA-5 | Authenticator Management | Reissue authenticators for changed groups and accounts | 1.1.0 |
| Identification and Authentication | IA-5 | Authenticator Management | Verify identity before distributing authenticators | 1.1.0 |
| Identification and Authentication | IA-5 (1) | Password-based Authentication | Document security strength requirements in acquisition contracts | 1.1.0 |
| Identification and Authentication | IA-5 (1) | Password-based Authentication | Establish a password policy | 1.1.0 |
| Identification and Authentication | IA-5 (1) | Password-based Authentication | Implement parameters for memorized secret verifiers | 1.1.0 |
| Identification and Authentication | IA-5 (1) | Password-based Authentication | Protect passwords with encryption | 1.1.0 |
| Identification and Authentication | IA-5 (2) | Public Key-based Authentication | Bind authenticators and identities dynamically | 1.1.0 |
| Identification and Authentication | IA-5 (2) | Public Key-based Authentication | Establish authenticator types and processes | 1.1.0 |
| Identification and Authentication | IA-5 (2) | Public Key-based Authentication | Establish parameters for searching secret authenticators and verifiers | 1.1.0 |
| Identification and Authentication | IA-5 (2) | Public Key-based Authentication | Establish procedures for initial authenticator distribution | 1.1.0 |
| Identification and Authentication | IA-5 (2) | Public Key-based Authentication | Map authenticated identities to individuals | 1.1.0 |
| Identification and Authentication | IA-5 (2) | Public Key-based Authentication | Restrict access to private keys | 1.1.0 |
| Identification and Authentication | IA-5 (2) | Public Key-based Authentication | Verify identity before distributing authenticators | 1.1.0 |
| Identification and Authentication | IA-5 (6) | Protection of Authenticators | Ensure authorized users protect provided authenticators | 1.1.0 |
| Identification and Authentication | IA-5 (7) | No Embedded Unencrypted Static Authenticators | Ensure there are no unencrypted static authenticators | 1.1.0 |
| Identification and Authentication | IA-5 (13) | Expiration of Cached Authenticators | Enforce expiration of cached authenticators | 1.1.0 |
| Identification and Authentication | IA-6 | Authentication Feedback | Obscure feedback information during authentication process | 1.1.0 |
| Identification and Authentication | IA-7 | Cryptographic Module Authentication | Authenticate to cryptographic module | 1.1.0 |
| Identification and Authentication | IA-8 | Identification and Authentication (non-organizational Users) | Identify and authenticate non-organizational users | 1.1.0 |
| Identification and Authentication | IA-8 (1) | Acceptance of PIV Credentials from Other Agencies | Accept PIV credentials | 1.1.0 |
| Identification and Authentication | IA-8 (2) | Acceptance of External Authenticators | Accept only FICAM-approved third-party credentials | 1.1.0 |
| Identification and Authentication | IA-8 (4) | Use of Defined Profiles | Conform to FICAM-issued profiles | 1.1.0 |
| Incident Response | IR-1 | Policy and Procedures | Review and update incident response policies and procedures | 1.1.0 |
| Incident Response | IR-2 | Incident Response Training | Provide information spillage training | 1.1.0 |
| Incident Response | IR-2 (1) | Simulated Events | Incorporate simulated events into incident response training | 1.1.0 |
| Incident Response | IR-2 (2) | Automated Training Environments | Employ automated training environment | 1.1.0 |
| Incident Response | IR-3 | Incident Response Testing | Conduct incident response testing | 1.1.0 |
| Incident Response | IR-3 | Incident Response Testing | Establish an information security program | 1.1.0 |
| Incident Response | IR-3 | Incident Response Testing | Run simulation attacks | 1.1.0 |
| Incident Response | IR-3 (2) | Coordination with Related Plans | Conduct incident response testing | 1.1.0 |
| Incident Response | IR-3 (2) | Coordination with Related Plans | Establish an information security program | 1.1.0 |
| Incident Response | IR-3 (2) | Coordination with Related Plans | Run simulation attacks | 1.1.0 |
| Incident Response | IR-4 | Incident Handling | Assess information security events | 1.1.0 |
| Incident Response | IR-4 | Incident Handling | Azure Defender for App Service should be enabled | 1.0.3 |
| Incident Response | IR-4 | Incident Handling | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Incident Response | IR-4 | Incident Handling | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Incident Response | IR-4 | Incident Handling | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| Incident Response | IR-4 | Incident Handling | Azure Defender for servers should be enabled | 1.0.3 |
| Incident Response | IR-4 | Incident Handling | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Incident Response | IR-4 | Incident Handling | Coordinate contingency plans with related plans | 1.1.0 |
| Incident Response | IR-4 | Incident Handling | Develop an incident response plan | 1.1.0 |
| Incident Response | IR-4 | Incident Handling | Develop security safeguards | 1.1.0 |
| Incident Response | IR-4 | Incident Handling | Email notification for high severity alerts should be enabled | 1.1.0 |
| Incident Response | IR-4 | Incident Handling | Email notification to subscription owner for high severity alerts should be enabled | 2.1.0 |
| Incident Response | IR-4 | Incident Handling | Enable network protection | 1.1.0 |
| Incident Response | IR-4 | Incident Handling | Eradicate contaminated information | 1.1.0 |
| Incident Response | IR-4 | Incident Handling | Execute actions in response to information spills | 1.1.0 |
| Incident Response | IR-4 | Incident Handling | Implement incident handling | 1.1.0 |
| Incident Response | IR-4 | Incident Handling | Maintain incident response plan | 1.1.0 |
| Incident Response | IR-4 | Incident Handling | Microsoft Defender for Containers should be enabled | 1.0.0 |
| Incident Response | IR-4 | Incident Handling | Microsoft Defender for Storage should be enabled | 1.0.0 |
| Incident Response | IR-4 | Incident Handling | Perform a trend analysis on threats | 1.1.0 |
| Incident Response | IR-4 | Incident Handling | Subscriptions should have a contact email address for security issues | 1.0.1 |
| Incident Response | IR-4 | Incident Handling | View and investigate restricted users | 1.1.0 |
| Incident Response | IR-4 (1) | Automated Incident Handling Processes | Develop an incident response plan | 1.1.0 |
| Incident Response | IR-4 (1) | Automated Incident Handling Processes | Enable network protection | 1.1.0 |
| Incident Response | IR-4 (1) | Automated Incident Handling Processes | Implement incident handling | 1.1.0 |
| Incident Response | IR-4 (2) | Dynamic Reconfiguration | Include dynamic reconfig of customer deployed resources | 1.1.0 |
| Incident Response | IR-4 (3) | Continuity of Operations | Identify classes of Incidents and Actions taken | 1.1.0 |
| Incident Response | IR-4 (4) | Information Correlation | Implement incident handling | 1.1.0 |
| Incident Response | IR-4 (6) | Insider Threats | Implement Incident handling capability | 1.1.0 |
| Incident Response | IR-4 (8) | Correlation with External Organizations | Coordinate with external organizations to achieve cross org perspective | 1.1.0 |
| Incident Response | IR-5 | Incident Monitoring | Azure Defender for App Service should be enabled | 1.0.3 |
| Incident Response | IR-5 | Incident Monitoring | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Incident Response | IR-5 | Incident Monitoring | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Incident Response | IR-5 | Incident Monitoring | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| Incident Response | IR-5 | Incident Monitoring | Azure Defender for servers should be enabled | 1.0.3 |
| Incident Response | IR-5 | Incident Monitoring | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Incident Response | IR-5 | Incident Monitoring | Email notification for high severity alerts should be enabled | 1.1.0 |
| Incident Response | IR-5 | Incident Monitoring | Email notification to subscription owner for high severity alerts should be enabled | 2.1.0 |
| Incident Response | IR-5 | Incident Monitoring | Microsoft Defender for Containers should be enabled | 1.0.0 |
| Incident Response | IR-5 | Incident Monitoring | Microsoft Defender for Storage should be enabled | 1.0.0 |
| Incident Response | IR-5 | Incident Monitoring | Subscriptions should have a contact email address for security issues | 1.0.1 |
| Incident Response | IR-6 (1) | Automated Reporting | Document security operations | 1.1.0 |
| Incident Response | IR-6 (2) | Vulnerabilities Related to Incidents | Email notification for high severity alerts should be enabled | 1.1.0 |
| Incident Response | IR-6 (2) | Vulnerabilities Related to Incidents | Email notification to subscription owner for high severity alerts should be enabled | 2.1.0 |
| Incident Response | IR-6 (2) | Vulnerabilities Related to Incidents | Subscriptions should have a contact email address for security issues | 1.0.1 |
| Incident Response | IR-7 | Incident Response Assistance | Document security operations | 1.1.0 |
| Incident Response | IR-7 (1) | Automation Support for Availability of Information and Support | Develop an incident response plan | 1.1.0 |
| Incident Response | IR-7 (1) | Automation Support for Availability of Information and Support | Enable network protection | 1.1.0 |
| Incident Response | IR-7 (1) | Automation Support for Availability of Information and Support | Eradicate contaminated information | 1.1.0 |
| Incident Response | IR-7 (1) | Automation Support for Availability of Information and Support | Execute actions in response to information spills | 1.1.0 |
| Incident Response | IR-7 (1) | Automation Support for Availability of Information and Support | Implement incident handling | 1.1.0 |
| Incident Response | IR-7 (1) | Automation Support for Availability of Information and Support | Perform a trend analysis on threats | 1.1.0 |
| Incident Response | IR-7 (1) | Automation Support for Availability of Information and Support | View and investigate restricted users | 1.1.0 |
| Incident Response | IR-7 (2) | Coordination with External Providers | Establish relationship between incident response capability and external providers | 1.1.0 |
| Incident Response | IR-7 (2) | Coordination with External Providers | Identify incident response personnel | 1.1.0 |
| Incident Response | IR-8 | Incident Response Plan | Assess information security events | 1.1.0 |
| Incident Response | IR-8 | Incident Response Plan | Develop an incident response plan | 1.1.0 |
| Incident Response | IR-8 | Incident Response Plan | Implement incident handling | 1.1.0 |
| Incident Response | IR-8 | Incident Response Plan | Maintain data breach records | 1.1.0 |
| Incident Response | IR-8 | Incident Response Plan | Maintain incident response plan | 1.1.0 |
| Incident Response | IR-8 | Incident Response Plan | Protect incident response plan | 1.1.0 |
| Incident Response | IR-9 | Information Spillage Response | Alert personnel of information spillage | 1.1.0 |
| Incident Response | IR-9 | Information Spillage Response | Develop an incident response plan | 1.1.0 |
| Incident Response | IR-9 | Information Spillage Response | Eradicate contaminated information | 1.1.0 |
| Incident Response | IR-9 | Information Spillage Response | Execute actions in response to information spills | 1.1.0 |
| Incident Response | IR-9 | Information Spillage Response | Identify contaminated systems and components | 1.1.0 |
| Incident Response | IR-9 | Information Spillage Response | Identify spilled information | 1.1.0 |
| Incident Response | IR-9 | Information Spillage Response | Isolate information spills | 1.1.0 |
| Incident Response | IR-9 (2) | Training | Provide information spillage training | 1.1.0 |
| Incident Response | IR-9 (3) | Post-spill Operations | Develop spillage response procedures | 1.1.0 |
| Incident Response | IR-9 (4) | Exposure to Unauthorized Personnel | Develop security safeguards | 1.1.0 |
| Maintenance | MA-1 | Policy and Procedures | Review and update system maintenance policies and procedures | 1.1.0 |
| Maintenance | MA-2 | Controlled Maintenance | Control maintenance and repair activities | 1.1.0 |
| Maintenance | MA-2 | Controlled Maintenance | Employ a media sanitization mechanism | 1.1.0 |
| Maintenance | MA-2 | Controlled Maintenance | Implement controls to secure all media | 1.1.0 |
| Maintenance | MA-2 | Controlled Maintenance | Manage nonlocal maintenance and diagnostic activities | 1.1.0 |
| Maintenance | MA-2 (2) | Automated Maintenance Activities | Automate remote maintenance activities | 1.1.0 |
| Maintenance | MA-2 (2) | Automated Maintenance Activities | Produce complete records of remote maintenance activities | 1.1.0 |
| Maintenance | MA-3 | Maintenance Tools | Control maintenance and repair activities | 1.1.0 |
| Maintenance | MA-3 | Maintenance Tools | Manage nonlocal maintenance and diagnostic activities | 1.1.0 |
| Maintenance | MA-3 (1) | Inspect Tools | Control maintenance and repair activities | 1.1.0 |
| Maintenance | MA-3 (1) | Inspect Tools | Manage nonlocal maintenance and diagnostic activities | 1.1.0 |
| Maintenance | MA-3 (2) | Inspect Media | Control maintenance and repair activities | 1.1.0 |
| Maintenance | MA-3 (2) | Inspect Media | Manage nonlocal maintenance and diagnostic activities | 1.1.0 |
| Maintenance | MA-3 (3) | Prevent Unauthorized Removal | Control maintenance and repair activities | 1.1.0 |
| Maintenance | MA-3 (3) | Prevent Unauthorized Removal | Employ a media sanitization mechanism | 1.1.0 |
| Maintenance | MA-3 (3) | Prevent Unauthorized Removal | Implement controls to secure all media | 1.1.0 |
| Maintenance | MA-3 (3) | Prevent Unauthorized Removal | Manage nonlocal maintenance and diagnostic activities | 1.1.0 |
| Maintenance | MA-4 | Nonlocal Maintenance | Manage nonlocal maintenance and diagnostic activities | 1.1.0 |
| Maintenance | MA-4 (3) | Comparable Security and Sanitization | Perform all non-local maintenance | 1.1.0 |
| Maintenance | MA-4 (6) | Cryptographic Protection | Implement cryptographic mechanisms | 1.1.0 |
| Maintenance | MA-5 | Maintenance Personnel | Designate personnel to supervise unauthorized maintenance activities | 1.1.0 |
| Maintenance | MA-5 | Maintenance Personnel | Maintain list of authorized remote maintenance personnel | 1.1.0 |
| Maintenance | MA-5 | Maintenance Personnel | Manage maintenance personnel | 1.1.0 |
| Maintenance | MA-5 (1) | Individuals Without Appropriate Access | Employ a media sanitization mechanism | 1.1.0 |
| Maintenance | MA-5 (1) | Individuals Without Appropriate Access | Implement controls to secure all media | 1.1.0 |
| Maintenance | MA-6 | Timely Maintenance | Provide timely maintenance support | 1.1.0 |
| Media Protection | MP-1 | Policy and Procedures | Review and update media protection policies and procedures | 1.1.0 |
| Media Protection | MP-2 | Media Access | Implement controls to secure all media | 1.1.0 |
| Media Protection | MP-3 | Media Marking | Implement controls to secure all media | 1.1.0 |
| Media Protection | MP-4 | Media Storage | Employ a media sanitization mechanism | 1.1.0 |
| Media Protection | MP-4 | Media Storage | Implement controls to secure all media | 1.1.0 |
| Media Protection | MP-5 | Media Transport | Implement controls to secure all media | 1.1.0 |
| Media Protection | MP-5 | Media Transport | Manage the transportation of assets | 1.1.0 |
| Media Protection | MP-6 | Media Sanitization | Employ a media sanitization mechanism | 1.1.0 |
| Media Protection | MP-6 | Media Sanitization | Implement controls to secure all media | 1.1.0 |
| Media Protection | MP-6 (1) | Review, Approve, Track, Document, and Verify | Employ a media sanitization mechanism | 1.1.0 |
| Media Protection | MP-6 (1) | Review, Approve, Track, Document, and Verify | Implement controls to secure all media | 1.1.0 |
| Media Protection | MP-6 (2) | Equipment Testing | Employ a media sanitization mechanism | 1.1.0 |
| Media Protection | MP-6 (2) | Equipment Testing | Implement controls to secure all media | 1.1.0 |
| Media Protection | MP-7 | Media Use | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| Media Protection | MP-7 | Media Use | Control use of portable storage devices | 1.1.0 |
| Media Protection | MP-7 | Media Use | Implement controls to secure all media | 1.1.0 |
| Media Protection | MP-7 | Media Use | Restrict media use | 1.1.0 |
| Physical and Environmental Protection | PE-1 | Policy and Procedures | Review and update physical and environmental policies and procedures | 1.1.0 |
| Physical and Environmental Protection | PE-2 | Physical Access Authorizations | Control physical access | 1.1.0 |
| Physical and Environmental Protection | PE-3 | Physical Access Control | Control physical access | 1.1.0 |
| Physical and Environmental Protection | PE-3 | Physical Access Control | Define a physical key management process | 1.1.0 |
| Physical and Environmental Protection | PE-3 | Physical Access Control | Establish and maintain an asset inventory | 1.1.0 |
| Physical and Environmental Protection | PE-3 | Physical Access Control | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Physical and Environmental Protection | PE-4 | Access Control for Transmission | Control physical access | 1.1.0 |
| Physical and Environmental Protection | PE-4 | Access Control for Transmission | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Physical and Environmental Protection | PE-5 | Access Control for Output Devices | Control physical access | 1.1.0 |
| Physical and Environmental Protection | PE-5 | Access Control for Output Devices | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Physical and Environmental Protection | PE-5 | Access Control for Output Devices | Manage the input, output, processing, and storage of data | 1.1.0 |
| Physical and Environmental Protection | PE-6 (1) | Intrusion Alarms and Surveillance Equipment | Install an alarm system | 1.1.0 |
| Physical and Environmental Protection | PE-6 (1) | Intrusion Alarms and Surveillance Equipment | Manage a secure surveillance camera system | 1.1.0 |
| Physical and Environmental Protection | PE-8 | Visitor Access Records | Control physical access | 1.1.0 |
| Physical and Environmental Protection | PE-8 | Visitor Access Records | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Physical and Environmental Protection | PE-12 | Emergency Lighting | Employ automatic emergency lighting | 1.1.0 |
| Physical and Environmental Protection | PE-13 | Fire Protection | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Physical and Environmental Protection | PE-13 (1) | Detection Systems ??? Automatic Activation and Notification | Implement a penetration testing methodology | 1.1.0 |
| Physical and Environmental Protection | PE-13 (1) | Detection Systems ??? Automatic Activation and Notification | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Physical and Environmental Protection | PE-13 (1) | Detection Systems ??? Automatic Activation and Notification | Run simulation attacks | 1.1.0 |
| Physical and Environmental Protection | PE-13 (2) | Suppression Systems ??? Automatic Activation and Notification | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Physical and Environmental Protection | PE-14 | Environmental Controls | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Physical and Environmental Protection | PE-14 (2) | Monitoring with Alarms and Notifications | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Physical and Environmental Protection | PE-14 (2) | Monitoring with Alarms and Notifications | Install an alarm system | 1.1.0 |
| Physical and Environmental Protection | PE-15 | Water Damage Protection | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Physical and Environmental Protection | PE-16 | Delivery and Removal | Define requirements for managing assets | 1.1.0 |
| Physical and Environmental Protection | PE-16 | Delivery and Removal | Manage the transportation of assets | 1.1.0 |
| Physical and Environmental Protection | PE-17 | Alternate Work Site | Implement controls to secure alternate work sites | 1.1.0 |
| Physical and Environmental Protection | PE-18 | Location of System Components | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Planning | PL-1 | Policy and Procedures | Review and update planning policies and procedures | 1.1.0 |
| Planning | PL-2 | System Security and Privacy Plans | Develop and establish a system security plan | 1.1.0 |
| Planning | PL-2 | System Security and Privacy Plans | Develop information security policies and procedures | 1.1.0 |
| Planning | PL-2 | System Security and Privacy Plans | Develop SSP that meets criteria | 1.1.0 |
| Planning | PL-2 | System Security and Privacy Plans | Establish a privacy program | 1.1.0 |
| Planning | PL-2 | System Security and Privacy Plans | Establish security requirements for the manufacturing of connected devices | 1.1.0 |
| Planning | PL-2 | System Security and Privacy Plans | Implement security engineering principles of information systems | 1.1.0 |
| Planning | PL-4 | Rules of Behavior | Develop acceptable use policies and procedures | 1.1.0 |
| Planning | PL-4 | Rules of Behavior | Develop organization code of conduct policy | 1.1.0 |
| Planning | PL-4 | Rules of Behavior | Document personnel acceptance of privacy requirements | 1.1.0 |
| Planning | PL-4 | Rules of Behavior | Enforce rules of behavior and access agreements | 1.1.0 |
| Planning | PL-4 | Rules of Behavior | Prohibit unfair practices | 1.1.0 |
| Planning | PL-4 | Rules of Behavior | Review and sign revised rules of behavior | 1.1.0 |
| Planning | PL-4 | Rules of Behavior | Update information security policies | 1.1.0 |
| Planning | PL-4 | Rules of Behavior | Update rules of behavior and access agreements | 1.1.0 |
| Planning | PL-4 | Rules of Behavior | Update rules of behavior and access agreements every 3 years | 1.1.0 |
| Planning | PL-4 (1) | Social Media and External Site/application Usage Restrictions | Develop acceptable use policies and procedures | 1.1.0 |
| Planning | PL-8 | Security and Privacy Architectures | Develop a concept of operations (CONOPS) | 1.1.0 |
| Planning | PL-8 | Security and Privacy Architectures | Review and update the information security architecture | 1.1.0 |
| Personnel Security | PS-1 | Policy and Procedures | Review and update personnel security policies and procedures | 1.1.0 |
| Personnel Security | PS-2 | Position Risk Designation | Assign risk designations | 1.1.0 |
| Personnel Security | PS-3 | Personnel Screening | Clear personnel with access to classified information | 1.1.0 |
| Personnel Security | PS-3 | Personnel Screening | Implement personnel screening | 1.1.0 |
| Personnel Security | PS-3 | Personnel Screening | Rescreen individuals at a defined frequency | 1.1.0 |
| Personnel Security | PS-3 (3) | Information Requiring Special Protective Measures | Protect special information | 1.1.0 |
| Personnel Security | PS-4 | Personnel Termination | Conduct exit interview upon termination | 1.1.0 |
| Personnel Security | PS-4 | Personnel Termination | Disable authenticators upon termination | 1.1.0 |
| Personnel Security | PS-4 | Personnel Termination | Notify upon termination or transfer | 1.1.0 |
| Personnel Security | PS-4 | Personnel Termination | Protect against and prevent data theft from departing employees | 1.1.0 |
| Personnel Security | PS-4 | Personnel Termination | Retain terminated user data | 1.1.0 |
| Personnel Security | PS-4 (2) | Automated Actions | Automate notification of employee termination | 1.1.0 |
| Personnel Security | PS-5 | Personnel Transfer | Initiate transfer or reassignment actions | 1.1.0 |
| Personnel Security | PS-5 | Personnel Transfer | Modify access authorizations upon personnel transfer | 1.1.0 |
| Personnel Security | PS-5 | Personnel Transfer | Notify upon termination or transfer | 1.1.0 |
| Personnel Security | PS-5 | Personnel Transfer | Reevaluate access upon personnel transfer | 1.1.0 |
| Personnel Security | PS-6 | Access Agreements | Document organizational access agreements | 1.1.0 |
| Personnel Security | PS-6 | Access Agreements | Enforce rules of behavior and access agreements | 1.1.0 |
| Personnel Security | PS-6 | Access Agreements | Ensure access agreements are signed or resigned timely | 1.1.0 |
| Personnel Security | PS-6 | Access Agreements | Require users to sign access agreement | 1.1.0 |
| Personnel Security | PS-6 | Access Agreements | Update organizational access agreements | 1.1.0 |
| Personnel Security | PS-7 | External Personnel Security | Document third-party personnel security requirements | 1.1.0 |
| Personnel Security | PS-7 | External Personnel Security | Establish third-party personnel security requirements | 1.1.0 |
| Personnel Security | PS-7 | External Personnel Security | Monitor third-party provider compliance | 1.1.0 |
| Personnel Security | PS-7 | External Personnel Security | Require notification of third-party personnel transfer or termination | 1.1.0 |
| Personnel Security | PS-7 | External Personnel Security | Require third-party providers to comply with personnel security policies and procedures | 1.1.0 |
| Personnel Security | PS-8 | Personnel Sanctions | Implement formal sanctions process | 1.1.0 |
| Personnel Security | PS-8 | Personnel Sanctions | Notify personnel upon sanctions | 1.1.0 |
| Risk Assessment | RA-1 | Policy and Procedures | Review and update risk assessment policies and procedures | 1.1.0 |
| Risk Assessment | RA-2 | Security Categorization | Categorize information | 1.1.0 |
| Risk Assessment | RA-2 | Security Categorization | Develop business classification schemes | 1.1.0 |
| Risk Assessment | RA-2 | Security Categorization | Ensure security categorization is approved | 1.1.0 |
| Risk Assessment | RA-2 | Security Categorization | Review label activity and analytics | 1.1.0 |
| Risk Assessment | RA-3 | Risk Assessment | Conduct Risk Assessment | 1.1.0 |
| Risk Assessment | RA-3 | Risk Assessment | Conduct risk assessment and distribute its results | 1.1.0 |
| Risk Assessment | RA-3 | Risk Assessment | Conduct risk assessment and document its results | 1.1.0 |
| Risk Assessment | RA-3 | Risk Assessment | Perform a risk assessment | 1.1.0 |
| Risk Assessment | RA-5 | Vulnerability Monitoring and Scanning | Azure Defender for App Service should be enabled | 1.0.3 |
| Risk Assessment | RA-5 | Vulnerability Monitoring and Scanning | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Risk Assessment | RA-5 | Vulnerability Monitoring and Scanning | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Risk Assessment | RA-5 | Vulnerability Monitoring and Scanning | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| Risk Assessment | RA-5 | Vulnerability Monitoring and Scanning | Azure Defender for servers should be enabled | 1.0.3 |
| Risk Assessment | RA-5 | Vulnerability Monitoring and Scanning | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Risk Assessment | RA-5 | Vulnerability Monitoring and Scanning | Microsoft Defender for Containers should be enabled | 1.0.0 |
| Risk Assessment | RA-5 | Vulnerability Monitoring and Scanning | Microsoft Defender for Storage should be enabled | 1.0.0 |
| Risk Assessment | RA-5 | Vulnerability Monitoring and Scanning | Perform vulnerability scans | 1.1.0 |
| Risk Assessment | RA-5 | Vulnerability Monitoring and Scanning | Remediate information system flaws | 1.1.0 |
| Risk Assessment | RA-5 (2) | Update Vulnerabilities to Be Scanned | Perform vulnerability scans | 1.1.0 |
| Risk Assessment | RA-5 (2) | Update Vulnerabilities to Be Scanned | Remediate information system flaws | 1.1.0 |
| Risk Assessment | RA-5 (3) | Breadth and Depth of Coverage | Perform vulnerability scans | 1.1.0 |
| Risk Assessment | RA-5 (3) | Breadth and Depth of Coverage | Remediate information system flaws | 1.1.0 |
| Risk Assessment | RA-5 (4) | Discoverable Information | Take action in response to customer information | 1.1.0 |
| Risk Assessment | RA-5 (5) | Privileged Access | Implement privileged access for executing vulnerability scanning activities | 1.1.0 |
| Risk Assessment | RA-5 (6) | Automated Trend Analyses | Observe and report security weaknesses | 1.1.0 |
| Risk Assessment | RA-5 (6) | Automated Trend Analyses | Perform a trend analysis on threats | 1.1.0 |
| Risk Assessment | RA-5 (6) | Automated Trend Analyses | Perform threat modeling | 1.1.0 |
| Risk Assessment | RA-5 (6) | Automated Trend Analyses | Perform vulnerability scans | 1.1.0 |
| Risk Assessment | RA-5 (6) | Automated Trend Analyses | Remediate information system flaws | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Audit privileged functions | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Audit user account status | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Correlate audit records | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Determine auditable events | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Establish requirements for audit review and reporting | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Integrate audit review, analysis, and reporting | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Integrate cloud app security with a siem | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Review account provisioning logs | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Review administrator assignments weekly | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Review audit data | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Review cloud identity report overview | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Review controlled folder access events | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Review exploit protection events | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Review file and folder activity | 1.1.0 |
| Risk Assessment | RA-5 (8) | Review Historic Audit Logs | Review role group changes weekly | 1.1.0 |
| Risk Assessment | RA-5 (10) | Correlate Scanning Information | Correlate Vulnerability scan information | 1.1.1 |
| System and Services Acquisition | SA-1 | Policy and Procedures | Review and update system and services acquisition policies and procedures | 1.1.0 |
| System and Services Acquisition | SA-2 | Allocation of Resources | Align business objectives and IT goals | 1.1.0 |
| System and Services Acquisition | SA-2 | Allocation of Resources | Allocate resources in determining information system requirements | 1.1.0 |
| System and Services Acquisition | SA-2 | Allocation of Resources | Establish a discrete line item in budgeting documentation | 1.1.0 |
| System and Services Acquisition | SA-2 | Allocation of Resources | Establish a privacy program | 1.1.0 |
| System and Services Acquisition | SA-2 | Allocation of Resources | Govern the allocation of resources | 1.1.0 |
| System and Services Acquisition | SA-2 | Allocation of Resources | Secure commitment from leadership | 1.1.0 |
| System and Services Acquisition | SA-3 | System Development Life Cycle | Define information security roles and responsibilities | 1.1.0 |
| System and Services Acquisition | SA-3 | System Development Life Cycle | Identify individuals with security roles and responsibilities | 1.1.1 |
| System and Services Acquisition | SA-3 | System Development Life Cycle | Integrate risk management process into SDLC | 1.1.0 |
| System and Services Acquisition | SA-4 | Acquisition Process | Determine supplier contract obligations | 1.1.0 |
| System and Services Acquisition | SA-4 | Acquisition Process | Document acquisition contract acceptance criteria | 1.1.0 |
| System and Services Acquisition | SA-4 | Acquisition Process | Document protection of personal data in acquisition contracts | 1.1.0 |
| System and Services Acquisition | SA-4 | Acquisition Process | Document protection of security information in acquisition contracts | 1.1.0 |
| System and Services Acquisition | SA-4 | Acquisition Process | Document requirements for the use of shared data in contracts | 1.1.0 |
| System and Services Acquisition | SA-4 | Acquisition Process | Document security assurance requirements in acquisition contracts | 1.1.0 |
| System and Services Acquisition | SA-4 | Acquisition Process | Document security documentation requirements in acquisition contract | 1.1.0 |
| System and Services Acquisition | SA-4 | Acquisition Process | Document security functional requirements in acquisition contracts | 1.1.0 |
| System and Services Acquisition | SA-4 | Acquisition Process | Document security strength requirements in acquisition contracts | 1.1.0 |
| System and Services Acquisition | SA-4 | Acquisition Process | Document the information system environment in acquisition contracts | 1.1.0 |
| System and Services Acquisition | SA-4 | Acquisition Process | Document the protection of cardholder data in third party contracts | 1.1.0 |
| System and Services Acquisition | SA-4 (1) | Functional Properties of Controls | Obtain functional properties of security controls | 1.1.0 |
| System and Services Acquisition | SA-4 (2) | Design and Implementation Information for Controls | Obtain design and implementation information for the security controls | 1.1.1 |
| System and Services Acquisition | SA-4 (8) | Continuous Monitoring Plan for Controls | Obtain continuous monitoring plan for security controls | 1.1.0 |
| System and Services Acquisition | SA-4 (9) | Functions, Ports, Protocols, and Services in Use | Require developer to identify SDLC ports, protocols, and services | 1.1.0 |
| System and Services Acquisition | SA-4 (10) | Use of Approved PIV Products | Employ FIPS 201-approved technology for PIV | 1.1.0 |
| System and Services Acquisition | SA-5 | System Documentation | Distribute information system documentation | 1.1.0 |
| System and Services Acquisition | SA-5 | System Documentation | Document customer-defined actions | 1.1.0 |
| System and Services Acquisition | SA-5 | System Documentation | Obtain Admin documentation | 1.1.0 |
| System and Services Acquisition | SA-5 | System Documentation | Obtain user security function documentation | 1.1.0 |
| System and Services Acquisition | SA-5 | System Documentation | Protect administrator and user documentation | 1.1.0 |
| System and Services Acquisition | SA-9 | External System Services | Define and document government oversight | 1.1.0 |
| System and Services Acquisition | SA-9 | External System Services | Require external service providers to comply with security requirements | 1.1.0 |
| System and Services Acquisition | SA-9 | External System Services | Review cloud service provider's compliance with policies and agreements | 1.1.0 |
| System and Services Acquisition | SA-9 | External System Services | Undergo independent security review | 1.1.0 |
| System and Services Acquisition | SA-9 (1) | Risk Assessments and Organizational Approvals | Assess risk in third party relationships | 1.1.0 |
| System and Services Acquisition | SA-9 (1) | Risk Assessments and Organizational Approvals | Obtain approvals for acquisitions and outsourcing | 1.1.0 |
| System and Services Acquisition | SA-9 (2) | Identification of Functions, Ports, Protocols, and Services | Identify external service providers | 1.1.0 |
| System and Services Acquisition | SA-9 (4) | Consistent Interests of Consumers and Providers | Ensure external providers consistently meet interests of the customers | 1.1.0 |
| System and Services Acquisition | SA-9 (5) | Processing, Storage, and Service Location | Restrict location of information processing, storage and services | 1.1.0 |
| System and Services Acquisition | SA-10 | Developer Configuration Management | Address coding vulnerabilities | 1.1.0 |
| System and Services Acquisition | SA-10 | Developer Configuration Management | Develop and document application security requirements | 1.1.0 |
| System and Services Acquisition | SA-10 | Developer Configuration Management | Document the information system environment in acquisition contracts | 1.1.0 |
| System and Services Acquisition | SA-10 | Developer Configuration Management | Establish a secure software development program | 1.1.0 |
| System and Services Acquisition | SA-10 | Developer Configuration Management | Perform vulnerability scans | 1.1.0 |
| System and Services Acquisition | SA-10 | Developer Configuration Management | Remediate information system flaws | 1.1.0 |
| System and Services Acquisition | SA-10 | Developer Configuration Management | Require developers to document approved changes and potential impact | 1.1.0 |
| System and Services Acquisition | SA-10 | Developer Configuration Management | Require developers to implement only approved changes | 1.1.0 |
| System and Services Acquisition | SA-10 | Developer Configuration Management | Require developers to manage change integrity | 1.1.0 |
| System and Services Acquisition | SA-10 (1) | Software and Firmware Integrity Verification | Verify software, firmware and information integrity | 1.1.0 |
| System and Services Acquisition | SA-11 | Developer Testing and Evaluation | Perform vulnerability scans | 1.1.0 |
| System and Services Acquisition | SA-11 | Developer Testing and Evaluation | Remediate information system flaws | 1.1.0 |
| System and Services Acquisition | SA-11 | Developer Testing and Evaluation | Require developers to produce evidence of security assessment plan execution | 1.1.0 |
| System and Services Acquisition | SA-15 | Development Process, Standards, and Tools | Review development process, standards and tools | 1.1.0 |
| System and Services Acquisition | SA-16 | Developer-provided Training | Require developers to provide training | 1.1.0 |
| System and Services Acquisition | SA-17 | Developer Security and Privacy Architecture and Design | Require developers to build security architecture | 1.1.0 |
| System and Services Acquisition | SA-17 | Developer Security and Privacy Architecture and Design | Require developers to describe accurate security functionality | 1.1.0 |
| System and Services Acquisition | SA-17 | Developer Security and Privacy Architecture and Design | Require developers to provide unified security protection approach | 1.1.0 |
| System and Communications Protection | SC-1 | Policy and Procedures | Review and update system and communications protection policies and procedures | 1.1.0 |
| System and Communications Protection | SC-2 | Separation of System and User Functionality | Authorize remote access | 1.1.0 |
| System and Communications Protection | SC-2 | Separation of System and User Functionality | Separate user and information system management functionality | 1.1.0 |
| System and Communications Protection | SC-2 | Separation of System and User Functionality | Use dedicated machines for administrative tasks | 1.1.0 |
| System and Communications Protection | SC-3 | Security Function Isolation | Azure Defender for servers should be enabled | 1.0.3 |
| System and Communications Protection | SC-5 | Denial-of-service Protection | Develop and document a DDoS response plan | 1.1.0 |
| System and Communications Protection | SC-6 | Resource Availability | Govern the allocation of resources | 1.1.0 |
| System and Communications Protection | SC-6 | Resource Availability | Manage availability and capacity | 1.1.0 |
| System and Communications Protection | SC-6 | Resource Availability | Secure commitment from leadership | 1.1.0 |
| System and Communications Protection | SC-7 | Boundary Protection | Implement system boundary protection | 1.1.0 |
| System and Communications Protection | SC-7 (4) | External Telecommunications Services | Implement managed interface for each external service | 1.1.0 |
| System and Communications Protection | SC-7 (4) | External Telecommunications Services | Implement system boundary protection | 1.1.0 |
| System and Communications Protection | SC-7 (4) | External Telecommunications Services | Secure the interface to external systems | 1.1.0 |
| System and Communications Protection | SC-7 (7) | Split Tunneling for Remote Devices | Prevent split tunneling for remote devices | 1.1.0 |
| System and Communications Protection | SC-7 (8) | Route Traffic to Authenticated Proxy Servers | Route traffic through authenticated proxy network | 1.1.0 |
| System and Communications Protection | SC-7 (12) | Host-based Protection | Implement system boundary protection | 1.1.0 |
| System and Communications Protection | SC-7 (13) | Isolation of Security Tools, Mechanisms, and Support Components | Isolate SecurID systems, Security Incident Management systems | 1.1.0 |
| System and Communications Protection | SC-7 (18) | Fail Secure | Implement system boundary protection | 1.1.0 |
| System and Communications Protection | SC-7 (18) | Fail Secure | Manage transfers between standby and active system components | 1.1.0 |
| System and Communications Protection | SC-7 (20) | Dynamic Isolation and Segregation | Ensure system capable of dynamic isolation of resources | 1.1.0 |
| System and Communications Protection | SC-7 (21) | Isolation of System Components | Employ boundary protection to isolate information systems | 1.1.0 |
| System and Communications Protection | SC-8 | Transmission Confidentiality and Integrity | Protect data in transit using encryption | 1.1.0 |
| System and Communications Protection | SC-8 | Transmission Confidentiality and Integrity | Protect passwords with encryption | 1.1.0 |
| System and Communications Protection | SC-8 (1) | Cryptographic Protection | Configure workstations to check for digital certificates | 1.1.0 |
| System and Communications Protection | SC-10 | Network Disconnect | Reauthenticate or terminate a user session | 1.1.0 |
| System and Communications Protection | SC-12 | Cryptographic Key Establishment and Management | Define a physical key management process | 1.1.0 |
| System and Communications Protection | SC-12 | Cryptographic Key Establishment and Management | Define cryptographic use | 1.1.0 |
| System and Communications Protection | SC-12 | Cryptographic Key Establishment and Management | Define organizational requirements for cryptographic key management | 1.1.0 |
| System and Communications Protection | SC-12 | Cryptographic Key Establishment and Management | Determine assertion requirements | 1.1.0 |
| System and Communications Protection | SC-12 | Cryptographic Key Establishment and Management | Issue public key certificates | 1.1.0 |
| System and Communications Protection | SC-12 | Cryptographic Key Establishment and Management | Manage symmetric cryptographic keys | 1.1.0 |
| System and Communications Protection | SC-12 | Cryptographic Key Establishment and Management | Restrict access to private keys | 1.1.0 |
| System and Communications Protection | SC-12 (1) | Availability | Maintain availability of information | 1.1.0 |
| System and Communications Protection | SC-12 (2) | Symmetric Keys | Produce, control and distribute symmetric cryptographic keys | 1.1.0 |
| System and Communications Protection | SC-12 (3) | Asymmetric Keys | Produce, control and distribute asymmetric cryptographic keys | 1.1.0 |
| System and Communications Protection | SC-13 | Cryptographic Protection | Define cryptographic use | 1.1.0 |
| System and Communications Protection | SC-15 | Collaborative Computing Devices and Applications | Explicitly notify use of collaborative computing devices | 1.1.1 |
| System and Communications Protection | SC-15 | Collaborative Computing Devices and Applications | Prohibit remote activation of collaborative computing devices | 1.1.0 |
| System and Communications Protection | SC-17 | Public Key Infrastructure Certificates | Issue public key certificates | 1.1.0 |
| System and Communications Protection | SC-18 | Mobile Code | Authorize, monitor, and control usage of mobile code technologies | 1.1.0 |
| System and Communications Protection | SC-18 | Mobile Code | Define acceptable and unacceptable mobile code technologies | 1.1.0 |
| System and Communications Protection | SC-18 | Mobile Code | Establish usage restrictions for mobile code technologies | 1.1.0 |
| System and Communications Protection | SC-20 | Secure Name/address Resolution Service (authoritative Source) | Implement a fault tolerant name/address service | 1.1.0 |
| System and Communications Protection | SC-20 | Secure Name/address Resolution Service (authoritative Source) | Provide secure name and address resolution services | 1.1.0 |
| System and Communications Protection | SC-21 | Secure Name/address Resolution Service (recursive or Caching Resolver) | Implement a fault tolerant name/address service | 1.1.0 |
| System and Communications Protection | SC-21 | Secure Name/address Resolution Service (recursive or Caching Resolver) | Verify software, firmware and information integrity | 1.1.0 |
| System and Communications Protection | SC-22 | Architecture and Provisioning for Name/address Resolution Service | Implement a fault tolerant name/address service | 1.1.0 |
| System and Communications Protection | SC-23 | Session Authenticity | Configure workstations to check for digital certificates | 1.1.0 |
| System and Communications Protection | SC-23 | Session Authenticity | Enforce random unique session identifiers | 1.1.0 |
| System and Communications Protection | SC-23 (1) | Invalidate Session Identifiers at Logout | Invalidate session identifiers at logout | 1.1.0 |
| System and Communications Protection | SC-24 | Fail in Known State | Ensure information system fails in known state | 1.1.0 |
| System and Communications Protection | SC-28 | Protection of Information at Rest | Establish a data leakage management procedure | 1.1.0 |
| System and Communications Protection | SC-28 | Protection of Information at Rest | Protect special information | 1.1.0 |
| System and Communications Protection | SC-28 (1) | Cryptographic Protection | Implement controls to secure all media | 1.1.0 |
| System and Communications Protection | SC-28 (1) | Cryptographic Protection | Protect data in transit using encryption | 1.1.0 |
| System and Communications Protection | SC-39 | Process Isolation | Maintain separate execution domains for running processes | 1.1.0 |
| System and Information Integrity | SI-1 | Policy and Procedures | Review and update information integrity policies and procedures | 1.1.0 |
| System and Information Integrity | SI-2 | Flaw Remediation | Azure Defender for App Service should be enabled | 1.0.3 |
| System and Information Integrity | SI-2 | Flaw Remediation | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| System and Information Integrity | SI-2 | Flaw Remediation | Azure Defender for Key Vault should be enabled | 1.0.3 |
| System and Information Integrity | SI-2 | Flaw Remediation | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| System and Information Integrity | SI-2 | Flaw Remediation | Azure Defender for servers should be enabled | 1.0.3 |
| System and Information Integrity | SI-2 | Flaw Remediation | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| System and Information Integrity | SI-2 | Flaw Remediation | Incorporate flaw remediation into configuration management | 1.1.0 |
| System and Information Integrity | SI-2 | Flaw Remediation | Microsoft Defender for Containers should be enabled | 1.0.0 |
| System and Information Integrity | SI-2 | Flaw Remediation | Microsoft Defender for Storage should be enabled | 1.0.0 |
| System and Information Integrity | SI-2 | Flaw Remediation | Remediate information system flaws | 1.1.0 |
| System and Information Integrity | SI-2 (2) | Automated Flaw Remediation Status | Automate flaw remediation | 1.1.0 |
| System and Information Integrity | SI-2 (2) | Automated Flaw Remediation Status | Remediate information system flaws | 1.1.0 |
| System and Information Integrity | SI-2 (3) | Time to Remediate Flaws and Benchmarks for Corrective Actions | Establish benchmarks for flaw remediation | 1.1.0 |
| System and Information Integrity | SI-2 (3) | Time to Remediate Flaws and Benchmarks for Corrective Actions | Measure the time between flaw identification and flaw remediation | 1.1.0 |
| System and Information Integrity | SI-3 | Malicious Code Protection | Azure Defender for servers should be enabled | 1.0.3 |
| System and Information Integrity | SI-3 | Malicious Code Protection | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| System and Information Integrity | SI-3 | Malicious Code Protection | Manage gateways | 1.1.0 |
| System and Information Integrity | SI-3 | Malicious Code Protection | Perform a trend analysis on threats | 1.1.0 |
| System and Information Integrity | SI-3 | Malicious Code Protection | Perform vulnerability scans | 1.1.0 |
| System and Information Integrity | SI-3 | Malicious Code Protection | Review malware detections report weekly | 1.1.0 |
| System and Information Integrity | SI-3 | Malicious Code Protection | Review threat protection status weekly | 1.1.0 |
| System and Information Integrity | SI-3 | Malicious Code Protection | Update antivirus definitions | 1.1.0 |
| System and Information Integrity | SI-4 | System Monitoring | Auto provisioning of the Log Analytics agent should be enabled on your subscription | 1.0.1 |
| System and Information Integrity | SI-4 | System Monitoring | Azure Defender for App Service should be enabled | 1.0.3 |
| System and Information Integrity | SI-4 | System Monitoring | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| System and Information Integrity | SI-4 | System Monitoring | Azure Defender for Key Vault should be enabled | 1.0.3 |
| System and Information Integrity | SI-4 | System Monitoring | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| System and Information Integrity | SI-4 | System Monitoring | Azure Defender for servers should be enabled | 1.0.3 |
| System and Information Integrity | SI-4 | System Monitoring | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| System and Information Integrity | SI-4 | System Monitoring | Microsoft Defender for Containers should be enabled | 1.0.0 |
| System and Information Integrity | SI-4 | System Monitoring | Microsoft Defender for Storage should be enabled | 1.0.0 |
| System and Information Integrity | SI-4 | System Monitoring | Obtain legal opinion for monitoring system activities | 1.1.0 |
| System and Information Integrity | SI-4 | System Monitoring | Perform a trend analysis on threats | 1.1.0 |
| System and Information Integrity | SI-4 | System Monitoring | Provide monitoring information as needed | 1.1.0 |
| System and Information Integrity | SI-4 (2) | Automated Tools and Mechanisms for Real-time Analysis | Document security operations | 1.1.0 |
| System and Information Integrity | SI-4 (2) | Automated Tools and Mechanisms for Real-time Analysis | Turn on sensors for endpoint security solution | 1.1.0 |
| System and Information Integrity | SI-4 (4) | Inbound and Outbound Communications Traffic | Authorize, monitor, and control voip | 1.1.0 |
| System and Information Integrity | SI-4 (4) | Inbound and Outbound Communications Traffic | Implement system boundary protection | 1.1.0 |
| System and Information Integrity | SI-4 (4) | Inbound and Outbound Communications Traffic | Manage gateways | 1.1.0 |
| System and Information Integrity | SI-4 (4) | Inbound and Outbound Communications Traffic | Route traffic through managed network access points | 1.1.0 |
| System and Information Integrity | SI-4 (5) | System-generated Alerts | Alert personnel of information spillage | 1.1.0 |
| System and Information Integrity | SI-4 (5) | System-generated Alerts | Develop an incident response plan | 1.1.0 |
| System and Information Integrity | SI-4 (5) | System-generated Alerts | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| System and Information Integrity | SI-4 (12) | Automated Organization-generated Alerts | Email notification for high severity alerts should be enabled | 1.1.0 |
| System and Information Integrity | SI-4 (12) | Automated Organization-generated Alerts | Email notification to subscription owner for high severity alerts should be enabled | 2.1.0 |
| System and Information Integrity | SI-4 (12) | Automated Organization-generated Alerts | Subscriptions should have a contact email address for security issues | 1.0.1 |
| System and Information Integrity | SI-4 (14) | Wireless Intrusion Detection | Document wireless access security controls | 1.1.0 |
| System and Information Integrity | SI-4 (22) | Unauthorized Network Services | Detect network services that have not been authorized or approved | 1.1.0 |
| System and Information Integrity | SI-4 (24) | Indicators of Compromise | Discover any indicators of compromise | 1.1.0 |
| System and Information Integrity | SI-5 | Security Alerts, Advisories, and Directives | Disseminate security alerts to personnel | 1.1.0 |
| System and Information Integrity | SI-5 | Security Alerts, Advisories, and Directives | Establish a threat intelligence program | 1.1.0 |
| System and Information Integrity | SI-5 | Security Alerts, Advisories, and Directives | Generate internal security alerts | 1.1.0 |
| System and Information Integrity | SI-5 | Security Alerts, Advisories, and Directives | Implement security directives | 1.1.0 |
| System and Information Integrity | SI-5 (1) | Automated Alerts and Advisories | Use automated mechanisms for security alerts | 1.1.0 |
| System and Information Integrity | SI-6 | Security and Privacy Function Verification | Create alternative actions for identified anomalies | 1.1.0 |
| System and Information Integrity | SI-6 | Security and Privacy Function Verification | Notify personnel of any failed security verification tests | 1.1.0 |
| System and Information Integrity | SI-6 | Security and Privacy Function Verification | Perform security function verification at a defined frequency | 1.1.0 |
| System and Information Integrity | SI-6 | Security and Privacy Function Verification | Verify security functions | 1.1.0 |
| System and Information Integrity | SI-7 | Software, Firmware, and Information Integrity | Verify software, firmware and information integrity | 1.1.0 |
| System and Information Integrity | SI-7 (1) | Integrity Checks | Verify software, firmware and information integrity | 1.1.0 |
| System and Information Integrity | SI-7 (1) | Integrity Checks | View and configure system diagnostic data | 1.1.0 |
| System and Information Integrity | SI-7 (5) | Automated Response to Integrity Violations | Employ automatic shutdown/restart when violations are detected | 1.1.0 |
| System and Information Integrity | SI-10 | Information Input Validation | Perform information input validation | 1.1.0 |
| System and Information Integrity | SI-11 | Error Handling | Generate error messages | 1.1.0 |
| System and Information Integrity | SI-11 | Error Handling | Reveal error messages | 1.1.0 |
| System and Information Integrity | SI-12 | Information Management and Retention | Control physical access | 1.1.0 |
| System and Information Integrity | SI-12 | Information Management and Retention | Manage the input, output, processing, and storage of data | 1.1.0 |
| System and Information Integrity | SI-12 | Information Management and Retention | Review label activity and analytics | 1.1.0 |
| System and Information Integrity | SI-16 | Memory Protection | Azure Defender for servers should be enabled | 1.0.3 |
NL BIO Cloud Theme
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for NL BIO Cloud Theme. For more information about this compliance standard, see Baseline Information Security Government Cybersecurity - Digital Government (digitaleoverheid.nl).
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| B.01.3 Laws and regulations - Legal, statutory, regulatory requirements | B.01.3 | The requirements applicable to the CSC arising from laws and regulations have been identified | Allowed locations for resource groups | 1.0.0 |
| B.10.2 Security organisation - Security function | B.10.2 | The security feature provides proactive support. | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| B.10.2 Security organisation - Security function | B.10.2 | The security feature provides proactive support. | There should be more than one owner assigned to your subscription | 3.0.0 |
| B.10.3 Security organisation - Organisational position | B.10.3 | The CSP has given the information security organization a formal position within the entire organization. | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| B.10.3 Security organisation - Organisational position | B.10.3 | The CSP has given the information security organization a formal position within the entire organization. | There should be more than one owner assigned to your subscription | 3.0.0 |
| B.10.4 Security organisation - Tasks, responsibilities and powers | B.10.4 | The CSP has described the responsibilities for information security and assigned them to specific officers. | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| B.10.4 Security organisation - Tasks, responsibilities and powers | B.10.4 | The CSP has described the responsibilities for information security and assigned them to specific officers. | There should be more than one owner assigned to your subscription | 3.0.0 |
| C.04.3 Technical vulnerability management - Timelines | C.04.3 | If the probability of abuse and the expected damage are both high, patches are installed no later than within a week. | Azure Defender for App Service should be enabled | 1.0.3 |
| C.04.3 Technical vulnerability management - Timelines | C.04.3 | If the probability of abuse and the expected damage are both high, patches are installed no later than within a week. | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| C.04.3 Technical vulnerability management - Timelines | C.04.3 | If the probability of abuse and the expected damage are both high, patches are installed no later than within a week. | Azure Defender for Key Vault should be enabled | 1.0.3 |
| C.04.3 Technical vulnerability management - Timelines | C.04.3 | If the probability of abuse and the expected damage are both high, patches are installed no later than within a week. | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| C.04.3 Technical vulnerability management - Timelines | C.04.3 | If the probability of abuse and the expected damage are both high, patches are installed no later than within a week. | Azure Defender for servers should be enabled | 1.0.3 |
| C.04.3 Technical vulnerability management - Timelines | C.04.3 | If the probability of abuse and the expected damage are both high, patches are installed no later than within a week. | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| C.04.3 Technical vulnerability management - Timelines | C.04.3 | If the probability of abuse and the expected damage are both high, patches are installed no later than within a week. | Microsoft Defender for Containers should be enabled | 1.0.0 |
| C.04.3 Technical vulnerability management - Timelines | C.04.3 | If the probability of abuse and the expected damage are both high, patches are installed no later than within a week. | Microsoft Defender for Storage should be enabled | 1.0.0 |
| C.04.6 Technical vulnerability management - Timelines | C.04.6 | Technical weaknesses can be remedied by performing patch management in a timely manner. | Azure Defender for App Service should be enabled | 1.0.3 |
| C.04.6 Technical vulnerability management - Timelines | C.04.6 | Technical weaknesses can be remedied by performing patch management in a timely manner. | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| C.04.6 Technical vulnerability management - Timelines | C.04.6 | Technical weaknesses can be remedied by performing patch management in a timely manner. | Azure Defender for Key Vault should be enabled | 1.0.3 |
| C.04.6 Technical vulnerability management - Timelines | C.04.6 | Technical weaknesses can be remedied by performing patch management in a timely manner. | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| C.04.6 Technical vulnerability management - Timelines | C.04.6 | Technical weaknesses can be remedied by performing patch management in a timely manner. | Azure Defender for servers should be enabled | 1.0.3 |
| C.04.6 Technical vulnerability management - Timelines | C.04.6 | Technical weaknesses can be remedied by performing patch management in a timely manner. | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| C.04.6 Technical vulnerability management - Timelines | C.04.6 | Technical weaknesses can be remedied by performing patch management in a timely manner. | Microsoft Defender for Containers should be enabled | 1.0.0 |
| C.04.6 Technical vulnerability management - Timelines | C.04.6 | Technical weaknesses can be remedied by performing patch management in a timely manner. | Microsoft Defender for Storage should be enabled | 1.0.0 |
| C.04.7 Technical vulnerability management - Evaluated | C.04.7 | Evaluations of technical vulnerabilities are recorded and reported. | Azure Defender for App Service should be enabled | 1.0.3 |
| C.04.7 Technical vulnerability management - Evaluated | C.04.7 | Evaluations of technical vulnerabilities are recorded and reported. | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| C.04.7 Technical vulnerability management - Evaluated | C.04.7 | Evaluations of technical vulnerabilities are recorded and reported. | Azure Defender for Key Vault should be enabled | 1.0.3 |
| C.04.7 Technical vulnerability management - Evaluated | C.04.7 | Evaluations of technical vulnerabilities are recorded and reported. | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| C.04.7 Technical vulnerability management - Evaluated | C.04.7 | Evaluations of technical vulnerabilities are recorded and reported. | Azure Defender for servers should be enabled | 1.0.3 |
| C.04.7 Technical vulnerability management - Evaluated | C.04.7 | Evaluations of technical vulnerabilities are recorded and reported. | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| C.04.7 Technical vulnerability management - Evaluated | C.04.7 | Evaluations of technical vulnerabilities are recorded and reported. | Microsoft Defender for Containers should be enabled | 1.0.0 |
| C.04.7 Technical vulnerability management - Evaluated | C.04.7 | Evaluations of technical vulnerabilities are recorded and reported. | Microsoft Defender for Storage should be enabled | 1.0.0 |
| C.05.5 Security Monitoring Reporting - Monitored and reported | C.05.5 | Demonstrably, follow-up is given to improvement proposals from analysis reports. | Email notification for high severity alerts should be enabled | 1.1.0 |
| C.05.5 Security Monitoring Reporting - Monitored and reported | C.05.5 | Demonstrably, follow-up is given to improvement proposals from analysis reports. | Email notification to subscription owner for high severity alerts should be enabled | 2.1.0 |
| C.05.5 Security Monitoring Reporting - Monitored and reported | C.05.5 | Demonstrably, follow-up is given to improvement proposals from analysis reports. | Subscriptions should have a contact email address for security issues | 1.0.1 |
| U.03.1 Business Continuity Services - Redundancy | U.03.1 | The agreed continuity is guaranteed by sufficiently logical or physically multiple system functions. | Audit virtual machines without disaster recovery configured | 1.0.0 |
| U.03.2 Business Continuity Services - Continuity requirements | U.03.2 | The continuity requirements for cloud services agreed with the CSC are ensured by the system architecture. | Audit virtual machines without disaster recovery configured | 1.0.0 |
| U.04.1 Data and Cloud Service Recovery - Restore function | U.04.1 | The data and cloud services are restored within the agreed period and maximum data loss and made available to the CSC. | Audit virtual machines without disaster recovery configured | 1.0.0 |
| U.04.2 Data and Cloud Service Recovery - Restore function | U.04.2 | The continuous process of recoverable protection of data is monitored. | Audit virtual machines without disaster recovery configured | 1.0.0 |
| U.04.3 Data and Cloud Service Recovery - Tested | U.04.3 | The functioning of recovery functions is periodically tested and the results are shared with the CSC. | Audit virtual machines without disaster recovery configured | 1.0.0 |
| U.07.3 Data separation - Management features | U.07.3 | U.07.3 - The privileges to view or modify CSC data and/or encryption keys are granted in a controlled manner and use is logged. | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| U.07.3 Data separation - Management features | U.07.3 | U.07.3 - The privileges to view or modify CSC data and/or encryption keys are granted in a controlled manner and use is logged. | Blocked accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| U.07.3 Data separation - Management features | U.07.3 | U.07.3 - The privileges to view or modify CSC data and/or encryption keys are granted in a controlled manner and use is logged. | Blocked accounts with read and write permissions on Azure resources should be removed | 1.0.0 |
| U.07.3 Data separation - Management features | U.07.3 | U.07.3 - The privileges to view or modify CSC data and/or encryption keys are granted in a controlled manner and use is logged. | Guest accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| U.07.3 Data separation - Management features | U.07.3 | U.07.3 - The privileges to view or modify CSC data and/or encryption keys are granted in a controlled manner and use is logged. | Guest accounts with read permissions on Azure resources should be removed | 1.0.0 |
| U.07.3 Data separation - Management features | U.07.3 | U.07.3 - The privileges to view or modify CSC data and/or encryption keys are granted in a controlled manner and use is logged. | Guest accounts with write permissions on Azure resources should be removed | 1.0.0 |
| U.09.3 Malware Protection - Detection, prevention and recovery | U.09.3 | The malware protection runs on different environments. | Azure Defender for App Service should be enabled | 1.0.3 |
| U.09.3 Malware Protection - Detection, prevention and recovery | U.09.3 | The malware protection runs on different environments. | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| U.09.3 Malware Protection - Detection, prevention and recovery | U.09.3 | The malware protection runs on different environments. | Azure Defender for Key Vault should be enabled | 1.0.3 |
| U.09.3 Malware Protection - Detection, prevention and recovery | U.09.3 | The malware protection runs on different environments. | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| U.09.3 Malware Protection - Detection, prevention and recovery | U.09.3 | The malware protection runs on different environments. | Azure Defender for servers should be enabled | 1.0.3 |
| U.09.3 Malware Protection - Detection, prevention and recovery | U.09.3 | The malware protection runs on different environments. | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| U.09.3 Malware Protection - Detection, prevention and recovery | U.09.3 | The malware protection runs on different environments. | Microsoft Defender for Containers should be enabled | 1.0.0 |
| U.09.3 Malware Protection - Detection, prevention and recovery | U.09.3 | The malware protection runs on different environments. | Microsoft Defender for Storage should be enabled | 1.0.0 |
| U.10.2 Access to IT services and data - Users | U.10.2 | Under the responsibility of the CSP, access is granted to administrators. | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| U.10.2 Access to IT services and data - Users | U.10.2 | Under the responsibility of the CSP, access is granted to administrators. | Accounts with owner permissions on Azure resources should be MFA enabled | 1.0.0 |
| U.10.2 Access to IT services and data - Users | U.10.2 | Under the responsibility of the CSP, access is granted to administrators. | Accounts with read permissions on Azure resources should be MFA enabled | 1.0.0 |
| U.10.2 Access to IT services and data - Users | U.10.2 | Under the responsibility of the CSP, access is granted to administrators. | Accounts with write permissions on Azure resources should be MFA enabled | 1.0.0 |
| U.10.2 Access to IT services and data - Users | U.10.2 | Under the responsibility of the CSP, access is granted to administrators. | Blocked accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| U.10.2 Access to IT services and data - Users | U.10.2 | Under the responsibility of the CSP, access is granted to administrators. | Blocked accounts with read and write permissions on Azure resources should be removed | 1.0.0 |
| U.10.2 Access to IT services and data - Users | U.10.2 | Under the responsibility of the CSP, access is granted to administrators. | Guest accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| U.10.2 Access to IT services and data - Users | U.10.2 | Under the responsibility of the CSP, access is granted to administrators. | Guest accounts with read permissions on Azure resources should be removed | 1.0.0 |
| U.10.2 Access to IT services and data - Users | U.10.2 | Under the responsibility of the CSP, access is granted to administrators. | Guest accounts with write permissions on Azure resources should be removed | 1.0.0 |
| U.10.2 Access to IT services and data - Users | U.10.2 | Under the responsibility of the CSP, access is granted to administrators. | There should be more than one owner assigned to your subscription | 3.0.0 |
| U.10.3 Access to IT services and data - Users | U.10.3 | Only users with authenticated equipment can access IT services and data. | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| U.10.3 Access to IT services and data - Users | U.10.3 | Only users with authenticated equipment can access IT services and data. | Accounts with owner permissions on Azure resources should be MFA enabled | 1.0.0 |
| U.10.3 Access to IT services and data - Users | U.10.3 | Only users with authenticated equipment can access IT services and data. | Accounts with read permissions on Azure resources should be MFA enabled | 1.0.0 |
| U.10.3 Access to IT services and data - Users | U.10.3 | Only users with authenticated equipment can access IT services and data. | Accounts with write permissions on Azure resources should be MFA enabled | 1.0.0 |
| U.10.3 Access to IT services and data - Users | U.10.3 | Only users with authenticated equipment can access IT services and data. | Blocked accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| U.10.3 Access to IT services and data - Users | U.10.3 | Only users with authenticated equipment can access IT services and data. | Blocked accounts with read and write permissions on Azure resources should be removed | 1.0.0 |
| U.10.3 Access to IT services and data - Users | U.10.3 | Only users with authenticated equipment can access IT services and data. | Guest accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| U.10.3 Access to IT services and data - Users | U.10.3 | Only users with authenticated equipment can access IT services and data. | Guest accounts with read permissions on Azure resources should be removed | 1.0.0 |
| U.10.3 Access to IT services and data - Users | U.10.3 | Only users with authenticated equipment can access IT services and data. | Guest accounts with write permissions on Azure resources should be removed | 1.0.0 |
| U.10.5 Access to IT services and data - Competent | U.10.5 | Access to IT services and data is limited by technical measures and has been implemented. | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| U.10.5 Access to IT services and data - Competent | U.10.5 | Access to IT services and data is limited by technical measures and has been implemented. | Accounts with owner permissions on Azure resources should be MFA enabled | 1.0.0 |
| U.10.5 Access to IT services and data - Competent | U.10.5 | Access to IT services and data is limited by technical measures and has been implemented. | Accounts with read permissions on Azure resources should be MFA enabled | 1.0.0 |
| U.10.5 Access to IT services and data - Competent | U.10.5 | Access to IT services and data is limited by technical measures and has been implemented. | Accounts with write permissions on Azure resources should be MFA enabled | 1.0.0 |
| U.10.5 Access to IT services and data - Competent | U.10.5 | Access to IT services and data is limited by technical measures and has been implemented. | Blocked accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| U.10.5 Access to IT services and data - Competent | U.10.5 | Access to IT services and data is limited by technical measures and has been implemented. | Blocked accounts with read and write permissions on Azure resources should be removed | 1.0.0 |
| U.10.5 Access to IT services and data - Competent | U.10.5 | Access to IT services and data is limited by technical measures and has been implemented. | Guest accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| U.10.5 Access to IT services and data - Competent | U.10.5 | Access to IT services and data is limited by technical measures and has been implemented. | Guest accounts with read permissions on Azure resources should be removed | 1.0.0 |
| U.10.5 Access to IT services and data - Competent | U.10.5 | Access to IT services and data is limited by technical measures and has been implemented. | Guest accounts with write permissions on Azure resources should be removed | 1.0.0 |
| U.11.1 Cryptoservices - Policy | U.11.1 | In the cryptography policy, at least the subjects in accordance with BIO have been elaborated. | Accounts with write permissions on Azure resources should be MFA enabled | 1.0.0 |
| U.11.2 Cryptoservices - Cryptographic measures | U.11.2 | In case of PKIoverheid certificates use PKIoverheid requirements for key management. In other situations use ISO11770. | Accounts with write permissions on Azure resources should be MFA enabled | 1.0.0 |
| U.15.1 Logging and monitoring - Events logged | U.15.1 | The violation of the policy rules is recorded by the CSP and the CSC. | Auto provisioning of the Log Analytics agent should be enabled on your subscription | 1.0.1 |
| U.15.1 Logging and monitoring - Events logged | U.15.1 | The violation of the policy rules is recorded by the CSP and the CSC. | Azure Defender for App Service should be enabled | 1.0.3 |
| U.15.1 Logging and monitoring - Events logged | U.15.1 | The violation of the policy rules is recorded by the CSP and the CSC. | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| U.15.1 Logging and monitoring - Events logged | U.15.1 | The violation of the policy rules is recorded by the CSP and the CSC. | Azure Defender for Key Vault should be enabled | 1.0.3 |
| U.15.1 Logging and monitoring - Events logged | U.15.1 | The violation of the policy rules is recorded by the CSP and the CSC. | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| U.15.1 Logging and monitoring - Events logged | U.15.1 | The violation of the policy rules is recorded by the CSP and the CSC. | Azure Defender for servers should be enabled | 1.0.3 |
| U.15.1 Logging and monitoring - Events logged | U.15.1 | The violation of the policy rules is recorded by the CSP and the CSC. | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| U.15.1 Logging and monitoring - Events logged | U.15.1 | The violation of the policy rules is recorded by the CSP and the CSC. | Microsoft Defender for Containers should be enabled | 1.0.0 |
| U.15.1 Logging and monitoring - Events logged | U.15.1 | The violation of the policy rules is recorded by the CSP and the CSC. | Microsoft Defender for Storage should be enabled | 1.0.0 |
| U.17.1 Multi-tenant architecture - Encrypted | U.17.1 | CSC data on transport and at rest is encrypted. | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| U.17.1 Multi-tenant architecture - Encrypted | U.17.1 | CSC data on transport and at rest is encrypted. | Audit virtual machines without disaster recovery configured | 1.0.0 |
| U.17.1 Multi-tenant architecture - Encrypted | U.17.1 | CSC data on transport and at rest is encrypted. | There should be more than one owner assigned to your subscription | 3.0.0 |
PCI DSS 3.2.1
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see PCI DSS 3.2.1. For more information about this compliance standard, see PCI DSS 3.2.1.
PCI DSS v4.0
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for PCI DSS v4.0. For more information about this compliance standard, see PCI DSS v4.0.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| Requirement 01: Install and Maintain Network Security Controls | 1.1.1 | Processes and mechanisms for installing and maintaining network security controls are defined and understood | Review and update configuration management policies and procedures | 1.1.0 |
| Requirement 01: Install and Maintain Network Security Controls | 1.1.1 | Processes and mechanisms for installing and maintaining network security controls are defined and understood | Review and update system and communications protection policies and procedures | 1.1.0 |
| Requirement 01: Install and Maintain Network Security Controls | 1.2.1 | Network security controls (NSCs) are configured and maintained | Configure actions for noncompliant devices | 1.1.0 |
| Requirement 01: Install and Maintain Network Security Controls | 1.2.1 | Network security controls (NSCs) are configured and maintained | Develop and maintain baseline configurations | 1.1.0 |
| Requirement 01: Install and Maintain Network Security Controls | 1.2.1 | Network security controls (NSCs) are configured and maintained | Enforce security configuration settings | 1.1.0 |
| Requirement 01: Install and Maintain Network Security Controls | 1.2.1 | Network security controls (NSCs) are configured and maintained | Establish a configuration control board | 1.1.0 |
| Requirement 01: Install and Maintain Network Security Controls | 1.2.1 | Network security controls (NSCs) are configured and maintained | Establish and document a configuration management plan | 1.1.0 |
| Requirement 01: Install and Maintain Network Security Controls | 1.2.1 | Network security controls (NSCs) are configured and maintained | Implement an automated configuration management tool | 1.1.0 |
| Requirement 01: Install and Maintain Network Security Controls | 1.2.2 | Network security controls (NSCs) are configured and maintained | Conduct a security impact analysis | 1.1.0 |
| Requirement 01: Install and Maintain Network Security Controls | 1.2.2 | Network security controls (NSCs) are configured and maintained | Develop and maintain a vulnerability management standard | 1.1.0 |
| Requirement 01: Install and Maintain Network Security Controls | 1.2.2 | Network security controls (NSCs) are configured and maintained | Establish a risk management strategy | 1.1.0 |
| Requirement 01: Install and Maintain Network Security Controls | 1.2.2 | Network security controls (NSCs) are configured and maintained | Establish and document change control processes | 1.1.0 |
| Requirement 01: Install and Maintain Network Security Controls | 1.2.2 | Network security controls (NSCs) are configured and maintained | Establish configuration management requirements for developers | 1.1.0 |
| Requirement 01: Install and Maintain Network Security Controls | 1.2.2 | Network security controls (NSCs) are configured and maintained | Perform a privacy impact assessment | 1.1.0 |
| Requirement 01: Install and Maintain Network Security Controls | 1.2.2 | Network security controls (NSCs) are configured and maintained | Perform a risk assessment | 1.1.0 |
| Requirement 01: Install and Maintain Network Security Controls | 1.2.2 | Network security controls (NSCs) are configured and maintained | Perform audit for configuration change control | 1.1.0 |
| Requirement 01: Install and Maintain Network Security Controls | 1.2.3 | Network security controls (NSCs) are configured and maintained | Check for privacy and security compliance before establishing internal connections | 1.1.0 |
| Requirement 01: Install and Maintain Network Security Controls | 1.2.4 | Network security controls (NSCs) are configured and maintained | Maintain records of processing of personal data | 1.1.0 |
| Requirement 01: Install and Maintain Network Security Controls | 1.2.5 | Network security controls (NSCs) are configured and maintained | Identify external service providers | 1.1.0 |
| Requirement 01: Install and Maintain Network Security Controls | 1.2.5 | Network security controls (NSCs) are configured and maintained | Require developer to identify SDLC ports, protocols, and services | 1.1.0 |
| Requirement 01: Install and Maintain Network Security Controls | 1.2.8 | Network security controls (NSCs) are configured and maintained | Enforce and audit access restrictions | 1.1.0 |
| Requirement 01: Install and Maintain Network Security Controls | 1.2.8 | Network security controls (NSCs) are configured and maintained | Establish and document change control processes | 1.1.0 |
| Requirement 01: Install and Maintain Network Security Controls | 1.2.8 | Network security controls (NSCs) are configured and maintained | Review changes for any unauthorized changes | 1.1.0 |
| Requirement 01: Install and Maintain Network Security Controls | 1.3.3 | Network access to and from the cardholder data environment is restricted | Document and implement wireless access guidelines | 1.1.0 |
| Requirement 01: Install and Maintain Network Security Controls | 1.3.3 | Network access to and from the cardholder data environment is restricted | Protect wireless access | 1.1.0 |
| Requirement 01: Install and Maintain Network Security Controls | 1.4.1 | Network connections between trusted and untrusted networks are controlled | Control information flow | 1.1.0 |
| Requirement 01: Install and Maintain Network Security Controls | 1.4.1 | Network connections between trusted and untrusted networks are controlled | Employ flow control mechanisms of encrypted information | 1.1.0 |
| Requirement 01: Install and Maintain Network Security Controls | 1.4.1 | Network connections between trusted and untrusted networks are controlled | Implement managed interface for each external service | 1.1.0 |
| Requirement 01: Install and Maintain Network Security Controls | 1.4.1 | Network connections between trusted and untrusted networks are controlled | Implement system boundary protection | 1.1.0 |
| Requirement 01: Install and Maintain Network Security Controls | 1.4.1 | Network connections between trusted and untrusted networks are controlled | Secure the interface to external systems | 1.1.0 |
| Requirement 01: Install and Maintain Network Security Controls | 1.4.2 | Network connections between trusted and untrusted networks are controlled | Control information flow | 1.1.0 |
| Requirement 01: Install and Maintain Network Security Controls | 1.4.2 | Network connections between trusted and untrusted networks are controlled | Employ flow control mechanisms of encrypted information | 1.1.0 |
| Requirement 01: Install and Maintain Network Security Controls | 1.4.2 | Network connections between trusted and untrusted networks are controlled | Implement managed interface for each external service | 1.1.0 |
| Requirement 01: Install and Maintain Network Security Controls | 1.4.2 | Network connections between trusted and untrusted networks are controlled | Implement system boundary protection | 1.1.0 |
| Requirement 01: Install and Maintain Network Security Controls | 1.4.2 | Network connections between trusted and untrusted networks are controlled | Secure the interface to external systems | 1.1.0 |
| Requirement 01: Install and Maintain Network Security Controls | 1.4.3 | Network connections between trusted and untrusted networks are controlled | Control information flow | 1.1.0 |
| Requirement 01: Install and Maintain Network Security Controls | 1.4.3 | Network connections between trusted and untrusted networks are controlled | Employ flow control mechanisms of encrypted information | 1.1.0 |
| Requirement 01: Install and Maintain Network Security Controls | 1.4.4 | Network connections between trusted and untrusted networks are controlled | Control information flow | 1.1.0 |
| Requirement 01: Install and Maintain Network Security Controls | 1.4.4 | Network connections between trusted and untrusted networks are controlled | Employ flow control mechanisms of encrypted information | 1.1.0 |
| Requirement 01: Install and Maintain Network Security Controls | 1.5.1 | Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated | Authorize remote access | 1.1.0 |
| Requirement 01: Install and Maintain Network Security Controls | 1.5.1 | Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated | Document mobility training | 1.1.0 |
| Requirement 01: Install and Maintain Network Security Controls | 1.5.1 | Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated | Document remote access guidelines | 1.1.0 |
| Requirement 01: Install and Maintain Network Security Controls | 1.5.1 | Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated | Implement controls to secure alternate work sites | 1.1.0 |
| Requirement 01: Install and Maintain Network Security Controls | 1.5.1 | Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated | Provide privacy training | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.1.1 | Processes and mechanisms for logging and monitoring all access to system components and cardholder data are defined and documented | Develop audit and accountability policies and procedures | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.1.1 | Processes and mechanisms for logging and monitoring all access to system components and cardholder data are defined and documented | Develop information security policies and procedures | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.1.1 | Processes and mechanisms for logging and monitoring all access to system components and cardholder data are defined and documented | Govern policies and procedures | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.1.1 | Processes and mechanisms for logging and monitoring all access to system components and cardholder data are defined and documented | Update information security policies | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.2.1 | Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events | Audit privileged functions | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.2.1 | Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events | Audit user account status | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.2.1 | Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events | Determine auditable events | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.2.1 | Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events | Review audit data | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.2.1.1 | Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events | Determine auditable events | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.2.1.2 | Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events | Audit privileged functions | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.2.1.2 | Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events | Conduct a full text analysis of logged privileged commands | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.2.1.2 | Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events | Monitor account activity | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.2.1.2 | Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events | Monitor privileged role assignment | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.2.1.2 | Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events | Restrict access to privileged accounts | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.2.1.2 | Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events | Revoke privileged roles as appropriate | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.2.1.2 | Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events | Use privileged identity management | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.2.1.3 | Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events | Audit privileged functions | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.2.1.3 | Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events | Conduct a full text analysis of logged privileged commands | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.2.1.3 | Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events | Determine auditable events | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.2.1.3 | Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events | Monitor account activity | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.2.1.3 | Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events | Monitor privileged role assignment | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.2.1.3 | Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events | Restrict access to privileged accounts | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.2.1.3 | Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events | Revoke privileged roles as appropriate | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.2.1.3 | Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events | Use privileged identity management | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.2.1.4 | Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events | Determine auditable events | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.2.1.5 | Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events | Audit privileged functions | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.2.1.5 | Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events | Audit user account status | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.2.1.5 | Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events | Automate account management | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.2.1.5 | Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events | Conduct a full text analysis of logged privileged commands | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.2.1.5 | Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events | Determine auditable events | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.2.1.5 | Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events | Manage system and admin accounts | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.2.1.5 | Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events | Monitor access across the organization | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.2.1.5 | Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events | Monitor account activity | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.2.1.5 | Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events | Monitor privileged role assignment | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.2.1.5 | Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events | Notify when account is not needed | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.2.1.5 | Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events | Restrict access to privileged accounts | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.2.1.5 | Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events | Revoke privileged roles as appropriate | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.2.1.5 | Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events | Use privileged identity management | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.2.1.6 | Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events | Audit privileged functions | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.2.1.6 | Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events | Conduct a full text analysis of logged privileged commands | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.2.1.6 | Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events | Determine auditable events | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.2.1.6 | Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events | Monitor account activity | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.2.1.6 | Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events | Monitor privileged role assignment | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.2.1.6 | Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events | Restrict access to privileged accounts | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.2.1.6 | Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events | Revoke privileged roles as appropriate | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.2.1.6 | Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events | Use privileged identity management | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.2.1.7 | Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events | Determine auditable events | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.2.2 | Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events | Determine auditable events | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.3.1 | Audit logs are protected from destruction and unauthorized modifications | Enable dual or joint authorization | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.3.1 | Audit logs are protected from destruction and unauthorized modifications | Protect audit information | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.3.2 | Audit logs are protected from destruction and unauthorized modifications | Enable dual or joint authorization | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.3.2 | Audit logs are protected from destruction and unauthorized modifications | Protect audit information | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.3.3 | Audit logs are protected from destruction and unauthorized modifications | Establish backup policies and procedures | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.3.4 | Audit logs are protected from destruction and unauthorized modifications | Enable dual or joint authorization | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.3.4 | Audit logs are protected from destruction and unauthorized modifications | Protect audit information | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.4.1 | Audit logs are reviewed to identify anomalies or suspicious activity | Correlate audit records | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.4.1 | Audit logs are reviewed to identify anomalies or suspicious activity | Establish requirements for audit review and reporting | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.4.1 | Audit logs are reviewed to identify anomalies or suspicious activity | Integrate audit review, analysis, and reporting | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.4.1 | Audit logs are reviewed to identify anomalies or suspicious activity | Integrate cloud app security with a siem | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.4.1 | Audit logs are reviewed to identify anomalies or suspicious activity | Review account provisioning logs | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.4.1 | Audit logs are reviewed to identify anomalies or suspicious activity | Review administrator assignments weekly | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.4.1 | Audit logs are reviewed to identify anomalies or suspicious activity | Review audit data | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.4.1 | Audit logs are reviewed to identify anomalies or suspicious activity | Review cloud identity report overview | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.4.1 | Audit logs are reviewed to identify anomalies or suspicious activity | Review controlled folder access events | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.4.1 | Audit logs are reviewed to identify anomalies or suspicious activity | Review file and folder activity | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.4.1 | Audit logs are reviewed to identify anomalies or suspicious activity | Review role group changes weekly | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.4.1.1 | Audit logs are reviewed to identify anomalies or suspicious activity | Correlate audit records | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.4.1.1 | Audit logs are reviewed to identify anomalies or suspicious activity | Establish requirements for audit review and reporting | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.4.1.1 | Audit logs are reviewed to identify anomalies or suspicious activity | Integrate audit review, analysis, and reporting | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.4.1.1 | Audit logs are reviewed to identify anomalies or suspicious activity | Integrate cloud app security with a siem | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.4.1.1 | Audit logs are reviewed to identify anomalies or suspicious activity | Review account provisioning logs | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.4.1.1 | Audit logs are reviewed to identify anomalies or suspicious activity | Review administrator assignments weekly | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.4.1.1 | Audit logs are reviewed to identify anomalies or suspicious activity | Review audit data | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.4.1.1 | Audit logs are reviewed to identify anomalies or suspicious activity | Review cloud identity report overview | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.4.1.1 | Audit logs are reviewed to identify anomalies or suspicious activity | Review controlled folder access events | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.4.1.1 | Audit logs are reviewed to identify anomalies or suspicious activity | Review file and folder activity | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.4.1.1 | Audit logs are reviewed to identify anomalies or suspicious activity | Review role group changes weekly | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.4.2 | Audit logs are reviewed to identify anomalies or suspicious activity | Correlate audit records | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.4.2 | Audit logs are reviewed to identify anomalies or suspicious activity | Establish requirements for audit review and reporting | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.4.2 | Audit logs are reviewed to identify anomalies or suspicious activity | Integrate audit review, analysis, and reporting | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.4.2 | Audit logs are reviewed to identify anomalies or suspicious activity | Integrate cloud app security with a siem | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.4.2 | Audit logs are reviewed to identify anomalies or suspicious activity | Review account provisioning logs | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.4.2 | Audit logs are reviewed to identify anomalies or suspicious activity | Review administrator assignments weekly | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.4.2 | Audit logs are reviewed to identify anomalies or suspicious activity | Review audit data | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.4.2 | Audit logs are reviewed to identify anomalies or suspicious activity | Review cloud identity report overview | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.4.2 | Audit logs are reviewed to identify anomalies or suspicious activity | Review controlled folder access events | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.4.2 | Audit logs are reviewed to identify anomalies or suspicious activity | Review file and folder activity | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.4.2 | Audit logs are reviewed to identify anomalies or suspicious activity | Review role group changes weekly | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.4.2.1 | Audit logs are reviewed to identify anomalies or suspicious activity | Correlate audit records | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.4.2.1 | Audit logs are reviewed to identify anomalies or suspicious activity | Establish requirements for audit review and reporting | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.4.2.1 | Audit logs are reviewed to identify anomalies or suspicious activity | Integrate audit review, analysis, and reporting | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.4.2.1 | Audit logs are reviewed to identify anomalies or suspicious activity | Integrate cloud app security with a siem | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.4.2.1 | Audit logs are reviewed to identify anomalies or suspicious activity | Review account provisioning logs | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.4.2.1 | Audit logs are reviewed to identify anomalies or suspicious activity | Review administrator assignments weekly | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.4.2.1 | Audit logs are reviewed to identify anomalies or suspicious activity | Review audit data | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.4.2.1 | Audit logs are reviewed to identify anomalies or suspicious activity | Review cloud identity report overview | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.4.2.1 | Audit logs are reviewed to identify anomalies or suspicious activity | Review controlled folder access events | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.4.2.1 | Audit logs are reviewed to identify anomalies or suspicious activity | Review file and folder activity | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.4.2.1 | Audit logs are reviewed to identify anomalies or suspicious activity | Review role group changes weekly | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.4.3 | Audit logs are reviewed to identify anomalies or suspicious activity | Correlate audit records | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.4.3 | Audit logs are reviewed to identify anomalies or suspicious activity | Establish requirements for audit review and reporting | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.4.3 | Audit logs are reviewed to identify anomalies or suspicious activity | Integrate audit review, analysis, and reporting | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.4.3 | Audit logs are reviewed to identify anomalies or suspicious activity | Integrate cloud app security with a siem | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.4.3 | Audit logs are reviewed to identify anomalies or suspicious activity | Review account provisioning logs | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.4.3 | Audit logs are reviewed to identify anomalies or suspicious activity | Review administrator assignments weekly | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.4.3 | Audit logs are reviewed to identify anomalies or suspicious activity | Review audit data | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.4.3 | Audit logs are reviewed to identify anomalies or suspicious activity | Review cloud identity report overview | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.4.3 | Audit logs are reviewed to identify anomalies or suspicious activity | Review controlled folder access events | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.4.3 | Audit logs are reviewed to identify anomalies or suspicious activity | Review file and folder activity | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.4.3 | Audit logs are reviewed to identify anomalies or suspicious activity | Review role group changes weekly | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.5.1 | Audit log history is retained and available for analysis | Adhere to retention periods defined | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.5.1 | Audit log history is retained and available for analysis | Retain security policies and procedures | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.5.1 | Audit log history is retained and available for analysis | Retain terminated user data | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.6.1 | Time-synchronization mechanisms support consistent time settings across all systems | Use system clocks for audit records | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.6.2 | Time-synchronization mechanisms support consistent time settings across all systems | Use system clocks for audit records | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.6.3 | Time-synchronization mechanisms support consistent time settings across all systems | Audit privileged functions | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.6.3 | Time-synchronization mechanisms support consistent time settings across all systems | Authorize access to security functions and information | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.6.3 | Time-synchronization mechanisms support consistent time settings across all systems | Authorize and manage access | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.6.3 | Time-synchronization mechanisms support consistent time settings across all systems | Conduct a full text analysis of logged privileged commands | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.6.3 | Time-synchronization mechanisms support consistent time settings across all systems | Enforce mandatory and discretionary access control policies | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.6.3 | Time-synchronization mechanisms support consistent time settings across all systems | Monitor account activity | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.6.3 | Time-synchronization mechanisms support consistent time settings across all systems | Monitor privileged role assignment | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.6.3 | Time-synchronization mechanisms support consistent time settings across all systems | Restrict access to privileged accounts | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.6.3 | Time-synchronization mechanisms support consistent time settings across all systems | Revoke privileged roles as appropriate | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.6.3 | Time-synchronization mechanisms support consistent time settings across all systems | Use privileged identity management | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.7.1 | Failures of critical security control systems are detected, reported, and responded to promptly | Create alternative actions for identified anomalies | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.7.1 | Failures of critical security control systems are detected, reported, and responded to promptly | Govern and monitor audit processing activities | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.7.1 | Failures of critical security control systems are detected, reported, and responded to promptly | Notify personnel of any failed security verification tests | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.7.1 | Failures of critical security control systems are detected, reported, and responded to promptly | Perform security function verification at a defined frequency | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.7.1 | Failures of critical security control systems are detected, reported, and responded to promptly | Verify security functions | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.7.2 | Failures of critical security control systems are detected, reported, and responded to promptly | Create alternative actions for identified anomalies | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.7.2 | Failures of critical security control systems are detected, reported, and responded to promptly | Govern and monitor audit processing activities | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.7.2 | Failures of critical security control systems are detected, reported, and responded to promptly | Notify personnel of any failed security verification tests | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.7.2 | Failures of critical security control systems are detected, reported, and responded to promptly | Perform security function verification at a defined frequency | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.7.2 | Failures of critical security control systems are detected, reported, and responded to promptly | Verify security functions | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.7.3 | Failures of critical security control systems are detected, reported, and responded to promptly | Create alternative actions for identified anomalies | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.7.3 | Failures of critical security control systems are detected, reported, and responded to promptly | Notify personnel of any failed security verification tests | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.7.3 | Failures of critical security control systems are detected, reported, and responded to promptly | Perform security function verification at a defined frequency | 1.1.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.7.3 | Failures of critical security control systems are detected, reported, and responded to promptly | Verify security functions | 1.1.0 |
| Requirement 11: Test Security of Systems and Networks Regularly | 11.1.1 | Processes and mechanisms for regularly testing security of systems and networks are defined and understood | Review and update information integrity policies and procedures | 1.1.0 |
| Requirement 11: Test Security of Systems and Networks Regularly | 11.1.1 | Processes and mechanisms for regularly testing security of systems and networks are defined and understood | Review and update system and communications protection policies and procedures | 1.1.0 |
| Requirement 11: Test Security of Systems and Networks Regularly | 11.1.1 | Processes and mechanisms for regularly testing security of systems and networks are defined and understood | Review security assessment and authorization policies and procedures | 1.1.0 |
| Requirement 11: Test Security of Systems and Networks Regularly | 11.2.2 | Wireless access points are identified and monitored, and unauthorized wireless access points are addressed | Document and implement wireless access guidelines | 1.1.0 |
| Requirement 11: Test Security of Systems and Networks Regularly | 11.2.2 | Wireless access points are identified and monitored, and unauthorized wireless access points are addressed | Protect wireless access | 1.1.0 |
| Requirement 11: Test Security of Systems and Networks Regularly | 11.3.1 | External and internal vulnerabilities are regularly identified, prioritized, and addressed | Perform vulnerability scans | 1.1.0 |
| Requirement 11: Test Security of Systems and Networks Regularly | 11.3.1 | External and internal vulnerabilities are regularly identified, prioritized, and addressed | Remediate information system flaws | 1.1.0 |
| Requirement 11: Test Security of Systems and Networks Regularly | 11.3.1.1 | External and internal vulnerabilities are regularly identified, prioritized, and addressed | Perform vulnerability scans | 1.1.0 |
| Requirement 11: Test Security of Systems and Networks Regularly | 11.3.1.1 | External and internal vulnerabilities are regularly identified, prioritized, and addressed | Remediate information system flaws | 1.1.0 |
| Requirement 11: Test Security of Systems and Networks Regularly | 11.3.1.3 | External and internal vulnerabilities are regularly identified, prioritized, and addressed | Perform vulnerability scans | 1.1.0 |
| Requirement 11: Test Security of Systems and Networks Regularly | 11.3.1.3 | External and internal vulnerabilities are regularly identified, prioritized, and addressed | Remediate information system flaws | 1.1.0 |
| Requirement 11: Test Security of Systems and Networks Regularly | 11.3.2 | External and internal vulnerabilities are regularly identified, prioritized, and addressed | Perform vulnerability scans | 1.1.0 |
| Requirement 11: Test Security of Systems and Networks Regularly | 11.3.2 | External and internal vulnerabilities are regularly identified, prioritized, and addressed | Remediate information system flaws | 1.1.0 |
| Requirement 11: Test Security of Systems and Networks Regularly | 11.3.2.1 | External and internal vulnerabilities are regularly identified, prioritized, and addressed | Perform vulnerability scans | 1.1.0 |
| Requirement 11: Test Security of Systems and Networks Regularly | 11.3.2.1 | External and internal vulnerabilities are regularly identified, prioritized, and addressed | Remediate information system flaws | 1.1.0 |
| Requirement 11: Test Security of Systems and Networks Regularly | 11.4.1 | External and internal penetration testing is regularly performed, and exploitable vulnerabilities and security weaknesses are corrected | Employ independent team for penetration testing | 1.1.0 |
| Requirement 11: Test Security of Systems and Networks Regularly | 11.4.3 | External and internal penetration testing is regularly performed, and exploitable vulnerabilities and security weaknesses are corrected | Employ independent team for penetration testing | 1.1.0 |
| Requirement 11: Test Security of Systems and Networks Regularly | 11.5.1 | Network intrusions and unexpected file changes are detected and responded to | Alert personnel of information spillage | 1.1.0 |
| Requirement 11: Test Security of Systems and Networks Regularly | 11.5.1 | Network intrusions and unexpected file changes are detected and responded to | Develop an incident response plan | 1.1.0 |
| Requirement 11: Test Security of Systems and Networks Regularly | 11.5.1 | Network intrusions and unexpected file changes are detected and responded to | Perform a trend analysis on threats | 1.1.0 |
| Requirement 11: Test Security of Systems and Networks Regularly | 11.5.1 | Network intrusions and unexpected file changes are detected and responded to | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| Requirement 11: Test Security of Systems and Networks Regularly | 11.5.1.1 | Network intrusions and unexpected file changes are detected and responded to | Alert personnel of information spillage | 1.1.0 |
| Requirement 11: Test Security of Systems and Networks Regularly | 11.5.1.1 | Network intrusions and unexpected file changes are detected and responded to | Develop an incident response plan | 1.1.0 |
| Requirement 11: Test Security of Systems and Networks Regularly | 11.5.1.1 | Network intrusions and unexpected file changes are detected and responded to | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| Requirement 11: Test Security of Systems and Networks Regularly | 11.5.2 | Network intrusions and unexpected file changes are detected and responded to | Employ automatic shutdown/restart when violations are detected | 1.1.0 |
| Requirement 11: Test Security of Systems and Networks Regularly | 11.5.2 | Network intrusions and unexpected file changes are detected and responded to | Verify software, firmware and information integrity | 1.1.0 |
| Requirement 11: Test Security of Systems and Networks Regularly | 11.5.2 | Network intrusions and unexpected file changes are detected and responded to | View and configure system diagnostic data | 1.1.0 |
| Requirement 11: Test Security of Systems and Networks Regularly | 11.6.1 | Unauthorized changes on payment pages are detected and responded to | Employ automatic shutdown/restart when violations are detected | 1.1.0 |
| Requirement 11: Test Security of Systems and Networks Regularly | 11.6.1 | Unauthorized changes on payment pages are detected and responded to | Verify software, firmware and information integrity | 1.1.0 |
| Requirement 11: Test Security of Systems and Networks Regularly | 11.6.1 | Unauthorized changes on payment pages are detected and responded to | View and configure system diagnostic data | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.1.2 | A comprehensive information security policy that governs and provides direction for protection of the entity's information assets is known and current | Establish an information security program | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.1.2 | A comprehensive information security policy that governs and provides direction for protection of the entity's information assets is known and current | Update information security policies | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.1.4 | A comprehensive information security policy that governs and provides direction for protection of the entity's information assets is known and current | Appoint a senior information security officer | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.10.2 | Suspected and confirmed security incidents that could impact the CDE are responded to immediately | Assess information security events | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.10.2 | Suspected and confirmed security incidents that could impact the CDE are responded to immediately | Develop an incident response plan | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.10.2 | Suspected and confirmed security incidents that could impact the CDE are responded to immediately | Implement incident handling | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.10.2 | Suspected and confirmed security incidents that could impact the CDE are responded to immediately | Maintain data breach records | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.10.2 | Suspected and confirmed security incidents that could impact the CDE are responded to immediately | Maintain incident response plan | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.10.2 | Suspected and confirmed security incidents that could impact the CDE are responded to immediately | Protect incident response plan | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.10.4 | Suspected and confirmed security incidents that could impact the CDE are responded to immediately | Provide information spillage training | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.10.4.1 | Suspected and confirmed security incidents that could impact the CDE are responded to immediately | Provide information spillage training | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.10.5 | Suspected and confirmed security incidents that could impact the CDE are responded to immediately | Develop an incident response plan | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.10.5 | Suspected and confirmed security incidents that could impact the CDE are responded to immediately | Enable network protection | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.10.5 | Suspected and confirmed security incidents that could impact the CDE are responded to immediately | Implement incident handling | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.10.6 | Suspected and confirmed security incidents that could impact the CDE are responded to immediately | Assess information security events | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.10.6 | Suspected and confirmed security incidents that could impact the CDE are responded to immediately | Maintain incident response plan | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.10.7 | Suspected and confirmed security incidents that could impact the CDE are responded to immediately | Develop an incident response plan | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.10.7 | Suspected and confirmed security incidents that could impact the CDE are responded to immediately | Develop security safeguards | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.10.7 | Suspected and confirmed security incidents that could impact the CDE are responded to immediately | Enable network protection | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.10.7 | Suspected and confirmed security incidents that could impact the CDE are responded to immediately | Eradicate contaminated information | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.10.7 | Suspected and confirmed security incidents that could impact the CDE are responded to immediately | Execute actions in response to information spills | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.10.7 | Suspected and confirmed security incidents that could impact the CDE are responded to immediately | Implement incident handling | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.10.7 | Suspected and confirmed security incidents that could impact the CDE are responded to immediately | Perform a trend analysis on threats | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.10.7 | Suspected and confirmed security incidents that could impact the CDE are responded to immediately | View and investigate restricted users | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.2.1 | Acceptable use policies for end-user technologies are defined and implemented | Develop acceptable use policies and procedures | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.2.1 | Acceptable use policies for end-user technologies are defined and implemented | Enforce rules of behavior and access agreements | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.2.1 | Acceptable use policies for end-user technologies are defined and implemented | Require compliance with intellectual property rights | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.2.1 | Acceptable use policies for end-user technologies are defined and implemented | Track software license usage | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.3.1 | Risks to the cardholder data environment are formally identified, evaluated, and managed | Conduct Risk Assessment | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.3.1 | Risks to the cardholder data environment are formally identified, evaluated, and managed | Conduct risk assessment and distribute its results | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.3.1 | Risks to the cardholder data environment are formally identified, evaluated, and managed | Conduct risk assessment and document its results | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.3.1 | Risks to the cardholder data environment are formally identified, evaluated, and managed | Perform a risk assessment | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.3.2 | Risks to the cardholder data environment are formally identified, evaluated, and managed | Conduct Risk Assessment | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.3.2 | Risks to the cardholder data environment are formally identified, evaluated, and managed | Conduct risk assessment and distribute its results | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.3.2 | Risks to the cardholder data environment are formally identified, evaluated, and managed | Conduct risk assessment and document its results | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.3.2 | Risks to the cardholder data environment are formally identified, evaluated, and managed | Perform a risk assessment | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.3.4 | Risks to the cardholder data environment are formally identified, evaluated, and managed | Disseminate security alerts to personnel | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.3.4 | Risks to the cardholder data environment are formally identified, evaluated, and managed | Establish a threat intelligence program | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.3.4 | Risks to the cardholder data environment are formally identified, evaluated, and managed | Remediate information system flaws | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.4.1 | PCI DSS compliance is managed | Develop security assessment plan | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.4.1 | PCI DSS compliance is managed | Establish a privacy program | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.4.1 | PCI DSS compliance is managed | Establish an information security program | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.4.1 | PCI DSS compliance is managed | Manage compliance activities | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.4.1 | PCI DSS compliance is managed | Update privacy plan, policies, and procedures | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.4.2 | PCI DSS compliance is managed | Assess Security Controls | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.4.2 | PCI DSS compliance is managed | Configure detection whitelist | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.4.2 | PCI DSS compliance is managed | Develop security assessment plan | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.4.2 | PCI DSS compliance is managed | Select additional testing for security control assessments | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.4.2 | PCI DSS compliance is managed | Turn on sensors for endpoint security solution | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.4.2 | PCI DSS compliance is managed | Undergo independent security review | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.4.2.1 | PCI DSS compliance is managed | Configure detection whitelist | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.4.2.1 | PCI DSS compliance is managed | Deliver security assessment results | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.4.2.1 | PCI DSS compliance is managed | Develop POA&M | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.4.2.1 | PCI DSS compliance is managed | Produce Security Assessment report | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.4.2.1 | PCI DSS compliance is managed | Turn on sensors for endpoint security solution | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.4.2.1 | PCI DSS compliance is managed | Undergo independent security review | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.4.2.1 | PCI DSS compliance is managed | Update POA&M items | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.5.2 | PCI DSS scope is documented and validated | Maintain records of processing of personal data | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.5.2.1 | PCI DSS scope is documented and validated | Create a data inventory | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.5.2.1 | PCI DSS scope is documented and validated | Maintain records of processing of personal data | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.5.3 | PCI DSS scope is documented and validated | Establish an information security program | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.5.3 | PCI DSS scope is documented and validated | Update information security policies | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.6.1 | Security awareness education is an ongoing activity | Document security and privacy training activities | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.6.1 | Security awareness education is an ongoing activity | Establish information security workforce development and improvement program | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.6.2 | Security awareness education is an ongoing activity | Provide updated security awareness training | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.6.3 | Security awareness education is an ongoing activity | Document personnel acceptance of privacy requirements | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.6.3 | Security awareness education is an ongoing activity | Provide periodic role-based security training | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.6.3 | Security awareness education is an ongoing activity | Provide periodic security awareness training | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.6.3 | Security awareness education is an ongoing activity | Provide privacy training | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.6.3 | Security awareness education is an ongoing activity | Provide role-based security training | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.6.3 | Security awareness education is an ongoing activity | Provide security training before providing access | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.6.3 | Security awareness education is an ongoing activity | Provide security training for new users | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.6.3 | Security awareness education is an ongoing activity | Provide updated security awareness training | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.6.3.1 | Security awareness education is an ongoing activity | Implement a threat awareness program | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.6.3.1 | Security awareness education is an ongoing activity | Implement an insider threat program | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.6.3.1 | Security awareness education is an ongoing activity | Provide security training for new users | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.6.3.2 | Security awareness education is an ongoing activity | Provide security training before providing access | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.6.3.2 | Security awareness education is an ongoing activity | Provide security training for new users | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.7.1 | Personnel are screened to reduce risks from insider threats | Clear personnel with access to classified information | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.7.1 | Personnel are screened to reduce risks from insider threats | Implement personnel screening | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.7.1 | Personnel are screened to reduce risks from insider threats | Rescreen individuals at a defined frequency | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.8.1 | Risk to information assets associated with third-party service provider (TPSP) relationships is managed | Require external service providers to comply with security requirements | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.8.2 | Risk to information assets associated with third-party service provider (TPSP) relationships is managed | Define the duties of processors | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.8.2 | Risk to information assets associated with third-party service provider (TPSP) relationships is managed | Determine supplier contract obligations | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.8.2 | Risk to information assets associated with third-party service provider (TPSP) relationships is managed | Document acquisition contract acceptance criteria | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.8.2 | Risk to information assets associated with third-party service provider (TPSP) relationships is managed | Document protection of personal data in acquisition contracts | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.8.2 | Risk to information assets associated with third-party service provider (TPSP) relationships is managed | Document protection of security information in acquisition contracts | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.8.2 | Risk to information assets associated with third-party service provider (TPSP) relationships is managed | Document requirements for the use of shared data in contracts | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.8.2 | Risk to information assets associated with third-party service provider (TPSP) relationships is managed | Document security assurance requirements in acquisition contracts | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.8.2 | Risk to information assets associated with third-party service provider (TPSP) relationships is managed | Document security documentation requirements in acquisition contract | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.8.2 | Risk to information assets associated with third-party service provider (TPSP) relationships is managed | Document security functional requirements in acquisition contracts | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.8.2 | Risk to information assets associated with third-party service provider (TPSP) relationships is managed | Document security strength requirements in acquisition contracts | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.8.2 | Risk to information assets associated with third-party service provider (TPSP) relationships is managed | Document the information system environment in acquisition contracts | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.8.2 | Risk to information assets associated with third-party service provider (TPSP) relationships is managed | Document the protection of cardholder data in third party contracts | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.8.2 | Risk to information assets associated with third-party service provider (TPSP) relationships is managed | Obtain design and implementation information for the security controls | 1.1.1 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.8.2 | Risk to information assets associated with third-party service provider (TPSP) relationships is managed | Obtain functional properties of security controls | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.8.2 | Risk to information assets associated with third-party service provider (TPSP) relationships is managed | Record disclosures of PII to third parties | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.8.3 | Risk to information assets associated with third-party service provider (TPSP) relationships is managed | Assess risk in third party relationships | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.8.3 | Risk to information assets associated with third-party service provider (TPSP) relationships is managed | Define requirements for supplying goods and services | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.8.3 | Risk to information assets associated with third-party service provider (TPSP) relationships is managed | Determine supplier contract obligations | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.8.3 | Risk to information assets associated with third-party service provider (TPSP) relationships is managed | Establish policies for supply chain risk management | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.8.3 | Risk to information assets associated with third-party service provider (TPSP) relationships is managed | Require external service providers to comply with security requirements | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.8.4 | Risk to information assets associated with third-party service provider (TPSP) relationships is managed | Assess risk in third party relationships | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.8.4 | Risk to information assets associated with third-party service provider (TPSP) relationships is managed | Define requirements for supplying goods and services | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.8.4 | Risk to information assets associated with third-party service provider (TPSP) relationships is managed | Determine supplier contract obligations | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.8.4 | Risk to information assets associated with third-party service provider (TPSP) relationships is managed | Establish policies for supply chain risk management | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.8.4 | Risk to information assets associated with third-party service provider (TPSP) relationships is managed | Obtain continuous monitoring plan for security controls | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.8.4 | Risk to information assets associated with third-party service provider (TPSP) relationships is managed | Require external service providers to comply with security requirements | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.8.4 | Risk to information assets associated with third-party service provider (TPSP) relationships is managed | Review cloud service provider's compliance with policies and agreements | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.8.4 | Risk to information assets associated with third-party service provider (TPSP) relationships is managed | Undergo independent security review | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.8.5 | Risk to information assets associated with third-party service provider (TPSP) relationships is managed | Determine supplier contract obligations | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.8.5 | Risk to information assets associated with third-party service provider (TPSP) relationships is managed | Document acquisition contract acceptance criteria | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.8.5 | Risk to information assets associated with third-party service provider (TPSP) relationships is managed | Document protection of personal data in acquisition contracts | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.8.5 | Risk to information assets associated with third-party service provider (TPSP) relationships is managed | Document protection of security information in acquisition contracts | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.8.5 | Risk to information assets associated with third-party service provider (TPSP) relationships is managed | Document requirements for the use of shared data in contracts | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.8.5 | Risk to information assets associated with third-party service provider (TPSP) relationships is managed | Document security assurance requirements in acquisition contracts | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.8.5 | Risk to information assets associated with third-party service provider (TPSP) relationships is managed | Document security documentation requirements in acquisition contract | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.8.5 | Risk to information assets associated with third-party service provider (TPSP) relationships is managed | Document security functional requirements in acquisition contracts | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.8.5 | Risk to information assets associated with third-party service provider (TPSP) relationships is managed | Document security strength requirements in acquisition contracts | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.8.5 | Risk to information assets associated with third-party service provider (TPSP) relationships is managed | Document the information system environment in acquisition contracts | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.8.5 | Risk to information assets associated with third-party service provider (TPSP) relationships is managed | Document the protection of cardholder data in third party contracts | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.8.5 | Risk to information assets associated with third-party service provider (TPSP) relationships is managed | Obtain design and implementation information for the security controls | 1.1.1 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.8.5 | Risk to information assets associated with third-party service provider (TPSP) relationships is managed | Obtain functional properties of security controls | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.9.1 | Third-party service providers (TPSPs) support their customers' PCI DSS compliance | Define the duties of processors | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.9.1 | Third-party service providers (TPSPs) support their customers' PCI DSS compliance | Record disclosures of PII to third parties | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.9.1 | Third-party service providers (TPSPs) support their customers' PCI DSS compliance | Require external service providers to comply with security requirements | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.9.2 | Third-party service providers (TPSPs) support their customers' PCI DSS compliance | Require external service providers to comply with security requirements | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.9.2 | Third-party service providers (TPSPs) support their customers' PCI DSS compliance | Review cloud service provider's compliance with policies and agreements | 1.1.0 |
| Requirement 12: Support Information Security with Organizational Policies and Programs | 12.9.2 | Third-party service providers (TPSPs) support their customers' PCI DSS compliance | Undergo independent security review | 1.1.0 |
| Requirement 02: Apply Secure Configurations to All System Components | 2.1.1 | Processes and mechanisms for applying secure configurations to all system components are defined and understood | Review and update configuration management policies and procedures | 1.1.0 |
| Requirement 02: Apply Secure Configurations to All System Components | 2.2.1 | System components are configured and managed securely | Configure actions for noncompliant devices | 1.1.0 |
| Requirement 02: Apply Secure Configurations to All System Components | 2.2.1 | System components are configured and managed securely | Develop and maintain baseline configurations | 1.1.0 |
| Requirement 02: Apply Secure Configurations to All System Components | 2.2.1 | System components are configured and managed securely | Enforce security configuration settings | 1.1.0 |
| Requirement 02: Apply Secure Configurations to All System Components | 2.2.1 | System components are configured and managed securely | Establish a configuration control board | 1.1.0 |
| Requirement 02: Apply Secure Configurations to All System Components | 2.2.1 | System components are configured and managed securely | Establish and document a configuration management plan | 1.1.0 |
| Requirement 02: Apply Secure Configurations to All System Components | 2.2.1 | System components are configured and managed securely | Implement an automated configuration management tool | 1.1.0 |
| Requirement 02: Apply Secure Configurations to All System Components | 2.2.2 | System components are configured and managed securely | Manage Authenticators | 1.1.0 |
| Requirement 02: Apply Secure Configurations to All System Components | 2.2.5 | System components are configured and managed securely | Enforce security configuration settings | 1.1.0 |
| Requirement 02: Apply Secure Configurations to All System Components | 2.2.5 | System components are configured and managed securely | Remediate information system flaws | 1.1.0 |
| Requirement 02: Apply Secure Configurations to All System Components | 2.2.7 | System components are configured and managed securely | Implement cryptographic mechanisms | 1.1.0 |
| Requirement 02: Apply Secure Configurations to All System Components | 2.3.1 | Wireless environments are configured and managed securely | Document and implement wireless access guidelines | 1.1.0 |
| Requirement 02: Apply Secure Configurations to All System Components | 2.3.1 | Wireless environments are configured and managed securely | Identify and authenticate network devices | 1.1.0 |
| Requirement 02: Apply Secure Configurations to All System Components | 2.3.1 | Wireless environments are configured and managed securely | Protect wireless access | 1.1.0 |
| Requirement 02: Apply Secure Configurations to All System Components | 2.3.2 | Wireless environments are configured and managed securely | Document and implement wireless access guidelines | 1.1.0 |
| Requirement 02: Apply Secure Configurations to All System Components | 2.3.2 | Wireless environments are configured and managed securely | Identify and authenticate network devices | 1.1.0 |
| Requirement 02: Apply Secure Configurations to All System Components | 2.3.2 | Wireless environments are configured and managed securely | Protect wireless access | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.1.1 | Processes and mechanisms for protecting stored account data are defined and understood | Establish a privacy program | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.1.1 | Processes and mechanisms for protecting stored account data are defined and understood | Review and update system and communications protection policies and procedures | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.1.1 | Processes and mechanisms for protecting stored account data are defined and understood | Update privacy plan, policies, and procedures | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.2.1 | Storage of account data is kept to a minimum | Adhere to retention periods defined | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.2.1 | Storage of account data is kept to a minimum | Control physical access | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.2.1 | Storage of account data is kept to a minimum | Document the legal basis for processing personal information | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.2.1 | Storage of account data is kept to a minimum | Manage the input, output, processing, and storage of data | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.2.1 | Storage of account data is kept to a minimum | Obtain consent prior to collection or processing of personal data | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.2.1 | Storage of account data is kept to a minimum | Perform disposition review | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.2.1 | Storage of account data is kept to a minimum | Review label activity and analytics | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.2.1 | Storage of account data is kept to a minimum | Verify personal data is deleted at the end of processing | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.3.1 | Sensitive authentication data (SAD) is not stored after authorization | Adhere to retention periods defined | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.3.1 | Sensitive authentication data (SAD) is not stored after authorization | Document the legal basis for processing personal information | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.3.1 | Sensitive authentication data (SAD) is not stored after authorization | Implement privacy notice delivery methods | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.3.1 | Sensitive authentication data (SAD) is not stored after authorization | Obtain consent prior to collection or processing of personal data | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.3.1 | Sensitive authentication data (SAD) is not stored after authorization | Perform disposition review | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.3.1 | Sensitive authentication data (SAD) is not stored after authorization | Provide privacy notice | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.3.1 | Sensitive authentication data (SAD) is not stored after authorization | Restrict communications | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.3.1 | Sensitive authentication data (SAD) is not stored after authorization | Verify personal data is deleted at the end of processing | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.3.1.1 | Sensitive authentication data (SAD) is not stored after authorization | Adhere to retention periods defined | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.3.1.1 | Sensitive authentication data (SAD) is not stored after authorization | Document the legal basis for processing personal information | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.3.1.1 | Sensitive authentication data (SAD) is not stored after authorization | Implement privacy notice delivery methods | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.3.1.1 | Sensitive authentication data (SAD) is not stored after authorization | Obtain consent prior to collection or processing of personal data | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.3.1.1 | Sensitive authentication data (SAD) is not stored after authorization | Perform disposition review | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.3.1.1 | Sensitive authentication data (SAD) is not stored after authorization | Provide privacy notice | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.3.1.1 | Sensitive authentication data (SAD) is not stored after authorization | Restrict communications | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.3.1.1 | Sensitive authentication data (SAD) is not stored after authorization | Verify personal data is deleted at the end of processing | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.3.1.2 | Sensitive authentication data (SAD) is not stored after authorization | Document the legal basis for processing personal information | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.3.1.2 | Sensitive authentication data (SAD) is not stored after authorization | Implement privacy notice delivery methods | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.3.1.2 | Sensitive authentication data (SAD) is not stored after authorization | Obtain consent prior to collection or processing of personal data | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.3.1.2 | Sensitive authentication data (SAD) is not stored after authorization | Provide privacy notice | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.3.1.2 | Sensitive authentication data (SAD) is not stored after authorization | Restrict communications | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.3.1.3 | Sensitive authentication data (SAD) is not stored after authorization | Adhere to retention periods defined | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.3.1.3 | Sensitive authentication data (SAD) is not stored after authorization | Document the legal basis for processing personal information | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.3.1.3 | Sensitive authentication data (SAD) is not stored after authorization | Implement privacy notice delivery methods | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.3.1.3 | Sensitive authentication data (SAD) is not stored after authorization | Obtain consent prior to collection or processing of personal data | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.3.1.3 | Sensitive authentication data (SAD) is not stored after authorization | Perform disposition review | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.3.1.3 | Sensitive authentication data (SAD) is not stored after authorization | Provide privacy notice | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.3.1.3 | Sensitive authentication data (SAD) is not stored after authorization | Restrict communications | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.3.1.3 | Sensitive authentication data (SAD) is not stored after authorization | Verify personal data is deleted at the end of processing | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.3.2 | Sensitive authentication data (SAD) is not stored after authorization | Authenticate to cryptographic module | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.3.3 | Sensitive authentication data (SAD) is not stored after authorization | Accounts with owner permissions on Azure resources should be MFA enabled | 1.0.0 |
| Requirement 03: Protect Stored Account Data | 3.3.3 | Sensitive authentication data (SAD) is not stored after authorization | Accounts with write permissions on Azure resources should be MFA enabled | 1.0.0 |
| Requirement 03: Protect Stored Account Data | 3.3.3 | Sensitive authentication data (SAD) is not stored after authorization | Authenticate to cryptographic module | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.3.3 | Sensitive authentication data (SAD) is not stored after authorization | Document the legal basis for processing personal information | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.3.3 | Sensitive authentication data (SAD) is not stored after authorization | Guest accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| Requirement 03: Protect Stored Account Data | 3.3.3 | Sensitive authentication data (SAD) is not stored after authorization | Guest accounts with read permissions on Azure resources should be removed | 1.0.0 |
| Requirement 03: Protect Stored Account Data | 3.3.3 | Sensitive authentication data (SAD) is not stored after authorization | Guest accounts with write permissions on Azure resources should be removed | 1.0.0 |
| Requirement 03: Protect Stored Account Data | 3.3.3 | Sensitive authentication data (SAD) is not stored after authorization | Implement privacy notice delivery methods | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.3.3 | Sensitive authentication data (SAD) is not stored after authorization | Obtain consent prior to collection or processing of personal data | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.3.3 | Sensitive authentication data (SAD) is not stored after authorization | Provide privacy notice | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.3.3 | Sensitive authentication data (SAD) is not stored after authorization | Restrict communications | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.4.1 | Access to displays of full PAN and ability to copy cardholder data are restricted | Implement privacy notice delivery methods | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.4.1 | Access to displays of full PAN and ability to copy cardholder data are restricted | Provide privacy notice | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.4.1 | Access to displays of full PAN and ability to copy cardholder data are restricted | Restrict communications | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.4.2 | Access to displays of full PAN and ability to copy cardholder data are restricted | Implement privacy notice delivery methods | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.4.2 | Access to displays of full PAN and ability to copy cardholder data are restricted | Provide privacy notice | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.4.2 | Access to displays of full PAN and ability to copy cardholder data are restricted | Restrict communications | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.5.1 | Primary account number (PAN) is secured wherever it is stored | Establish a data leakage management procedure | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.5.1 | Primary account number (PAN) is secured wherever it is stored | Implement controls to secure all media | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.5.1 | Primary account number (PAN) is secured wherever it is stored | Protect data in transit using encryption | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.5.1 | Primary account number (PAN) is secured wherever it is stored | Protect special information | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.5.1.1 | Primary account number (PAN) is secured wherever it is stored | Establish a data leakage management procedure | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.5.1.1 | Primary account number (PAN) is secured wherever it is stored | Implement controls to secure all media | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.5.1.1 | Primary account number (PAN) is secured wherever it is stored | Protect data in transit using encryption | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.5.1.1 | Primary account number (PAN) is secured wherever it is stored | Protect special information | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.5.1.2 | Primary account number (PAN) is secured wherever it is stored | Establish a data leakage management procedure | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.5.1.2 | Primary account number (PAN) is secured wherever it is stored | Implement controls to secure all media | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.5.1.2 | Primary account number (PAN) is secured wherever it is stored | Protect data in transit using encryption | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.5.1.2 | Primary account number (PAN) is secured wherever it is stored | Protect special information | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.5.1.3 | Primary account number (PAN) is secured wherever it is stored | Establish a data leakage management procedure | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.5.1.3 | Primary account number (PAN) is secured wherever it is stored | Implement controls to secure all media | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.5.1.3 | Primary account number (PAN) is secured wherever it is stored | Protect data in transit using encryption | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.5.1.3 | Primary account number (PAN) is secured wherever it is stored | Protect special information | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.6.1 | Cryptographic keys used to protect stored account data are secured | Define a physical key management process | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.6.1 | Cryptographic keys used to protect stored account data are secured | Define cryptographic use | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.6.1 | Cryptographic keys used to protect stored account data are secured | Define organizational requirements for cryptographic key management | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.6.1 | Cryptographic keys used to protect stored account data are secured | Determine assertion requirements | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.6.1 | Cryptographic keys used to protect stored account data are secured | Issue public key certificates | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.6.1 | Cryptographic keys used to protect stored account data are secured | Manage symmetric cryptographic keys | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.6.1 | Cryptographic keys used to protect stored account data are secured | Restrict access to private keys | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.6.1.1 | Cryptographic keys used to protect stored account data are secured | Define a physical key management process | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.6.1.1 | Cryptographic keys used to protect stored account data are secured | Define cryptographic use | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.6.1.1 | Cryptographic keys used to protect stored account data are secured | Define organizational requirements for cryptographic key management | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.6.1.1 | Cryptographic keys used to protect stored account data are secured | Determine assertion requirements | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.6.1.1 | Cryptographic keys used to protect stored account data are secured | Issue public key certificates | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.6.1.1 | Cryptographic keys used to protect stored account data are secured | Manage symmetric cryptographic keys | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.6.1.1 | Cryptographic keys used to protect stored account data are secured | Restrict access to private keys | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.6.1.2 | Cryptographic keys used to protect stored account data are secured | Define a physical key management process | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.6.1.2 | Cryptographic keys used to protect stored account data are secured | Define cryptographic use | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.6.1.2 | Cryptographic keys used to protect stored account data are secured | Define organizational requirements for cryptographic key management | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.6.1.2 | Cryptographic keys used to protect stored account data are secured | Determine assertion requirements | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.6.1.2 | Cryptographic keys used to protect stored account data are secured | Issue public key certificates | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.6.1.2 | Cryptographic keys used to protect stored account data are secured | Manage symmetric cryptographic keys | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.6.1.2 | Cryptographic keys used to protect stored account data are secured | Produce, control and distribute symmetric cryptographic keys | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.6.1.2 | Cryptographic keys used to protect stored account data are secured | Restrict access to private keys | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.6.1.3 | Cryptographic keys used to protect stored account data are secured | Define a physical key management process | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.6.1.3 | Cryptographic keys used to protect stored account data are secured | Define cryptographic use | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.6.1.3 | Cryptographic keys used to protect stored account data are secured | Define organizational requirements for cryptographic key management | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.6.1.3 | Cryptographic keys used to protect stored account data are secured | Determine assertion requirements | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.6.1.3 | Cryptographic keys used to protect stored account data are secured | Issue public key certificates | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.6.1.3 | Cryptographic keys used to protect stored account data are secured | Manage symmetric cryptographic keys | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.6.1.3 | Cryptographic keys used to protect stored account data are secured | Restrict access to private keys | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.6.1.4 | Cryptographic keys used to protect stored account data are secured | Define a physical key management process | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.6.1.4 | Cryptographic keys used to protect stored account data are secured | Define cryptographic use | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.6.1.4 | Cryptographic keys used to protect stored account data are secured | Define organizational requirements for cryptographic key management | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.6.1.4 | Cryptographic keys used to protect stored account data are secured | Determine assertion requirements | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.6.1.4 | Cryptographic keys used to protect stored account data are secured | Issue public key certificates | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.6.1.4 | Cryptographic keys used to protect stored account data are secured | Manage symmetric cryptographic keys | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.6.1.4 | Cryptographic keys used to protect stored account data are secured | Restrict access to private keys | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.1 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Define a physical key management process | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.1 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Define cryptographic use | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.1 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Define organizational requirements for cryptographic key management | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.1 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Determine assertion requirements | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.1 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Issue public key certificates | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.1 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Manage symmetric cryptographic keys | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.1 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Restrict access to private keys | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.2 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Define a physical key management process | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.2 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Define cryptographic use | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.2 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Define organizational requirements for cryptographic key management | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.2 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Determine assertion requirements | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.2 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Issue public key certificates | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.2 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Manage symmetric cryptographic keys | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.2 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Produce, control and distribute symmetric cryptographic keys | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.2 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Restrict access to private keys | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.3 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Define a physical key management process | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.3 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Define cryptographic use | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.3 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Define organizational requirements for cryptographic key management | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.3 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Determine assertion requirements | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.3 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Issue public key certificates | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.3 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Maintain availability of information | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.3 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Manage symmetric cryptographic keys | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.3 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Produce, control and distribute symmetric cryptographic keys | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.3 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Restrict access to private keys | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.4 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Define a physical key management process | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.4 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Define cryptographic use | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.4 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Define organizational requirements for cryptographic key management | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.4 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Determine assertion requirements | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.4 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Issue public key certificates | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.4 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Manage symmetric cryptographic keys | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.4 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Restrict access to private keys | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.5 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Define a physical key management process | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.5 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Define cryptographic use | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.5 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Define organizational requirements for cryptographic key management | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.5 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Determine assertion requirements | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.5 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Issue public key certificates | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.5 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Manage symmetric cryptographic keys | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.5 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Restrict access to private keys | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.6 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Define a physical key management process | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.6 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Define cryptographic use | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.6 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Define organizational requirements for cryptographic key management | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.6 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Determine assertion requirements | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.6 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Issue public key certificates | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.6 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Manage symmetric cryptographic keys | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.6 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Restrict access to private keys | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.7 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Define a physical key management process | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.7 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Define cryptographic use | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.7 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Define organizational requirements for cryptographic key management | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.7 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Determine assertion requirements | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.7 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Issue public key certificates | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.7 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Manage symmetric cryptographic keys | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.7 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Restrict access to private keys | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.8 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Define a physical key management process | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.8 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Define cryptographic use | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.8 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Define organizational requirements for cryptographic key management | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.8 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Determine assertion requirements | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.8 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Issue public key certificates | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.8 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Manage symmetric cryptographic keys | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.8 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Restrict access to private keys | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.9 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Define a physical key management process | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.9 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Define cryptographic use | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.9 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Define organizational requirements for cryptographic key management | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.9 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Determine assertion requirements | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.9 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Issue public key certificates | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.9 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Manage symmetric cryptographic keys | 1.1.0 |
| Requirement 03: Protect Stored Account Data | 3.7.9 | Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented | Restrict access to private keys | 1.1.0 |
| Requirement 04: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks | 4.1.1 | Processes and mechanisms for protecting cardholder data with strong cryptography during transmission over open, public networks are defined and documented | Review and update system and communications protection policies and procedures | 1.1.0 |
| Requirement 04: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks | 4.2.1 | PAN is protected with strong cryptography during transmission | Configure workstations to check for digital certificates | 1.1.0 |
| Requirement 04: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks | 4.2.1 | PAN is protected with strong cryptography during transmission | Define a physical key management process | 1.1.0 |
| Requirement 04: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks | 4.2.1 | PAN is protected with strong cryptography during transmission | Define cryptographic use | 1.1.0 |
| Requirement 04: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks | 4.2.1 | PAN is protected with strong cryptography during transmission | Define organizational requirements for cryptographic key management | 1.1.0 |
| Requirement 04: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks | 4.2.1 | PAN is protected with strong cryptography during transmission | Determine assertion requirements | 1.1.0 |
| Requirement 04: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks | 4.2.1 | PAN is protected with strong cryptography during transmission | Issue public key certificates | 1.1.0 |
| Requirement 04: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks | 4.2.1 | PAN is protected with strong cryptography during transmission | Manage symmetric cryptographic keys | 1.1.0 |
| Requirement 04: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks | 4.2.1 | PAN is protected with strong cryptography during transmission | Produce, control and distribute asymmetric cryptographic keys | 1.1.0 |
| Requirement 04: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks | 4.2.1 | PAN is protected with strong cryptography during transmission | Produce, control and distribute symmetric cryptographic keys | 1.1.0 |
| Requirement 04: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks | 4.2.1 | PAN is protected with strong cryptography during transmission | Protect data in transit using encryption | 1.1.0 |
| Requirement 04: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks | 4.2.1 | PAN is protected with strong cryptography during transmission | Protect passwords with encryption | 1.1.0 |
| Requirement 04: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks | 4.2.1 | PAN is protected with strong cryptography during transmission | Restrict access to private keys | 1.1.0 |
| Requirement 04: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks | 4.2.1.1 | PAN is protected with strong cryptography during transmission | Define a physical key management process | 1.1.0 |
| Requirement 04: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks | 4.2.1.1 | PAN is protected with strong cryptography during transmission | Define cryptographic use | 1.1.0 |
| Requirement 04: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks | 4.2.1.1 | PAN is protected with strong cryptography during transmission | Define organizational requirements for cryptographic key management | 1.1.0 |
| Requirement 04: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks | 4.2.1.1 | PAN is protected with strong cryptography during transmission | Determine assertion requirements | 1.1.0 |
| Requirement 04: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks | 4.2.1.1 | PAN is protected with strong cryptography during transmission | Issue public key certificates | 1.1.0 |
| Requirement 04: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks | 4.2.1.1 | PAN is protected with strong cryptography during transmission | Maintain availability of information | 1.1.0 |
| Requirement 04: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks | 4.2.1.1 | PAN is protected with strong cryptography during transmission | Manage symmetric cryptographic keys | 1.1.0 |
| Requirement 04: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks | 4.2.1.1 | PAN is protected with strong cryptography during transmission | Restrict access to private keys | 1.1.0 |
| Requirement 04: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks | 4.2.1.2 | PAN is protected with strong cryptography during transmission | Document and implement wireless access guidelines | 1.1.0 |
| Requirement 04: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks | 4.2.1.2 | PAN is protected with strong cryptography during transmission | Identify and authenticate network devices | 1.1.0 |
| Requirement 04: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks | 4.2.1.2 | PAN is protected with strong cryptography during transmission | Protect wireless access | 1.1.0 |
| Requirement 04: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks | 4.2.2 | PAN is protected with strong cryptography during transmission | Configure workstations to check for digital certificates | 1.1.0 |
| Requirement 04: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks | 4.2.2 | PAN is protected with strong cryptography during transmission | Protect data in transit using encryption | 1.1.0 |
| Requirement 04: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks | 4.2.2 | PAN is protected with strong cryptography during transmission | Protect passwords with encryption | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.1.1 | Processes and mechanisms for protecting all systems and networks from malicious software are defined and understood | Review and update information integrity policies and procedures | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.2.1 | Malicious software (malware) is prevented, or detected and addressed | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.2.1 | Malicious software (malware) is prevented, or detected and addressed | Manage gateways | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.2.1 | Malicious software (malware) is prevented, or detected and addressed | Perform a trend analysis on threats | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.2.1 | Malicious software (malware) is prevented, or detected and addressed | Perform vulnerability scans | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.2.1 | Malicious software (malware) is prevented, or detected and addressed | Review malware detections report weekly | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.2.1 | Malicious software (malware) is prevented, or detected and addressed | Review threat protection status weekly | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.2.1 | Malicious software (malware) is prevented, or detected and addressed | Update antivirus definitions | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.2.2 | Malicious software (malware) is prevented, or detected and addressed | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.2.2 | Malicious software (malware) is prevented, or detected and addressed | Manage gateways | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.2.2 | Malicious software (malware) is prevented, or detected and addressed | Perform a trend analysis on threats | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.2.2 | Malicious software (malware) is prevented, or detected and addressed | Perform vulnerability scans | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.2.2 | Malicious software (malware) is prevented, or detected and addressed | Review malware detections report weekly | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.2.2 | Malicious software (malware) is prevented, or detected and addressed | Review threat protection status weekly | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.2.2 | Malicious software (malware) is prevented, or detected and addressed | Update antivirus definitions | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.2.3 | Malicious software (malware) is prevented, or detected and addressed | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.2.3 | Malicious software (malware) is prevented, or detected and addressed | Manage gateways | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.2.3 | Malicious software (malware) is prevented, or detected and addressed | Perform a trend analysis on threats | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.2.3 | Malicious software (malware) is prevented, or detected and addressed | Perform vulnerability scans | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.2.3 | Malicious software (malware) is prevented, or detected and addressed | Review malware detections report weekly | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.2.3 | Malicious software (malware) is prevented, or detected and addressed | Review threat protection status weekly | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.2.3 | Malicious software (malware) is prevented, or detected and addressed | Update antivirus definitions | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.2.3.1 | Malicious software (malware) is prevented, or detected and addressed | Conduct Risk Assessment | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.2.3.1 | Malicious software (malware) is prevented, or detected and addressed | Conduct risk assessment and document its results | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.2.3.1 | Malicious software (malware) is prevented, or detected and addressed | Perform a risk assessment | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.3.1 | Anti-malware mechanisms and processes are active, maintained, and monitored | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.3.1 | Anti-malware mechanisms and processes are active, maintained, and monitored | Manage gateways | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.3.1 | Anti-malware mechanisms and processes are active, maintained, and monitored | Perform a trend analysis on threats | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.3.1 | Anti-malware mechanisms and processes are active, maintained, and monitored | Perform vulnerability scans | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.3.1 | Anti-malware mechanisms and processes are active, maintained, and monitored | Review malware detections report weekly | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.3.1 | Anti-malware mechanisms and processes are active, maintained, and monitored | Update antivirus definitions | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.3.3 | Anti-malware mechanisms and processes are active, maintained, and monitored | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.3.3 | Anti-malware mechanisms and processes are active, maintained, and monitored | Manage gateways | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.3.3 | Anti-malware mechanisms and processes are active, maintained, and monitored | Perform a trend analysis on threats | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.3.3 | Anti-malware mechanisms and processes are active, maintained, and monitored | Perform vulnerability scans | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.3.3 | Anti-malware mechanisms and processes are active, maintained, and monitored | Review malware detections report weekly | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.3.3 | Anti-malware mechanisms and processes are active, maintained, and monitored | Review threat protection status weekly | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.3.3 | Anti-malware mechanisms and processes are active, maintained, and monitored | Update antivirus definitions | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.3.4 | Anti-malware mechanisms and processes are active, maintained, and monitored | Adhere to retention periods defined | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.3.4 | Anti-malware mechanisms and processes are active, maintained, and monitored | Determine auditable events | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.3.4 | Anti-malware mechanisms and processes are active, maintained, and monitored | Retain security policies and procedures | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.3.4 | Anti-malware mechanisms and processes are active, maintained, and monitored | Retain terminated user data | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.3.5 | Anti-malware mechanisms and processes are active, maintained, and monitored | Conduct a security impact analysis | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.3.5 | Anti-malware mechanisms and processes are active, maintained, and monitored | Develop and maintain a vulnerability management standard | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.3.5 | Anti-malware mechanisms and processes are active, maintained, and monitored | Establish a risk management strategy | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.3.5 | Anti-malware mechanisms and processes are active, maintained, and monitored | Establish and document change control processes | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.3.5 | Anti-malware mechanisms and processes are active, maintained, and monitored | Establish configuration management requirements for developers | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.3.5 | Anti-malware mechanisms and processes are active, maintained, and monitored | Perform a privacy impact assessment | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.3.5 | Anti-malware mechanisms and processes are active, maintained, and monitored | Perform a risk assessment | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.3.5 | Anti-malware mechanisms and processes are active, maintained, and monitored | Perform audit for configuration change control | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.4.1 | Anti-phishing mechanisms protect users against phishing attacks | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.4.1 | Anti-phishing mechanisms protect users against phishing attacks | Manage gateways | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.4.1 | Anti-phishing mechanisms protect users against phishing attacks | Perform a trend analysis on threats | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.4.1 | Anti-phishing mechanisms protect users against phishing attacks | Perform vulnerability scans | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.4.1 | Anti-phishing mechanisms protect users against phishing attacks | Review malware detections report weekly | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.4.1 | Anti-phishing mechanisms protect users against phishing attacks | Review threat protection status weekly | 1.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.4.1 | Anti-phishing mechanisms protect users against phishing attacks | Update antivirus definitions | 1.1.0 |
| Requirement 06: Develop and Maintain Secure Systems and Software | 6.1.1 | Processes and mechanisms for developing and maintaining secure systems and software are defined and understood | Review and update configuration management policies and procedures | 1.1.0 |
| Requirement 06: Develop and Maintain Secure Systems and Software | 6.1.1 | Processes and mechanisms for developing and maintaining secure systems and software are defined and understood | Review and update system and services acquisition policies and procedures | 1.1.0 |
| Requirement 06: Develop and Maintain Secure Systems and Software | 6.2.2 | Bespoke and custom software are developed securely | Provide periodic role-based security training | 1.1.0 |
| Requirement 06: Develop and Maintain Secure Systems and Software | 6.2.2 | Bespoke and custom software are developed securely | Provide security training before providing access | 1.1.0 |
| Requirement 06: Develop and Maintain Secure Systems and Software | 6.2.3.1 | Bespoke and custom software are developed securely | Separate duties of individuals | 1.1.0 |
| Requirement 06: Develop and Maintain Secure Systems and Software | 6.3.1 | Security vulnerabilities are identified and addressed | Disseminate security alerts to personnel | 1.1.0 |
| Requirement 06: Develop and Maintain Secure Systems and Software | 6.3.1 | Security vulnerabilities are identified and addressed | Establish a threat intelligence program | 1.1.0 |
| Requirement 06: Develop and Maintain Secure Systems and Software | 6.3.1 | Security vulnerabilities are identified and addressed | Implement security directives | 1.1.0 |
| Requirement 06: Develop and Maintain Secure Systems and Software | 6.3.1 | Security vulnerabilities are identified and addressed | Remediate information system flaws | 1.1.0 |
| Requirement 06: Develop and Maintain Secure Systems and Software | 6.3.2 | Security vulnerabilities are identified and addressed | Obtain Admin documentation | 1.1.0 |
| Requirement 06: Develop and Maintain Secure Systems and Software | 6.4.1 | Public-facing web applications are protected against attacks | Perform vulnerability scans | 1.1.0 |
| Requirement 06: Develop and Maintain Secure Systems and Software | 6.4.1 | Public-facing web applications are protected against attacks | Remediate information system flaws | 1.1.0 |
| Requirement 06: Develop and Maintain Secure Systems and Software | 6.4.3 | Public-facing web applications are protected against attacks | Verify software, firmware and information integrity | 1.1.0 |
| Requirement 06: Develop and Maintain Secure Systems and Software | 6.4.3 | Public-facing web applications are protected against attacks | View and configure system diagnostic data | 1.1.0 |
| Requirement 06: Develop and Maintain Secure Systems and Software | 6.5.1 | Changes to all system components are managed securely | Conduct a security impact analysis | 1.1.0 |
| Requirement 06: Develop and Maintain Secure Systems and Software | 6.5.1 | Changes to all system components are managed securely | Develop and maintain a vulnerability management standard | 1.1.0 |
| Requirement 06: Develop and Maintain Secure Systems and Software | 6.5.1 | Changes to all system components are managed securely | Establish a risk management strategy | 1.1.0 |
| Requirement 06: Develop and Maintain Secure Systems and Software | 6.5.1 | Changes to all system components are managed securely | Establish and document change control processes | 1.1.0 |
| Requirement 06: Develop and Maintain Secure Systems and Software | 6.5.1 | Changes to all system components are managed securely | Establish configuration management requirements for developers | 1.1.0 |
| Requirement 06: Develop and Maintain Secure Systems and Software | 6.5.1 | Changes to all system components are managed securely | Perform a privacy impact assessment | 1.1.0 |
| Requirement 06: Develop and Maintain Secure Systems and Software | 6.5.1 | Changes to all system components are managed securely | Perform a risk assessment | 1.1.0 |
| Requirement 06: Develop and Maintain Secure Systems and Software | 6.5.1 | Changes to all system components are managed securely | Perform audit for configuration change control | 1.1.0 |
| Requirement 06: Develop and Maintain Secure Systems and Software | 6.5.2 | Changes to all system components are managed securely | Require developers to manage change integrity | 1.1.0 |
| Requirement 06: Develop and Maintain Secure Systems and Software | 6.5.3 | Changes to all system components are managed securely | Conduct a security impact analysis | 1.1.0 |
| Requirement 06: Develop and Maintain Secure Systems and Software | 6.5.3 | Changes to all system components are managed securely | Establish and document change control processes | 1.1.0 |
| Requirement 06: Develop and Maintain Secure Systems and Software | 6.5.3 | Changes to all system components are managed securely | Establish configuration management requirements for developers | 1.1.0 |
| Requirement 06: Develop and Maintain Secure Systems and Software | 6.5.3 | Changes to all system components are managed securely | Limit privileges to make changes in production environment | 1.1.0 |
| Requirement 06: Develop and Maintain Secure Systems and Software | 6.5.3 | Changes to all system components are managed securely | Perform a privacy impact assessment | 1.1.0 |
| Requirement 06: Develop and Maintain Secure Systems and Software | 6.5.3 | Changes to all system components are managed securely | Perform audit for configuration change control | 1.1.0 |
| Requirement 06: Develop and Maintain Secure Systems and Software | 6.5.4 | Changes to all system components are managed securely | Conduct a security impact analysis | 1.1.0 |
| Requirement 06: Develop and Maintain Secure Systems and Software | 6.5.4 | Changes to all system components are managed securely | Establish and document change control processes | 1.1.0 |
| Requirement 06: Develop and Maintain Secure Systems and Software | 6.5.4 | Changes to all system components are managed securely | Establish configuration management requirements for developers | 1.1.0 |
| Requirement 06: Develop and Maintain Secure Systems and Software | 6.5.4 | Changes to all system components are managed securely | Limit privileges to make changes in production environment | 1.1.0 |
| Requirement 06: Develop and Maintain Secure Systems and Software | 6.5.4 | Changes to all system components are managed securely | Perform a privacy impact assessment | 1.1.0 |
| Requirement 06: Develop and Maintain Secure Systems and Software | 6.5.4 | Changes to all system components are managed securely | Perform audit for configuration change control | 1.1.0 |
| Requirement 06: Develop and Maintain Secure Systems and Software | 6.5.5 | Changes to all system components are managed securely | Incorporate security and data privacy practices in research processing | 1.1.0 |
| Requirement 06: Develop and Maintain Secure Systems and Software | 6.5.6 | Changes to all system components are managed securely | Conduct a security impact analysis | 1.1.0 |
| Requirement 06: Develop and Maintain Secure Systems and Software | 6.5.6 | Changes to all system components are managed securely | Establish and document change control processes | 1.1.0 |
| Requirement 06: Develop and Maintain Secure Systems and Software | 6.5.6 | Changes to all system components are managed securely | Establish configuration management requirements for developers | 1.1.0 |
| Requirement 06: Develop and Maintain Secure Systems and Software | 6.5.6 | Changes to all system components are managed securely | Perform a privacy impact assessment | 1.1.0 |
| Requirement 06: Develop and Maintain Secure Systems and Software | 6.5.6 | Changes to all system components are managed securely | Perform audit for configuration change control | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.1.1 | Processes and mechanisms for restricting access to system components and cardholder data by business need to know are defined and understood | Develop access control policies and procedures | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.1.1 | Processes and mechanisms for restricting access to system components and cardholder data by business need to know are defined and understood | Enforce mandatory and discretionary access control policies | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.1.1 | Processes and mechanisms for restricting access to system components and cardholder data by business need to know are defined and understood | Govern policies and procedures | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.1.1 | Processes and mechanisms for restricting access to system components and cardholder data by business need to know are defined and understood | Review access control policies and procedures | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.1.2 | Processes and mechanisms for restricting access to system components and cardholder data by business need to know are defined and understood | Develop access control policies and procedures | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.1.2 | Processes and mechanisms for restricting access to system components and cardholder data by business need to know are defined and understood | Enforce mandatory and discretionary access control policies | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.1.2 | Processes and mechanisms for restricting access to system components and cardholder data by business need to know are defined and understood | Govern policies and procedures | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.2.1 | Access to system components and data is appropriately defined and assigned | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.2.1 | Access to system components and data is appropriately defined and assigned | Authorize access to security functions and information | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.2.1 | Access to system components and data is appropriately defined and assigned | Authorize and manage access | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.2.1 | Access to system components and data is appropriately defined and assigned | Design an access control model | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.2.1 | Access to system components and data is appropriately defined and assigned | Employ least privilege access | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.2.1 | Access to system components and data is appropriately defined and assigned | Enforce logical access | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.2.1 | Access to system components and data is appropriately defined and assigned | Enforce mandatory and discretionary access control policies | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.2.1 | Access to system components and data is appropriately defined and assigned | Require approval for account creation | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.2.1 | Access to system components and data is appropriately defined and assigned | Review user groups and applications with access to sensitive data | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.2.1 | Access to system components and data is appropriately defined and assigned | There should be more than one owner assigned to your subscription | 3.0.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.2.2 | Access to system components and data is appropriately defined and assigned | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.2.2 | Access to system components and data is appropriately defined and assigned | Authorize access to security functions and information | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.2.2 | Access to system components and data is appropriately defined and assigned | Authorize and manage access | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.2.2 | Access to system components and data is appropriately defined and assigned | Design an access control model | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.2.2 | Access to system components and data is appropriately defined and assigned | Employ least privilege access | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.2.2 | Access to system components and data is appropriately defined and assigned | Enforce mandatory and discretionary access control policies | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.2.2 | Access to system components and data is appropriately defined and assigned | There should be more than one owner assigned to your subscription | 3.0.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.2.3 | Access to system components and data is appropriately defined and assigned | Authorize access to security functions and information | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.2.3 | Access to system components and data is appropriately defined and assigned | Authorize and manage access | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.2.3 | Access to system components and data is appropriately defined and assigned | Design an access control model | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.2.3 | Access to system components and data is appropriately defined and assigned | Employ least privilege access | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.2.3 | Access to system components and data is appropriately defined and assigned | Enforce logical access | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.2.3 | Access to system components and data is appropriately defined and assigned | Enforce mandatory and discretionary access control policies | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.2.3 | Access to system components and data is appropriately defined and assigned | Require approval for account creation | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.2.3 | Access to system components and data is appropriately defined and assigned | Review user groups and applications with access to sensitive data | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.2.4 | Access to system components and data is appropriately defined and assigned | Audit user account status | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.2.4 | Access to system components and data is appropriately defined and assigned | Review account provisioning logs | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.2.4 | Access to system components and data is appropriately defined and assigned | Review user accounts | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.2.4 | Access to system components and data is appropriately defined and assigned | Review user privileges | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.2.5 | Access to system components and data is appropriately defined and assigned | Define information system account types | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.2.5.1 | Access to system components and data is appropriately defined and assigned | Monitor account activity | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.2.6 | Access to system components and data is appropriately defined and assigned | Authorize access to security functions and information | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.2.6 | Access to system components and data is appropriately defined and assigned | Authorize and manage access | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.2.6 | Access to system components and data is appropriately defined and assigned | Design an access control model | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.2.6 | Access to system components and data is appropriately defined and assigned | Employ least privilege access | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.2.6 | Access to system components and data is appropriately defined and assigned | Enforce logical access | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.2.6 | Access to system components and data is appropriately defined and assigned | Enforce mandatory and discretionary access control policies | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.2.6 | Access to system components and data is appropriately defined and assigned | Require approval for account creation | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.2.6 | Access to system components and data is appropriately defined and assigned | Review user groups and applications with access to sensitive data | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.3.1 | Access to system components and data is managed via an access control system(s) | Accounts with owner permissions on Azure resources should be MFA enabled | 1.0.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.3.1 | Access to system components and data is managed via an access control system(s) | Accounts with write permissions on Azure resources should be MFA enabled | 1.0.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.3.1 | Access to system components and data is managed via an access control system(s) | Authorize access to security functions and information | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.3.1 | Access to system components and data is managed via an access control system(s) | Authorize and manage access | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.3.1 | Access to system components and data is managed via an access control system(s) | Automate account management | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.3.1 | Access to system components and data is managed via an access control system(s) | Enforce logical access | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.3.1 | Access to system components and data is managed via an access control system(s) | Enforce mandatory and discretionary access control policies | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.3.1 | Access to system components and data is managed via an access control system(s) | Guest accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.3.1 | Access to system components and data is managed via an access control system(s) | Guest accounts with read permissions on Azure resources should be removed | 1.0.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.3.1 | Access to system components and data is managed via an access control system(s) | Guest accounts with write permissions on Azure resources should be removed | 1.0.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.3.1 | Access to system components and data is managed via an access control system(s) | Manage system and admin accounts | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.3.1 | Access to system components and data is managed via an access control system(s) | Monitor access across the organization | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.3.1 | Access to system components and data is managed via an access control system(s) | Notify when account is not needed | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.3.1 | Access to system components and data is managed via an access control system(s) | Require approval for account creation | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.3.1 | Access to system components and data is managed via an access control system(s) | Review user groups and applications with access to sensitive data | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.3.2 | Access to system components and data is managed via an access control system(s) | Authorize access to security functions and information | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.3.2 | Access to system components and data is managed via an access control system(s) | Authorize and manage access | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.3.2 | Access to system components and data is managed via an access control system(s) | Automate account management | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.3.2 | Access to system components and data is managed via an access control system(s) | Enforce logical access | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.3.2 | Access to system components and data is managed via an access control system(s) | Enforce mandatory and discretionary access control policies | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.3.2 | Access to system components and data is managed via an access control system(s) | Manage system and admin accounts | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.3.2 | Access to system components and data is managed via an access control system(s) | Monitor access across the organization | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.3.2 | Access to system components and data is managed via an access control system(s) | Notify when account is not needed | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.3.2 | Access to system components and data is managed via an access control system(s) | Require approval for account creation | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.3.2 | Access to system components and data is managed via an access control system(s) | Review user groups and applications with access to sensitive data | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.3.3 | Access to system components and data is managed via an access control system(s) | Authorize access to security functions and information | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.3.3 | Access to system components and data is managed via an access control system(s) | Authorize and manage access | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.3.3 | Access to system components and data is managed via an access control system(s) | Enforce logical access | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.3.3 | Access to system components and data is managed via an access control system(s) | Enforce mandatory and discretionary access control policies | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.3.3 | Access to system components and data is managed via an access control system(s) | Require approval for account creation | 1.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.3.3 | Access to system components and data is managed via an access control system(s) | Review user groups and applications with access to sensitive data | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.1.1 | Processes and mechanisms for identifying users and authenticating access to system components are defined and understood | Review and update identification and authentication policies and procedures | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.2.1 | User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle | Assign system identifiers | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.2.1 | User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle | Enforce user uniqueness | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.2.1 | User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle | Support personal verification credentials issued by legal authorities | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.2.2 | User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle | Define and enforce conditions for shared and group accounts | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.2.2 | User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle | Reissue authenticators for changed groups and accounts | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.2.2 | User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle | Require use of individual authenticators | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.2.2 | User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle | Terminate customer controlled account credentials | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.2.3 | User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle | Adopt biometric authentication mechanisms | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.2.3 | User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle | Identify and authenticate network devices | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.2.3 | User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle | Satisfy token quality requirements | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.2.4 | User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle | Assign system identifiers | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.2.4 | User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle | Blocked accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.2.4 | User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle | Blocked accounts with read and write permissions on Azure resources should be removed | 1.0.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.2.4 | User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle | Guest accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.2.4 | User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle | Guest accounts with read permissions on Azure resources should be removed | 1.0.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.2.4 | User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle | Guest accounts with write permissions on Azure resources should be removed | 1.0.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.2.4 | User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle | Require approval for account creation | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.2.5 | User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle | Blocked accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.2.5 | User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle | Blocked accounts with read and write permissions on Azure resources should be removed | 1.0.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.2.6 | User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle | Disable authenticators upon termination | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.2.6 | User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle | Revoke privileged roles as appropriate | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.2.7 | User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle | Blocked accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.2.7 | User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle | Blocked accounts with read and write permissions on Azure resources should be removed | 1.0.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.2.7 | User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle | Guest accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.2.7 | User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle | Guest accounts with read permissions on Azure resources should be removed | 1.0.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.2.7 | User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle | Guest accounts with write permissions on Azure resources should be removed | 1.0.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.2.7 | User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle | Identify and authenticate non-organizational users | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.2.8 | User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle | Define and enforce inactivity log policy | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.2.8 | User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle | Terminate user session automatically | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.3.1 | Strong authentication for users and administrators is established and managed | Adopt biometric authentication mechanisms | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.3.1 | Strong authentication for users and administrators is established and managed | Establish authenticator types and processes | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.3.1 | Strong authentication for users and administrators is established and managed | Identify and authenticate network devices | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.3.1 | Strong authentication for users and administrators is established and managed | Satisfy token quality requirements | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.3.10 | Strong authentication for users and administrators is established and managed | Manage authenticator lifetime and reuse | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.3.10 | Strong authentication for users and administrators is established and managed | Refresh authenticators | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.3.10.1 | Strong authentication for users and administrators is established and managed | Manage authenticator lifetime and reuse | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.3.10.1 | Strong authentication for users and administrators is established and managed | Refresh authenticators | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.3.11 | Strong authentication for users and administrators is established and managed | Adopt biometric authentication mechanisms | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.3.11 | Strong authentication for users and administrators is established and managed | Distribute authenticators | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.3.11 | Strong authentication for users and administrators is established and managed | Establish authenticator types and processes | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.3.11 | Strong authentication for users and administrators is established and managed | Identify and authenticate network devices | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.3.11 | Strong authentication for users and administrators is established and managed | Satisfy token quality requirements | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.3.11 | Strong authentication for users and administrators is established and managed | Verify identity before distributing authenticators | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.3.2 | Strong authentication for users and administrators is established and managed | Ensure authorized users protect provided authenticators | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.3.2 | Strong authentication for users and administrators is established and managed | Protect passwords with encryption | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.3.4 | Strong authentication for users and administrators is established and managed | Enforce a limit of consecutive failed login attempts | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.3.5 | Strong authentication for users and administrators is established and managed | Establish authenticator types and processes | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.3.6 | Strong authentication for users and administrators is established and managed | Document security strength requirements in acquisition contracts | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.3.6 | Strong authentication for users and administrators is established and managed | Establish a password policy | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.3.6 | Strong authentication for users and administrators is established and managed | Implement parameters for memorized secret verifiers | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.3.8 | Strong authentication for users and administrators is established and managed | Implement training for protecting authenticators | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.3.9 | Strong authentication for users and administrators is established and managed | Manage authenticator lifetime and reuse | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.3.9 | Strong authentication for users and administrators is established and managed | Refresh authenticators | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.4.1 | Multi-factor authentication (MFA) is implemented to secure access into the CDE | Accounts with owner permissions on Azure resources should be MFA enabled | 1.0.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.4.1 | Multi-factor authentication (MFA) is implemented to secure access into the CDE | Accounts with write permissions on Azure resources should be MFA enabled | 1.0.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.4.1 | Multi-factor authentication (MFA) is implemented to secure access into the CDE | Adopt biometric authentication mechanisms | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.4.1 | Multi-factor authentication (MFA) is implemented to secure access into the CDE | Guest accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.4.1 | Multi-factor authentication (MFA) is implemented to secure access into the CDE | Guest accounts with read permissions on Azure resources should be removed | 1.0.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.4.1 | Multi-factor authentication (MFA) is implemented to secure access into the CDE | Guest accounts with write permissions on Azure resources should be removed | 1.0.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.4.2 | Multi-factor authentication (MFA) is implemented to secure access into the CDE | Adopt biometric authentication mechanisms | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.4.2 | Multi-factor authentication (MFA) is implemented to secure access into the CDE | Authorize remote access | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.4.2 | Multi-factor authentication (MFA) is implemented to secure access into the CDE | Document mobility training | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.4.2 | Multi-factor authentication (MFA) is implemented to secure access into the CDE | Document remote access guidelines | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.4.2 | Multi-factor authentication (MFA) is implemented to secure access into the CDE | Identify and authenticate network devices | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.4.2 | Multi-factor authentication (MFA) is implemented to secure access into the CDE | Implement controls to secure alternate work sites | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.4.2 | Multi-factor authentication (MFA) is implemented to secure access into the CDE | Provide privacy training | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.4.2 | Multi-factor authentication (MFA) is implemented to secure access into the CDE | Satisfy token quality requirements | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.4.3 | Multi-factor authentication (MFA) is implemented to secure access into the CDE | Adopt biometric authentication mechanisms | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.4.3 | Multi-factor authentication (MFA) is implemented to secure access into the CDE | Authorize remote access | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.4.3 | Multi-factor authentication (MFA) is implemented to secure access into the CDE | Document mobility training | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.4.3 | Multi-factor authentication (MFA) is implemented to secure access into the CDE | Document remote access guidelines | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.4.3 | Multi-factor authentication (MFA) is implemented to secure access into the CDE | Identify and authenticate network devices | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.4.3 | Multi-factor authentication (MFA) is implemented to secure access into the CDE | Implement controls to secure alternate work sites | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.4.3 | Multi-factor authentication (MFA) is implemented to secure access into the CDE | Provide privacy training | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.4.3 | Multi-factor authentication (MFA) is implemented to secure access into the CDE | Satisfy token quality requirements | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.5.1 | Multi-factor authentication (MFA) systems are configured to prevent misuse | Adopt biometric authentication mechanisms | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.5.1 | Multi-factor authentication (MFA) systems are configured to prevent misuse | Authorize remote access | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.5.1 | Multi-factor authentication (MFA) systems are configured to prevent misuse | Document mobility training | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.5.1 | Multi-factor authentication (MFA) systems are configured to prevent misuse | Document remote access guidelines | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.5.1 | Multi-factor authentication (MFA) systems are configured to prevent misuse | Identify and authenticate network devices | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.5.1 | Multi-factor authentication (MFA) systems are configured to prevent misuse | Implement controls to secure alternate work sites | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.5.1 | Multi-factor authentication (MFA) systems are configured to prevent misuse | Provide privacy training | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.5.1 | Multi-factor authentication (MFA) systems are configured to prevent misuse | Satisfy token quality requirements | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.6.1 | Use of application and system accounts and associated authentication factors is strictly managed | Define information system account types | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.6.1 | Use of application and system accounts and associated authentication factors is strictly managed | Require approval for account creation | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.6.2 | Use of application and system accounts and associated authentication factors is strictly managed | Implement training for protecting authenticators | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.6.3 | Use of application and system accounts and associated authentication factors is strictly managed | Document security strength requirements in acquisition contracts | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.6.3 | Use of application and system accounts and associated authentication factors is strictly managed | Establish a password policy | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.6.3 | Use of application and system accounts and associated authentication factors is strictly managed | Implement parameters for memorized secret verifiers | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.6.3 | Use of application and system accounts and associated authentication factors is strictly managed | Implement training for protecting authenticators | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.6.3 | Use of application and system accounts and associated authentication factors is strictly managed | Manage authenticator lifetime and reuse | 1.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.6.3 | Use of application and system accounts and associated authentication factors is strictly managed | Refresh authenticators | 1.1.0 |
| Requirement 09: Restrict Physical Access to Cardholder Data | 9.1.1 | Processes and mechanisms for restricting physical access to cardholder data are defined and understood | Review and update media protection policies and procedures | 1.1.0 |
| Requirement 09: Restrict Physical Access to Cardholder Data | 9.1.1 | Processes and mechanisms for restricting physical access to cardholder data are defined and understood | Review and update physical and environmental policies and procedures | 1.1.0 |
| Requirement 09: Restrict Physical Access to Cardholder Data | 9.2.2 | Physical access controls manage entry into facilities and systems containing cardholder data | Control physical access | 1.1.0 |
| Requirement 09: Restrict Physical Access to Cardholder Data | 9.2.3 | Physical access controls manage entry into facilities and systems containing cardholder data | Control physical access | 1.1.0 |
| Requirement 09: Restrict Physical Access to Cardholder Data | 9.2.3 | Physical access controls manage entry into facilities and systems containing cardholder data | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Requirement 09: Restrict Physical Access to Cardholder Data | 9.2.4 | Physical access controls manage entry into facilities and systems containing cardholder data | Control physical access | 1.1.0 |
| Requirement 09: Restrict Physical Access to Cardholder Data | 9.2.4 | Physical access controls manage entry into facilities and systems containing cardholder data | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Requirement 09: Restrict Physical Access to Cardholder Data | 9.3.1 | Physical access for personnel and visitors is authorized and managed | Control physical access | 1.1.0 |
| Requirement 09: Restrict Physical Access to Cardholder Data | 9.3.1.1 | Physical access for personnel and visitors is authorized and managed | Control physical access | 1.1.0 |
| Requirement 09: Restrict Physical Access to Cardholder Data | 9.3.2 | Physical access for personnel and visitors is authorized and managed | Control physical access | 1.1.0 |
| Requirement 09: Restrict Physical Access to Cardholder Data | 9.3.2 | Physical access for personnel and visitors is authorized and managed | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Requirement 09: Restrict Physical Access to Cardholder Data | 9.3.3 | Physical access for personnel and visitors is authorized and managed | Control physical access | 1.1.0 |
| Requirement 09: Restrict Physical Access to Cardholder Data | 9.3.3 | Physical access for personnel and visitors is authorized and managed | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Requirement 09: Restrict Physical Access to Cardholder Data | 9.3.4 | Physical access for personnel and visitors is authorized and managed | Control physical access | 1.1.0 |
| Requirement 09: Restrict Physical Access to Cardholder Data | 9.3.4 | Physical access for personnel and visitors is authorized and managed | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Requirement 09: Restrict Physical Access to Cardholder Data | 9.4.1 | Media with cardholder data is securely stored, accessed, distributed, and destroyed | Implement controls to secure all media | 1.1.0 |
| Requirement 09: Restrict Physical Access to Cardholder Data | 9.4.1.1 | Media with cardholder data is securely stored, accessed, distributed, and destroyed | Implement controls to secure all media | 1.1.0 |
| Requirement 09: Restrict Physical Access to Cardholder Data | 9.4.2 | Media with cardholder data is securely stored, accessed, distributed, and destroyed | Implement controls to secure all media | 1.1.0 |
| Requirement 09: Restrict Physical Access to Cardholder Data | 9.4.3 | Media with cardholder data is securely stored, accessed, distributed, and destroyed | Implement controls to secure all media | 1.1.0 |
| Requirement 09: Restrict Physical Access to Cardholder Data | 9.4.3 | Media with cardholder data is securely stored, accessed, distributed, and destroyed | Manage the transportation of assets | 1.1.0 |
| Requirement 09: Restrict Physical Access to Cardholder Data | 9.4.4 | Media with cardholder data is securely stored, accessed, distributed, and destroyed | Implement controls to secure all media | 1.1.0 |
| Requirement 09: Restrict Physical Access to Cardholder Data | 9.4.4 | Media with cardholder data is securely stored, accessed, distributed, and destroyed | Manage the transportation of assets | 1.1.0 |
| Requirement 09: Restrict Physical Access to Cardholder Data | 9.4.5.1 | Media with cardholder data is securely stored, accessed, distributed, and destroyed | Create a data inventory | 1.1.0 |
| Requirement 09: Restrict Physical Access to Cardholder Data | 9.4.5.1 | Media with cardholder data is securely stored, accessed, distributed, and destroyed | Maintain records of processing of personal data | 1.1.0 |
| Requirement 09: Restrict Physical Access to Cardholder Data | 9.4.6 | Media with cardholder data is securely stored, accessed, distributed, and destroyed | Employ a media sanitization mechanism | 1.1.0 |
| Requirement 09: Restrict Physical Access to Cardholder Data | 9.4.6 | Media with cardholder data is securely stored, accessed, distributed, and destroyed | Implement controls to secure all media | 1.1.0 |
| Requirement 09: Restrict Physical Access to Cardholder Data | 9.4.6 | Media with cardholder data is securely stored, accessed, distributed, and destroyed | Perform disposition review | 1.1.0 |
| Requirement 09: Restrict Physical Access to Cardholder Data | 9.4.6 | Media with cardholder data is securely stored, accessed, distributed, and destroyed | Verify personal data is deleted at the end of processing | 1.1.0 |
| Requirement 09: Restrict Physical Access to Cardholder Data | 9.4.7 | Media with cardholder data is securely stored, accessed, distributed, and destroyed | Employ a media sanitization mechanism | 1.1.0 |
| Requirement 09: Restrict Physical Access to Cardholder Data | 9.4.7 | Media with cardholder data is securely stored, accessed, distributed, and destroyed | Implement controls to secure all media | 1.1.0 |
| Requirement 09: Restrict Physical Access to Cardholder Data | 9.4.7 | Media with cardholder data is securely stored, accessed, distributed, and destroyed | Perform disposition review | 1.1.0 |
| Requirement 09: Restrict Physical Access to Cardholder Data | 9.4.7 | Media with cardholder data is securely stored, accessed, distributed, and destroyed | Verify personal data is deleted at the end of processing | 1.1.0 |
| Requirement 09: Restrict Physical Access to Cardholder Data | 9.5.1 | Point of interaction (POI) devices are protected from tampering and unauthorized substitution | Control physical access | 1.1.0 |
| Requirement 09: Restrict Physical Access to Cardholder Data | 9.5.1 | Point of interaction (POI) devices are protected from tampering and unauthorized substitution | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Requirement 09: Restrict Physical Access to Cardholder Data | 9.5.1 | Point of interaction (POI) devices are protected from tampering and unauthorized substitution | Manage the input, output, processing, and storage of data | 1.1.0 |
| Requirement 09: Restrict Physical Access to Cardholder Data | 9.5.1.2 | Point of interaction (POI) devices are protected from tampering and unauthorized substitution | Control physical access | 1.1.0 |
| Requirement 09: Restrict Physical Access to Cardholder Data | 9.5.1.2 | Point of interaction (POI) devices are protected from tampering and unauthorized substitution | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Requirement 09: Restrict Physical Access to Cardholder Data | 9.5.1.2 | Point of interaction (POI) devices are protected from tampering and unauthorized substitution | Manage the input, output, processing, and storage of data | 1.1.0 |
| Requirement 09: Restrict Physical Access to Cardholder Data | 9.5.1.2.1 | Point of interaction (POI) devices are protected from tampering and unauthorized substitution | Control physical access | 1.1.0 |
| Requirement 09: Restrict Physical Access to Cardholder Data | 9.5.1.2.1 | Point of interaction (POI) devices are protected from tampering and unauthorized substitution | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Requirement 09: Restrict Physical Access to Cardholder Data | 9.5.1.2.1 | Point of interaction (POI) devices are protected from tampering and unauthorized substitution | Manage the input, output, processing, and storage of data | 1.1.0 |
| Requirement 09: Restrict Physical Access to Cardholder Data | 9.5.1.3 | Point of interaction (POI) devices are protected from tampering and unauthorized substitution | Provide security training before providing access | 1.1.0 |
Reserve Bank of India - IT Framework for NBFC
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Reserve Bank of India - IT Framework for NBFC. For more information about this compliance standard, see Reserve Bank of India - IT Framework for NBFC.
Reserve Bank of India IT Framework for Banks v2016
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - RBI ITF Banks v2016. For more information about this compliance standard, see RBI ITF Banks v2016 (PDF).
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| User Access Control / Management | User Access Control / Management-8.3 | A maximum of 3 owners should be designated for your subscription | 3.0.0 | |
| Authentication Framework For Customers | Authentication Framework For Customers-9.1 | Accounts with owner permissions on Azure resources should be MFA enabled | 1.0.0 | |
| Authentication Framework For Customers | Authentication Framework For Customers-9.1 | Accounts with read permissions on Azure resources should be MFA enabled | 1.0.0 | |
| Authentication Framework For Customers | Authentication Framework For Customers-9.1 | Accounts with write permissions on Azure resources should be MFA enabled | 1.0.0 | |
| Incident Response & Management | Recovery From Cyber - Incidents-19.4 | Audit virtual machines without disaster recovery configured | 1.0.0 | |
| Network Management And Security | Security Operation Centre-4.9 | Azure Defender for App Service should be enabled | 1.0.3 | |
| Network Management And Security | Security Operation Centre-4.9 | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 | |
| Network Management And Security | Security Operation Centre-4.9 | Azure Defender for Key Vault should be enabled | 1.0.3 | |
| Network Management And Security | Security Operation Centre-4.9 | Azure Defender for open-source relational databases should be enabled | 1.0.0 | |
| Network Management And Security | Security Operation Centre-4.9 | Azure Defender for Resource Manager should be enabled | 1.0.0 | |
| Network Management And Security | Security Operation Centre-4.9 | Azure Defender for servers should be enabled | 1.0.3 | |
| Network Management And Security | Security Operation Centre-4.9 | Azure Defender for SQL servers on machines should be enabled | 1.0.2 | |
| Maintenance, Monitoring, And Analysis Of Audit Logs | Maintenance, Monitoring, And Analysis Of Audit Logs-16.2 | Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' | 1.0.0 | |
| Maintenance, Monitoring, And Analysis Of Audit Logs | Maintenance, Monitoring, And Analysis Of Audit Logs-16.1 | Azure Monitor should collect activity logs from all regions | 2.0.0 | |
| Maintenance, Monitoring, And Analysis Of Audit Logs | Maintenance, Monitoring, And Analysis Of Audit Logs-16.2 | Azure subscriptions should have a log profile for Activity Log | 1.0.0 | |
| User Access Control / Management | User Access Control / Management-8.1 | Blocked accounts with owner permissions on Azure resources should be removed | 1.0.0 | |
| User Access Control / Management | User Access Control / Management-8.1 | Blocked accounts with read and write permissions on Azure resources should be removed | 1.0.0 | |
| Network Management And Security | Anomaly Detection-4.7 | Email notification for high severity alerts should be enabled | 1.1.0 | |
| Network Management And Security | Anomaly Detection-4.7 | Email notification to subscription owner for high severity alerts should be enabled | 2.1.0 | |
| Authentication Framework For Customers | Authentication Framework For Customers-9.3 | Guest accounts with owner permissions on Azure resources should be removed | 1.0.0 | |
| Authentication Framework For Customers | Authentication Framework For Customers-9.3 | Guest accounts with read permissions on Azure resources should be removed | 1.0.0 | |
| Authentication Framework For Customers | Authentication Framework For Customers-9.3 | Guest accounts with write permissions on Azure resources should be removed | 1.0.0 | |
| Secure Configuration | Secure Configuration-5.1 | Microsoft Defender for Azure Cosmos DB should be enabled | 1.0.0 | |
| Network Management And Security | Security Operation Centre-4.9 | Microsoft Defender for Containers should be enabled | 1.0.0 | |
| Network Management And Security | Security Operation Centre-4.9 | Microsoft Defender for Storage should be enabled | 1.0.0 | |
| Network Management And Security | Anomaly Detection-4.7 | Subscriptions should have a contact email address for security issues | 1.0.1 | |
| User Access Control / Management | User Access Control / Management-8.3 | There should be more than one owner assigned to your subscription | 3.0.0 |
RMIT Malaysia
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - RMIT Malaysia. For more information about this compliance standard, see RMIT Malaysia.
SWIFT CSP-CSCF v2021
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for SWIFT CSP-CSCF v2021. For more information about this compliance standard, see SWIFT CSP CSCF v2021.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| SWIFT Environment Protection | 1.2 | Operating System Privileged Account Control | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| SWIFT Environment Protection | 1.2 | Operating System Privileged Account Control | Blocked accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| SWIFT Environment Protection | 1.2 | Operating System Privileged Account Control | Blocked accounts with read and write permissions on Azure resources should be removed | 1.0.0 |
| SWIFT Environment Protection | 1.2 | Operating System Privileged Account Control | Guest accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| SWIFT Environment Protection | 1.2 | Operating System Privileged Account Control | Guest accounts with read permissions on Azure resources should be removed | 1.0.0 |
| SWIFT Environment Protection | 1.2 | Operating System Privileged Account Control | Guest accounts with write permissions on Azure resources should be removed | 1.0.0 |
| SWIFT Environment Protection | 1.2 | Operating System Privileged Account Control | There should be more than one owner assigned to your subscription | 3.0.0 |
| Reduce Attack Surface and Vulnerabilities | 2.5A | External Transmission Data Protection | Audit virtual machines without disaster recovery configured | 1.0.0 |
| Reduce Attack Surface and Vulnerabilities | 2.7 | Vulnerability Scanning | Azure Defender for App Service should be enabled | 1.0.3 |
| Reduce Attack Surface and Vulnerabilities | 2.7 | Vulnerability Scanning | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Reduce Attack Surface and Vulnerabilities | 2.7 | Vulnerability Scanning | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Reduce Attack Surface and Vulnerabilities | 2.7 | Vulnerability Scanning | Azure Defender for servers should be enabled | 1.0.3 |
| Reduce Attack Surface and Vulnerabilities | 2.7 | Vulnerability Scanning | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Reduce Attack Surface and Vulnerabilities | 2.7 | Vulnerability Scanning | Microsoft Defender for Storage should be enabled | 1.0.0 |
| Prevent Compromise of Credentials | 4.2 | Multi-factor Authentication | Accounts with owner permissions on Azure resources should be MFA enabled | 1.0.0 |
| Prevent Compromise of Credentials | 4.2 | Multi-factor Authentication | Accounts with read permissions on Azure resources should be MFA enabled | 1.0.0 |
| Prevent Compromise of Credentials | 4.2 | Multi-factor Authentication | Accounts with write permissions on Azure resources should be MFA enabled | 1.0.0 |
| Manage Identities and Segregate Privileges | 5.1 | Logical Access Control | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| Manage Identities and Segregate Privileges | 5.1 | Logical Access Control | Blocked accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| Manage Identities and Segregate Privileges | 5.1 | Logical Access Control | Blocked accounts with read and write permissions on Azure resources should be removed | 1.0.0 |
| Manage Identities and Segregate Privileges | 5.1 | Logical Access Control | Guest accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| Manage Identities and Segregate Privileges | 5.1 | Logical Access Control | Guest accounts with read permissions on Azure resources should be removed | 1.0.0 |
| Manage Identities and Segregate Privileges | 5.1 | Logical Access Control | Guest accounts with write permissions on Azure resources should be removed | 1.0.0 |
| Manage Identities and Segregate Privileges | 5.1 | Logical Access Control | There should be more than one owner assigned to your subscription | 3.0.0 |
| Detect Anomalous Activity to Systems or Transaction Records | 6.4 | Logging and Monitoring | Activity log should be retained for at least one year | 1.0.0 |
| Detect Anomalous Activity to Systems or Transaction Records | 6.4 | Logging and Monitoring | Audit virtual machines without disaster recovery configured | 1.0.0 |
| Detect Anomalous Activity to Systems or Transaction Records | 6.4 | Logging and Monitoring | Auto provisioning of the Log Analytics agent should be enabled on your subscription | 1.0.1 |
| Detect Anomalous Activity to Systems or Transaction Records | 6.4 | Logging and Monitoring | Azure Defender for App Service should be enabled | 1.0.3 |
| Detect Anomalous Activity to Systems or Transaction Records | 6.4 | Logging and Monitoring | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Detect Anomalous Activity to Systems or Transaction Records | 6.4 | Logging and Monitoring | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Detect Anomalous Activity to Systems or Transaction Records | 6.4 | Logging and Monitoring | Azure Defender for servers should be enabled | 1.0.3 |
| Detect Anomalous Activity to Systems or Transaction Records | 6.4 | Logging and Monitoring | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Detect Anomalous Activity to Systems or Transaction Records | 6.4 | Logging and Monitoring | Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' | 1.0.0 |
| Detect Anomalous Activity to Systems or Transaction Records | 6.4 | Logging and Monitoring | Azure Monitor should collect activity logs from all regions | 2.0.0 |
| Detect Anomalous Activity to Systems or Transaction Records | 6.4 | Logging and Monitoring | Azure Monitor solution 'Security and Audit' must be deployed | 1.0.0 |
| Detect Anomalous Activity to Systems or Transaction Records | 6.4 | Logging and Monitoring | Microsoft Defender for Storage should be enabled | 1.0.0 |
| Detect Anomalous Activity to Systems or Transaction Records | 6.5A | Intrusion Detection | Azure Defender for App Service should be enabled | 1.0.3 |
| Detect Anomalous Activity to Systems or Transaction Records | 6.5A | Intrusion Detection | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Detect Anomalous Activity to Systems or Transaction Records | 6.5A | Intrusion Detection | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Detect Anomalous Activity to Systems or Transaction Records | 6.5A | Intrusion Detection | Azure Defender for servers should be enabled | 1.0.3 |
| Detect Anomalous Activity to Systems or Transaction Records | 6.5A | Intrusion Detection | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Detect Anomalous Activity to Systems or Transaction Records | 6.5A | Intrusion Detection | Microsoft Defender for Storage should be enabled | 1.0.0 |
| Plan for Incident Response and Information Sharing | 7.1 | Cyber Incident Response Planning | Email notification for high severity alerts should be enabled | 1.1.0 |
| Plan for Incident Response and Information Sharing | 7.1 | Cyber Incident Response Planning | Email notification to subscription owner for high severity alerts should be enabled | 2.1.0 |
| Plan for Incident Response and Information Sharing | 7.1 | Cyber Incident Response Planning | Subscriptions should have a contact email address for security issues | 1.0.1 |
SWIFT CSP-CSCF v2022
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for SWIFT CSP-CSCF v2022. For more information about this compliance standard, see SWIFT CSP CSCF v2022.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| 1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.1 | Ensure the protection of the user's local SWIFT infrastructure from potentially compromised elements of the general IT environment and external environment. | Check for privacy and security compliance before establishing internal connections | 1.1.0 |
| 1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.1 | Ensure the protection of the user's local SWIFT infrastructure from potentially compromised elements of the general IT environment and external environment. | Ensure external providers consistently meet interests of the customers | 1.1.0 |
| 1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.1 | Ensure the protection of the user's local SWIFT infrastructure from potentially compromised elements of the general IT environment and external environment. | Implement system boundary protection | 1.1.0 |
| 1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.1 | Ensure the protection of the user's local SWIFT infrastructure from potentially compromised elements of the general IT environment and external environment. | Review cloud service provider's compliance with policies and agreements | 1.1.0 |
| 1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.1 | Ensure the protection of the user's local SWIFT infrastructure from potentially compromised elements of the general IT environment and external environment. | Undergo independent security review | 1.1.0 |
| 1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.2 | Restrict and control the allocation and usage of administrator-level operating system accounts. | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| 1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.2 | Restrict and control the allocation and usage of administrator-level operating system accounts. | Audit privileged functions | 1.1.0 |
| 1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.2 | Restrict and control the allocation and usage of administrator-level operating system accounts. | Blocked accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| 1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.2 | Restrict and control the allocation and usage of administrator-level operating system accounts. | Blocked accounts with read and write permissions on Azure resources should be removed | 1.0.0 |
| 1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.2 | Restrict and control the allocation and usage of administrator-level operating system accounts. | Define and enforce conditions for shared and group accounts | 1.1.0 |
| 1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.2 | Restrict and control the allocation and usage of administrator-level operating system accounts. | Design an access control model | 1.1.0 |
| 1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.2 | Restrict and control the allocation and usage of administrator-level operating system accounts. | Develop and establish a system security plan | 1.1.0 |
| 1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.2 | Restrict and control the allocation and usage of administrator-level operating system accounts. | Develop information security policies and procedures | 1.1.0 |
| 1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.2 | Restrict and control the allocation and usage of administrator-level operating system accounts. | Employ least privilege access | 1.1.0 |
| 1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.2 | Restrict and control the allocation and usage of administrator-level operating system accounts. | Establish a privacy program | 1.1.0 |
| 1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.2 | Restrict and control the allocation and usage of administrator-level operating system accounts. | Establish security requirements for the manufacturing of connected devices | 1.1.0 |
| 1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.2 | Restrict and control the allocation and usage of administrator-level operating system accounts. | Guest accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| 1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.2 | Restrict and control the allocation and usage of administrator-level operating system accounts. | Guest accounts with read permissions on Azure resources should be removed | 1.0.0 |
| 1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.2 | Restrict and control the allocation and usage of administrator-level operating system accounts. | Guest accounts with write permissions on Azure resources should be removed | 1.0.0 |
| 1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.2 | Restrict and control the allocation and usage of administrator-level operating system accounts. | Implement security engineering principles of information systems | 1.1.0 |
| 1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.2 | Restrict and control the allocation and usage of administrator-level operating system accounts. | Monitor account activity | 1.1.0 |
| 1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.2 | Restrict and control the allocation and usage of administrator-level operating system accounts. | Monitor privileged role assignment | 1.1.0 |
| 1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.2 | Restrict and control the allocation and usage of administrator-level operating system accounts. | Restrict access to privileged accounts | 1.1.0 |
| 1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.2 | Restrict and control the allocation and usage of administrator-level operating system accounts. | Revoke privileged roles as appropriate | 1.1.0 |
| 1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.2 | Restrict and control the allocation and usage of administrator-level operating system accounts. | There should be more than one owner assigned to your subscription | 3.0.0 |
| 1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.2 | Restrict and control the allocation and usage of administrator-level operating system accounts. | Use privileged identity management | 1.1.0 |
| 1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.3 | Secure the virtualisation platform and virtual machines (VMs) that host SWIFT-related components to the same level as physical systems. | Implement system boundary protection | 1.1.0 |
| 1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.4 | Control/Protect Internet access from operator PCs and systems within the secure zone. | Authorize remote access | 1.1.0 |
| 1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.4 | Control/Protect Internet access from operator PCs and systems within the secure zone. | Define cryptographic use | 1.1.0 |
| 1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.4 | Control/Protect Internet access from operator PCs and systems within the secure zone. | Document and implement wireless access guidelines | 1.1.0 |
| 1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.4 | Control/Protect Internet access from operator PCs and systems within the secure zone. | Document mobility training | 1.1.0 |
| 1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.4 | Control/Protect Internet access from operator PCs and systems within the secure zone. | Document remote access guidelines | 1.1.0 |
| 1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.4 | Control/Protect Internet access from operator PCs and systems within the secure zone. | Implement controls to secure alternate work sites | 1.1.0 |
| 1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.4 | Control/Protect Internet access from operator PCs and systems within the secure zone. | Protect wireless access | 1.1.0 |
| 1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.4 | Control/Protect Internet access from operator PCs and systems within the secure zone. | Provide privacy training | 1.1.0 |
| 1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.5A | Ensure the protection of the customer's connectivity infrastructure from external environment and potentially compromised elements of the general IT environment. | Control information flow | 1.1.0 |
| 1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.5A | Ensure the protection of the customer's connectivity infrastructure from external environment and potentially compromised elements of the general IT environment. | Employ boundary protection to isolate information systems | 1.1.0 |
| 1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.5A | Ensure the protection of the customer's connectivity infrastructure from external environment and potentially compromised elements of the general IT environment. | Employ flow control mechanisms of encrypted information | 1.1.0 |
| 1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.5A | Ensure the protection of the customer's connectivity infrastructure from external environment and potentially compromised elements of the general IT environment. | Employ restrictions on external system interconnections | 1.1.0 |
| 1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.5A | Ensure the protection of the customer's connectivity infrastructure from external environment and potentially compromised elements of the general IT environment. | Establish firewall and router configuration standards | 1.1.0 |
| 1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.5A | Ensure the protection of the customer's connectivity infrastructure from external environment and potentially compromised elements of the general IT environment. | Establish network segmentation for card holder data environment | 1.1.0 |
| 1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.5A | Ensure the protection of the customer's connectivity infrastructure from external environment and potentially compromised elements of the general IT environment. | Identify and manage downstream information exchanges | 1.1.0 |
| 1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.5A | Ensure the protection of the customer's connectivity infrastructure from external environment and potentially compromised elements of the general IT environment. | Implement managed interface for each external service | 1.1.0 |
| 1. Restrict Internet Access & Protect Critical Systems from General IT Environment | 1.5A | Ensure the protection of the customer's connectivity infrastructure from external environment and potentially compromised elements of the general IT environment. | Implement system boundary protection | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.1 | Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. | Configure actions for noncompliant devices | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.1 | Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. | Configure workstations to check for digital certificates | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.1 | Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. | Control information flow | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.1 | Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. | Define a physical key management process | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.1 | Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. | Define cryptographic use | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.1 | Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. | Define organizational requirements for cryptographic key management | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.1 | Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. | Determine assertion requirements | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.1 | Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. | Develop and maintain baseline configurations | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.1 | Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. | Employ boundary protection to isolate information systems | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.1 | Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. | Employ flow control mechanisms of encrypted information | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.1 | Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. | Enforce random unique session identifiers | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.1 | Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. | Enforce security configuration settings | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.1 | Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. | Establish a configuration control board | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.1 | Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. | Establish a data leakage management procedure | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.1 | Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. | Establish and document a configuration management plan | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.1 | Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. | Establish backup policies and procedures | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.1 | Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. | Implement an automated configuration management tool | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.1 | Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. | Implement controls to secure all media | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.1 | Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. | Implement system boundary protection | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.1 | Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. | Information flow control using security policy filters | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.1 | Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. | Isolate SecurID systems, Security Incident Management systems | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.1 | Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. | Issue public key certificates | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.1 | Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. | Maintain availability of information | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.1 | Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. | Manage symmetric cryptographic keys | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.1 | Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. | Notify users of system logon or access | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.1 | Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. | Produce, control and distribute asymmetric cryptographic keys | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.1 | Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. | Produce, control and distribute symmetric cryptographic keys | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.1 | Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. | Protect data in transit using encryption | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.1 | Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. | Protect passwords with encryption | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.1 | Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. | Protect special information | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.1 | Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. | Remediate information system flaws | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.1 | Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. | Restrict access to private keys | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.1 | Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. | Secure the interface to external systems | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.2 | Minimise the occurrence of known technical vulnerabilities on operator PCs and within the local SWIFT infrastructure by ensuring vendor support, applying mandatory software updates, and applying timely security updates aligned to the assessed risk. | Correlate Vulnerability scan information | 1.1.1 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.2 | Minimise the occurrence of known technical vulnerabilities on operator PCs and within the local SWIFT infrastructure by ensuring vendor support, applying mandatory software updates, and applying timely security updates aligned to the assessed risk. | Disseminate security alerts to personnel | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.2 | Minimise the occurrence of known technical vulnerabilities on operator PCs and within the local SWIFT infrastructure by ensuring vendor support, applying mandatory software updates, and applying timely security updates aligned to the assessed risk. | Perform vulnerability scans | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.2 | Minimise the occurrence of known technical vulnerabilities on operator PCs and within the local SWIFT infrastructure by ensuring vendor support, applying mandatory software updates, and applying timely security updates aligned to the assessed risk. | Remediate information system flaws | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.2 | Minimise the occurrence of known technical vulnerabilities on operator PCs and within the local SWIFT infrastructure by ensuring vendor support, applying mandatory software updates, and applying timely security updates aligned to the assessed risk. | Use automated mechanisms for security alerts | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.3 | Reduce the cyber-attack surface of SWIFT-related components by performing system hardening. | Automate proposed documented changes | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.3 | Reduce the cyber-attack surface of SWIFT-related components by performing system hardening. | Conduct a security impact analysis | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.3 | Reduce the cyber-attack surface of SWIFT-related components by performing system hardening. | Configure actions for noncompliant devices | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.3 | Reduce the cyber-attack surface of SWIFT-related components by performing system hardening. | Develop and maintain a vulnerability management standard | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.3 | Reduce the cyber-attack surface of SWIFT-related components by performing system hardening. | Develop and maintain baseline configurations | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.3 | Reduce the cyber-attack surface of SWIFT-related components by performing system hardening. | Enforce security configuration settings | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.3 | Reduce the cyber-attack surface of SWIFT-related components by performing system hardening. | Establish a configuration control board | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.3 | Reduce the cyber-attack surface of SWIFT-related components by performing system hardening. | Establish a risk management strategy | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.3 | Reduce the cyber-attack surface of SWIFT-related components by performing system hardening. | Establish and document a configuration management plan | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.3 | Reduce the cyber-attack surface of SWIFT-related components by performing system hardening. | Establish and document change control processes | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.3 | Reduce the cyber-attack surface of SWIFT-related components by performing system hardening. | Establish configuration management requirements for developers | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.3 | Reduce the cyber-attack surface of SWIFT-related components by performing system hardening. | Implement an automated configuration management tool | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.3 | Reduce the cyber-attack surface of SWIFT-related components by performing system hardening. | Perform a privacy impact assessment | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.3 | Reduce the cyber-attack surface of SWIFT-related components by performing system hardening. | Perform a risk assessment | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.3 | Reduce the cyber-attack surface of SWIFT-related components by performing system hardening. | Perform audit for configuration change control | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.3 | Reduce the cyber-attack surface of SWIFT-related components by performing system hardening. | Retain previous versions of baseline configs | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.4 | Ensure the confidentiality, integrity, and mutual authenticity of data flows between local or remote SWIFT infrastructure components and the back-office first hops they connect to. | Conduct backup of information system documentation | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.4 | Ensure the confidentiality, integrity, and mutual authenticity of data flows between local or remote SWIFT infrastructure components and the back-office first hops they connect to. | Configure workstations to check for digital certificates | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.4 | Ensure the confidentiality, integrity, and mutual authenticity of data flows between local or remote SWIFT infrastructure components and the back-office first hops they connect to. | Establish backup policies and procedures | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.4 | Ensure the confidentiality, integrity, and mutual authenticity of data flows between local or remote SWIFT infrastructure components and the back-office first hops they connect to. | Implement controls to secure all media | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.4 | Ensure the confidentiality, integrity, and mutual authenticity of data flows between local or remote SWIFT infrastructure components and the back-office first hops they connect to. | Notify users of system logon or access | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.4 | Ensure the confidentiality, integrity, and mutual authenticity of data flows between local or remote SWIFT infrastructure components and the back-office first hops they connect to. | Protect data in transit using encryption | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.4 | Ensure the confidentiality, integrity, and mutual authenticity of data flows between local or remote SWIFT infrastructure components and the back-office first hops they connect to. | Protect passwords with encryption | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.5 | Protect the confidentiality of SWIFT-related data transmitted or stored outside of the secure zone as part of operational processes. | Conduct backup of information system documentation | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.5 | Protect the confidentiality of SWIFT-related data transmitted or stored outside of the secure zone as part of operational processes. | Configure workstations to check for digital certificates | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.5 | Protect the confidentiality of SWIFT-related data transmitted or stored outside of the secure zone as part of operational processes. | Establish backup policies and procedures | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.5 | Protect the confidentiality of SWIFT-related data transmitted or stored outside of the secure zone as part of operational processes. | Implement controls to secure all media | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.5 | Protect the confidentiality of SWIFT-related data transmitted or stored outside of the secure zone as part of operational processes. | Manage the transportation of assets | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.5 | Protect the confidentiality of SWIFT-related data transmitted or stored outside of the secure zone as part of operational processes. | Protect data in transit using encryption | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.5 | Protect the confidentiality of SWIFT-related data transmitted or stored outside of the secure zone as part of operational processes. | Protect passwords with encryption | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.5A | External Transmission Data Protection | Audit virtual machines without disaster recovery configured | 1.0.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.6 | Protect the confidentiality and integrity of interactive operator sessions that connect to the local or remote (operated by a service provider) SWIFT infrastructure or service provider SWIFT-related applications | Authorize remote access | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.6 | Protect the confidentiality and integrity of interactive operator sessions that connect to the local or remote (operated by a service provider) SWIFT infrastructure or service provider SWIFT-related applications | Configure workstations to check for digital certificates | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.6 | Protect the confidentiality and integrity of interactive operator sessions that connect to the local or remote (operated by a service provider) SWIFT infrastructure or service provider SWIFT-related applications | Document and implement wireless access guidelines | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.6 | Protect the confidentiality and integrity of interactive operator sessions that connect to the local or remote (operated by a service provider) SWIFT infrastructure or service provider SWIFT-related applications | Document mobility training | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.6 | Protect the confidentiality and integrity of interactive operator sessions that connect to the local or remote (operated by a service provider) SWIFT infrastructure or service provider SWIFT-related applications | Document remote access guidelines | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.6 | Protect the confidentiality and integrity of interactive operator sessions that connect to the local or remote (operated by a service provider) SWIFT infrastructure or service provider SWIFT-related applications | Identify and authenticate network devices | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.6 | Protect the confidentiality and integrity of interactive operator sessions that connect to the local or remote (operated by a service provider) SWIFT infrastructure or service provider SWIFT-related applications | Implement controls to secure alternate work sites | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.6 | Protect the confidentiality and integrity of interactive operator sessions that connect to the local or remote (operated by a service provider) SWIFT infrastructure or service provider SWIFT-related applications | Protect data in transit using encryption | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.6 | Protect the confidentiality and integrity of interactive operator sessions that connect to the local or remote (operated by a service provider) SWIFT infrastructure or service provider SWIFT-related applications | Protect passwords with encryption | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.6 | Protect the confidentiality and integrity of interactive operator sessions that connect to the local or remote (operated by a service provider) SWIFT infrastructure or service provider SWIFT-related applications | Protect wireless access | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.6 | Protect the confidentiality and integrity of interactive operator sessions that connect to the local or remote (operated by a service provider) SWIFT infrastructure or service provider SWIFT-related applications | Provide privacy training | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.6 | Protect the confidentiality and integrity of interactive operator sessions that connect to the local or remote (operated by a service provider) SWIFT infrastructure or service provider SWIFT-related applications | Reauthenticate or terminate a user session | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.7 | Identify known vulnerabilities within the local SWIFT environment by implementing a regular vulnerability scanning process and act upon results. | Azure Defender for App Service should be enabled | 1.0.3 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.7 | Identify known vulnerabilities within the local SWIFT environment by implementing a regular vulnerability scanning process and act upon results. | Azure Defender for Key Vault should be enabled | 1.0.3 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.7 | Identify known vulnerabilities within the local SWIFT environment by implementing a regular vulnerability scanning process and act upon results. | Azure Defender for servers should be enabled | 1.0.3 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.7 | Identify known vulnerabilities within the local SWIFT environment by implementing a regular vulnerability scanning process and act upon results. | Correlate Vulnerability scan information | 1.1.1 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.7 | Identify known vulnerabilities within the local SWIFT environment by implementing a regular vulnerability scanning process and act upon results. | Implement privileged access for executing vulnerability scanning activities | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.7 | Identify known vulnerabilities within the local SWIFT environment by implementing a regular vulnerability scanning process and act upon results. | Incorporate flaw remediation into configuration management | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.7 | Identify known vulnerabilities within the local SWIFT environment by implementing a regular vulnerability scanning process and act upon results. | Microsoft Defender for Storage should be enabled | 1.0.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.7 | Identify known vulnerabilities within the local SWIFT environment by implementing a regular vulnerability scanning process and act upon results. | Observe and report security weaknesses | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.7 | Identify known vulnerabilities within the local SWIFT environment by implementing a regular vulnerability scanning process and act upon results. | Perform a trend analysis on threats | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.7 | Identify known vulnerabilities within the local SWIFT environment by implementing a regular vulnerability scanning process and act upon results. | Perform threat modeling | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.7 | Identify known vulnerabilities within the local SWIFT environment by implementing a regular vulnerability scanning process and act upon results. | Perform vulnerability scans | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.7 | Identify known vulnerabilities within the local SWIFT environment by implementing a regular vulnerability scanning process and act upon results. | Remediate information system flaws | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.8.5 | Ensure a consistent and effective approach for the customers' messaging monitoring. | Assess risk in third party relationships | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.8.5 | Ensure a consistent and effective approach for the customers' messaging monitoring. | Define and document government oversight | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.8.5 | Ensure a consistent and effective approach for the customers' messaging monitoring. | Define requirements for supplying goods and services | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.8.5 | Ensure a consistent and effective approach for the customers' messaging monitoring. | Determine supplier contract obligations | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.8.5 | Ensure a consistent and effective approach for the customers' messaging monitoring. | Establish policies for supply chain risk management | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.8.5 | Ensure a consistent and effective approach for the customers' messaging monitoring. | Require external service providers to comply with security requirements | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.8.5 | Ensure a consistent and effective approach for the customers' messaging monitoring. | Review cloud service provider's compliance with policies and agreements | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.8.5 | Ensure a consistent and effective approach for the customers' messaging monitoring. | Undergo independent security review | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.8A | Ensure the protection of the local SWIFT infrastructure from risks exposed by the outsourcing of critical activities. | Determine supplier contract obligations | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.8A | Ensure the protection of the local SWIFT infrastructure from risks exposed by the outsourcing of critical activities. | Document acquisition contract acceptance criteria | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.8A | Ensure the protection of the local SWIFT infrastructure from risks exposed by the outsourcing of critical activities. | Document protection of personal data in acquisition contracts | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.8A | Ensure the protection of the local SWIFT infrastructure from risks exposed by the outsourcing of critical activities. | Document protection of security information in acquisition contracts | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.8A | Ensure the protection of the local SWIFT infrastructure from risks exposed by the outsourcing of critical activities. | Document requirements for the use of shared data in contracts | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.8A | Ensure the protection of the local SWIFT infrastructure from risks exposed by the outsourcing of critical activities. | Document security assurance requirements in acquisition contracts | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.8A | Ensure the protection of the local SWIFT infrastructure from risks exposed by the outsourcing of critical activities. | Document security documentation requirements in acquisition contract | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.8A | Ensure the protection of the local SWIFT infrastructure from risks exposed by the outsourcing of critical activities. | Document security functional requirements in acquisition contracts | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.8A | Ensure the protection of the local SWIFT infrastructure from risks exposed by the outsourcing of critical activities. | Document security strength requirements in acquisition contracts | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.8A | Ensure the protection of the local SWIFT infrastructure from risks exposed by the outsourcing of critical activities. | Document the information system environment in acquisition contracts | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.8A | Ensure the protection of the local SWIFT infrastructure from risks exposed by the outsourcing of critical activities. | Document the protection of cardholder data in third party contracts | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.9 | Ensure outbound transaction activity within the expected bounds of normal business. | Authorize, monitor, and control voip | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.9 | Ensure outbound transaction activity within the expected bounds of normal business. | Control information flow | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.9 | Ensure outbound transaction activity within the expected bounds of normal business. | Employ flow control mechanisms of encrypted information | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.9 | Ensure outbound transaction activity within the expected bounds of normal business. | Implement system boundary protection | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.9 | Ensure outbound transaction activity within the expected bounds of normal business. | Manage gateways | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.9 | Ensure outbound transaction activity within the expected bounds of normal business. | Perform a trend analysis on threats | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.9 | Ensure outbound transaction activity within the expected bounds of normal business. | Route traffic through managed network access points | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.11A | Restrict transaction activity to validated and approved business counterparties. | Authorize access to security functions and information | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.11A | Restrict transaction activity to validated and approved business counterparties. | Authorize and manage access | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.11A | Restrict transaction activity to validated and approved business counterparties. | Design an access control model | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.11A | Restrict transaction activity to validated and approved business counterparties. | Employ least privilege access | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.11A | Restrict transaction activity to validated and approved business counterparties. | Enforce logical access | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.11A | Restrict transaction activity to validated and approved business counterparties. | Enforce mandatory and discretionary access control policies | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.11A | Restrict transaction activity to validated and approved business counterparties. | Reassign or remove user privileges as needed | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.11A | Restrict transaction activity to validated and approved business counterparties. | Require approval for account creation | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.11A | Restrict transaction activity to validated and approved business counterparties. | Review user groups and applications with access to sensitive data | 1.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.11A | Restrict transaction activity to validated and approved business counterparties. | Review user privileges | 1.1.0 |
| 3. Physically Secure the Environment | 3.1 | Prevent unauthorised physical access to sensitive equipment, workplace environments, hosting sites, and storage. | Control physical access | 1.1.0 |
| 3. Physically Secure the Environment | 3.1 | Prevent unauthorised physical access to sensitive equipment, workplace environments, hosting sites, and storage. | Define a physical key management process | 1.1.0 |
| 3. Physically Secure the Environment | 3.1 | Prevent unauthorised physical access to sensitive equipment, workplace environments, hosting sites, and storage. | Establish and maintain an asset inventory | 1.1.0 |
| 3. Physically Secure the Environment | 3.1 | Prevent unauthorised physical access to sensitive equipment, workplace environments, hosting sites, and storage. | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| 3. Physically Secure the Environment | 3.1 | Prevent unauthorised physical access to sensitive equipment, workplace environments, hosting sites, and storage. | Install an alarm system | 1.1.0 |
| 3. Physically Secure the Environment | 3.1 | Prevent unauthorised physical access to sensitive equipment, workplace environments, hosting sites, and storage. | Manage a secure surveillance camera system | 1.1.0 |
| 3. Physically Secure the Environment | 3.1 | Prevent unauthorised physical access to sensitive equipment, workplace environments, hosting sites, and storage. | Review and update physical and environmental policies and procedures | 1.1.0 |
| 4. Prevent Compromise of Credentials | 4.1 | Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy. | Document security strength requirements in acquisition contracts | 1.1.0 |
| 4. Prevent Compromise of Credentials | 4.1 | Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy. | Establish a password policy | 1.1.0 |
| 4. Prevent Compromise of Credentials | 4.1 | Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy. | Establish authenticator types and processes | 1.1.0 |
| 4. Prevent Compromise of Credentials | 4.1 | Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy. | Implement parameters for memorized secret verifiers | 1.1.0 |
| 4. Prevent Compromise of Credentials | 4.1 | Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy. | Manage authenticator lifetime and reuse | 1.1.0 |
| 4. Prevent Compromise of Credentials | 4.1 | Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy. | Protect passwords with encryption | 1.1.0 |
| 4. Prevent Compromise of Credentials | 4.2 | Prevent that a compromise of a single authentication factor allows access into SWIFT-related systems or applications by implementing multi-factor authentication. | Accounts with owner permissions on Azure resources should be MFA enabled | 1.0.0 |
| 4. Prevent Compromise of Credentials | 4.2 | Prevent that a compromise of a single authentication factor allows access into SWIFT-related systems or applications by implementing multi-factor authentication. | Accounts with read permissions on Azure resources should be MFA enabled | 1.0.0 |
| 4. Prevent Compromise of Credentials | 4.2 | Prevent that a compromise of a single authentication factor allows access into SWIFT-related systems or applications by implementing multi-factor authentication. | Accounts with write permissions on Azure resources should be MFA enabled | 1.0.0 |
| 4. Prevent Compromise of Credentials | 4.2 | Prevent that a compromise of a single authentication factor allows access into SWIFT-related systems or applications by implementing multi-factor authentication. | Adopt biometric authentication mechanisms | 1.1.0 |
| 4. Prevent Compromise of Credentials | 4.2 | Prevent that a compromise of a single authentication factor allows access into SWIFT-related systems or applications by implementing multi-factor authentication. | Identify and authenticate network devices | 1.1.0 |
| 5. Manage Identities and Segregate Privileges | 5.1 | Enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts. | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| 5. Manage Identities and Segregate Privileges | 5.1 | Enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts. | Assign account managers | 1.1.0 |
| 5. Manage Identities and Segregate Privileges | 5.1 | Enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts. | Audit user account status | 1.1.0 |
| 5. Manage Identities and Segregate Privileges | 5.1 | Enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts. | Automate account management | 1.1.0 |
| 5. Manage Identities and Segregate Privileges | 5.1 | Enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts. | Blocked accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| 5. Manage Identities and Segregate Privileges | 5.1 | Enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts. | Blocked accounts with read and write permissions on Azure resources should be removed | 1.0.0 |
| 5. Manage Identities and Segregate Privileges | 5.1 | Enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts. | Define access authorizations to support separation of duties | 1.1.0 |
| 5. Manage Identities and Segregate Privileges | 5.1 | Enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts. | Define information system account types | 1.1.0 |
| 5. Manage Identities and Segregate Privileges | 5.1 | Enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts. | Design an access control model | 1.1.0 |
| 5. Manage Identities and Segregate Privileges | 5.1 | Enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts. | Disable authenticators upon termination | 1.1.0 |
| 5. Manage Identities and Segregate Privileges | 5.1 | Enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts. | Document access privileges | 1.1.0 |
| 5. Manage Identities and Segregate Privileges | 5.1 | Enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts. | Document separation of duties | 1.1.0 |
| 5. Manage Identities and Segregate Privileges | 5.1 | Enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts. | Employ least privilege access | 1.1.0 |
| 5. Manage Identities and Segregate Privileges | 5.1 | Enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts. | Establish conditions for role membership | 1.1.0 |
| 5. Manage Identities and Segregate Privileges | 5.1 | Enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts. | Guest accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| 5. Manage Identities and Segregate Privileges | 5.1 | Enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts. | Guest accounts with read permissions on Azure resources should be removed | 1.0.0 |
| 5. Manage Identities and Segregate Privileges | 5.1 | Enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts. | Guest accounts with write permissions on Azure resources should be removed | 1.0.0 |
| 5. Manage Identities and Segregate Privileges | 5.1 | Enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts. | Manage system and admin accounts | 1.1.0 |
| 5. Manage Identities and Segregate Privileges | 5.1 | Enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts. | Monitor access across the organization | 1.1.0 |
| 5. Manage Identities and Segregate Privileges | 5.1 | Enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts. | Monitor account activity | 1.1.0 |
| 5. Manage Identities and Segregate Privileges | 5.1 | Enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts. | Notify when account is not needed | 1.1.0 |
| 5. Manage Identities and Segregate Privileges | 5.1 | Enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts. | Protect audit information | 1.1.0 |
| 5. Manage Identities and Segregate Privileges | 5.1 | Enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts. | Reassign or remove user privileges as needed | 1.1.0 |
| 5. Manage Identities and Segregate Privileges | 5.1 | Enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts. | Require approval for account creation | 1.1.0 |
| 5. Manage Identities and Segregate Privileges | 5.1 | Enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts. | Restrict access to privileged accounts | 1.1.0 |
| 5. Manage Identities and Segregate Privileges | 5.1 | Enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts. | Review account provisioning logs | 1.1.0 |
| 5. Manage Identities and Segregate Privileges | 5.1 | Enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts. | Review user accounts | 1.1.0 |
| 5. Manage Identities and Segregate Privileges | 5.1 | Enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts. | Review user privileges | 1.1.0 |
| 5. Manage Identities and Segregate Privileges | 5.1 | Enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts. | Revoke privileged roles as appropriate | 1.1.0 |
| 5. Manage Identities and Segregate Privileges | 5.1 | Enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts. | Separate duties of individuals | 1.1.0 |
| 5. Manage Identities and Segregate Privileges | 5.1 | Enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts. | There should be more than one owner assigned to your subscription | 3.0.0 |
| 5. Manage Identities and Segregate Privileges | 5.2 | Ensure the proper management, tracking, and use of connected and disconnected hardware authentication or personal tokens (when tokens are used). | Distribute authenticators | 1.1.0 |
| 5. Manage Identities and Segregate Privileges | 5.2 | Ensure the proper management, tracking, and use of connected and disconnected hardware authentication or personal tokens (when tokens are used). | Establish authenticator types and processes | 1.1.0 |
| 5. Manage Identities and Segregate Privileges | 5.2 | Ensure the proper management, tracking, and use of connected and disconnected hardware authentication or personal tokens (when tokens are used). | Establish procedures for initial authenticator distribution | 1.1.0 |
| 5. Manage Identities and Segregate Privileges | 5.2 | Ensure the proper management, tracking, and use of connected and disconnected hardware authentication or personal tokens (when tokens are used). | Verify identity before distributing authenticators | 1.1.0 |
| 5. Manage Identities and Segregate Privileges | 5.3A | To the extent permitted and practicable, ensure the trustworthiness of staff operating the local SWIFT environment by performing regular staff screening. | Clear personnel with access to classified information | 1.1.0 |
| 5. Manage Identities and Segregate Privileges | 5.3A | To the extent permitted and practicable, ensure the trustworthiness of staff operating the local SWIFT environment by performing regular staff screening. | Ensure access agreements are signed or resigned timely | 1.1.0 |
| 5. Manage Identities and Segregate Privileges | 5.3A | To the extent permitted and practicable, ensure the trustworthiness of staff operating the local SWIFT environment by performing regular staff screening. | Implement personnel screening | 1.1.0 |
| 5. Manage Identities and Segregate Privileges | 5.3A | To the extent permitted and practicable, ensure the trustworthiness of staff operating the local SWIFT environment by performing regular staff screening. | Protect special information | 1.1.0 |
| 5. Manage Identities and Segregate Privileges | 5.3A | To the extent permitted and practicable, ensure the trustworthiness of staff operating the local SWIFT environment by performing regular staff screening. | Rescreen individuals at a defined frequency | 1.1.0 |
| 5. Manage Identities and Segregate Privileges | 5.4 | Protect physically and logically the repository of recorded passwords. | Document security strength requirements in acquisition contracts | 1.1.0 |
| 5. Manage Identities and Segregate Privileges | 5.4 | Protect physically and logically the repository of recorded passwords. | Establish a password policy | 1.1.0 |
| 5. Manage Identities and Segregate Privileges | 5.4 | Protect physically and logically the repository of recorded passwords. | Implement parameters for memorized secret verifiers | 1.1.0 |
| 5. Manage Identities and Segregate Privileges | 5.4 | Protect physically and logically the repository of recorded passwords. | Protect passwords with encryption | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.1 | Ensure that local SWIFT infrastructure is protected against malware and act upon results. | Audit privileged functions | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.1 | Ensure that local SWIFT infrastructure is protected against malware and act upon results. | Audit user account status | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.1 | Ensure that local SWIFT infrastructure is protected against malware and act upon results. | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.1 | Ensure that local SWIFT infrastructure is protected against malware and act upon results. | Correlate audit records | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.1 | Ensure that local SWIFT infrastructure is protected against malware and act upon results. | Correlate Vulnerability scan information | 1.1.1 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.1 | Ensure that local SWIFT infrastructure is protected against malware and act upon results. | Determine auditable events | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.1 | Ensure that local SWIFT infrastructure is protected against malware and act upon results. | Establish requirements for audit review and reporting | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.1 | Ensure that local SWIFT infrastructure is protected against malware and act upon results. | Implement privileged access for executing vulnerability scanning activities | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.1 | Ensure that local SWIFT infrastructure is protected against malware and act upon results. | Integrate audit review, analysis, and reporting | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.1 | Ensure that local SWIFT infrastructure is protected against malware and act upon results. | Integrate cloud app security with a siem | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.1 | Ensure that local SWIFT infrastructure is protected against malware and act upon results. | Manage gateways | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.1 | Ensure that local SWIFT infrastructure is protected against malware and act upon results. | Observe and report security weaknesses | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.1 | Ensure that local SWIFT infrastructure is protected against malware and act upon results. | Perform a trend analysis on threats | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.1 | Ensure that local SWIFT infrastructure is protected against malware and act upon results. | Perform threat modeling | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.1 | Ensure that local SWIFT infrastructure is protected against malware and act upon results. | Perform vulnerability scans | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.1 | Ensure that local SWIFT infrastructure is protected against malware and act upon results. | Remediate information system flaws | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.1 | Ensure that local SWIFT infrastructure is protected against malware and act upon results. | Review account provisioning logs | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.1 | Ensure that local SWIFT infrastructure is protected against malware and act upon results. | Review administrator assignments weekly | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.1 | Ensure that local SWIFT infrastructure is protected against malware and act upon results. | Review audit data | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.1 | Ensure that local SWIFT infrastructure is protected against malware and act upon results. | Review cloud identity report overview | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.1 | Ensure that local SWIFT infrastructure is protected against malware and act upon results. | Review controlled folder access events | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.1 | Ensure that local SWIFT infrastructure is protected against malware and act upon results. | Review exploit protection events | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.1 | Ensure that local SWIFT infrastructure is protected against malware and act upon results. | Review file and folder activity | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.1 | Ensure that local SWIFT infrastructure is protected against malware and act upon results. | Review malware detections report weekly | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.1 | Ensure that local SWIFT infrastructure is protected against malware and act upon results. | Review role group changes weekly | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.1 | Ensure that local SWIFT infrastructure is protected against malware and act upon results. | Update antivirus definitions | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.1 | Ensure that local SWIFT infrastructure is protected against malware and act upon results. | Verify software, firmware and information integrity | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.2 | Ensure the software integrity of the SWIFT-related components and act upon results. | Configure workstations to check for digital certificates | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.2 | Ensure the software integrity of the SWIFT-related components and act upon results. | Employ automatic shutdown/restart when violations are detected | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.2 | Ensure the software integrity of the SWIFT-related components and act upon results. | Protect data in transit using encryption | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.2 | Ensure the software integrity of the SWIFT-related components and act upon results. | Protect passwords with encryption | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.2 | Ensure the software integrity of the SWIFT-related components and act upon results. | Verify software, firmware and information integrity | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.2 | Ensure the software integrity of the SWIFT-related components and act upon results. | View and configure system diagnostic data | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.3 | Ensure the integrity of the database records for the SWIFT messaging interface or the customer connector and act upon results. | Verify software, firmware and information integrity | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.3 | Ensure the integrity of the database records for the SWIFT messaging interface or the customer connector and act upon results. | View and configure system diagnostic data | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.4 | Record security events and detect anomalous actions and operations within the local SWIFT environment. | Activity log should be retained for at least one year | 1.0.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.4 | Record security events and detect anomalous actions and operations within the local SWIFT environment. | Audit privileged functions | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.4 | Record security events and detect anomalous actions and operations within the local SWIFT environment. | Audit user account status | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.4 | Record security events and detect anomalous actions and operations within the local SWIFT environment. | Audit virtual machines without disaster recovery configured | 1.0.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.4 | Record security events and detect anomalous actions and operations within the local SWIFT environment. | Auto provisioning of the Log Analytics agent should be enabled on your subscription | 1.0.1 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.4 | Record security events and detect anomalous actions and operations within the local SWIFT environment. | Azure Defender for App Service should be enabled | 1.0.3 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.4 | Record security events and detect anomalous actions and operations within the local SWIFT environment. | Azure Defender for Key Vault should be enabled | 1.0.3 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.4 | Record security events and detect anomalous actions and operations within the local SWIFT environment. | Azure Defender for servers should be enabled | 1.0.3 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.4 | Record security events and detect anomalous actions and operations within the local SWIFT environment. | Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' | 1.0.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.4 | Record security events and detect anomalous actions and operations within the local SWIFT environment. | Azure Monitor should collect activity logs from all regions | 2.0.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.4 | Record security events and detect anomalous actions and operations within the local SWIFT environment. | Azure Monitor solution 'Security and Audit' must be deployed | 1.0.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.4 | Record security events and detect anomalous actions and operations within the local SWIFT environment. | Correlate audit records | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.4 | Record security events and detect anomalous actions and operations within the local SWIFT environment. | Determine auditable events | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.4 | Record security events and detect anomalous actions and operations within the local SWIFT environment. | Establish requirements for audit review and reporting | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.4 | Record security events and detect anomalous actions and operations within the local SWIFT environment. | Integrate audit review, analysis, and reporting | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.4 | Record security events and detect anomalous actions and operations within the local SWIFT environment. | Integrate cloud app security with a siem | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.4 | Record security events and detect anomalous actions and operations within the local SWIFT environment. | Microsoft Defender for Storage should be enabled | 1.0.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.4 | Record security events and detect anomalous actions and operations within the local SWIFT environment. | Perform vulnerability scans | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.4 | Record security events and detect anomalous actions and operations within the local SWIFT environment. | Provide real-time alerts for audit event failures | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.4 | Record security events and detect anomalous actions and operations within the local SWIFT environment. | Remediate information system flaws | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.4 | Record security events and detect anomalous actions and operations within the local SWIFT environment. | Review account provisioning logs | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.4 | Record security events and detect anomalous actions and operations within the local SWIFT environment. | Review administrator assignments weekly | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.4 | Record security events and detect anomalous actions and operations within the local SWIFT environment. | Review audit data | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.4 | Record security events and detect anomalous actions and operations within the local SWIFT environment. | Review cloud identity report overview | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.4 | Record security events and detect anomalous actions and operations within the local SWIFT environment. | Review controlled folder access events | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.4 | Record security events and detect anomalous actions and operations within the local SWIFT environment. | Review exploit protection events | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.4 | Record security events and detect anomalous actions and operations within the local SWIFT environment. | Review file and folder activity | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.4 | Record security events and detect anomalous actions and operations within the local SWIFT environment. | Review role group changes weekly | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.5A | Detect and contain anomalous network activity into and within the local or remote SWIFT environment. | Alert personnel of information spillage | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.5A | Detect and contain anomalous network activity into and within the local or remote SWIFT environment. | Authorize, monitor, and control voip | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.5A | Detect and contain anomalous network activity into and within the local or remote SWIFT environment. | Azure Defender for App Service should be enabled | 1.0.3 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.5A | Detect and contain anomalous network activity into and within the local or remote SWIFT environment. | Azure Defender for Key Vault should be enabled | 1.0.3 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.5A | Detect and contain anomalous network activity into and within the local or remote SWIFT environment. | Azure Defender for servers should be enabled | 1.0.3 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.5A | Detect and contain anomalous network activity into and within the local or remote SWIFT environment. | Detect network services that have not been authorized or approved | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.5A | Detect and contain anomalous network activity into and within the local or remote SWIFT environment. | Develop an incident response plan | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.5A | Detect and contain anomalous network activity into and within the local or remote SWIFT environment. | Document security operations | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.5A | Detect and contain anomalous network activity into and within the local or remote SWIFT environment. | Implement system boundary protection | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.5A | Detect and contain anomalous network activity into and within the local or remote SWIFT environment. | Manage gateways | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.5A | Detect and contain anomalous network activity into and within the local or remote SWIFT environment. | Microsoft Defender for Storage should be enabled | 1.0.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.5A | Detect and contain anomalous network activity into and within the local or remote SWIFT environment. | Route traffic through managed network access points | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.5A | Detect and contain anomalous network activity into and within the local or remote SWIFT environment. | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| 6. Detect Anomalous Activity to Systems or Transaction Records | 6.5A | Detect and contain anomalous network activity into and within the local or remote SWIFT environment. | Turn on sensors for endpoint security solution | 1.1.0 |
| 7. Plan for Incident Response and Information Sharing | 7.1 | Ensure a consistent and effective approach for the management of cyber incidents. | Address information security issues | 1.1.0 |
| 7. Plan for Incident Response and Information Sharing | 7.1 | Ensure a consistent and effective approach for the management of cyber incidents. | Email notification for high severity alerts should be enabled | 1.1.0 |
| 7. Plan for Incident Response and Information Sharing | 7.1 | Ensure a consistent and effective approach for the management of cyber incidents. | Email notification to subscription owner for high severity alerts should be enabled | 2.1.0 |
| 7. Plan for Incident Response and Information Sharing | 7.1 | Ensure a consistent and effective approach for the management of cyber incidents. | Identify classes of Incidents and Actions taken | 1.1.0 |
| 7. Plan for Incident Response and Information Sharing | 7.1 | Ensure a consistent and effective approach for the management of cyber incidents. | Incorporate simulated events into incident response training | 1.1.0 |
| 7. Plan for Incident Response and Information Sharing | 7.1 | Ensure a consistent and effective approach for the management of cyber incidents. | Provide information spillage training | 1.1.0 |
| 7. Plan for Incident Response and Information Sharing | 7.1 | Ensure a consistent and effective approach for the management of cyber incidents. | Review and update incident response policies and procedures | 1.1.0 |
| 7. Plan for Incident Response and Information Sharing | 7.1 | Ensure a consistent and effective approach for the management of cyber incidents. | Subscriptions should have a contact email address for security issues | 1.0.1 |
| 7. Plan for Incident Response and Information Sharing | 7.2 | Ensure all staff are aware of and fulfil their security responsibilities by performing regular awareness activities, and maintain security knowledge of staff with privileged access. | Document security and privacy training activities | 1.1.0 |
| 7. Plan for Incident Response and Information Sharing | 7.2 | Ensure all staff are aware of and fulfil their security responsibilities by performing regular awareness activities, and maintain security knowledge of staff with privileged access. | Provide periodic role-based security training | 1.1.0 |
| 7. Plan for Incident Response and Information Sharing | 7.2 | Ensure all staff are aware of and fulfil their security responsibilities by performing regular awareness activities, and maintain security knowledge of staff with privileged access. | Provide periodic security awareness training | 1.1.0 |
| 7. Plan for Incident Response and Information Sharing | 7.2 | Ensure all staff are aware of and fulfil their security responsibilities by performing regular awareness activities, and maintain security knowledge of staff with privileged access. | Provide privacy training | 1.1.0 |
| 7. Plan for Incident Response and Information Sharing | 7.2 | Ensure all staff are aware of and fulfil their security responsibilities by performing regular awareness activities, and maintain security knowledge of staff with privileged access. | Provide role-based practical exercises | 1.1.0 |
| 7. Plan for Incident Response and Information Sharing | 7.2 | Ensure all staff are aware of and fulfil their security responsibilities by performing regular awareness activities, and maintain security knowledge of staff with privileged access. | Provide role-based security training | 1.1.0 |
| 7. Plan for Incident Response and Information Sharing | 7.2 | Ensure all staff are aware of and fulfil their security responsibilities by performing regular awareness activities, and maintain security knowledge of staff with privileged access. | Provide role-based training on suspicious activities | 1.1.0 |
| 7. Plan for Incident Response and Information Sharing | 7.2 | Ensure all staff are aware of and fulfil their security responsibilities by performing regular awareness activities, and maintain security knowledge of staff with privileged access. | Provide security awareness training for insider threats | 1.1.0 |
| 7. Plan for Incident Response and Information Sharing | 7.2 | Ensure all staff are aware of and fulfil their security responsibilities by performing regular awareness activities, and maintain security knowledge of staff with privileged access. | Provide security training before providing access | 1.1.0 |
| 7. Plan for Incident Response and Information Sharing | 7.2 | Ensure all staff are aware of and fulfil their security responsibilities by performing regular awareness activities, and maintain security knowledge of staff with privileged access. | Provide security training for new users | 1.1.0 |
| 7. Plan for Incident Response and Information Sharing | 7.2 | Ensure all staff are aware of and fulfil their security responsibilities by performing regular awareness activities, and maintain security knowledge of staff with privileged access. | Provide updated security awareness training | 1.1.0 |
| 7. Plan for Incident Response and Information Sharing | 7.3A | Validate the operational security configuration and identify security gaps by performing penetration testing. | Employ independent team for penetration testing | 1.1.0 |
| 7. Plan for Incident Response and Information Sharing | 7.3A | Validate the operational security configuration and identify security gaps by performing penetration testing. | Require developers to build security architecture | 1.1.0 |
| 7. Plan for Incident Response and Information Sharing | 7.4A | Evaluate the risk and readiness of the organisation based on plausible cyber-attack scenarios. | Conduct Risk Assessment | 1.1.0 |
| 7. Plan for Incident Response and Information Sharing | 7.4A | Evaluate the risk and readiness of the organisation based on plausible cyber-attack scenarios. | Conduct risk assessment and distribute its results | 1.1.0 |
| 7. Plan for Incident Response and Information Sharing | 7.4A | Evaluate the risk and readiness of the organisation based on plausible cyber-attack scenarios. | Conduct risk assessment and document its results | 1.1.0 |
| 7. Plan for Incident Response and Information Sharing | 7.4A | Evaluate the risk and readiness of the organisation based on plausible cyber-attack scenarios. | Establish a risk management strategy | 1.1.0 |
| 7. Plan for Incident Response and Information Sharing | 7.4A | Evaluate the risk and readiness of the organisation based on plausible cyber-attack scenarios. | Implement the risk management strategy | 1.1.0 |
| 7. Plan for Incident Response and Information Sharing | 7.4A | Evaluate the risk and readiness of the organisation based on plausible cyber-attack scenarios. | Perform a risk assessment | 1.1.0 |
| 7. Plan for Incident Response and Information Sharing | 7.4A | Evaluate the risk and readiness of the organisation based on plausible cyber-attack scenarios. | Review and update risk assessment policies and procedures | 1.1.0 |
| 8. Set and Monitor Performance | 8.1 | Ensure availability by formally setting and monitoring the objectives to be achieved | Coordinate contingency plans with related plans | 1.1.0 |
| 8. Set and Monitor Performance | 8.1 | Ensure availability by formally setting and monitoring the objectives to be achieved | Develop contingency plan | 1.1.0 |
| 8. Set and Monitor Performance | 8.1 | Ensure availability by formally setting and monitoring the objectives to be achieved | Obtain legal opinion for monitoring system activities | 1.1.0 |
| 8. Set and Monitor Performance | 8.1 | Ensure availability by formally setting and monitoring the objectives to be achieved | Perform a trend analysis on threats | 1.1.0 |
| 8. Set and Monitor Performance | 8.1 | Ensure availability by formally setting and monitoring the objectives to be achieved | Plan for continuance of essential business functions | 1.1.0 |
| 8. Set and Monitor Performance | 8.1 | Ensure availability by formally setting and monitoring the objectives to be achieved | Plan for resumption of essential business functions | 1.1.0 |
| 8. Set and Monitor Performance | 8.1 | Ensure availability by formally setting and monitoring the objectives to be achieved | Provide monitoring information as needed | 1.1.0 |
| 8. Set and Monitor Performance | 8.1 | Ensure availability by formally setting and monitoring the objectives to be achieved | Resume all mission and business functions | 1.1.0 |
| 8. Set and Monitor Performance | 8.4 | Ensure availability, capacity, and quality of services to customers | Conduct capacity planning | 1.1.0 |
| 8. Set and Monitor Performance | 8.4 | Ensure availability, capacity, and quality of services to customers | Coordinate contingency plans with related plans | 1.1.0 |
| 8. Set and Monitor Performance | 8.4 | Ensure availability, capacity, and quality of services to customers | Create alternative actions for identified anomalies | 1.1.0 |
| 8. Set and Monitor Performance | 8.4 | Ensure availability, capacity, and quality of services to customers | Develop contingency plan | 1.1.0 |
| 8. Set and Monitor Performance | 8.4 | Ensure availability, capacity, and quality of services to customers | Notify personnel of any failed security verification tests | 1.1.0 |
| 8. Set and Monitor Performance | 8.4 | Ensure availability, capacity, and quality of services to customers | Perform security function verification at a defined frequency | 1.1.0 |
| 8. Set and Monitor Performance | 8.4 | Ensure availability, capacity, and quality of services to customers | Plan for continuance of essential business functions | 1.1.0 |
| 8. Set and Monitor Performance | 8.5 | Ensure early availability of SWIFTNet releases and of the FIN standards for proper testing by the customer before going live. | Address coding vulnerabilities | 1.1.0 |
| 8. Set and Monitor Performance | 8.5 | Ensure early availability of SWIFTNet releases and of the FIN standards for proper testing by the customer before going live. | Develop and document application security requirements | 1.1.0 |
| 8. Set and Monitor Performance | 8.5 | Ensure early availability of SWIFTNet releases and of the FIN standards for proper testing by the customer before going live. | Document the information system environment in acquisition contracts | 1.1.0 |
| 8. Set and Monitor Performance | 8.5 | Ensure early availability of SWIFTNet releases and of the FIN standards for proper testing by the customer before going live. | Establish a secure software development program | 1.1.0 |
| 8. Set and Monitor Performance | 8.5 | Ensure early availability of SWIFTNet releases and of the FIN standards for proper testing by the customer before going live. | Perform vulnerability scans | 1.1.0 |
| 8. Set and Monitor Performance | 8.5 | Ensure early availability of SWIFTNet releases and of the FIN standards for proper testing by the customer before going live. | Remediate information system flaws | 1.1.0 |
| 8. Set and Monitor Performance | 8.5 | Ensure early availability of SWIFTNet releases and of the FIN standards for proper testing by the customer before going live. | Require developers to document approved changes and potential impact | 1.1.0 |
| 8. Set and Monitor Performance | 8.5 | Ensure early availability of SWIFTNet releases and of the FIN standards for proper testing by the customer before going live. | Require developers to implement only approved changes | 1.1.0 |
| 8. Set and Monitor Performance | 8.5 | Ensure early availability of SWIFTNet releases and of the FIN standards for proper testing by the customer before going live. | Require developers to manage change integrity | 1.1.0 |
| 8. Set and Monitor Performance | 8.5 | Ensure early availability of SWIFTNet releases and of the FIN standards for proper testing by the customer before going live. | Require developers to produce evidence of security assessment plan execution | 1.1.0 |
| 8. Set and Monitor Performance | 8.5 | Ensure early availability of SWIFTNet releases and of the FIN standards for proper testing by the customer before going live. | Verify software, firmware and information integrity | 1.1.0 |
| 9. Ensure Availability through Resilience | 9.1 | Providers must ensure that the service remains available for customers in the event of a local disturbance or malfunction. | Conduct incident response testing | 1.1.0 |
| 9. Ensure Availability through Resilience | 9.1 | Providers must ensure that the service remains available for customers in the event of a local disturbance or malfunction. | Coordinate contingency plans with related plans | 1.1.0 |
| 9. Ensure Availability through Resilience | 9.1 | Providers must ensure that the service remains available for customers in the event of a local disturbance or malfunction. | Develop contingency plan | 1.1.0 |
| 9. Ensure Availability through Resilience | 9.1 | Providers must ensure that the service remains available for customers in the event of a local disturbance or malfunction. | Develop contingency planning policies and procedures | 1.1.0 |
| 9. Ensure Availability through Resilience | 9.1 | Providers must ensure that the service remains available for customers in the event of a local disturbance or malfunction. | Distribute policies and procedures | 1.1.0 |
| 9. Ensure Availability through Resilience | 9.1 | Providers must ensure that the service remains available for customers in the event of a local disturbance or malfunction. | Establish an information security program | 1.1.0 |
| 9. Ensure Availability through Resilience | 9.1 | Providers must ensure that the service remains available for customers in the event of a local disturbance or malfunction. | Provide contingency training | 1.1.0 |
| 9. Ensure Availability through Resilience | 9.1 | Providers must ensure that the service remains available for customers in the event of a local disturbance or malfunction. | Run simulation attacks | 1.1.0 |
| 9. Ensure Availability through Resilience | 9.2 | Providers must ensure that the service remains available for customers in the event of a site disaster. | Conduct backup of information system documentation | 1.1.0 |
| 9. Ensure Availability through Resilience | 9.2 | Providers must ensure that the service remains available for customers in the event of a site disaster. | Create separate alternate and primary storage sites | 1.1.0 |
| 9. Ensure Availability through Resilience | 9.2 | Providers must ensure that the service remains available for customers in the event of a site disaster. | Ensure alternate storage site safeguards are equivalent to primary site | 1.1.0 |
| 9. Ensure Availability through Resilience | 9.2 | Providers must ensure that the service remains available for customers in the event of a site disaster. | Establish alternate storage site that facilitates recovery operations | 1.1.0 |
| 9. Ensure Availability through Resilience | 9.2 | Providers must ensure that the service remains available for customers in the event of a site disaster. | Establish alternate storage site to store and retrieve backup information | 1.1.0 |
| 9. Ensure Availability through Resilience | 9.2 | Providers must ensure that the service remains available for customers in the event of a site disaster. | Establish an alternate processing site | 1.1.0 |
| 9. Ensure Availability through Resilience | 9.2 | Providers must ensure that the service remains available for customers in the event of a site disaster. | Establish requirements for internet service providers | 1.1.0 |
| 9. Ensure Availability through Resilience | 9.2 | Providers must ensure that the service remains available for customers in the event of a site disaster. | Identify and mitigate potential issues at alternate storage site | 1.1.0 |
| 9. Ensure Availability through Resilience | 9.2 | Providers must ensure that the service remains available for customers in the event of a site disaster. | Prepare alternate processing site for use as operational site | 1.1.0 |
| 9. Ensure Availability through Resilience | 9.2 | Providers must ensure that the service remains available for customers in the event of a site disaster. | Recover and reconstitute resources after any disruption | 1.1.1 |
| 9. Ensure Availability through Resilience | 9.2 | Providers must ensure that the service remains available for customers in the event of a site disaster. | Restore resources to operational state | 1.1.1 |
| 9. Ensure Availability through Resilience | 9.2 | Providers must ensure that the service remains available for customers in the event of a site disaster. | Separately store backup information | 1.1.0 |
| 9. Ensure Availability through Resilience | 9.2 | Providers must ensure that the service remains available for customers in the event of a site disaster. | Transfer backup information to an alternate storage site | 1.1.0 |
| 9. Ensure Availability through Resilience | 9.3 | Service bureaux must ensure that the service remains available for their customers in the event of a disturbance, a hazard, or an incident. | Develop and document a business continuity and disaster recovery plan | 1.1.0 |
| 9. Ensure Availability through Resilience | 9.3 | Service bureaux must ensure that the service remains available for their customers in the event of a disturbance, a hazard, or an incident. | Develop contingency plan | 1.1.0 |
| 9. Ensure Availability through Resilience | 9.3 | Service bureaux must ensure that the service remains available for their customers in the event of a disturbance, a hazard, or an incident. | Employ automatic emergency lighting | 1.1.0 |
| 9. Ensure Availability through Resilience | 9.3 | Service bureaux must ensure that the service remains available for their customers in the event of a disturbance, a hazard, or an incident. | Implement a penetration testing methodology | 1.1.0 |
| 9. Ensure Availability through Resilience | 9.3 | Service bureaux must ensure that the service remains available for their customers in the event of a disturbance, a hazard, or an incident. | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| 9. Ensure Availability through Resilience | 9.3 | Service bureaux must ensure that the service remains available for their customers in the event of a disturbance, a hazard, or an incident. | Review and update physical and environmental policies and procedures | 1.1.0 |
| 9. Ensure Availability through Resilience | 9.3 | Service bureaux must ensure that the service remains available for their customers in the event of a disturbance, a hazard, or an incident. | Run simulation attacks | 1.1.0 |
| 9. Ensure Availability through Resilience | 9.4 | Providers' availability and quality of service is ensured through usage of the recommended SWIFT connectivity packs and the appropriate line bandwidth | Authorize, monitor, and control voip | 1.1.0 |
| 9. Ensure Availability through Resilience | 9.4 | Providers' availability and quality of service is ensured through usage of the recommended SWIFT connectivity packs and the appropriate line bandwidth | Conduct capacity planning | 1.1.0 |
| 9. Ensure Availability through Resilience | 9.4 | Providers' availability and quality of service is ensured through usage of the recommended SWIFT connectivity packs and the appropriate line bandwidth | Implement system boundary protection | 1.1.0 |
| 9. Ensure Availability through Resilience | 9.4 | Providers' availability and quality of service is ensured through usage of the recommended SWIFT connectivity packs and the appropriate line bandwidth | Manage gateways | 1.1.0 |
| 9. Ensure Availability through Resilience | 9.4 | Providers' availability and quality of service is ensured through usage of the recommended SWIFT connectivity packs and the appropriate line bandwidth | Route traffic through managed network access points | 1.1.0 |
| 10. Be Ready in case of Major Disaster | 10.1 | Business continuity is ensured through a documented plan communicated to the potentially affected parties (service bureau and customers). | Coordinate contingency plans with related plans | 1.1.0 |
| 10. Be Ready in case of Major Disaster | 10.1 | Business continuity is ensured through a documented plan communicated to the potentially affected parties (service bureau and customers). | Develop contingency plan | 1.1.0 |
| 10. Be Ready in case of Major Disaster | 10.1 | Business continuity is ensured through a documented plan communicated to the potentially affected parties (service bureau and customers). | Plan for continuance of essential business functions | 1.1.0 |
| 10. Be Ready in case of Major Disaster | 10.1 | Business continuity is ensured through a documented plan communicated to the potentially affected parties (service bureau and customers). | Plan for resumption of essential business functions | 1.1.0 |
| 10. Be Ready in case of Major Disaster | 10.1 | Business continuity is ensured through a documented plan communicated to the potentially affected parties (service bureau and customers). | Resume all mission and business functions | 1.1.0 |
| 11. Monitor in case of Major Disaster | 11.1 | Ensure a consistent and effective approach for the event monitoring and escalation. | Document security operations | 1.1.0 |
| 11. Monitor in case of Major Disaster | 11.1 | Ensure a consistent and effective approach for the event monitoring and escalation. | Obtain legal opinion for monitoring system activities | 1.1.0 |
| 11. Monitor in case of Major Disaster | 11.1 | Ensure a consistent and effective approach for the event monitoring and escalation. | Perform a trend analysis on threats | 1.1.0 |
| 11. Monitor in case of Major Disaster | 11.1 | Ensure a consistent and effective approach for the event monitoring and escalation. | Provide monitoring information as needed | 1.1.0 |
| 11. Monitor in case of Major Disaster | 11.1 | Ensure a consistent and effective approach for the event monitoring and escalation. | Turn on sensors for endpoint security solution | 1.1.0 |
| 11. Monitor in case of Major Disaster | 11.2 | Ensure a consistent and effective approach for the management of incidents (Problem Management). | Assess information security events | 1.1.0 |
| 11. Monitor in case of Major Disaster | 11.2 | Ensure a consistent and effective approach for the management of incidents (Problem Management). | Conduct incident response testing | 1.1.0 |
| 11. Monitor in case of Major Disaster | 11.2 | Ensure a consistent and effective approach for the management of incidents (Problem Management). | Develop an incident response plan | 1.1.0 |
| 11. Monitor in case of Major Disaster | 11.2 | Ensure a consistent and effective approach for the management of incidents (Problem Management). | Develop security safeguards | 1.1.0 |
| 11. Monitor in case of Major Disaster | 11.2 | Ensure a consistent and effective approach for the management of incidents (Problem Management). | Document security operations | 1.1.0 |
| 11. Monitor in case of Major Disaster | 11.2 | Ensure a consistent and effective approach for the management of incidents (Problem Management). | Enable network protection | 1.1.0 |
| 11. Monitor in case of Major Disaster | 11.2 | Ensure a consistent and effective approach for the management of incidents (Problem Management). | Eradicate contaminated information | 1.1.0 |
| 11. Monitor in case of Major Disaster | 11.2 | Ensure a consistent and effective approach for the management of incidents (Problem Management). | Establish an information security program | 1.1.0 |
| 11. Monitor in case of Major Disaster | 11.2 | Ensure a consistent and effective approach for the management of incidents (Problem Management). | Execute actions in response to information spills | 1.1.0 |
| 11. Monitor in case of Major Disaster | 11.2 | Ensure a consistent and effective approach for the management of incidents (Problem Management). | Identify classes of Incidents and Actions taken | 1.1.0 |
| 11. Monitor in case of Major Disaster | 11.2 | Ensure a consistent and effective approach for the management of incidents (Problem Management). | Implement incident handling | 1.1.0 |
| 11. Monitor in case of Major Disaster | 11.2 | Ensure a consistent and effective approach for the management of incidents (Problem Management). | Incorporate simulated events into incident response training | 1.1.0 |
| 11. Monitor in case of Major Disaster | 11.2 | Ensure a consistent and effective approach for the management of incidents (Problem Management). | Maintain data breach records | 1.1.0 |
| 11. Monitor in case of Major Disaster | 11.2 | Ensure a consistent and effective approach for the management of incidents (Problem Management). | Maintain incident response plan | 1.1.0 |
| 11. Monitor in case of Major Disaster | 11.2 | Ensure a consistent and effective approach for the management of incidents (Problem Management). | Perform a trend analysis on threats | 1.1.0 |
| 11. Monitor in case of Major Disaster | 11.2 | Ensure a consistent and effective approach for the management of incidents (Problem Management). | Protect incident response plan | 1.1.0 |
| 11. Monitor in case of Major Disaster | 11.2 | Ensure a consistent and effective approach for the management of incidents (Problem Management). | Provide information spillage training | 1.1.0 |
| 11. Monitor in case of Major Disaster | 11.2 | Ensure a consistent and effective approach for the management of incidents (Problem Management). | Review and update incident response policies and procedures | 1.1.0 |
| 11. Monitor in case of Major Disaster | 11.2 | Ensure a consistent and effective approach for the management of incidents (Problem Management). | Run simulation attacks | 1.1.0 |
| 11. Monitor in case of Major Disaster | 11.2 | Ensure a consistent and effective approach for the management of incidents (Problem Management). | View and investigate restricted users | 1.1.0 |
| 11. Monitor in case of Major Disaster | 11.4 | Ensure an adequate escalation of operational malfunctions in case of customer impact. | Automate process to document implemented changes | 1.1.0 |
| 11. Monitor in case of Major Disaster | 11.4 | Ensure an adequate escalation of operational malfunctions in case of customer impact. | Automate process to highlight unreviewed change proposals | 1.1.0 |
| 11. Monitor in case of Major Disaster | 11.4 | Ensure an adequate escalation of operational malfunctions in case of customer impact. | Develop an incident response plan | 1.1.0 |
| 11. Monitor in case of Major Disaster | 11.4 | Ensure an adequate escalation of operational malfunctions in case of customer impact. | Document security operations | 1.1.0 |
| 11. Monitor in case of Major Disaster | 11.4 | Ensure an adequate escalation of operational malfunctions in case of customer impact. | Enable network protection | 1.1.0 |
| 11. Monitor in case of Major Disaster | 11.4 | Ensure an adequate escalation of operational malfunctions in case of customer impact. | Eradicate contaminated information | 1.1.0 |
| 11. Monitor in case of Major Disaster | 11.4 | Ensure an adequate escalation of operational malfunctions in case of customer impact. | Establish and document change control processes | 1.1.0 |
| 11. Monitor in case of Major Disaster | 11.4 | Ensure an adequate escalation of operational malfunctions in case of customer impact. | Establish configuration management requirements for developers | 1.1.0 |
| 11. Monitor in case of Major Disaster | 11.4 | Ensure an adequate escalation of operational malfunctions in case of customer impact. | Establish relationship between incident response capability and external providers | 1.1.0 |
| 11. Monitor in case of Major Disaster | 11.4 | Ensure an adequate escalation of operational malfunctions in case of customer impact. | Execute actions in response to information spills | 1.1.0 |
| 11. Monitor in case of Major Disaster | 11.4 | Ensure an adequate escalation of operational malfunctions in case of customer impact. | Implement incident handling | 1.1.0 |
| 11. Monitor in case of Major Disaster | 11.4 | Ensure an adequate escalation of operational malfunctions in case of customer impact. | Perform a trend analysis on threats | 1.1.0 |
| 11. Monitor in case of Major Disaster | 11.4 | Ensure an adequate escalation of operational malfunctions in case of customer impact. | Perform audit for configuration change control | 1.1.0 |
| 11. Monitor in case of Major Disaster | 11.4 | Ensure an adequate escalation of operational malfunctions in case of customer impact. | View and investigate restricted users | 1.1.0 |
| 11. Monitor in case of Major Disaster | 11.5 | Effective support is offered to customers in case they face problems during their business hours. | Develop an incident response plan | 1.1.0 |
| 11. Monitor in case of Major Disaster | 11.5 | Effective support is offered to customers in case they face problems during their business hours. | Document security operations | 1.1.0 |
| 11. Monitor in case of Major Disaster | 11.5 | Effective support is offered to customers in case they face problems during their business hours. | Enable network protection | 1.1.0 |
| 11. Monitor in case of Major Disaster | 11.5 | Effective support is offered to customers in case they face problems during their business hours. | Eradicate contaminated information | 1.1.0 |
| 11. Monitor in case of Major Disaster | 11.5 | Effective support is offered to customers in case they face problems during their business hours. | Establish relationship between incident response capability and external providers | 1.1.0 |
| 11. Monitor in case of Major Disaster | 11.5 | Effective support is offered to customers in case they face problems during their business hours. | Execute actions in response to information spills | 1.1.0 |
| 11. Monitor in case of Major Disaster | 11.5 | Effective support is offered to customers in case they face problems during their business hours. | Identify incident response personnel | 1.1.0 |
| 11. Monitor in case of Major Disaster | 11.5 | Effective support is offered to customers in case they face problems during their business hours. | Implement incident handling | 1.1.0 |
| 11. Monitor in case of Major Disaster | 11.5 | Effective support is offered to customers in case they face problems during their business hours. | Perform a trend analysis on threats | 1.1.0 |
| 11. Monitor in case of Major Disaster | 11.5 | Effective support is offered to customers in case they face problems during their business hours. | View and investigate restricted users | 1.1.0 |
| 12. Ensure Knowledge is Available | 12.1 | Ensure quality of service to customers through SWIFT certified employees. | Provide periodic role-based security training | 1.1.0 |
| 12. Ensure Knowledge is Available | 12.1 | Ensure quality of service to customers through SWIFT certified employees. | Provide role-based security training | 1.1.0 |
| 12. Ensure Knowledge is Available | 12.1 | Ensure quality of service to customers through SWIFT certified employees. | Provide security training before providing access | 1.1.0 |
System and Organization Controls (SOC) 2
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for System and Organization Controls (SOC) 2. For more information about this compliance standard, see System and Organization Controls (SOC) 2.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| Additional Criteria For Availability | A1.1 | Capacity management | Conduct capacity planning | 1.1.0 |
| Additional Criteria For Availability | A1.2 | Environmental protections, software, data back-up processes, and recovery infrastructure | Employ automatic emergency lighting | 1.1.0 |
| Additional Criteria For Availability | A1.2 | Environmental protections, software, data back-up processes, and recovery infrastructure | Establish an alternate processing site | 1.1.0 |
| Additional Criteria For Availability | A1.2 | Environmental protections, software, data back-up processes, and recovery infrastructure | Implement a penetration testing methodology | 1.1.0 |
| Additional Criteria For Availability | A1.2 | Environmental protections, software, data back-up processes, and recovery infrastructure | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Additional Criteria For Availability | A1.2 | Environmental protections, software, data back-up processes, and recovery infrastructure | Install an alarm system | 1.1.0 |
| Additional Criteria For Availability | A1.2 | Environmental protections, software, data back-up processes, and recovery infrastructure | Recover and reconstitute resources after any disruption | 1.1.1 |
| Additional Criteria For Availability | A1.2 | Environmental protections, software, data back-up processes, and recovery infrastructure | Run simulation attacks | 1.1.0 |
| Additional Criteria For Availability | A1.2 | Environmental protections, software, data back-up processes, and recovery infrastructure | Separately store backup information | 1.1.0 |
| Additional Criteria For Availability | A1.2 | Environmental protections, software, data back-up processes, and recovery infrastructure | Transfer backup information to an alternate storage site | 1.1.0 |
| Additional Criteria For Availability | A1.3 | Recovery plan testing | Coordinate contingency plans with related plans | 1.1.0 |
| Additional Criteria For Availability | A1.3 | Recovery plan testing | Initiate contingency plan testing corrective actions | 1.1.0 |
| Additional Criteria For Availability | A1.3 | Recovery plan testing | Review the results of contingency plan testing | 1.1.0 |
| Additional Criteria For Availability | A1.3 | Recovery plan testing | Test the business continuity and disaster recovery plan | 1.1.0 |
| Additional Criteria For Confidentiality | C1.1 | Protection of confidential information | Control physical access | 1.1.0 |
| Additional Criteria For Confidentiality | C1.1 | Protection of confidential information | Manage the input, output, processing, and storage of data | 1.1.0 |
| Additional Criteria For Confidentiality | C1.1 | Protection of confidential information | Review label activity and analytics | 1.1.0 |
| Additional Criteria For Confidentiality | C1.2 | Disposal of confidential information | Control physical access | 1.1.0 |
| Additional Criteria For Confidentiality | C1.2 | Disposal of confidential information | Manage the input, output, processing, and storage of data | 1.1.0 |
| Additional Criteria For Confidentiality | C1.2 | Disposal of confidential information | Review label activity and analytics | 1.1.0 |
| Control Environment | CC1.1 | COSO Principle 1 | Develop acceptable use policies and procedures | 1.1.0 |
| Control Environment | CC1.1 | COSO Principle 1 | Develop organization code of conduct policy | 1.1.0 |
| Control Environment | CC1.1 | COSO Principle 1 | Document personnel acceptance of privacy requirements | 1.1.0 |
| Control Environment | CC1.1 | COSO Principle 1 | Enforce rules of behavior and access agreements | 1.1.0 |
| Control Environment | CC1.1 | COSO Principle 1 | Prohibit unfair practices | 1.1.0 |
| Control Environment | CC1.1 | COSO Principle 1 | Review and sign revised rules of behavior | 1.1.0 |
| Control Environment | CC1.1 | COSO Principle 1 | Update rules of behavior and access agreements | 1.1.0 |
| Control Environment | CC1.1 | COSO Principle 1 | Update rules of behavior and access agreements every 3 years | 1.1.0 |
| Control Environment | CC1.2 | COSO Principle 2 | Appoint a senior information security officer | 1.1.0 |
| Control Environment | CC1.2 | COSO Principle 2 | Develop and establish a system security plan | 1.1.0 |
| Control Environment | CC1.2 | COSO Principle 2 | Establish a risk management strategy | 1.1.0 |
| Control Environment | CC1.2 | COSO Principle 2 | Establish security requirements for the manufacturing of connected devices | 1.1.0 |
| Control Environment | CC1.2 | COSO Principle 2 | Implement security engineering principles of information systems | 1.1.0 |
| Control Environment | CC1.3 | COSO Principle 3 | Appoint a senior information security officer | 1.1.0 |
| Control Environment | CC1.3 | COSO Principle 3 | Develop and establish a system security plan | 1.1.0 |
| Control Environment | CC1.3 | COSO Principle 3 | Establish a risk management strategy | 1.1.0 |
| Control Environment | CC1.3 | COSO Principle 3 | Establish security requirements for the manufacturing of connected devices | 1.1.0 |
| Control Environment | CC1.3 | COSO Principle 3 | Implement security engineering principles of information systems | 1.1.0 |
| Control Environment | CC1.4 | COSO Principle 4 | Provide periodic role-based security training | 1.1.0 |
| Control Environment | CC1.4 | COSO Principle 4 | Provide periodic security awareness training | 1.1.0 |
| Control Environment | CC1.4 | COSO Principle 4 | Provide role-based practical exercises | 1.1.0 |
| Control Environment | CC1.4 | COSO Principle 4 | Provide security training before providing access | 1.1.0 |
| Control Environment | CC1.4 | COSO Principle 4 | Provide security training for new users | 1.1.0 |
| Control Environment | CC1.5 | COSO Principle 5 | Develop acceptable use policies and procedures | 1.1.0 |
| Control Environment | CC1.5 | COSO Principle 5 | Enforce rules of behavior and access agreements | 1.1.0 |
| Control Environment | CC1.5 | COSO Principle 5 | Implement formal sanctions process | 1.1.0 |
| Control Environment | CC1.5 | COSO Principle 5 | Notify personnel upon sanctions | 1.1.0 |
| Communication and Information | CC2.1 | COSO Principle 13 | Control physical access | 1.1.0 |
| Communication and Information | CC2.1 | COSO Principle 13 | Manage the input, output, processing, and storage of data | 1.1.0 |
| Communication and Information | CC2.1 | COSO Principle 13 | Review label activity and analytics | 1.1.0 |
| Communication and Information | CC2.2 | COSO Principle 14 | Develop acceptable use policies and procedures | 1.1.0 |
| Communication and Information | CC2.2 | COSO Principle 14 | Email notification for high severity alerts should be enabled | 1.1.0 |
| Communication and Information | CC2.2 | COSO Principle 14 | Email notification to subscription owner for high severity alerts should be enabled | 2.1.0 |
| Communication and Information | CC2.2 | COSO Principle 14 | Enforce rules of behavior and access agreements | 1.1.0 |
| Communication and Information | CC2.2 | COSO Principle 14 | Provide periodic role-based security training | 1.1.0 |
| Communication and Information | CC2.2 | COSO Principle 14 | Provide periodic security awareness training | 1.1.0 |
| Communication and Information | CC2.2 | COSO Principle 14 | Provide security training before providing access | 1.1.0 |
| Communication and Information | CC2.2 | COSO Principle 14 | Provide security training for new users | 1.1.0 |
| Communication and Information | CC2.2 | COSO Principle 14 | Subscriptions should have a contact email address for security issues | 1.0.1 |
| Communication and Information | CC2.3 | COSO Principle 15 | Define the duties of processors | 1.1.0 |
| Communication and Information | CC2.3 | COSO Principle 15 | Deliver security assessment results | 1.1.0 |
| Communication and Information | CC2.3 | COSO Principle 15 | Develop and establish a system security plan | 1.1.0 |
| Communication and Information | CC2.3 | COSO Principle 15 | Email notification for high severity alerts should be enabled | 1.1.0 |
| Communication and Information | CC2.3 | COSO Principle 15 | Email notification to subscription owner for high severity alerts should be enabled | 2.1.0 |
| Communication and Information | CC2.3 | COSO Principle 15 | Establish security requirements for the manufacturing of connected devices | 1.1.0 |
| Communication and Information | CC2.3 | COSO Principle 15 | Establish third-party personnel security requirements | 1.1.0 |
| Communication and Information | CC2.3 | COSO Principle 15 | Implement privacy notice delivery methods | 1.1.0 |
| Communication and Information | CC2.3 | COSO Principle 15 | Implement security engineering principles of information systems | 1.1.0 |
| Communication and Information | CC2.3 | COSO Principle 15 | Produce Security Assessment report | 1.1.0 |
| Communication and Information | CC2.3 | COSO Principle 15 | Provide privacy notice | 1.1.0 |
| Communication and Information | CC2.3 | COSO Principle 15 | Require third-party providers to comply with personnel security policies and procedures | 1.1.0 |
| Communication and Information | CC2.3 | COSO Principle 15 | Restrict communications | 1.1.0 |
| Communication and Information | CC2.3 | COSO Principle 15 | Subscriptions should have a contact email address for security issues | 1.0.1 |
| Risk Assessment | CC3.1 | COSO Principle 6 | Categorize information | 1.1.0 |
| Risk Assessment | CC3.1 | COSO Principle 6 | Determine information protection needs | 1.1.0 |
| Risk Assessment | CC3.1 | COSO Principle 6 | Develop business classification schemes | 1.1.0 |
| Risk Assessment | CC3.1 | COSO Principle 6 | Develop SSP that meets criteria | 1.1.0 |
| Risk Assessment | CC3.1 | COSO Principle 6 | Establish a risk management strategy | 1.1.0 |
| Risk Assessment | CC3.1 | COSO Principle 6 | Perform a risk assessment | 1.1.0 |
| Risk Assessment | CC3.1 | COSO Principle 6 | Review label activity and analytics | 1.1.0 |
| Risk Assessment | CC3.2 | COSO Principle 7 | Categorize information | 1.1.0 |
| Risk Assessment | CC3.2 | COSO Principle 7 | Determine information protection needs | 1.1.0 |
| Risk Assessment | CC3.2 | COSO Principle 7 | Develop business classification schemes | 1.1.0 |
| Risk Assessment | CC3.2 | COSO Principle 7 | Establish a risk management strategy | 1.1.0 |
| Risk Assessment | CC3.2 | COSO Principle 7 | Perform a risk assessment | 1.1.0 |
| Risk Assessment | CC3.2 | COSO Principle 7 | Perform vulnerability scans | 1.1.0 |
| Risk Assessment | CC3.2 | COSO Principle 7 | Remediate information system flaws | 1.1.0 |
| Risk Assessment | CC3.2 | COSO Principle 7 | Review label activity and analytics | 1.1.0 |
| Risk Assessment | CC3.3 | COSO Principle 8 | Perform a risk assessment | 1.1.0 |
| Risk Assessment | CC3.4 | COSO Principle 9 | Assess risk in third party relationships | 1.1.0 |
| Risk Assessment | CC3.4 | COSO Principle 9 | Define requirements for supplying goods and services | 1.1.0 |
| Risk Assessment | CC3.4 | COSO Principle 9 | Determine supplier contract obligations | 1.1.0 |
| Risk Assessment | CC3.4 | COSO Principle 9 | Establish a risk management strategy | 1.1.0 |
| Risk Assessment | CC3.4 | COSO Principle 9 | Establish policies for supply chain risk management | 1.1.0 |
| Risk Assessment | CC3.4 | COSO Principle 9 | Perform a risk assessment | 1.1.0 |
| Monitoring Activities | CC4.1 | COSO Principle 16 | Assess Security Controls | 1.1.0 |
| Monitoring Activities | CC4.1 | COSO Principle 16 | Develop security assessment plan | 1.1.0 |
| Monitoring Activities | CC4.1 | COSO Principle 16 | Select additional testing for security control assessments | 1.1.0 |
| Monitoring Activities | CC4.2 | COSO Principle 17 | Deliver security assessment results | 1.1.0 |
| Monitoring Activities | CC4.2 | COSO Principle 17 | Produce Security Assessment report | 1.1.0 |
| Control Activities | CC5.1 | COSO Principle 10 | Establish a risk management strategy | 1.1.0 |
| Control Activities | CC5.1 | COSO Principle 10 | Perform a risk assessment | 1.1.0 |
| Control Activities | CC5.2 | COSO Principle 11 | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| Control Activities | CC5.2 | COSO Principle 11 | Blocked accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| Control Activities | CC5.2 | COSO Principle 11 | Design an access control model | 1.1.0 |
| Control Activities | CC5.2 | COSO Principle 11 | Determine supplier contract obligations | 1.1.0 |
| Control Activities | CC5.2 | COSO Principle 11 | Document acquisition contract acceptance criteria | 1.1.0 |
| Control Activities | CC5.2 | COSO Principle 11 | Document protection of personal data in acquisition contracts | 1.1.0 |
| Control Activities | CC5.2 | COSO Principle 11 | Document protection of security information in acquisition contracts | 1.1.0 |
| Control Activities | CC5.2 | COSO Principle 11 | Document requirements for the use of shared data in contracts | 1.1.0 |
| Control Activities | CC5.2 | COSO Principle 11 | Document security assurance requirements in acquisition contracts | 1.1.0 |
| Control Activities | CC5.2 | COSO Principle 11 | Document security documentation requirements in acquisition contract | 1.1.0 |
| Control Activities | CC5.2 | COSO Principle 11 | Document security functional requirements in acquisition contracts | 1.1.0 |
| Control Activities | CC5.2 | COSO Principle 11 | Document security strength requirements in acquisition contracts | 1.1.0 |
| Control Activities | CC5.2 | COSO Principle 11 | Document the information system environment in acquisition contracts | 1.1.0 |
| Control Activities | CC5.2 | COSO Principle 11 | Document the protection of cardholder data in third party contracts | 1.1.0 |
| Control Activities | CC5.2 | COSO Principle 11 | Employ least privilege access | 1.1.0 |
| Control Activities | CC5.2 | COSO Principle 11 | Guest accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| Control Activities | CC5.2 | COSO Principle 11 | Perform a risk assessment | 1.1.0 |
| Control Activities | CC5.2 | COSO Principle 11 | There should be more than one owner assigned to your subscription | 3.0.0 |
| Control Activities | CC5.3 | COSO Principle 12 | Configure detection whitelist | 1.1.0 |
| Control Activities | CC5.3 | COSO Principle 12 | Perform a risk assessment | 1.1.0 |
| Control Activities | CC5.3 | COSO Principle 12 | Turn on sensors for endpoint security solution | 1.1.0 |
| Control Activities | CC5.3 | COSO Principle 12 | Undergo independent security review | 1.1.0 |
| Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | Accounts with owner permissions on Azure resources should be MFA enabled | 1.0.0 |
| Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | Accounts with read permissions on Azure resources should be MFA enabled | 1.0.0 |
| Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | Accounts with write permissions on Azure resources should be MFA enabled | 1.0.0 |
| Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | Adopt biometric authentication mechanisms | 1.1.0 |
| Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | Authorize access to security functions and information | 1.1.0 |
| Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | Authorize and manage access | 1.1.0 |
| Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | Authorize remote access | 1.1.0 |
| Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | Blocked accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | Control information flow | 1.1.0 |
| Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | Control physical access | 1.1.0 |
| Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | Create a data inventory | 1.1.0 |
| Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | Define a physical key management process | 1.1.0 |
| Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | Define cryptographic use | 1.1.0 |
| Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | Define organizational requirements for cryptographic key management | 1.1.0 |
| Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | Design an access control model | 1.1.0 |
| Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | Determine assertion requirements | 1.1.0 |
| Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | Document mobility training | 1.1.0 |
| Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | Document remote access guidelines | 1.1.0 |
| Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | Employ flow control mechanisms of encrypted information | 1.1.0 |
| Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | Employ least privilege access | 1.1.0 |
| Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | Enforce logical access | 1.1.0 |
| Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | Enforce mandatory and discretionary access control policies | 1.1.0 |
| Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | Establish a data leakage management procedure | 1.1.0 |
| Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | Establish firewall and router configuration standards | 1.1.0 |
| Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | Establish network segmentation for card holder data environment | 1.1.0 |
| Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | Guest accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | Identify and manage downstream information exchanges | 1.1.0 |
| Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | Implement controls to secure alternate work sites | 1.1.0 |
| Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | Implement physical security for offices, working areas, and secure areas | 1.1.0 |
| Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | Issue public key certificates | 1.1.0 |
| Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | Maintain records of processing of personal data | 1.1.0 |
| Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | Manage symmetric cryptographic keys | 1.1.0 |
| Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | Manage the input, output, processing, and storage of data | 1.1.0 |
| Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | Notify users of system logon or access | 1.1.0 |
| Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | Protect data in transit using encryption | 1.1.0 |
| Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | Protect special information | 1.1.0 |
| Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | Provide privacy training | 1.1.0 |
| Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | Require approval for account creation | 1.1.0 |
| Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | Restrict access to private keys | 1.1.0 |
| Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | Review user groups and applications with access to sensitive data | 1.1.0 |
| Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | There should be more than one owner assigned to your subscription | 3.0.0 |
| Logical and Physical Access Controls | CC6.2 | Access provisioning and removal | Assign account managers | 1.1.0 |
| Logical and Physical Access Controls | CC6.2 | Access provisioning and removal | Audit user account status | 1.1.0 |
| Logical and Physical Access Controls | CC6.2 | Access provisioning and removal | Blocked accounts with read and write permissions on Azure resources should be removed | 1.0.0 |
| Logical and Physical Access Controls | CC6.2 | Access provisioning and removal | Document access privileges | 1.1.0 |
| Logical and Physical Access Controls | CC6.2 | Access provisioning and removal | Establish conditions for role membership | 1.1.0 |
| Logical and Physical Access Controls | CC6.2 | Access provisioning and removal | Guest accounts with read permissions on Azure resources should be removed | 1.0.0 |
| Logical and Physical Access Controls | CC6.2 | Access provisioning and removal | Guest accounts with write permissions on Azure resources should be removed | 1.0.0 |
| Logical and Physical Access Controls | CC6.2 | Access provisioning and removal | Require approval for account creation | 1.1.0 |
| Logical and Physical Access Controls | CC6.2 | Access provisioning and removal | Restrict access to privileged accounts | 1.1.0 |
| Logical and Physical Access Controls | CC6.2 | Access provisioning and removal | Review account provisioning logs | 1.1.0 |
| Logical and Physical Access Controls | CC6.2 | Access provisioning and removal | Review user accounts | 1.1.0 |
| Logical and Physical Access Controls | CC6.3 | Rol based access and least privilege | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| Logical and Physical Access Controls | CC6.3 | Rol based access and least privilege | Audit privileged functions | 1.1.0 |
| Logical and Physical Access Controls | CC6.3 | Rol based access and least privilege | Audit user account status | 1.1.0 |
| Logical and Physical Access Controls | CC6.3 | Rol based access and least privilege | Blocked accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| Logical and Physical Access Controls | CC6.3 | Rol based access and least privilege | Blocked accounts with read and write permissions on Azure resources should be removed | 1.0.0 |
| Logical and Physical Access Controls | CC6.3 | Rol based access and least privilege | Design an access control model | 1.1.0 |
| Logical and Physical Access Controls | CC6.3 | Rol based access and least privilege | Employ least privilege access | 1.1.0 |
| Logical and Physical Access Controls | CC6.3 | Rol based access and least privilege | Guest accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| Logical and Physical Access Controls | CC6.3 | Rol based access and least privilege | Guest accounts with read permissions on Azure resources should be removed | 1.0.0 |
| Logical and Physical Access Controls | CC6.3 | Rol based access and least privilege | Guest accounts with write permissions on Azure resources should be removed | 1.0.0 |
| Logical and Physical Access Controls | CC6.3 | Rol based access and least privilege | Monitor privileged role assignment | 1.1.0 |
| Logical and Physical Access Controls | CC6.3 | Rol based access and least privilege | Restrict access to privileged accounts | 1.1.0 |
| Logical and Physical Access Controls | CC6.3 | Rol based access and least privilege | Review account provisioning logs | 1.1.0 |
| Logical and Physical Access Controls | CC6.3 | Rol based access and least privilege | Review user accounts | 1.1.0 |
| Logical and Physical Access Controls | CC6.3 | Rol based access and least privilege | Review user privileges | 1.1.0 |
| Logical and Physical Access Controls | CC6.3 | Rol based access and least privilege | Revoke privileged roles as appropriate | 1.1.0 |
| Logical and Physical Access Controls | CC6.3 | Rol based access and least privilege | There should be more than one owner assigned to your subscription | 3.0.0 |
| Logical and Physical Access Controls | CC6.3 | Rol based access and least privilege | Use privileged identity management | 1.1.0 |
| Logical and Physical Access Controls | CC6.4 | Restricted physical access | Control physical access | 1.1.0 |
| Logical and Physical Access Controls | CC6.5 | Logical and physical protections over physical assets | Employ a media sanitization mechanism | 1.1.0 |
| Logical and Physical Access Controls | CC6.5 | Logical and physical protections over physical assets | Implement controls to secure all media | 1.1.0 |
| Logical and Physical Access Controls | CC6.6 | Security measures against threats outside system boundaries | Accounts with owner permissions on Azure resources should be MFA enabled | 1.0.0 |
| Logical and Physical Access Controls | CC6.6 | Security measures against threats outside system boundaries | Accounts with read permissions on Azure resources should be MFA enabled | 1.0.0 |
| Logical and Physical Access Controls | CC6.6 | Security measures against threats outside system boundaries | Accounts with write permissions on Azure resources should be MFA enabled | 1.0.0 |
| Logical and Physical Access Controls | CC6.6 | Security measures against threats outside system boundaries | Adopt biometric authentication mechanisms | 1.1.0 |
| Logical and Physical Access Controls | CC6.6 | Security measures against threats outside system boundaries | Authorize remote access | 1.1.0 |
| Logical and Physical Access Controls | CC6.6 | Security measures against threats outside system boundaries | Control information flow | 1.1.0 |
| Logical and Physical Access Controls | CC6.6 | Security measures against threats outside system boundaries | Document mobility training | 1.1.0 |
| Logical and Physical Access Controls | CC6.6 | Security measures against threats outside system boundaries | Document remote access guidelines | 1.1.0 |
| Logical and Physical Access Controls | CC6.6 | Security measures against threats outside system boundaries | Employ flow control mechanisms of encrypted information | 1.1.0 |
| Logical and Physical Access Controls | CC6.6 | Security measures against threats outside system boundaries | Establish firewall and router configuration standards | 1.1.0 |
| Logical and Physical Access Controls | CC6.6 | Security measures against threats outside system boundaries | Establish network segmentation for card holder data environment | 1.1.0 |
| Logical and Physical Access Controls | CC6.6 | Security measures against threats outside system boundaries | Identify and authenticate network devices | 1.1.0 |
| Logical and Physical Access Controls | CC6.6 | Security measures against threats outside system boundaries | Identify and manage downstream information exchanges | 1.1.0 |
| Logical and Physical Access Controls | CC6.6 | Security measures against threats outside system boundaries | Implement controls to secure alternate work sites | 1.1.0 |
| Logical and Physical Access Controls | CC6.6 | Security measures against threats outside system boundaries | Implement system boundary protection | 1.1.0 |
| Logical and Physical Access Controls | CC6.6 | Security measures against threats outside system boundaries | Notify users of system logon or access | 1.1.0 |
| Logical and Physical Access Controls | CC6.6 | Security measures against threats outside system boundaries | Protect data in transit using encryption | 1.1.0 |
| Logical and Physical Access Controls | CC6.6 | Security measures against threats outside system boundaries | Provide privacy training | 1.1.0 |
| Logical and Physical Access Controls | CC6.7 | Restrict the movement of information to authorized users | Configure workstations to check for digital certificates | 1.1.0 |
| Logical and Physical Access Controls | CC6.7 | Restrict the movement of information to authorized users | Control information flow | 1.1.0 |
| Logical and Physical Access Controls | CC6.7 | Restrict the movement of information to authorized users | Define mobile device requirements | 1.1.0 |
| Logical and Physical Access Controls | CC6.7 | Restrict the movement of information to authorized users | Employ a media sanitization mechanism | 1.1.0 |
| Logical and Physical Access Controls | CC6.7 | Restrict the movement of information to authorized users | Employ flow control mechanisms of encrypted information | 1.1.0 |
| Logical and Physical Access Controls | CC6.7 | Restrict the movement of information to authorized users | Establish firewall and router configuration standards | 1.1.0 |
| Logical and Physical Access Controls | CC6.7 | Restrict the movement of information to authorized users | Establish network segmentation for card holder data environment | 1.1.0 |
| Logical and Physical Access Controls | CC6.7 | Restrict the movement of information to authorized users | Identify and manage downstream information exchanges | 1.1.0 |
| Logical and Physical Access Controls | CC6.7 | Restrict the movement of information to authorized users | Implement controls to secure all media | 1.1.0 |
| Logical and Physical Access Controls | CC6.7 | Restrict the movement of information to authorized users | Manage the transportation of assets | 1.1.0 |
| Logical and Physical Access Controls | CC6.7 | Restrict the movement of information to authorized users | Protect data in transit using encryption | 1.1.0 |
| Logical and Physical Access Controls | CC6.7 | Restrict the movement of information to authorized users | Protect passwords with encryption | 1.1.0 |
| Logical and Physical Access Controls | CC6.8 | Prevent or detect against unauthorized or malicious software | Block untrusted and unsigned processes that run from USB | 1.1.0 |
| Logical and Physical Access Controls | CC6.8 | Prevent or detect against unauthorized or malicious software | Manage gateways | 1.1.0 |
| Logical and Physical Access Controls | CC6.8 | Prevent or detect against unauthorized or malicious software | Perform a trend analysis on threats | 1.1.0 |
| Logical and Physical Access Controls | CC6.8 | Prevent or detect against unauthorized or malicious software | Perform vulnerability scans | 1.1.0 |
| Logical and Physical Access Controls | CC6.8 | Prevent or detect against unauthorized or malicious software | Review malware detections report weekly | 1.1.0 |
| Logical and Physical Access Controls | CC6.8 | Prevent or detect against unauthorized or malicious software | Review threat protection status weekly | 1.1.0 |
| Logical and Physical Access Controls | CC6.8 | Prevent or detect against unauthorized or malicious software | Update antivirus definitions | 1.1.0 |
| Logical and Physical Access Controls | CC6.8 | Prevent or detect against unauthorized or malicious software | Verify software, firmware and information integrity | 1.1.0 |
| Logical and Physical Access Controls | CC6.8 | Prevent or detect against unauthorized or malicious software | View and configure system diagnostic data | 1.1.0 |
| System Operations | CC7.1 | Detection and monitoring of new vulnerabilities | Configure actions for noncompliant devices | 1.1.0 |
| System Operations | CC7.1 | Detection and monitoring of new vulnerabilities | Develop and maintain baseline configurations | 1.1.0 |
| System Operations | CC7.1 | Detection and monitoring of new vulnerabilities | Enable detection of network devices | 1.1.0 |
| System Operations | CC7.1 | Detection and monitoring of new vulnerabilities | Enforce security configuration settings | 1.1.0 |
| System Operations | CC7.1 | Detection and monitoring of new vulnerabilities | Establish a configuration control board | 1.1.0 |
| System Operations | CC7.1 | Detection and monitoring of new vulnerabilities | Establish and document a configuration management plan | 1.1.0 |
| System Operations | CC7.1 | Detection and monitoring of new vulnerabilities | Implement an automated configuration management tool | 1.1.0 |
| System Operations | CC7.1 | Detection and monitoring of new vulnerabilities | Perform vulnerability scans | 1.1.0 |
| System Operations | CC7.1 | Detection and monitoring of new vulnerabilities | Remediate information system flaws | 1.1.0 |
| System Operations | CC7.1 | Detection and monitoring of new vulnerabilities | Set automated notifications for new and trending cloud applications in your organization | 1.1.0 |
| System Operations | CC7.1 | Detection and monitoring of new vulnerabilities | Verify software, firmware and information integrity | 1.1.0 |
| System Operations | CC7.1 | Detection and monitoring of new vulnerabilities | View and configure system diagnostic data | 1.1.0 |
| System Operations | CC7.2 | Monitor system components for anomalous behavior | An activity log alert should exist for specific Administrative operations | 1.0.0 |
| System Operations | CC7.2 | Monitor system components for anomalous behavior | An activity log alert should exist for specific Policy operations | 3.0.0 |
| System Operations | CC7.2 | Monitor system components for anomalous behavior | An activity log alert should exist for specific Security operations | 1.0.0 |
| System Operations | CC7.2 | Monitor system components for anomalous behavior | Azure Defender for App Service should be enabled | 1.0.3 |
| System Operations | CC7.2 | Monitor system components for anomalous behavior | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| System Operations | CC7.2 | Monitor system components for anomalous behavior | Azure Defender for Key Vault should be enabled | 1.0.3 |
| System Operations | CC7.2 | Monitor system components for anomalous behavior | Azure Defender for open-source relational databases should be enabled | 1.0.0 |
| System Operations | CC7.2 | Monitor system components for anomalous behavior | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| System Operations | CC7.2 | Monitor system components for anomalous behavior | Azure Defender for servers should be enabled | 1.0.3 |
| System Operations | CC7.2 | Monitor system components for anomalous behavior | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| System Operations | CC7.2 | Monitor system components for anomalous behavior | Detect network services that have not been authorized or approved | 1.1.0 |
| System Operations | CC7.2 | Monitor system components for anomalous behavior | Govern and monitor audit processing activities | 1.1.0 |
| System Operations | CC7.2 | Monitor system components for anomalous behavior | Microsoft Defender for Containers should be enabled | 1.0.0 |
| System Operations | CC7.2 | Monitor system components for anomalous behavior | Microsoft Defender for Storage should be enabled | 1.0.0 |
| System Operations | CC7.2 | Monitor system components for anomalous behavior | Perform a trend analysis on threats | 1.1.0 |
| System Operations | CC7.3 | Security incidents detection | Review and update incident response policies and procedures | 1.1.0 |
| System Operations | CC7.4 | Security incidents response | Assess information security events | 1.1.0 |
| System Operations | CC7.4 | Security incidents response | Coordinate contingency plans with related plans | 1.1.0 |
| System Operations | CC7.4 | Security incidents response | Develop an incident response plan | 1.1.0 |
| System Operations | CC7.4 | Security incidents response | Develop security safeguards | 1.1.0 |
| System Operations | CC7.4 | Security incidents response | Email notification for high severity alerts should be enabled | 1.1.0 |
| System Operations | CC7.4 | Security incidents response | Email notification to subscription owner for high severity alerts should be enabled | 2.1.0 |
| System Operations | CC7.4 | Security incidents response | Enable network protection | 1.1.0 |
| System Operations | CC7.4 | Security incidents response | Eradicate contaminated information | 1.1.0 |
| System Operations | CC7.4 | Security incidents response | Execute actions in response to information spills | 1.1.0 |
| System Operations | CC7.4 | Security incidents response | Identify classes of Incidents and Actions taken | 1.1.0 |
| System Operations | CC7.4 | Security incidents response | Implement incident handling | 1.1.0 |
| System Operations | CC7.4 | Security incidents response | Include dynamic reconfig of customer deployed resources | 1.1.0 |
| System Operations | CC7.4 | Security incidents response | Maintain incident response plan | 1.1.0 |
| System Operations | CC7.4 | Security incidents response | Perform a trend analysis on threats | 1.1.0 |
| System Operations | CC7.4 | Security incidents response | Subscriptions should have a contact email address for security issues | 1.0.1 |
| System Operations | CC7.4 | Security incidents response | View and investigate restricted users | 1.1.0 |
| System Operations | CC7.5 | Recovery from identified security incidents | Assess information security events | 1.1.0 |
| System Operations | CC7.5 | Recovery from identified security incidents | Conduct incident response testing | 1.1.0 |
| System Operations | CC7.5 | Recovery from identified security incidents | Coordinate contingency plans with related plans | 1.1.0 |
| System Operations | CC7.5 | Recovery from identified security incidents | Coordinate with external organizations to achieve cross org perspective | 1.1.0 |
| System Operations | CC7.5 | Recovery from identified security incidents | Develop an incident response plan | 1.1.0 |
| System Operations | CC7.5 | Recovery from identified security incidents | Develop security safeguards | 1.1.0 |
| System Operations | CC7.5 | Recovery from identified security incidents | Email notification for high severity alerts should be enabled | 1.1.0 |
| System Operations | CC7.5 | Recovery from identified security incidents | Email notification to subscription owner for high severity alerts should be enabled | 2.1.0 |
| System Operations | CC7.5 | Recovery from identified security incidents | Enable network protection | 1.1.0 |
| System Operations | CC7.5 | Recovery from identified security incidents | Eradicate contaminated information | 1.1.0 |
| System Operations | CC7.5 | Recovery from identified security incidents | Establish an information security program | 1.1.0 |
| System Operations | CC7.5 | Recovery from identified security incidents | Execute actions in response to information spills | 1.1.0 |
| System Operations | CC7.5 | Recovery from identified security incidents | Implement incident handling | 1.1.0 |
| System Operations | CC7.5 | Recovery from identified security incidents | Maintain incident response plan | 1.1.0 |
| System Operations | CC7.5 | Recovery from identified security incidents | Perform a trend analysis on threats | 1.1.0 |
| System Operations | CC7.5 | Recovery from identified security incidents | Run simulation attacks | 1.1.0 |
| System Operations | CC7.5 | Recovery from identified security incidents | Subscriptions should have a contact email address for security issues | 1.0.1 |
| System Operations | CC7.5 | Recovery from identified security incidents | View and investigate restricted users | 1.1.0 |
| Change Management | CC8.1 | Changes to infrastructure, data, and software | Conduct a security impact analysis | 1.1.0 |
| Change Management | CC8.1 | Changes to infrastructure, data, and software | Configure actions for noncompliant devices | 1.1.0 |
| Change Management | CC8.1 | Changes to infrastructure, data, and software | Develop and maintain a vulnerability management standard | 1.1.0 |
| Change Management | CC8.1 | Changes to infrastructure, data, and software | Develop and maintain baseline configurations | 1.1.0 |
| Change Management | CC8.1 | Changes to infrastructure, data, and software | Enforce security configuration settings | 1.1.0 |
| Change Management | CC8.1 | Changes to infrastructure, data, and software | Establish a configuration control board | 1.1.0 |
| Change Management | CC8.1 | Changes to infrastructure, data, and software | Establish a risk management strategy | 1.1.0 |
| Change Management | CC8.1 | Changes to infrastructure, data, and software | Establish and document a configuration management plan | 1.1.0 |
| Change Management | CC8.1 | Changes to infrastructure, data, and software | Establish and document change control processes | 1.1.0 |
| Change Management | CC8.1 | Changes to infrastructure, data, and software | Establish configuration management requirements for developers | 1.1.0 |
| Change Management | CC8.1 | Changes to infrastructure, data, and software | Implement an automated configuration management tool | 1.1.0 |
| Change Management | CC8.1 | Changes to infrastructure, data, and software | Perform a privacy impact assessment | 1.1.0 |
| Change Management | CC8.1 | Changes to infrastructure, data, and software | Perform a risk assessment | 1.1.0 |
| Change Management | CC8.1 | Changes to infrastructure, data, and software | Perform audit for configuration change control | 1.1.0 |
| Risk Mitigation | CC9.1 | Risk mitigation activities | Determine information protection needs | 1.1.0 |
| Risk Mitigation | CC9.1 | Risk mitigation activities | Establish a risk management strategy | 1.1.0 |
| Risk Mitigation | CC9.1 | Risk mitigation activities | Perform a risk assessment | 1.1.0 |
| Risk Mitigation | CC9.2 | Vendors and business partners risk management | Assess risk in third party relationships | 1.1.0 |
| Risk Mitigation | CC9.2 | Vendors and business partners risk management | Define requirements for supplying goods and services | 1.1.0 |
| Risk Mitigation | CC9.2 | Vendors and business partners risk management | Define the duties of processors | 1.1.0 |
| Risk Mitigation | CC9.2 | Vendors and business partners risk management | Determine supplier contract obligations | 1.1.0 |
| Risk Mitigation | CC9.2 | Vendors and business partners risk management | Document acquisition contract acceptance criteria | 1.1.0 |
| Risk Mitigation | CC9.2 | Vendors and business partners risk management | Document protection of personal data in acquisition contracts | 1.1.0 |
| Risk Mitigation | CC9.2 | Vendors and business partners risk management | Document protection of security information in acquisition contracts | 1.1.0 |
| Risk Mitigation | CC9.2 | Vendors and business partners risk management | Document requirements for the use of shared data in contracts | 1.1.0 |
| Risk Mitigation | CC9.2 | Vendors and business partners risk management | Document security assurance requirements in acquisition contracts | 1.1.0 |
| Risk Mitigation | CC9.2 | Vendors and business partners risk management | Document security documentation requirements in acquisition contract | 1.1.0 |
| Risk Mitigation | CC9.2 | Vendors and business partners risk management | Document security functional requirements in acquisition contracts | 1.1.0 |
| Risk Mitigation | CC9.2 | Vendors and business partners risk management | Document security strength requirements in acquisition contracts | 1.1.0 |
| Risk Mitigation | CC9.2 | Vendors and business partners risk management | Document the information system environment in acquisition contracts | 1.1.0 |
| Risk Mitigation | CC9.2 | Vendors and business partners risk management | Document the protection of cardholder data in third party contracts | 1.1.0 |
| Risk Mitigation | CC9.2 | Vendors and business partners risk management | Establish policies for supply chain risk management | 1.1.0 |
| Risk Mitigation | CC9.2 | Vendors and business partners risk management | Establish third-party personnel security requirements | 1.1.0 |
| Risk Mitigation | CC9.2 | Vendors and business partners risk management | Monitor third-party provider compliance | 1.1.0 |
| Risk Mitigation | CC9.2 | Vendors and business partners risk management | Record disclosures of PII to third parties | 1.1.0 |
| Risk Mitigation | CC9.2 | Vendors and business partners risk management | Require third-party providers to comply with personnel security policies and procedures | 1.1.0 |
| Risk Mitigation | CC9.2 | Vendors and business partners risk management | Train staff on PII sharing and its consequences | 1.1.0 |
| Additional Criteria For Privacy | P1.1 | Privacy notice | Document and distribute a privacy policy | 1.1.0 |
| Additional Criteria For Privacy | P1.1 | Privacy notice | Ensure privacy program information is publicly available | 1.1.0 |
| Additional Criteria For Privacy | P1.1 | Privacy notice | Implement privacy notice delivery methods | 1.1.0 |
| Additional Criteria For Privacy | P1.1 | Privacy notice | Provide privacy notice | 1.1.0 |
| Additional Criteria For Privacy | P1.1 | Privacy notice | Provide privacy notice to the public and to individuals | 1.1.0 |
| Additional Criteria For Privacy | P2.1 | Privacy consent | Document personnel acceptance of privacy requirements | 1.1.0 |
| Additional Criteria For Privacy | P2.1 | Privacy consent | Implement privacy notice delivery methods | 1.1.0 |
| Additional Criteria For Privacy | P2.1 | Privacy consent | Obtain consent prior to collection or processing of personal data | 1.1.0 |
| Additional Criteria For Privacy | P2.1 | Privacy consent | Provide privacy notice | 1.1.0 |
| Additional Criteria For Privacy | P3.1 | Consistent personal information collection | Determine legal authority to collect PII | 1.1.0 |
| Additional Criteria For Privacy | P3.1 | Consistent personal information collection | Document process to ensure integrity of PII | 1.1.0 |
| Additional Criteria For Privacy | P3.1 | Consistent personal information collection | Evaluate and review PII holdings regularly | 1.1.0 |
| Additional Criteria For Privacy | P3.1 | Consistent personal information collection | Obtain consent prior to collection or processing of personal data | 1.1.0 |
| Additional Criteria For Privacy | P3.2 | Personal information explicit consent | Collect PII directly from the individual | 1.1.0 |
| Additional Criteria For Privacy | P3.2 | Personal information explicit consent | Obtain consent prior to collection or processing of personal data | 1.1.0 |
| Additional Criteria For Privacy | P4.1 | Personal information use | Document the legal basis for processing personal information | 1.1.0 |
| Additional Criteria For Privacy | P4.1 | Personal information use | Implement privacy notice delivery methods | 1.1.0 |
| Additional Criteria For Privacy | P4.1 | Personal information use | Obtain consent prior to collection or processing of personal data | 1.1.0 |
| Additional Criteria For Privacy | P4.1 | Personal information use | Provide privacy notice | 1.1.0 |
| Additional Criteria For Privacy | P4.1 | Personal information use | Restrict communications | 1.1.0 |
| Additional Criteria For Privacy | P4.2 | Personal information retention | Adhere to retention periods defined | 1.1.0 |
| Additional Criteria For Privacy | P4.2 | Personal information retention | Document process to ensure integrity of PII | 1.1.0 |
| Additional Criteria For Privacy | P4.3 | Personal information disposal | Perform disposition review | 1.1.0 |
| Additional Criteria For Privacy | P4.3 | Personal information disposal | Verify personal data is deleted at the end of processing | 1.1.0 |
| Additional Criteria For Privacy | P5.1 | Personal information access | Implement methods for consumer requests | 1.1.0 |
| Additional Criteria For Privacy | P5.1 | Personal information access | Publish rules and regulations accessing Privacy Act records | 1.1.0 |
| Additional Criteria For Privacy | P5.2 | Personal information correction | Respond to rectification requests | 1.1.0 |
| Additional Criteria For Privacy | P6.1 | Personal information third party disclosure | Define the duties of processors | 1.1.0 |
| Additional Criteria For Privacy | P6.1 | Personal information third party disclosure | Determine supplier contract obligations | 1.1.0 |
| Additional Criteria For Privacy | P6.1 | Personal information third party disclosure | Document acquisition contract acceptance criteria | 1.1.0 |
| Additional Criteria For Privacy | P6.1 | Personal information third party disclosure | Document protection of personal data in acquisition contracts | 1.1.0 |
| Additional Criteria For Privacy | P6.1 | Personal information third party disclosure | Document protection of security information in acquisition contracts | 1.1.0 |
| Additional Criteria For Privacy | P6.1 | Personal information third party disclosure | Document requirements for the use of shared data in contracts | 1.1.0 |
| Additional Criteria For Privacy | P6.1 | Personal information third party disclosure | Document security assurance requirements in acquisition contracts | 1.1.0 |
| Additional Criteria For Privacy | P6.1 | Personal information third party disclosure | Document security documentation requirements in acquisition contract | 1.1.0 |
| Additional Criteria For Privacy | P6.1 | Personal information third party disclosure | Document security functional requirements in acquisition contracts | 1.1.0 |
| Additional Criteria For Privacy | P6.1 | Personal information third party disclosure | Document security strength requirements in acquisition contracts | 1.1.0 |
| Additional Criteria For Privacy | P6.1 | Personal information third party disclosure | Document the information system environment in acquisition contracts | 1.1.0 |
| Additional Criteria For Privacy | P6.1 | Personal information third party disclosure | Document the protection of cardholder data in third party contracts | 1.1.0 |
| Additional Criteria For Privacy | P6.1 | Personal information third party disclosure | Establish privacy requirements for contractors and service providers | 1.1.0 |
| Additional Criteria For Privacy | P6.1 | Personal information third party disclosure | Record disclosures of PII to third parties | 1.1.0 |
| Additional Criteria For Privacy | P6.1 | Personal information third party disclosure | Train staff on PII sharing and its consequences | 1.1.0 |
| Additional Criteria For Privacy | P6.2 | Authorized disclosure of personal information record | Keep accurate accounting of disclosures of information | 1.1.0 |
| Additional Criteria For Privacy | P6.3 | Unauthorized disclosure of personal information record | Keep accurate accounting of disclosures of information | 1.1.0 |
| Additional Criteria For Privacy | P6.4 | Third party agreements | Define the duties of processors | 1.1.0 |
| Additional Criteria For Privacy | P6.5 | Third party unauthorized disclosure notification | Determine supplier contract obligations | 1.1.0 |
| Additional Criteria For Privacy | P6.5 | Third party unauthorized disclosure notification | Document acquisition contract acceptance criteria | 1.1.0 |
| Additional Criteria For Privacy | P6.5 | Third party unauthorized disclosure notification | Document protection of personal data in acquisition contracts | 1.1.0 |
| Additional Criteria For Privacy | P6.5 | Third party unauthorized disclosure notification | Document protection of security information in acquisition contracts | 1.1.0 |
| Additional Criteria For Privacy | P6.5 | Third party unauthorized disclosure notification | Document requirements for the use of shared data in contracts | 1.1.0 |
| Additional Criteria For Privacy | P6.5 | Third party unauthorized disclosure notification | Document security assurance requirements in acquisition contracts | 1.1.0 |
| Additional Criteria For Privacy | P6.5 | Third party unauthorized disclosure notification | Document security documentation requirements in acquisition contract | 1.1.0 |
| Additional Criteria For Privacy | P6.5 | Third party unauthorized disclosure notification | Document security functional requirements in acquisition contracts | 1.1.0 |
| Additional Criteria For Privacy | P6.5 | Third party unauthorized disclosure notification | Document security strength requirements in acquisition contracts | 1.1.0 |
| Additional Criteria For Privacy | P6.5 | Third party unauthorized disclosure notification | Document the information system environment in acquisition contracts | 1.1.0 |
| Additional Criteria For Privacy | P6.5 | Third party unauthorized disclosure notification | Document the protection of cardholder data in third party contracts | 1.1.0 |
| Additional Criteria For Privacy | P6.5 | Third party unauthorized disclosure notification | Information security and personal data protection | 1.1.0 |
| Additional Criteria For Privacy | P6.6 | Privacy incident notification | Develop an incident response plan | 1.1.0 |
| Additional Criteria For Privacy | P6.6 | Privacy incident notification | Information security and personal data protection | 1.1.0 |
| Additional Criteria For Privacy | P6.7 | Accounting of disclosure of personal information | Implement privacy notice delivery methods | 1.1.0 |
| Additional Criteria For Privacy | P6.7 | Accounting of disclosure of personal information | Keep accurate accounting of disclosures of information | 1.1.0 |
| Additional Criteria For Privacy | P6.7 | Accounting of disclosure of personal information | Make accounting of disclosures available upon request | 1.1.0 |
| Additional Criteria For Privacy | P6.7 | Accounting of disclosure of personal information | Provide privacy notice | 1.1.0 |
| Additional Criteria For Privacy | P6.7 | Accounting of disclosure of personal information | Restrict communications | 1.1.0 |
| Additional Criteria For Privacy | P7.1 | Personal information quality | Confirm quality and integrity of PII | 1.1.0 |
| Additional Criteria For Privacy | P7.1 | Personal information quality | Issue guidelines for ensuring data quality and integrity | 1.1.0 |
| Additional Criteria For Privacy | P7.1 | Personal information quality | Verify inaccurate or outdated PII | 1.1.0 |
| Additional Criteria For Privacy | P8.1 | Privacy complaint management and compliance management | Document and implement privacy complaint procedures | 1.1.0 |
| Additional Criteria For Privacy | P8.1 | Privacy complaint management and compliance management | Evaluate and review PII holdings regularly | 1.1.0 |
| Additional Criteria For Privacy | P8.1 | Privacy complaint management and compliance management | Information security and personal data protection | 1.1.0 |
| Additional Criteria For Privacy | P8.1 | Privacy complaint management and compliance management | Respond to complaints, concerns, or questions timely | 1.1.0 |
| Additional Criteria For Privacy | P8.1 | Privacy complaint management and compliance management | Train staff on PII sharing and its consequences | 1.1.0 |
| Additional Criteria For Processing Integrity | PI1.1 | Data processing definitions | Implement privacy notice delivery methods | 1.1.0 |
| Additional Criteria For Processing Integrity | PI1.1 | Data processing definitions | Provide privacy notice | 1.1.0 |
| Additional Criteria For Processing Integrity | PI1.1 | Data processing definitions | Restrict communications | 1.1.0 |
| Additional Criteria For Processing Integrity | PI1.2 | System inputs over completeness and accuracy | Perform information input validation | 1.1.0 |
| Additional Criteria For Processing Integrity | PI1.3 | System processing | Control physical access | 1.1.0 |
| Additional Criteria For Processing Integrity | PI1.3 | System processing | Generate error messages | 1.1.0 |
| Additional Criteria For Processing Integrity | PI1.3 | System processing | Manage the input, output, processing, and storage of data | 1.1.0 |
| Additional Criteria For Processing Integrity | PI1.3 | System processing | Perform information input validation | 1.1.0 |
| Additional Criteria For Processing Integrity | PI1.3 | System processing | Review label activity and analytics | 1.1.0 |
| Additional Criteria For Processing Integrity | PI1.4 | System output is complete, accurate, and timely | Control physical access | 1.1.0 |
| Additional Criteria For Processing Integrity | PI1.4 | System output is complete, accurate, and timely | Manage the input, output, processing, and storage of data | 1.1.0 |
| Additional Criteria For Processing Integrity | PI1.4 | System output is complete, accurate, and timely | Review label activity and analytics | 1.1.0 |
| Additional Criteria For Processing Integrity | PI1.5 | Store inputs and outputs completely, accurately, and timely | Control physical access | 1.1.0 |
| Additional Criteria For Processing Integrity | PI1.5 | Store inputs and outputs completely, accurately, and timely | Establish backup policies and procedures | 1.1.0 |
| Additional Criteria For Processing Integrity | PI1.5 | Store inputs and outputs completely, accurately, and timely | Implement controls to secure all media | 1.1.0 |
| Additional Criteria For Processing Integrity | PI1.5 | Store inputs and outputs completely, accurately, and timely | Manage the input, output, processing, and storage of data | 1.1.0 |
| Additional Criteria For Processing Integrity | PI1.5 | Store inputs and outputs completely, accurately, and timely | Review label activity and analytics | 1.1.0 |
| Additional Criteria For Processing Integrity | PI1.5 | Store inputs and outputs completely, accurately, and timely | Separately store backup information | 1.1.0 |
UK OFFICIAL and UK NHS
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - UK OFFICIAL and UK NHS. For more information about this compliance standard, see UK OFFICIAL.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| Identity and authentication | 10 | Identity and authentication | Accounts with owner permissions on Azure resources should be MFA enabled | 1.0.0 |
| Identity and authentication | 10 | Identity and authentication | Accounts with read permissions on Azure resources should be MFA enabled | 1.0.0 |
| Identity and authentication | 10 | Identity and authentication | Accounts with write permissions on Azure resources should be MFA enabled | 1.0.0 |
| Identity and authentication | 10 | Identity and authentication | Blocked accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| Identity and authentication | 10 | Identity and authentication | Blocked accounts with read and write permissions on Azure resources should be removed | 1.0.0 |
| Identity and authentication | 10 | Identity and authentication | Guest accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| Identity and authentication | 10 | Identity and authentication | Guest accounts with read permissions on Azure resources should be removed | 1.0.0 |
| Identity and authentication | 10 | Identity and authentication | Guest accounts with write permissions on Azure resources should be removed | 1.0.0 |
| Operational security | 5.3 | Protective Monitoring | Audit virtual machines without disaster recovery configured | 1.0.0 |
| Secure user management | 9.1 | Authentication of users to management interfaces and support channels | Accounts with owner permissions on Azure resources should be MFA enabled | 1.0.0 |
| Secure user management | 9.1 | Authentication of users to management interfaces and support channels | Accounts with read permissions on Azure resources should be MFA enabled | 1.0.0 |
| Secure user management | 9.1 | Authentication of users to management interfaces and support channels | Accounts with write permissions on Azure resources should be MFA enabled | 1.0.0 |
| Secure user management | 9.1 | Authentication of users to management interfaces and support channels | Guest accounts with owner permissions on Azure resources should be removed | 1.0.0 |
| Secure user management | 9.1 | Authentication of users to management interfaces and support channels | Guest accounts with read permissions on Azure resources should be removed | 1.0.0 |
| Secure user management | 9.1 | Authentication of users to management interfaces and support channels | Guest accounts with write permissions on Azure resources should be removed | 1.0.0 |
Next steps
- Learn more about Azure Policy Regulatory Compliance.
- See the built-ins on the Azure Policy GitHub repo.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for