Details of the FedRAMP High Regulatory Compliance built-in initiative

The following article details how the Azure Policy Regulatory Compliance built-in initiative definition maps to compliance domains and controls in FedRAMP High. For more information about this compliance standard, see FedRAMP High. To understand Ownership, see Azure Policy policy definition and Shared responsibility in the cloud.

The following mappings are to the FedRAMP High controls. Many of the controls are implemented with an Azure Policy initiative definition. To review the complete initiative definition, open Policy in the Azure portal and select the Definitions page. Then, find and select the FedRAMP High Regulatory Compliance built-in initiative definition.

Important

Each control below is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, there often is not a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policy definitions themselves; this doesn't ensure you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between compliance domains, controls, and Azure Policy definitions for this compliance standard may change over time. To view the change history, see the GitHub Commit History.

Access Control

Access Control Policy And Procedures

ID: FedRAMP High AC-1 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop access control policies and procedures | CMA_0144 - Develop access control policies and procedures | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Govern policies and procedures | CMA_0292 - Govern policies and procedures | Manual, Disabled | 1.1.0 |
| Review access control policies and procedures | CMA_0457 - Review access control policies and procedures | Manual, Disabled | 1.1.0 |

Account Management

ID: FedRAMP High AC-2 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| A maximum of 3 owners should be designated for your subscription | It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. | AuditIfNotExists, Disabled | 3.0.0 |
| An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services. | AuditIfNotExists, Disabled | 1.0.0 |
| App Service apps should use managed identity | Use a managed identity for enhanced authentication security. | AuditIfNotExists, Disabled | 3.0.0 |
| Assign account managers | CMA_0015 - Assign account managers | Manual, Disabled | 1.1.0 |
| Audit usage of custom RBAC roles | Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling. | Audit, Disabled | 1.0.1 |
| Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
| Azure AI Services resources should have key access disabled (disable local authentication) | Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining the minimum privilege principle and granular control. Learn more at: https://aka.ms/AI/auth | Audit, Deny, Disabled | 1.1.0 |
| Blocked accounts with owner permissions on Azure resources should be removed | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 1.0.0 |
| Blocked accounts with read and write permissions on Azure resources should be removed | Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 1.0.0 |
| Define and enforce conditions for shared and group accounts | CMA_0117 - Define and enforce conditions for shared and group accounts | Manual, Disabled | 1.1.0 |
| Define information system account types | CMA_0121 - Define information system account types | Manual, Disabled | 1.1.0 |
| Document access privileges | CMA_0186 - Document access privileges | Manual, Disabled | 1.1.0 |
| Establish conditions for role membership | CMA_0269 - Establish conditions for role membership | Manual, Disabled | 1.1.0 |
| Function apps should use managed identity | Use a managed identity for enhanced authentication security. | AuditIfNotExists, Disabled | 3.0.0 |
| Guest accounts with owner permissions on Azure resources should be removed | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 |
| Guest accounts with read permissions on Azure resources should be removed | External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 |
| Guest accounts with write permissions on Azure resources should be removed | External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 |
| Monitor account activity | CMA_0377 - Monitor account activity | Manual, Disabled | 1.1.0 |
| Notify Account Managers of customer controlled accounts | CMA_C1009 - Notify Account Managers of customer controlled accounts | Manual, Disabled | 1.1.0 |
| Reissue authenticators for changed groups and accounts | CMA_0426 - Reissue authenticators for changed groups and accounts | Manual, Disabled | 1.1.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
| Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
| Review user accounts | CMA_0480 - Review user accounts | Manual, Disabled | 1.1.0 |
| Service Fabric clusters should only use Azure Active Directory for client authentication | Audit usage of client authentication only via Azure Active Directory in Service Fabric. | Audit, Deny, Disabled | 1.1.0 |

Automated System Account Management

ID: FedRAMP High AC-2 (1) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services. | AuditIfNotExists, Disabled | 1.0.0 |
| Automate account management | CMA_0026 - Automate account management | Manual, Disabled | 1.1.0 |
| Azure AI Services resources should have key access disabled (disable local authentication) | Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining the minimum privilege principle and granular control. Learn more at: https://aka.ms/AI/auth | Audit, Deny, Disabled | 1.1.0 |
| Manage system and admin accounts | CMA_0368 - Manage system and admin accounts | Manual, Disabled | 1.1.0 |
| Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
| Notify when account is not needed | CMA_0383 - Notify when account is not needed | Manual, Disabled | 1.1.0 |
| Service Fabric clusters should only use Azure Active Directory for client authentication | Audit usage of client authentication only via Azure Active Directory in Service Fabric. | Audit, Deny, Disabled | 1.1.0 |

Disable Inactive Accounts

ID: FedRAMP High AC-2 (3) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Disable authenticators upon termination | CMA_0169 - Disable authenticators upon termination | Manual, Disabled | 1.1.0 |
| Revoke privileged roles as appropriate | CMA_0483 - Revoke privileged roles as appropriate | Manual, Disabled | 1.1.0 |

Automated Audit Actions

ID: FedRAMP High AC-2 (4) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
| Automate account management | CMA_0026 - Automate account management | Manual, Disabled | 1.1.0 |
| Manage system and admin accounts | CMA_0368 - Manage system and admin accounts | Manual, Disabled | 1.1.0 |
| Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
| Notify when account is not needed | CMA_0383 - Notify when account is not needed | Manual, Disabled | 1.1.0 |

Inactivity Logout

ID: FedRAMP High AC-2 (5) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Define and enforce inactivity log policy | CMA_C1017 - Define and enforce inactivity log policy | Manual, Disabled | 1.1.0 |

Role-Based Schemes

ID: FedRAMP High AC-2 (7) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services. | AuditIfNotExists, Disabled | 1.0.0 |
| Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
| Audit usage of custom RBAC roles | Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling. | Audit, Disabled | 1.0.1 |
| Azure AI Services resources should have key access disabled (disable local authentication) | Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining the minimum privilege principle and granular control. Learn more at: https://aka.ms/AI/auth | Audit, Deny, Disabled | 1.1.0 |
| Monitor account activity | CMA_0377 - Monitor account activity | Manual, Disabled | 1.1.0 |
| Monitor privileged role assignment | CMA_0378 - Monitor privileged role assignment | Manual, Disabled | 1.1.0 |
| Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
| Revoke privileged roles as appropriate | CMA_0483 - Revoke privileged roles as appropriate | Manual, Disabled | 1.1.0 |
| Service Fabric clusters should only use Azure Active Directory for client authentication | Audit usage of client authentication only via Azure Active Directory in Service Fabric. | Audit, Deny, Disabled | 1.1.0 |
| Use privileged identity management | CMA_0533 - Use privileged identity management | Manual, Disabled | 1.1.0 |

Restrictions On Use Of Shared Groups / Accounts

ID: FedRAMP High AC-2 (9) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Define and enforce conditions for shared and group accounts | CMA_0117 - Define and enforce conditions for shared and group accounts | Manual, Disabled | 1.1.0 |

Shared / Group Account Credential Termination

ID: FedRAMP High AC-2 (10) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Terminate customer controlled account credentials | CMA_C1022 - Terminate customer controlled account credentials | Manual, Disabled | 1.1.0 |

Usage Conditions

ID: FedRAMP High AC-2 (11) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Enforce appropriate usage of all accounts | CMA_C1023 - Enforce appropriate usage of all accounts | Manual, Disabled | 1.1.0 |

Account Monitoring / Atypical Usage

ID: FedRAMP High AC-2 (12) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | AuditIfNotExists, Disabled | 6.0.0-preview |
| Azure Defender for App Service should be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for Key Vault should be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager. Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for SQL servers on machines should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
| Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 3.0.0 |
| Microsoft Defender for Containers should be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Defender for Storage should be enabled | Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. | AuditIfNotExists, Disabled | 1.0.0 |
| Monitor account activity | CMA_0377 - Monitor account activity | Manual, Disabled | 1.1.0 |
| Report atypical behavior of user accounts | CMA_C1025 - Report atypical behavior of user accounts | Manual, Disabled | 1.1.0 |

Disable Accounts For High-Risk Individuals

ID: FedRAMP High AC-2 (13) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Disable user accounts posing a significant risk | CMA_C1026 - Disable user accounts posing a significant risk | Manual, Disabled | 1.1.0 |

Access Enforcement

ID: FedRAMP High AC-3 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Accounts with owner permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
| Accounts with read permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
| Accounts with write permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
| Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 |
| Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 |
| An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services. | AuditIfNotExists, Disabled | 1.0.0 |
| App Service apps should use managed identity | Use a managed identity for enhanced authentication security. | AuditIfNotExists, Disabled | 3.0.0 |
| Audit Linux machines that have accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they are Linux machines that have accounts without passwords. | AuditIfNotExists, Disabled | 3.1.0 |
| Authentication to Linux machines should require SSH keys | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | AuditIfNotExists, Disabled | 3.2.0 |
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Azure AI Services resources should have key access disabled (disable local authentication) | Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining the minimum privilege principle and granular control. Learn more at: https://aka.ms/AI/auth | Audit, Deny, Disabled | 1.1.0 |
| Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 3.1.0 |
| Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Function apps should use managed identity | Use a managed identity for enhanced authentication security. | AuditIfNotExists, Disabled | 3.0.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
| Service Fabric clusters should only use Azure Active Directory for client authentication | Audit usage of client authentication only via Azure Active Directory in Service Fabric. | Audit, Deny, Disabled | 1.1.0 |
| Storage accounts should be migrated to new Azure Resource Manager resources | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication, and support for tags and resource groups for easier security management. | Audit, Deny, Disabled | 1.0.0 |
| Virtual machines should be migrated to new Azure Resource Manager resources | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication, and support for tags and resource groups for easier security management. | Audit, Deny, Disabled | 1.0.0 |

Information Flow Enforcement

ID: FedRAMP High AC-4 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Preview]: All Internet traffic should be routed via your deployed Azure Firewall | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall. | AuditIfNotExists, Disabled | 3.0.0-preview |
| [Preview]: Storage account public access should be disallowed | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | audit, Audit, deny, Deny, disabled, Disabled | 3.1.0-preview |
| Adaptive network hardening recommendations should be applied on internet facing virtual machines | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface. | AuditIfNotExists, Disabled | 3.0.0 |
| All network ports should be restricted on network security groups associated to your virtual machine | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | AuditIfNotExists, Disabled | 3.0.0 |
| API Management services should use a virtual network | Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway can be configured to be accessible either from the Internet or only within the virtual network. | Audit, Deny, Disabled | 1.0.2 |
| App Configuration should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. | AuditIfNotExists, Disabled | 1.0.2 |
| App Service apps should not have CORS configured to allow every resource to access your apps | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. | AuditIfNotExists, Disabled | 2.0.0 |
| Authorized IP ranges should be defined on Kubernetes Services | Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. | Audit, Disabled | 2.0.1 |
| Azure AI Services resources should restrict network access | By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. | Audit, Deny, Disabled | 3.1.0 |
| Azure API for FHIR should use private link | Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/fhir-privatelink. | Audit, Disabled | 1.0.0 |
| Azure Cache for Redis should use private link | Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Cognitive Search service should use a SKU that supports private link | With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Deny, Disabled | 1.0.0 |
| Azure Cognitive Search services should disable public network access | Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Deny, Disabled | 1.0.0 |
| Azure Cognitive Search services should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Cognitive Search, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Disabled | 1.0.0 |
| Azure Cosmos DB accounts should have firewall rules | Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. | Audit, Deny, Disabled | 2.0.0 |
| Azure Data Factory should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Data Factory, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Event Grid domains should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Audit, Disabled | 1.0.2 |
| Azure Event Grid topics should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Audit, Disabled | 1.0.2 |
| Azure File Sync should use private link | Creating a private endpoint for the indicated Storage Sync Service resource allows you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. Creating a private endpoint by itself does not disable the public endpoint. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Key Vault should have firewall enabled | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. Optionally, you can configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Audit, Deny, Disabled | 3.2.1 |
| Azure Key Vaults should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink. | [parameters('audit_effect')] | 1.2.1 |
| Azure Machine Learning workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. | Audit, Disabled | 1.0.0 |
| Azure Service Bus namespaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Service Bus namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure SignalR Service should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: https://aka.ms/asrs/privatelink. | Audit, Disabled | 1.0.0 |
| Azure Synapse workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links. | Audit, Disabled | 1.0.1 |
Azure Web PubSub Service should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Web PubSub Service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/awps/privatelink. Audit, Disabled 1.0.0
Cognitive Services accounts should disable public network access To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://go.microsoft.com/fwlink/?linkid=2129800. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. Audit, Deny, Disabled 3.0.1
Cognitive Services should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. Audit, Disabled 3.0.0
Container registries should not allow unrestricted network access Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet. Audit, Deny, Disabled 2.0.0
Container registries should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. Audit, Disabled 1.0.1
Control information flow CMA_0079 - Control information flow Manual, Disabled 1.1.0
CosmosDB accounts should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints. Audit, Disabled 1.0.0
Disk access resources should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. AuditIfNotExists, Disabled 1.0.0
Employ flow control mechanisms of encrypted information CMA_0211 - Employ flow control mechanisms of encrypted information Manual, Disabled 1.1.0
Event Hub namespaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. AuditIfNotExists, Disabled 1.0.0
Internet-facing virtual machines should be protected with network security groups Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc AuditIfNotExists, Disabled 3.0.0
IoT Hub device provisioning service instances should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: https://aka.ms/iotdpsvnet. Audit, Disabled 1.0.0
IP Forwarding on your virtual machine should be disabled Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. AuditIfNotExists, Disabled 3.0.0
Management ports of virtual machines should be protected with just-in-time network access control Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations. AuditIfNotExists, Disabled 3.0.0
Management ports should be closed on your virtual machines Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. AuditIfNotExists, Disabled 3.0.0
Non-internet-facing virtual machines should be protected with network security groups Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc AuditIfNotExists, Disabled 3.0.0
Private endpoint connections on Azure SQL Database should be enabled Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. Audit, Disabled 1.1.0
Private endpoint should be enabled for MariaDB servers Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. AuditIfNotExists, Disabled 1.0.2
Private endpoint should be enabled for MySQL servers Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. AuditIfNotExists, Disabled 1.0.2
Private endpoint should be enabled for PostgreSQL servers Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. AuditIfNotExists, Disabled 1.0.2
Public network access on Azure SQL Database should be disabled Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. Audit, Deny, Disabled 1.1.0
Public network access should be disabled for MariaDB servers Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. Audit, Deny, Disabled 2.0.0
Public network access should be disabled for MySQL servers Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. Audit, Deny, Disabled 2.0.0
Public network access should be disabled for PostgreSQL servers Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. Audit, Deny, Disabled 2.0.1
Storage accounts should restrict network access Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. Audit, Deny, Disabled 1.1.1
Storage accounts should restrict network access using virtual network rules Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. Audit, Deny, Disabled 1.0.1
Storage accounts should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview AuditIfNotExists, Disabled 2.0.0
Subnets should be associated with a Network Security Group Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. AuditIfNotExists, Disabled 3.0.0
VM Image Builder templates should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet. Audit, Disabled, Deny 1.1.0

Security Policy Filters

ID: FedRAMP High AC-4 (8) Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Information flow control using security policy filters CMA_C1029 - Information flow control using security policy filters Manual, Disabled 1.1.0

Physical / Logical Separation Of Information Flows

ID: FedRAMP High AC-4 (21) Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Control information flow CMA_0079 - Control information flow Manual, Disabled 1.1.0
Establish firewall and router configuration standards CMA_0272 - Establish firewall and router configuration standards Manual, Disabled 1.1.0
Establish network segmentation for card holder data environment CMA_0273 - Establish network segmentation for card holder data environment Manual, Disabled 1.1.0
Identify and manage downstream information exchanges CMA_0298 - Identify and manage downstream information exchanges Manual, Disabled 1.1.0

Separation Of Duties

ID: FedRAMP High AC-5 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Define access authorizations to support separation of duties CMA_0116 - Define access authorizations to support separation of duties Manual, Disabled 1.1.0
Document separation of duties CMA_0204 - Document separation of duties Manual, Disabled 1.1.0
Separate duties of individuals CMA_0492 - Separate duties of individuals Manual, Disabled 1.1.0
There should be more than one owner assigned to your subscription It is recommended to designate more than one subscription owner in order to have administrator access redundancy. AuditIfNotExists, Disabled 3.0.0

Least Privilege

ID: FedRAMP High AC-6 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
A maximum of 3 owners should be designated for your subscription It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. AuditIfNotExists, Disabled 3.0.0
Audit usage of custom RBAC roles Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling. Audit, Disabled 1.0.1
Design an access control model CMA_0129 - Design an access control model Manual, Disabled 1.1.0
Employ least privilege access CMA_0212 - Employ least privilege access Manual, Disabled 1.1.0

Authorize Access To Security Functions

ID: FedRAMP High AC-6 (1) Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0

Privileged Accounts

ID: FedRAMP High AC-6 (5) Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Restrict access to privileged accounts CMA_0446 - Restrict access to privileged accounts Manual, Disabled 1.1.0

Review Of User Privileges

ID: FedRAMP High AC-6 (7) Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
A maximum of 3 owners should be designated for your subscription It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. AuditIfNotExists, Disabled 3.0.0
Audit usage of custom RBAC roles Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling. Audit, Disabled 1.0.1
Reassign or remove user privileges as needed CMA_C1040 - Reassign or remove user privileges as needed Manual, Disabled 1.1.0
Review user privileges CMA_C1039 - Review user privileges Manual, Disabled 1.1.0

Privilege Levels For Code Execution

ID: FedRAMP High AC-6 (8) Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Enforce software execution privileges CMA_C1041 - Enforce software execution privileges Manual, Disabled 1.1.0

Auditing Use Of Privileged Functions

ID: FedRAMP High AC-6 (9) Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Audit privileged functions CMA_0019 - Audit privileged functions Manual, Disabled 1.1.0
Conduct a full text analysis of logged privileged commands CMA_0056 - Conduct a full text analysis of logged privileged commands Manual, Disabled 1.1.0
Monitor privileged role assignment CMA_0378 - Monitor privileged role assignment Manual, Disabled 1.1.0
Restrict access to privileged accounts CMA_0446 - Restrict access to privileged accounts Manual, Disabled 1.1.0
Revoke privileged roles as appropriate CMA_0483 - Revoke privileged roles as appropriate Manual, Disabled 1.1.0
Use privileged identity management CMA_0533 - Use privileged identity management Manual, Disabled 1.1.0

Unsuccessful Logon Attempts

ID: FedRAMP High AC-7 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Enforce a limit of consecutive failed login attempts CMA_C1044 - Enforce a limit of consecutive failed login attempts Manual, Disabled 1.1.0

Concurrent Session Control

ID: FedRAMP High AC-10 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Define and enforce the limit of concurrent sessions CMA_C1050 - Define and enforce the limit of concurrent sessions Manual, Disabled 1.1.0

Session Termination

ID: FedRAMP High AC-12 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Terminate user session automatically CMA_C1054 - Terminate user session automatically Manual, Disabled 1.1.0

User-Initiated Logouts / Message Displays

ID: FedRAMP High AC-12 (1) Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Display an explicit logout message CMA_C1056 - Display an explicit logout message Manual, Disabled 1.1.0
Provide the logout capability CMA_C1055 - Provide the logout capability Manual, Disabled 1.1.0

Permitted Actions Without Identification Or Authentication

ID: FedRAMP High AC-14 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Identify actions allowed without authentication CMA_0295 - Identify actions allowed without authentication Manual, Disabled 1.1.0

Remote Access

ID: FedRAMP High AC-17 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 4.1.0
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 4.1.0
App Configuration should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. AuditIfNotExists, Disabled 1.0.2
App Service apps should have remote debugging turned off Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. AuditIfNotExists, Disabled 2.0.0
Audit Linux machines that allow remote connections from accounts without passwords Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Linux machines are non-compliant if they allow remote connections from accounts without passwords. AuditIfNotExists, Disabled 3.1.0
Authorize remote access CMA_0024 - Authorize remote access Manual, Disabled 1.1.0
Azure API for FHIR should use private link Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/fhir-privatelink. Audit, Disabled 1.0.0
Azure Cache for Redis should use private link Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. AuditIfNotExists, Disabled 1.0.0
Azure Cognitive Search service should use a SKU that supports private link With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. Audit, Deny, Disabled 1.0.0
Azure Cognitive Search services should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Cognitive Search, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. Audit, Disabled 1.0.0
Azure Data Factory should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Data Factory, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. AuditIfNotExists, Disabled 1.0.0
Azure Event Grid domains should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. Audit, Disabled 1.0.2
Azure Event Grid topics should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. Audit, Disabled 1.0.2
Azure File Sync should use private link Creating a private endpoint for the indicated Storage Sync Service resource allows you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. Creating a private endpoint by itself does not disable the public endpoint. AuditIfNotExists, Disabled 1.0.0
Azure Key Vaults should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink. [parameters('audit_effect')] 1.2.1
Azure Machine Learning workspaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. Audit, Disabled 1.0.0
Azure Service Bus namespaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Service Bus namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service. AuditIfNotExists, Disabled 1.0.0
Azure SignalR Service should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: https://aka.ms/asrs/privatelink. Audit, Disabled 1.0.0
Azure Spring Cloud should use network injection Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from the Internet. 2. Enable Azure Spring Cloud to interact with systems in either on-premises data centers or Azure services in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud. Audit, Disabled, Deny 1.2.0
Azure Synapse workspaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links. Audit, Disabled 1.0.1
Azure Web PubSub Service should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Web PubSub Service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/awps/privatelink. Audit, Disabled 1.0.0
Cognitive Services should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. Audit, Disabled 3.0.0
Container registries should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. Audit, Disabled 1.0.1
CosmosDB accounts should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints. Audit, Disabled 1.0.0
Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. deployIfNotExists 3.1.0
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. deployIfNotExists 1.2.0
Disk access resources should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. AuditIfNotExists, Disabled 1.0.0
Document mobility training CMA_0191 - Document mobility training Manual, Disabled 1.1.0
Document remote access guidelines CMA_0196 - Document remote access guidelines Manual, Disabled 1.1.0
Event Hub namespaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. AuditIfNotExists, Disabled 1.0.0
Function apps should have remote debugging turned off Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. AuditIfNotExists, Disabled 2.0.0
Implement controls to secure alternate work sites CMA_0315 - Implement controls to secure alternate work sites Manual, Disabled 1.1.0
IoT Hub device provisioning service instances should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: https://aka.ms/iotdpsvnet. Audit, Disabled 1.0.0
Private endpoint connections on Azure SQL Database should be enabled Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. Audit, Disabled 1.1.0
Private endpoint should be enabled for MariaDB servers Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. AuditIfNotExists, Disabled 1.0.2
Private endpoint should be enabled for MySQL servers Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. AuditIfNotExists, Disabled 1.0.2
Private endpoint should be enabled for PostgreSQL servers Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. AuditIfNotExists, Disabled 1.0.2
Provide privacy training CMA_0415 - Provide privacy training Manual, Disabled 1.1.0
Storage accounts should restrict network access Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. Audit, Deny, Disabled 1.1.1
Storage accounts should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview AuditIfNotExists, Disabled 2.0.0
VM Image Builder templates should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet. Audit, Disabled, Deny 1.1.0

Automated Monitoring / Control

ID: FedRAMP High AC-17 (1) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 4.1.0
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 4.1.0
App Configuration should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. AuditIfNotExists, Disabled 1.0.2
App Service apps should have remote debugging turned off Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. AuditIfNotExists, Disabled 2.0.0
Audit Linux machines that allow remote connections from accounts without passwords Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they are Linux machines that allow remote connections from accounts without passwords. AuditIfNotExists, Disabled 3.1.0
Azure API for FHIR should use private link Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/fhir-privatelink. Audit, Disabled 1.0.0
Azure Cache for Redis should use private link Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. AuditIfNotExists, Disabled 1.0.0
Azure Cognitive Search service should use a SKU that supports private link With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. Audit, Deny, Disabled 1.0.0
Azure Cognitive Search services should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Cognitive Search, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. Audit, Disabled 1.0.0
Azure Data Factory should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Data Factory, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. AuditIfNotExists, Disabled 1.0.0
Azure Event Grid domains should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. Audit, Disabled 1.0.2
Azure Event Grid topics should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. Audit, Disabled 1.0.2
Azure File Sync should use private link Creating a private endpoint for the indicated Storage Sync Service resource allows you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. Creating a private endpoint by itself does not disable the public endpoint. AuditIfNotExists, Disabled 1.0.0
Azure Key Vaults should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink. [parameters('audit_effect')] 1.2.1
Azure Machine Learning workspaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. Audit, Disabled 1.0.0
Azure Service Bus namespaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Service Bus namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service. AuditIfNotExists, Disabled 1.0.0
Azure SignalR Service should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: https://aka.ms/asrs/privatelink. Audit, Disabled 1.0.0
Azure Spring Cloud should use network injection Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from the Internet. 2. Enable Azure Spring Cloud to interact with systems in either on-premises data centers or Azure services in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud. Audit, Disabled, Deny 1.2.0
Azure Synapse workspaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links. Audit, Disabled 1.0.1
Azure Web PubSub Service should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Web PubSub Service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/awps/privatelink. Audit, Disabled 1.0.0
Cognitive Services should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. Audit, Disabled 3.0.0
Container registries should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. Audit, Disabled 1.0.1
CosmosDB accounts should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints. Audit, Disabled 1.0.0
Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. deployIfNotExists 3.1.0
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. deployIfNotExists 1.2.0
Disk access resources should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. AuditIfNotExists, Disabled 1.0.0
Event Hub namespaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. AuditIfNotExists, Disabled 1.0.0
Function apps should have remote debugging turned off Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. AuditIfNotExists, Disabled 2.0.0
IoT Hub device provisioning service instances should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: https://aka.ms/iotdpsvnet. Audit, Disabled 1.0.0
Monitor access across the organization CMA_0376 - Monitor access across the organization Manual, Disabled 1.1.0
Private endpoint connections on Azure SQL Database should be enabled Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. Audit, Disabled 1.1.0
Private endpoint should be enabled for MariaDB servers Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. AuditIfNotExists, Disabled 1.0.2
Private endpoint should be enabled for MySQL servers Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. AuditIfNotExists, Disabled 1.0.2
Private endpoint should be enabled for PostgreSQL servers Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. AuditIfNotExists, Disabled 1.0.2
Storage accounts should restrict network access Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. Audit, Deny, Disabled 1.1.1
Storage accounts should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview AuditIfNotExists, Disabled 2.0.0
VM Image Builder templates should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet. Audit, Disabled, Deny 1.1.0

Protection Of Confidentiality / Integrity Using Encryption

ID: FedRAMP High AC-17 (2) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Notify users of system logon or access CMA_0382 - Notify users of system logon or access Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0

Managed Access Control Points

ID: FedRAMP High AC-17 (3) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Route traffic through managed network access points CMA_0484 - Route traffic through managed network access points Manual, Disabled 1.1.0

Privileged Commands / Access

ID: FedRAMP High AC-17 (4) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authorize remote access CMA_0024 - Authorize remote access Manual, Disabled 1.1.0
Authorize remote access to privileged commands CMA_C1064 - Authorize remote access to privileged commands Manual, Disabled 1.1.0
Document remote access guidelines CMA_0196 - Document remote access guidelines Manual, Disabled 1.1.0
Implement controls to secure alternate work sites CMA_0315 - Implement controls to secure alternate work sites Manual, Disabled 1.1.0
Provide privacy training CMA_0415 - Provide privacy training Manual, Disabled 1.1.0

Disconnect / Disable Access

ID: FedRAMP High AC-17 (9) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Provide capability to disconnect or disable remote access CMA_C1066 - Provide capability to disconnect or disable remote access Manual, Disabled 1.1.0

Wireless Access

ID: FedRAMP High AC-18 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Document and implement wireless access guidelines CMA_0190 - Document and implement wireless access guidelines Manual, Disabled 1.1.0
Protect wireless access CMA_0411 - Protect wireless access Manual, Disabled 1.1.0

Authentication And Encryption

ID: FedRAMP High AC-18 (1) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Document and implement wireless access guidelines CMA_0190 - Document and implement wireless access guidelines Manual, Disabled 1.1.0
Identify and authenticate network devices CMA_0296 - Identify and authenticate network devices Manual, Disabled 1.1.0
Protect wireless access CMA_0411 - Protect wireless access Manual, Disabled 1.1.0

Access Control For Mobile Devices

ID: FedRAMP High AC-19 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define mobile device requirements CMA_0122 - Define mobile device requirements Manual, Disabled 1.1.0

Full Device / Container-Based Encryption

ID: FedRAMP High AC-19 (5) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define mobile device requirements CMA_0122 - Define mobile device requirements Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0

Use Of External Information Systems

ID: FedRAMP High AC-20 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Establish terms and conditions for accessing resources CMA_C1076 - Establish terms and conditions for accessing resources Manual, Disabled 1.1.0
Establish terms and conditions for processing resources CMA_C1077 - Establish terms and conditions for processing resources Manual, Disabled 1.1.0

Limits On Authorized Use

ID: FedRAMP High AC-20 (1) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Verify security controls for external information systems CMA_0541 - Verify security controls for external information systems Manual, Disabled 1.1.0

Portable Storage Devices

ID: FedRAMP High AC-20 (2) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Control use of portable storage devices CMA_0083 - Control use of portable storage devices Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0

Information Sharing

ID: FedRAMP High AC-21 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Automate information sharing decisions CMA_0028 - Automate information sharing decisions Manual, Disabled 1.1.0
Facilitate information sharing CMA_0284 - Facilitate information sharing Manual, Disabled 1.1.0

Publicly Accessible Content

ID: FedRAMP High AC-22 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Designate authorized personnel to post publicly accessible information CMA_C1083 - Designate authorized personnel to post publicly accessible information Manual, Disabled 1.1.0
Review content prior to posting publicly accessible information CMA_C1085 - Review content prior to posting publicly accessible information Manual, Disabled 1.1.0
Review publicly accessible content for nonpublic information CMA_C1086 - Review publicly accessible content for nonpublic information Manual, Disabled 1.1.0
Train personnel on disclosure of nonpublic information CMA_C1084 - Train personnel on disclosure of nonpublic information Manual, Disabled 1.1.0

Awareness And Training

Security Awareness And Training Policy And Procedures

ID: FedRAMP High AT-1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Document security and privacy training activities CMA_0198 - Document security and privacy training activities Manual, Disabled 1.1.0
Update information security policies CMA_0518 - Update information security policies Manual, Disabled 1.1.0

Security Awareness Training

ID: FedRAMP High AT-2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Provide periodic security awareness training CMA_C1091 - Provide periodic security awareness training Manual, Disabled 1.1.0
Provide security training for new users CMA_0419 - Provide security training for new users Manual, Disabled 1.1.0
Provide updated security awareness training CMA_C1090 - Provide updated security awareness training Manual, Disabled 1.1.0

Insider Threat

ID: FedRAMP High AT-2 (2) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Provide security awareness training for insider threats CMA_0417 - Provide security awareness training for insider threats Manual, Disabled 1.1.0

Role-Based Security Training

ID: FedRAMP High AT-3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Provide periodic role-based security training CMA_C1095 - Provide periodic role-based security training Manual, Disabled 1.1.0
Provide role-based security training CMA_C1094 - Provide role-based security training Manual, Disabled 1.1.0
Provide security training before providing access CMA_0418 - Provide security training before providing access Manual, Disabled 1.1.0

Practical Exercises

ID: FedRAMP High AT-3 (3) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Provide role-based practical exercises CMA_C1096 - Provide role-based practical exercises Manual, Disabled 1.1.0

Suspicious Communications And Anomalous System Behavior

ID: FedRAMP High AT-3 (4) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Provide role-based training on suspicious activities CMA_C1097 - Provide role-based training on suspicious activities Manual, Disabled 1.1.0

Security Training Records

ID: FedRAMP High AT-4 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Document security and privacy training activities CMA_0198 - Document security and privacy training activities Manual, Disabled 1.1.0
Monitor security and privacy training completion CMA_0379 - Monitor security and privacy training completion Manual, Disabled 1.1.0
Retain training records CMA_0456 - Retain training records Manual, Disabled 1.1.0

Audit And Accountability

Audit And Accountability Policy And Procedures

ID: FedRAMP High AU-1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop audit and accountability policies and procedures CMA_0154 - Develop audit and accountability policies and procedures Manual, Disabled 1.1.0
Develop information security policies and procedures CMA_0158 - Develop information security policies and procedures Manual, Disabled 1.1.0
Govern policies and procedures CMA_0292 - Govern policies and procedures Manual, Disabled 1.1.0
Update information security policies CMA_0518 - Update information security policies Manual, Disabled 1.1.0

Audit Events

ID: FedRAMP High AU-2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Determine auditable events CMA_0137 - Determine auditable events Manual, Disabled 1.1.0

Reviews And Updates

ID: FedRAMP High AU-2 (3) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Review and update the events defined in AU-02 CMA_C1106 - Review and update the events defined in AU-02 Manual, Disabled 1.1.0

Content Of Audit Records

ID: FedRAMP High AU-3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Determine auditable events CMA_0137 - Determine auditable events Manual, Disabled 1.1.0

Additional Audit Information

ID: FedRAMP High AU-3 (1) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure Azure Audit capabilities CMA_C1108 - Configure Azure Audit capabilities Manual, Disabled 1.1.1

Audit Storage Capacity

ID: FedRAMP High AU-4 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Govern and monitor audit processing activities CMA_0289 - Govern and monitor audit processing activities Manual, Disabled 1.1.0

Response To Audit Processing Failures

ID: FedRAMP High AU-5 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Govern and monitor audit processing activities CMA_0289 - Govern and monitor audit processing activities Manual, Disabled 1.1.0

Real-Time Alerts

ID: FedRAMP High AU-5 (2) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Provide real-time alerts for audit event failures | CMA_C1114 - Provide real-time alerts for audit event failures | Manual, Disabled | 1.1.0 |

Audit Review, Analysis, And Reporting

ID: FedRAMP High AU-6 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | AuditIfNotExists, Disabled | 6.0.0-preview |
| [Preview]: Network traffic data collection agent should be installed on Linux virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview |
| [Preview]: Network traffic data collection agent should be installed on Windows virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview |
| Azure Defender for App Service should be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for Key Vault should be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager. Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for SQL servers on machines should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security. | AuditIfNotExists, Disabled | 2.0.1 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
| Correlate audit records | CMA_0087 - Correlate audit records | Manual, Disabled | 1.1.0 |
| Establish requirements for audit review and reporting | CMA_0277 - Establish requirements for audit review and reporting | Manual, Disabled | 1.1.0 |
| Integrate audit review, analysis, and reporting | CMA_0339 - Integrate audit review, analysis, and reporting | Manual, Disabled | 1.1.0 |
| Integrate cloud app security with a siem | CMA_0340 - Integrate cloud app security with a siem | Manual, Disabled | 1.1.0 |
| Microsoft Defender for Containers should be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Defender for Storage should be enabled | Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. | AuditIfNotExists, Disabled | 1.0.0 |
| Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. A network watcher resource group must be created in every region where a virtual network is present. An alert is raised if a network watcher resource group is not available in a particular region. | AuditIfNotExists, Disabled | 3.0.0 |
| Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
| Review administrator assignments weekly | CMA_0461 - Review administrator assignments weekly | Manual, Disabled | 1.1.0 |
| Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
| Review cloud identity report overview | CMA_0468 - Review cloud identity report overview | Manual, Disabled | 1.1.0 |
| Review controlled folder access events | CMA_0471 - Review controlled folder access events | Manual, Disabled | 1.1.0 |
| Review file and folder activity | CMA_0473 - Review file and folder activity | Manual, Disabled | 1.1.0 |
| Review role group changes weekly | CMA_0476 - Review role group changes weekly | Manual, Disabled | 1.1.0 |

Process Integration

ID: FedRAMP High AU-6 (1) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Correlate audit records | CMA_0087 - Correlate audit records | Manual, Disabled | 1.1.0 |
| Establish requirements for audit review and reporting | CMA_0277 - Establish requirements for audit review and reporting | Manual, Disabled | 1.1.0 |
| Integrate audit review, analysis, and reporting | CMA_0339 - Integrate audit review, analysis, and reporting | Manual, Disabled | 1.1.0 |
| Integrate cloud app security with a siem | CMA_0340 - Integrate cloud app security with a siem | Manual, Disabled | 1.1.0 |
| Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
| Review administrator assignments weekly | CMA_0461 - Review administrator assignments weekly | Manual, Disabled | 1.1.0 |
| Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
| Review cloud identity report overview | CMA_0468 - Review cloud identity report overview | Manual, Disabled | 1.1.0 |
| Review controlled folder access events | CMA_0471 - Review controlled folder access events | Manual, Disabled | 1.1.0 |
| Review file and folder activity | CMA_0473 - Review file and folder activity | Manual, Disabled | 1.1.0 |
| Review role group changes weekly | CMA_0476 - Review role group changes weekly | Manual, Disabled | 1.1.0 |

Correlate Audit Repositories

ID: FedRAMP High AU-6 (3) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Correlate audit records | CMA_0087 - Correlate audit records | Manual, Disabled | 1.1.0 |
| Integrate cloud app security with a siem | CMA_0340 - Integrate cloud app security with a siem | Manual, Disabled | 1.1.0 |

Central Review And Analysis

ID: FedRAMP High AU-6 (4) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | AuditIfNotExists, Disabled | 6.0.0-preview |
| [Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines | This policy audits Linux Azure Arc machines if the Log Analytics extension is not installed. | AuditIfNotExists, Disabled | 1.0.1-preview |
| [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines | This policy audits Windows Azure Arc machines if the Log Analytics extension is not installed. | AuditIfNotExists, Disabled | 1.0.1-preview |
| [Preview]: Network traffic data collection agent should be installed on Linux virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview |
| [Preview]: Network traffic data collection agent should be installed on Windows virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview |
| App Service apps should have resource logs enabled | Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. | AuditIfNotExists, Disabled | 2.0.1 |
| Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | AuditIfNotExists, Disabled | 2.0.0 |
| Auto provisioning of the Log Analytics agent should be enabled on your subscription | To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created. | AuditIfNotExists, Disabled | 1.0.1 |
| Azure Defender for App Service should be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for Key Vault should be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager. Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for SQL servers on machines should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security. | AuditIfNotExists, Disabled | 2.0.1 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
| Guest Configuration extension should be installed on your machines | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 1.0.3 |
| Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent, which Security Center uses to monitor for security vulnerabilities and threats, is not installed. | AuditIfNotExists, Disabled | 1.0.0 |
| Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Defender for Containers should be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Defender for Storage should be enabled | Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. | AuditIfNotExists, Disabled | 1.0.0 |
| Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. A network watcher resource group must be created in every region where a virtual network is present. An alert is raised if a network watcher resource group is not available in a particular region. | AuditIfNotExists, Disabled | 3.0.0 |
| Resource logs in Azure Data Lake Store should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Azure Stream Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Batch accounts should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Data Lake Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Event Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in IoT Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 3.1.0 |
| Resource logs in Key Vault should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Logic Apps should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.1.0 |
| Resource logs in Search services should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Service Bus should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 1.0.1 |

Integration / Scanning And Monitoring Capabilities

ID: FedRAMP High AU-6 (5) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | AuditIfNotExists, Disabled | 6.0.0-preview |
| [Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines | This policy audits Linux Azure Arc machines if the Log Analytics extension is not installed. | AuditIfNotExists, Disabled | 1.0.1-preview |
| [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines | This policy audits Windows Azure Arc machines if the Log Analytics extension is not installed. | AuditIfNotExists, Disabled | 1.0.1-preview |
| [Preview]: Network traffic data collection agent should be installed on Linux virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview |
| [Preview]: Network traffic data collection agent should be installed on Windows virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview |
| App Service apps should have resource logs enabled | Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. | AuditIfNotExists, Disabled | 2.0.1 |
| Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | AuditIfNotExists, Disabled | 2.0.0 |
| Auto provisioning of the Log Analytics agent should be enabled on your subscription | To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created. | AuditIfNotExists, Disabled | 1.0.1 |
| Azure Defender for App Service should be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for Key Vault should be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager. Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for SQL servers on machines should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security. | AuditIfNotExists, Disabled | 2.0.1 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
| Guest Configuration extension should be installed on your machines | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 1.0.3 |
| Integrate Audit record analysis | CMA_C1120 - Integrate Audit record analysis | Manual, Disabled | 1.1.0 |
| Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent, which Security Center uses to monitor for security vulnerabilities and threats, is not installed. | AuditIfNotExists, Disabled | 1.0.0 |
| Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Defender for Containers should be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Defender for Storage should be enabled | Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. | AuditIfNotExists, Disabled | 1.0.0 |
| Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. A network watcher resource group must be created in every region where a virtual network is present. An alert is raised if a network watcher resource group is not available in a particular region. | AuditIfNotExists, Disabled | 3.0.0 |
| Resource logs in Azure Data Lake Store should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Azure Stream Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Batch accounts should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Data Lake Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Event Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in IoT Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 3.1.0 |
| Resource logs in Key Vault should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Logic Apps should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.1.0 |
| Resource logs in Search services should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Service Bus should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 1.0.1 |

Permitted Actions

ID: FedRAMP High AU-6 (7) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Specify permitted actions associated with customer audit information | CMA_C1122 - Specify permitted actions associated with customer audit information | Manual, Disabled | 1.1.0 |

Audit Level Adjustment

ID: FedRAMP High AU-6 (10) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adjust level of audit review, analysis, and reporting | CMA_C1123 - Adjust level of audit review, analysis, and reporting | Manual, Disabled | 1.1.0 |

Audit Reduction And Report Generation

ID: FedRAMP High AU-7 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Ensure audit records are not altered | CMA_C1125 - Ensure audit records are not altered | Manual, Disabled | 1.1.0 |
| Provide audit review, analysis, and reporting capability | CMA_C1124 - Provide audit review, analysis, and reporting capability | Manual, Disabled | 1.1.0 |

Automatic Processing

ID: FedRAMP High AU-7 (1) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Provide capability to process customer-controlled audit records | CMA_C1126 - Provide capability to process customer-controlled audit records | Manual, Disabled | 1.1.0 |

Time Stamps

ID: FedRAMP High AU-8 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Use system clocks for audit records | CMA_0535 - Use system clocks for audit records | Manual, Disabled | 1.1.0 |

Synchronization With Authoritative Time Source

ID: FedRAMP High AU-8 (1) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Use system clocks for audit records | CMA_0535 - Use system clocks for audit records | Manual, Disabled | 1.1.0 |

Protection Of Audit Information

ID: FedRAMP High AU-9 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Enable dual or joint authorization | CMA_0226 - Enable dual or joint authorization | Manual, Disabled | 1.1.0 |
| Protect audit information | CMA_0401 - Protect audit information | Manual, Disabled | 1.1.0 |

Audit Backup On Separate Physical Systems / Components

ID: FedRAMP High AU-9 (2) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Establish backup policies and procedures | CMA_0268 - Establish backup policies and procedures | Manual, Disabled | 1.1.0 |

Cryptographic Protection

ID: FedRAMP High AU-9 (3) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Maintain integrity of audit system | CMA_C1133 - Maintain integrity of audit system | Manual, Disabled | 1.1.0 |

Access By Subset Of Privileged Users

ID: FedRAMP High AU-9 (4) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Protect audit information | CMA_0401 - Protect audit information | Manual, Disabled | 1.1.0 |

Non-Repudiation

ID: FedRAMP High AU-10 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Establish electronic signature and certificate requirements | CMA_0271 - Establish electronic signature and certificate requirements | Manual, Disabled | 1.1.0 |

Audit Record Retention

ID: FedRAMP High AU-11 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adhere to retention periods defined | CMA_0004 - Adhere to retention periods defined | Manual, Disabled | 1.1.0 |
| Retain security policies and procedures | CMA_0454 - Retain security policies and procedures | Manual, Disabled | 1.1.0 |
| Retain terminated user data | CMA_0455 - Retain terminated user data | Manual, Disabled | 1.1.0 |
| SQL servers with auditing to storage account destination should be configured with 90 days retention or higher | For incident investigation purposes, we recommend setting the data retention for your SQL Server's auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards. | AuditIfNotExists, Disabled | 3.0.0 |

Audit Generation

ID: FedRAMP High AU-12 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more at https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | AuditIfNotExists, Disabled | 6.0.0-preview |
| [Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines | This policy audits Linux Azure Arc machines if the Log Analytics extension is not installed. | AuditIfNotExists, Disabled | 1.0.1-preview |
| [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines | This policy audits Windows Azure Arc machines if the Log Analytics extension is not installed. | AuditIfNotExists, Disabled | 1.0.1-preview |
| [Preview]: Network traffic data collection agent should be installed on Linux virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview |
| [Preview]: Network traffic data collection agent should be installed on Windows virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview |
| App Service apps should have resource logs enabled | Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. | AuditIfNotExists, Disabled | 2.0.1 |
| Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
| Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
| Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | AuditIfNotExists, Disabled | 2.0.0 |
| Auto provisioning of the Log Analytics agent should be enabled on your subscription | To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created. | AuditIfNotExists, Disabled | 1.0.1 |
| Azure Defender for App Service should be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for Key Vault should be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager. Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for SQL servers on machines should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security. | AuditIfNotExists, Disabled | 2.0.1 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without Advanced Data Security. | AuditIfNotExists, Disabled | 1.0.2 |
| Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
| Guest Configuration extension should be installed on your machines | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 1.0.3 |
| Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring | This policy audits any Windows/Linux virtual machines (VMs) on which the Log Analytics agent, which Security Center uses to monitor for security vulnerabilities and threats, is not installed. | AuditIfNotExists, Disabled | 1.0.0 |
| Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Defender for Containers should be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Defender for Storage should be enabled | Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. | AuditIfNotExists, Disabled | 1.0.0 |
| Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario-level monitoring enables you to diagnose problems with an end-to-end view of the network. A Network Watcher resource group must exist in every region where a virtual network is present. An alert is raised if a Network Watcher resource group is not available in a particular region. | AuditIfNotExists, Disabled | 3.0.0 |
| Resource logs in Azure Data Lake Store should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Azure Stream Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Batch accounts should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Data Lake Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Event Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in IoT Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 3.1.0 |
| Resource logs in Key Vault should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Logic Apps should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.1.0 |
| Resource logs in Search services should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Service Bus should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
| Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | The Guest Configuration extension requires a system-assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system-assigned managed identity. Learn more at https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 1.0.1 |
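Every policy in the AU-11 and AU-12 tables above has the effect AuditIfNotExists or Manual: the built-ins only flag a resource as Non-compliant when the related child resource (auditing settings, an extension, a diagnostic setting) is missing or fails a condition, and the CMA_* items require your own attestation. Nothing in this initiative enforces or remediates anything. The following is an added example, not code from the Azure Policy page or from the built-in definitions, that models four of those checks offline so the scope and edge cases are visible: the SQL retention rule is applied only to servers whose auditing goes to a storage account, and a retentionDays of 0 is treated as unlimited retention and therefore compliant (an assumption about the built-in's rule, stated here rather than taken from the page). The resource records follow the ARM field names (auditingSettings.state, storageEndpoint, retentionDays, identity.type, extension publisher Microsoft.GuestConfiguration) but the inventory, endpoint and policy labels are constructed for the example.

```python
"""Added example: an offline model of four AuditIfNotExists checks mapped to
AU-11 and AU-12, run over constructed ARM-style resource records. Nothing
here talks to Azure; the inventory and labels are invented for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any

MIN_RETENTION_DAYS = 90                        # threshold named in the AU-11 policy
GC_PUBLISHER = "Microsoft.GuestConfiguration"  # Guest Configuration extension publisher

# Short labels for the four policies modelled here (ours, not Azure policy IDs).
SQL_AUDIT_ON = "sql-auditing-enabled"
SQL_RETENTION = "sql-audit-retention-90d"
GC_INSTALLED = "gc-extension-installed"
GC_IDENTITY = "gc-system-assigned-identity"


@dataclass(frozen=True)
class Finding:
    policy: str
    resource: str
    compliant: bool
    reason: str


def check_sql_auditing_enabled(server: dict[str, Any]) -> Finding:
    """AU-12: the auditingSettings child must exist with state == Enabled."""
    settings = server.get("auditingSettings") or {}
    state = settings.get("state", "<missing>")
    return Finding(SQL_AUDIT_ON, server["name"], state == "Enabled", f"state={state}")


def check_sql_audit_retention(server: dict[str, Any]) -> Finding | None:
    """AU-11: auditing that lands in a storage account must keep >= 90 days.
    Returns None when the server is out of scope: auditing disabled, or no
    storage endpoint (Log Analytics / Event Hub only destinations).
    Assumption: retentionDays == 0 means 'keep forever' and so is compliant."""
    settings = server.get("auditingSettings") or {}
    if settings.get("state") != "Enabled" or not settings.get("storageEndpoint"):
        return None
    days = int(settings.get("retentionDays", 0))
    compliant = days == 0 or days >= MIN_RETENTION_DAYS
    reason = "retention unlimited" if days == 0 else f"retentionDays={days}"
    return Finding(SQL_RETENTION, server["name"], compliant, reason)


def has_system_assigned_identity(vm: dict[str, Any]) -> bool:
    """identity.type is one of None, SystemAssigned, UserAssigned or
    'SystemAssigned, UserAssigned'; only the SystemAssigned part matters here."""
    itype = (vm.get("identity") or {}).get("type", "None")
    return "SystemAssigned" in {part.strip() for part in itype.split(",")}


def check_vm_guest_configuration(vm: dict[str, Any]) -> list[Finding]:
    """AU-12: the extension must be installed, and where it is installed the VM
    must carry a system-assigned identity (the extension authenticates with it)."""
    has_ext = any(e.get("publisher") == GC_PUBLISHER for e in vm.get("extensions", []))
    findings = [Finding(GC_INSTALLED, vm["name"], has_ext,
                        "extension present" if has_ext else "extension missing")]
    if has_ext:  # the identity policy only scopes machines that have the extension
        itype = (vm.get("identity") or {}).get("type", "None")
        findings.append(Finding(GC_IDENTITY, vm["name"], has_system_assigned_identity(vm),
                                f"identity.type={itype}"))
    return findings


def evaluate(resources: list[dict[str, Any]]) -> list[Finding]:
    """Dispatch each record to the checks that scope its resource type."""
    out: list[Finding] = []
    for r in resources:
        if r["type"] == "Microsoft.Sql/servers":
            out.append(check_sql_auditing_enabled(r))
            if (f := check_sql_audit_retention(r)) is not None:
                out.append(f)
        elif r["type"] == "Microsoft.Compute/virtualMachines":
            out.extend(check_vm_guest_configuration(r))
    return out


def noncompliant(resources: list[dict[str, Any]]) -> list[tuple[str, str]]:
    """(policy label, resource name) pairs that would show as Non-compliant."""
    return sorted((f.policy, f.resource) for f in evaluate(resources) if not f.compliant)


STORAGE = "https://auditlogs.blob.core.windows.net/"  # constructed endpoint
SAMPLE_INVENTORY: list[dict[str, Any]] = [  # constructed records, not real resources
    {"type": "Microsoft.Sql/servers", "name": "sql-prod-01",
     "auditingSettings": {"state": "Enabled", "storageEndpoint": STORAGE, "retentionDays": 120}},
    {"type": "Microsoft.Sql/servers", "name": "sql-prod-02",
     "auditingSettings": {"state": "Enabled", "storageEndpoint": STORAGE, "retentionDays": 0}},
    {"type": "Microsoft.Sql/servers", "name": "sql-dev-01",
     "auditingSettings": {"state": "Enabled", "storageEndpoint": STORAGE, "retentionDays": 30}},
    {"type": "Microsoft.Sql/servers", "name": "sql-dev-02",
     "auditingSettings": {"state": "Disabled"}},
    {"type": "Microsoft.Sql/servers", "name": "sql-la-01",  # Log Analytics destination only
     "auditingSettings": {"state": "Enabled", "isAzureMonitorTargetEnabled": True, "retentionDays": 0}},
    {"type": "Microsoft.Compute/virtualMachines", "name": "vm-web-01",
     "identity": {"type": "SystemAssigned"},
     "extensions": [{"publisher": GC_PUBLISHER, "type": "ConfigurationforLinux"}]},
    {"type": "Microsoft.Compute/virtualMachines", "name": "vm-web-02",
     "identity": {"type": "UserAssigned"},
     "extensions": [{"publisher": GC_PUBLISHER, "type": "ConfigurationforLinux"}]},
    {"type": "Microsoft.Compute/virtualMachines", "name": "vm-db-01",
     "identity": {"type": "SystemAssigned, UserAssigned"}, "extensions": []},
    {"type": "Microsoft.Compute/virtualMachines", "name": "vm-old-01",  # no identity block
     "extensions": [{"publisher": GC_PUBLISHER, "type": "ConfigurationforWindows"}]},
]

if __name__ == "__main__":
    for policy, name in noncompliant(SAMPLE_INVENTORY):
        print(f"NON-COMPLIANT  {policy:<30} {name}")
```

Two scope details worth noticing in the output: sql-la-01 never appears under the retention label because its audit trail does not go to a storage account, so a 90-day storage rule says nothing about how long the Log Analytics workspace keeps it, and vm-db-01 is flagged only for the missing extension, since the identity policy scopes machines that already have the extension installed. Both are cases where a green Azure Policy tile does not by itself satisfy the FedRAMP retention or audit-generation requirement.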

System-Wide / Time-Correlated Audit Trail

ID: FedRAMP High AU-12 (1) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more at https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | AuditIfNotExists, Disabled | 6.0.0-preview |
| [Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines | This policy audits Linux Azure Arc machines if the Log Analytics extension is not installed. | AuditIfNotExists, Disabled | 1.0.1-preview |
| [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines | This policy audits Windows Azure Arc machines if the Log Analytics extension is not installed. | AuditIfNotExists, Disabled | 1.0.1-preview |
| [Preview]: Network traffic data collection agent should be installed on Linux virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview |
| [Preview]: Network traffic data collection agent should be installed on Windows virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview |
| App Service apps should have resource logs enabled | Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. | AuditIfNotExists, Disabled | 2.0.1 |
| Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | AuditIfNotExists, Disabled | 2.0.0 |
| Auto provisioning of the Log Analytics agent should be enabled on your subscription | To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created. | AuditIfNotExists, Disabled | 1.0.1 |
| Azure Defender for App Service should be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for Key Vault should be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager. Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for SQL servers on machines should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security. | AuditIfNotExists, Disabled | 2.0.1 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without Advanced Data Security. | AuditIfNotExists, Disabled | 1.0.2 |
| Compile Audit records into system wide audit | CMA_C1140 - Compile Audit records into system wide audit | Manual, Disabled | 1.1.0 |
| Guest Configuration extension should be installed on your machines | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 1.0.3 |
| Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring | This policy audits any Windows/Linux virtual machines (VMs) on which the Log Analytics agent, which Security Center uses to monitor for security vulnerabilities and threats, is not installed. | AuditIfNotExists, Disabled | 1.0.0 |
| Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Defender for Containers should be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Defender for Storage should be enabled | Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. | AuditIfNotExists, Disabled | 1.0.0 |
| Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario-level monitoring enables you to diagnose problems with an end-to-end view of the network. A Network Watcher resource group must exist in every region where a virtual network is present. An alert is raised if a Network Watcher resource group is not available in a particular region. | AuditIfNotExists, Disabled | 3.0.0 |
| Resource logs in Azure Data Lake Store should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Azure Stream Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Batch accounts should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Data Lake Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Event Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in IoT Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 3.1.0 |
| Resource logs in Key Vault should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Logic Apps should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.1.0 |
| Resource logs in Search services should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Service Bus should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | The Guest Configuration extension requires a system-assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system-assigned managed identity. Learn more at https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 1.0.1 |

Changes By Authorized Individuals

ID: FedRAMP High AU-12 (3) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Provide the capability to extend or limit auditing on customer-deployed resources | CMA_C1141 - Provide the capability to extend or limit auditing on customer-deployed resources | Manual, Disabled | 1.1.0 |

Security Assessment And Authorization

Security Assessment And Authorization Policy And Procedures

ID: FedRAMP High CA-1 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Review security assessment and authorization policies and procedures | CMA_C1143 - Review security assessment and authorization policies and procedures | Manual, Disabled | 1.1.0 |

Security Assessments

ID: FedRAMP High CA-2 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assess Security Controls | CMA_C1145 - Assess Security Controls | Manual, Disabled | 1.1.0 |
| Deliver security assessment results | CMA_C1147 - Deliver security assessment results | Manual, Disabled | 1.1.0 |
| Develop security assessment plan | CMA_C1144 - Develop security assessment plan | Manual, Disabled | 1.1.0 |
| Produce Security Assessment report | CMA_C1146 - Produce Security Assessment report | Manual, Disabled | 1.1.0 |

Independent Assessors

ID: FedRAMP High CA-2 (1) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Employ independent assessors to conduct security control assessments | CMA_C1148 - Employ independent assessors to conduct security control assessments | Manual, Disabled | 1.1.0 |

Specialized Assessments

ID: FedRAMP High CA-2 (2) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Select additional testing for security control assessments | CMA_C1149 - Select additional testing for security control assessments | Manual, Disabled | 1.1.0 |

External Organizations

ID: FedRAMP High CA-2 (3) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Accept assessment results | CMA_C1150 - Accept assessment results | Manual, Disabled | 1.1.0 |

System Interconnections

ID: FedRAMP High CA-3 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Require interconnection security agreements | CMA_C1151 - Require interconnection security agreements | Manual, Disabled | 1.1.0 |
| Update interconnection security agreements | CMA_0519 - Update interconnection security agreements | Manual, Disabled | 1.1.0 |

Unclassified Non-National Security System Connections

ID: FedRAMP High CA-3 (3) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |

Restrictions On External System Connections

ID: FedRAMP High CA-3 (5) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Employ restrictions on external system interconnections | CMA_C1155 - Employ restrictions on external system interconnections | Manual, Disabled | 1.1.0 |

Plan Of Action And Milestones

ID: FedRAMP High CA-5 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop POA&M | CMA_C1156 - Develop POA&M | Manual, Disabled | 1.1.0 |
| Update POA&M items | CMA_C1157 - Update POA&M items | Manual, Disabled | 1.1.0 |

Security Authorization

ID: FedRAMP High CA-6 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assign an authorizing official (AO) | CMA_C1158 - Assign an authorizing official (AO) | Manual, Disabled | 1.1.0 |
| Ensure resources are authorized | CMA_C1159 - Ensure resources are authorized | Manual, Disabled | 1.1.0 |
| Update the security authorization | CMA_C1160 - Update the security authorization | Manual, Disabled | 1.1.0 |

Continuous Monitoring

ID: FedRAMP High CA-7 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Configure detection whitelist | CMA_0068 - Configure detection whitelist | Manual, Disabled | 1.1.0 |
| Turn on sensors for endpoint security solution | CMA_0514 - Turn on sensors for endpoint security solution | Manual, Disabled | 1.1.0 |
| Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |

Independent Assessment

ID: FedRAMP High CA-7 (1) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Employ independent assessors for continuous monitoring | CMA_C1168 - Employ independent assessors for continuous monitoring | Manual, Disabled | 1.1.0 |

Trend Analyses

ID: FedRAMP High CA-7 (3) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Analyse data obtained from continuous monitoring | CMA_C1169 - Analyse data obtained from continuous monitoring | Manual, Disabled | 1.1.0 |

Independent Penetration Agent Or Team

ID: FedRAMP High CA-8 (1) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Employ independent team for penetration testing | CMA_C1171 - Employ independent team for penetration testing | Manual, Disabled | 1.1.0 |

Internal System Connections

ID: FedRAMP High CA-9 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Check for privacy and security compliance before establishing internal connections | CMA_0053 - Check for privacy and security compliance before establishing internal connections | Manual, Disabled | 1.1.0 |

Configuration Management

Configuration Management Policy And Procedures

ID: FedRAMP High CM-1 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Review and update configuration management policies and procedures | CMA_C1175 - Review and update configuration management policies and procedures | Manual, Disabled | 1.1.0 |

Baseline Configuration

ID: FedRAMP High CM-2 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Configure actions for noncompliant devices | CMA_0062 - Configure actions for noncompliant devices | Manual, Disabled | 1.1.0 |
| Develop and maintain baseline configurations | CMA_0153 - Develop and maintain baseline configurations | Manual, Disabled | 1.1.0 |
| Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
| Establish a configuration control board | CMA_0254 - Establish a configuration control board | Manual, Disabled | 1.1.0 |
| Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Manual, Disabled | 1.1.0 |
| Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Manual, Disabled | 1.1.0 |

Automation Support For Accuracy / Currency

ID: FedRAMP High CM-2 (2) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Configure actions for noncompliant devices | CMA_0062 - Configure actions for noncompliant devices | Manual, Disabled | 1.1.0 |
| Develop and maintain baseline configurations | CMA_0153 - Develop and maintain baseline configurations | Manual, Disabled | 1.1.0 |
| Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
| Establish a configuration control board | CMA_0254 - Establish a configuration control board | Manual, Disabled | 1.1.0 |
| Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Manual, Disabled | 1.1.0 |
| Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Manual, Disabled | 1.1.0 |

Retention Of Previous Configurations

ID: FedRAMP High CM-2 (3) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Retain previous versions of baseline configs | CMA_C1181 - Retain previous versions of baseline configs | Manual, Disabled | 1.1.0 |

Configure Systems, Components, Or Devices For High-Risk Areas

ID: FedRAMP High CM-2 (7) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Ensure security safeguards not needed when the individuals return | CMA_C1183 - Ensure security safeguards not needed when the individuals return | Manual, Disabled | 1.1.0 |
| Not allow for information systems to accompany with individuals | CMA_C1182 - Not allow for information systems to accompany with individuals | Manual, Disabled | 1.1.0 |

Configuration Change Control

ID: FedRAMP High CM-3 Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Conduct a security impact analysis CMA_0057 - Conduct a security impact analysis Manual, Disabled 1.1.0
Develop and maintain a vulnerability management standard CMA_0152 - Develop and maintain a vulnerability management standard Manual, Disabled 1.1.0
Establish a risk management strategy CMA_0258 - Establish a risk management strategy Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Establish configuration management requirements for developers CMA_0270 - Establish configuration management requirements for developers Manual, Disabled 1.1.0
Perform a privacy impact assessment CMA_0387 - Perform a privacy impact assessment Manual, Disabled 1.1.0
Perform a risk assessment CMA_0388 - Perform a risk assessment Manual, Disabled 1.1.0
Perform audit for configuration change control CMA_0390 - Perform audit for configuration change control Manual, Disabled 1.1.0

Automated Document / Notification / Prohibition Of Changes

ID: FedRAMP High CM-3 (1) Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Automate approval request for proposed changes CMA_C1192 - Automate approval request for proposed changes Manual, Disabled 1.1.0
Automate implementation of approved change notifications CMA_C1196 - Automate implementation of approved change notifications Manual, Disabled 1.1.0
Automate process to document implemented changes CMA_C1195 - Automate process to document implemented changes Manual, Disabled 1.1.0
Automate process to highlight unreviewed change proposals CMA_C1193 - Automate process to highlight unreviewed change proposals Manual, Disabled 1.1.0
Automate process to prohibit implementation of unapproved changes CMA_C1194 - Automate process to prohibit implementation of unapproved changes Manual, Disabled 1.1.0
Automate proposed documented changes CMA_C1191 - Automate proposed documented changes Manual, Disabled 1.1.0

Test / Validate / Document Changes

ID: FedRAMP High CM-3 (2) Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Establish configuration management requirements for developers CMA_0270 - Establish configuration management requirements for developers Manual, Disabled 1.1.0
Perform audit for configuration change control CMA_0390 - Perform audit for configuration change control Manual, Disabled 1.1.0

Security Representative

ID: FedRAMP High CM-3 (4) Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Assign information security representative to change control CMA_C1198 - Assign information security representative to change control Manual, Disabled 1.1.0

Cryptography Management

ID: FedRAMP High CM-3 (6) Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Ensure cryptographic mechanisms are under configuration management CMA_C1199 - Ensure cryptographic mechanisms are under configuration management Manual, Disabled 1.1.0

Security Impact Analysis

ID: FedRAMP High CM-4 Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Conduct a security impact analysis CMA_0057 - Conduct a security impact analysis Manual, Disabled 1.1.0
Develop and maintain a vulnerability management standard CMA_0152 - Develop and maintain a vulnerability management standard Manual, Disabled 1.1.0
Establish a risk management strategy CMA_0258 - Establish a risk management strategy Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Establish configuration management requirements for developers CMA_0270 - Establish configuration management requirements for developers Manual, Disabled 1.1.0
Perform a privacy impact assessment CMA_0387 - Perform a privacy impact assessment Manual, Disabled 1.1.0
Perform a risk assessment CMA_0388 - Perform a risk assessment Manual, Disabled 1.1.0
Perform audit for configuration change control CMA_0390 - Perform audit for configuration change control Manual, Disabled 1.1.0

Separate Test Environments

ID: FedRAMP High CM-4 (1) Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Conduct a security impact analysis CMA_0057 - Conduct a security impact analysis Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Establish configuration management requirements for developers CMA_0270 - Establish configuration management requirements for developers Manual, Disabled 1.1.0
Perform a privacy impact assessment CMA_0387 - Perform a privacy impact assessment Manual, Disabled 1.1.0
Perform audit for configuration change control CMA_0390 - Perform audit for configuration change control Manual, Disabled 1.1.0

Access Restrictions For Change

ID: FedRAMP High CM-5 Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0

Automated Access Enforcement / Auditing

ID: FedRAMP High CM-5 (1) Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Enforce and audit access restrictions CMA_C1203 - Enforce and audit access restrictions Manual, Disabled 1.1.0

Review System Changes

ID: FedRAMP High CM-5 (2) Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Review changes for any unauthorized changes CMA_C1204 - Review changes for any unauthorized changes Manual, Disabled 1.1.0

Signed Components

ID: FedRAMP High CM-5 (3) Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Restrict unauthorized software and firmware installation CMA_C1205 - Restrict unauthorized software and firmware installation Manual, Disabled 1.1.0

Limit Production / Operational Privileges

ID: FedRAMP High CM-5 (5) Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Limit privileges to make changes in production environment CMA_C1206 - Limit privileges to make changes in production environment Manual, Disabled 1.1.0
Review and reevaluate privileges CMA_C1207 - Review and reevaluate privileges Manual, Disabled 1.1.0

Configuration Settings

ID: FedRAMP High CM-6 Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
App Service apps should have Client Certificates (Incoming client certificates) enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy applies to apps with Http version set to 1.1. AuditIfNotExists, Disabled 1.0.0
App Service apps should have remote debugging turned off Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. AuditIfNotExists, Disabled 2.0.0
App Service apps should not have CORS configured to allow every resource to access your apps Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. AuditIfNotExists, Disabled 2.0.0
Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. Audit, Disabled 1.0.2
Enforce security configuration settings CMA_0249 - Enforce security configuration settings Manual, Disabled 1.1.0
Function apps should have Client Certificates (Incoming client certificates) enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy applies to apps with Http version set to 1.1. AuditIfNotExists, Disabled 1.0.0
Function apps should have remote debugging turned off Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. AuditIfNotExists, Disabled 2.0.0
Function apps should not have CORS configured to allow every resource to access your apps Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. AuditIfNotExists, Disabled 2.0.0
Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, Audit, deny, Deny, disabled, Disabled 9.2.0
Kubernetes cluster containers should not share host process ID or host IPC namespace Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, Audit, deny, Deny, disabled, Disabled 5.1.0
Kubernetes cluster containers should only use allowed AppArmor profiles Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, Audit, deny, Deny, disabled, Disabled 6.1.1
Kubernetes cluster containers should only use allowed capabilities Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, Audit, deny, Deny, disabled, Disabled 6.1.0
Kubernetes cluster containers should only use allowed images Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc. audit, Audit, deny, Deny, disabled, Disabled 9.2.0
Kubernetes cluster containers should run with a read only root file system Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, Audit, deny, Deny, disabled, Disabled 6.2.0
Kubernetes cluster pod hostPath volumes should only use allowed host paths Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, Audit, deny, Deny, disabled, Disabled 6.1.1
Kubernetes cluster pods and containers should only run with approved user and group IDs Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, Audit, deny, Deny, disabled, Disabled 6.1.1
Kubernetes cluster pods should only use approved host network and port range Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, Audit, deny, Deny, disabled, Disabled 6.1.0
Kubernetes cluster services should listen only on allowed ports Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, Audit, deny, Deny, disabled, Disabled 8.1.0
Kubernetes cluster should not allow privileged containers Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, Audit, deny, Deny, disabled, Disabled 9.1.0
Kubernetes clusters should not allow container privilege escalation Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, Audit, deny, Deny, disabled, Disabled 7.1.0
Linux machines should meet requirements for the Azure compute security baseline Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. AuditIfNotExists, Disabled 2.2.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0
Windows machines should meet requirements of the Azure compute security baseline Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. AuditIfNotExists, Disabled 2.0.0

Automated Central Management / Application / Verification

ID: FedRAMP High CM-6 (1) Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Enforce security configuration settings CMA_0249 - Enforce security configuration settings Manual, Disabled 1.1.0
Govern compliance of cloud service providers CMA_0290 - Govern compliance of cloud service providers Manual, Disabled 1.1.0
View and configure system diagnostic data CMA_0544 - View and configure system diagnostic data Manual, Disabled 1.1.0

Least Functionality

ID: FedRAMP High CM-7 Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Adaptive application controls for defining safe applications should be enabled on your machines Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. AuditIfNotExists, Disabled 3.0.0
Allowlist rules in your adaptive application control policy should be updated Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. AuditIfNotExists, Disabled 3.0.0
Azure Defender for servers should be enabled Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. AuditIfNotExists, Disabled 1.0.3

Prevent Program Execution

ID: FedRAMP High CM-7 (2) Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Adaptive application controls for defining safe applications should be enabled on your machines Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. AuditIfNotExists, Disabled 3.0.0
Allowlist rules in your adaptive application control policy should be updated Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. AuditIfNotExists, Disabled 3.0.0

Authorized Software / Whitelisting

ID: FedRAMP High CM-7 (5) Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Adaptive application controls for defining safe applications should be enabled on your machines Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. AuditIfNotExists, Disabled 3.0.0
Allowlist rules in your adaptive application control policy should be updated Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. AuditIfNotExists, Disabled 3.0.0

Information System Component Inventory

ID: FedRAMP High CM-8 Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Create a data inventory CMA_0096 - Create a data inventory Manual, Disabled 1.1.0
Maintain records of processing of personal data CMA_0353 - Maintain records of processing of personal data Manual, Disabled 1.1.0

Updates During Installations / Removals

ID: FedRAMP High CM-8 (1) Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Create a data inventory CMA_0096 - Create a data inventory Manual, Disabled 1.1.0
Maintain records of processing of personal data CMA_0353 - Maintain records of processing of personal data Manual, Disabled 1.1.0

Automated Unauthorized Component Detection

ID: FedRAMP High CM-8 (3) Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Enable detection of network devices CMA_0220 - Enable detection of network devices Manual, Disabled 1.1.0
Set automated notifications for new and trending cloud applications in your organization CMA_0495 - Set automated notifications for new and trending cloud applications in your organization Manual, Disabled 1.1.0

Accountability Information

ID: FedRAMP High CM-8 (4) Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Create a data inventory CMA_0096 - Create a data inventory Manual, Disabled 1.1.0
Establish and maintain an asset inventory CMA_0266 - Establish and maintain an asset inventory Manual, Disabled 1.1.0

Configuration Management Plan

ID: FedRAMP High CM-9 Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Create configuration plan protection CMA_C1233 - Create configuration plan protection Manual, Disabled 1.1.0
Develop and maintain baseline configurations CMA_0153 - Develop and maintain baseline configurations Manual, Disabled 1.1.0
Develop configuration item identification plan CMA_C1231 - Develop configuration item identification plan Manual, Disabled 1.1.0
Develop configuration management plan CMA_C1232 - Develop configuration management plan Manual, Disabled 1.1.0
Establish and document a configuration management plan CMA_0264 - Establish and document a configuration management plan Manual, Disabled 1.1.0
Implement an automated configuration management tool CMA_0311 - Implement an automated configuration management tool Manual, Disabled 1.1.0

Software Usage Restrictions

ID: FedRAMP High CM-10 Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Adaptive application controls for defining safe applications should be enabled on your machines Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. AuditIfNotExists, Disabled 3.0.0
Allowlist rules in your adaptive application control policy should be updated Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. AuditIfNotExists, Disabled 3.0.0
Require compliance with intellectual property rights CMA_0432 - Require compliance with intellectual property rights Manual, Disabled 1.1.0
Track software license usage CMA_C1235 - Track software license usage Manual, Disabled 1.1.0

Open Source Software

ID: FedRAMP High CM-10 (1) Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Restrict use of open source software CMA_C1237 - Restrict use of open source software Manual, Disabled 1.1.0

User-Installed Software

ID: FedRAMP High CM-11 Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Adaptive application controls for defining safe applications should be enabled on your machines Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. AuditIfNotExists, Disabled 3.0.0
Allowlist rules in your adaptive application control policy should be updated Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. AuditIfNotExists, Disabled 3.0.0

Contingency Planning

Contingency Planning Policy And Procedures

ID: FedRAMP High CP-1 Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Review and update contingency planning policies and procedures CMA_C1243 - Review and update contingency planning policies and procedures Manual, Disabled 1.1.0

Contingency Plan

ID: FedRAMP High CP-2 Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Communicate contingency plan changes CMA_C1249 - Communicate contingency plan changes Manual, Disabled 1.1.0
Coordinate contingency plans with related plans CMA_0086 - Coordinate contingency plans with related plans Manual, Disabled 1.1.0
Develop and document a business continuity and disaster recovery plan CMA_0146 - Develop and document a business continuity and disaster recovery plan Manual, Disabled 1.1.0
Develop contingency plan CMA_C1244 - Develop contingency plan Manual, Disabled 1.1.0
Develop contingency planning policies and procedures CMA_0156 - Develop contingency planning policies and procedures Manual, Disabled 1.1.0
Distribute policies and procedures CMA_0185 - Distribute policies and procedures Manual, Disabled 1.1.0
Review contingency plan CMA_C1247 - Review contingency plan Manual, Disabled 1.1.0
Update contingency plan CMA_C1248 - Update contingency plan Manual, Disabled 1.1.0

ID: FedRAMP High CP-2 (1) Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Coordinate contingency plans with related plans CMA_0086 - Coordinate contingency plans with related plans Manual, Disabled 1.1.0

Capacity Planning

ID: FedRAMP High CP-2 (2) Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Conduct capacity planning CMA_C1252 - Conduct capacity planning Manual, Disabled 1.1.0

Resume Essential Missions / Business Functions

ID: FedRAMP High CP-2 (3) Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Plan for resumption of essential business functions CMA_C1253 - Plan for resumption of essential business functions Manual, Disabled 1.1.0

Resume All Missions / Business Functions

ID: FedRAMP High CP-2 (4) Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Resume all mission and business functions CMA_C1254 - Resume all mission and business functions Manual, Disabled 1.1.0

Continue Essential Missions / Business Functions

ID: FedRAMP High CP-2 (5) Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Plan for continuance of essential business functions CMA_C1255 - Plan for continuance of essential business functions Manual, Disabled 1.1.0

Identify Critical Assets

ID: FedRAMP High CP-2 (8) Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Perform a business impact assessment and application criticality assessment CMA_0386 - Perform a business impact assessment and application criticality assessment Manual, Disabled 1.1.0

Contingency Training

ID: FedRAMP High CP-3 Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Provide contingency training CMA_0412 - Provide contingency training Manual, Disabled 1.1.0

Simulated Events

ID: FedRAMP High CP-3 (1) Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Incorporate simulated contingency training CMA_C1260 - Incorporate simulated contingency training Manual, Disabled 1.1.0

Contingency Plan Testing

ID: FedRAMP High CP-4 Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Initiate contingency plan testing corrective actions CMA_C1263 - Initiate contingency plan testing corrective actions Manual, Disabled 1.1.0
Review the results of contingency plan testing CMA_C1262 - Review the results of contingency plan testing Manual, Disabled 1.1.0
Test the business continuity and disaster recovery plan CMA_0509 - Test the business continuity and disaster recovery plan Manual, Disabled 1.1.0

ID: FedRAMP High CP-4 (1) Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Coordinate contingency plans with related plans CMA_0086 - Coordinate contingency plans with related plans Manual, Disabled 1.1.0

Alternate Processing Site

ID: FedRAMP High CP-4 (2) Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Evaluate alternate processing site capabilities CMA_C1266 - Evaluate alternate processing site capabilities Manual, Disabled 1.1.0
Test contingency plan at an alternate processing location CMA_C1265 - Test contingency plan at an alternate processing location Manual, Disabled 1.1.0

Alternate Storage Site

ID: FedRAMP High CP-6 Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Ensure alternate storage site safeguards are equivalent to primary site CMA_C1268 - Ensure alternate storage site safeguards are equivalent to primary site Manual, Disabled 1.1.0
Establish alternate storage site to store and retrieve backup information CMA_C1267 - Establish alternate storage site to store and retrieve backup information Manual, Disabled 1.1.0
Geo-redundant backup should be enabled for Azure Database for MariaDB Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. Audit, Disabled 1.0.1
Geo-redundant backup should be enabled for Azure Database for MySQL Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. Audit, Disabled 1.0.1
Geo-redundant backup should be enabled for Azure Database for PostgreSQL Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. Audit, Disabled 1.0.1
Geo-redundant storage should be enabled for Storage Accounts Use geo-redundancy to create highly available applications Audit, Disabled 1.0.0
Long-term geo-redundant backup should be enabled for Azure SQL Databases This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled. AuditIfNotExists, Disabled 2.0.0

Separation From Primary Site

ID: FedRAMP High CP-6 (1) Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Create separate alternate and primary storage sites CMA_C1269 - Create separate alternate and primary storage sites Manual, Disabled 1.1.0
Geo-redundant backup should be enabled for Azure Database for MariaDB Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. Audit, Disabled 1.0.1
Geo-redundant backup should be enabled for Azure Database for MySQL Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. Audit, Disabled 1.0.1
Geo-redundant backup should be enabled for Azure Database for PostgreSQL Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. Audit, Disabled 1.0.1
Geo-redundant storage should be enabled for Storage Accounts Use geo-redundancy to create highly available applications Audit, Disabled 1.0.0
Long-term geo-redundant backup should be enabled for Azure SQL Databases This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled. AuditIfNotExists, Disabled 2.0.0

Recovery Time / Point Objectives

ID: FedRAMP High CP-6 (2) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Establish alternate storage site that facilitates recovery operations | CMA_C1270 - Establish alternate storage site that facilitates recovery operations | Manual, Disabled | 1.1.0 |

Accessibility

ID: FedRAMP High CP-6 (3) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Identify and mitigate potential issues at alternate storage site | CMA_C1271 - Identify and mitigate potential issues at alternate storage site | Manual, Disabled | 1.1.0 |

Alternate Processing Site

ID: FedRAMP High CP-7 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Audit virtual machines without disaster recovery configured | Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit https://aka.ms/asr-doc. | auditIfNotExists | 1.0.0 |
| Establish an alternate processing site | CMA_0262 - Establish an alternate processing site | Manual, Disabled | 1.1.0 |

Separation From Primary Site

ID: FedRAMP High CP-7 (1) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Establish an alternate processing site | CMA_0262 - Establish an alternate processing site | Manual, Disabled | 1.1.0 |

Accessibility

ID: FedRAMP High CP-7 (2) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Establish an alternate processing site | CMA_0262 - Establish an alternate processing site | Manual, Disabled | 1.1.0 |

Priority Of Service

ID: FedRAMP High CP-7 (3) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Establish an alternate processing site | CMA_0262 - Establish an alternate processing site | Manual, Disabled | 1.1.0 |
| Establish requirements for internet service providers | CMA_0278 - Establish requirements for internet service providers | Manual, Disabled | 1.1.0 |

Preparation For Use

ID: FedRAMP High CP-7 (4) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Prepare alternate processing site for use as operational site | CMA_C1278 - Prepare alternate processing site for use as operational site | Manual, Disabled | 1.1.0 |

Priority Of Service Provisions

ID: FedRAMP High CP-8 (1) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Establish requirements for internet service providers | CMA_0278 - Establish requirements for internet service providers | Manual, Disabled | 1.1.0 |

Information System Backup

ID: FedRAMP High CP-9 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Backup should be enabled for Virtual Machines | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost-effective data protection solution for Azure. | AuditIfNotExists, Disabled | 3.0.0 |
| Conduct backup of information system documentation | CMA_C1289 - Conduct backup of information system documentation | Manual, Disabled | 1.1.0 |
| Establish backup policies and procedures | CMA_0268 - Establish backup policies and procedures | Manual, Disabled | 1.1.0 |
| Geo-redundant backup should be enabled for Azure Database for MariaDB | Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide a recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
| Geo-redundant backup should be enabled for Azure Database for MySQL | Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide a recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
| Geo-redundant backup should be enabled for Azure Database for PostgreSQL | Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide a recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
| Key vaults should have deletion protection enabled | Malicious deletion of a key vault can lead to permanent data loss. You can prevent permanent data loss by enabling purge protection and soft delete. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. Keep in mind that key vaults created after September 1st 2019 have soft-delete enabled by default. | Audit, Deny, Disabled | 2.1.0 |
| Key vaults should have soft delete enabled | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Audit, Deny, Disabled | 3.0.0 |

Separate Storage For Critical Information

ID: FedRAMP High CP-9 (3) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Separately store backup information | CMA_C1293 - Separately store backup information | Manual, Disabled | 1.1.0 |

Transfer To Alternate Storage Site

ID: FedRAMP High CP-9 (5) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Transfer backup information to an alternate storage site | CMA_C1294 - Transfer backup information to an alternate storage site | Manual, Disabled | 1.1.0 |

Information System Recovery And Reconstitution

ID: FedRAMP High CP-10 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Recover and reconstitute resources after any disruption | CMA_C1295 - Recover and reconstitute resources after any disruption | Manual, Disabled | 1.1.1 |

Transaction Recovery

ID: FedRAMP High CP-10 (2) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Implement transaction based recovery | CMA_C1296 - Implement transaction based recovery | Manual, Disabled | 1.1.0 |

Restore Within Time Period

ID: FedRAMP High CP-10 (4) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Restore resources to operational state | CMA_C1297 - Restore resources to operational state | Manual, Disabled | 1.1.1 |

Identification And Authentication

Identification And Authentication Policy And Procedures

ID: FedRAMP High IA-1 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Review and update identification and authentication policies and procedures | CMA_C1299 - Review and update identification and authentication policies and procedures | Manual, Disabled | 1.1.0 |

Identification And Authentication (Organizational Users)

ID: FedRAMP High IA-2 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Accounts with owner permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
| Accounts with read permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
| Accounts with write permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
| An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services. | AuditIfNotExists, Disabled | 1.0.0 |
| App Service apps should use managed identity | Use a managed identity for enhanced authentication security | AuditIfNotExists, Disabled | 3.0.0 |
| Azure AI Services resources should have key access disabled (disable local authentication) | Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining the minimum privilege principle and granular control. Learn more at: https://aka.ms/AI/auth | Audit, Deny, Disabled | 1.1.0 |
| Enforce user uniqueness | CMA_0250 - Enforce user uniqueness | Manual, Disabled | 1.1.0 |
| Function apps should use managed identity | Use a managed identity for enhanced authentication security | AuditIfNotExists, Disabled | 3.0.0 |
| Service Fabric clusters should only use Azure Active Directory for client authentication | Audit usage of client authentication only via Azure Active Directory in Service Fabric | Audit, Deny, Disabled | 1.1.0 |
| Support personal verification credentials issued by legal authorities | CMA_0507 - Support personal verification credentials issued by legal authorities | Manual, Disabled | 1.1.0 |

Network Access To Privileged Accounts

ID: FedRAMP High IA-2 (1) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Accounts with owner permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
| Accounts with write permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
| Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |

Network Access To Non-Privileged Accounts

ID: FedRAMP High IA-2 (2) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Accounts with read permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
| Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |

Local Access To Privileged Accounts

ID: FedRAMP High IA-2 (3) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |

Group Authentication

ID: FedRAMP High IA-2 (5) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Require use of individual authenticators | CMA_C1305 - Require use of individual authenticators | Manual, Disabled | 1.1.0 |

Remote Access - Separate Device

ID: FedRAMP High IA-2 (11) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
| Identify and authenticate network devices | CMA_0296 - Identify and authenticate network devices | Manual, Disabled | 1.1.0 |

Acceptance Of PIV Credentials

ID: FedRAMP High IA-2 (12) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Support personal verification credentials issued by legal authorities | CMA_0507 - Support personal verification credentials issued by legal authorities | Manual, Disabled | 1.1.0 |

Identifier Management

ID: FedRAMP High IA-4 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services. | AuditIfNotExists, Disabled | 1.0.0 |
| App Service apps should use managed identity | Use a managed identity for enhanced authentication security | AuditIfNotExists, Disabled | 3.0.0 |
| Assign system identifiers | CMA_0018 - Assign system identifiers | Manual, Disabled | 1.1.0 |
| Azure AI Services resources should have key access disabled (disable local authentication) | Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining the minimum privilege principle and granular control. Learn more at: https://aka.ms/AI/auth | Audit, Deny, Disabled | 1.1.0 |
| Function apps should use managed identity | Use a managed identity for enhanced authentication security | AuditIfNotExists, Disabled | 3.0.0 |
| Prevent identifier reuse for the defined time period | CMA_C1314 - Prevent identifier reuse for the defined time period | Manual, Disabled | 1.1.0 |
| Service Fabric clusters should only use Azure Active Directory for client authentication | Audit usage of client authentication only via Azure Active Directory in Service Fabric | Audit, Deny, Disabled | 1.1.0 |

Identify User Status

ID: FedRAMP High IA-4 (4) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Identify status of individual users | CMA_C1316 - Identify status of individual users | Manual, Disabled | 1.1.0 |

Authenticator Management

ID: FedRAMP High IA-5 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 |
| Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 |
| Audit Linux machines that do not have the passwd file permissions set to 0644 | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines do not have the passwd file permissions set to 0644. | AuditIfNotExists, Disabled | 3.1.0 |
| Audit Windows machines that do not store passwords using reversible encryption | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines do not store passwords using reversible encryption. | AuditIfNotExists, Disabled | 2.0.0 |
| Authentication to Linux machines should require SSH keys | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | AuditIfNotExists, Disabled | 3.2.0 |
| Certificates should have the specified maximum validity period | Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. | audit, Audit, deny, Deny, disabled, Disabled | 2.2.1 |
| Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 3.1.0 |
| Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 1.2.0 |
| Establish authenticator types and processes | CMA_0267 - Establish authenticator types and processes | Manual, Disabled | 1.1.0 |
| Establish procedures for initial authenticator distribution | CMA_0276 - Establish procedures for initial authenticator distribution | Manual, Disabled | 1.1.0 |
| Implement training for protecting authenticators | CMA_0329 - Implement training for protecting authenticators | Manual, Disabled | 1.1.0 |
| Key Vault keys should have an expiration date | Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Audit, Deny, Disabled | 1.0.2 |
| Key Vault secrets should have an expiration date | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Audit, Deny, Disabled | 1.0.2 |
| Manage authenticator lifetime and reuse | CMA_0355 - Manage authenticator lifetime and reuse | Manual, Disabled | 1.1.0 |
| Manage Authenticators | CMA_C1321 - Manage Authenticators | Manual, Disabled | 1.1.0 |
| Refresh authenticators | CMA_0425 - Refresh authenticators | Manual, Disabled | 1.1.0 |
| Reissue authenticators for changed groups and accounts | CMA_0426 - Reissue authenticators for changed groups and accounts | Manual, Disabled | 1.1.0 |
| Verify identity before distributing authenticators | CMA_0538 - Verify identity before distributing authenticators | Manual, Disabled | 1.1.0 |

Password-Based Authentication

ID: FedRAMP High IA-5 (1) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 |
| Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 |
| Audit Linux machines that do not have the passwd file permissions set to 0644 | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines do not have the passwd file permissions set to 0644. | AuditIfNotExists, Disabled | 3.1.0 |
| Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines allow re-use of the passwords after the specified number of unique passwords. Default value for unique passwords is 24. | AuditIfNotExists, Disabled | 2.1.0 |
| Audit Windows machines that do not have the maximum password age set to specified number of days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines do not have the maximum password age set to the specified number of days. Default value for maximum password age is 70 days. | AuditIfNotExists, Disabled | 2.1.0 |
| Audit Windows machines that do not have the minimum password age set to specified number of days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines do not have the minimum password age set to the specified number of days. Default value for minimum password age is 1 day. | AuditIfNotExists, Disabled | 2.1.0 |
| Audit Windows machines that do not have the password complexity setting enabled | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines do not have the password complexity setting enabled. | AuditIfNotExists, Disabled | 2.0.0 |
| Audit Windows machines that do not restrict the minimum password length to specified number of characters | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines do not restrict the minimum password length to the specified number of characters. Default value for minimum password length is 14 characters. | AuditIfNotExists, Disabled | 2.1.0 |
| Audit Windows machines that do not store passwords using reversible encryption | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines do not store passwords using reversible encryption. | AuditIfNotExists, Disabled | 2.0.0 |
| Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 3.1.0 |
| Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 1.2.0 |
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Establish a password policy | CMA_0256 - Establish a password policy | Manual, Disabled | 1.1.0 |
| Implement parameters for memorized secret verifiers | CMA_0321 - Implement parameters for memorized secret verifiers | Manual, Disabled | 1.1.0 |
| Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |

PKI-Based Authentication

ID: FedRAMP High IA-5 (2) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Bind authenticators and identities dynamically | CMA_0035 - Bind authenticators and identities dynamically | Manual, Disabled | 1.1.0 |
| Establish authenticator types and processes | CMA_0267 - Establish authenticator types and processes | Manual, Disabled | 1.1.0 |
| Establish parameters for searching secret authenticators and verifiers | CMA_0274 - Establish parameters for searching secret authenticators and verifiers | Manual, Disabled | 1.1.0 |
| Establish procedures for initial authenticator distribution | CMA_0276 - Establish procedures for initial authenticator distribution | Manual, Disabled | 1.1.0 |
| Map authenticated identities to individuals | CMA_0372 - Map authenticated identities to individuals | Manual, Disabled | 1.1.0 |
| Restrict access to private keys | CMA_0445 - Restrict access to private keys | Manual, Disabled | 1.1.0 |
| Verify identity before distributing authenticators | CMA_0538 - Verify identity before distributing authenticators | Manual, Disabled | 1.1.0 |

In-Person Or Trusted Third-Party Registration

ID: FedRAMP High IA-5 (3) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Distribute authenticators | CMA_0184 - Distribute authenticators | Manual, Disabled | 1.1.0 |

Automated Support For Password Strength Determination

ID: FedRAMP High IA-5 (4) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Establish a password policy | CMA_0256 - Establish a password policy | Manual, Disabled | 1.1.0 |
| Implement parameters for memorized secret verifiers | CMA_0321 - Implement parameters for memorized secret verifiers | Manual, Disabled | 1.1.0 |

Protection Of Authenticators

ID: FedRAMP High IA-5 (6) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Ensure authorized users protect provided authenticators | CMA_C1339 - Ensure authorized users protect provided authenticators | Manual, Disabled | 1.1.0 |

No Embedded Unencrypted Static Authenticators

ID: FedRAMP High IA-5 (7) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Ensure there are no unencrypted static authenticators | CMA_C1340 - Ensure there are no unencrypted static authenticators | Manual, Disabled | 1.1.0 |

Hardware Token-Based Authentication

ID: FedRAMP High IA-5 (11) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Satisfy token quality requirements | CMA_0487 - Satisfy token quality requirements | Manual, Disabled | 1.1.0 |

Expiration Of Cached Authenticators

ID: FedRAMP High IA-5 (13) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Enforce expiration of cached authenticators | CMA_C1343 - Enforce expiration of cached authenticators | Manual, Disabled | 1.1.0 |

Authenticator Feedback

ID: FedRAMP High IA-6 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Obscure feedback information during authentication process | CMA_C1344 - Obscure feedback information during authentication process | Manual, Disabled | 1.1.0 |

Cryptographic Module Authentication

ID: FedRAMP High IA-7 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Authenticate to cryptographic module | CMA_0021 - Authenticate to cryptographic module | Manual, Disabled | 1.1.0 |

Identification And Authentication (Non-Organizational Users)

ID: FedRAMP High IA-8 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Identify and authenticate non-organizational users | CMA_C1346 - Identify and authenticate non-organizational users | Manual, Disabled | 1.1.0 |

Acceptance Of PIV Credentials From Other Agencies

ID: FedRAMP High IA-8 (1) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Accept PIV credentials | CMA_C1347 - Accept PIV credentials | Manual, Disabled | 1.1.0 |

Acceptance Of Third-Party Credentials

ID: FedRAMP High IA-8 (2) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Accept only FICAM-approved third-party credentials | CMA_C1348 - Accept only FICAM-approved third-party credentials | Manual, Disabled | 1.1.0 |

Use Of FICAM-Approved Products

ID: FedRAMP High IA-8 (3) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Employ FICAM-approved resources to accept third-party credentials | CMA_C1349 - Employ FICAM-approved resources to accept third-party credentials | Manual, Disabled | 1.1.0 |

Use Of FICAM-Issued Profiles

ID: FedRAMP High IA-8 (4) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Conform to FICAM-issued profiles | CMA_C1350 - Conform to FICAM-issued profiles | Manual, Disabled | 1.1.0 |

Incident Response

Incident Response Policy And Procedures

ID: FedRAMP High IR-1 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Review and update incident response policies and procedures | CMA_C1352 - Review and update incident response policies and procedures | Manual, Disabled | 1.1.0 |

Incident Response Training

ID: FedRAMP High IR-2 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Provide information spillage training | CMA_0413 - Provide information spillage training | Manual, Disabled | 1.1.0 |

Simulated Events

ID: FedRAMP High IR-2 (1) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Incorporate simulated events into incident response training | CMA_C1356 - Incorporate simulated events into incident response training | Manual, Disabled | 1.1.0 |

Automated Training Environments

ID: FedRAMP High IR-2 (2) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Employ automated training environment | CMA_C1357 - Employ automated training environment | Manual, Disabled | 1.1.0 |

Incident Response Testing

ID: FedRAMP High IR-3 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Conduct incident response testing | CMA_0060 - Conduct incident response testing | Manual, Disabled | 1.1.0 |
| Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
| Run simulation attacks | CMA_0486 - Run simulation attacks | Manual, Disabled | 1.1.0 |

ID: FedRAMP High IR-3 (2) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Conduct incident response testing | CMA_0060 - Conduct incident response testing | Manual, Disabled | 1.1.0 |
| Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
| Run simulation attacks | CMA_0486 - Run simulation attacks | Manual, Disabled | 1.1.0 |

Incident Handling

ID: FedRAMP High IR-4 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Assess information security events | CMA_0013 - Assess information security events | Manual, Disabled | 1.1.0 |
| Azure Defender for App Service should be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for Key Vault should be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager. Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for SQL servers on machines should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security | AuditIfNotExists, Disabled | 2.0.1 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
| Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
| Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
| Develop security safeguards | CMA_0161 - Develop security safeguards | Manual, Disabled | 1.1.0 |
| Email notification for high severity alerts should be enabled | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 1.0.1 |
| Email notification to subscription owner for high severity alerts should be enabled | To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 2.0.0 |
| Enable network protection | CMA_0238 - Enable network protection | Manual, Disabled | 1.1.0 |
| Eradicate contaminated information | CMA_0253 - Eradicate contaminated information | Manual, Disabled | 1.1.0 |
| Execute actions in response to information spills | CMA_0281 - Execute actions in response to information spills | Manual, Disabled | 1.1.0 |
| Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |
| Maintain incident response plan | CMA_0352 - Maintain incident response plan | Manual, Disabled | 1.1.0 |
| Microsoft Defender for Containers should be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Defender for Storage should be enabled | Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. | AuditIfNotExists, Disabled | 1.0.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| Subscriptions should have a contact email address for security issues | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. | AuditIfNotExists, Disabled | 1.0.1 |
| View and investigate restricted users | CMA_0545 - View and investigate restricted users | Manual, Disabled | 1.1.0 |

Automated Incident Handling Processes

ID: FedRAMP High IR-4 (1) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
| Enable network protection | CMA_0238 - Enable network protection | Manual, Disabled | 1.1.0 |
| Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |

Dynamic Reconfiguration

ID: FedRAMP High IR-4 (2) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Include dynamic reconfig of customer deployed resources | CMA_C1364 - Include dynamic reconfig of customer deployed resources | Manual, Disabled | 1.1.0 |

Continuity Of Operations

ID: FedRAMP High IR-4 (3) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Identify classes of Incidents and Actions taken | CMA_C1365 - Identify classes of Incidents and Actions taken | Manual, Disabled | 1.1.0 |

Information Correlation

ID: FedRAMP High IR-4 (4) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |

Insider Threats - Specific Capabilities

ID: FedRAMP High IR-4 (6) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Implement Incident handling capability | CMA_C1367 - Implement Incident handling capability | Manual, Disabled | 1.1.0 |

Correlation With External Organizations

ID: FedRAMP High IR-4 (8) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Coordinate with external organizations to achieve cross org perspective | CMA_C1368 - Coordinate with external organizations to achieve cross org perspective | Manual, Disabled | 1.1.0 |

Incident Monitoring

ID: FedRAMP High IR-5 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Azure Defender for App Service should be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for Key Vault should be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager. Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for SQL servers on machines should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security | AuditIfNotExists, Disabled | 2.0.1 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
| Email notification for high severity alerts should be enabled | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 1.0.1 |
| Email notification to subscription owner for high severity alerts should be enabled | To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 2.0.0 |
| Microsoft Defender for Containers should be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Defender for Storage should be enabled | Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. | AuditIfNotExists, Disabled | 1.0.0 |
| Subscriptions should have a contact email address for security issues | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. | AuditIfNotExists, Disabled | 1.0.1 |
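Every Defender and notification policy in the IR-4 and IR-5 tables above uses the AuditIfNotExists effect: the rule's `if` block selects the target resources (here, subscriptions), and `then.details` names a related resource type, optionally a specific resource name, and an `existenceCondition` that some related resource must satisfy; a target with no satisfying related resource is reported as non-compliant, and nothing is blocked or remediated. The following evaluator is an added example, not code from this page or from Microsoft. It models that decision over a constructed two-subscription inventory; the rule shape follows the Azure Policy definition schema, but the aliases (`Microsoft.Security/pricings/pricingTier`, `Microsoft.Security/securityContacts/email`), the `VirtualMachines` pricing name and the sample resources are assumptions made for illustration, not copied from the built-in definitions.

```python
"""Minimal evaluator for the Azure Policy AuditIfNotExists effect.

Added example. The rule structure (if / then.effect / then.details with
type, name and existenceCondition) follows the Azure Policy schema; the
aliases, resource names and inventory below are constructed assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Resource:
    """One resource in a constructed inventory. 'scope' is the subscription
    the resource lives in; related resources are looked up within it."""
    scope: str
    type: str
    name: str
    properties: dict = field(default_factory=dict)


def get_field(res, alias):
    """Resolve a policy field alias against a resource. 'type' and 'name'
    are top-level; any other alias maps to the property named by its last
    path segment (a simplification of real alias resolution)."""
    if alias == "type":
        return res.type
    if alias == "name":
        return res.name
    return res.properties.get(alias.rsplit("/", 1)[-1])


def condition_matches(cond, res):
    """Evaluate the subset of policy conditions this example needs:
    field/equals, field/notEquals, field/exists and allOf."""
    if "allOf" in cond:
        return all(condition_matches(c, res) for c in cond["allOf"])
    value = get_field(res, cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "notEquals" in cond:
        return value != cond["notEquals"]
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy_rule, inventory):
    """Return (non_compliant, compliant) scope lists for an AuditIfNotExists
    rule: a target is compliant only if a related resource of the required
    type (and name, when given) in the same scope meets existenceCondition."""
    then = policy_rule["then"]
    if then["effect"] != "AuditIfNotExists":
        raise ValueError("this example evaluates AuditIfNotExists only")
    details = then["details"]
    non_compliant, compliant = [], []
    for target in inventory:
        if not condition_matches(policy_rule["if"], target):
            continue  # outside the policy's scope; not evaluated at all
        related = [
            r for r in inventory
            if r.scope == target.scope
            and r.type == details["type"]
            and ("name" not in details or r.name == details["name"])
        ]
        satisfied = any(condition_matches(details["existenceCondition"], r) for r in related)
        (compliant if satisfied else non_compliant).append(target.scope)
    return sorted(non_compliant), sorted(compliant)


# Rules shaped like the built-ins mapped to IR-4/IR-5; aliases and the
# pricing name are assumptions for this example.
DEFENDER_FOR_SERVERS = {
    "if": {"field": "type", "equals": "Microsoft.Resources/subscriptions"},
    "then": {"effect": "AuditIfNotExists", "details": {
        "type": "Microsoft.Security/pricings",
        "name": "VirtualMachines",
        "existenceCondition": {"field": "Microsoft.Security/pricings/pricingTier", "equals": "Standard"},
    }},
}

SECURITY_CONTACT = {
    "if": {"field": "type", "equals": "Microsoft.Resources/subscriptions"},
    "then": {"effect": "AuditIfNotExists", "details": {
        "type": "Microsoft.Security/securityContacts",
        "existenceCondition": {"allOf": [
            {"field": "Microsoft.Security/securityContacts/email", "exists": "true"},
            {"field": "Microsoft.Security/securityContacts/email", "notEquals": ""},
        ]},
    }},
}

# Constructed inventory: sub-a is fully configured, sub-b is on the Free
# tier and has a security contact record with an empty email.
INVENTORY = [
    Resource("sub-a", "Microsoft.Resources/subscriptions", "sub-a"),
    Resource("sub-a", "Microsoft.Security/pricings", "VirtualMachines", {"pricingTier": "Standard"}),
    Resource("sub-a", "Microsoft.Security/securityContacts", "default", {"email": "soc@example.invalid"}),
    Resource("sub-b", "Microsoft.Resources/subscriptions", "sub-b"),
    Resource("sub-b", "Microsoft.Security/pricings", "VirtualMachines", {"pricingTier": "Free"}),
    Resource("sub-b", "Microsoft.Security/securityContacts", "default", {"email": ""}),
]

if __name__ == "__main__":
    for label, rule in (("Defender for servers", DEFENDER_FOR_SERVERS), ("Security contact", SECURITY_CONTACT)):
        bad, good = evaluate(rule, INVENTORY)
        print(f"{label}: non-compliant={bad} compliant={good}")
```

Note what the evaluator does not do: a compliant result only means the related resource exists in the required state, which is exactly the sense of "Compliant" described in the Important note at the top of this article. It says nothing about whether the alerts the Defender plan raises are actually triaged, which is the substance of IR-4 and IR-5.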

Automated Reporting

ID: FedRAMP High IR-6 (1) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Document security operations | CMA_0202 - Document security operations | Manual, Disabled | 1.1.0 |

Incident Response Assistance

ID: FedRAMP High IR-7 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Document security operations | CMA_0202 - Document security operations | Manual, Disabled | 1.1.0 |

Automation Support For Availability Of Information / Support

ID: FedRAMP High IR-7 (1) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
| Enable network protection | CMA_0238 - Enable network protection | Manual, Disabled | 1.1.0 |
| Eradicate contaminated information | CMA_0253 - Eradicate contaminated information | Manual, Disabled | 1.1.0 |
| Execute actions in response to information spills | CMA_0281 - Execute actions in response to information spills | Manual, Disabled | 1.1.0 |
| Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| View and investigate restricted users | CMA_0545 - View and investigate restricted users | Manual, Disabled | 1.1.0 |

Coordination With External Providers

ID: FedRAMP High IR-7 (2) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Establish relationship between incident response capability and external providers | CMA_C1376 - Establish relationship between incident response capability and external providers | Manual, Disabled | 1.1.0 |
| Identify incident response personnel | CMA_0301 - Identify incident response personnel | Manual, Disabled | 1.1.0 |

Incident Response Plan

ID: FedRAMP High IR-8 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Assess information security events | CMA_0013 - Assess information security events | Manual, Disabled | 1.1.0 |
| Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
| Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |
| Maintain data breach records | CMA_0351 - Maintain data breach records | Manual, Disabled | 1.1.0 |
| Maintain incident response plan | CMA_0352 - Maintain incident response plan | Manual, Disabled | 1.1.0 |
| Protect incident response plan | CMA_0405 - Protect incident response plan | Manual, Disabled | 1.1.0 |

Information Spillage Response

ID: FedRAMP High IR-9 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Alert personnel of information spillage | CMA_0007 - Alert personnel of information spillage | Manual, Disabled | 1.1.0 |
| Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
| Eradicate contaminated information | CMA_0253 - Eradicate contaminated information | Manual, Disabled | 1.1.0 |
| Execute actions in response to information spills | CMA_0281 - Execute actions in response to information spills | Manual, Disabled | 1.1.0 |
| Identify contaminated systems and components | CMA_0300 - Identify contaminated systems and components | Manual, Disabled | 1.1.0 |
| Identify spilled information | CMA_0303 - Identify spilled information | Manual, Disabled | 1.1.0 |
| Isolate information spills | CMA_0346 - Isolate information spills | Manual, Disabled | 1.1.0 |

Responsible Personnel

ID: FedRAMP High IR-9 (1) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Identify incident response personnel | CMA_0301 - Identify incident response personnel | Manual, Disabled | 1.1.0 |

Training

ID: FedRAMP High IR-9 (2) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Provide information spillage training | CMA_0413 - Provide information spillage training | Manual, Disabled | 1.1.0 |

Post-Spill Operations

ID: FedRAMP High IR-9 (3) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Develop spillage response procedures | CMA_0162 - Develop spillage response procedures | Manual, Disabled | 1.1.0 |

Exposure To Unauthorized Personnel

ID: FedRAMP High IR-9 (4) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Develop security safeguards | CMA_0161 - Develop security safeguards | Manual, Disabled | 1.1.0 |

Maintenance

System Maintenance Policy And Procedures

ID: FedRAMP High MA-1 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Review and update system maintenance policies and procedures | CMA_C1395 - Review and update system maintenance policies and procedures | Manual, Disabled | 1.1.0 |

Controlled Maintenance

ID: FedRAMP High MA-2 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Control maintenance and repair activities | CMA_0080 - Control maintenance and repair activities | Manual, Disabled | 1.1.0 |
| Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
| Manage nonlocal maintenance and diagnostic activities | CMA_0364 - Manage nonlocal maintenance and diagnostic activities | Manual, Disabled | 1.1.0 |

Automated Maintenance Activities

ID: FedRAMP High MA-2 (2) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Automate remote maintenance activities | CMA_C1402 - Automate remote maintenance activities | Manual, Disabled | 1.1.0 |
| Produce complete records of remote maintenance activities | CMA_C1403 - Produce complete records of remote maintenance activities | Manual, Disabled | 1.1.0 |

Maintenance Tools

ID: FedRAMP High MA-3 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Control maintenance and repair activities | CMA_0080 - Control maintenance and repair activities | Manual, Disabled | 1.1.0 |
| Manage nonlocal maintenance and diagnostic activities | CMA_0364 - Manage nonlocal maintenance and diagnostic activities | Manual, Disabled | 1.1.0 |

Inspect Tools

ID: FedRAMP High MA-3 (1) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Control maintenance and repair activities | CMA_0080 - Control maintenance and repair activities | Manual, Disabled | 1.1.0 |
| Manage nonlocal maintenance and diagnostic activities | CMA_0364 - Manage nonlocal maintenance and diagnostic activities | Manual, Disabled | 1.1.0 |

Inspect Media

ID: FedRAMP High MA-3 (2) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Control maintenance and repair activities | CMA_0080 - Control maintenance and repair activities | Manual, Disabled | 1.1.0 |
| Manage nonlocal maintenance and diagnostic activities | CMA_0364 - Manage nonlocal maintenance and diagnostic activities | Manual, Disabled | 1.1.0 |

Prevent Unauthorized Removal

ID: FedRAMP High MA-3 (3) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Control maintenance and repair activities | CMA_0080 - Control maintenance and repair activities | Manual, Disabled | 1.1.0 |
| Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
| Manage nonlocal maintenance and diagnostic activities | CMA_0364 - Manage nonlocal maintenance and diagnostic activities | Manual, Disabled | 1.1.0 |

Nonlocal Maintenance

ID: FedRAMP High MA-4 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Manage nonlocal maintenance and diagnostic activities | CMA_0364 - Manage nonlocal maintenance and diagnostic activities | Manual, Disabled | 1.1.0 |

Document Nonlocal Maintenance

ID: FedRAMP High MA-4 (2) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Manage nonlocal maintenance and diagnostic activities | CMA_0364 - Manage nonlocal maintenance and diagnostic activities | Manual, Disabled | 1.1.0 |

Comparable Security / Sanitization

ID: FedRAMP High MA-4 (3) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Perform all non-local maintenance | CMA_C1417 - Perform all non-local maintenance | Manual, Disabled | 1.1.0 |

Cryptographic Protection

ID: FedRAMP High MA-4 (6) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Implement cryptographic mechanisms | CMA_C1419 - Implement cryptographic mechanisms | Manual, Disabled | 1.1.0 |

Maintenance Personnel

ID: FedRAMP High MA-5 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Designate personnel to supervise unauthorized maintenance activities | CMA_C1422 - Designate personnel to supervise unauthorized maintenance activities | Manual, Disabled | 1.1.0 |
| Maintain list of authorized remote maintenance personnel | CMA_C1420 - Maintain list of authorized remote maintenance personnel | Manual, Disabled | 1.1.0 |
| Manage maintenance personnel | CMA_C1421 - Manage maintenance personnel | Manual, Disabled | 1.1.0 |

Individuals Without Appropriate Access

ID: FedRAMP High MA-5 (1) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |

Timely Maintenance

ID: FedRAMP High MA-6 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Provide timely maintenance support | CMA_C1425 - Provide timely maintenance support | Manual, Disabled | 1.1.0 |

Media Protection

Media Protection Policy And Procedures

ID: FedRAMP High MP-1 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Review and update media protection policies and procedures | CMA_C1427 - Review and update media protection policies and procedures | Manual, Disabled | 1.1.0 |

Media Access

ID: FedRAMP High MP-2 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |

Media Marking

ID: FedRAMP High MP-3 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |

Media Storage

ID: FedRAMP High MP-4 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |

Media Transport

ID: FedRAMP High MP-5 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
| Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Manual, Disabled | 1.1.0 |

Cryptographic Protection

ID: FedRAMP High MP-5 (4) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
| Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Manual, Disabled | 1.1.0 |

Media Sanitization

ID: FedRAMP High MP-6 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |

Review / Approve / Track / Document / Verify

ID: FedRAMP High MP-6 (1) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |

Equipment Testing

ID: FedRAMP High MP-6 (2) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |

Media Use

ID: FedRAMP High MP-7 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
| Control use of portable storage devices | CMA_0083 - Control use of portable storage devices | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
| Restrict media use | CMA_0450 - Restrict media use | Manual, Disabled | 1.1.0 |

Prohibit Use Without Owner

ID: FedRAMP High MP-7 (1) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
| Control use of portable storage devices | CMA_0083 - Control use of portable storage devices | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
| Restrict media use | CMA_0450 - Restrict media use | Manual, Disabled | 1.1.0 |

Physical And Environmental Protection

Physical And Environmental Protection Policy And Procedures

ID: FedRAMP High PE-1 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Review and update physical and environmental policies and procedures | CMA_C1446 - Review and update physical and environmental policies and procedures | Manual, Disabled | 1.1.0 |

Physical Access Authorizations

ID: FedRAMP High PE-2 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |

Physical Access Control

ID: FedRAMP High PE-3 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
| Define a physical key management process | CMA_0115 - Define a physical key management process | Manual, Disabled | 1.1.0 |
| Establish and maintain an asset inventory | CMA_0266 - Establish and maintain an asset inventory | Manual, Disabled | 1.1.0 |
| Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |

Access Control For Transmission Medium

ID: FedRAMP High PE-4 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
| Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |

Access Control For Output Devices

ID: FedRAMP High PE-5 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
| Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
| Manage the input, output, processing, and storage of data | CMA_0369 - Manage the input, output, processing, and storage of data | Manual, Disabled | 1.1.0 |

Intrusion Alarms / Surveillance Equipment

ID: FedRAMP High PE-6 (1) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Install an alarm system | CMA_0338 - Install an alarm system | Manual, Disabled | 1.1.0 |
| Manage a secure surveillance camera system | CMA_0354 - Manage a secure surveillance camera system | Manual, Disabled | 1.1.0 |

Visitor Access Records

ID: FedRAMP High PE-8 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
| Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |

Emergency Lighting

ID: FedRAMP High PE-12 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Employ automatic emergency lighting | CMA_0209 - Employ automatic emergency lighting | Manual, Disabled | 1.1.0 |

Fire Protection

ID: FedRAMP High PE-13 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |

Detection Devices / Systems

ID: FedRAMP High PE-13 (1) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Implement a penetration testing methodology | CMA_0306 - Implement a penetration testing methodology | Manual, Disabled | 1.1.0 |
| Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
| Run simulation attacks | CMA_0486 - Run simulation attacks | Manual, Disabled | 1.1.0 |

Suppression Devices / Systems

ID: FedRAMP High PE-13 (2) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |

Automatic Fire Suppression

ID: FedRAMP High PE-13 (3) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |

Temperature And Humidity Controls

ID: FedRAMP High PE-14 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |

Monitoring With Alarms / Notifications

ID: FedRAMP High PE-14 (2) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
| Install an alarm system | CMA_0338 - Install an alarm system | Manual, Disabled | 1.1.0 |

Water Damage Protection

ID: FedRAMP High PE-15 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |

Delivery And Removal

ID: FedRAMP High PE-16 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Define requirements for managing assets | CMA_0125 - Define requirements for managing assets | Manual, Disabled | 1.1.0 |
| Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Manual, Disabled | 1.1.0 |

Alternate Work Site

ID: FedRAMP High PE-17 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Manual, Disabled | 1.1.0

Location Of Information System Components

ID: FedRAMP High PE-18 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0

Planning

Security Planning Policy And Procedures

ID: FedRAMP High PL-1 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Review and update planning policies and procedures | CMA_C1491 - Review and update planning policies and procedures | Manual, Disabled | 1.1.0

System Security Plan

ID: FedRAMP High PL-2 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0
Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Manual, Disabled | 1.1.0
Develop SSP that meets criteria | CMA_C1492 - Develop SSP that meets criteria | Manual, Disabled | 1.1.0
Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0
Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0
Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0

Plan / Coordinate With Other Organizational Entities

ID: FedRAMP High PL-2 (3) Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0
Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0
Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0

Rules Of Behavior

ID: FedRAMP High PL-4 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0
Develop organization code of conduct policy | CMA_0159 - Develop organization code of conduct policy | Manual, Disabled | 1.1.0
Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0
Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0
Prohibit unfair practices | CMA_0396 - Prohibit unfair practices | Manual, Disabled | 1.1.0
Review and sign revised rules of behavior | CMA_0465 - Review and sign revised rules of behavior | Manual, Disabled | 1.1.0
Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0
Update rules of behavior and access agreements | CMA_0521 - Update rules of behavior and access agreements | Manual, Disabled | 1.1.0
Update rules of behavior and access agreements every 3 years | CMA_0522 - Update rules of behavior and access agreements every 3 years | Manual, Disabled | 1.1.0

Social Media And Networking Restrictions

ID: FedRAMP High PL-4 (1) Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0

Information Security Architecture

ID: FedRAMP High PL-8 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Develop a concept of operations (CONOPS) | CMA_0141 - Develop a concept of operations (CONOPS) | Manual, Disabled | 1.1.0
Review and update the information security architecture | CMA_C1504 - Review and update the information security architecture | Manual, Disabled | 1.1.0

Personnel Security

Personnel Security Policy And Procedures

ID: FedRAMP High PS-1 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Review and update personnel security policies and procedures | CMA_C1507 - Review and update personnel security policies and procedures | Manual, Disabled | 1.1.0

Position Risk Designation

ID: FedRAMP High PS-2 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Assign risk designations | CMA_0016 - Assign risk designations | Manual, Disabled | 1.1.0

Personnel Screening

ID: FedRAMP High PS-3 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Clear personnel with access to classified information | CMA_0054 - Clear personnel with access to classified information | Manual, Disabled | 1.1.0
Implement personnel screening | CMA_0322 - Implement personnel screening | Manual, Disabled | 1.1.0
Rescreen individuals at a defined frequency | CMA_C1512 - Rescreen individuals at a defined frequency | Manual, Disabled | 1.1.0

Information With Special Protection Measures

ID: FedRAMP High PS-3 (3) Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Protect special information | CMA_0409 - Protect special information | Manual, Disabled | 1.1.0

Personnel Termination

ID: FedRAMP High PS-4 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Conduct exit interview upon termination | CMA_0058 - Conduct exit interview upon termination | Manual, Disabled | 1.1.0
Disable authenticators upon termination | CMA_0169 - Disable authenticators upon termination | Manual, Disabled | 1.1.0
Notify upon termination or transfer | CMA_0381 - Notify upon termination or transfer | Manual, Disabled | 1.1.0
Protect against and prevent data theft from departing employees | CMA_0398 - Protect against and prevent data theft from departing employees | Manual, Disabled | 1.1.0
Retain terminated user data | CMA_0455 - Retain terminated user data | Manual, Disabled | 1.1.0

Automated Notification

ID: FedRAMP High PS-4 (2) Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Automate notification of employee termination | CMA_C1521 - Automate notification of employee termination | Manual, Disabled | 1.1.0

Personnel Transfer

ID: FedRAMP High PS-5 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Initiate transfer or reassignment actions | CMA_0333 - Initiate transfer or reassignment actions | Manual, Disabled | 1.1.0
Modify access authorizations upon personnel transfer | CMA_0374 - Modify access authorizations upon personnel transfer | Manual, Disabled | 1.1.0
Notify upon termination or transfer | CMA_0381 - Notify upon termination or transfer | Manual, Disabled | 1.1.0
Reevaluate access upon personnel transfer | CMA_0424 - Reevaluate access upon personnel transfer | Manual, Disabled | 1.1.0

Access Agreements

ID: FedRAMP High PS-6 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Document organizational access agreements | CMA_0192 - Document organizational access agreements | Manual, Disabled | 1.1.0
Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0
Ensure access agreements are signed or resigned timely | CMA_C1528 - Ensure access agreements are signed or resigned timely | Manual, Disabled | 1.1.0
Require users to sign access agreement | CMA_0440 - Require users to sign access agreement | Manual, Disabled | 1.1.0
Update organizational access agreements | CMA_0520 - Update organizational access agreements | Manual, Disabled | 1.1.0

Third-Party Personnel Security

ID: FedRAMP High PS-7 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Document third-party personnel security requirements | CMA_C1531 - Document third-party personnel security requirements | Manual, Disabled | 1.1.0
Establish third-party personnel security requirements | CMA_C1529 - Establish third-party personnel security requirements | Manual, Disabled | 1.1.0
Monitor third-party provider compliance | CMA_C1533 - Monitor third-party provider compliance | Manual, Disabled | 1.1.0
Require notification of third-party personnel transfer or termination | CMA_C1532 - Require notification of third-party personnel transfer or termination | Manual, Disabled | 1.1.0
Require third-party providers to comply with personnel security policies and procedures | CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures | Manual, Disabled | 1.1.0

Personnel Sanctions

ID: FedRAMP High PS-8 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Implement formal sanctions process | CMA_0317 - Implement formal sanctions process | Manual, Disabled | 1.1.0
Notify personnel upon sanctions | CMA_0380 - Notify personnel upon sanctions | Manual, Disabled | 1.1.0

Risk Assessment

Risk Assessment Policy And Procedures

ID: FedRAMP High RA-1 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Review and update risk assessment policies and procedures | CMA_C1537 - Review and update risk assessment policies and procedures | Manual, Disabled | 1.1.0

Security Categorization

ID: FedRAMP High RA-2 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Categorize information | CMA_0052 - Categorize information | Manual, Disabled | 1.1.0
Develop business classification schemes | CMA_0155 - Develop business classification schemes | Manual, Disabled | 1.1.0
Ensure security categorization is approved | CMA_C1540 - Ensure security categorization is approved | Manual, Disabled | 1.1.0
Review label activity and analytics | CMA_0474 - Review label activity and analytics | Manual, Disabled | 1.1.0

Risk Assessment

ID: FedRAMP High RA-3 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Conduct Risk Assessment | CMA_C1543 - Conduct Risk Assessment | Manual, Disabled | 1.1.0
Conduct risk assessment and distribute its results | CMA_C1544 - Conduct risk assessment and distribute its results | Manual, Disabled | 1.1.0
Conduct risk assessment and document its results | CMA_C1542 - Conduct risk assessment and document its results | Manual, Disabled | 1.1.0
Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0

Vulnerability Scanning

ID: FedRAMP High RA-5 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
A vulnerability assessment solution should be enabled on your virtual machines | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | AuditIfNotExists, Disabled | 3.0.0
Azure Defender for App Service should be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | AuditIfNotExists, Disabled | 1.0.3
Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2
Azure Defender for Key Vault should be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | AuditIfNotExists, Disabled | 1.0.3
Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager. Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center. | AuditIfNotExists, Disabled | 1.0.0
Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3
Azure Defender for SQL servers on machines should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2
Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security. | AuditIfNotExists, Disabled | 2.0.1
Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2
Azure registry container images should have vulnerabilities resolved (powered by Qualys) | Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. | AuditIfNotExists, Disabled | 2.0.2
Microsoft Defender for Containers should be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | AuditIfNotExists, Disabled | 1.0.0
Microsoft Defender for Storage should be enabled | Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. | AuditIfNotExists, Disabled | 1.0.0
Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0
Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0
SQL databases should have vulnerability findings resolved | Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. | AuditIfNotExists, Disabled | 4.1.0
SQL servers on machines should have vulnerability findings resolved | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | AuditIfNotExists, Disabled | 1.0.0
Vulnerabilities in container security configurations should be remediated | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | AuditIfNotExists, Disabled | 3.0.0
Vulnerabilities in security configuration on your machines should be remediated | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 3.1.0
Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | AuditIfNotExists, Disabled | 3.0.0
Vulnerability assessment should be enabled on SQL Managed Instance | Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 1.0.1
Vulnerability assessment should be enabled on your SQL servers | Audit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 3.0.0
Vulnerability assessment should be enabled on your Synapse workspaces | Discover, track, and remediate potential vulnerabilities by configuring recurring SQL vulnerability assessment scans on your Synapse workspaces. | AuditIfNotExists, Disabled | 1.0.0

Update Tool Capability

ID: FedRAMP High RA-5 (1) Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0
Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0

Update By Frequency / Prior To New Scan / When Identified

ID: FedRAMP High RA-5 (2) Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0
Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0

Breadth / Depth Of Coverage

ID: FedRAMP High RA-5 (3) Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0
Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0

Discoverable Information

ID: FedRAMP High RA-5 (4) Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Take action in response to customer information | CMA_C1554 - Take action in response to customer information | Manual, Disabled | 1.1.0

Privileged Access

ID: FedRAMP High RA-5 (5) Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Implement privileged access for executing vulnerability scanning activities | CMA_C1555 - Implement privileged access for executing vulnerability scanning activities | Manual, Disabled | 1.1.0

Automated Trend Analyses

ID: FedRAMP High RA-5 (6) Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Observe and report security weaknesses | CMA_0384 - Observe and report security weaknesses | Manual, Disabled | 1.1.0
Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0
Perform threat modeling | CMA_0392 - Perform threat modeling | Manual, Disabled | 1.1.0
Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0
Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0

Review Historic Audit Logs

ID: FedRAMP High RA-5 (8) Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0
Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0
Correlate audit records | CMA_0087 - Correlate audit records | Manual, Disabled | 1.1.0
Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0
Establish requirements for audit review and reporting | CMA_0277 - Establish requirements for audit review and reporting | Manual, Disabled | 1.1.0
Integrate audit review, analysis, and reporting | CMA_0339 - Integrate audit review, analysis, and reporting | Manual, Disabled | 1.1.0
Integrate cloud app security with a siem | CMA_0340 - Integrate cloud app security with a siem | Manual, Disabled | 1.1.0
Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0
Review administrator assignments weekly | CMA_0461 - Review administrator assignments weekly | Manual, Disabled | 1.1.0
Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0
Review cloud identity report overview | CMA_0468 - Review cloud identity report overview | Manual, Disabled | 1.1.0
Review controlled folder access events | CMA_0471 - Review controlled folder access events | Manual, Disabled | 1.1.0
Review exploit protection events | CMA_0472 - Review exploit protection events | Manual, Disabled | 1.1.0
Review file and folder activity | CMA_0473 - Review file and folder activity | Manual, Disabled | 1.1.0
Review role group changes weekly | CMA_0476 - Review role group changes weekly | Manual, Disabled | 1.1.0

Correlate Scanning Information

ID: FedRAMP High RA-5 (10) Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Correlate Vulnerability scan information | CMA_C1558 - Correlate Vulnerability scan information | Manual, Disabled | 1.1.1

System And Services Acquisition

System And Services Acquisition Policy And Procedures

ID: FedRAMP High SA-1 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Review and update system and services acquisition policies and procedures | CMA_C1560 - Review and update system and services acquisition policies and procedures | Manual, Disabled | 1.1.0

Allocation Of Resources

ID: FedRAMP High SA-2 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Align business objectives and IT goals | CMA_0008 - Align business objectives and IT goals | Manual, Disabled | 1.1.0
Allocate resources in determining information system requirements | CMA_C1561 - Allocate resources in determining information system requirements | Manual, Disabled | 1.1.0
Establish a discrete line item in budgeting documentation | CMA_C1563 - Establish a discrete line item in budgeting documentation | Manual, Disabled | 1.1.0
Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0
Govern the allocation of resources | CMA_0293 - Govern the allocation of resources | Manual, Disabled | 1.1.0
Secure commitment from leadership | CMA_0489 - Secure commitment from leadership | Manual, Disabled | 1.1.0

System Development Life Cycle

ID: FedRAMP High SA-3 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Define information security roles and responsibilities | CMA_C1565 - Define information security roles and responsibilities | Manual, Disabled | 1.1.0
Identify individuals with security roles and responsibilities | CMA_C1566 - Identify individuals with security roles and responsibilities | Manual, Disabled | 1.1.1
Integrate risk management process into SDLC | CMA_C1567 - Integrate risk management process into SDLC | Manual, Disabled | 1.1.0

Acquisition Process

ID: FedRAMP High SA-4 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0
Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0
Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0
Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0
Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0
Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0
Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0
Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0
Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0
Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0
Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0

Functional Properties Of Security Controls

ID: FedRAMP High SA-4 (1) Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Obtain functional properties of security controls | CMA_C1575 - Obtain functional properties of security controls | Manual, Disabled | 1.1.0

Design / Implementation Information For Security Controls

ID: FedRAMP High SA-4 (2) Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Obtain design and implementation information for the security controls | CMA_C1576 - Obtain design and implementation information for the security controls | Manual, Disabled | 1.1.1

Continuous Monitoring Plan

ID: FedRAMP High SA-4 (8) Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Obtain continuous monitoring plan for security controls | CMA_C1577 - Obtain continuous monitoring plan for security controls | Manual, Disabled | 1.1.0

Functions / Ports / Protocols / Services In Use

ID: FedRAMP High SA-4 (9) Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Require developer to identify SDLC ports, protocols, and services | CMA_C1578 - Require developer to identify SDLC ports, protocols, and services | Manual, Disabled | 1.1.0

Use Of Approved PIV Products

ID: FedRAMP High SA-4 (10) Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Employ FIPS 201-approved technology for PIV | CMA_C1579 - Employ FIPS 201-approved technology for PIV | Manual, Disabled | 1.1.0

Information System Documentation

ID: FedRAMP High SA-5 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Distribute information system documentation | CMA_C1584 - Distribute information system documentation | Manual, Disabled | 1.1.0
Document customer-defined actions | CMA_C1582 - Document customer-defined actions | Manual, Disabled | 1.1.0
Obtain Admin documentation | CMA_C1580 - Obtain Admin documentation | Manual, Disabled | 1.1.0
Obtain user security function documentation | CMA_C1581 - Obtain user security function documentation | Manual, Disabled | 1.1.0
Protect administrator and user documentation | CMA_C1583 - Protect administrator and user documentation | Manual, Disabled | 1.1.0

External Information System Services

ID: FedRAMP High SA-9 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Define and document government oversight | CMA_C1587 - Define and document government oversight | Manual, Disabled | 1.1.0
Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0
Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Manual, Disabled | 1.1.0
Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0

Risk Assessments / Organizational Approvals

ID: FedRAMP High SA-9 (1) Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Assess risk in third party relationships | CMA_0014 - Assess risk in third party relationships | Manual, Disabled | 1.1.0
Obtain approvals for acquisitions and outsourcing | CMA_C1590 - Obtain approvals for acquisitions and outsourcing | Manual, Disabled | 1.1.0

Identification Of Functions / Ports / Protocols / Services

ID: FedRAMP High SA-9 (2) Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Identify external service providers | CMA_C1591 - Identify external service providers | Manual, Disabled | 1.1.0

Consistent Interests Of Consumers And Providers

ID: FedRAMP High SA-9 (4) Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Ensure external providers consistently meet interests of the customers | CMA_C1592 - Ensure external providers consistently meet interests of the customers | Manual, Disabled | 1.1.0

Processing, Storage, And Service Location

ID: FedRAMP High SA-9 (5) Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Restrict location of information processing, storage and services | CMA_C1593 - Restrict location of information processing, storage and services | Manual, Disabled | 1.1.0

Developer Configuration Management

ID: FedRAMP High SA-10 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Address coding vulnerabilities | CMA_0003 - Address coding vulnerabilities | Manual, Disabled | 1.1.0
Develop and document application security requirements | CMA_0148 - Develop and document application security requirements | Manual, Disabled | 1.1.0
Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0
Establish a secure software development program | CMA_0259 - Establish a secure software development program | Manual, Disabled | 1.1.0
Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0
Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0
Require developers to document approved changes and potential impact | CMA_C1597 - Require developers to document approved changes and potential impact | Manual, Disabled | 1.1.0
Require developers to implement only approved changes | CMA_C1596 - Require developers to implement only approved changes | Manual, Disabled | 1.1.0
Require developers to manage change integrity | CMA_C1595 - Require developers to manage change integrity | Manual, Disabled | 1.1.0

Software / Firmware Integrity Verification

ID: FedRAMP High SA-10 (1) Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Verify software, firmware and information integrity | CMA_0542 - Verify software, firmware and information integrity | Manual, Disabled | 1.1.0

Developer Security Testing And Evaluation

ID: FedRAMP High SA-11 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0
Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0
Require developers to produce evidence of security assessment plan execution | CMA_C1602 - Require developers to produce evidence of security assessment plan execution | Manual, Disabled | 1.1.0

Supply Chain Protection

ID: FedRAMP High SA-12 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Assess risk in third party relationships | CMA_0014 - Assess risk in third party relationships | Manual, Disabled | 1.1.0
Define requirements for supplying goods and services | CMA_0126 - Define requirements for supplying goods and services | Manual, Disabled | 1.1.0
Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0
Establish policies for supply chain risk management | CMA_0275 - Establish policies for supply chain risk management | Manual, Disabled | 1.1.0

Development Process, Standards, And Tools

ID: FedRAMP High SA-15 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Review development process, standards and tools | CMA_C1610 - Review development process, standards and tools | Manual, Disabled | 1.1.0

Developer-Provided Training

ID: FedRAMP High SA-16 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Require developers to provide training | CMA_C1611 - Require developers to provide training | Manual, Disabled | 1.1.0 |

Developer Security Architecture And Design

ID: FedRAMP High SA-17 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Require developers to build security architecture | CMA_C1612 - Require developers to build security architecture | Manual, Disabled | 1.1.0 |
| Require developers to describe accurate security functionality | CMA_C1613 - Require developers to describe accurate security functionality | Manual, Disabled | 1.1.0 |
| Require developers to provide unified security protection approach | CMA_C1614 - Require developers to provide unified security protection approach | Manual, Disabled | 1.1.0 |

System And Communications Protection

System And Communications Protection Policy And Procedures

ID: FedRAMP High SC-1 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Review and update system and communications protection policies and procedures | CMA_C1616 - Review and update system and communications protection policies and procedures | Manual, Disabled | 1.1.0 |

Application Partitioning

ID: FedRAMP High SC-2 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0 |
| Separate user and information system management functionality | CMA_0493 - Separate user and information system management functionality | Manual, Disabled | 1.1.0 |
| Use dedicated machines for administrative tasks | CMA_0527 - Use dedicated machines for administrative tasks | Manual, Disabled | 1.1.0 |

Security Function Isolation

ID: FedRAMP High SC-3 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Endpoint protection solution should be installed on virtual machine scale sets | Audit the existence and health of an endpoint protection solution on your virtual machine scale sets, to protect them from threats and vulnerabilities. | AuditIfNotExists, Disabled | 3.0.0 |
| Monitor missing Endpoint Protection in Azure Security Center | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 3.0.0 |
| Windows Defender Exploit Guard should be enabled on your machines | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | AuditIfNotExists, Disabled | 2.0.0 |

Denial Of Service Protection

ID: FedRAMP High SC-5 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Azure DDoS Protection should be enabled | DDoS protection should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | AuditIfNotExists, Disabled | 3.0.1 |
| Azure Web Application Firewall should be enabled for Azure Front Door entry-points | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Audit, Deny, Disabled | 1.0.2 |
| Develop and document a DDoS response plan | CMA_0147 - Develop and document a DDoS response plan | Manual, Disabled | 1.1.0 |
| IP Forwarding on your virtual machine should be disabled | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | AuditIfNotExists, Disabled | 3.0.0 |
| Web Application Firewall (WAF) should be enabled for Application Gateway | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Audit, Deny, Disabled | 2.0.0 |

Resource Availability

ID: FedRAMP High SC-6 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Govern the allocation of resources | CMA_0293 - Govern the allocation of resources | Manual, Disabled | 1.1.0 |
| Manage availability and capacity | CMA_0356 - Manage availability and capacity | Manual, Disabled | 1.1.0 |
| Secure commitment from leadership | CMA_0489 - Secure commitment from leadership | Manual, Disabled | 1.1.0 |

Boundary Protection

ID: FedRAMP High SC-7 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| [Preview]: All Internet traffic should be routed via your deployed Azure Firewall | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall. | AuditIfNotExists, Disabled | 3.0.0-preview |
| [Preview]: Storage account public access should be disallowed | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | audit, Audit, deny, Deny, disabled, Disabled | 3.1.0-preview |
| Adaptive network hardening recommendations should be applied on internet facing virtual machines | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface. | AuditIfNotExists, Disabled | 3.0.0 |
| All network ports should be restricted on network security groups associated to your virtual machine | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | AuditIfNotExists, Disabled | 3.0.0 |
| API Management services should use a virtual network | Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway can be configured to be accessible either from the Internet or only within the virtual network. | Audit, Deny, Disabled | 1.0.2 |
| App Configuration should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. | AuditIfNotExists, Disabled | 1.0.2 |
| Authorized IP ranges should be defined on Kubernetes Services | Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. | Audit, Disabled | 2.0.1 |
| Azure AI Services resources should restrict network access | By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. | Audit, Deny, Disabled | 3.1.0 |
| Azure API for FHIR should use private link | Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/fhir-privatelink. | Audit, Disabled | 1.0.0 |
| Azure Cache for Redis should use private link | Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Cognitive Search service should use a SKU that supports private link | With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Deny, Disabled | 1.0.0 |
| Azure Cognitive Search services should disable public network access | Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Deny, Disabled | 1.0.0 |
| Azure Cognitive Search services should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Cognitive Search, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Disabled | 1.0.0 |
| Azure Cosmos DB accounts should have firewall rules | Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. | Audit, Deny, Disabled | 2.0.0 |
| Azure Data Factory should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Data Factory, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Event Grid domains should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Audit, Disabled | 1.0.2 |
| Azure Event Grid topics should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Audit, Disabled | 1.0.2 |
| Azure File Sync should use private link | Creating a private endpoint for the indicated Storage Sync Service resource allows you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. Creating a private endpoint by itself does not disable the public endpoint. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Key Vault should have firewall enabled | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. Optionally, you can configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Audit, Deny, Disabled | 3.2.1 |
| Azure Key Vaults should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink. | [parameters('audit_effect')] | 1.2.1 |
| Azure Machine Learning workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. | Audit, Disabled | 1.0.0 |
| Azure Service Bus namespaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Service Bus namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure SignalR Service should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: https://aka.ms/asrs/privatelink. | Audit, Disabled | 1.0.0 |
| Azure Synapse workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links. | Audit, Disabled | 1.0.1 |
| Azure Web Application Firewall should be enabled for Azure Front Door entry-points | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Audit, Deny, Disabled | 1.0.2 |
| Azure Web PubSub Service should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Web PubSub Service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/awps/privatelink. | Audit, Disabled | 1.0.0 |
| Cognitive Services accounts should disable public network access | To improve the security of Cognitive Services accounts, ensure that they aren't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://go.microsoft.com/fwlink/?linkid=2129800. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. | Audit, Deny, Disabled | 3.0.1 |
| Cognitive Services should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. | Audit, Disabled | 3.0.0 |
| Container registries should not allow unrestricted network access | Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet. | Audit, Deny, Disabled | 2.0.0 |
| Container registries should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. | Audit, Disabled | 1.0.1 |
| CosmosDB accounts should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints. | Audit, Disabled | 1.0.0 |
| Disk access resources should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. | AuditIfNotExists, Disabled | 1.0.0 |
| Event Hub namespaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. | AuditIfNotExists, Disabled | 1.0.0 |
| Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
| Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0 |
| IoT Hub device provisioning service instances should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: https://aka.ms/iotdpsvnet. | Audit, Disabled | 1.0.0 |
| IP Forwarding on your virtual machine should be disabled | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | AuditIfNotExists, Disabled | 3.0.0 |
| Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 3.0.0 |
| Management ports should be closed on your virtual machines | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | AuditIfNotExists, Disabled | 3.0.0 |
| Non-internet-facing virtual machines should be protected with network security groups | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0 |
| Private endpoint connections on Azure SQL Database should be enabled | Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. | Audit, Disabled | 1.1.0 |
| Private endpoint should be enabled for MariaDB servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | AuditIfNotExists, Disabled | 1.0.2 |
| Private endpoint should be enabled for MySQL servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | AuditIfNotExists, Disabled | 1.0.2 |
| Private endpoint should be enabled for PostgreSQL servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | AuditIfNotExists, Disabled | 1.0.2 |
| Public network access on Azure SQL Database should be disabled | Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. | Audit, Deny, Disabled | 1.1.0 |
| Public network access should be disabled for MariaDB servers | Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Audit, Deny, Disabled | 2.0.0 |
| Public network access should be disabled for MySQL servers | Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Audit, Deny, Disabled | 2.0.0 |
| Public network access should be disabled for PostgreSQL servers | Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Audit, Deny, Disabled | 2.0.1 |
| Storage accounts should restrict network access | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. | Audit, Deny, Disabled | 1.1.1 |
| Storage accounts should restrict network access using virtual network rules | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Audit, Deny, Disabled | 1.0.1 |
| Storage accounts should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azureprivatelinkoverview | AuditIfNotExists, Disabled | 2.0.0 |
| Subnets should be associated with a Network Security Group | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | AuditIfNotExists, Disabled | 3.0.0 |
| VM Image Builder templates should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet. | Audit, Disabled, Deny | 1.1.0 |
| Web Application Firewall (WAF) should be enabled for Application Gateway | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Audit, Deny, Disabled | 2.0.0 |

Access Points

ID: FedRAMP High SC-7 (3) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| [Preview]: All Internet traffic should be routed via your deployed Azure Firewall | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall. | AuditIfNotExists, Disabled | 3.0.0-preview |
| [Preview]: Storage account public access should be disallowed | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | audit, Audit, deny, Deny, disabled, Disabled | 3.1.0-preview |
| Adaptive network hardening recommendations should be applied on internet facing virtual machines | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface. | AuditIfNotExists, Disabled | 3.0.0 |
| All network ports should be restricted on network security groups associated to your virtual machine | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | AuditIfNotExists, Disabled | 3.0.0 |
| API Management services should use a virtual network | Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway can be configured to be accessible either from the Internet or only within the virtual network. | Audit, Deny, Disabled | 1.0.2 |
| App Configuration should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. | AuditIfNotExists, Disabled | 1.0.2 |
| Authorized IP ranges should be defined on Kubernetes Services | Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. | Audit, Disabled | 2.0.1 |
| Azure AI Services resources should restrict network access | By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. | Audit, Deny, Disabled | 3.1.0 |
| Azure API for FHIR should use private link | Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/fhir-privatelink. | Audit, Disabled | 1.0.0 |
| Azure Cache for Redis should use private link | Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Cognitive Search service should use a SKU that supports private link | With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Deny, Disabled | 1.0.0 |
| Azure Cognitive Search services should disable public network access | Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Deny, Disabled | 1.0.0 |
| Azure Cognitive Search services should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Cognitive Search, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Disabled | 1.0.0 |
Azure Cosmos DB accounts should have firewall rules Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. Audit, Deny, Disabled 2.0.0
Azure Data Factory should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Data Factory, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. AuditIfNotExists, Disabled 1.0.0
Azure Event Grid domains should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. Audit, Disabled 1.0.2
Azure Event Grid topics should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. Audit, Disabled 1.0.2
Azure File Sync should use private link Creating a private endpoint for the indicated Storage Sync Service resource allows you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. Creating a private endpoint by itself does not disable the public endpoint. AuditIfNotExists, Disabled 1.0.0
Azure Key Vault should have firewall enabled Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. Optionally, you can configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security Audit, Deny, Disabled 3.2.1
Azure Key Vaults should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink. [parameters('audit_effect')] 1.2.1
Azure Machine Learning workspaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. Audit, Disabled 1.0.0
Azure Service Bus namespaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Service Bus namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service. AuditIfNotExists, Disabled 1.0.0
Azure SignalR Service should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: https://aka.ms/asrs/privatelink. Audit, Disabled 1.0.0
Azure Synapse workspaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links. Audit, Disabled 1.0.1
Azure Web Application Firewall should be enabled for Azure Front Door entry-points Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. Audit, Deny, Disabled 1.0.2
Azure Web PubSub Service should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Web PubSub Service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/awps/privatelink. Audit, Disabled 1.0.0
Cognitive Services accounts should disable public network access To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://go.microsoft.com/fwlink/?linkid=2129800. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. Audit, Deny, Disabled 3.0.1
Cognitive Services should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. Audit, Disabled 3.0.0
Container registries should not allow unrestricted network access Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet. Audit, Deny, Disabled 2.0.0
Container registries should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. Audit, Disabled 1.0.1
CosmosDB accounts should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints. Audit, Disabled 1.0.0
Disk access resources should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. AuditIfNotExists, Disabled 1.0.0
Event Hub namespaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. AuditIfNotExists, Disabled 1.0.0
Internet-facing virtual machines should be protected with network security groups Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc AuditIfNotExists, Disabled 3.0.0
IoT Hub device provisioning service instances should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: https://aka.ms/iotdpsvnet. Audit, Disabled 1.0.0
IP Forwarding on your virtual machine should be disabled Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. AuditIfNotExists, Disabled 3.0.0
Management ports of virtual machines should be protected with just-in-time network access control Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 3.0.0
Management ports should be closed on your virtual machines Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. AuditIfNotExists, Disabled 3.0.0
Non-internet-facing virtual machines should be protected with network security groups Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc AuditIfNotExists, Disabled 3.0.0
Private endpoint connections on Azure SQL Database should be enabled Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. Audit, Disabled 1.1.0
Private endpoint should be enabled for MariaDB servers Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. AuditIfNotExists, Disabled 1.0.2
Private endpoint should be enabled for MySQL servers Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. AuditIfNotExists, Disabled 1.0.2
Private endpoint should be enabled for PostgreSQL servers Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. AuditIfNotExists, Disabled 1.0.2
Public network access on Azure SQL Database should be disabled Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. Audit, Deny, Disabled 1.1.0
Public network access should be disabled for MariaDB servers Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. Audit, Deny, Disabled 2.0.0
Public network access should be disabled for MySQL servers Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. Audit, Deny, Disabled 2.0.0
Public network access should be disabled for PostgreSQL servers Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. Audit, Deny, Disabled 2.0.1
Storage accounts should restrict network access Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges Audit, Deny, Disabled 1.1.1
Storage accounts should restrict network access using virtual network rules Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. Audit, Deny, Disabled 1.0.1
Storage accounts should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview AuditIfNotExists, Disabled 2.0.0
Subnets should be associated with a Network Security Group Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. AuditIfNotExists, Disabled 3.0.0
VM Image Builder templates should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet. Audit, Disabled, Deny 1.1.0
Web Application Firewall (WAF) should be enabled for Application Gateway Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. Audit, Deny, Disabled 2.0.0

External Telecommunications Services

ID: FedRAMP High SC-7 (4) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Implement managed interface for each external service | CMA_C1626 - Implement managed interface for each external service | Manual, Disabled | 1.1.0 |
| Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
| Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |

Prevent Split Tunneling For Remote Devices

ID: FedRAMP High SC-7 (7) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Prevent split tunneling for remote devices | CMA_C1632 - Prevent split tunneling for remote devices | Manual, Disabled | 1.1.0 |

Route Traffic To Authenticated Proxy Servers

ID: FedRAMP High SC-7 (8) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Route traffic through authenticated proxy network | CMA_C1633 - Route traffic through authenticated proxy network | Manual, Disabled | 1.1.0 |

Host-Based Protection

ID: FedRAMP High SC-7 (12) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |

Isolation Of Security Tools / Mechanisms / Support Components

ID: FedRAMP High SC-7 (13) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Isolate SecurID systems, Security Incident Management systems | CMA_C1636 - Isolate SecurID systems, Security Incident Management systems | Manual, Disabled | 1.1.0 |

Fail Secure

ID: FedRAMP High SC-7 (18) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
| Manage transfers between standby and active system components | CMA_0371 - Manage transfers between standby and active system components | Manual, Disabled | 1.1.0 |

Dynamic Isolation / Segregation

ID: FedRAMP High SC-7 (20) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Ensure system capable of dynamic isolation of resources | CMA_C1638 - Ensure system capable of dynamic isolation of resources | Manual, Disabled | 1.1.0 |

Isolation Of Information System Components

ID: FedRAMP High SC-7 (21) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Employ boundary protection to isolate information systems | CMA_C1639 - Employ boundary protection to isolate information systems | Manual, Disabled | 1.1.0 |

Transmission Confidentiality And Integrity

ID: FedRAMP High SC-8 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| App Service apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 4.0.0 |
| App Service apps should require FTPS only | Enable FTPS enforcement for enhanced security. | AuditIfNotExists, Disabled | 3.0.0 |
| App Service apps should use the latest TLS version | Newer TLS versions are released periodically to address security flaws, add functionality, and improve speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 2.0.1 |
| Azure HDInsight clusters should use encryption in transit to encrypt communication between Azure HDInsight cluster nodes | Data can be tampered with during transmission between Azure HDInsight cluster nodes. Enabling encryption in transit addresses problems of misuse and tampering during this transmission. | Audit, Deny, Disabled | 1.0.0 |
| Enforce SSL connection should be enabled for MySQL database servers | Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
| Enforce SSL connection should be enabled for PostgreSQL database servers | Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
| Function apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 5.0.0 |
| Function apps should require FTPS only | Enable FTPS enforcement for enhanced security. | AuditIfNotExists, Disabled | 3.0.0 |
| Function apps should use the latest TLS version | Newer TLS versions are released periodically to address security flaws, add functionality, and improve speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 2.0.1 |
| Kubernetes clusters should be accessible only over HTTPS | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc | audit, Audit, deny, Deny, disabled, Disabled | 8.1.0 |
| Only secure connections to your Azure Cache for Redis should be enabled | Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking. | Audit, Deny, Disabled | 1.0.0 |
| Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
| Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
| Secure transfer to storage accounts should be enabled | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking. | Audit, Deny, Disabled | 2.0.0 |
| Windows machines should be configured to use secure communication protocols | To protect the privacy of information communicated over the Internet, your machines should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by encrypting a connection between machines. | AuditIfNotExists, Disabled | 4.1.1 |

Cryptographic Or Alternate Physical Protection

ID: FedRAMP High SC-8 (1) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| App Service apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 4.0.0 |
| App Service apps should require FTPS only | Enable FTPS enforcement for enhanced security. | AuditIfNotExists, Disabled | 3.0.0 |
| App Service apps should use the latest TLS version | Newer TLS versions are released periodically to address security flaws, add functionality, and improve speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 2.0.1 |
| Azure HDInsight clusters should use encryption in transit to encrypt communication between Azure HDInsight cluster nodes | Data can be tampered with during transmission between Azure HDInsight cluster nodes. Enabling encryption in transit addresses problems of misuse and tampering during this transmission. | Audit, Deny, Disabled | 1.0.0 |
| Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
| Enforce SSL connection should be enabled for MySQL database servers | Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
| Enforce SSL connection should be enabled for PostgreSQL database servers | Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
| Function apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 5.0.0 |
| Function apps should require FTPS only | Enable FTPS enforcement for enhanced security. | AuditIfNotExists, Disabled | 3.0.0 |
| Function apps should use the latest TLS version | Newer TLS versions are released periodically to address security flaws, add functionality, and improve speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 2.0.1 |
| Kubernetes clusters should be accessible only over HTTPS | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc | audit, Audit, deny, Deny, disabled, Disabled | 8.1.0 |
| Only secure connections to your Azure Cache for Redis should be enabled | Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking. | Audit, Deny, Disabled | 1.0.0 |
| Secure transfer to storage accounts should be enabled | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking. | Audit, Deny, Disabled | 2.0.0 |
| Windows machines should be configured to use secure communication protocols | To protect the privacy of information communicated over the Internet, your machines should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by encrypting a connection between machines. | AuditIfNotExists, Disabled | 4.1.1 |

Network Disconnect

ID: FedRAMP High SC-10 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Reauthenticate or terminate a user session | CMA_0421 - Reauthenticate or terminate a user session | Manual, Disabled | 1.1.0 |

Cryptographic Key Establishment And Management

ID: FedRAMP High SC-12 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Azure Recovery Services vaults should use customer-managed keys for encrypting backup data Use customer-managed keys to manage the encryption at rest of your backup data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/AB-CmkEncryption. Audit, Deny, Disabled 1.0.0-preview
[Preview]: IoT Hub device provisioning service data should be encrypted using customer-managed keys (CMK) Use customer-managed keys to manage the encryption at rest of your IoT Hub device provisioning service. The data is automatically encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. Learn more about CMK encryption at https://aka.ms/dps/CMK. Audit, Deny, Disabled 1.0.0-preview
Azure API for FHIR should use a customer-managed key to encrypt data at rest Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys. audit, Audit, disabled, Disabled 1.1.0
Azure Automation accounts should use customer-managed keys to encrypt data at rest Use customer-managed keys to manage the encryption at rest of your Azure Automation Accounts. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/automation-cmk. Audit, Deny, Disabled 1.0.0
Azure Batch account should use customer-managed keys to encrypt data Use customer-managed keys to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/Batch-CMK. Audit, Deny, Disabled 1.0.1
Azure Container Instance container group should use customer-managed key for encryption Secure your containers with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. Audit, Disabled, Deny 1.0.0
Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/cosmosdb-cmk. audit, Audit, deny, Deny, disabled, Disabled 1.1.0
Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key. Audit, Deny, Disabled 1.0.0
Azure Data Explorer encryption at rest should use a customer-managed key Enabling encryption at rest using a customer-managed key on your Azure Data Explorer cluster provides additional control over the key being used by the encryption at rest. This feature is oftentimes applicable to customers with special compliance requirements and requires a Key Vault to manage the keys. Audit, Deny, Disabled 1.0.0
Azure data factories should be encrypted with a customer-managed key Use customer-managed keys to manage the encryption at rest of your Azure Data Factory. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/adf-cmk. Audit, Deny, Disabled 1.0.1
Azure HDInsight clusters should use customer-managed keys to encrypt data at rest Use customer-managed keys to manage the encryption at rest of your Azure HDInsight clusters. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/hdi.cmk. Audit, Deny, Disabled 1.0.1
Azure HDInsight clusters should use encryption at host to encrypt data at rest Enabling encryption at host helps protect and safeguard your data to meet your organizational security and compliance commitments. When you enable encryption at host, data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. Audit, Deny, Disabled 1.0.0
Azure Machine Learning workspaces should be encrypted with a customer-managed key Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/azureml-workspaces-cmk. Audit, Deny, Disabled 1.0.3
Azure Monitor Logs clusters should be encrypted with customer-managed key Create Azure Monitor logs cluster with customer-managed keys encryption. By default, the log data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance. A customer-managed key in Azure Monitor gives you more control over the access to your data; see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys. audit, Audit, deny, Deny, disabled, Disabled 1.1.0
Azure Stream Analytics jobs should use customer-managed keys to encrypt data Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted. audit, Audit, deny, Deny, disabled, Disabled 1.1.0
Azure Synapse workspaces should use customer-managed keys to encrypt data at rest Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys. Audit, Deny, Disabled 1.0.0
Bot Service should be encrypted with a customer-managed key Azure Bot Service automatically encrypts your resource to protect your data and meet organizational security and compliance commitments. By default, Microsoft-managed encryption keys are used. For greater flexibility in managing keys or controlling access to your subscription, select customer-managed keys, also known as bring your own key (BYOK). Learn more about Azure Bot Service encryption: https://docs.microsoft.com/azure/bot-service/bot-service-encryption. audit, Audit, deny, Deny, disabled, Disabled 1.1.0
Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards. Audit, Deny, Disabled 1.0.1
Cognitive Services accounts should enable data encryption with a customer-managed key Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed keys at https://go.microsoft.com/fwlink/?linkid=2121321. Audit, Deny, Disabled 2.1.0
Container registries should be encrypted with a customer-managed key Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/acr/CMK. Audit, Deny, Disabled 1.1.2
Define a physical key management process CMA_0115 - Define a physical key management process Manual, Disabled 1.1.0
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0
Define organizational requirements for cryptographic key management CMA_0123 - Define organizational requirements for cryptographic key management Manual, Disabled 1.1.0
Determine assertion requirements CMA_0136 - Determine assertion requirements Manual, Disabled 1.1.0
Event Hub namespaces should use a customer-managed key for encryption Azure Event Hubs supports the option of encrypting data at rest with either Microsoft-managed keys (default) or customer-managed keys. Choosing to encrypt data using customer-managed keys enables you to assign, rotate, disable, and revoke access to the keys that Event Hub will use to encrypt data in your namespace. Note that Event Hub only supports encryption with customer-managed keys for namespaces in dedicated clusters. Audit, Disabled 1.0.0
HPC Cache accounts should use customer-managed key for encryption Manage encryption at rest of Azure HPC Cache with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Audit, Disabled, Deny 2.0.0
Issue public key certificates CMA_0347 - Issue public key certificates Manual, Disabled 1.1.0
Logic Apps Integration Service Environment should be encrypted with customer-managed keys Deploy into Integration Service Environment to manage encryption at rest of Logic Apps data using customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Audit, Deny, Disabled 1.0.0
Manage symmetric cryptographic keys CMA_0367 - Manage symmetric cryptographic keys Manual, Disabled 1.1.0
Managed disks should be double encrypted with both platform-managed and customer-managed keys Highly security-sensitive customers who are concerned about the risk associated with any particular encryption algorithm, implementation, or key being compromised can opt for an additional layer of encryption using a different encryption algorithm/mode at the infrastructure layer with platform-managed encryption keys. The disk encryption sets are required to use double encryption. Learn more at https://aka.ms/disks-doubleEncryption. Audit, Deny, Disabled 1.0.0
MySQL servers should use customer-managed keys to encrypt data at rest Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. AuditIfNotExists, Disabled 1.0.4
OS and data disks should be encrypted with a customer-managed key Use customer-managed keys to manage the encryption at rest of the contents of your managed disks. By default, the data is encrypted at rest with platform-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/disks-cmk. Audit, Deny, Disabled 3.0.0
PostgreSQL servers should use customer-managed keys to encrypt data at rest Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. AuditIfNotExists, Disabled 1.0.4
Restrict access to private keys CMA_0445 - Restrict access to private keys Manual, Disabled 1.1.0
Saved-queries in Azure Monitor should be saved in customer storage account for logs encryption Link storage account to Log Analytics workspace to protect saved-queries with storage account encryption. Customer-managed keys are commonly required to meet regulatory compliance and for more control over the access to your saved-queries in Azure Monitor. For more details on the above, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys?tabs=portal#customer-managed-key-for-saved-queries. audit, Audit, deny, Deny, disabled, Disabled 1.1.0
Service Bus Premium namespaces should use a customer-managed key for encryption Azure Service Bus supports the option of encrypting data at rest with either Microsoft-managed keys (default) or customer-managed keys. Choosing to encrypt data using customer-managed keys enables you to assign, rotate, disable, and revoke access to the keys that Service Bus will use to encrypt data in your namespace. Note that Service Bus only supports encryption with customer-managed keys for premium namespaces. Audit, Disabled 1.0.0
SQL managed instances should use customer-managed keys to encrypt data at rest Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. Audit, Deny, Disabled 2.0.0
SQL servers should use customer-managed keys to encrypt data at rest Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. Audit, Deny, Disabled 2.0.1
Storage account encryption scopes should use customer-managed keys to encrypt data at rest Use customer-managed keys to manage the encryption at rest of your storage account encryption scopes. Customer-managed keys enable the data to be encrypted with an Azure key-vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about storage account encryption scopes at https://aka.ms/encryption-scopes-overview. Audit, Deny, Disabled 1.0.0
Storage accounts should use customer-managed key for encryption Secure your blob and file storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. Audit, Disabled 1.0.3

Availability

ID: FedRAMP High SC-12 (1) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Maintain availability of information CMA_C1644 - Maintain availability of information Manual, Disabled 1.1.0

Symmetric Keys

ID: FedRAMP High SC-12 (2) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Produce, control and distribute symmetric cryptographic keys CMA_C1645 - Produce, control and distribute symmetric cryptographic keys Manual, Disabled 1.1.0

Asymmetric Keys

ID: FedRAMP High SC-12 (3) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Produce, control and distribute asymmetric cryptographic keys CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys Manual, Disabled 1.1.0

Cryptographic Protection

ID: FedRAMP High SC-13 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0

Collaborative Computing Devices

ID: FedRAMP High SC-15 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Explicitly notify use of collaborative computing devices CMA_C1649 - Explicitly notify use of collaborative computing devices Manual, Disabled 1.1.1
Prohibit remote activation of collaborative computing devices CMA_C1648 - Prohibit remote activation of collaborative computing devices Manual, Disabled 1.1.0

Public Key Infrastructure Certificates

ID: FedRAMP High SC-17 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Issue public key certificates CMA_0347 - Issue public key certificates Manual, Disabled 1.1.0

Mobile Code

ID: FedRAMP High SC-18 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authorize, monitor, and control usage of mobile code technologies CMA_C1653 - Authorize, monitor, and control usage of mobile code technologies Manual, Disabled 1.1.0
Define acceptable and unacceptable mobile code technologies CMA_C1651 - Define acceptable and unacceptable mobile code technologies Manual, Disabled 1.1.0
Establish usage restrictions for mobile code technologies CMA_C1652 - Establish usage restrictions for mobile code technologies Manual, Disabled 1.1.0

Voice Over Internet Protocol

ID: FedRAMP High SC-19 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authorize, monitor, and control voip CMA_0025 - Authorize, monitor, and control voip Manual, Disabled 1.1.0
Establish voip usage restrictions CMA_0280 - Establish voip usage restrictions Manual, Disabled 1.1.0

Secure Name / Address Resolution Service (Authoritative Source)

ID: FedRAMP High SC-20 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Implement a fault tolerant name/address service CMA_0305 - Implement a fault tolerant name/address service Manual, Disabled 1.1.0
Provide secure name and address resolution services CMA_0416 - Provide secure name and address resolution services Manual, Disabled 1.1.0

Secure Name / Address Resolution Service (Recursive Or Caching Resolver)

ID: FedRAMP High SC-21 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Implement a fault tolerant name/address service CMA_0305 - Implement a fault tolerant name/address service Manual, Disabled 1.1.0
Verify software, firmware and information integrity CMA_0542 - Verify software, firmware and information integrity Manual, Disabled 1.1.0

Architecture And Provisioning For Name / Address Resolution Service

ID: FedRAMP High SC-22 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Implement a fault tolerant name/address service CMA_0305 - Implement a fault tolerant name/address service Manual, Disabled 1.1.0

Session Authenticity

ID: FedRAMP High SC-23 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Enforce random unique session identifiers CMA_0247 - Enforce random unique session identifiers Manual, Disabled 1.1.0

Invalidate Session Identifiers At Logout

ID: FedRAMP High SC-23 (1) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Invalidate session identifiers at logout CMA_C1661 - Invalidate session identifiers at logout Manual, Disabled 1.1.0

Fail In Known State

ID: FedRAMP High SC-24 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Ensure information system fails in known state CMA_C1662 - Ensure information system fails in known state Manual, Disabled 1.1.0

Protection Of Information At Rest

ID: FedRAMP High SC-28 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
App Service Environment should have internal encryption enabled Setting InternalEncryption to true encrypts the pagefile, worker disks, and internal network traffic between the front ends and workers in an App Service Environment. To learn more, refer to https://docs.microsoft.com/azure/app-service/environment/app-service-app-service-environment-custom-settings#enable-internal-encryption. Audit, Disabled 1.0.1
Automation account variables should be encrypted It is important to enable encryption of Automation account variable assets when storing sensitive data. Audit, Deny, Disabled 1.1.0
Azure Data Box jobs should enable double encryption for data at rest on the device Enable a second layer of software-based encryption for data at rest on the device. The device is already protected via Advanced Encryption Standard 256-bit encryption for data at rest. This option adds a second layer of data encryption. Audit, Deny, Disabled 1.0.0
Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption) To ensure secure data encryption is enabled at the service level and the infrastructure level with two different encryption algorithms and two different keys, use an Azure Monitor dedicated cluster. This option is enabled by default when supported at the region, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys#customer-managed-key-overview. audit, Audit, deny, Deny, disabled, Disabled 1.1.0
Azure Stack Edge devices should use double-encryption To secure the data at rest on the device, ensure it's double-encrypted, the access to data is controlled, and once the device is deactivated, the data is securely erased off the data disks. Double encryption is the use of two layers of encryption: BitLocker XTS-AES 256-bit encryption on the data volumes and built-in encryption of the hard drives. Learn more in the security overview documentation for the specific Stack Edge device. audit, Audit, deny, Deny, disabled, Disabled 1.1.0
Disk encryption should be enabled on Azure Data Explorer Enabling disk encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. Audit, Deny, Disabled 2.0.0
Double encryption should be enabled on Azure Data Explorer Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys. Audit, Deny, Disabled 2.0.0
Establish a data leakage management procedure CMA_0255 - Establish a data leakage management procedure Manual, Disabled 1.1.0
Infrastructure encryption should be enabled for Azure Database for MySQL servers Enable infrastructure encryption for Azure Database for MySQL servers to have a higher level of assurance that the data is secure. When infrastructure encryption is enabled, the data at rest is encrypted twice using FIPS 140-2 compliant Microsoft managed keys. Audit, Deny, Disabled 1.0.0
Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers Enable infrastructure encryption for Azure Database for PostgreSQL servers to have a higher level of assurance that the data is secure. When infrastructure encryption is enabled, the data at rest is encrypted twice using FIPS 140-2 compliant Microsoft managed keys. Audit, Deny, Disabled 1.0.0
Protect special information CMA_0409 - Protect special information Manual, Disabled 1.1.0
Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed. Audit, Deny, Disabled 1.1.0
Storage accounts should have infrastructure encryption Enable infrastructure encryption for a higher level of assurance that the data is secure. When infrastructure encryption is enabled, data in a storage account is encrypted twice. Audit, Deny, Disabled 1.0.0
Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host To enhance data security, the data stored on the virtual machine (VM) host of your Azure Kubernetes Service node VMs should be encrypted at rest. This is a common requirement in many regulatory and industry compliance standards. Audit, Deny, Disabled 1.0.1
Transparent Data Encryption on SQL databases should be enabled Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements. AuditIfNotExists, Disabled 2.0.0
Virtual machines and virtual machine scale sets should have encryption at host enabled Use encryption at host to get end-to-end encryption for your virtual machine and virtual machine scale set data. Encryption at host enables encryption at rest for your temporary disk and OS/data disk caches. Temporary and ephemeral OS disks are encrypted with platform-managed keys when encryption at host is enabled. OS/data disk caches are encrypted at rest with either customer-managed or platform-managed key, depending on the encryption type selected on the disk. Learn more at https://aka.ms/vm-hbe. Audit, Deny, Disabled 1.0.0
Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison AuditIfNotExists, Disabled 2.0.3

Cryptographic Protection

ID: FedRAMP High SC-28 (1) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
App Service Environment should have internal encryption enabled Setting InternalEncryption to true encrypts the pagefile, worker disks, and internal network traffic between the front ends and workers in an App Service Environment. To learn more, refer to https://docs.microsoft.com/azure/app-service/environment/app-service-app-service-environment-custom-settings#enable-internal-encryption. Audit, Disabled 1.0.1
Automation account variables should be encrypted It is important to enable encryption of Automation account variable assets when storing sensitive data. Audit, Deny, Disabled 1.1.0
Azure Data Box jobs should enable double encryption for data at rest on the device Enable a second layer of software-based encryption for data at rest on the device. The device is already protected via Advanced Encryption Standard 256-bit encryption for data at rest. This option adds a second layer of data encryption. Audit, Deny, Disabled 1.0.0
Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption) To ensure secure data encryption is enabled at the service level and the infrastructure level with two different encryption algorithms and two different keys, use an Azure Monitor dedicated cluster. This option is enabled by default when supported at the region, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys#customer-managed-key-overview. audit, Audit, deny, Deny, disabled, Disabled 1.1.0
Azure Stack Edge devices should use double-encryption To secure the data at rest on the device, ensure it's double-encrypted, the access to data is controlled, and once the device is deactivated, the data is securely erased off the data disks. Double encryption is the use of two layers of encryption: BitLocker XTS-AES 256-bit encryption on the data volumes and built-in encryption of the hard drives. Learn more in the security overview documentation for the specific Stack Edge device. audit, Audit, deny, Deny, disabled, Disabled 1.1.0
Disk encryption should be enabled on Azure Data Explorer Enabling disk encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. Audit, Deny, Disabled 2.0.0
Double encryption should be enabled on Azure Data Explorer Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys. Audit, Deny, Disabled 2.0.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Infrastructure encryption should be enabled for Azure Database for MySQL servers Enable infrastructure encryption for Azure Database for MySQL servers to have a higher level of assurance that the data is secure. When infrastructure encryption is enabled, the data at rest is encrypted twice using FIPS 140-2 compliant Microsoft managed keys. Audit, Deny, Disabled 1.0.0
Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers Enable infrastructure encryption for Azure Database for PostgreSQL servers to have a higher level of assurance that the data is secure. When infrastructure encryption is enabled, the data at rest is encrypted twice using FIPS 140-2 compliant Microsoft managed keys. Audit, Deny, Disabled 1.0.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed. Audit, Deny, Disabled 1.1.0
Storage accounts should have infrastructure encryption Enable infrastructure encryption for a higher level of assurance that the data is secure. When infrastructure encryption is enabled, data in a storage account is encrypted twice. Audit, Deny, Disabled 1.0.0
Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host To enhance data security, the data stored on the virtual machine (VM) host of your Azure Kubernetes Service nodes VMs should be encrypted at rest. This is a common requirement in many regulatory and industry compliance standards. Audit, Deny, Disabled 1.0.1
Transparent Data Encryption on SQL databases should be enabled Transparent data encryption should be enabled to protect data at rest and meet compliance requirements. AuditIfNotExists, Disabled 2.0.0
Virtual machines and virtual machine scale sets should have encryption at host enabled Use encryption at host to get end-to-end encryption for your virtual machine and virtual machine scale set data. Encryption at host enables encryption at rest for your temporary disk and OS/data disk caches. Temporary and ephemeral OS disks are encrypted with platform-managed keys when encryption at host is enabled. OS/data disk caches are encrypted at rest with either customer-managed or platform-managed key, depending on the encryption type selected on the disk. Learn more at https://aka.ms/vm-hbe. Audit, Deny, Disabled 1.0.0
Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison AuditIfNotExists, Disabled 2.0.3

Process Isolation

ID: FedRAMP High SC-39 Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Maintain separate execution domains for running processes CMA_C1665 - Maintain separate execution domains for running processes Manual, Disabled 1.1.0

System And Information Integrity

System And Information Integrity Policy And Procedures

ID: FedRAMP High SI-1 Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Review and update information integrity policies and procedures CMA_C1667 - Review and update information integrity policies and procedures Manual, Disabled 1.1.0

Flaw Remediation

ID: FedRAMP High SI-2 Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
A vulnerability assessment solution should be enabled on your virtual machines Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. AuditIfNotExists, Disabled 3.0.0
App Service apps should use latest 'HTTP Version' Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Use the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. AuditIfNotExists, Disabled 4.0.0
Azure Defender for App Service should be enabled Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. AuditIfNotExists, Disabled 1.0.3
Azure Defender for Azure SQL Database servers should be enabled Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. AuditIfNotExists, Disabled 1.0.2
Azure Defender for Key Vault should be enabled Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. AuditIfNotExists, Disabled 1.0.3
Azure Defender for Resource Manager should be enabled Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager. Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center. AuditIfNotExists, Disabled 1.0.0
Azure Defender for servers should be enabled Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. AuditIfNotExists, Disabled 1.0.3
Azure Defender for SQL servers on machines should be enabled Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. AuditIfNotExists, Disabled 1.0.2
Function apps should use latest 'HTTP Version' Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Use the latest HTTP version for function apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. AuditIfNotExists, Disabled 4.0.0
Incorporate flaw remediation into configuration management CMA_C1671 - Incorporate flaw remediation into configuration management Manual, Disabled 1.1.0
Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+ Audit, Disabled 1.0.2
Microsoft Defender for Containers should be enabled Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. AuditIfNotExists, Disabled 1.0.0
Microsoft Defender for Storage should be enabled Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. AuditIfNotExists, Disabled 1.0.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0
SQL databases should have vulnerability findings resolved Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. AuditIfNotExists, Disabled 4.1.0
System updates on virtual machine scale sets should be installed Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. AuditIfNotExists, Disabled 3.0.0
System updates should be installed on your machines Missing system security updates on your servers will be monitored by Azure Security Center as recommendations. AuditIfNotExists, Disabled 4.0.0
Vulnerabilities in security configuration on your machines should be remediated Servers that do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations. AuditIfNotExists, Disabled 3.1.0
Vulnerabilities in security configuration on your virtual machine scale sets should be remediated Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. AuditIfNotExists, Disabled 3.0.0

Automated Flaw Remediation Status

ID: FedRAMP High SI-2 (2) Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Automate flaw remediation CMA_0027 - Automate flaw remediation Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0

Time To Remediate Flaws / Benchmarks For Corrective Actions

ID: FedRAMP High SI-2 (3) Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Establish benchmarks for flaw remediation CMA_C1675 - Establish benchmarks for flaw remediation Manual, Disabled 1.1.0
Measure the time between flaw identification and flaw remediation CMA_C1674 - Measure the time between flaw identification and flaw remediation Manual, Disabled 1.1.0

Malicious Code Protection

ID: FedRAMP High SI-3 Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Azure Defender for servers should be enabled Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. AuditIfNotExists, Disabled 1.0.3
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Endpoint protection solution should be installed on virtual machine scale sets Audit the existence and health of an endpoint protection solution on your virtual machine scale sets, to protect them from threats and vulnerabilities. AuditIfNotExists, Disabled 3.0.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Monitor missing Endpoint Protection in Azure Security Center Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations. AuditIfNotExists, Disabled 3.0.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Review malware detections report weekly CMA_0475 - Review malware detections report weekly Manual, Disabled 1.1.0
Review threat protection status weekly CMA_0479 - Review threat protection status weekly Manual, Disabled 1.1.0
Update antivirus definitions CMA_0517 - Update antivirus definitions Manual, Disabled 1.1.0
Windows Defender Exploit Guard should be enabled on your machines Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). AuditIfNotExists, Disabled 2.0.0

Central Management

ID: FedRAMP High SI-3 (1) Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Azure Defender for servers should be enabled Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. AuditIfNotExists, Disabled 1.0.3
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Endpoint protection solution should be installed on virtual machine scale sets Audit the existence and health of an endpoint protection solution on your virtual machine scale sets, to protect them from threats and vulnerabilities. AuditIfNotExists, Disabled 3.0.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Monitor missing Endpoint Protection in Azure Security Center Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations. AuditIfNotExists, Disabled 3.0.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Review malware detections report weekly CMA_0475 - Review malware detections report weekly Manual, Disabled 1.1.0
Update antivirus definitions CMA_0517 - Update antivirus definitions Manual, Disabled 1.1.0
Windows Defender Exploit Guard should be enabled on your machines Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). AuditIfNotExists, Disabled 2.0.0

Automatic Updates

ID: FedRAMP High SI-3 (2) Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Review malware detections report weekly CMA_0475 - Review malware detections report weekly Manual, Disabled 1.1.0
Update antivirus definitions CMA_0517 - Update antivirus definitions Manual, Disabled 1.1.0

Nonsignature-Based Detection

ID: FedRAMP High SI-3 (7) Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Review malware detections report weekly CMA_0475 - Review malware detections report weekly Manual, Disabled 1.1.0
Update antivirus definitions CMA_0517 - Update antivirus definitions Manual, Disabled 1.1.0

Information System Monitoring

ID: FedRAMP High SI-4 Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
[Preview]: All Internet traffic should be routed via your deployed Azure Firewall Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall. AuditIfNotExists, Disabled 3.0.0-preview
[Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. AuditIfNotExists, Disabled 6.0.0-preview
[Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines This policy audits Linux Azure Arc machines if the Log Analytics extension is not installed. AuditIfNotExists, Disabled 1.0.1-preview
[Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines This policy audits Windows Azure Arc machines if the Log Analytics extension is not installed. AuditIfNotExists, Disabled 1.0.1-preview
[Preview]: Network traffic data collection agent should be installed on Linux virtual machines Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. AuditIfNotExists, Disabled 1.0.2-preview
[Preview]: Network traffic data collection agent should be installed on Windows virtual machines Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. AuditIfNotExists, Disabled 1.0.2-preview
Auto provisioning of the Log Analytics agent should be enabled on your subscription To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created. AuditIfNotExists, Disabled 1.0.1
Azure Defender for App Service should be enabled Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. AuditIfNotExists, Disabled 1.0.3
Azure Defender for Azure SQL Database servers should be enabled Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. AuditIfNotExists, Disabled 1.0.2
Azure Defender for Key Vault should be enabled Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. AuditIfNotExists, Disabled 1.0.3
Azure Defender for Resource Manager should be enabled Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager. Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center. AuditIfNotExists, Disabled 1.0.0
Azure Defender for servers should be enabled Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. AuditIfNotExists, Disabled 1.0.3
Azure Defender for SQL servers on machines should be enabled Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. AuditIfNotExists, Disabled 1.0.2
Azure Defender for SQL should be enabled for unprotected Azure SQL servers Audit SQL servers without Advanced Data Security. AuditIfNotExists, Disabled 2.0.1
Azure Defender for SQL should be enabled for unprotected SQL Managed Instances Audit each SQL Managed Instance without advanced data security. AuditIfNotExists, Disabled 1.0.2
Guest Configuration extension should be installed on your machines To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. AuditIfNotExists, Disabled 1.0.3
Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring This policy audits any Windows/Linux virtual machines (VMs) on which the Log Analytics agent, which Security Center uses to monitor for security vulnerabilities and threats, is not installed. AuditIfNotExists, Disabled 1.0.0
Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. AuditIfNotExists, Disabled 1.0.0
Microsoft Defender for Containers should be enabled Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. AuditIfNotExists, Disabled 1.0.0
Microsoft Defender for Storage should be enabled Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. AuditIfNotExists, Disabled 1.0.0
Network Watcher should be enabled Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems with an end-to-end network level view. A network watcher resource group must be created in every region where a virtual network is present. An alert is raised if a network watcher resource group is not available in a particular region. AuditIfNotExists, Disabled 3.0.0
Obtain legal opinion for monitoring system activities CMA_C1688 - Obtain legal opinion for monitoring system activities Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Provide monitoring information as needed CMA_C1689 - Provide monitoring information as needed Manual, Disabled 1.1.0
Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity The Guest Configuration extension requires a system-assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system-assigned managed identity. Learn more at https://aka.ms/gcpol. AuditIfNotExists, Disabled 1.0.1

Automated Tools For Real-Time Analysis

ID: FedRAMP High SI-4 (2) Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Document security operations CMA_0202 - Document security operations Manual, Disabled 1.1.0
Turn on sensors for endpoint security solution CMA_0514 - Turn on sensors for endpoint security solution Manual, Disabled 1.1.0

Inbound And Outbound Communications Traffic

ID: FedRAMP High SI-4 (4) Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Authorize, monitor, and control voip CMA_0025 - Authorize, monitor, and control voip Manual, Disabled 1.1.0
Implement system boundary protection CMA_0328 - Implement system boundary protection Manual, Disabled 1.1.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Route traffic through managed network access points CMA_0484 - Route traffic through managed network access points Manual, Disabled 1.1.0

System-Generated Alerts

ID: FedRAMP High SI-4 (5) Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Alert personnel of information spillage CMA_0007 - Alert personnel of information spillage Manual, Disabled 1.1.0
Develop an incident response plan CMA_0145 - Develop an incident response plan Manual, Disabled 1.1.0
Set automated notifications for new and trending cloud applications in your organization CMA_0495 - Set automated notifications for new and trending cloud applications in your organization Manual, Disabled 1.1.0

Wireless Intrusion Detection

ID: FedRAMP High SI-4 (14) Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Document wireless access security controls CMA_C1695 - Document wireless access security controls Manual, Disabled 1.1.0

Unauthorized Network Services

ID: FedRAMP High SI-4 (22) Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Detect network services that have not been authorized or approved CMA_C1700 - Detect network services that have not been authorized or approved Manual, Disabled 1.1.0

Indicators Of Compromise

ID: FedRAMP High SI-4 (24) Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Discover any indicators of compromise CMA_C1702 - Discover any indicators of compromise Manual, Disabled 1.1.0

Security Alerts, Advisories, And Directives

ID: FedRAMP High SI-5 Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Disseminate security alerts to personnel CMA_C1705 - Disseminate security alerts to personnel Manual, Disabled 1.1.0
Establish a threat intelligence program CMA_0260 - Establish a threat intelligence program Manual, Disabled 1.1.0
Generate internal security alerts CMA_C1704 - Generate internal security alerts Manual, Disabled 1.1.0
Implement security directives CMA_C1706 - Implement security directives Manual, Disabled 1.1.0

Automated Alerts And Advisories

ID: FedRAMP High SI-5 (1) Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Use automated mechanisms for security alerts CMA_C1707 - Use automated mechanisms for security alerts Manual, Disabled 1.1.0

Security Function Verification

ID: FedRAMP High SI-6 Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Create alternative actions for identified anomalies CMA_C1711 - Create alternative actions for identified anomalies Manual, Disabled 1.1.0
Notify personnel of any failed security verification tests CMA_C1710 - Notify personnel of any failed security verification tests Manual, Disabled 1.1.0
Perform security function verification at a defined frequency CMA_C1709 - Perform security function verification at a defined frequency Manual, Disabled 1.1.0
Verify security functions CMA_C1708 - Verify security functions Manual, Disabled 1.1.0

Software, Firmware, And Information Integrity

ID: FedRAMP High SI-7 Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Verify software, firmware and information integrity CMA_0542 - Verify software, firmware and information integrity Manual, Disabled 1.1.0

Integrity Checks

ID: FedRAMP High SI-7 (1) Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Verify software, firmware and information integrity CMA_0542 - Verify software, firmware and information integrity Manual, Disabled 1.1.0
View and configure system diagnostic data CMA_0544 - View and configure system diagnostic data Manual, Disabled 1.1.0

Automated Response To Integrity Violations

ID: FedRAMP High SI-7 (5) Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Employ automatic shutdown/restart when violations are detected CMA_C1715 - Employ automatic shutdown/restart when violations are detected Manual, Disabled 1.1.0

Binary Or Machine Executable Code

ID: FedRAMP High SI-7 (14) Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Prohibit binary/machine-executable code CMA_C1717 - Prohibit binary/machine-executable code Manual, Disabled 1.1.0

Information Input Validation

ID: FedRAMP High SI-10 Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Perform information input validation CMA_C1723 - Perform information input validation Manual, Disabled 1.1.0

Error Handling

ID: FedRAMP High SI-11 Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Generate error messages CMA_C1724 - Generate error messages Manual, Disabled 1.1.0
Reveal error messages CMA_C1725 - Reveal error messages Manual, Disabled 1.1.0

Information Handling And Retention

ID: FedRAMP High SI-12 Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Control physical access CMA_0081 - Control physical access Manual, Disabled 1.1.0
Manage the input, output, processing, and storage of data CMA_0369 - Manage the input, output, processing, and storage of data Manual, Disabled 1.1.0
Review label activity and analytics CMA_0474 - Review label activity and analytics Manual, Disabled 1.1.0

Memory Protection

ID: FedRAMP High SI-16 Ownership: Shared

Name (Azure portal) Description Effect(s) Version (GitHub)
Azure Defender for servers should be enabled Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. AuditIfNotExists, Disabled 1.0.3
Windows Defender Exploit Guard should be enabled on your machines Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). AuditIfNotExists, Disabled 2.0.0

Next steps

Additional articles about Azure Policy: