Details of the HIPAA HITRUST 9.2 Regulatory Compliance built-in initiative
The following article details how the Azure Policy Regulatory Compliance built-in initiative definition maps to compliance domains and controls in HIPAA HITRUST 9.2. For more information about this compliance standard, see HIPAA HITRUST 9.2. To understand Ownership, review the policy type and Shared responsibility in the cloud.
The following mappings are to the HIPAA HITRUST 9.2 controls. Many of the controls are implemented with an Azure Policy initiative definition. To review the complete initiative definition, open Policy in the Azure portal and select the Definitions page. Then, find and select the HITRUST/HIPAA Regulatory Compliance built-in initiative definition.
Important
Each control below is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, there often is not a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policy definitions themselves; this doesn't ensure you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between compliance domains, controls, and Azure Policy definitions for this compliance standard may change over time. To view the change history, see the GitHub Commit History.
Privilege Management
The organization facilitates information sharing by enabling authorized users to determine a business partner's access when discretion is allowed as defined by the organization and by employing manual processes or automated mechanisms to assist users in making information sharing/collaboration decisions.
ID: 1149.01c2System.9 - 01.c Ownership: Customer
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Role-Based Access Control (RBAC) should be used on Kubernetes Services | To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. | Audit, Disabled | 1.0.4 |
Contractors are provided with minimal system and physical access only after the organization assesses the contractor's ability to comply with its security requirements and the contractor agrees to comply.
ID: 1154.01c3System.4 - 01.c Ownership: Customer
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
A maximum of 3 owners should be designated for your subscription | It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. | AuditIfNotExists, Disabled | 3.0.0 |
User Authentication for External Connections
Remote access by vendors and business partners (e.g., for remote maintenance) is disabled/deactivated when not in use.
ID: 1117.01j1Organizational.23 - 01.j Ownership: Customer
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Accounts with write permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
If encryption is not used for dial-up connections, the CIO or his/her designated representative provides specific written authorization.
ID: 1173.01j1Organizational.6 - 01.j Ownership: Customer
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Accounts with write permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
The organization protects wireless access to systems containing sensitive information by authenticating both users and devices.
ID: 1174.01j1Organizational.7 - 01.j Ownership: Customer
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Accounts with read permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
The organization requires a callback capability with re-authentication to verify dial-up connections from authorized locations.
ID: 1176.01j2Organizational.5 - 01.j Ownership: Customer
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Accounts with owner permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
User IDs assigned to vendors are reviewed in accordance with the organization's access review policy, at a minimum annually.
ID: 1177.01j2Organizational.6 - 01.j Ownership: Customer
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Accounts with write permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
User Identification and Authentication
Non-organizational users (all information system users other than organizational users, such as patients, customers, contractors, or foreign nationals), or processes acting on behalf of non-organizational users, determined to need access to information residing on the organization's information systems, are uniquely identified and authenticated.
ID: 11110.01q1Organizational.6 - 01.q Ownership: Customer
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Accounts with write permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
The organization requires that electronic signatures, unique to one individual, cannot be reused by, or reassigned to, anyone else.
ID: 11208.01q1Organizational.8 - 01.q Ownership: Customer
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
There should be more than one owner assigned to your subscription | It is recommended to designate more than one subscription owner in order to have administrator access redundancy. | AuditIfNotExists, Disabled | 3.0.0 |
Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records.
ID: 11210.01q2Organizational.10 - 01.q Ownership: Customer
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Audit Windows machines that have the specified members in the Administrators group | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter. | auditIfNotExists | 2.0.0 |
Signed electronic records shall contain information associated with the signing in human-readable format.
ID: 11211.01q2Organizational.11 - 01.q Ownership: Customer
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Audit Windows machines missing any of specified members in the Administrators group | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group does not contain one or more members that are listed in the policy parameter. | auditIfNotExists | 2.0.0 |
01 Information Protection Program
0101.00a1Organizational.123-00.a 0.01 Information Security Management Program
ID: 0101.00a1Organizational.123-00.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Develop a concept of operations (CONOPS) | CMA_0141 - Develop a concept of operations (CONOPS) | Manual, Disabled | 1.1.0 |
Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
Protect the information security program plan | CMA_C1732 - Protect the information security program plan | Manual, Disabled | 1.1.0 |
Review and update the information security architecture | CMA_C1504 - Review and update the information security architecture | Manual, Disabled | 1.1.0 |
Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
0102.00a2Organizational.123-00.a 0.01 Information Security Management Program
ID: 0102.00a2Organizational.123-00.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
Review and update the information security architecture | CMA_C1504 - Review and update the information security architecture | Manual, Disabled | 1.1.0 |
Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
0103.00a3Organizational.1234567-00.a 0.01 Information Security Management Program
ID: 0103.00a3Organizational.1234567-00.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
0104.02a1Organizational.12-02.a 02.01 Prior to Employment
ID: 0104.02a1Organizational.12-02.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define information security roles and responsibilities | CMA_C1565 - Define information security roles and responsibilities | Manual, Disabled | 1.1.0 |
Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
Develop organization code of conduct policy | CMA_0159 - Develop organization code of conduct policy | Manual, Disabled | 1.1.0 |
Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Identify individuals with security roles and responsibilities | CMA_C1566 - Identify individuals with security roles and responsibilities | Manual, Disabled | 1.1.1 |
Prohibit unfair practices | CMA_0396 - Prohibit unfair practices | Manual, Disabled | 1.1.0 |
Provide periodic role-based security training | CMA_C1095 - Provide periodic role-based security training | Manual, Disabled | 1.1.0 |
Provide role-based security training | CMA_C1094 - Provide role-based security training | Manual, Disabled | 1.1.0 |
Provide security training before providing access | CMA_0418 - Provide security training before providing access | Manual, Disabled | 1.1.0 |
Review and sign revised rules of behavior | CMA_0465 - Review and sign revised rules of behavior | Manual, Disabled | 1.1.0 |
Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
Update rules of behavior and access agreements | CMA_0521 - Update rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Update rules of behavior and access agreements every 3 years | CMA_0522 - Update rules of behavior and access agreements every 3 years | Manual, Disabled | 1.1.0 |
0105.02a2Organizational.1-02.a 02.01 Prior to Employment
ID: 0105.02a2Organizational.1-02.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Assign risk designations | CMA_0016 - Assign risk designations | Manual, Disabled | 1.1.0 |
Clear personnel with access to classified information | CMA_0054 - Clear personnel with access to classified information | Manual, Disabled | 1.1.0 |
Implement personnel screening | CMA_0322 - Implement personnel screening | Manual, Disabled | 1.1.0 |
Monitor third-party provider compliance | CMA_C1533 - Monitor third-party provider compliance | Manual, Disabled | 1.1.0 |
Protect special information | CMA_0409 - Protect special information | Manual, Disabled | 1.1.0 |
Rescreen individuals at a defined frequency | CMA_C1512 - Rescreen individuals at a defined frequency | Manual, Disabled | 1.1.0 |
0106.02a2Organizational.23-02.a 02.01 Prior to Employment
ID: 0106.02a2Organizational.23-02.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Clear personnel with access to classified information | CMA_0054 - Clear personnel with access to classified information | Manual, Disabled | 1.1.0 |
Implement personnel screening | CMA_0322 - Implement personnel screening | Manual, Disabled | 1.1.0 |
Protect special information | CMA_0409 - Protect special information | Manual, Disabled | 1.1.0 |
Rescreen individuals at a defined frequency | CMA_C1512 - Rescreen individuals at a defined frequency | Manual, Disabled | 1.1.0 |
0107.02d1Organizational.1-02.d 02.03 During Employment
ID: 0107.02d1Organizational.1-02.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Establish information security workforce development and improvement program | CMA_C1752 - Establish information security workforce development and improvement program | Manual, Disabled | 1.1.0 |
0108.02d1Organizational.23-02.d 02.03 During Employment
ID: 0108.02d1Organizational.23-02.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
Implement security testing, training, and monitoring plans | CMA_C1753 - Implement security testing, training, and monitoring plans | Manual, Disabled | 1.1.0 |
Monitor security and privacy training completion | CMA_0379 - Monitor security and privacy training completion | Manual, Disabled | 1.1.0 |
Provide periodic role-based security training | CMA_C1095 - Provide periodic role-based security training | Manual, Disabled | 1.1.0 |
Provide security training before providing access | CMA_0418 - Provide security training before providing access | Manual, Disabled | 1.1.0 |
Require developers to provide training | CMA_C1611 - Require developers to provide training | Manual, Disabled | 1.1.0 |
Retain training records | CMA_0456 - Retain training records | Manual, Disabled | 1.1.0 |
Review security testing, training, and monitoring plans | CMA_C1754 - Review security testing, training, and monitoring plans | Manual, Disabled | 1.1.0 |
0109.02d1Organizational.4-02.d 02.03 During Employment
ID: 0109.02d1Organizational.4-02.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
Develop organization code of conduct policy | CMA_0159 - Develop organization code of conduct policy | Manual, Disabled | 1.1.0 |
Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Implement formal sanctions process | CMA_0317 - Implement formal sanctions process | Manual, Disabled | 1.1.0 |
Notify personnel upon sanctions | CMA_0380 - Notify personnel upon sanctions | Manual, Disabled | 1.1.0 |
Prohibit unfair practices | CMA_0396 - Prohibit unfair practices | Manual, Disabled | 1.1.0 |
Provide periodic role-based security training | CMA_C1095 - Provide periodic role-based security training | Manual, Disabled | 1.1.0 |
Provide periodic security awareness training | CMA_C1091 - Provide periodic security awareness training | Manual, Disabled | 1.1.0 |
Provide role-based practical exercises | CMA_C1096 - Provide role-based practical exercises | Manual, Disabled | 1.1.0 |
Provide role-based security training | CMA_C1094 - Provide role-based security training | Manual, Disabled | 1.1.0 |
Provide role-based training on suspicious activities | CMA_C1097 - Provide role-based training on suspicious activities | Manual, Disabled | 1.1.0 |
Provide security awareness training for insider threats | CMA_0417 - Provide security awareness training for insider threats | Manual, Disabled | 1.1.0 |
Provide security training before providing access | CMA_0418 - Provide security training before providing access | Manual, Disabled | 1.1.0 |
Provide security training for new users | CMA_0419 - Provide security training for new users | Manual, Disabled | 1.1.0 |
Provide updated security awareness training | CMA_C1090 - Provide updated security awareness training | Manual, Disabled | 1.1.0 |
Review and sign revised rules of behavior | CMA_0465 - Review and sign revised rules of behavior | Manual, Disabled | 1.1.0 |
Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
Update rules of behavior and access agreements | CMA_0521 - Update rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Update rules of behavior and access agreements every 3 years | CMA_0522 - Update rules of behavior and access agreements every 3 years | Manual, Disabled | 1.1.0 |
0110.02d2Organizational.1-02.d 02.03 During Employment
ID: 0110.02d2Organizational.1-02.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Appoint a senior information security officer | CMA_C1733 - Appoint a senior information security officer | Manual, Disabled | 1.1.0 |
Establish information security workforce development and improvement program | CMA_C1752 - Establish information security workforce development and improvement program | Manual, Disabled | 1.1.0 |
0111.02d2Organizational.2-02.d 02.03 During Employment
ID: 0111.02d2Organizational.2-02.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Document third-party personnel security requirements | CMA_C1531 - Document third-party personnel security requirements | Manual, Disabled | 1.1.0 |
Establish third-party personnel security requirements | CMA_C1529 - Establish third-party personnel security requirements | Manual, Disabled | 1.1.0 |
Monitor third-party provider compliance | CMA_C1533 - Monitor third-party provider compliance | Manual, Disabled | 1.1.0 |
Provide periodic security awareness training | CMA_C1091 - Provide periodic security awareness training | Manual, Disabled | 1.1.0 |
Provide security awareness training for insider threats | CMA_0417 - Provide security awareness training for insider threats | Manual, Disabled | 1.1.0 |
Provide security training for new users | CMA_0419 - Provide security training for new users | Manual, Disabled | 1.1.0 |
Provide updated security awareness training | CMA_C1090 - Provide updated security awareness training | Manual, Disabled | 1.1.0 |
Require notification of third-party personnel transfer or termination | CMA_C1532 - Require notification of third-party personnel transfer or termination | Manual, Disabled | 1.1.0 |
Require third-party providers to comply with personnel security policies and procedures | CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures | Manual, Disabled | 1.1.0 |
01110.05a1Organizational.5-05.a 05.01 Internal Organization
ID: 01110.05a1Organizational.5-05.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Appoint a senior information security officer | CMA_C1733 - Appoint a senior information security officer | Manual, Disabled | 1.1.0 |
Document third-party personnel security requirements | CMA_C1531 - Document third-party personnel security requirements | Manual, Disabled | 1.1.0 |
Establish third-party personnel security requirements | CMA_C1529 - Establish third-party personnel security requirements | Manual, Disabled | 1.1.0 |
Require third-party providers to comply with personnel security policies and procedures | CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures | Manual, Disabled | 1.1.0 |
01111.05a2Organizational.5-05.a 05.01 Internal Organization
ID: 01111.05a2Organizational.5-05.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Appoint a senior information security officer | CMA_C1733 - Appoint a senior information security officer | Manual, Disabled | 1.1.0 |
0112.02d2Organizational.3-02.d 02.03 During Employment
ID: 0112.02d2Organizational.3-02.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
Enforce appropriate usage of all accounts | CMA_C1023 - Enforce appropriate usage of all accounts | Manual, Disabled | 1.1.0 |
Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Establish usage restrictions for mobile code technologies | CMA_C1652 - Establish usage restrictions for mobile code technologies | Manual, Disabled | 1.1.0 |
Monitor account activity | CMA_0377 - Monitor account activity | Manual, Disabled | 1.1.0 |
Require compliance with intellectual property rights | CMA_0432 - Require compliance with intellectual property rights | Manual, Disabled | 1.1.0 |
Track software license usage | CMA_C1235 - Track software license usage | Manual, Disabled | 1.1.0 |
0113.04a1Organizational.123-04.a 04.01 Information Security Policy
ID: 0113.04a1Organizational.123-04.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
Protect the information security program plan | CMA_C1732 - Protect the information security program plan | Manual, Disabled | 1.1.0 |
Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
0114.04b1Organizational.1-04.b 04.01 Information Security Policy
ID: 0114.04b1Organizational.1-04.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Develop audit and accountability policies and procedures | CMA_0154 - Develop audit and accountability policies and procedures | Manual, Disabled | 1.1.0 |
Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Manual, Disabled | 1.1.0 |
Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
Govern policies and procedures | CMA_0292 - Govern policies and procedures | Manual, Disabled | 1.1.0 |
Review access control policies and procedures | CMA_0457 - Review access control policies and procedures | Manual, Disabled | 1.1.0 |
Review and update system and services acquisition policies and procedures | CMA_C1560 - Review and update system and services acquisition policies and procedures | Manual, Disabled | 1.1.0 |
Review and update system maintenance policies and procedures | CMA_C1395 - Review and update system maintenance policies and procedures | Manual, Disabled | 1.1.0 |
Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
0115.04b2Organizational.123-04.b 04.01 Information Security Policy
ID: 0115.04b2Organizational.123-04.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Develop audit and accountability policies and procedures | CMA_0154 - Develop audit and accountability policies and procedures | Manual, Disabled | 1.1.0 |
Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Manual, Disabled | 1.1.0 |
Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
Govern policies and procedures | CMA_0292 - Govern policies and procedures | Manual, Disabled | 1.1.0 |
Review access control policies and procedures | CMA_0457 - Review access control policies and procedures | Manual, Disabled | 1.1.0 |
Review and update configuration management policies and procedures | CMA_C1175 - Review and update configuration management policies and procedures | Manual, Disabled | 1.1.0 |
Review and update contingency planning policies and procedures | CMA_C1243 - Review and update contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
Review and update identification and authentication policies and procedures | CMA_C1299 - Review and update identification and authentication policies and procedures | Manual, Disabled | 1.1.0 |
Review and update incident response policies and procedures | CMA_C1352 - Review and update incident response policies and procedures | Manual, Disabled | 1.1.0 |
Review and update information integrity policies and procedures | CMA_C1667 - Review and update information integrity policies and procedures | Manual, Disabled | 1.1.0 |
Review and update media protection policies and procedures | CMA_C1427 - Review and update media protection policies and procedures | Manual, Disabled | 1.1.0 |
Review and update personnel security policies and procedures | CMA_C1507 - Review and update personnel security policies and procedures | Manual, Disabled | 1.1.0 |
Review and update physical and environmental policies and procedures | CMA_C1446 - Review and update physical and environmental policies and procedures | Manual, Disabled | 1.1.0 |
Review and update planning policies and procedures | CMA_C1491 - Review and update planning policies and procedures | Manual, Disabled | 1.1.0 |
Review and update risk assessment policies and procedures | CMA_C1537 - Review and update risk assessment policies and procedures | Manual, Disabled | 1.1.0 |
Review and update system and communications protection policies and procedures | CMA_C1616 - Review and update system and communications protection policies and procedures | Manual, Disabled | 1.1.0 |
Review and update system and services acquisition policies and procedures | CMA_C1560 - Review and update system and services acquisition policies and procedures | Manual, Disabled | 1.1.0 |
Review and update system maintenance policies and procedures | CMA_C1395 - Review and update system maintenance policies and procedures | Manual, Disabled | 1.1.0 |
Review security assessment and authorization policies and procedures | CMA_C1143 - Review security assessment and authorization policies and procedures | Manual, Disabled | 1.1.0 |
Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
0116.04b3Organizational.1-04.b 04.01 Information Security Policy
ID: 0116.04b3Organizational.1-04.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Review and update configuration management policies and procedures | CMA_C1175 - Review and update configuration management policies and procedures | Manual, Disabled | 1.1.0 |
Review and update information integrity policies and procedures | CMA_C1667 - Review and update information integrity policies and procedures | Manual, Disabled | 1.1.0 |
Review and update planning policies and procedures | CMA_C1491 - Review and update planning policies and procedures | Manual, Disabled | 1.1.0 |
Review and update system maintenance policies and procedures | CMA_C1395 - Review and update system maintenance policies and procedures | Manual, Disabled | 1.1.0 |
0117.05a1Organizational.1-05.a 05.01 Internal Organization
ID: 0117.05a1Organizational.1-05.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Appoint a senior information security officer | CMA_C1733 - Appoint a senior information security officer | Manual, Disabled | 1.1.0 |
0118.05a1Organizational.2-05.a 05.01 Internal Organization
ID: 0118.05a1Organizational.2-05.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Appoint a senior information security officer | CMA_C1733 - Appoint a senior information security officer | Manual, Disabled | 1.1.0 |
Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
Establish information security workforce development and improvement program | CMA_C1752 - Establish information security workforce development and improvement program | Manual, Disabled | 1.1.0 |
Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
0119.05a1Organizational.3-05.a 05.01 Internal Organization
ID: 0119.05a1Organizational.3-05.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Manual, Disabled | 1.1.0 |
Develop SSP that meets criteria | CMA_C1492 - Develop SSP that meets criteria | Manual, Disabled | 1.1.0 |
Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
0120.05a1Organizational.4-05.a 05.01 Internal Organization
ID: 0120.05a1Organizational.4-05.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Align business objectives and IT goals | CMA_0008 - Align business objectives and IT goals | Manual, Disabled | 1.1.0 |
Allocate resources in determining information system requirements | CMA_C1561 - Allocate resources in determining information system requirements | Manual, Disabled | 1.1.0 |
Employ business case to record the resources required | CMA_C1735 - Employ business case to record the resources required | Manual, Disabled | 1.1.0 |
Ensure capital planning and investment requests include necessary resources | CMA_C1734 - Ensure capital planning and investment requests include necessary resources | Manual, Disabled | 1.1.0 |
Establish a discrete line item in budgeting documentation | CMA_C1563 - Establish a discrete line item in budgeting documentation | Manual, Disabled | 1.1.0 |
Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
Govern the allocation of resources | CMA_0293 - Govern the allocation of resources | Manual, Disabled | 1.1.0 |
Secure commitment from leadership | CMA_0489 - Secure commitment from leadership | Manual, Disabled | 1.1.0 |
0121.05a2Organizational.12-05.a 05.01 Internal Organization
ID: 0121.05a2Organizational.12-05.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Conduct Risk Assessment | CMA_C1543 - Conduct Risk Assessment | Manual, Disabled | 1.1.0 |
Conduct risk assessment and distribute its results | CMA_C1544 - Conduct risk assessment and distribute its results | Manual, Disabled | 1.1.0 |
Conduct risk assessment and document its results | CMA_C1542 - Conduct risk assessment and document its results | Manual, Disabled | 1.1.0 |
Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
Implement the risk management strategy | CMA_C1744 - Implement the risk management strategy | Manual, Disabled | 1.1.0 |
Review and update risk assessment policies and procedures | CMA_C1537 - Review and update risk assessment policies and procedures | Manual, Disabled | 1.1.0 |
0122.05a2Organizational.3-05.a 05.01 Internal Organization
ID: 0122.05a2Organizational.3-05.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define information security roles and responsibilities | CMA_C1565 - Define information security roles and responsibilities | Manual, Disabled | 1.1.0 |
Identify individuals with security roles and responsibilities | CMA_C1566 - Identify individuals with security roles and responsibilities | Manual, Disabled | 1.1.1 |
Provide periodic role-based security training | CMA_C1095 - Provide periodic role-based security training | Manual, Disabled | 1.1.0 |
Provide role-based security training | CMA_C1094 - Provide role-based security training | Manual, Disabled | 1.1.0 |
Provide security training before providing access | CMA_0418 - Provide security training before providing access | Manual, Disabled | 1.1.0 |
Provide security training for new users | CMA_0419 - Provide security training for new users | Manual, Disabled | 1.1.0 |
0123.05a2Organizational.4-05.a 05.01 Internal Organization
ID: 0123.05a2Organizational.4-05.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
Manage contacts for authorities and special interest groups | CMA_0359 - Manage contacts for authorities and special interest groups | Manual, Disabled | 1.1.0 |
0124.05a3Organizational.1-05.a 05.01 Internal Organization
ID: 0124.05a3Organizational.1-05.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Appoint a senior information security officer | CMA_C1733 - Appoint a senior information security officer | Manual, Disabled | 1.1.0 |
Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
0125.05a3Organizational.2-05.a 05.01 Internal Organization
ID: 0125.05a3Organizational.2-05.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Accept assessment results | CMA_C1150 - Accept assessment results | Manual, Disabled | 1.1.0 |
Assess Security Controls | CMA_C1145 - Assess Security Controls | Manual, Disabled | 1.1.0 |
Conduct Risk Assessment | CMA_C1543 - Conduct Risk Assessment | Manual, Disabled | 1.1.0 |
Conduct risk assessment and distribute its results | CMA_C1544 - Conduct risk assessment and distribute its results | Manual, Disabled | 1.1.0 |
Conduct risk assessment and document its results | CMA_C1542 - Conduct risk assessment and document its results | Manual, Disabled | 1.1.0 |
Develop security assessment plan | CMA_C1144 - Develop security assessment plan | Manual, Disabled | 1.1.0 |
Employ independent assessors to conduct security control assessments | CMA_C1148 - Employ independent assessors to conduct security control assessments | Manual, Disabled | 1.1.0 |
Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
0135.02f1Organizational.56-02.f 02.03 During Employment
ID: 0135.02f1Organizational.56-02.f Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Establish information security workforce development and improvement program | CMA_C1752 - Establish information security workforce development and improvement program | Manual, Disabled | 1.1.0 |
Implement formal sanctions process | CMA_0317 - Implement formal sanctions process | Manual, Disabled | 1.1.0 |
Notify personnel upon sanctions | CMA_0380 - Notify personnel upon sanctions | Manual, Disabled | 1.1.0 |
Require third-party providers to comply with personnel security policies and procedures | CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures | Manual, Disabled | 1.1.0 |
0137.02a1Organizational.3-02.a 02.01 Prior to Employment
ID: 0137.02a1Organizational.3-02.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Review and update personnel security policies and procedures | CMA_C1507 - Review and update personnel security policies and procedures | Manual, Disabled | 1.1.0 |
0162.04b1Organizational.2-04.b 04.01 Information Security Policy
ID: 0162.04b1Organizational.2-04.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
Review and update information integrity policies and procedures | CMA_C1667 - Review and update information integrity policies and procedures | Manual, Disabled | 1.1.0 |
0165.05a3Organizational.3-05.a 05.01 Internal Organization
ID: 0165.05a3Organizational.3-05.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Review and update planning policies and procedures | CMA_C1491 - Review and update planning policies and procedures | Manual, Disabled | 1.1.0 |
0177.05h1Organizational.12-05.h 05.01 Internal Organization
ID: 0177.05h1Organizational.12-05.h Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Accept assessment results | CMA_C1150 - Accept assessment results | Manual, Disabled | 1.1.0 |
Assess Security Controls | CMA_C1145 - Assess Security Controls | Manual, Disabled | 1.1.0 |
Develop security assessment plan | CMA_C1144 - Develop security assessment plan | Manual, Disabled | 1.1.0 |
Employ independent assessors to conduct security control assessments | CMA_C1148 - Employ independent assessors to conduct security control assessments | Manual, Disabled | 1.1.0 |
Select additional testing for security control assessments | CMA_C1149 - Select additional testing for security control assessments | Manual, Disabled | 1.1.0 |
0178.05h1Organizational.3-05.h 05.01 Internal Organization
ID: 0178.05h1Organizational.3-05.h Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Assess Security Controls | CMA_C1145 - Assess Security Controls | Manual, Disabled | 1.1.0 |
Deliver security assessment results | CMA_C1147 - Deliver security assessment results | Manual, Disabled | 1.1.0 |
Produce Security Assessment report | CMA_C1146 - Produce Security Assessment report | Manual, Disabled | 1.1.0 |
0179.05h1Organizational.4-05.h 05.01 Internal Organization
ID: 0179.05h1Organizational.4-05.h Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Develop POA&M | CMA_C1156 - Develop POA&M | Manual, Disabled | 1.1.0 |
Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
Implement plans of action and milestones for security program process | CMA_C1737 - Implement plans of action and milestones for security program process | Manual, Disabled | 1.1.0 |
0180.05h2Organizational.1-05.h 05.01 Internal Organization
ID: 0180.05h2Organizational.1-05.h Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Assess Security Controls | CMA_C1145 - Assess Security Controls | Manual, Disabled | 1.1.0 |
02 Endpoint Protection
0201.09j1Organizational.124-09.j 09.04 Protection Against Malicious and Mobile Code
ID: 0201.09j1Organizational.124-09.j Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
Deploy default Microsoft IaaSAntimalware extension for Windows Server | This policy deploys a Microsoft IaaSAntimalware extension with a default configuration when a VM is not configured with the antimalware extension. | deployIfNotExists | 1.1.0 |
Detect network services that have not been authorized or approved | CMA_C1700 - Detect network services that have not been authorized or approved | Manual, Disabled | 1.1.0 |
Document wireless access security controls | CMA_C1695 - Document wireless access security controls | Manual, Disabled | 1.1.0 |
Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
Microsoft Antimalware for Azure should be configured to automatically update protection signatures | This policy audits any Windows virtual machine not configured with automatic update of Microsoft Antimalware protection signatures. | AuditIfNotExists, Disabled | 1.0.0 |
Observe and report security weaknesses | CMA_0384 - Observe and report security weaknesses | Manual, Disabled | 1.1.0 |
Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
Perform threat modeling | CMA_0392 - Perform threat modeling | Manual, Disabled | 1.1.0 |
Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
0202.09j1Organizational.3-09.j 09.04 Protection Against Malicious and Mobile Code
ID: 0202.09j1Organizational.3-09.j Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Adjust level of audit review, analysis, and reporting | CMA_C1123 - Adjust level of audit review, analysis, and reporting | Manual, Disabled | 1.1.0 |
Correlate audit records | CMA_0087 - Correlate audit records | Manual, Disabled | 1.1.0 |
Establish requirements for audit review and reporting | CMA_0277 - Establish requirements for audit review and reporting | Manual, Disabled | 1.1.0 |
Govern and monitor audit processing activities | CMA_0289 - Govern and monitor audit processing activities | Manual, Disabled | 1.1.0 |
Integrate Audit record analysis | CMA_C1120 - Integrate Audit record analysis | Manual, Disabled | 1.1.0 |
Integrate audit review, analysis, and reporting | CMA_0339 - Integrate audit review, analysis, and reporting | Manual, Disabled | 1.1.0 |
Integrate cloud app security with a siem | CMA_0340 - Integrate cloud app security with a siem | Manual, Disabled | 1.1.0 |
Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
Review administrator assignments weekly | CMA_0461 - Review administrator assignments weekly | Manual, Disabled | 1.1.0 |
Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
Review cloud identity report overview | CMA_0468 - Review cloud identity report overview | Manual, Disabled | 1.1.0 |
Review controlled folder access events | CMA_0471 - Review controlled folder access events | Manual, Disabled | 1.1.0 |
Review file and folder activity | CMA_0473 - Review file and folder activity | Manual, Disabled | 1.1.0 |
Review role group changes weekly | CMA_0476 - Review role group changes weekly | Manual, Disabled | 1.1.0 |
Specify permitted actions associated with customer audit information | CMA_C1122 - Specify permitted actions associated with customer audit information | Manual, Disabled | 1.1.0 |
0204.09j2Organizational.1-09.j 09.04 Protection Against Malicious and Mobile Code
ID: 0204.09j2Organizational.1-09.j Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
Create alternative actions for identified anomalies | CMA_C1711 - Create alternative actions for identified anomalies | Manual, Disabled | 1.1.0 |
Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
Notify personnel of any failed security verification tests | CMA_C1710 - Notify personnel of any failed security verification tests | Manual, Disabled | 1.1.0 |
Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
Perform security function verification at a defined frequency | CMA_C1709 - Perform security function verification at a defined frequency | Manual, Disabled | 1.1.0 |
Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
Verify security functions | CMA_C1708 - Verify security functions | Manual, Disabled | 1.1.0 |
0205.09j2Organizational.2-09.j 09.04 Protection Against Malicious and Mobile Code
ID: 0205.09j2Organizational.2-09.j Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Alert personnel of information spillage | CMA_0007 - Alert personnel of information spillage | Manual, Disabled | 1.1.0 |
Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
Set automated notifications for new and trending cloud applications in your organization | CMA_0495 - Set automated notifications for new and trending cloud applications in your organization | Manual, Disabled | 1.1.0 |
Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
0206.09j2Organizational.34-09.j 09.04 Protection Against Malicious and Mobile Code
ID: 0206.09j2Organizational.34-09.j Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
0207.09j2Organizational.56-09.j 09.04 Protection Against Malicious and Mobile Code
ID: 0207.09j2Organizational.56-09.j Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
0208.09j2Organizational.7-09.j 09.04 Protection Against Malicious and Mobile Code
ID: 0208.09j2Organizational.7-09.j Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0 |
Employ boundary protection to isolate information systems | CMA_C1639 - Employ boundary protection to isolate information systems | Manual, Disabled | 1.1.0 |
Separate user and information system management functionality | CMA_0493 - Separate user and information system management functionality | Manual, Disabled | 1.1.0 |
Use dedicated machines for administrative tasks | CMA_0527 - Use dedicated machines for administrative tasks | Manual, Disabled | 1.1.0 |
0209.09m3Organizational.7-09.m 09.06 Network Security Management
ID: 0209.09m3Organizational.7-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Automate information sharing decisions | CMA_0028 - Automate information sharing decisions | Manual, Disabled | 1.1.0 |
Employ automatic shutdown/restart when violations are detected | CMA_C1715 - Employ automatic shutdown/restart when violations are detected | Manual, Disabled | 1.1.0 |
Facilitate information sharing | CMA_0284 - Facilitate information sharing | Manual, Disabled | 1.1.0 |
Record disclosures of PII to third parties | CMA_0422 - Record disclosures of PII to third parties | Manual, Disabled | 1.1.0 |
Train staff on PII sharing and its consequences | CMA_C1871 - Train staff on PII sharing and its consequences | Manual, Disabled | 1.1.0 |
Verify software, firmware and information integrity | CMA_0542 - Verify software, firmware and information integrity | Manual, Disabled | 1.1.0 |
0214.09j1Organizational.6-09.j 09.04 Protection Against Malicious and Mobile Code
ID: 0214.09j1Organizational.6-09.j Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
Design an access control model | CMA_0129 - Design an access control model | Manual, Disabled | 1.1.0 |
Employ least privilege access | CMA_0212 - Employ least privilege access | Manual, Disabled | 1.1.0 |
Limit privileges to make changes in production environment | CMA_C1206 - Limit privileges to make changes in production environment | Manual, Disabled | 1.1.0 |
Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
Provide periodic security awareness training | CMA_C1091 - Provide periodic security awareness training | Manual, Disabled | 1.1.0 |
Provide security training for new users | CMA_0419 - Provide security training for new users | Manual, Disabled | 1.1.0 |
Provide updated security awareness training | CMA_C1090 - Provide updated security awareness training | Manual, Disabled | 1.1.0 |
Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
0215.09j2Organizational.8-09.j 09.04 Protection Against Malicious and Mobile Code
ID: 0215.09j2Organizational.8-09.j Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
0216.09j2Organizational.9-09.j 09.04 Protection Against Malicious and Mobile Code
ID: 0216.09j2Organizational.9-09.j Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Correlate audit records | CMA_0087 - Correlate audit records | Manual, Disabled | 1.1.0 |
Establish requirements for audit review and reporting | CMA_0277 - Establish requirements for audit review and reporting | Manual, Disabled | 1.1.0 |
Integrate audit review, analysis, and reporting | CMA_0339 - Integrate audit review, analysis, and reporting | Manual, Disabled | 1.1.0 |
Integrate cloud app security with a siem | CMA_0340 - Integrate cloud app security with a siem | Manual, Disabled | 1.1.0 |
Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
Review administrator assignments weekly | CMA_0461 - Review administrator assignments weekly | Manual, Disabled | 1.1.0 |
Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
Review cloud identity report overview | CMA_0468 - Review cloud identity report overview | Manual, Disabled | 1.1.0 |
Review controlled folder access events | CMA_0471 - Review controlled folder access events | Manual, Disabled | 1.1.0 |
Review file and folder activity | CMA_0473 - Review file and folder activity | Manual, Disabled | 1.1.0 |
Review role group changes weekly | CMA_0476 - Review role group changes weekly | Manual, Disabled | 1.1.0 |
0217.09j2Organizational.10-09.j 09.04 Protection Against Malicious and Mobile Code
ID: 0217.09j2Organizational.10-09.j Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
Correlate audit records | CMA_0087 - Correlate audit records | Manual, Disabled | 1.1.0 |
Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
Establish requirements for audit review and reporting | CMA_0277 - Establish requirements for audit review and reporting | Manual, Disabled | 1.1.0 |
Integrate audit review, analysis, and reporting | CMA_0339 - Integrate audit review, analysis, and reporting | Manual, Disabled | 1.1.0 |
Integrate cloud app security with a siem | CMA_0340 - Integrate cloud app security with a siem | Manual, Disabled | 1.1.0 |
Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
Observe and report security weaknesses | CMA_0384 - Observe and report security weaknesses | Manual, Disabled | 1.1.0 |
Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
Perform threat modeling | CMA_0392 - Perform threat modeling | Manual, Disabled | 1.1.0 |
Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
Review administrator assignments weekly | CMA_0461 - Review administrator assignments weekly | Manual, Disabled | 1.1.0 |
Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
Review cloud identity report overview | CMA_0468 - Review cloud identity report overview | Manual, Disabled | 1.1.0 |
Review controlled folder access events | CMA_0471 - Review controlled folder access events | Manual, Disabled | 1.1.0 |
Review exploit protection events | CMA_0472 - Review exploit protection events | Manual, Disabled | 1.1.0 |
Review file and folder activity | CMA_0473 - Review file and folder activity | Manual, Disabled | 1.1.0 |
Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
Review role group changes weekly | CMA_0476 - Review role group changes weekly | Manual, Disabled | 1.1.0 |
Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
0219.09j2Organizational.12-09.j 09.04 Protection Against Malicious and Mobile Code
ID: 0219.09j2Organizational.12-09.j Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
0225.09k1Organizational.1-09.k 09.04 Protection Against Malicious and Mobile Code
ID: 0225.09k1Organizational.1-09.k Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Authorize, monitor, and control usage of mobile code technologies | CMA_C1653 - Authorize, monitor, and control usage of mobile code technologies | Manual, Disabled | 1.1.0 |
Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
Define acceptable and unacceptable mobile code technologies | CMA_C1651 - Define acceptable and unacceptable mobile code technologies | Manual, Disabled | 1.1.0 |
Establish usage restrictions for mobile code technologies | CMA_C1652 - Establish usage restrictions for mobile code technologies | Manual, Disabled | 1.1.0 |
Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
0226.09k1Organizational.2-09.k 09.04 Protection Against Malicious and Mobile Code
ID: 0226.09k1Organizational.2-09.k Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Authorize, monitor, and control usage of mobile code technologies | CMA_C1653 - Authorize, monitor, and control usage of mobile code technologies | Manual, Disabled | 1.1.0 |
Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
Define acceptable and unacceptable mobile code technologies | CMA_C1651 - Define acceptable and unacceptable mobile code technologies | Manual, Disabled | 1.1.0 |
Establish usage restrictions for mobile code technologies | CMA_C1652 - Establish usage restrictions for mobile code technologies | Manual, Disabled | 1.1.0 |
Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
0227.09k2Organizational.12-09.k 09.04 Protection Against Malicious and Mobile Code
ID: 0227.09k2Organizational.12-09.k Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
Authorize, monitor, and control usage of mobile code technologies | CMA_C1653 - Authorize, monitor, and control usage of mobile code technologies | Manual, Disabled | 1.1.0 |
Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
Define acceptable and unacceptable mobile code technologies | CMA_C1651 - Define acceptable and unacceptable mobile code technologies | Manual, Disabled | 1.1.0 |
Define mobile device requirements | CMA_0122 - Define mobile device requirements | Manual, Disabled | 1.1.0 |
Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
Establish usage restrictions for mobile code technologies | CMA_C1652 - Establish usage restrictions for mobile code technologies | Manual, Disabled | 1.1.0 |
Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
0228.09k2Organizational.3-09.k 09.04 Protection Against Malicious and Mobile Code
ID: 0228.09k2Organizational.3-09.k Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Automate process to highlight unreviewed change proposals | CMA_C1193 - Automate process to highlight unreviewed change proposals | Manual, Disabled | 1.1.0 |
Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
Govern compliance of cloud service providers | CMA_0290 - Govern compliance of cloud service providers | Manual, Disabled | 1.1.0 |
Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
View and configure system diagnostic data | CMA_0544 - View and configure system diagnostic data | Manual, Disabled | 1.1.0 |
03 Portable Media Security
0301.09o1Organizational.123-09.o 09.07 Media Handling
ID: 0301.09o1Organizational.123-09.o Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
Control maintenance and repair activities | CMA_0080 - Control maintenance and repair activities | Manual, Disabled | 1.1.0 |
Control use of portable storage devices | CMA_0083 - Control use of portable storage devices | Manual, Disabled | 1.1.0 |
Define mobile device requirements | CMA_0122 - Define mobile device requirements | Manual, Disabled | 1.1.0 |
Document and implement wireless access guidelines | CMA_0190 - Document and implement wireless access guidelines | Manual, Disabled | 1.1.0 |
Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Manage nonlocal maintenance and diagnostic activities | CMA_0364 - Manage nonlocal maintenance and diagnostic activities | Manual, Disabled | 1.1.0 |
Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Manual, Disabled | 1.1.0 |
Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
Protect wireless access | CMA_0411 - Protect wireless access | Manual, Disabled | 1.1.0 |
Restrict media use | CMA_0450 - Restrict media use | Manual, Disabled | 1.1.0 |
Review and update media protection policies and procedures | CMA_C1427 - Review and update media protection policies and procedures | Manual, Disabled | 1.1.0 |
Transparent Data Encryption on SQL databases should be enabled | Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements | AuditIfNotExists, Disabled | 2.0.0 |
0302.09o2Organizational.1-09.o 09.07 Media Handling
ID: 0302.09o2Organizational.1-09.o Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
Control use of portable storage devices | CMA_0083 - Control use of portable storage devices | Manual, Disabled | 1.1.0 |
Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Manual, Disabled | 1.1.0 |
Restrict media use | CMA_0450 - Restrict media use | Manual, Disabled | 1.1.0 |
0303.09o2Organizational.2-09.o 09.07 Media Handling
ID: 0303.09o2Organizational.2-09.o Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
Control use of portable storage devices | CMA_0083 - Control use of portable storage devices | Manual, Disabled | 1.1.0 |
Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Manual, Disabled | 1.1.0 |
Restrict media use | CMA_0450 - Restrict media use | Manual, Disabled | 1.1.0 |
0304.09o3Organizational.1-09.o 09.07 Media Handling
ID: 0304.09o3Organizational.1-09.o Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
Control use of portable storage devices | CMA_0083 - Control use of portable storage devices | Manual, Disabled | 1.1.0 |
Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Require encryption on Data Lake Store accounts | This policy ensures encryption is enabled on all Data Lake Store accounts | deny | 1.0.0 |
Restrict media use | CMA_0450 - Restrict media use | Manual, Disabled | 1.1.0 |
SQL managed instances should use customer-managed keys to encrypt data at rest | Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. | Audit, Deny, Disabled | 2.0.0 |
SQL servers should use customer-managed keys to encrypt data at rest | Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. | Audit, Deny, Disabled | 2.0.1 |
0305.09q1Organizational.12-09.q 09.07 Media Handling
ID: 0305.09q1Organizational.12-09.q Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Control maintenance and repair activities | CMA_0080 - Control maintenance and repair activities | Manual, Disabled | 1.1.0 |
Control use of portable storage devices | CMA_0083 - Control use of portable storage devices | Manual, Disabled | 1.1.0 |
Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Manage nonlocal maintenance and diagnostic activities | CMA_0364 - Manage nonlocal maintenance and diagnostic activities | Manual, Disabled | 1.1.0 |
Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Manual, Disabled | 1.1.0 |
Restrict media use | CMA_0450 - Restrict media use | Manual, Disabled | 1.1.0 |
0306.09q1Organizational.3-09.q 09.07 Media Handling
ID: 0306.09q1Organizational.3-09.q Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Automate information sharing decisions | CMA_0028 - Automate information sharing decisions | Manual, Disabled | 1.1.0 |
Ensure authorized users protect provided authenticators | CMA_C1339 - Ensure authorized users protect provided authenticators | Manual, Disabled | 1.1.0 |
Ensure there are no unencrypted static authenticators | CMA_C1340 - Ensure there are no unencrypted static authenticators | Manual, Disabled | 1.1.0 |
Facilitate information sharing | CMA_0284 - Facilitate information sharing | Manual, Disabled | 1.1.0 |
Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Implement training for protecting authenticators | CMA_0329 - Implement training for protecting authenticators | Manual, Disabled | 1.1.0 |
0307.09q2Organizational.12-09.q 09.07 Media Handling
ID: 0307.09q2Organizational.12-09.q Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
Employ flow control mechanisms of encrypted information | CMA_0211 - Employ flow control mechanisms of encrypted information | Manual, Disabled | 1.1.0 |
0308.09q3Organizational.1-09.q 09.07 Media Handling
ID: 0308.09q3Organizational.1-09.q Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Manual, Disabled | 1.1.0 |
0314.09q3Organizational.2-09.q 09.07 Media Handling
ID: 0314.09q3Organizational.2-09.q Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define a physical key management process | CMA_0115 - Define a physical key management process | Manual, Disabled | 1.1.0 |
Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
Define organizational requirements for cryptographic key management | CMA_0123 - Define organizational requirements for cryptographic key management | Manual, Disabled | 1.1.0 |
Determine assertion requirements | CMA_0136 - Determine assertion requirements | Manual, Disabled | 1.1.0 |
Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Issue public key certificates | CMA_0347 - Issue public key certificates | Manual, Disabled | 1.1.0 |
Manage symmetric cryptographic keys | CMA_0367 - Manage symmetric cryptographic keys | Manual, Disabled | 1.1.0 |
Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Manual, Disabled | 1.1.0 |
Restrict access to private keys | CMA_0445 - Restrict access to private keys | Manual, Disabled | 1.1.0 |
04 Mobile Device Security
0401.01x1System.124579-01.x 01.07 Mobile Computing and Teleworking
ID: 0401.01x1System.124579-01.x Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Authorize, monitor, and control usage of mobile code technologies | CMA_C1653 - Authorize, monitor, and control usage of mobile code technologies | Manual, Disabled | 1.1.0 |
Define acceptable and unacceptable mobile code technologies | CMA_C1651 - Define acceptable and unacceptable mobile code technologies | Manual, Disabled | 1.1.0 |
Define mobile device requirements | CMA_0122 - Define mobile device requirements | Manual, Disabled | 1.1.0 |
Establish usage restrictions for mobile code technologies | CMA_C1652 - Establish usage restrictions for mobile code technologies | Manual, Disabled | 1.1.0 |
Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
Prohibit remote activation of collaborative computing devices | CMA_C1648 - Prohibit remote activation of collaborative computing devices | Manual, Disabled | 1.1.0 |
Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
0403.01x1System.8-01.x 01.07 Mobile Computing and Teleworking
ID: 0403.01x1System.8-01.x Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define mobile device requirements | CMA_0122 - Define mobile device requirements | Manual, Disabled | 1.1.0 |
Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
Ensure security safeguards not needed when the individuals return | CMA_C1183 - Ensure security safeguards not needed when the individuals return | Manual, Disabled | 1.1.0 |
Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Manual, Disabled | 1.1.0 |
Not allow for information systems to accompany with individuals | CMA_C1182 - Not allow for information systems to accompany with individuals | Manual, Disabled | 1.1.0 |
Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
0405.01y1Organizational.12345678-01.y 01.07 Mobile Computing and Teleworking
ID: 0405.01y1Organizational.12345678-01.y Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define mobile device requirements | CMA_0122 - Define mobile device requirements | Manual, Disabled | 1.1.0 |
0407.01y2Organizational.1-01.y 01.07 Mobile Computing and Teleworking
ID: 0407.01y2Organizational.1-01.y Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define mobile device requirements | CMA_0122 - Define mobile device requirements | Manual, Disabled | 1.1.0 |
Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Manual, Disabled | 1.1.0 |
0408.01y3Organizational.12-01.y 01.07 Mobile Computing and Teleworking
ID: 0408.01y3Organizational.12-01.y Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Control maintenance and repair activities | CMA_0080 - Control maintenance and repair activities | Manual, Disabled | 1.1.0 |
Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
Manage nonlocal maintenance and diagnostic activities | CMA_0364 - Manage nonlocal maintenance and diagnostic activities | Manual, Disabled | 1.1.0 |
0409.01y3Organizational.3-01.y 01.07 Mobile Computing and Teleworking
ID: 0409.01y3Organizational.3-01.y Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define mobile device requirements | CMA_0122 - Define mobile device requirements | Manual, Disabled | 1.1.0 |
0410.01x1System.12-01.xMobileComputingandCommunications 01.07 Mobile Computing and Teleworking
ID: 0410.01x1System.12-01.xMobileComputingandCommunications Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define mobile device requirements | CMA_0122 - Define mobile device requirements | Manual, Disabled | 1.1.0 |
Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
0415.01y1Organizational.10-01.y 01.07 Mobile Computing and Teleworking
ID: 0415.01y1Organizational.10-01.y Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Control maintenance and repair activities | CMA_0080 - Control maintenance and repair activities | Manual, Disabled | 1.1.0 |
Define mobile device requirements | CMA_0122 - Define mobile device requirements | Manual, Disabled | 1.1.0 |
Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Manage nonlocal maintenance and diagnostic activities | CMA_0364 - Manage nonlocal maintenance and diagnostic activities | Manual, Disabled | 1.1.0 |
0416.01y3Organizational.4-01.y 01.07 Mobile Computing and Teleworking
ID: 0416.01y3Organizational.4-01.y Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Control maintenance and repair activities | CMA_0080 - Control maintenance and repair activities | Manual, Disabled | 1.1.0 |
Define mobile device requirements | CMA_0122 - Define mobile device requirements | Manual, Disabled | 1.1.0 |
Manage nonlocal maintenance and diagnostic activities | CMA_0364 - Manage nonlocal maintenance and diagnostic activities | Manual, Disabled | 1.1.0 |
Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
0417.01y3Organizational.5-01.y 01.07 Mobile Computing and Teleworking
ID: 0417.01y3Organizational.5-01.y Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define mobile device requirements | CMA_0122 - Define mobile device requirements | Manual, Disabled | 1.1.0 |
0425.01x1System.13-01.x 01.07 Mobile Computing and Teleworking
ID: 0425.01x1System.13-01.x Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define mobile device requirements | CMA_0122 - Define mobile device requirements | Manual, Disabled | 1.1.0 |
0426.01x2System.1-01.x 01.07 Mobile Computing and Teleworking
ID: 0426.01x2System.1-01.x Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define mobile device requirements | CMA_0122 - Define mobile device requirements | Manual, Disabled | 1.1.0 |
Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
Ensure security safeguards not needed when the individuals return | CMA_C1183 - Ensure security safeguards not needed when the individuals return | Manual, Disabled | 1.1.0 |
Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Manual, Disabled | 1.1.0 |
Not allow for information systems to accompany with individuals | CMA_C1182 - Not allow for information systems to accompany with individuals | Manual, Disabled | 1.1.0 |
Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
0427.01x2System.2-01.x 01.07 Mobile Computing and Teleworking
ID: 0427.01x2System.2-01.x Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define mobile device requirements | CMA_0122 - Define mobile device requirements | Manual, Disabled | 1.1.0 |
Ensure security safeguards not needed when the individuals return | CMA_C1183 - Ensure security safeguards not needed when the individuals return | Manual, Disabled | 1.1.0 |
Not allow for information systems to accompany with individuals | CMA_C1182 - Not allow for information systems to accompany with individuals | Manual, Disabled | 1.1.0 |
Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
0428.01x2System.3-01.x 01.07 Mobile Computing and Teleworking
ID: 0428.01x2System.3-01.x Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define mobile device requirements | CMA_0122 - Define mobile device requirements | Manual, Disabled | 1.1.0 |
Ensure security safeguards not needed when the individuals return | CMA_C1183 - Ensure security safeguards not needed when the individuals return | Manual, Disabled | 1.1.0 |
Not allow for information systems to accompany with individuals | CMA_C1182 - Not allow for information systems to accompany with individuals | Manual, Disabled | 1.1.0 |
Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
0429.01x1System.14-01.x 01.07 Mobile Computing and Teleworking
ID: 0429.01x1System.14-01.x Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Control use of portable storage devices | CMA_0083 - Control use of portable storage devices | Manual, Disabled | 1.1.0 |
Define mobile device requirements | CMA_0122 - Define mobile device requirements | Manual, Disabled | 1.1.0 |
Ensure security safeguards not needed when the individuals return | CMA_C1183 - Ensure security safeguards not needed when the individuals return | Manual, Disabled | 1.1.0 |
Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Not allow for information systems to accompany with individuals | CMA_C1182 - Not allow for information systems to accompany with individuals | Manual, Disabled | 1.1.0 |
Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
Restrict media use | CMA_0450 - Restrict media use | Manual, Disabled | 1.1.0 |
Identification of Risks Related to External Parties
Access to the organizations information and systems by external parties is not permitted until due diligence has been conducted, the appropriate controls have been implemented, and a contract/agreement reflecting the security requirements is signed acknowledging they understand and accept their obligations.
ID: 1401.05i1Organizational.1239 - 05.i Ownership: Customer
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Secure transfer to storage accounts should be enabled | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 2.0.0 |
Remote access connections between the organization and external parties are encrypted.
ID: 1402.05i1Organizational.45 - 05.i Ownership: Customer
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Function apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 5.0.0 |
Access granted to external parties is limited to the minimum necessary and granted only for the duration required.
ID: 1403.05i1Organizational.67 - 05.i Ownership: Customer
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
App Service apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 4.0.0 |
The identification of risks related to external party access takes into account a minimal set of specifically defined issues.
ID: 1418.05i1Organizational.8 - 05.i Ownership: Customer
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Enforce SSL connection should be enabled for MySQL database servers | Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
05 Wireless Security
0504.09m2Organizational.5-09.m 09.06 Network Security Management
ID: 0504.09m2Organizational.5-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Document and implement wireless access guidelines | CMA_0190 - Document and implement wireless access guidelines | Manual, Disabled | 1.1.0 |
Document wireless access security controls | CMA_C1695 - Document wireless access security controls | Manual, Disabled | 1.1.0 |
Identify and authenticate network devices | CMA_0296 - Identify and authenticate network devices | Manual, Disabled | 1.1.0 |
Protect wireless access | CMA_0411 - Protect wireless access | Manual, Disabled | 1.1.0 |
0505.09m2Organizational.3-09.m 09.06 Network Security Management
ID: 0505.09m2Organizational.3-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
Define requirements for managing assets | CMA_0125 - Define requirements for managing assets | Manual, Disabled | 1.1.0 |
Document wireless access security controls | CMA_C1695 - Document wireless access security controls | Manual, Disabled | 1.1.0 |
Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Install an alarm system | CMA_0338 - Install an alarm system | Manual, Disabled | 1.1.0 |
Manage a secure surveillance camera system | CMA_0354 - Manage a secure surveillance camera system | Manual, Disabled | 1.1.0 |
Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Manual, Disabled | 1.1.0 |
06 Configuration Management
0601.06g1Organizational.124-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance
ID: 0601.06g1Organizational.124-06.g Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Assess Security Controls | CMA_C1145 - Assess Security Controls | Manual, Disabled | 1.1.0 |
Deliver security assessment results | CMA_C1147 - Deliver security assessment results | Manual, Disabled | 1.1.0 |
Develop POA&M | CMA_C1156 - Develop POA&M | Manual, Disabled | 1.1.0 |
Develop security assessment plan | CMA_C1144 - Develop security assessment plan | Manual, Disabled | 1.1.0 |
Produce Security Assessment report | CMA_C1146 - Produce Security Assessment report | Manual, Disabled | 1.1.0 |
Update POA&M items | CMA_C1157 - Update POA&M items | Manual, Disabled | 1.1.0 |
0602.06g1Organizational.3-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance
ID: 0602.06g1Organizational.3-06.g Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Conduct Risk Assessment | CMA_C1543 - Conduct Risk Assessment | Manual, Disabled | 1.1.0 |
Deliver security assessment results | CMA_C1147 - Deliver security assessment results | Manual, Disabled | 1.1.0 |
Develop configuration management plan | CMA_C1232 - Develop configuration management plan | Manual, Disabled | 1.1.0 |
Develop POA&M | CMA_C1156 - Develop POA&M | Manual, Disabled | 1.1.0 |
Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
Produce Security Assessment report | CMA_C1146 - Produce Security Assessment report | Manual, Disabled | 1.1.0 |
Require developers to document approved changes and potential impact | CMA_C1597 - Require developers to document approved changes and potential impact | Manual, Disabled | 1.1.0 |
Update POA&M items | CMA_C1157 - Update POA&M items | Manual, Disabled | 1.1.0 |
0603.06g2Organizational.1-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance
ID: 0603.06g2Organizational.1-06.g Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
Govern compliance of cloud service providers | CMA_0290 - Govern compliance of cloud service providers | Manual, Disabled | 1.1.0 |
Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
Verify software, firmware and information integrity | CMA_0542 - Verify software, firmware and information integrity | Manual, Disabled | 1.1.0 |
View and configure system diagnostic data | CMA_0544 - View and configure system diagnostic data | Manual, Disabled | 1.1.0 |
0604.06g2Organizational.2-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance
ID: 0604.06g2Organizational.2-06.g Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Analyse data obtained from continuous monitoring | CMA_C1169 - Analyse data obtained from continuous monitoring | Manual, Disabled | 1.1.0 |
Configure detection whitelist | CMA_0068 - Configure detection whitelist | Manual, Disabled | 1.1.0 |
Develop security assessment plan | CMA_C1144 - Develop security assessment plan | Manual, Disabled | 1.1.0 |
Employ independent assessors for continuous monitoring | CMA_C1168 - Employ independent assessors for continuous monitoring | Manual, Disabled | 1.1.0 |
Employ independent assessors to conduct security control assessments | CMA_C1148 - Employ independent assessors to conduct security control assessments | Manual, Disabled | 1.1.0 |
Turn on sensors for endpoint security solution | CMA_0514 - Turn on sensors for endpoint security solution | Manual, Disabled | 1.1.0 |
Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
0605.10h1System.12-10.h 10.04 Security of System Files
ID: 0605.10h1System.12-10.h Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
Limit privileges to make changes in production environment | CMA_C1206 - Limit privileges to make changes in production environment | Manual, Disabled | 1.1.0 |
Review and reevaluate privileges | CMA_C1207 - Review and reevaluate privileges | Manual, Disabled | 1.1.0 |
Vulnerabilities in security configuration on your machines should be remediated | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.1.0 |
Windows machines should meet requirements for 'Security Options - Audit' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Audit' for forcing audit policy subcategory and shutting down if unable to log security audits. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
Windows machines should meet requirements for 'System Audit Policies - Account Management' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Management' for auditing application, security, and user group management, and other management events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
0613.06h1Organizational.12-06.h 06.02 Compliance with Security Policies and Standards, and Technical Compliance
ID: 0613.06h1Organizational.12-06.h Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
0614.06h2Organizational.12-06.h 06.02 Compliance with Security Policies and Standards, and Technical Compliance
ID: 0614.06h2Organizational.12-06.h Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Assess Security Controls | CMA_C1145 - Assess Security Controls | Manual, Disabled | 1.1.0 |
Deliver security assessment results | CMA_C1147 - Deliver security assessment results | Manual, Disabled | 1.1.0 |
Develop security assessment plan | CMA_C1144 - Develop security assessment plan | Manual, Disabled | 1.1.0 |
Produce Security Assessment report | CMA_C1146 - Produce Security Assessment report | Manual, Disabled | 1.1.0 |
Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
Select additional testing for security control assessments | CMA_C1149 - Select additional testing for security control assessments | Manual, Disabled | 1.1.0 |
0615.06h2Organizational.3-06.h 06.02 Compliance with Security Policies and Standards, and Technical Compliance
ID: 0615.06h2Organizational.3-06.h Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
0618.09b1System.1-09.b 09.01 Documented Operating Procedures
ID: 0618.09b1System.1-09.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Automate approval request for proposed changes | CMA_C1192 - Automate approval request for proposed changes | Manual, Disabled | 1.1.0 |
Automate implementation of approved change notifications | CMA_C1196 - Automate implementation of approved change notifications | Manual, Disabled | 1.1.0 |
Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Manual, Disabled | 1.1.0 |
Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
Govern compliance of cloud service providers | CMA_0290 - Govern compliance of cloud service providers | Manual, Disabled | 1.1.0 |
Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
Require developers to document approved changes and potential impact | CMA_C1597 - Require developers to document approved changes and potential impact | Manual, Disabled | 1.1.0 |
Require developers to manage change integrity | CMA_C1595 - Require developers to manage change integrity | Manual, Disabled | 1.1.0 |
Retain previous versions of baseline configs | CMA_C1181 - Retain previous versions of baseline configs | Manual, Disabled | 1.1.0 |
View and configure system diagnostic data | CMA_0544 - View and configure system diagnostic data | Manual, Disabled | 1.1.0 |
0626.10h1System.3-10.h 10.04 Security of System Files
ID: 0626.10h1System.3-10.h Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Employ automatic shutdown/restart when violations are detected | CMA_C1715 - Employ automatic shutdown/restart when violations are detected | Manual, Disabled | 1.1.0 |
Verify software, firmware and information integrity | CMA_0542 - Verify software, firmware and information integrity | Manual, Disabled | 1.1.0 |
View and configure system diagnostic data | CMA_0544 - View and configure system diagnostic data | Manual, Disabled | 1.1.0 |
0627.10h1System.45-10.h 10.04 Security of System Files
ID: 0627.10h1System.45-10.h Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Configure actions for noncompliant devices | CMA_0062 - Configure actions for noncompliant devices | Manual, Disabled | 1.1.0 |
Develop and maintain baseline configurations | CMA_0153 - Develop and maintain baseline configurations | Manual, Disabled | 1.1.0 |
Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
Ensure security safeguards not needed when the individuals return | CMA_C1183 - Ensure security safeguards not needed when the individuals return | Manual, Disabled | 1.1.0 |
Establish a configuration control board | CMA_0254 - Establish a configuration control board | Manual, Disabled | 1.1.0 |
Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Manual, Disabled | 1.1.0 |
Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Manual, Disabled | 1.1.0 |
Not allow for information systems to accompany with individuals | CMA_C1182 - Not allow for information systems to accompany with individuals | Manual, Disabled | 1.1.0 |
Retain previous versions of baseline configs | CMA_C1181 - Retain previous versions of baseline configs | Manual, Disabled | 1.1.0 |
Verify software, firmware and information integrity | CMA_0542 - Verify software, firmware and information integrity | Manual, Disabled | 1.1.0 |
View and configure system diagnostic data | CMA_0544 - View and configure system diagnostic data | Manual, Disabled | 1.1.0 |
0628.10h1System.6-10.h 10.04 Security of System Files
ID: 0628.10h1System.6-10.h Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Employ automatic shutdown/restart when violations are detected | CMA_C1715 - Employ automatic shutdown/restart when violations are detected | Manual, Disabled | 1.1.0 |
Incorporate flaw remediation into configuration management | CMA_C1671 - Incorporate flaw remediation into configuration management | Manual, Disabled | 1.1.0 |
Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
Verify software, firmware and information integrity | CMA_0542 - Verify software, firmware and information integrity | Manual, Disabled | 1.1.0 |
0635.10k1Organizational.12-10.k 10.05 Security In Development and Support Processes
ID: 0635.10k1Organizational.12-10.k Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Incorporate flaw remediation into configuration management | CMA_C1671 - Incorporate flaw remediation into configuration management | Manual, Disabled | 1.1.0 |
Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
Review development process, standards and tools | CMA_C1610 - Review development process, standards and tools | Manual, Disabled | 1.1.0 |
Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
0636.10k2Organizational.1-10.k 10.05 Security In Development and Support Processes
ID: 0636.10k2Organizational.1-10.k Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Create configuration plan protection | CMA_C1233 - Create configuration plan protection | Manual, Disabled | 1.1.0 |
Develop and maintain baseline configurations | CMA_0153 - Develop and maintain baseline configurations | Manual, Disabled | 1.1.0 |
Develop configuration item identification plan | CMA_C1231 - Develop configuration item identification plan | Manual, Disabled | 1.1.0 |
Develop configuration management plan | CMA_C1232 - Develop configuration management plan | Manual, Disabled | 1.1.0 |
Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Manual, Disabled | 1.1.0 |
Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Manual, Disabled | 1.1.0 |
Review and update configuration management policies and procedures | CMA_C1175 - Review and update configuration management policies and procedures | Manual, Disabled | 1.1.0 |
Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
0637.10k2Organizational.2-10.k 10.05 Security In Development and Support Processes
ID: 0637.10k2Organizational.2-10.k Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Create configuration plan protection | CMA_C1233 - Create configuration plan protection | Manual, Disabled | 1.1.0 |
Develop and maintain baseline configurations | CMA_0153 - Develop and maintain baseline configurations | Manual, Disabled | 1.1.0 |
Develop configuration item identification plan | CMA_C1231 - Develop configuration item identification plan | Manual, Disabled | 1.1.0 |
Develop configuration management plan | CMA_C1232 - Develop configuration management plan | Manual, Disabled | 1.1.0 |
Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Manual, Disabled | 1.1.0 |
Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Manual, Disabled | 1.1.0 |
Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
0638.10k2Organizational.34569-10.k 10.05 Security In Development and Support Processes
ID: 0638.10k2Organizational.34569-10.k Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Automate implementation of approved change notifications | CMA_C1196 - Automate implementation of approved change notifications | Manual, Disabled | 1.1.0 |
Automate process to document implemented changes | CMA_C1195 - Automate process to document implemented changes | Manual, Disabled | 1.1.0 |
Automate process to highlight unreviewed change proposals | CMA_C1193 - Automate process to highlight unreviewed change proposals | Manual, Disabled | 1.1.0 |
Automate process to prohibit implementation of unapproved changes | CMA_C1194 - Automate process to prohibit implementation of unapproved changes | Manual, Disabled | 1.1.0 |
Automate proposed documented changes | CMA_C1191 - Automate proposed documented changes | Manual, Disabled | 1.1.0 |
Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Manual, Disabled | 1.1.0 |
Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
0639.10k2Organizational.78-10.k 10.05 Security In Development and Support Processes
ID: 0639.10k2Organizational.78-10.k Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Configure actions for noncompliant devices | CMA_0062 - Configure actions for noncompliant devices | Manual, Disabled | 1.1.0 |
Develop and maintain baseline configurations | CMA_0153 - Develop and maintain baseline configurations | Manual, Disabled | 1.1.0 |
Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
Establish a configuration control board | CMA_0254 - Establish a configuration control board | Manual, Disabled | 1.1.0 |
Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Manual, Disabled | 1.1.0 |
Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Manual, Disabled | 1.1.0 |
Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
0640.10k2Organizational.1012-10.k 10.05 Security In Development and Support Processes
ID: 0640.10k2Organizational.1012-10.k Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Address coding vulnerabilities | CMA_0003 - Address coding vulnerabilities | Manual, Disabled | 1.1.0 |
Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
Develop and document application security requirements | CMA_0148 - Develop and document application security requirements | Manual, Disabled | 1.1.0 |
Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
Establish a secure software development program | CMA_0259 - Establish a secure software development program | Manual, Disabled | 1.1.0 |
Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
Require developers to document approved changes and potential impact | CMA_C1597 - Require developers to document approved changes and potential impact | Manual, Disabled | 1.1.0 |
Require developers to manage change integrity | CMA_C1595 - Require developers to manage change integrity | Manual, Disabled | 1.1.0 |
Require developers to produce evidence of security assessment plan execution | CMA_C1602 - Require developers to produce evidence of security assessment plan execution | Manual, Disabled | 1.1.0 |
Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
0641.10k2Organizational.11-10.k 10.05 Security In Development and Support Processes
ID: 0641.10k2Organizational.11-10.k Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Manual, Disabled | 1.1.0 |
Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
Review development process, standards and tools | CMA_C1610 - Review development process, standards and tools | Manual, Disabled | 1.1.0 |
Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
0642.10k3Organizational.12-10.k 10.05 Security In Development and Support Processes
ID: 0642.10k3Organizational.12-10.k Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Configure actions for noncompliant devices | CMA_0062 - Configure actions for noncompliant devices | Manual, Disabled | 1.1.0 |
Develop and maintain baseline configurations | CMA_0153 - Develop and maintain baseline configurations | Manual, Disabled | 1.1.0 |
Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
Establish a configuration control board | CMA_0254 - Establish a configuration control board | Manual, Disabled | 1.1.0 |
Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Manual, Disabled | 1.1.0 |
Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Manual, Disabled | 1.1.0 |
Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
0643.10k3Organizational.3-10.k 10.05 Security In Development and Support Processes
ID: 0643.10k3Organizational.3-10.k Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
Configure actions for noncompliant devices | CMA_0062 - Configure actions for noncompliant devices | Manual, Disabled | 1.1.0 |
Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Manual, Disabled | 1.1.0 |
Develop and maintain baseline configurations | CMA_0153 - Develop and maintain baseline configurations | Manual, Disabled | 1.1.0 |
Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
Establish a configuration control board | CMA_0254 - Establish a configuration control board | Manual, Disabled | 1.1.0 |
Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Manual, Disabled | 1.1.0 |
Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Manual, Disabled | 1.1.0 |
Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
Retain previous versions of baseline configs | CMA_C1181 - Retain previous versions of baseline configs | Manual, Disabled | 1.1.0 |
Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
0644.10k3Organizational.4-10.k 10.05 Security In Development and Support Processes
ID: 0644.10k3Organizational.4-10.k Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Assign account managers | CMA_0015 - Assign account managers | Manual, Disabled | 1.1.0 |
Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
Define and enforce conditions for shared and group accounts | CMA_0117 - Define and enforce conditions for shared and group accounts | Manual, Disabled | 1.1.0 |
Define information system account types | CMA_0121 - Define information system account types | Manual, Disabled | 1.1.0 |
Develop configuration item identification plan | CMA_C1231 - Develop configuration item identification plan | Manual, Disabled | 1.1.0 |
Develop configuration management plan | CMA_C1232 - Develop configuration management plan | Manual, Disabled | 1.1.0 |
Document access privileges | CMA_0186 - Document access privileges | Manual, Disabled | 1.1.0 |
Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
Establish conditions for role membership | CMA_0269 - Establish conditions for role membership | Manual, Disabled | 1.1.0 |
Govern compliance of cloud service providers | CMA_0290 - Govern compliance of cloud service providers | Manual, Disabled | 1.1.0 |
Monitor account activity | CMA_0377 - Monitor account activity | Manual, Disabled | 1.1.0 |
Notify Account Managers of customer controlled accounts | CMA_C1009 - Notify Account Managers of customer controlled accounts | Manual, Disabled | 1.1.0 |
Reissue authenticators for changed groups and accounts | CMA_0426 - Reissue authenticators for changed groups and accounts | Manual, Disabled | 1.1.0 |
Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
Review user accounts | CMA_0480 - Review user accounts | Manual, Disabled | 1.1.0 |
View and configure system diagnostic data | CMA_0544 - View and configure system diagnostic data | Manual, Disabled | 1.1.0 |
Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
0662.09sCSPOrganizational.2-09.s 09.08 Exchange of Information
ID: 0662.09sCSPOrganizational.2-09.s Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
App Service apps should have Client Certificates (Incoming client certificates) enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy applies to apps with Http version set to 1.1. | AuditIfNotExists, Disabled | 1.0.0 |
Employ independent assessors to conduct security control assessments | CMA_C1148 - Employ independent assessors to conduct security control assessments | Manual, Disabled | 1.1.0 |
Select additional testing for security control assessments | CMA_C1149 - Select additional testing for security control assessments | Manual, Disabled | 1.1.0 |
0663.10h1System.7-10.h 10.04 Security of System Files
ID: 0663.10h1System.7-10.h Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
Detect network services that have not been authorized or approved | CMA_C1700 - Detect network services that have not been authorized or approved | Manual, Disabled | 1.1.0 |
Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
Document wireless access security controls | CMA_C1695 - Document wireless access security controls | Manual, Disabled | 1.1.0 |
Employ automatic shutdown/restart when violations are detected | CMA_C1715 - Employ automatic shutdown/restart when violations are detected | Manual, Disabled | 1.1.0 |
Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
Verify software, firmware and information integrity | CMA_0542 - Verify software, firmware and information integrity | Manual, Disabled | 1.1.0 |
View and configure system diagnostic data | CMA_0544 - View and configure system diagnostic data | Manual, Disabled | 1.1.0 |
0669.10hCSPSystem.1-10.h 10.04 Security of System Files
ID: 0669.10hCSPSystem.1-10.h Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Address coding vulnerabilities | CMA_0003 - Address coding vulnerabilities | Manual, Disabled | 1.1.0 |
Configure actions for noncompliant devices | CMA_0062 - Configure actions for noncompliant devices | Manual, Disabled | 1.1.0 |
Develop and document application security requirements | CMA_0148 - Develop and document application security requirements | Manual, Disabled | 1.1.0 |
Develop and maintain baseline configurations | CMA_0153 - Develop and maintain baseline configurations | Manual, Disabled | 1.1.0 |
Develop configuration item identification plan | CMA_C1231 - Develop configuration item identification plan | Manual, Disabled | 1.1.0 |
Develop configuration management plan | CMA_C1232 - Develop configuration management plan | Manual, Disabled | 1.1.0 |
Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
Establish a configuration control board | CMA_0254 - Establish a configuration control board | Manual, Disabled | 1.1.0 |
Establish a secure software development program | CMA_0259 - Establish a secure software development program | Manual, Disabled | 1.1.0 |
Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Manual, Disabled | 1.1.0 |
Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Manual, Disabled | 1.1.0 |
Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
Require developers to manage change integrity | CMA_C1595 - Require developers to manage change integrity | Manual, Disabled | 1.1.0 |
0670.10hCSPSystem.2-10.h 10.04 Security of System Files
ID: 0670.10hCSPSystem.2-10.h Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Adhere to retention periods defined | CMA_0004 - Adhere to retention periods defined | Manual, Disabled | 1.1.0 |
Perform disposition review | CMA_0391 - Perform disposition review | Manual, Disabled | 1.1.0 |
Verify personal data is deleted at the end of processing | CMA_0540 - Verify personal data is deleted at the end of processing | Manual, Disabled | 1.1.0 |
0671.10k1System.1-10.k 10.05 Security In Development and Support Processes
ID: 0671.10k1System.1-10.k Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Address coding vulnerabilities | CMA_0003 - Address coding vulnerabilities | Manual, Disabled | 1.1.0 |
Automate implementation of approved change notifications | CMA_C1196 - Automate implementation of approved change notifications | Manual, Disabled | 1.1.0 |
Automate process to highlight unreviewed change proposals | CMA_C1193 - Automate process to highlight unreviewed change proposals | Manual, Disabled | 1.1.0 |
Automate process to prohibit implementation of unapproved changes | CMA_C1194 - Automate process to prohibit implementation of unapproved changes | Manual, Disabled | 1.1.0 |
Automate proposed documented changes | CMA_C1191 - Automate proposed documented changes | Manual, Disabled | 1.1.0 |
Develop and document application security requirements | CMA_0148 - Develop and document application security requirements | Manual, Disabled | 1.1.0 |
Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
Establish a secure software development program | CMA_0259 - Establish a secure software development program | Manual, Disabled | 1.1.0 |
Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
Require developers to document approved changes and potential impact | CMA_C1597 - Require developers to document approved changes and potential impact | Manual, Disabled | 1.1.0 |
Require developers to implement only approved changes | CMA_C1596 - Require developers to implement only approved changes | Manual, Disabled | 1.1.0 |
Require developers to manage change integrity | CMA_C1595 - Require developers to manage change integrity | Manual, Disabled | 1.1.0 |
0672.10k3System.5-10.k 10.05 Security In Development and Support Processes
ID: 0672.10k3System.5-10.k Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Manual, Disabled | 1.1.0 |
Employ automatic shutdown/restart when violations are detected | CMA_C1715 - Employ automatic shutdown/restart when violations are detected | Manual, Disabled | 1.1.0 |
Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
Prohibit binary/machine-executable code | CMA_C1717 - Prohibit binary/machine-executable code | Manual, Disabled | 1.1.0 |
Verify software, firmware and information integrity | CMA_0542 - Verify software, firmware and information integrity | Manual, Disabled | 1.1.0 |
View and configure system diagnostic data | CMA_0544 - View and configure system diagnostic data | Manual, Disabled | 1.1.0 |
068.06g2Organizational.34-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance
ID: 068.06g2Organizational.34-06.g Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Assess Security Controls | CMA_C1145 - Assess Security Controls | Manual, Disabled | 1.1.0 |
Deliver security assessment results | CMA_C1147 - Deliver security assessment results | Manual, Disabled | 1.1.0 |
Develop security assessment plan | CMA_C1144 - Develop security assessment plan | Manual, Disabled | 1.1.0 |
Employ independent assessors for continuous monitoring | CMA_C1168 - Employ independent assessors for continuous monitoring | Manual, Disabled | 1.1.0 |
Employ independent assessors to conduct security control assessments | CMA_C1148 - Employ independent assessors to conduct security control assessments | Manual, Disabled | 1.1.0 |
Produce Security Assessment report | CMA_C1146 - Produce Security Assessment report | Manual, Disabled | 1.1.0 |
069.06g2Organizational.56-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance
ID: 069.06g2Organizational.56-06.g Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Conduct Risk Assessment | CMA_C1543 - Conduct Risk Assessment | Manual, Disabled | 1.1.0 |
Conduct risk assessment and distribute its results | CMA_C1544 - Conduct risk assessment and distribute its results | Manual, Disabled | 1.1.0 |
Conduct risk assessment and document its results | CMA_C1542 - Conduct risk assessment and document its results | Manual, Disabled | 1.1.0 |
Configure detection whitelist | CMA_0068 - Configure detection whitelist | Manual, Disabled | 1.1.0 |
Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
Turn on sensors for endpoint security solution | CMA_0514 - Turn on sensors for endpoint security solution | Manual, Disabled | 1.1.0 |
Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
07 Vulnerability Management
0701.07a1Organizational.12-07.a 07.01 Responsibility for Assets
ID: 0701.07a1Organizational.12-07.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Conduct exit interview upon termination | CMA_0058 - Conduct exit interview upon termination | Manual, Disabled | 1.1.0 |
Create a data inventory | CMA_0096 - Create a data inventory | Manual, Disabled | 1.1.0 |
Disable authenticators upon termination | CMA_0169 - Disable authenticators upon termination | Manual, Disabled | 1.1.0 |
Establish and maintain an asset inventory | CMA_0266 - Establish and maintain an asset inventory | Manual, Disabled | 1.1.0 |
Notify upon termination or transfer | CMA_0381 - Notify upon termination or transfer | Manual, Disabled | 1.1.0 |
Protect against and prevent data theft from departing employees | CMA_0398 - Protect against and prevent data theft from departing employees | Manual, Disabled | 1.1.0 |
Retain terminated user data | CMA_0455 - Retain terminated user data | Manual, Disabled | 1.1.0 |
0702.07a1Organizational.3-07.a 07.01 Responsibility for Assets
ID: 0702.07a1Organizational.3-07.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define information security roles and responsibilities | CMA_C1565 - Define information security roles and responsibilities | Manual, Disabled | 1.1.0 |
Establish terms and conditions for processing resources | CMA_C1077 - Establish terms and conditions for processing resources | Manual, Disabled | 1.1.0 |
0703.07a2Organizational.1-07.a 07.01 Responsibility for Assets
ID: 0703.07a2Organizational.1-07.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Create a data inventory | CMA_0096 - Create a data inventory | Manual, Disabled | 1.1.0 |
Establish and maintain an asset inventory | CMA_0266 - Establish and maintain an asset inventory | Manual, Disabled | 1.1.0 |
Maintain records of processing of personal data | CMA_0353 - Maintain records of processing of personal data | Manual, Disabled | 1.1.0 |
0704.07a3Organizational.12-07.a 07.01 Responsibility for Assets
ID: 0704.07a3Organizational.12-07.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Create a data inventory | CMA_0096 - Create a data inventory | Manual, Disabled | 1.1.0 |
Establish and maintain an asset inventory | CMA_0266 - Establish and maintain an asset inventory | Manual, Disabled | 1.1.0 |
Maintain records of processing of personal data | CMA_0353 - Maintain records of processing of personal data | Manual, Disabled | 1.1.0 |
0705.07a3Organizational.3-07.a 07.01 Responsibility for Assets
ID: 0705.07a3Organizational.3-07.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define information security roles and responsibilities | CMA_C1565 - Define information security roles and responsibilities | Manual, Disabled | 1.1.0 |
Identify individuals with security roles and responsibilities | CMA_C1566 - Identify individuals with security roles and responsibilities | Manual, Disabled | 1.1.1 |
Integrate risk management process into SDLC | CMA_C1567 - Integrate risk management process into SDLC | Manual, Disabled | 1.1.0 |
0706.10b1System.12-10.b 10.02 Correct Processing in Applications
ID: 0706.10b1System.12-10.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define information security roles and responsibilities | CMA_C1565 - Define information security roles and responsibilities | Manual, Disabled | 1.1.0 |
Identify individuals with security roles and responsibilities | CMA_C1566 - Identify individuals with security roles and responsibilities | Manual, Disabled | 1.1.1 |
Integrate risk management process into SDLC | CMA_C1567 - Integrate risk management process into SDLC | Manual, Disabled | 1.1.0 |
Perform information input validation | CMA_C1723 - Perform information input validation | Manual, Disabled | 1.1.0 |
0708.10b2System.2-10.b 10.02 Correct Processing in Applications
ID: 0708.10b2System.2-10.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Review and update information integrity policies and procedures | CMA_C1667 - Review and update information integrity policies and procedures | Manual, Disabled | 1.1.0 |
Verify software, firmware and information integrity | CMA_0542 - Verify software, firmware and information integrity | Manual, Disabled | 1.1.0 |
View and configure system diagnostic data | CMA_0544 - View and configure system diagnostic data | Manual, Disabled | 1.1.0 |
0709.10m1Organizational.1-10.m 10.06 Technical Vulnerability Management
ID: 0709.10m1Organizational.1-10.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
A vulnerability assessment solution should be enabled on your virtual machines | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | AuditIfNotExists, Disabled | 3.0.0 |
Assess Security Controls | CMA_C1145 - Assess Security Controls | Manual, Disabled | 1.1.0 |
Deliver security assessment results | CMA_C1147 - Deliver security assessment results | Manual, Disabled | 1.1.0 |
Develop security assessment plan | CMA_C1144 - Develop security assessment plan | Manual, Disabled | 1.1.0 |
Produce Security Assessment report | CMA_C1146 - Produce Security Assessment report | Manual, Disabled | 1.1.0 |
Select additional testing for security control assessments | CMA_C1149 - Select additional testing for security control assessments | Manual, Disabled | 1.1.0 |
SQL databases should have vulnerability findings resolved | Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. | AuditIfNotExists, Disabled | 4.1.0 |
Vulnerabilities in security configuration on your machines should be remediated | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.1.0 |
Vulnerability assessment should be enabled on SQL Managed Instance | Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 1.0.1 |
Vulnerability assessment should be enabled on your SQL servers | Audit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 3.0.0 |
Windows machines should meet requirements for 'Security Options - Microsoft Network Server' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Server' for disabling SMB v1 server. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
0710.10m2Organizational.1-10.m 10.06 Technical Vulnerability Management
ID: 0710.10m2Organizational.1-10.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Configure actions for noncompliant devices | CMA_0062 - Configure actions for noncompliant devices | Manual, Disabled | 1.1.0 |
Develop and maintain baseline configurations | CMA_0153 - Develop and maintain baseline configurations | Manual, Disabled | 1.1.0 |
Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
Establish a configuration control board | CMA_0254 - Establish a configuration control board | Manual, Disabled | 1.1.0 |
Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Manual, Disabled | 1.1.0 |
Govern compliance of cloud service providers | CMA_0290 - Govern compliance of cloud service providers | Manual, Disabled | 1.1.0 |
Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Manual, Disabled | 1.1.0 |
View and configure system diagnostic data | CMA_0544 - View and configure system diagnostic data | Manual, Disabled | 1.1.0 |
Vulnerability assessment should be enabled on SQL Managed Instance | Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 1.0.1 |
0711.10m2Organizational.23-10.m 10.06 Technical Vulnerability Management
ID: 0711.10m2Organizational.23-10.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
A vulnerability assessment solution should be enabled on your virtual machines | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | AuditIfNotExists, Disabled | 3.0.0 |
Observe and report security weaknesses | CMA_0384 - Observe and report security weaknesses | Manual, Disabled | 1.1.0 |
Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
Perform threat modeling | CMA_0392 - Perform threat modeling | Manual, Disabled | 1.1.0 |
0712.10m2Organizational.4-10.m 10.06 Technical Vulnerability Management
ID: 0712.10m2Organizational.4-10.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Employ independent team for penetration testing | CMA_C1171 - Employ independent team for penetration testing | Manual, Disabled | 1.1.0 |
Select additional testing for security control assessments | CMA_C1149 - Select additional testing for security control assessments | Manual, Disabled | 1.1.0 |
0713.10m2Organizational.5-10.m 10.06 Technical Vulnerability Management
ID: 0713.10m2Organizational.5-10.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Automate flaw remediation | CMA_0027 - Automate flaw remediation | Manual, Disabled | 1.1.0 |
Establish benchmarks for flaw remediation | CMA_C1675 - Establish benchmarks for flaw remediation | Manual, Disabled | 1.1.0 |
Incorporate flaw remediation into configuration management | CMA_C1671 - Incorporate flaw remediation into configuration management | Manual, Disabled | 1.1.0 |
Measure the time between flaw identification and flaw remediation | CMA_C1674 - Measure the time between flaw identification and flaw remediation | Manual, Disabled | 1.1.0 |
Vulnerabilities in security configuration on your machines should be remediated | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.1.0 |
0714.10m2Organizational.7-10.m 10.06 Technical Vulnerability Management
ID: 0714.10m2Organizational.7-10.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
Correlate audit records | CMA_0087 - Correlate audit records | Manual, Disabled | 1.1.0 |
Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
Establish requirements for audit review and reporting | CMA_0277 - Establish requirements for audit review and reporting | Manual, Disabled | 1.1.0 |
Implement privileged access for executing vulnerability scanning activities | CMA_C1555 - Implement privileged access for executing vulnerability scanning activities | Manual, Disabled | 1.1.0 |
Integrate audit review, analysis, and reporting | CMA_0339 - Integrate audit review, analysis, and reporting | Manual, Disabled | 1.1.0 |
Integrate cloud app security with a siem | CMA_0340 - Integrate cloud app security with a siem | Manual, Disabled | 1.1.0 |
Observe and report security weaknesses | CMA_0384 - Observe and report security weaknesses | Manual, Disabled | 1.1.0 |
Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
Perform threat modeling | CMA_0392 - Perform threat modeling | Manual, Disabled | 1.1.0 |
Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
Review administrator assignments weekly | CMA_0461 - Review administrator assignments weekly | Manual, Disabled | 1.1.0 |
Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
Review cloud identity report overview | CMA_0468 - Review cloud identity report overview | Manual, Disabled | 1.1.0 |
Review controlled folder access events | CMA_0471 - Review controlled folder access events | Manual, Disabled | 1.1.0 |
Review exploit protection events | CMA_0472 - Review exploit protection events | Manual, Disabled | 1.1.0 |
Review file and folder activity | CMA_0473 - Review file and folder activity | Manual, Disabled | 1.1.0 |
Review role group changes weekly | CMA_0476 - Review role group changes weekly | Manual, Disabled | 1.1.0 |
0716.10m3Organizational.1-10.m 10.06 Technical Vulnerability Management
ID: 0716.10m3Organizational.1-10.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Assess Security Controls | CMA_C1145 - Assess Security Controls | Manual, Disabled | 1.1.0 |
Deliver security assessment results | CMA_C1147 - Deliver security assessment results | Manual, Disabled | 1.1.0 |
Develop security assessment plan | CMA_C1144 - Develop security assessment plan | Manual, Disabled | 1.1.0 |
Produce Security Assessment report | CMA_C1146 - Produce Security Assessment report | Manual, Disabled | 1.1.0 |
SQL databases should have vulnerability findings resolved | Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. | AuditIfNotExists, Disabled | 4.1.0 |
0717.10m3Organizational.2-10.m 10.06 Technical Vulnerability Management
ID: 0717.10m3Organizational.2-10.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Observe and report security weaknesses | CMA_0384 - Observe and report security weaknesses | Manual, Disabled | 1.1.0 |
Perform threat modeling | CMA_0392 - Perform threat modeling | Manual, Disabled | 1.1.0 |
0718.10m3Organizational.34-10.m 10.06 Technical Vulnerability Management
ID: 0718.10m3Organizational.34-10.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Automate flaw remediation | CMA_0027 - Automate flaw remediation | Manual, Disabled | 1.1.0 |
Observe and report security weaknesses | CMA_0384 - Observe and report security weaknesses | Manual, Disabled | 1.1.0 |
Perform threat modeling | CMA_0392 - Perform threat modeling | Manual, Disabled | 1.1.0 |
Vulnerabilities in security configuration on your machines should be remediated | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.1.0 |
0719.10m3Organizational.5-10.m 10.06 Technical Vulnerability Management
ID: 0719.10m3Organizational.5-10.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Observe and report security weaknesses | CMA_0384 - Observe and report security weaknesses | Manual, Disabled | 1.1.0 |
Perform threat modeling | CMA_0392 - Perform threat modeling | Manual, Disabled | 1.1.0 |
Vulnerability assessment should be enabled on SQL Managed Instance | Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 1.0.1 |
0720.07a1Organizational.4-07.a 07.01 Responsibility for Assets
ID: 0720.07a1Organizational.4-07.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Create a data inventory | CMA_0096 - Create a data inventory | Manual, Disabled | 1.1.0 |
Maintain records of processing of personal data | CMA_0353 - Maintain records of processing of personal data | Manual, Disabled | 1.1.0 |
0722.07a1Organizational.67-07.a 07.01 Responsibility for Assets
ID: 0722.07a1Organizational.67-07.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Require compliance with intellectual property rights | CMA_0432 - Require compliance with intellectual property rights | Manual, Disabled | 1.1.0 |
Restrict use of open source software | CMA_C1237 - Restrict use of open source software | Manual, Disabled | 1.1.0 |
Track software license usage | CMA_C1235 - Track software license usage | Manual, Disabled | 1.1.0 |
0723.07a1Organizational.8-07.a 07.01 Responsibility for Assets
ID: 0723.07a1Organizational.8-07.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Review and update media protection policies and procedures | CMA_C1427 - Review and update media protection policies and procedures | Manual, Disabled | 1.1.0 |
0724.07a3Organizational.4-07.a 07.01 Responsibility for Assets
ID: 0724.07a3Organizational.4-07.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Enable detection of network devices | CMA_0220 - Enable detection of network devices | Manual, Disabled | 1.1.0 |
Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
Set automated notifications for new and trending cloud applications in your organization | CMA_0495 - Set automated notifications for new and trending cloud applications in your organization | Manual, Disabled | 1.1.0 |
Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
0725.07a3Organizational.5-07.a 07.01 Responsibility for Assets
ID: 0725.07a3Organizational.5-07.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Create a data inventory | CMA_0096 - Create a data inventory | Manual, Disabled | 1.1.0 |
Establish and maintain an asset inventory | CMA_0266 - Establish and maintain an asset inventory | Manual, Disabled | 1.1.0 |
Maintain records of processing of personal data | CMA_0353 - Maintain records of processing of personal data | Manual, Disabled | 1.1.0 |
0733.10b2System.4-10.b 10.02 Correct Processing in Applications
ID: 0733.10b2System.4-10.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Perform information input validation | CMA_C1723 - Perform information input validation | Manual, Disabled | 1.1.0 |
Verify software, firmware and information integrity | CMA_0542 - Verify software, firmware and information integrity | Manual, Disabled | 1.1.0 |
0786.10m2Organizational.13-10.m 10.06 Technical Vulnerability Management
ID: 0786.10m2Organizational.13-10.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Incorporate flaw remediation into configuration management | CMA_C1671 - Incorporate flaw remediation into configuration management | Manual, Disabled | 1.1.0 |
0787.10m2Organizational.14-10.m 10.06 Technical Vulnerability Management
ID: 0787.10m2Organizational.14-10.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Automate flaw remediation | CMA_0027 - Automate flaw remediation | Manual, Disabled | 1.1.0 |
Establish benchmarks for flaw remediation | CMA_C1675 - Establish benchmarks for flaw remediation | Manual, Disabled | 1.1.0 |
Incorporate flaw remediation into configuration management | CMA_C1671 - Incorporate flaw remediation into configuration management | Manual, Disabled | 1.1.0 |
Measure the time between flaw identification and flaw remediation | CMA_C1674 - Measure the time between flaw identification and flaw remediation | Manual, Disabled | 1.1.0 |
0788.10m3Organizational.20-10.m 10.06 Technical Vulnerability Management
ID: 0788.10m3Organizational.20-10.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Employ independent team for penetration testing | CMA_C1171 - Employ independent team for penetration testing | Manual, Disabled | 1.1.0 |
0790.10m3Organizational.22-10.m 10.06 Technical Vulnerability Management
ID: 0790.10m3Organizational.22-10.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
Correlate audit records | CMA_0087 - Correlate audit records | Manual, Disabled | 1.1.0 |
Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
Establish requirements for audit review and reporting | CMA_0277 - Establish requirements for audit review and reporting | Manual, Disabled | 1.1.0 |
Integrate audit review, analysis, and reporting | CMA_0339 - Integrate audit review, analysis, and reporting | Manual, Disabled | 1.1.0 |
Integrate cloud app security with a siem | CMA_0340 - Integrate cloud app security with a siem | Manual, Disabled | 1.1.0 |
Observe and report security weaknesses | CMA_0384 - Observe and report security weaknesses | Manual, Disabled | 1.1.0 |
Perform threat modeling | CMA_0392 - Perform threat modeling | Manual, Disabled | 1.1.0 |
Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
Review administrator assignments weekly | CMA_0461 - Review administrator assignments weekly | Manual, Disabled | 1.1.0 |
Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
Review cloud identity report overview | CMA_0468 - Review cloud identity report overview | Manual, Disabled | 1.1.0 |
Review controlled folder access events | CMA_0471 - Review controlled folder access events | Manual, Disabled | 1.1.0 |
Review exploit protection events | CMA_0472 - Review exploit protection events | Manual, Disabled | 1.1.0 |
Review file and folder activity | CMA_0473 - Review file and folder activity | Manual, Disabled | 1.1.0 |
Review role group changes weekly | CMA_0476 - Review role group changes weekly | Manual, Disabled | 1.1.0 |
0791.10b2Organizational.4-10.b 10.02 Correct Processing in Applications
ID: 0791.10b2Organizational.4-10.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Address coding vulnerabilities | CMA_0003 - Address coding vulnerabilities | Manual, Disabled | 1.1.0 |
Develop and document application security requirements | CMA_0148 - Develop and document application security requirements | Manual, Disabled | 1.1.0 |
Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
Establish a secure software development program | CMA_0259 - Establish a secure software development program | Manual, Disabled | 1.1.0 |
Require developers to document approved changes and potential impact | CMA_C1597 - Require developers to document approved changes and potential impact | Manual, Disabled | 1.1.0 |
Require developers to implement only approved changes | CMA_C1596 - Require developers to implement only approved changes | Manual, Disabled | 1.1.0 |
Require developers to manage change integrity | CMA_C1595 - Require developers to manage change integrity | Manual, Disabled | 1.1.0 |
Verify software, firmware and information integrity | CMA_0542 - Verify software, firmware and information integrity | Manual, Disabled | 1.1.0 |
08 Network Protection
0805.01m1Organizational.12-01.m 01.04 Network Access Control
ID: 0805.01m1Organizational.12-01.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
[Preview]: Container Registry should use a virtual network service endpoint | This policy audits any Container Registry not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0-preview |
App Service apps should use a virtual network service endpoint | Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit https://aka.ms/appservice-vnet-service-endpoint. | AuditIfNotExists, Disabled | 2.0.1 |
Cosmos DB should use a virtual network service endpoint | This policy audits any Cosmos DB not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0 |
Event Hub should use a virtual network service endpoint | This policy audits any Event Hub not configured to use a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.0 |
Gateway subnets should not be configured with a network security group | This policy denies if a gateway subnet is configured with a network security group. Assigning a network security group to a gateway subnet will cause the gateway to stop functioning. | deny | 1.0.0 |
Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0 |
Key Vault should use a virtual network service endpoint | This policy audits any Key Vault not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0 |
SQL Server should use a virtual network service endpoint | This policy audits any SQL Server not configured to use a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.0 |
Storage Accounts should use a virtual network service endpoint | This policy audits any Storage Account not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0 |
Subnets should be associated with a Network Security Group | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | AuditIfNotExists, Disabled | 3.0.0 |
Virtual machines should be connected to an approved virtual network | This policy audits any virtual machine connected to a virtual network that is not approved. | Audit, Deny, Disabled | 1.0.0 |
0806.01m2Organizational.12356-01.m 01.04 Network Access Control
ID: 0806.01m2Organizational.12356-01.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
[Preview]: Container Registry should use a virtual network service endpoint | This policy audits any Container Registry not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0-preview |
App Service apps should use a virtual network service endpoint | Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit https://aka.ms/appservice-vnet-service-endpoint. | AuditIfNotExists, Disabled | 2.0.1 |
Cosmos DB should use a virtual network service endpoint | This policy audits any Cosmos DB not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0 |
Event Hub should use a virtual network service endpoint | This policy audits any Event Hub not configured to use a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.0 |
Gateway subnets should not be configured with a network security group | This policy denies if a gateway subnet is configured with a network security group. Assigning a network security group to a gateway subnet will cause the gateway to stop functioning. | deny | 1.0.0 |
Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0 |
Isolate SecurID systems, Security Incident Management systems | CMA_C1636 - Isolate SecurID systems, Security Incident Management systems | Manual, Disabled | 1.1.0 |
Key Vault should use a virtual network service endpoint | This policy audits any Key Vault not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0 |
SQL Server should use a virtual network service endpoint | This policy audits any SQL Server not configured to use a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.0 |
Storage Accounts should use a virtual network service endpoint | This policy audits any Storage Account not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0 |
Subnets should be associated with a Network Security Group | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | AuditIfNotExists, Disabled | 3.0.0 |
Virtual machines should be connected to an approved virtual network | This policy audits any virtual machine connected to a virtual network that is not approved. | Audit, Deny, Disabled | 1.0.0 |
0808.10b2System.3-10.b 10.02 Correct Processing in Applications
ID: 0808.10b2System.3-10.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
Route traffic through authenticated proxy network | CMA_C1633 - Route traffic through authenticated proxy network | Manual, Disabled | 1.1.0 |
0809.01n2Organizational.1234-01.n 01.04 Network Access Control
ID: 0809.01n2Organizational.1234-01.n Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
App Service apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 4.0.0 |
App Service apps should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 2.1.0 |
Authorize, monitor, and control voip | CMA_0025 - Authorize, monitor, and control voip | Manual, Disabled | 1.1.0 |
Enforce SSL connection should be enabled for MySQL database servers | Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
Enforce SSL connection should be enabled for PostgreSQL database servers | Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
Function apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 5.0.0 |
Function apps should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 2.1.0 |
Implement managed interface for each external service | CMA_C1626 - Implement managed interface for each external service | Manual, Disabled | 1.1.0 |
Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0 |
Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
Only secure connections to your Azure Cache for Redis should be enabled | Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 1.0.0 |
Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
Secure transfer to storage accounts should be enabled | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 2.0.0 |
Subnets should be associated with a Network Security Group | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | AuditIfNotExists, Disabled | 3.0.0 |
Virtual machines should be connected to an approved virtual network | This policy audits any virtual machine connected to a virtual network that is not approved. | Audit, Deny, Disabled | 1.0.0 |
0810.01n2Organizational.5-01.n 01.04 Network Access Control
ID: 0810.01n2Organizational.5-01.n Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
App Service apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 4.0.0 |
App Service apps should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 2.1.0 |
Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
Enforce SSL connection should be enabled for MySQL database servers | Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
Enforce SSL connection should be enabled for PostgreSQL database servers | Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
Function apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 5.0.0 |
Function apps should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 2.1.0 |
Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0 |
Only secure connections to your Azure Cache for Redis should be enabled | Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 1.0.0 |
Produce, control and distribute asymmetric cryptographic keys | CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys | Manual, Disabled | 1.1.0 |
Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
Secure transfer to storage accounts should be enabled | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 2.0.0 |
Subnets should be associated with a Network Security Group | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | AuditIfNotExists, Disabled | 3.0.0 |
Virtual machines should be connected to an approved virtual network | This policy audits any virtual machine connected to a virtual network that is not approved. | Audit, Deny, Disabled | 1.0.0 |
08101.09m2Organizational.14-09.m 09.06 Network Security Management
ID: 08101.09m2Organizational.14-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Manual, Disabled | 1.1.0 |
Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
08102.09nCSPOrganizational.1-09.n 09.06 Network Security Management
ID: 08102.09nCSPOrganizational.1-09.n Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
0811.01n2Organizational.6-01.n 01.04 Network Access Control
ID: 0811.01n2Organizational.6-01.n Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
App Service apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 4.0.0 |
App Service apps should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 2.1.0 |
Authorize, monitor, and control voip | CMA_0025 - Authorize, monitor, and control voip | Manual, Disabled | 1.1.0 |
Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
Determine information protection needs | CMA_C1750 - Determine information protection needs | Manual, Disabled | 1.1.0 |
Employ flow control mechanisms of encrypted information | CMA_0211 - Employ flow control mechanisms of encrypted information | Manual, Disabled | 1.1.0 |
Enforce SSL connection should be enabled for MySQL database servers | Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
Enforce SSL connection should be enabled for PostgreSQL database servers | Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
Function apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 5.0.0 |
Function apps should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 2.1.0 |
Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
Implement managed interface for each external service | CMA_C1626 - Implement managed interface for each external service | Manual, Disabled | 1.1.0 |
Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
Information flow control using security policy filters | CMA_C1029 - Information flow control using security policy filters | Manual, Disabled | 1.1.0 |
Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0 |
Only secure connections to your Azure Cache for Redis should be enabled | Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 1.0.0 |
Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
Secure transfer to storage accounts should be enabled | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 2.0.0 |
Subnets should be associated with a Network Security Group | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | AuditIfNotExists, Disabled | 3.0.0 |
Virtual machines should be connected to an approved virtual network | This policy audits any virtual machine connected to a virtual network that is not approved. | Audit, Deny, Disabled | 1.0.0 |
0812.01n2Organizational.8-01.n 01.04 Network Access Control
ID: 0812.01n2Organizational.8-01.n Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
App Service apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 4.0.0 |
App Service apps should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 2.1.0 |
Enforce SSL connection should be enabled for MySQL database servers | Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
Enforce SSL connection should be enabled for PostgreSQL database servers | Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
Function apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 5.0.0 |
Function apps should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 2.1.0 |
Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0 |
Only secure connections to your Azure Cache for Redis should be enabled | Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 1.0.0 |
Prevent split tunneling for remote devices | CMA_C1632 - Prevent split tunneling for remote devices | Manual, Disabled | 1.1.0 |
Secure transfer to storage accounts should be enabled | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 2.0.0 |
Subnets should be associated with a Network Security Group | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | AuditIfNotExists, Disabled | 3.0.0 |
Virtual machines should be connected to an approved virtual network | This policy audits any virtual machine connected to a virtual network that is not approved. | Audit, Deny, Disabled | 1.0.0 |
0814.01n1Organizational.12-01.n 01.04 Network Access Control
ID: 0814.01n1Organizational.12-01.n Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
App Service apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 4.0.0 |
App Service apps should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 2.1.0 |
Enforce SSL connection should be enabled for MySQL database servers | Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
Enforce SSL connection should be enabled for PostgreSQL database servers | Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
Function apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 5.0.0 |
Function apps should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 2.1.0 |
Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0 |
Only secure connections to your Azure Cache for Redis should be enabled | Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 1.0.0 |
Secure transfer to storage accounts should be enabled | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 2.0.0 |
Subnets should be associated with a Network Security Group | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | AuditIfNotExists, Disabled | 3.0.0 |
Virtual machines should be connected to an approved virtual network | This policy audits any virtual machine connected to a virtual network that is not approved. | Audit, Deny, Disabled | 1.0.0 |
0815.01o2Organizational.123-01.o 01.04 Network Access Control
ID: 0815.01o2Organizational.123-01.o Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Authorize, monitor, and control voip | CMA_0025 - Authorize, monitor, and control voip | Manual, Disabled | 1.1.0 |
Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
Route traffic through authenticated proxy network | CMA_C1633 - Route traffic through authenticated proxy network | Manual, Disabled | 1.1.0 |
Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
0816.01w1System.1-01.w 01.06 Application and Information Access Control
ID: 0816.01w1System.1-01.w Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Develop SSP that meets criteria | CMA_C1492 - Develop SSP that meets criteria | Manual, Disabled | 1.1.0 |
Distribute information system documentation | CMA_C1584 - Distribute information system documentation | Manual, Disabled | 1.1.0 |
Document customer-defined actions | CMA_C1582 - Document customer-defined actions | Manual, Disabled | 1.1.0 |
Obtain Admin documentation | CMA_C1580 - Obtain Admin documentation | Manual, Disabled | 1.1.0 |
Obtain user security function documentation | CMA_C1581 - Obtain user security function documentation | Manual, Disabled | 1.1.0 |
Protect administrator and user documentation | CMA_C1583 - Protect administrator and user documentation | Manual, Disabled | 1.1.0 |
0817.01w2System.123-01.w 01.06 Application and Information Access Control
ID: 0817.01w2System.123-01.w Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0 |
Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
Employ boundary protection to isolate information systems | CMA_C1639 - Employ boundary protection to isolate information systems | Manual, Disabled | 1.1.0 |
Ensure system capable of dynamic isolation of resources | CMA_C1638 - Ensure system capable of dynamic isolation of resources | Manual, Disabled | 1.1.0 |
Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
Isolate SecurID systems, Security Incident Management systems | CMA_C1636 - Isolate SecurID systems, Security Incident Management systems | Manual, Disabled | 1.1.0 |
Maintain separate execution domains for running processes | CMA_C1665 - Maintain separate execution domains for running processes | Manual, Disabled | 1.1.0 |
Separate user and information system management functionality | CMA_0493 - Separate user and information system management functionality | Manual, Disabled | 1.1.0 |
Use dedicated machines for administrative tasks | CMA_0527 - Use dedicated machines for administrative tasks | Manual, Disabled | 1.1.0 |
0818.01w3System.12-01.w 01.06 Application and Information Access Control
ID: 0818.01w3System.12-01.w Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Govern the allocation of resources | CMA_0293 - Govern the allocation of resources | Manual, Disabled | 1.1.0 |
Maintain separate execution domains for running processes | CMA_C1665 - Maintain separate execution domains for running processes | Manual, Disabled | 1.1.0 |
Manage availability and capacity | CMA_0356 - Manage availability and capacity | Manual, Disabled | 1.1.0 |
Secure commitment from leadership | CMA_0489 - Secure commitment from leadership | Manual, Disabled | 1.1.0 |
0819.09m1Organizational.23-09.m 09.06 Network Security Management
ID: 0819.09m1Organizational.23-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Check for privacy and security compliance before establishing internal connections | CMA_0053 - Check for privacy and security compliance before establishing internal connections | Manual, Disabled | 1.1.0 |
Require interconnection security agreements | CMA_C1151 - Require interconnection security agreements | Manual, Disabled | 1.1.0 |
0821.09m2Organizational.2-09.m 09.06 Network Security Management
ID: 0821.09m2Organizational.2-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
Configure actions for noncompliant devices | CMA_0062 - Configure actions for noncompliant devices | Manual, Disabled | 1.1.0 |
Create configuration plan protection | CMA_C1233 - Create configuration plan protection | Manual, Disabled | 1.1.0 |
Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Manual, Disabled | 1.1.0 |
Develop and maintain baseline configurations | CMA_0153 - Develop and maintain baseline configurations | Manual, Disabled | 1.1.0 |
Develop configuration item identification plan | CMA_C1231 - Develop configuration item identification plan | Manual, Disabled | 1.1.0 |
Develop configuration management plan | CMA_C1232 - Develop configuration management plan | Manual, Disabled | 1.1.0 |
Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
Establish a configuration control board | CMA_0254 - Establish a configuration control board | Manual, Disabled | 1.1.0 |
Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Manual, Disabled | 1.1.0 |
Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Manual, Disabled | 1.1.0 |
Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
Review changes for any unauthorized changes | CMA_C1204 - Review changes for any unauthorized changes | Manual, Disabled | 1.1.0 |
0822.09m2Organizational.4-09.m 09.06 Network Security Management
ID: 0822.09m2Organizational.4-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Authorize, monitor, and control voip | CMA_0025 - Authorize, monitor, and control voip | Manual, Disabled | 1.1.0 |
Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
Employ flow control mechanisms of encrypted information | CMA_0211 - Employ flow control mechanisms of encrypted information | Manual, Disabled | 1.1.0 |
Implement managed interface for each external service | CMA_C1626 - Implement managed interface for each external service | Manual, Disabled | 1.1.0 |
Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
Route traffic through authenticated proxy network | CMA_C1633 - Route traffic through authenticated proxy network | Manual, Disabled | 1.1.0 |
Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
0824.09m3Organizational.1-09.m 09.06 Network Security Management
ID: 0824.09m3Organizational.1-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Conduct Risk Assessment | CMA_C1543 - Conduct Risk Assessment | Manual, Disabled | 1.1.0 |
Conduct risk assessment and distribute its results | CMA_C1544 - Conduct risk assessment and distribute its results | Manual, Disabled | 1.1.0 |
Conduct risk assessment and document its results | CMA_C1542 - Conduct risk assessment and document its results | Manual, Disabled | 1.1.0 |
Configure detection whitelist | CMA_0068 - Configure detection whitelist | Manual, Disabled | 1.1.0 |
Establish an alternate processing site | CMA_0262 - Establish an alternate processing site | Manual, Disabled | 1.1.0 |
Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
Plan for resumption of essential business functions | CMA_C1253 - Plan for resumption of essential business functions | Manual, Disabled | 1.1.0 |
Separately store backup information | CMA_C1293 - Separately store backup information | Manual, Disabled | 1.1.0 |
Turn on sensors for endpoint security solution | CMA_0514 - Turn on sensors for endpoint security solution | Manual, Disabled | 1.1.0 |
Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
0825.09m3Organizational.23-09.m 09.06 Network Security Management
ID: 0825.09m3Organizational.23-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Authorize, monitor, and control voip | CMA_0025 - Authorize, monitor, and control voip | Manual, Disabled | 1.1.0 |
Detect network services that have not been authorized or approved | CMA_C1700 - Detect network services that have not been authorized or approved | Manual, Disabled | 1.1.0 |
Document wireless access security controls | CMA_C1695 - Document wireless access security controls | Manual, Disabled | 1.1.0 |
Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
Obtain legal opinion for monitoring system activities | CMA_C1688 - Obtain legal opinion for monitoring system activities | Manual, Disabled | 1.1.0 |
Provide monitoring information as needed | CMA_C1689 - Provide monitoring information as needed | Manual, Disabled | 1.1.0 |
Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
0826.09m3Organizational.45-09.m 09.06 Network Security Management
ID: 0826.09m3Organizational.45-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Implement managed interface for each external service | CMA_C1626 - Implement managed interface for each external service | Manual, Disabled | 1.1.0 |
Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
0828.09m3Organizational.8-09.m 09.06 Network Security Management
ID: 0828.09m3Organizational.8-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Review changes for any unauthorized changes | CMA_C1204 - Review changes for any unauthorized changes | Manual, Disabled | 1.1.0 |
0829.09m3Organizational.911-09.m 09.06 Network Security Management
ID: 0829.09m3Organizational.911-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Implement managed interface for each external service | CMA_C1626 - Implement managed interface for each external service | Manual, Disabled | 1.1.0 |
Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
0830.09m3Organizational.1012-09.m 09.06 Network Security Management
ID: 0830.09m3Organizational.1012-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
Authorize, monitor, and control voip | CMA_0025 - Authorize, monitor, and control voip | Manual, Disabled | 1.1.0 |
Enforce user uniqueness | CMA_0250 - Enforce user uniqueness | Manual, Disabled | 1.1.0 |
Implement managed interface for each external service | CMA_C1626 - Implement managed interface for each external service | Manual, Disabled | 1.1.0 |
Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
Support personal verification credentials issued by legal authorities | CMA_0507 - Support personal verification credentials issued by legal authorities | Manual, Disabled | 1.1.0 |
0832.09m3Organizational.14-09.m 09.06 Network Security Management
ID: 0832.09m3Organizational.14-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Implement a fault tolerant name/address service | CMA_0305 - Implement a fault tolerant name/address service | Manual, Disabled | 1.1.0 |
Require interconnection security agreements | CMA_C1151 - Require interconnection security agreements | Manual, Disabled | 1.1.0 |
Update interconnection security agreements | CMA_0519 - Update interconnection security agreements | Manual, Disabled | 1.1.0 |
0835.09n1Organizational.1-09.n 09.06 Network Security Management
ID: 0835.09n1Organizational.1-09.n Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
[Preview]: Network traffic data collection agent should be installed on Windows virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview |
Configure detection whitelist | CMA_0068 - Configure detection whitelist | Manual, Disabled | 1.1.0 |
Require interconnection security agreements | CMA_C1151 - Require interconnection security agreements | Manual, Disabled | 1.1.0 |
Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
Turn on sensors for endpoint security solution | CMA_0514 - Turn on sensors for endpoint security solution | Manual, Disabled | 1.1.0 |
Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
Virtual machines should be migrated to new Azure Resource Manager resources | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Audit, Deny, Disabled | 1.0.0 |
0836.09.n2Organizational.1-09.n 09.06 Network Security Management
ID: 0836.09.n2Organizational.1-09.n Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
[Preview]: Network traffic data collection agent should be installed on Linux virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview |
Check for privacy and security compliance before establishing internal connections | CMA_0053 - Check for privacy and security compliance before establishing internal connections | Manual, Disabled | 1.1.0 |
Require interconnection security agreements | CMA_C1151 - Require interconnection security agreements | Manual, Disabled | 1.1.0 |
Update interconnection security agreements | CMA_0519 - Update interconnection security agreements | Manual, Disabled | 1.1.0 |
0837.09.n2Organizational.2-09.n 09.06 Network Security Management
ID: 0837.09.n2Organizational.2-09.n Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define and document government oversight | CMA_C1587 - Define and document government oversight | Manual, Disabled | 1.1.0 |
Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
Ensure external providers consistently meet interests of the customers | CMA_C1592 - Ensure external providers consistently meet interests of the customers | Manual, Disabled | 1.1.0 |
Identify external service providers | CMA_C1591 - Identify external service providers | Manual, Disabled | 1.1.0 |
Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | AuditIfNotExists, Disabled | 3.0.0 |
Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0 |
Require interconnection security agreements | CMA_C1151 - Require interconnection security agreements | Manual, Disabled | 1.1.0 |
Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Manual, Disabled | 1.1.0 |
Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
Update interconnection security agreements | CMA_0519 - Update interconnection security agreements | Manual, Disabled | 1.1.0 |
0850.01o1Organizational.12-01.o 01.04 Network Access Control
ID: 0850.01o1Organizational.12-01.o Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Route traffic through authenticated proxy network | CMA_C1633 - Route traffic through authenticated proxy network | Manual, Disabled | 1.1.0 |
0858.09m1Organizational.4-09.m 09.06 Network Security Management
ID: 0858.09m1Organizational.4-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
All network ports should be restricted on network security groups associated to your virtual machine | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | AuditIfNotExists, Disabled | 3.0.0 |
Document and implement wireless access guidelines | CMA_0190 - Document and implement wireless access guidelines | Manual, Disabled | 1.1.0 |
Document wireless access security controls | CMA_C1695 - Document wireless access security controls | Manual, Disabled | 1.1.0 |
Identify and authenticate network devices | CMA_0296 - Identify and authenticate network devices | Manual, Disabled | 1.1.0 |
Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.0.0 |
Protect wireless access | CMA_0411 - Protect wireless access | Manual, Disabled | 1.1.0 |
Windows machines should meet requirements for 'Windows Firewall Properties' | Windows machines should have the specified Group Policy settings in the category 'Windows Firewall Properties' for firewall state, connections, rule management, and notifications. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
0859.09m1Organizational.78-09.m 09.06 Network Security Management
ID: 0859.09m1Organizational.78-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
Define access authorizations to support separation of duties | CMA_0116 - Define access authorizations to support separation of duties | Manual, Disabled | 1.1.0 |
Document separation of duties | CMA_0204 - Document separation of duties | Manual, Disabled | 1.1.0 |
Employ flow control mechanisms of encrypted information | CMA_0211 - Employ flow control mechanisms of encrypted information | Manual, Disabled | 1.1.0 |
Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
Information flow control using security policy filters | CMA_C1029 - Information flow control using security policy filters | Manual, Disabled | 1.1.0 |
Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
Review and update system and communications protection policies and procedures | CMA_C1616 - Review and update system and communications protection policies and procedures | Manual, Disabled | 1.1.0 |
Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
Separate duties of individuals | CMA_0492 - Separate duties of individuals | Manual, Disabled | 1.1.0 |
0860.09m1Organizational.9-09.m 09.06 Network Security Management
ID: 0860.09m1Organizational.9-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Deploy Diagnostic Settings for Network Security Groups | This policy automatically deploys diagnostic settings to network security groups. A storage account with name '{storagePrefixParameter}{NSGLocation}' will be automatically created. | deployIfNotExists | 2.0.1 |
Establish an alternate processing site | CMA_0262 - Establish an alternate processing site | Manual, Disabled | 1.1.0 |
Implement managed interface for each external service | CMA_C1626 - Implement managed interface for each external service | Manual, Disabled | 1.1.0 |
Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
Separately store backup information | CMA_C1293 - Separately store backup information | Manual, Disabled | 1.1.0 |
0861.09m2Organizational.67-09.m 09.06 Network Security Management
ID: 0861.09m2Organizational.67-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
App Service apps should use a virtual network service endpoint | Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit https://aka.ms/appservice-vnet-service-endpoint. | AuditIfNotExists, Disabled | 2.0.1 |
Document and implement wireless access guidelines | CMA_0190 - Document and implement wireless access guidelines | Manual, Disabled | 1.1.0 |
Document wireless access security controls | CMA_C1695 - Document wireless access security controls | Manual, Disabled | 1.1.0 |
Identify and authenticate network devices | CMA_0296 - Identify and authenticate network devices | Manual, Disabled | 1.1.0 |
Identify and authenticate non-organizational users | CMA_C1346 - Identify and authenticate non-organizational users | Manual, Disabled | 1.1.0 |
Protect wireless access | CMA_0411 - Protect wireless access | Manual, Disabled | 1.1.0 |
Windows machines should meet requirements for 'Security Options - Network Access' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Access' for including access for anonymous users, local accounts, and remote access to the registry. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
0862.09m2Organizational.8-09.m 09.06 Network Security Management
ID: 0862.09m2Organizational.8-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
SQL Server should use a virtual network service endpoint | This policy audits any SQL Server not configured to use a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.0 |
0863.09m2Organizational.910-09.m 09.06 Network Security Management
ID: 0863.09m2Organizational.910-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Check for privacy and security compliance before establishing internal connections | CMA_0053 - Check for privacy and security compliance before establishing internal connections | Manual, Disabled | 1.1.0 |
Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
Configure actions for noncompliant devices | CMA_0062 - Configure actions for noncompliant devices | Manual, Disabled | 1.1.0 |
Develop a concept of operations (CONOPS) | CMA_0141 - Develop a concept of operations (CONOPS) | Manual, Disabled | 1.1.0 |
Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Manual, Disabled | 1.1.0 |
Develop and maintain baseline configurations | CMA_0153 - Develop and maintain baseline configurations | Manual, Disabled | 1.1.0 |
Develop configuration item identification plan | CMA_C1231 - Develop configuration item identification plan | Manual, Disabled | 1.1.0 |
Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Manual, Disabled | 1.1.0 |
Develop SSP that meets criteria | CMA_C1492 - Develop SSP that meets criteria | Manual, Disabled | 1.1.0 |
Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
Establish a configuration control board | CMA_0254 - Establish a configuration control board | Manual, Disabled | 1.1.0 |
Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Manual, Disabled | 1.1.0 |
Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
Event Hub should use a virtual network service endpoint | This policy audits any Event Hub not configured to use a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.0 |
Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Manual, Disabled | 1.1.0 |
Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
Review and update the information security architecture | CMA_C1504 - Review and update the information security architecture | Manual, Disabled | 1.1.0 |
0864.09m2Organizational.12-09.m 09.06 Network Security Management
ID: 0864.09m2Organizational.12-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Authorize, monitor, and control voip | CMA_0025 - Authorize, monitor, and control voip | Manual, Disabled | 1.1.0 |
Cosmos DB should use a virtual network service endpoint | This policy audits any Cosmos DB not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0 |
Establish voip usage restrictions | CMA_0280 - Establish voip usage restrictions | Manual, Disabled | 1.1.0 |
Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
0865.09m2Organizational.13-09.m 09.06 Network Security Management
ID: 0865.09m2Organizational.13-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Check for privacy and security compliance before establishing internal connections | CMA_0053 - Check for privacy and security compliance before establishing internal connections | Manual, Disabled | 1.1.0 |
Employ restrictions on external system interconnections | CMA_C1155 - Employ restrictions on external system interconnections | Manual, Disabled | 1.1.0 |
Key Vault should use a virtual network service endpoint | This policy audits any Key Vault not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0 |
Require interconnection security agreements | CMA_C1151 - Require interconnection security agreements | Manual, Disabled | 1.1.0 |
Update interconnection security agreements | CMA_0519 - Update interconnection security agreements | Manual, Disabled | 1.1.0 |
0866.09m3Organizational.1516-09.m 09.06 Network Security Management
ID: 0866.09m3Organizational.1516-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Authorize, monitor, and control voip | CMA_0025 - Authorize, monitor, and control voip | Manual, Disabled | 1.1.0 |
Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Manual, Disabled | 1.1.0 |
Develop SSP that meets criteria | CMA_C1492 - Develop SSP that meets criteria | Manual, Disabled | 1.1.0 |
Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
Review and update system and communications protection policies and procedures | CMA_C1616 - Review and update system and communications protection policies and procedures | Manual, Disabled | 1.1.0 |
Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
Storage accounts should restrict network access | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Audit, Deny, Disabled | 1.1.1 |
0868.09m3Organizational.18-09.m 09.06 Network Security Management
ID: 0868.09m3Organizational.18-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
[Preview]: Container Registry should use a virtual network service endpoint | This policy audits any Container Registry not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0-preview |
Authorize, monitor, and control voip | CMA_0025 - Authorize, monitor, and control voip | Manual, Disabled | 1.1.0 |
Implement managed interface for each external service | CMA_C1626 - Implement managed interface for each external service | Manual, Disabled | 1.1.0 |
Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
0869.09m3Organizational.19-09.m 09.06 Network Security Management
ID: 0869.09m3Organizational.19-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
[Preview]: Container Registry should use a virtual network service endpoint | This policy audits any Container Registry not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0-preview |
Configure actions for noncompliant devices | CMA_0062 - Configure actions for noncompliant devices | Manual, Disabled | 1.1.0 |
Create configuration plan protection | CMA_C1233 - Create configuration plan protection | Manual, Disabled | 1.1.0 |
Develop and maintain baseline configurations | CMA_0153 - Develop and maintain baseline configurations | Manual, Disabled | 1.1.0 |
Develop configuration item identification plan | CMA_C1231 - Develop configuration item identification plan | Manual, Disabled | 1.1.0 |
Develop configuration management plan | CMA_C1232 - Develop configuration management plan | Manual, Disabled | 1.1.0 |
Employ automatic shutdown/restart when violations are detected | CMA_C1715 - Employ automatic shutdown/restart when violations are detected | Manual, Disabled | 1.1.0 |
Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
Establish a configuration control board | CMA_0254 - Establish a configuration control board | Manual, Disabled | 1.1.0 |
Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Manual, Disabled | 1.1.0 |
Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Manual, Disabled | 1.1.0 |
0870.09m3Organizational.20-09.m 09.06 Network Security Management
ID: 0870.09m3Organizational.20-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
[Preview]: Container Registry should use a virtual network service endpoint | This policy audits any Container Registry not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0-preview |
Detect network services that have not been authorized or approved | CMA_C1700 - Detect network services that have not been authorized or approved | Manual, Disabled | 1.1.0 |
Enforce user uniqueness | CMA_0250 - Enforce user uniqueness | Manual, Disabled | 1.1.0 |
Identify and authenticate non-organizational users | CMA_C1346 - Identify and authenticate non-organizational users | Manual, Disabled | 1.1.0 |
Identify external service providers | CMA_C1591 - Identify external service providers | Manual, Disabled | 1.1.0 |
Implement managed interface for each external service | CMA_C1626 - Implement managed interface for each external service | Manual, Disabled | 1.1.0 |
Route traffic through authenticated proxy network | CMA_C1633 - Route traffic through authenticated proxy network | Manual, Disabled | 1.1.0 |
Support personal verification credentials issued by legal authorities | CMA_0507 - Support personal verification credentials issued by legal authorities | Manual, Disabled | 1.1.0 |
0871.09m3Organizational.22-09.m 09.06 Network Security Management
ID: 0871.09m3Organizational.22-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
[Preview]: Container Registry should use a virtual network service endpoint | This policy audits any Container Registry not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0-preview |
Implement a fault tolerant name/address service | CMA_0305 - Implement a fault tolerant name/address service | Manual, Disabled | 1.1.0 |
Provide secure name and address resolution services | CMA_0416 - Provide secure name and address resolution services | Manual, Disabled | 1.1.0 |
Verify software, firmware and information integrity | CMA_0542 - Verify software, firmware and information integrity | Manual, Disabled | 1.1.0 |
0885.09n2Organizational.3-09.n 09.06 Network Security Management
ID: 0885.09n2Organizational.3-09.n Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
[Preview]: Network traffic data collection agent should be installed on Linux virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview |
Require interconnection security agreements | CMA_C1151 - Require interconnection security agreements | Manual, Disabled | 1.1.0 |
Update interconnection security agreements | CMA_0519 - Update interconnection security agreements | Manual, Disabled | 1.1.0 |
0886.09n2Organizational.4-09.n 09.06 Network Security Management
ID: 0886.09n2Organizational.4-09.n Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Employ restrictions on external system interconnections | CMA_C1155 - Employ restrictions on external system interconnections | Manual, Disabled | 1.1.0 |
Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | AuditIfNotExists, Disabled | 3.0.0 |
0887.09n2Organizational.5-09.n 09.06 Network Security Management
ID: 0887.09n2Organizational.5-09.n Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
[Preview]: Network traffic data collection agent should be installed on Windows virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview |
Require developer to identify SDLC ports, protocols, and services | CMA_C1578 - Require developer to identify SDLC ports, protocols, and services | Manual, Disabled | 1.1.0 |
Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
0888.09n2Organizational.6-09.n 09.06 Network Security Management
ID: 0888.09n2Organizational.6-09.n Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define and document government oversight | CMA_C1587 - Define and document government oversight | Manual, Disabled | 1.1.0 |
Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
Ensure external providers consistently meet interests of the customers | CMA_C1592 - Ensure external providers consistently meet interests of the customers | Manual, Disabled | 1.1.0 |
Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | AuditIfNotExists, Disabled | 3.0.0 |
Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0 |
Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Manual, Disabled | 1.1.0 |
Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
0894.01m2Organizational.7-01.m 01.04 Network Access Control
ID: 0894.01m2Organizational.7-01.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
[Preview]: Container Registry should use a virtual network service endpoint | This policy audits any Container Registry not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0-preview |
App Service apps should use a virtual network service endpoint | Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit https://aka.ms/appservice-vnet-service-endpoint. | AuditIfNotExists, Disabled | 2.0.1 |
Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
Cosmos DB should use a virtual network service endpoint | This policy audits any Cosmos DB not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0 |
Deploy network watcher when virtual networks are created | This policy creates a network watcher resource in regions with virtual networks. You need to ensure existence of a resource group named networkWatcherRG, which will be used to deploy network watcher instances. | DeployIfNotExists | 1.0.0 |
Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
Event Hub should use a virtual network service endpoint | This policy audits any Event Hub not configured to use a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.0 |
Gateway subnets should not be configured with a network security group | This policy denies if a gateway subnet is configured with a network security group. Assigning a network security group to a gateway subnet will cause the gateway to stop functioning. | deny | 1.0.0 |
Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0 |
Key Vault should use a virtual network service endpoint | This policy audits any Key Vault not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0 |
Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
Route traffic through authenticated proxy network | CMA_C1633 - Route traffic through authenticated proxy network | Manual, Disabled | 1.1.0 |
SQL Server should use a virtual network service endpoint | This policy audits any SQL Server not configured to use a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.0 |
Storage Accounts should use a virtual network service endpoint | This policy audits any Storage Account not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0 |
Subnets should be associated with a Network Security Group | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | AuditIfNotExists, Disabled | 3.0.0 |
Virtual machines should be connected to an approved virtual network | This policy audits any virtual machine connected to a virtual network that is not approved. | Audit, Deny, Disabled | 1.0.0 |
Back-up
Workforce members roles and responsibilities in the data backup process are identified and communicated to the workforce; in particular, Bring Your Own Device (BYOD) users are required to perform backups of organizational and/or client data on their devices.
ID: 1699.09l1Organizational.10 - 09.l Ownership: Customer
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Azure Backup should be enabled for Virtual Machines | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | AuditIfNotExists, Disabled | 3.0.0 |
Network Controls
Wireless access points are placed in secure areas and shut down when not in use (e.g. nights, weekends).
ID: 0867.09m3Organizational.17 - 09.m Ownership: Customer
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Storage Accounts should use a virtual network service endpoint | This policy audits any Storage Account not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0 |
On-line Transactions
The organization requires the use of encryption between, and the use of electronic signatures by, each of the parties involved in the transaction.
ID: 0946.09y2Organizational.14 - 09.y Ownership: Customer
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Only secure connections to your Azure Cache for Redis should be enabled | Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 1.0.0 |
09 Transmission Protection
0901.09s1Organizational.1-09.s 09.08 Exchange of Information
ID: 0901.09s1Organizational.1-09.s Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
App Service apps should not have CORS configured to allow every resource to access your apps | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. | AuditIfNotExists, Disabled | 2.0.0 |
Categorize information | CMA_0052 - Categorize information | Manual, Disabled | 1.1.0 |
Configure actions for noncompliant devices | CMA_0062 - Configure actions for noncompliant devices | Manual, Disabled | 1.1.0 |
Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
Develop and maintain baseline configurations | CMA_0153 - Develop and maintain baseline configurations | Manual, Disabled | 1.1.0 |
Develop business classification schemes | CMA_0155 - Develop business classification schemes | Manual, Disabled | 1.1.0 |
Develop organization code of conduct policy | CMA_0159 - Develop organization code of conduct policy | Manual, Disabled | 1.1.0 |
Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
Ensure security categorization is approved | CMA_C1540 - Ensure security categorization is approved | Manual, Disabled | 1.1.0 |
Establish a configuration control board | CMA_0254 - Establish a configuration control board | Manual, Disabled | 1.1.0 |
Establish a data leakage management procedure | CMA_0255 - Establish a data leakage management procedure | Manual, Disabled | 1.1.0 |
Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Manual, Disabled | 1.1.0 |
Establish terms and conditions for processing resources | CMA_C1077 - Establish terms and conditions for processing resources | Manual, Disabled | 1.1.0 |
Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Manual, Disabled | 1.1.0 |
Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Perform information input validation | CMA_C1723 - Perform information input validation | Manual, Disabled | 1.1.0 |
Prohibit unfair practices | CMA_0396 - Prohibit unfair practices | Manual, Disabled | 1.1.0 |
Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
Protect special information | CMA_0409 - Protect special information | Manual, Disabled | 1.1.0 |
Review and sign revised rules of behavior | CMA_0465 - Review and sign revised rules of behavior | Manual, Disabled | 1.1.0 |
Review label activity and analytics | CMA_0474 - Review label activity and analytics | Manual, Disabled | 1.1.0 |
Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
Update rules of behavior and access agreements | CMA_0521 - Update rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Update rules of behavior and access agreements every 3 years | CMA_0522 - Update rules of behavior and access agreements every 3 years | Manual, Disabled | 1.1.0 |
0902.09s2Organizational.13-09.s 09.08 Exchange of Information
ID: 0902.09s2Organizational.13-09.s Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0 |
Authorize remote access to privileged commands | CMA_C1064 - Authorize remote access to privileged commands | Manual, Disabled | 1.1.0 |
Document mobility training | CMA_0191 - Document mobility training | Manual, Disabled | 1.1.0 |
Document remote access guidelines | CMA_0196 - Document remote access guidelines | Manual, Disabled | 1.1.0 |
Establish terms and conditions for accessing resources | CMA_C1076 - Establish terms and conditions for accessing resources | Manual, Disabled | 1.1.0 |
Establish terms and conditions for processing resources | CMA_C1077 - Establish terms and conditions for processing resources | Manual, Disabled | 1.1.0 |
Function apps should not have CORS configured to allow every resource to access your apps | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. | AuditIfNotExists, Disabled | 2.0.0 |
Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Manual, Disabled | 1.1.0 |
Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
Notify users of system logon or access | CMA_0382 - Notify users of system logon or access | Manual, Disabled | 1.1.0 |
Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
Provide capability to disconnect or disable remote access | CMA_C1066 - Provide capability to disconnect or disable remote access | Manual, Disabled | 1.1.0 |
Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
0903.10f1Organizational.1-10.f 10.03 Cryptographic Controls
ID: 0903.10f1Organizational.1-10.f Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
0904.10f2Organizational.1-10.f 10.03 Cryptographic Controls
ID: 0904.10f2Organizational.1-10.f Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Authenticate to cryptographic module | CMA_0021 - Authenticate to cryptographic module | Manual, Disabled | 1.1.0 |
Define a physical key management process | CMA_0115 - Define a physical key management process | Manual, Disabled | 1.1.0 |
Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
Define organizational requirements for cryptographic key management | CMA_0123 - Define organizational requirements for cryptographic key management | Manual, Disabled | 1.1.0 |
Determine assertion requirements | CMA_0136 - Determine assertion requirements | Manual, Disabled | 1.1.0 |
Issue public key certificates | CMA_0347 - Issue public key certificates | Manual, Disabled | 1.1.0 |
Manage symmetric cryptographic keys | CMA_0367 - Manage symmetric cryptographic keys | Manual, Disabled | 1.1.0 |
Produce, control and distribute symmetric cryptographic keys | CMA_C1645 - Produce, control and distribute symmetric cryptographic keys | Manual, Disabled | 1.1.0 |
Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
Restrict access to private keys | CMA_0445 - Restrict access to private keys | Manual, Disabled | 1.1.0 |
0912.09s1Organizational.4-09.s 09.08 Exchange of Information
ID: 0912.09s1Organizational.4-09.s Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
App Service apps should have remote debugging turned off | Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 2.0.0 |
Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0 |
Document mobility training | CMA_0191 - Document mobility training | Manual, Disabled | 1.1.0 |
Document remote access guidelines | CMA_0196 - Document remote access guidelines | Manual, Disabled | 1.1.0 |
Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Manual, Disabled | 1.1.0 |
Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
Notify users of system logon or access | CMA_0382 - Notify users of system logon or access | Manual, Disabled | 1.1.0 |
Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
0913.09s1Organizational.5-09.s 09.08 Exchange of Information
ID: 0913.09s1Organizational.5-09.s Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
Function apps should have remote debugging turned off | Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 2.0.0 |
Produce, control and distribute asymmetric cryptographic keys | CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys | Manual, Disabled | 1.1.0 |
Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
0914.09s1Organizational.6-09.s 09.08 Exchange of Information
ID: 0914.09s1Organizational.6-09.s Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Assess Security Controls | CMA_C1145 - Assess Security Controls | Manual, Disabled | 1.1.0 |
Deliver security assessment results | CMA_C1147 - Deliver security assessment results | Manual, Disabled | 1.1.0 |
Develop security assessment plan | CMA_C1144 - Develop security assessment plan | Manual, Disabled | 1.1.0 |
Employ independent assessors to conduct security control assessments | CMA_C1148 - Employ independent assessors to conduct security control assessments | Manual, Disabled | 1.1.0 |
Produce Security Assessment report | CMA_C1146 - Produce Security Assessment report | Manual, Disabled | 1.1.0 |
Review and update system and communications protection policies and procedures | CMA_C1616 - Review and update system and communications protection policies and procedures | Manual, Disabled | 1.1.0 |
0915.09s2Organizational.2-09.s 09.08 Exchange of Information
ID: 0915.09s2Organizational.2-09.s Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
App Service apps should have Client Certificates (Incoming client certificates) enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy applies to apps with Http version set to 1.1. | AuditIfNotExists, Disabled | 1.0.0 |
Control use of portable storage devices | CMA_0083 - Control use of portable storage devices | Manual, Disabled | 1.1.0 |
Establish terms and conditions for accessing resources | CMA_C1076 - Establish terms and conditions for accessing resources | Manual, Disabled | 1.1.0 |
Establish terms and conditions for processing resources | CMA_C1077 - Establish terms and conditions for processing resources | Manual, Disabled | 1.1.0 |
0916.09s2Organizational.4-09.s 09.08 Exchange of Information
ID: 0916.09s2Organizational.4-09.s Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
App Service apps should not have CORS configured to allow every resource to access your apps | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. | AuditIfNotExists, Disabled | 2.0.0 |
Control use of portable storage devices | CMA_0083 - Control use of portable storage devices | Manual, Disabled | 1.1.0 |
Explicitly notify use of collaborative computing devices | CMA_C1649 - Explicitly notify use of collaborative computing devices | Manual, Disabled | 1.1.1 |
Identify and authenticate network devices | CMA_0296 - Identify and authenticate network devices | Manual, Disabled | 1.1.0 |
Prohibit remote activation of collaborative computing devices | CMA_C1648 - Prohibit remote activation of collaborative computing devices | Manual, Disabled | 1.1.0 |
Restrict media use | CMA_0450 - Restrict media use | Manual, Disabled | 1.1.0 |
0926.09v1Organizational.2-09.v 09.08 Exchange of Information
ID: 0926.09v1Organizational.2-09.v Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
Implement a fault tolerant name/address service | CMA_0305 - Implement a fault tolerant name/address service | Manual, Disabled | 1.1.0 |
Produce, control and distribute asymmetric cryptographic keys | CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys | Manual, Disabled | 1.1.0 |
Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
Provide secure name and address resolution services | CMA_0416 - Provide secure name and address resolution services | Manual, Disabled | 1.1.0 |
0927.09v1Organizational.3-09.v 09.08 Exchange of Information
ID: 0927.09v1Organizational.3-09.v Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
Enforce user uniqueness | CMA_0250 - Enforce user uniqueness | Manual, Disabled | 1.1.0 |
Identify and authenticate network devices | CMA_0296 - Identify and authenticate network devices | Manual, Disabled | 1.1.0 |
Support personal verification credentials issued by legal authorities | CMA_0507 - Support personal verification credentials issued by legal authorities | Manual, Disabled | 1.1.0 |
0928.09v1Organizational.45-09.v 09.08 Exchange of Information
ID: 0928.09v1Organizational.45-09.v Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
Produce, control and distribute asymmetric cryptographic keys | CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys | Manual, Disabled | 1.1.0 |
Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
0929.09v1Organizational.6-09.v 09.08 Exchange of Information
ID: 0929.09v1Organizational.6-09.v Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
Implement a fault tolerant name/address service | CMA_0305 - Implement a fault tolerant name/address service | Manual, Disabled | 1.1.0 |
Produce, control and distribute asymmetric cryptographic keys | CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys | Manual, Disabled | 1.1.0 |
Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
Provide secure name and address resolution services | CMA_0416 - Provide secure name and address resolution services | Manual, Disabled | 1.1.0 |
0943.09y1Organizational.1-09.y 09.09 Electronic Commerce Services
ID: 0943.09y1Organizational.1-09.y Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
Document process to ensure integrity of PII | CMA_C1827 - Document process to ensure integrity of PII | Manual, Disabled | 1.1.0 |
Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
Secure transfer to storage accounts should be enabled | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 2.0.0 |
0944.09y1Organizational.2-09.y 09.09 Electronic Commerce Services
ID: 0944.09y1Organizational.2-09.y Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
Employ boundary protection to isolate information systems | CMA_C1639 - Employ boundary protection to isolate information systems | Manual, Disabled | 1.1.0 |
Employ flow control mechanisms of encrypted information | CMA_0211 - Employ flow control mechanisms of encrypted information | Manual, Disabled | 1.1.0 |
Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
Information flow control using security policy filters | CMA_C1029 - Information flow control using security policy filters | Manual, Disabled | 1.1.0 |
0945.09y1Organizational.3-09.y 09.09 Electronic Commerce Services
ID: 0945.09y1Organizational.3-09.y Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Audit Windows machines that do not contain the specified certificates in Trusted Root | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine Trusted Root certificate store (Cert:\LocalMachine\Root) does not contain one or more of the certificates listed by the policy parameter. | auditIfNotExists | 3.0.0 |
Authenticate to cryptographic module | CMA_0021 - Authenticate to cryptographic module | Manual, Disabled | 1.1.0 |
Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
Produce, control and distribute asymmetric cryptographic keys | CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys | Manual, Disabled | 1.1.0 |
Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
0947.09y2Organizational.2-09.y 09.09 Electronic Commerce Services
ID: 0947.09y2Organizational.2-09.y Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Create separate alternate and primary storage sites | CMA_C1269 - Create separate alternate and primary storage sites | Manual, Disabled | 1.1.0 |
Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
Enforce SSL connection should be enabled for PostgreSQL database servers | Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
Ensure alternate storage site safeguards are equivalent to primary site | CMA_C1268 - Ensure alternate storage site safeguards are equivalent to primary site | Manual, Disabled | 1.1.0 |
Establish a data leakage management procedure | CMA_0255 - Establish a data leakage management procedure | Manual, Disabled | 1.1.0 |
Establish alternate storage site to store and retrieve backup information | CMA_C1267 - Establish alternate storage site to store and retrieve backup information | Manual, Disabled | 1.1.0 |
Govern and monitor audit processing activities | CMA_0289 - Govern and monitor audit processing activities | Manual, Disabled | 1.1.0 |
Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Manual, Disabled | 1.1.0 |
Protect special information | CMA_0409 - Protect special information | Manual, Disabled | 1.1.0 |
Restrict location of information processing, storage and services | CMA_C1593 - Restrict location of information processing, storage and services | Manual, Disabled | 1.1.0 |
Transfer backup information to an alternate storage site | CMA_C1294 - Transfer backup information to an alternate storage site | Manual, Disabled | 1.1.0 |
0948.09y2Organizational.3-09.y 09.09 Electronic Commerce Services
ID: 0948.09y2Organizational.3-09.y Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
Distribute authenticators | CMA_0184 - Distribute authenticators | Manual, Disabled | 1.1.0 |
Enforce random unique session identifiers | CMA_0247 - Enforce random unique session identifiers | Manual, Disabled | 1.1.0 |
Enforce SSL connection should be enabled for MySQL database servers | Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
Issue public key certificates | CMA_0347 - Issue public key certificates | Manual, Disabled | 1.1.0 |
Satisfy token quality requirements | CMA_0487 - Satisfy token quality requirements | Manual, Disabled | 1.1.0 |
0949.09y2Organizational.5-09.y 09.09 Electronic Commerce Services
ID: 0949.09y2Organizational.5-09.y Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
App Service apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 4.0.0 |
App Service apps should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 2.1.0 |
Function apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 5.0.0 |
Function apps should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 2.1.0 |
Identify external service providers | CMA_C1591 - Identify external service providers | Manual, Disabled | 1.1.0 |
Require developer to identify SDLC ports, protocols, and services | CMA_C1578 - Require developer to identify SDLC ports, protocols, and services | Manual, Disabled | 1.1.0 |
0960.09sCSPOrganizational.1-09.s 09.08 Exchange of Information
ID: 0960.09sCSPOrganizational.1-09.s Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Function apps should not have CORS configured to allow every resource to access your apps | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. | AuditIfNotExists, Disabled | 2.0.0 |
Identify external service providers | CMA_C1591 - Identify external service providers | Manual, Disabled | 1.1.0 |
099.09m2Organizational.11-09.m 09.06 Network Security Management
ID: 099.09m2Organizational.11-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
10 Password Management
1002.01d1System.1-01.d 01.02 Authorized Access to Information Systems
ID: 1002.01d1System.1-01.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Obscure feedback information during authentication process | CMA_C1344 - Obscure feedback information during authentication process | Manual, Disabled | 1.1.0 |
Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
1003.01d1System.3-01.d 01.02 Authorized Access to Information Systems
ID: 1003.01d1System.3-01.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Implement training for protecting authenticators | CMA_0329 - Implement training for protecting authenticators | Manual, Disabled | 1.1.0 |
Refresh authenticators | CMA_0425 - Refresh authenticators | Manual, Disabled | 1.1.0 |
Verify identity before distributing authenticators | CMA_0538 - Verify identity before distributing authenticators | Manual, Disabled | 1.1.0 |
1004.01d1System.8913-01.d 01.02 Authorized Access to Information Systems
ID: 1004.01d1System.8913-01.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Establish a password policy | CMA_0256 - Establish a password policy | Manual, Disabled | 1.1.0 |
Implement parameters for memorized secret verifiers | CMA_0321 - Implement parameters for memorized secret verifiers | Manual, Disabled | 1.1.0 |
Manage authenticator lifetime and reuse | CMA_0355 - Manage authenticator lifetime and reuse | Manual, Disabled | 1.1.0 |
Manage Authenticators | CMA_C1321 - Manage Authenticators | Manual, Disabled | 1.1.0 |
Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
Refresh authenticators | CMA_0425 - Refresh authenticators | Manual, Disabled | 1.1.0 |
Verify identity before distributing authenticators | CMA_0538 - Verify identity before distributing authenticators | Manual, Disabled | 1.1.0 |
1005.01d1System.1011-01.d 01.02 Authorized Access to Information Systems
ID: 1005.01d1System.1011-01.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Authenticate to cryptographic module | CMA_0021 - Authenticate to cryptographic module | Manual, Disabled | 1.1.0 |
Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Establish a password policy | CMA_0256 - Establish a password policy | Manual, Disabled | 1.1.0 |
Implement parameters for memorized secret verifiers | CMA_0321 - Implement parameters for memorized secret verifiers | Manual, Disabled | 1.1.0 |
Produce, control and distribute symmetric cryptographic keys | CMA_C1645 - Produce, control and distribute symmetric cryptographic keys | Manual, Disabled | 1.1.0 |
1006.01d2System.1-01.d 01.02 Authorized Access to Information Systems
ID: 1006.01d2System.1-01.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Ensure there are no unencrypted static authenticators | CMA_C1340 - Ensure there are no unencrypted static authenticators | Manual, Disabled | 1.1.0 |
Generate error messages | CMA_C1724 - Generate error messages | Manual, Disabled | 1.1.0 |
Identify and authenticate non-organizational users | CMA_C1346 - Identify and authenticate non-organizational users | Manual, Disabled | 1.1.0 |
Implement training for protecting authenticators | CMA_0329 - Implement training for protecting authenticators | Manual, Disabled | 1.1.0 |
Obscure feedback information during authentication process | CMA_C1344 - Obscure feedback information during authentication process | Manual, Disabled | 1.1.0 |
1007.01d2System.2-01.d 01.02 Authorized Access to Information Systems
ID: 1007.01d2System.2-01.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
1008.01d2System.3-01.d 01.02 Authorized Access to Information Systems
ID: 1008.01d2System.3-01.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
Develop organization code of conduct policy | CMA_0159 - Develop organization code of conduct policy | Manual, Disabled | 1.1.0 |
Document organizational access agreements | CMA_0192 - Document organizational access agreements | Manual, Disabled | 1.1.0 |
Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Establish a data leakage management procedure | CMA_0255 - Establish a data leakage management procedure | Manual, Disabled | 1.1.0 |
Notify users of system logon or access | CMA_0382 - Notify users of system logon or access | Manual, Disabled | 1.1.0 |
Prohibit unfair practices | CMA_0396 - Prohibit unfair practices | Manual, Disabled | 1.1.0 |
Protect special information | CMA_0409 - Protect special information | Manual, Disabled | 1.1.0 |
Require users to sign access agreement | CMA_0440 - Require users to sign access agreement | Manual, Disabled | 1.1.0 |
Review and sign revised rules of behavior | CMA_0465 - Review and sign revised rules of behavior | Manual, Disabled | 1.1.0 |
Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
Update organizational access agreements | CMA_0520 - Update organizational access agreements | Manual, Disabled | 1.1.0 |
Update rules of behavior and access agreements | CMA_0521 - Update rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Update rules of behavior and access agreements every 3 years | CMA_0522 - Update rules of behavior and access agreements every 3 years | Manual, Disabled | 1.1.0 |
1009.01d2System.4-01.d 01.02 Authorized Access to Information Systems
ID: 1009.01d2System.4-01.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Establish a password policy | CMA_0256 - Establish a password policy | Manual, Disabled | 1.1.0 |
Implement parameters for memorized secret verifiers | CMA_0321 - Implement parameters for memorized secret verifiers | Manual, Disabled | 1.1.0 |
Refresh authenticators | CMA_0425 - Refresh authenticators | Manual, Disabled | 1.1.0 |
1014.01d1System.12-01.d 01.02 Authorized Access to Information Systems
ID: 1014.01d1System.12-01.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Establish a password policy | CMA_0256 - Establish a password policy | Manual, Disabled | 1.1.0 |
Establish authenticator types and processes | CMA_0267 - Establish authenticator types and processes | Manual, Disabled | 1.1.0 |
Establish procedures for initial authenticator distribution | CMA_0276 - Establish procedures for initial authenticator distribution | Manual, Disabled | 1.1.0 |
Implement parameters for memorized secret verifiers | CMA_0321 - Implement parameters for memorized secret verifiers | Manual, Disabled | 1.1.0 |
Implement training for protecting authenticators | CMA_0329 - Implement training for protecting authenticators | Manual, Disabled | 1.1.0 |
Manage authenticator lifetime and reuse | CMA_0355 - Manage authenticator lifetime and reuse | Manual, Disabled | 1.1.0 |
Manage Authenticators | CMA_C1321 - Manage Authenticators | Manual, Disabled | 1.1.0 |
Refresh authenticators | CMA_0425 - Refresh authenticators | Manual, Disabled | 1.1.0 |
Reissue authenticators for changed groups and accounts | CMA_0426 - Reissue authenticators for changed groups and accounts | Manual, Disabled | 1.1.0 |
Verify identity before distributing authenticators | CMA_0538 - Verify identity before distributing authenticators | Manual, Disabled | 1.1.0 |
1015.01d1System.14-01.d 01.02 Authorized Access to Information Systems
ID: 1015.01d1System.14-01.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Establish authenticator types and processes | CMA_0267 - Establish authenticator types and processes | Manual, Disabled | 1.1.0 |
Establish procedures for initial authenticator distribution | CMA_0276 - Establish procedures for initial authenticator distribution | Manual, Disabled | 1.1.0 |
Reissue authenticators for changed groups and accounts | CMA_0426 - Reissue authenticators for changed groups and accounts | Manual, Disabled | 1.1.0 |
Verify identity before distributing authenticators | CMA_0538 - Verify identity before distributing authenticators | Manual, Disabled | 1.1.0 |
1022.01d1System.15-01.d 01.02 Authorized Access to Information Systems
ID: 1022.01d1System.15-01.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
Control use of portable storage devices | CMA_0083 - Control use of portable storage devices | Manual, Disabled | 1.1.0 |
Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Establish a password policy | CMA_0256 - Establish a password policy | Manual, Disabled | 1.1.0 |
Identify and authenticate network devices | CMA_0296 - Identify and authenticate network devices | Manual, Disabled | 1.1.0 |
Implement parameters for memorized secret verifiers | CMA_0321 - Implement parameters for memorized secret verifiers | Manual, Disabled | 1.1.0 |
Refresh authenticators | CMA_0425 - Refresh authenticators | Manual, Disabled | 1.1.0 |
Restrict media use | CMA_0450 - Restrict media use | Manual, Disabled | 1.1.0 |
1031.01d1System.34510-01.d 01.02 Authorized Access to Information Systems
ID: 1031.01d1System.34510-01.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Establish a password policy | CMA_0256 - Establish a password policy | Manual, Disabled | 1.1.0 |
Establish procedures for initial authenticator distribution | CMA_0276 - Establish procedures for initial authenticator distribution | Manual, Disabled | 1.1.0 |
Implement parameters for memorized secret verifiers | CMA_0321 - Implement parameters for memorized secret verifiers | Manual, Disabled | 1.1.0 |
Manage Authenticators | CMA_C1321 - Manage Authenticators | Manual, Disabled | 1.1.0 |
Refresh authenticators | CMA_0425 - Refresh authenticators | Manual, Disabled | 1.1.0 |
11 Access Control
1106.01b1System.1-01.b 01.02 Authorized Access to Information Systems
ID: 1106.01b1System.1-01.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Assign account managers | CMA_0015 - Assign account managers | Manual, Disabled | 1.1.0 |
Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
Define information system account types | CMA_0121 - Define information system account types | Manual, Disabled | 1.1.0 |
Document access privileges | CMA_0186 - Document access privileges | Manual, Disabled | 1.1.0 |
Establish conditions for role membership | CMA_0269 - Establish conditions for role membership | Manual, Disabled | 1.1.0 |
Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
Review user accounts | CMA_0480 - Review user accounts | Manual, Disabled | 1.1.0 |
Verify identity before distributing authenticators | CMA_0538 - Verify identity before distributing authenticators | Manual, Disabled | 1.1.0 |
1107.01b1System.2-01.b 01.02 Authorized Access to Information Systems
ID: 1107.01b1System.2-01.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|