Details of the Spain ENS Regulatory Compliance built-in initiative

The following article details how the Azure Policy Regulatory Compliance built-in initiative definition maps to compliance domains and controls in Spain ENS. For more information about this compliance standard, see Spain ENS. To understand Ownership, review the policy type and Shared responsibility in the cloud.

The following mappings are to the Spain ENS controls. Many of the controls are implemented with an Azure Policy initiative definition. To review the complete initiative definition, open Policy in the Azure portal and select the Definitions page. Then, find and select the Spain ENS Regulatory Compliance built-in initiative definition.

Important

Each control below is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, there often is not a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policy definitions themselves; this doesn't ensure you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between compliance domains, controls, and Azure Policy definitions for this compliance standard may change over time. To view the change history, see the GitHub Commit History.

Protective Measures

Protection of communications

ID: ENS v1 mp.com.1 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: All Internet traffic should be routed via your deployed Azure Firewall Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall AuditIfNotExists, Disabled 3.0.0-preview
Adopt biometric authentication mechanisms CMA_0005 - Adopt biometric authentication mechanisms Manual, Disabled 1.1.0
Azure Attestation providers should disable public network access To improve the security of Azure Attestation Service, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in aka.ms/azureattestation. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. Audit, Deny, Disabled 1.0.0
Azure Cosmos DB accounts should have firewall rules Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. Audit, Deny, Disabled 2.1.0
Azure Key Vault should have firewall enabled Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. Optionally, you can configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security Audit, Deny, Disabled 3.2.1
Azure SignalR Service should disable public network access To improve the security of Azure SignalR Service resource, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/asrs/networkacls. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. Audit, Deny, Disabled 1.1.0
Azure Web Application Firewall on Azure Application Gateway should have request body inspection enabled Ensure that Web Application Firewalls associated to Azure Application Gateways have Request body inspection enabled. This allows the WAF to inspect properties within the HTTP body that may not be evaluated in the HTTP headers, cookies, or URI. Audit, Deny, Disabled 1.0.0
Azure Web Application Firewall on Azure Front Door should have request body inspection enabled Ensure that Web Application Firewalls associated to Azure Front Doors have request body inspection enabled. This allows the WAF to inspect properties within the HTTP body that may not be evaluated in the HTTP headers, cookies, or URI. Audit, Deny, Disabled 1.0.0
Azure Web Application Firewall should be enabled for Azure Front Door entry-points Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. Audit, Deny, Disabled 1.0.2
Configure key vaults to enable firewall Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security Modify, Disabled 1.1.1
Configure storage accounts to disable public network access To improve the security of Storage Accounts, ensure that they aren't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/storageaccountpublicnetworkaccess. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. Modify, Disabled 1.0.1
Control information flow CMA_0079 - Control information flow Manual, Disabled 1.1.0
Define and document government oversight CMA_C1587 - Define and document government oversight Manual, Disabled 1.1.0
Enable Rate Limit rule to protect against DDoS attacks on Azure Front Door WAF The Azure Web Application Firewall (WAF) rate limit rule for Azure Front Door controls the number of requests allowed from a particular client IP address to the application during a rate limit duration. Audit, Deny, Disabled 1.0.0
Establish electronic signature and certificate requirements CMA_0271 - Establish electronic signature and certificate requirements Manual, Disabled 1.1.0
Establish firewall and router configuration standards CMA_0272 - Establish firewall and router configuration standards Manual, Disabled 1.1.0
Establish network segmentation for card holder data environment CMA_0273 - Establish network segmentation for card holder data environment Manual, Disabled 1.1.0
Identify and manage downstream information exchanges CMA_0298 - Identify and manage downstream information exchanges Manual, Disabled 1.1.0
Implement system boundary protection CMA_0328 - Implement system boundary protection Manual, Disabled 1.1.0
IP firewall rules on Azure Synapse workspaces should be removed Removing all IP firewall rules improves security by ensuring your Azure Synapse workspace can only be accessed from a private endpoint. This configuration audits creation of firewall rules that allow public network access on the workspace. Audit, Disabled 1.0.0
IP Forwarding on your virtual machine should be disabled Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. AuditIfNotExists, Disabled 3.0.0
Management ports should be closed on your virtual machines Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. AuditIfNotExists, Disabled 3.0.0
MariaDB server should use a virtual network service endpoint Virtual network based firewall rules are used to enable traffic from a specific subnet to Azure Database for MariaDB while ensuring the traffic stays within the Azure boundary. This policy provides a way to audit if the Azure Database for MariaDB has virtual network service endpoint being used. AuditIfNotExists, Disabled 1.0.2
Migrate WAF from WAF Config to WAF Policy on Application Gateway If you have WAF Config instead of WAF Policy, then you may want to move to the new WAF Policy. Going forward, the firewall policy will support WAF policy settings, managed rulesets, exclusions, and disabled rule-groups. Audit, Deny, Disabled 1.0.0
Modify Azure SignalR Service resources to disable public network access To improve the security of Azure SignalR Service resource, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/asrs/networkacls. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. Modify, Disabled 1.1.0
MySQL server should use a virtual network service endpoint Virtual network based firewall rules are used to enable traffic from a specific subnet to Azure Database for MySQL while ensuring the traffic stays within the Azure boundary. This policy provides a way to audit if the Azure Database for MySQL has virtual network service endpoint being used. AuditIfNotExists, Disabled 1.0.2
PostgreSQL server should use a virtual network service endpoint Virtual network based firewall rules are used to enable traffic from a specific subnet to Azure Database for PostgreSQL while ensuring the traffic stays within the Azure boundary. This policy provides a way to audit if the Azure Database for PostgreSQL has virtual network service endpoint being used. AuditIfNotExists, Disabled 1.0.2
Prevent split tunneling for remote devices CMA_C1632 - Prevent split tunneling for remote devices Manual, Disabled 1.1.0
Public network access on Azure Data Explorer should be disabled Disabling the public network access property improves security by ensuring Azure Data Explorer can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. Audit, Deny, Disabled 1.0.0
Public network access on Azure SQL Database should be disabled Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. Audit, Deny, Disabled 1.1.0
Public network access should be disabled for IoT Central To improve the security of IoT Central, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/iotcentral-restrict-public-access. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. Audit, Deny, Disabled 1.0.0
Public network access should be disabled for MariaDB servers Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. Audit, Deny, Disabled 2.0.0
Public network access should be disabled for MySQL flexible servers Disabling the public network access property improves security by ensuring your Azure Database for MySQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP or virtual network-based firewall rules. Audit, Deny, Disabled 2.1.0
Public network access should be disabled for MySQL servers Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. Audit, Deny, Disabled 2.0.0
Public network access should be disabled for PostgreSQL flexible servers Disabling the public network access property improves security by ensuring your Azure Database for PostgreSQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP based firewall rules. Audit, Deny, Disabled 3.1.0
Public network access should be disabled for PostgreSQL servers Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. Audit, Deny, Disabled 2.0.1
Require external service providers to comply with security requirements CMA_C1586 - Require external service providers to comply with security requirements Manual, Disabled 1.1.0
Require interconnection security agreements CMA_C1151 - Require interconnection security agreements Manual, Disabled 1.1.0
Review cloud service provider's compliance with policies and agreements CMA_0469 - Review cloud service provider's compliance with policies and agreements Manual, Disabled 1.1.0
Route traffic through managed network access points CMA_0484 - Route traffic through managed network access points Manual, Disabled 1.1.0
Secure the interface to external systems CMA_0491 - Secure the interface to external systems Manual, Disabled 1.1.0
Storage accounts should disable public network access To improve the security of Storage Accounts, ensure that they aren't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/storageaccountpublicnetworkaccess. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. Audit, Deny, Disabled 1.0.1
Undergo independent security review CMA_0515 - Undergo independent security review Manual, Disabled 1.1.0
Update interconnection security agreements CMA_0519 - Update interconnection security agreements Manual, Disabled 1.1.0
Virtual network firewall rule on Azure SQL Database should be enabled to allow traffic from the specified subnet Virtual network based firewall rules are used to enable traffic from a specific subnet to Azure SQL Database while ensuring the traffic stays within the Azure boundary. AuditIfNotExists 1.0.0
Web Application Firewall (WAF) should be enabled for Application Gateway Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. Audit, Deny, Disabled 2.0.0
Web Application Firewall (WAF) should use the specified mode for Application Gateway Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Application Gateway. Audit, Deny, Disabled 1.0.0
Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Azure Front Door Service. Audit, Deny, Disabled 1.0.0
Windows machines should meet requirements for 'Windows Firewall Properties' Windows machines should have the specified Group Policy settings in the category 'Windows Firewall Properties' for firewall state, connections, rule management, and notifications. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0

Protection of communications

ID: ENS v1 mp.com.2 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adopt biometric authentication mechanisms CMA_0005 - Adopt biometric authentication mechanisms Manual, Disabled 1.1.0
All network ports should be restricted on network security groups associated to your virtual machine Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. AuditIfNotExists, Disabled 3.0.0
Authenticate to cryptographic module CMA_0021 - Authenticate to cryptographic module Manual, Disabled 1.1.0
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Authorize remote access CMA_0024 - Authorize remote access Manual, Disabled 1.1.0
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Control information flow CMA_0079 - Control information flow Manual, Disabled 1.1.0
Define and document government oversight CMA_C1587 - Define and document government oversight Manual, Disabled 1.1.0
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0
Document and implement wireless access guidelines CMA_0190 - Document and implement wireless access guidelines Manual, Disabled 1.1.0
Document mobility training CMA_0191 - Document mobility training Manual, Disabled 1.1.0
Document remote access guidelines CMA_0196 - Document remote access guidelines Manual, Disabled 1.1.0
Employ boundary protection to isolate information systems CMA_C1639 - Employ boundary protection to isolate information systems Manual, Disabled 1.1.0
Employ flow control mechanisms of encrypted information CMA_0211 - Employ flow control mechanisms of encrypted information Manual, Disabled 1.1.0
Enforce logical access CMA_0245 - Enforce logical access Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
Enforce user uniqueness CMA_0250 - Enforce user uniqueness Manual, Disabled 1.1.0
Establish electronic signature and certificate requirements CMA_0271 - Establish electronic signature and certificate requirements Manual, Disabled 1.1.0
Establish firewall and router configuration standards CMA_0272 - Establish firewall and router configuration standards Manual, Disabled 1.1.0
Establish network segmentation for card holder data environment CMA_0273 - Establish network segmentation for card holder data environment Manual, Disabled 1.1.0
Establish terms and conditions for accessing resources CMA_C1076 - Establish terms and conditions for accessing resources Manual, Disabled 1.1.0
Establish terms and conditions for processing resources CMA_C1077 - Establish terms and conditions for processing resources Manual, Disabled 1.1.0
Identify and authenticate network devices CMA_0296 - Identify and authenticate network devices Manual, Disabled 1.1.0
Identify and authenticate non-organizational users CMA_C1346 - Identify and authenticate non-organizational users Manual, Disabled 1.1.0
Identify and manage downstream information exchanges CMA_0298 - Identify and manage downstream information exchanges Manual, Disabled 1.1.0
Implement a fault tolerant name/address service CMA_0305 - Implement a fault tolerant name/address service Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Implement controls to secure alternate work sites CMA_0315 - Implement controls to secure alternate work sites Manual, Disabled 1.1.0
Implement managed interface for each external service CMA_C1626 - Implement managed interface for each external service Manual, Disabled 1.1.0
Implement system boundary protection CMA_0328 - Implement system boundary protection Manual, Disabled 1.1.0
Information flow control using security policy filters CMA_C1029 - Information flow control using security policy filters Manual, Disabled 1.1.0
Monitor access across the organization CMA_0376 - Monitor access across the organization Manual, Disabled 1.1.0
Notify users of system logon or access CMA_0382 - Notify users of system logon or access Manual, Disabled 1.1.0
Prevent split tunneling for remote devices CMA_C1632 - Prevent split tunneling for remote devices Manual, Disabled 1.1.0
Produce, control and distribute asymmetric cryptographic keys CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0
Protect wireless access CMA_0411 - Protect wireless access Manual, Disabled 1.1.0
Provide privacy training CMA_0415 - Provide privacy training Manual, Disabled 1.1.0
Provide secure name and address resolution services CMA_0416 - Provide secure name and address resolution services Manual, Disabled 1.1.0
Reauthenticate or terminate a user session CMA_0421 - Reauthenticate or terminate a user session Manual, Disabled 1.1.0
Require approval for account creation CMA_0431 - Require approval for account creation Manual, Disabled 1.1.0
Require external service providers to comply with security requirements CMA_C1586 - Require external service providers to comply with security requirements Manual, Disabled 1.1.0
Require interconnection security agreements CMA_C1151 - Require interconnection security agreements Manual, Disabled 1.1.0
Review cloud service provider's compliance with policies and agreements CMA_0469 - Review cloud service provider's compliance with policies and agreements Manual, Disabled 1.1.0
Review user groups and applications with access to sensitive data CMA_0481 - Review user groups and applications with access to sensitive data Manual, Disabled 1.1.0
Route traffic through managed network access points CMA_0484 - Route traffic through managed network access points Manual, Disabled 1.1.0
Secure the interface to external systems CMA_0491 - Secure the interface to external systems Manual, Disabled 1.1.0
Separate user and information system management functionality CMA_0493 - Separate user and information system management functionality Manual, Disabled 1.1.0
Support personal verification credentials issued by legal authorities CMA_0507 - Support personal verification credentials issued by legal authorities Manual, Disabled 1.1.0
Undergo independent security review CMA_0515 - Undergo independent security review Manual, Disabled 1.1.0
Update interconnection security agreements CMA_0519 - Update interconnection security agreements Manual, Disabled 1.1.0
Use dedicated machines for administrative tasks CMA_0527 - Use dedicated machines for administrative tasks Manual, Disabled 1.1.0
Verify security controls for external information systems CMA_0541 - Verify security controls for external information systems Manual, Disabled 1.1.0

Protection of communications

ID: ENS v1 mp.com.3 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Deprecated]: Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policies with policy IDs 3dc5edcd-002d-444c-b216-e123bbfa37c0 and ca88aadc-6e2b-416c-9de2-5a0f01d1693f. Learn more about policy definition deprecation at aka.ms/policydefdeprecation AuditIfNotExists, Disabled 2.1.0-deprecated
Adopt biometric authentication mechanisms CMA_0005 - Adopt biometric authentication mechanisms Manual, Disabled 1.1.0
All network ports should be restricted on network security groups associated to your virtual machine Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. AuditIfNotExists, Disabled 3.0.0
Audit Windows machines that do not store passwords using reversible encryption Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not store passwords using reversible encryption AuditIfNotExists, Disabled 2.0.0
Authenticate to cryptographic module CMA_0021 - Authenticate to cryptographic module Manual, Disabled 1.1.0
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Authorize remote access CMA_0024 - Authorize remote access Manual, Disabled 1.1.0
Automation account variables should be encrypted It is important to enable encryption of Automation account variable assets when storing sensitive data Audit, Deny, Disabled 1.1.0
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Control information flow CMA_0079 - Control information flow Manual, Disabled 1.1.0
Define and document government oversight CMA_C1587 - Define and document government oversight Manual, Disabled 1.1.0
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0
Document and implement wireless access guidelines CMA_0190 - Document and implement wireless access guidelines Manual, Disabled 1.1.0
Document mobility training CMA_0191 - Document mobility training Manual, Disabled 1.1.0
Document remote access guidelines CMA_0196 - Document remote access guidelines Manual, Disabled 1.1.0
Employ boundary protection to isolate information systems CMA_C1639 - Employ boundary protection to isolate information systems Manual, Disabled 1.1.0
Employ flow control mechanisms of encrypted information CMA_0211 - Employ flow control mechanisms of encrypted information Manual, Disabled 1.1.0
Enforce logical access CMA_0245 - Enforce logical access Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
Enforce user uniqueness CMA_0250 - Enforce user uniqueness Manual, Disabled 1.1.0
Establish electronic signature and certificate requirements CMA_0271 - Establish electronic signature and certificate requirements Manual, Disabled 1.1.0
Establish firewall and router configuration standards CMA_0272 - Establish firewall and router configuration standards Manual, Disabled 1.1.0
Establish network segmentation for card holder data environment CMA_0273 - Establish network segmentation for card holder data environment Manual, Disabled 1.1.0
Establish terms and conditions for accessing resources CMA_C1076 - Establish terms and conditions for accessing resources Manual, Disabled 1.1.0
Establish terms and conditions for processing resources CMA_C1077 - Establish terms and conditions for processing resources Manual, Disabled 1.1.0
Identify and authenticate network devices CMA_0296 - Identify and authenticate network devices Manual, Disabled 1.1.0
Identify and authenticate non-organizational users CMA_C1346 - Identify and authenticate non-organizational users Manual, Disabled 1.1.0
Identify and manage downstream information exchanges CMA_0298 - Identify and manage downstream information exchanges Manual, Disabled 1.1.0
Implement a fault tolerant name/address service CMA_0305 - Implement a fault tolerant name/address service Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Implement controls to secure alternate work sites CMA_0315 - Implement controls to secure alternate work sites Manual, Disabled 1.1.0
Implement managed interface for each external service CMA_C1626 - Implement managed interface for each external service Manual, Disabled 1.1.0
Implement system boundary protection CMA_0328 - Implement system boundary protection Manual, Disabled 1.1.0
Information flow control using security policy filters CMA_C1029 - Information flow control using security policy filters Manual, Disabled 1.1.0
Monitor access across the organization CMA_0376 - Monitor access across the organization Manual, Disabled 1.1.0
Notify users of system logon or access CMA_0382 - Notify users of system logon or access Manual, Disabled 1.1.0
Prevent split tunneling for remote devices CMA_C1632 - Prevent split tunneling for remote devices Manual, Disabled 1.1.0
Produce, control and distribute asymmetric cryptographic keys CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0
Protect wireless access CMA_0411 - Protect wireless access Manual, Disabled 1.1.0
Provide privacy training CMA_0415 - Provide privacy training Manual, Disabled 1.1.0
Provide secure name and address resolution services CMA_0416 - Provide secure name and address resolution services Manual, Disabled 1.1.0
Reauthenticate or terminate a user session CMA_0421 - Reauthenticate or terminate a user session Manual, Disabled 1.1.0
Require approval for account creation CMA_0431 - Require approval for account creation Manual, Disabled 1.1.0
Require external service providers to comply with security requirements CMA_C1586 - Require external service providers to comply with security requirements Manual, Disabled 1.1.0
Require interconnection security agreements CMA_C1151 - Require interconnection security agreements Manual, Disabled 1.1.0
Review cloud service provider's compliance with policies and agreements CMA_0469 - Review cloud service provider's compliance with policies and agreements Manual, Disabled 1.1.0
Review user groups and applications with access to sensitive data CMA_0481 - Review user groups and applications with access to sensitive data Manual, Disabled 1.1.0
Route traffic through managed network access points CMA_0484 - Route traffic through managed network access points Manual, Disabled 1.1.0
Secure the interface to external systems CMA_0491 - Secure the interface to external systems Manual, Disabled 1.1.0
Secure transfer to storage accounts should be enabled Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Audit, Deny, Disabled 2.0.0
Separate user and information system management functionality CMA_0493 - Separate user and information system management functionality Manual, Disabled 1.1.0
Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed Audit, Deny, Disabled 1.1.0
SQL databases should have vulnerability findings resolved Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. AuditIfNotExists, Disabled 4.1.0
Support personal verification credentials issued by legal authorities CMA_0507 - Support personal verification credentials issued by legal authorities Manual, Disabled 1.1.0
Transparent Data Encryption on SQL databases should be enabled Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements AuditIfNotExists, Disabled 2.0.0
Undergo independent security review CMA_0515 - Undergo independent security review Manual, Disabled 1.1.0
Update interconnection security agreements CMA_0519 - Update interconnection security agreements Manual, Disabled 1.1.0
Use dedicated machines for administrative tasks CMA_0527 - Use dedicated machines for administrative tasks Manual, Disabled 1.1.0
Verify security controls for external information systems CMA_0541 - Verify security controls for external information systems Manual, Disabled 1.1.0

Protection of communications

ID: ENS v1 mp.com.4 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adopt biometric authentication mechanisms CMA_0005 - Adopt biometric authentication mechanisms Manual, Disabled 1.1.0
All network ports should be restricted on network security groups associated to your virtual machine Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. AuditIfNotExists, Disabled 3.0.0
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Authorize remote access CMA_0024 - Authorize remote access Manual, Disabled 1.1.0
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Control information flow CMA_0079 - Control information flow Manual, Disabled 1.1.0
Create a data inventory CMA_0096 - Create a data inventory Manual, Disabled 1.1.0
Define and document government oversight CMA_C1587 - Define and document government oversight Manual, Disabled 1.1.0
Document and implement wireless access guidelines CMA_0190 - Document and implement wireless access guidelines Manual, Disabled 1.1.0
Document mobility training CMA_0191 - Document mobility training Manual, Disabled 1.1.0
Document remote access guidelines CMA_0196 - Document remote access guidelines Manual, Disabled 1.1.0
Employ boundary protection to isolate information systems CMA_C1639 - Employ boundary protection to isolate information systems Manual, Disabled 1.1.0
Employ flow control mechanisms of encrypted information CMA_0211 - Employ flow control mechanisms of encrypted information Manual, Disabled 1.1.0
Enforce logical access CMA_0245 - Enforce logical access Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
Establish electronic signature and certificate requirements CMA_0271 - Establish electronic signature and certificate requirements Manual, Disabled 1.1.0
Establish firewall and router configuration standards CMA_0272 - Establish firewall and router configuration standards Manual, Disabled 1.1.0
Establish network segmentation for card holder data environment CMA_0273 - Establish network segmentation for card holder data environment Manual, Disabled 1.1.0
Establish terms and conditions for accessing resources CMA_C1076 - Establish terms and conditions for accessing resources Manual, Disabled 1.1.0
Establish terms and conditions for processing resources CMA_C1077 - Establish terms and conditions for processing resources Manual, Disabled 1.1.0
Identify and authenticate network devices CMA_0296 - Identify and authenticate network devices Manual, Disabled 1.1.0
Identify and manage downstream information exchanges CMA_0298 - Identify and manage downstream information exchanges Manual, Disabled 1.1.0
Implement a fault tolerant name/address service CMA_0305 - Implement a fault tolerant name/address service Manual, Disabled 1.1.0
Implement controls to secure alternate work sites CMA_0315 - Implement controls to secure alternate work sites Manual, Disabled 1.1.0
Implement managed interface for each external service CMA_C1626 - Implement managed interface for each external service Manual, Disabled 1.1.0
Implement system boundary protection CMA_0328 - Implement system boundary protection Manual, Disabled 1.1.0
Information flow control using security policy filters CMA_C1029 - Information flow control using security policy filters Manual, Disabled 1.1.0
Maintain records of processing of personal data CMA_0353 - Maintain records of processing of personal data Manual, Disabled 1.1.0
Monitor access across the organization CMA_0376 - Monitor access across the organization Manual, Disabled 1.1.0
Notify users of system logon or access CMA_0382 - Notify users of system logon or access Manual, Disabled 1.1.0
Prevent split tunneling for remote devices CMA_C1632 - Prevent split tunneling for remote devices Manual, Disabled 1.1.0
Produce, control and distribute asymmetric cryptographic keys CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0
Protect wireless access CMA_0411 - Protect wireless access Manual, Disabled 1.1.0
Provide privacy training CMA_0415 - Provide privacy training Manual, Disabled 1.1.0
Provide secure name and address resolution services CMA_0416 - Provide secure name and address resolution services Manual, Disabled 1.1.0
Reauthenticate or terminate a user session CMA_0421 - Reauthenticate or terminate a user session Manual, Disabled 1.1.0
Require approval for account creation CMA_0431 - Require approval for account creation Manual, Disabled 1.1.0
Require external service providers to comply with security requirements CMA_C1586 - Require external service providers to comply with security requirements Manual, Disabled 1.1.0
Require interconnection security agreements CMA_C1151 - Require interconnection security agreements Manual, Disabled 1.1.0
Review cloud service provider's compliance with policies and agreements CMA_0469 - Review cloud service provider's compliance with policies and agreements Manual, Disabled 1.1.0
Review user groups and applications with access to sensitive data CMA_0481 - Review user groups and applications with access to sensitive data Manual, Disabled 1.1.0
Route traffic through managed network access points CMA_0484 - Route traffic through managed network access points Manual, Disabled 1.1.0
Secure the interface to external systems CMA_0491 - Secure the interface to external systems Manual, Disabled 1.1.0
Separate user and information system management functionality CMA_0493 - Separate user and information system management functionality Manual, Disabled 1.1.0
Undergo independent security review CMA_0515 - Undergo independent security review Manual, Disabled 1.1.0
Update interconnection security agreements CMA_0519 - Update interconnection security agreements Manual, Disabled 1.1.0
Use dedicated machines for administrative tasks CMA_0527 - Use dedicated machines for administrative tasks Manual, Disabled 1.1.0
Verify security controls for external information systems CMA_0541 - Verify security controls for external information systems Manual, Disabled 1.1.0

Protection of equipment

ID: ENS v1 mp.eq.1 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adopt biometric authentication mechanisms CMA_0005 - Adopt biometric authentication mechanisms Manual, Disabled 1.1.0
Control physical access CMA_0081 - Control physical access Manual, Disabled 1.1.0
Define a physical key management process CMA_0115 - Define a physical key management process Manual, Disabled 1.1.0
Define mobile device requirements CMA_0122 - Define mobile device requirements Manual, Disabled 1.1.0
Develop acceptable use policies and procedures CMA_0143 - Develop acceptable use policies and procedures Manual, Disabled 1.1.0
Employ a media sanitization mechanism CMA_0208 - Employ a media sanitization mechanism Manual, Disabled 1.1.0
Enforce rules of behavior and access agreements CMA_0248 - Enforce rules of behavior and access agreements Manual, Disabled 1.1.0
Ensure security safeguards not needed when the individuals return CMA_C1183 - Ensure security safeguards not needed when the individuals return Manual, Disabled 1.1.0
Establish and maintain an asset inventory CMA_0266 - Establish and maintain an asset inventory Manual, Disabled 1.1.0
Establish terms and conditions for accessing resources CMA_C1076 - Establish terms and conditions for accessing resources Manual, Disabled 1.1.0
Establish terms and conditions for processing resources CMA_C1077 - Establish terms and conditions for processing resources Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Implement controls to secure alternate work sites CMA_0315 - Implement controls to secure alternate work sites Manual, Disabled 1.1.0
Implement physical security for offices, working areas, and secure areas CMA_0323 - Implement physical security for offices, working areas, and secure areas Manual, Disabled 1.1.0
Manage the transportation of assets CMA_0370 - Manage the transportation of assets Manual, Disabled 1.1.0
Not allow for information systems to accompany with individuals CMA_C1182 - Not allow for information systems to accompany with individuals Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Provide privacy training CMA_0415 - Provide privacy training Manual, Disabled 1.1.0
Verify security controls for external information systems CMA_0541 - Verify security controls for external information systems Manual, Disabled 1.1.0

Protection of equipment

ID: ENS v1 mp.eq.2 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Address coding vulnerabilities CMA_0003 - Address coding vulnerabilities Manual, Disabled 1.1.0
Automate approval request for proposed changes CMA_C1192 - Automate approval request for proposed changes Manual, Disabled 1.1.0
Automate implementation of approved change notifications CMA_C1196 - Automate implementation of approved change notifications Manual, Disabled 1.1.0
Automate process to document implemented changes CMA_C1195 - Automate process to document implemented changes Manual, Disabled 1.1.0
Automate process to highlight unreviewed change proposals CMA_C1193 - Automate process to highlight unreviewed change proposals Manual, Disabled 1.1.0
Automate process to prohibit implementation of unapproved changes CMA_C1194 - Automate process to prohibit implementation of unapproved changes Manual, Disabled 1.1.0
Automate proposed documented changes CMA_C1191 - Automate proposed documented changes Manual, Disabled 1.1.0
Conduct a security impact analysis CMA_0057 - Conduct a security impact analysis Manual, Disabled 1.1.0
Develop and document application security requirements CMA_0148 - Develop and document application security requirements Manual, Disabled 1.1.0
Develop and maintain a vulnerability management standard CMA_0152 - Develop and maintain a vulnerability management standard Manual, Disabled 1.1.0
Document the information system environment in acquisition contracts CMA_0205 - Document the information system environment in acquisition contracts Manual, Disabled 1.1.0
Employ a media sanitization mechanism CMA_0208 - Employ a media sanitization mechanism Manual, Disabled 1.1.0
Enforce security configuration settings CMA_0249 - Enforce security configuration settings Manual, Disabled 1.1.0
Establish a risk management strategy CMA_0258 - Establish a risk management strategy Manual, Disabled 1.1.0
Establish a secure software development program CMA_0259 - Establish a secure software development program Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Establish configuration management requirements for developers CMA_0270 - Establish configuration management requirements for developers Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Implement physical security for offices, working areas, and secure areas CMA_0323 - Implement physical security for offices, working areas, and secure areas Manual, Disabled 1.1.0
Install an alarm system CMA_0338 - Install an alarm system Manual, Disabled 1.1.0
Manage nonlocal maintenance and diagnostic activities CMA_0364 - Manage nonlocal maintenance and diagnostic activities Manual, Disabled 1.1.0
Perform a privacy impact assessment CMA_0387 - Perform a privacy impact assessment Manual, Disabled 1.1.0
Perform a risk assessment CMA_0388 - Perform a risk assessment Manual, Disabled 1.1.0
Perform audit for configuration change control CMA_0390 - Perform audit for configuration change control Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0
Require developers to document approved changes and potential impact CMA_C1597 - Require developers to document approved changes and potential impact Manual, Disabled 1.1.0
Require developers to implement only approved changes CMA_C1596 - Require developers to implement only approved changes Manual, Disabled 1.1.0
Require developers to manage change integrity CMA_C1595 - Require developers to manage change integrity Manual, Disabled 1.1.0

Protection of equipment

ID: ENS v1 mp.eq.3 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adopt biometric authentication mechanisms CMA_0005 - Adopt biometric authentication mechanisms Manual, Disabled 1.1.0
Assess information security events CMA_0013 - Assess information security events Manual, Disabled 1.1.0
Authorize remote access CMA_0024 - Authorize remote access Manual, Disabled 1.1.0
Communicate contingency plan changes CMA_C1249 - Communicate contingency plan changes Manual, Disabled 1.1.0
Coordinate contingency plans with related plans CMA_0086 - Coordinate contingency plans with related plans Manual, Disabled 1.1.0
Correlate audit records CMA_0087 - Correlate audit records Manual, Disabled 1.1.0
Create separate alternate and primary storage sites CMA_C1269 - Create separate alternate and primary storage sites Manual, Disabled 1.1.0
Define mobile device requirements CMA_0122 - Define mobile device requirements Manual, Disabled 1.1.0
Develop an incident response plan CMA_0145 - Develop an incident response plan Manual, Disabled 1.1.0
Develop and document a business continuity and disaster recovery plan CMA_0146 - Develop and document a business continuity and disaster recovery plan Manual, Disabled 1.1.0
Develop contingency plan CMA_C1244 - Develop contingency plan Manual, Disabled 1.1.0
Develop contingency planning policies and procedures CMA_0156 - Develop contingency planning policies and procedures Manual, Disabled 1.1.0
Develop security safeguards CMA_0161 - Develop security safeguards Manual, Disabled 1.1.0
Distribute policies and procedures CMA_0185 - Distribute policies and procedures Manual, Disabled 1.1.0
Document and implement wireless access guidelines CMA_0190 - Document and implement wireless access guidelines Manual, Disabled 1.1.0
Document mobility training CMA_0191 - Document mobility training Manual, Disabled 1.1.0
Document remote access guidelines CMA_0196 - Document remote access guidelines Manual, Disabled 1.1.0
Document security and privacy training activities CMA_0198 - Document security and privacy training activities Manual, Disabled 1.1.0
Employ automated training environment CMA_C1357 - Employ automated training environment Manual, Disabled 1.1.0
Enable network protection CMA_0238 - Enable network protection Manual, Disabled 1.1.0
Ensure alternate storage site safeguards are equivalent to primary site CMA_C1268 - Ensure alternate storage site safeguards are equivalent to primary site Manual, Disabled 1.1.0
Ensure information system fails in known state CMA_C1662 - Ensure information system fails in known state Manual, Disabled 1.1.0
Ensure security safeguards not needed when the individuals return CMA_C1183 - Ensure security safeguards not needed when the individuals return Manual, Disabled 1.1.0
Eradicate contaminated information CMA_0253 - Eradicate contaminated information Manual, Disabled 1.1.0
Establish alternate storage site to store and retrieve backup information CMA_C1267 - Establish alternate storage site to store and retrieve backup information Manual, Disabled 1.1.0
Establish an alternate processing site CMA_0262 - Establish an alternate processing site Manual, Disabled 1.1.0
Establish information security workforce development and improvement program CMA_C1752 - Establish information security workforce development and improvement program Manual, Disabled 1.1.0
Establish requirements for audit review and reporting CMA_0277 - Establish requirements for audit review and reporting Manual, Disabled 1.1.0
Establish terms and conditions for accessing resources CMA_C1076 - Establish terms and conditions for accessing resources Manual, Disabled 1.1.0
Establish terms and conditions for processing resources CMA_C1077 - Establish terms and conditions for processing resources Manual, Disabled 1.1.0
Execute actions in response to information spills CMA_0281 - Execute actions in response to information spills Manual, Disabled 1.1.0
Identify and authenticate network devices CMA_0296 - Identify and authenticate network devices Manual, Disabled 1.1.0
Identify and mitigate potential issues at alternate storage site CMA_C1271 - Identify and mitigate potential issues at alternate storage site Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Implement controls to secure alternate work sites CMA_0315 - Implement controls to secure alternate work sites Manual, Disabled 1.1.0
Implement incident handling CMA_0318 - Implement incident handling Manual, Disabled 1.1.0
Integrate audit review, analysis, and reporting CMA_0339 - Integrate audit review, analysis, and reporting Manual, Disabled 1.1.0
Integrate cloud app security with a siem CMA_0340 - Integrate cloud app security with a siem Manual, Disabled 1.1.0
Maintain incident response plan CMA_0352 - Maintain incident response plan Manual, Disabled 1.1.0
Manage the transportation of assets CMA_0370 - Manage the transportation of assets Manual, Disabled 1.1.0
Monitor access across the organization CMA_0376 - Monitor access across the organization Manual, Disabled 1.1.0
Monitor security and privacy training completion CMA_0379 - Monitor security and privacy training completion Manual, Disabled 1.1.0
Not allow for information systems to accompany with individuals CMA_C1182 - Not allow for information systems to accompany with individuals Manual, Disabled 1.1.0
Notify users of system logon or access CMA_0382 - Notify users of system logon or access Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Plan for continuance of essential business functions CMA_C1255 - Plan for continuance of essential business functions Manual, Disabled 1.1.0
Plan for resumption of essential business functions CMA_C1253 - Plan for resumption of essential business functions Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Protect wireless access CMA_0411 - Protect wireless access Manual, Disabled 1.1.0
Provide contingency training CMA_0412 - Provide contingency training Manual, Disabled 1.1.0
Provide information spillage training CMA_0413 - Provide information spillage training Manual, Disabled 1.1.0
Provide periodic role-based security training CMA_C1095 - Provide periodic role-based security training Manual, Disabled 1.1.0
Provide periodic security awareness training CMA_C1091 - Provide periodic security awareness training Manual, Disabled 1.1.0
Provide role-based security training CMA_C1094 - Provide role-based security training Manual, Disabled 1.1.0
Provide security training before providing access CMA_0418 - Provide security training before providing access Manual, Disabled 1.1.0
Provide security training for new users CMA_0419 - Provide security training for new users Manual, Disabled 1.1.0
Report atypical behavior of user accounts CMA_C1025 - Report atypical behavior of user accounts Manual, Disabled 1.1.0
Resume all mission and business functions CMA_C1254 - Resume all mission and business functions Manual, Disabled 1.1.0
Retain training records CMA_0456 - Retain training records Manual, Disabled 1.1.0
Review account provisioning logs CMA_0460 - Review account provisioning logs Manual, Disabled 1.1.0
Review administrator assignments weekly CMA_0461 - Review administrator assignments weekly Manual, Disabled 1.1.0
Review audit data CMA_0466 - Review audit data Manual, Disabled 1.1.0
Review cloud identity report overview CMA_0468 - Review cloud identity report overview Manual, Disabled 1.1.0
Review contingency plan CMA_C1247 - Review contingency plan Manual, Disabled 1.1.0
Review controlled folder access events CMA_0471 - Review controlled folder access events Manual, Disabled 1.1.0
Review file and folder activity CMA_0473 - Review file and folder activity Manual, Disabled 1.1.0
Review role group changes weekly CMA_0476 - Review role group changes weekly Manual, Disabled 1.1.0
Train personnel on disclosure of nonpublic information CMA_C1084 - Train personnel on disclosure of nonpublic information Manual, Disabled 1.1.0
Update contingency plan CMA_C1248 - Update contingency plan Manual, Disabled 1.1.0
Verify security controls for external information systems CMA_0541 - Verify security controls for external information systems Manual, Disabled 1.1.0
View and investigate restricted users CMA_0545 - View and investigate restricted users Manual, Disabled 1.1.0

Protection of equipment

ID: ENS v1 mp.eq.4 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adopt biometric authentication mechanisms CMA_0005 - Adopt biometric authentication mechanisms Manual, Disabled 1.1.0
Authorize remote access CMA_0024 - Authorize remote access Manual, Disabled 1.1.0
Categorize information CMA_0052 - Categorize information Manual, Disabled 1.1.0
Communicate contingency plan changes CMA_C1249 - Communicate contingency plan changes Manual, Disabled 1.1.0
Coordinate contingency plans with related plans CMA_0086 - Coordinate contingency plans with related plans Manual, Disabled 1.1.0
Create separate alternate and primary storage sites CMA_C1269 - Create separate alternate and primary storage sites Manual, Disabled 1.1.0
Define mobile device requirements CMA_0122 - Define mobile device requirements Manual, Disabled 1.1.0
Develop and document a business continuity and disaster recovery plan CMA_0146 - Develop and document a business continuity and disaster recovery plan Manual, Disabled 1.1.0
Develop business classification schemes CMA_0155 - Develop business classification schemes Manual, Disabled 1.1.0
Develop contingency plan CMA_C1244 - Develop contingency plan Manual, Disabled 1.1.0
Develop contingency planning policies and procedures CMA_0156 - Develop contingency planning policies and procedures Manual, Disabled 1.1.0
Distribute policies and procedures CMA_0185 - Distribute policies and procedures Manual, Disabled 1.1.0
Document and implement wireless access guidelines CMA_0190 - Document and implement wireless access guidelines Manual, Disabled 1.1.0
Document mobility training CMA_0191 - Document mobility training Manual, Disabled 1.1.0
Document remote access guidelines CMA_0196 - Document remote access guidelines Manual, Disabled 1.1.0
Ensure alternate storage site safeguards are equivalent to primary site CMA_C1268 - Ensure alternate storage site safeguards are equivalent to primary site Manual, Disabled 1.1.0
Ensure information system fails in known state CMA_C1662 - Ensure information system fails in known state Manual, Disabled 1.1.0
Ensure security categorization is approved CMA_C1540 - Ensure security categorization is approved Manual, Disabled 1.1.0
Establish alternate storage site to store and retrieve backup information CMA_C1267 - Establish alternate storage site to store and retrieve backup information Manual, Disabled 1.1.0
Establish an alternate processing site CMA_0262 - Establish an alternate processing site Manual, Disabled 1.1.0
Identify and authenticate network devices CMA_0296 - Identify and authenticate network devices Manual, Disabled 1.1.0
Identify and mitigate potential issues at alternate storage site CMA_C1271 - Identify and mitigate potential issues at alternate storage site Manual, Disabled 1.1.0
Implement controls to secure alternate work sites CMA_0315 - Implement controls to secure alternate work sites Manual, Disabled 1.1.0
Monitor access across the organization CMA_0376 - Monitor access across the organization Manual, Disabled 1.1.0
Notify users of system logon or access CMA_0382 - Notify users of system logon or access Manual, Disabled 1.1.0
Plan for continuance of essential business functions CMA_C1255 - Plan for continuance of essential business functions Manual, Disabled 1.1.0
Plan for resumption of essential business functions CMA_C1253 - Plan for resumption of essential business functions Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Protect wireless access CMA_0411 - Protect wireless access Manual, Disabled 1.1.0
Provide privacy training CMA_0415 - Provide privacy training Manual, Disabled 1.1.0
Resume all mission and business functions CMA_C1254 - Resume all mission and business functions Manual, Disabled 1.1.0
Review contingency plan CMA_C1247 - Review contingency plan Manual, Disabled 1.1.0
Review label activity and analytics CMA_0474 - Review label activity and analytics Manual, Disabled 1.1.0
SQL databases should have vulnerability findings resolved Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. AuditIfNotExists, Disabled 4.1.0
Update contingency plan CMA_C1248 - Update contingency plan Manual, Disabled 1.1.0

Protection of facilities and infrastructure

ID: ENS v1 mp.if.1 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adopt biometric authentication mechanisms CMA_0005 - Adopt biometric authentication mechanisms Manual, Disabled 1.1.0
Control physical access CMA_0081 - Control physical access Manual, Disabled 1.1.0
Coordinate contingency plans with related plans CMA_0086 - Coordinate contingency plans with related plans Manual, Disabled 1.1.0
Create separate alternate and primary storage sites CMA_C1269 - Create separate alternate and primary storage sites Manual, Disabled 1.1.0
Define a physical key management process CMA_0115 - Define a physical key management process Manual, Disabled 1.1.0
Define requirements for managing assets CMA_0125 - Define requirements for managing assets Manual, Disabled 1.1.0
Designate personnel to supervise unauthorized maintenance activities CMA_C1422 - Designate personnel to supervise unauthorized maintenance activities Manual, Disabled 1.1.0
Ensure alternate storage site safeguards are equivalent to primary site CMA_C1268 - Ensure alternate storage site safeguards are equivalent to primary site Manual, Disabled 1.1.0
Ensure information system fails in known state CMA_C1662 - Ensure information system fails in known state Manual, Disabled 1.1.0
Establish alternate storage site to store and retrieve backup information CMA_C1267 - Establish alternate storage site to store and retrieve backup information Manual, Disabled 1.1.0
Establish an alternate processing site CMA_0262 - Establish an alternate processing site Manual, Disabled 1.1.0
Establish and maintain an asset inventory CMA_0266 - Establish and maintain an asset inventory Manual, Disabled 1.1.0
Identify and mitigate potential issues at alternate storage site CMA_C1271 - Identify and mitigate potential issues at alternate storage site Manual, Disabled 1.1.0
Implement physical security for offices, working areas, and secure areas CMA_0323 - Implement physical security for offices, working areas, and secure areas Manual, Disabled 1.1.0
Install an alarm system CMA_0338 - Install an alarm system Manual, Disabled 1.1.0
Maintain list of authorized remote maintenance personnel CMA_C1420 - Maintain list of authorized remote maintenance personnel Manual, Disabled 1.1.0
Manage a secure surveillance camera system CMA_0354 - Manage a secure surveillance camera system Manual, Disabled 1.1.0
Manage maintenance personnel CMA_C1421 - Manage maintenance personnel Manual, Disabled 1.1.0
Manage the input, output, processing, and storage of data CMA_0369 - Manage the input, output, processing, and storage of data Manual, Disabled 1.1.0
Manage the transportation of assets CMA_0370 - Manage the transportation of assets Manual, Disabled 1.1.0
Plan for continuance of essential business functions CMA_C1255 - Plan for continuance of essential business functions Manual, Disabled 1.1.0
Review and update contingency planning policies and procedures CMA_C1243 - Review and update contingency planning policies and procedures Manual, Disabled 1.1.0
Review and update physical and environmental policies and procedures CMA_C1446 - Review and update physical and environmental policies and procedures Manual, Disabled 1.1.0

Protection of facilities and infrastructure

ID: ENS v1 mp.if.2 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control physical access CMA_0081 - Control physical access Manual, Disabled 1.1.0
Coordinate contingency plans with related plans CMA_0086 - Coordinate contingency plans with related plans Manual, Disabled 1.1.0
Define a physical key management process CMA_0115 - Define a physical key management process Manual, Disabled 1.1.0
Designate personnel to supervise unauthorized maintenance activities CMA_C1422 - Designate personnel to supervise unauthorized maintenance activities Manual, Disabled 1.1.0
Establish and maintain an asset inventory CMA_0266 - Establish and maintain an asset inventory Manual, Disabled 1.1.0
Implement physical security for offices, working areas, and secure areas CMA_0323 - Implement physical security for offices, working areas, and secure areas Manual, Disabled 1.1.0
Install an alarm system CMA_0338 - Install an alarm system Manual, Disabled 1.1.0
Maintain list of authorized remote maintenance personnel CMA_C1420 - Maintain list of authorized remote maintenance personnel Manual, Disabled 1.1.0
Manage a secure surveillance camera system CMA_0354 - Manage a secure surveillance camera system Manual, Disabled 1.1.0
Manage maintenance personnel CMA_C1421 - Manage maintenance personnel Manual, Disabled 1.1.0
Manage the input, output, processing, and storage of data CMA_0369 - Manage the input, output, processing, and storage of data Manual, Disabled 1.1.0
Review and update contingency planning policies and procedures CMA_C1243 - Review and update contingency planning policies and procedures Manual, Disabled 1.1.0
Review and update physical and environmental policies and procedures CMA_C1446 - Review and update physical and environmental policies and procedures Manual, Disabled 1.1.0

Protection of facilities and infrastructure

ID: ENS v1 mp.if.3 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control physical access CMA_0081 - Control physical access Manual, Disabled 1.1.0
Coordinate contingency plans with related plans CMA_0086 - Coordinate contingency plans with related plans Manual, Disabled 1.1.0
Create separate alternate and primary storage sites CMA_C1269 - Create separate alternate and primary storage sites Manual, Disabled 1.1.0
Define a physical key management process CMA_0115 - Define a physical key management process Manual, Disabled 1.1.0
Employ automatic emergency lighting CMA_0209 - Employ automatic emergency lighting Manual, Disabled 1.1.0
Ensure alternate storage site safeguards are equivalent to primary site CMA_C1268 - Ensure alternate storage site safeguards are equivalent to primary site Manual, Disabled 1.1.0
Ensure information system fails in known state CMA_C1662 - Ensure information system fails in known state Manual, Disabled 1.1.0
Establish alternate storage site to store and retrieve backup information CMA_C1267 - Establish alternate storage site to store and retrieve backup information Manual, Disabled 1.1.0
Establish an alternate processing site CMA_0262 - Establish an alternate processing site Manual, Disabled 1.1.0
Establish and maintain an asset inventory CMA_0266 - Establish and maintain an asset inventory Manual, Disabled 1.1.0
Establish requirements for internet service providers CMA_0278 - Establish requirements for internet service providers Manual, Disabled 1.1.0
Identify and mitigate potential issues at alternate storage site CMA_C1271 - Identify and mitigate potential issues at alternate storage site Manual, Disabled 1.1.0
Implement physical security for offices, working areas, and secure areas CMA_0323 - Implement physical security for offices, working areas, and secure areas Manual, Disabled 1.1.0
Install an alarm system CMA_0338 - Install an alarm system Manual, Disabled 1.1.0
Manage the input, output, processing, and storage of data CMA_0369 - Manage the input, output, processing, and storage of data Manual, Disabled 1.1.0
Plan for continuance of essential business functions CMA_C1255 - Plan for continuance of essential business functions Manual, Disabled 1.1.0
Review and update contingency planning policies and procedures CMA_C1243 - Review and update contingency planning policies and procedures Manual, Disabled 1.1.0
Review and update physical and environmental policies and procedures CMA_C1446 - Review and update physical and environmental policies and procedures Manual, Disabled 1.1.0

Protection of facilities and infrastructure

ID: ENS v1 mp.if.4 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control physical access CMA_0081 - Control physical access Manual, Disabled 1.1.0
Employ automatic emergency lighting CMA_0209 - Employ automatic emergency lighting Manual, Disabled 1.1.0
Establish requirements for internet service providers CMA_0278 - Establish requirements for internet service providers Manual, Disabled 1.1.0
Implement physical security for offices, working areas, and secure areas CMA_0323 - Implement physical security for offices, working areas, and secure areas Manual, Disabled 1.1.0
Initiate contingency plan testing corrective actions CMA_C1263 - Initiate contingency plan testing corrective actions Manual, Disabled 1.1.0
Manage the input, output, processing, and storage of data CMA_0369 - Manage the input, output, processing, and storage of data Manual, Disabled 1.1.0
Review the results of contingency plan testing CMA_C1262 - Review the results of contingency plan testing Manual, Disabled 1.1.0
Test the business continuity and disaster recovery plan CMA_0509 - Test the business continuity and disaster recovery plan Manual, Disabled 1.1.0

Protection of facilities and infrastructure

ID: ENS v1 mp.if.5 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adopt biometric authentication mechanisms CMA_0005 - Adopt biometric authentication mechanisms Manual, Disabled 1.1.0
Control physical access CMA_0081 - Control physical access Manual, Disabled 1.1.0
Coordinate contingency plans with related plans CMA_0086 - Coordinate contingency plans with related plans Manual, Disabled 1.1.0
Create separate alternate and primary storage sites CMA_C1269 - Create separate alternate and primary storage sites Manual, Disabled 1.1.0
Define a physical key management process CMA_0115 - Define a physical key management process Manual, Disabled 1.1.0
Ensure alternate storage site safeguards are equivalent to primary site CMA_C1268 - Ensure alternate storage site safeguards are equivalent to primary site Manual, Disabled 1.1.0
Ensure information system fails in known state CMA_C1662 - Ensure information system fails in known state Manual, Disabled 1.1.0
Establish alternate storage site to store and retrieve backup information CMA_C1267 - Establish alternate storage site to store and retrieve backup information Manual, Disabled 1.1.0
Establish an alternate processing site CMA_0262 - Establish an alternate processing site Manual, Disabled 1.1.0
Establish and maintain an asset inventory CMA_0266 - Establish and maintain an asset inventory Manual, Disabled 1.1.0
Identify and mitigate potential issues at alternate storage site CMA_C1271 - Identify and mitigate potential issues at alternate storage site Manual, Disabled 1.1.0
Implement physical security for offices, working areas, and secure areas CMA_0323 - Implement physical security for offices, working areas, and secure areas Manual, Disabled 1.1.0
Install an alarm system CMA_0338 - Install an alarm system Manual, Disabled 1.1.0
Plan for continuance of essential business functions CMA_C1255 - Plan for continuance of essential business functions Manual, Disabled 1.1.0
Review and update contingency planning policies and procedures CMA_C1243 - Review and update contingency planning policies and procedures Manual, Disabled 1.1.0
Review and update physical and environmental policies and procedures CMA_C1446 - Review and update physical and environmental policies and procedures Manual, Disabled 1.1.0

Protection of facilities and infrastructure

ID: ENS v1 mp.if.6 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adopt biometric authentication mechanisms CMA_0005 - Adopt biometric authentication mechanisms Manual, Disabled 1.1.0
Control physical access CMA_0081 - Control physical access Manual, Disabled 1.1.0
Coordinate contingency plans with related plans CMA_0086 - Coordinate contingency plans with related plans Manual, Disabled 1.1.0
Create separate alternate and primary storage sites CMA_C1269 - Create separate alternate and primary storage sites Manual, Disabled 1.1.0
Define a physical key management process CMA_0115 - Define a physical key management process Manual, Disabled 1.1.0
Ensure alternate storage site safeguards are equivalent to primary site CMA_C1268 - Ensure alternate storage site safeguards are equivalent to primary site Manual, Disabled 1.1.0
Ensure information system fails in known state CMA_C1662 - Ensure information system fails in known state Manual, Disabled 1.1.0
Establish alternate storage site to store and retrieve backup information CMA_C1267 - Establish alternate storage site to store and retrieve backup information Manual, Disabled 1.1.0
Establish an alternate processing site CMA_0262 - Establish an alternate processing site Manual, Disabled 1.1.0
Establish and maintain an asset inventory CMA_0266 - Establish and maintain an asset inventory Manual, Disabled 1.1.0
Identify and mitigate potential issues at alternate storage site CMA_C1271 - Identify and mitigate potential issues at alternate storage site Manual, Disabled 1.1.0
Implement physical security for offices, working areas, and secure areas CMA_0323 - Implement physical security for offices, working areas, and secure areas Manual, Disabled 1.1.0
Install an alarm system CMA_0338 - Install an alarm system Manual, Disabled 1.1.0
Plan for continuance of essential business functions CMA_C1255 - Plan for continuance of essential business functions Manual, Disabled 1.1.0
Review and update contingency planning policies and procedures CMA_C1243 - Review and update contingency planning policies and procedures Manual, Disabled 1.1.0
Review and update physical and environmental policies and procedures CMA_C1446 - Review and update physical and environmental policies and procedures Manual, Disabled 1.1.0

Protection of facilities and infrastructure

ID: ENS v1 mp.if.7 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adopt biometric authentication mechanisms CMA_0005 - Adopt biometric authentication mechanisms Manual, Disabled 1.1.0
Control physical access CMA_0081 - Control physical access Manual, Disabled 1.1.0
Coordinate contingency plans with related plans CMA_0086 - Coordinate contingency plans with related plans Manual, Disabled 1.1.0
Define a physical key management process CMA_0115 - Define a physical key management process Manual, Disabled 1.1.0
Designate personnel to supervise unauthorized maintenance activities CMA_C1422 - Designate personnel to supervise unauthorized maintenance activities Manual, Disabled 1.1.0
Establish and maintain an asset inventory CMA_0266 - Establish and maintain an asset inventory Manual, Disabled 1.1.0
Implement physical security for offices, working areas, and secure areas CMA_0323 - Implement physical security for offices, working areas, and secure areas Manual, Disabled 1.1.0
Maintain list of authorized remote maintenance personnel CMA_C1420 - Maintain list of authorized remote maintenance personnel Manual, Disabled 1.1.0
Manage maintenance personnel CMA_C1421 - Manage maintenance personnel Manual, Disabled 1.1.0
Manage the input, output, processing, and storage of data CMA_0369 - Manage the input, output, processing, and storage of data Manual, Disabled 1.1.0
Review and update contingency planning policies and procedures CMA_C1243 - Review and update contingency planning policies and procedures Manual, Disabled 1.1.0
Review and update physical and environmental policies and procedures CMA_C1446 - Review and update physical and environmental policies and procedures Manual, Disabled 1.1.0

Information protection

ID: ENS v1 mp.info.1 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control physical access CMA_0081 - Control physical access Manual, Disabled 1.1.0
Develop access control policies and procedures CMA_0144 - Develop access control policies and procedures Manual, Disabled 1.1.0
Develop and establish a system security plan CMA_0151 - Develop and establish a system security plan Manual, Disabled 1.1.0
Develop audit and accountability policies and procedures CMA_0154 - Develop audit and accountability policies and procedures Manual, Disabled 1.1.0
Develop information security policies and procedures CMA_0158 - Develop information security policies and procedures Manual, Disabled 1.1.0
Document security and privacy training activities CMA_0198 - Document security and privacy training activities Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
Establish a privacy program CMA_0257 - Establish a privacy program Manual, Disabled 1.1.0
Establish a risk management strategy CMA_0258 - Establish a risk management strategy Manual, Disabled 1.1.0
Establish an information security program CMA_0263 - Establish an information security program Manual, Disabled 1.1.0
Establish security requirements for the manufacturing of connected devices CMA_0279 - Establish security requirements for the manufacturing of connected devices Manual, Disabled 1.1.0
Govern policies and procedures CMA_0292 - Govern policies and procedures Manual, Disabled 1.1.0
Implement security engineering principles of information systems CMA_0325 - Implement security engineering principles of information systems Manual, Disabled 1.1.0
Manage compliance activities CMA_0358 - Manage compliance activities Manual, Disabled 1.1.0
Manage the input, output, processing, and storage of data CMA_0369 - Manage the input, output, processing, and storage of data Manual, Disabled 1.1.0
Protect the information security program plan CMA_C1732 - Protect the information security program plan Manual, Disabled 1.1.0
Review access control policies and procedures CMA_0457 - Review access control policies and procedures Manual, Disabled 1.1.0
Review and update configuration management policies and procedures CMA_C1175 - Review and update configuration management policies and procedures Manual, Disabled 1.1.0
Review and update contingency planning policies and procedures CMA_C1243 - Review and update contingency planning policies and procedures Manual, Disabled 1.1.0
Review and update incident response policies and procedures CMA_C1352 - Review and update incident response policies and procedures Manual, Disabled 1.1.0
Review and update information integrity policies and procedures CMA_C1667 - Review and update information integrity policies and procedures Manual, Disabled 1.1.0
Review and update media protection policies and procedures CMA_C1427 - Review and update media protection policies and procedures Manual, Disabled 1.1.0
Review and update personnel security policies and procedures CMA_C1507 - Review and update personnel security policies and procedures Manual, Disabled 1.1.0
Review and update physical and environmental policies and procedures CMA_C1446 - Review and update physical and environmental policies and procedures Manual, Disabled 1.1.0
Review and update planning policies and procedures CMA_C1491 - Review and update planning policies and procedures Manual, Disabled 1.1.0
Review and update risk assessment policies and procedures CMA_C1537 - Review and update risk assessment policies and procedures Manual, Disabled 1.1.0
Review and update system and communications protection policies and procedures CMA_C1616 - Review and update system and communications protection policies and procedures Manual, Disabled 1.1.0
Review and update system and services acquisition policies and procedures CMA_C1560 - Review and update system and services acquisition policies and procedures Manual, Disabled 1.1.0
Review and update system maintenance policies and procedures CMA_C1395 - Review and update system maintenance policies and procedures Manual, Disabled 1.1.0
Review label activity and analytics CMA_0474 - Review label activity and analytics Manual, Disabled 1.1.0
Review security assessment and authorization policies and procedures CMA_C1143 - Review security assessment and authorization policies and procedures Manual, Disabled 1.1.0
Update information security policies CMA_0518 - Update information security policies Manual, Disabled 1.1.0
Update privacy plan, policies, and procedures CMA_C1807 - Update privacy plan, policies, and procedures Manual, Disabled 1.1.0

Information protection

ID: ENS v1 mp.info.2 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authorize remote access CMA_0024 - Authorize remote access Manual, Disabled 1.1.0
Categorize information CMA_0052 - Categorize information Manual, Disabled 1.1.0
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Control information flow CMA_0079 - Control information flow Manual, Disabled 1.1.0
Control physical access CMA_0081 - Control physical access Manual, Disabled 1.1.0
Create a data inventory CMA_0096 - Create a data inventory Manual, Disabled 1.1.0
Define mobile device requirements CMA_0122 - Define mobile device requirements Manual, Disabled 1.1.0
Develop acceptable use policies and procedures CMA_0143 - Develop acceptable use policies and procedures Manual, Disabled 1.1.0
Develop access control policies and procedures CMA_0144 - Develop access control policies and procedures Manual, Disabled 1.1.0
Develop business classification schemes CMA_0155 - Develop business classification schemes Manual, Disabled 1.1.0
Document and implement wireless access guidelines CMA_0190 - Document and implement wireless access guidelines Manual, Disabled 1.1.0
Document mobility training CMA_0191 - Document mobility training Manual, Disabled 1.1.0
Document remote access guidelines CMA_0196 - Document remote access guidelines Manual, Disabled 1.1.0
Employ flow control mechanisms of encrypted information CMA_0211 - Employ flow control mechanisms of encrypted information Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
Enforce rules of behavior and access agreements CMA_0248 - Enforce rules of behavior and access agreements Manual, Disabled 1.1.0
Ensure security categorization is approved CMA_C1540 - Ensure security categorization is approved Manual, Disabled 1.1.0
Establish firewall and router configuration standards CMA_0272 - Establish firewall and router configuration standards Manual, Disabled 1.1.0
Establish network segmentation for card holder data environment CMA_0273 - Establish network segmentation for card holder data environment Manual, Disabled 1.1.0
Establish terms and conditions for accessing resources CMA_C1076 - Establish terms and conditions for accessing resources Manual, Disabled 1.1.0
Establish terms and conditions for processing resources CMA_C1077 - Establish terms and conditions for processing resources Manual, Disabled 1.1.0
Explicitly notify use of collaborative computing devices CMA_C1649 - Explicitly notify use of collaborative computing devices Manual, Disabled 1.1.1
Govern policies and procedures CMA_0292 - Govern policies and procedures Manual, Disabled 1.1.0
Identify and manage downstream information exchanges CMA_0298 - Identify and manage downstream information exchanges Manual, Disabled 1.1.0
Implement a fault tolerant name/address service CMA_0305 - Implement a fault tolerant name/address service Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Implement controls to secure alternate work sites CMA_0315 - Implement controls to secure alternate work sites Manual, Disabled 1.1.0
Implement managed interface for each external service CMA_C1626 - Implement managed interface for each external service Manual, Disabled 1.1.0
Implement system boundary protection CMA_0328 - Implement system boundary protection Manual, Disabled 1.1.0
Information flow control using security policy filters CMA_C1029 - Information flow control using security policy filters Manual, Disabled 1.1.0
Maintain records of processing of personal data CMA_0353 - Maintain records of processing of personal data Manual, Disabled 1.1.0
Manage the input, output, processing, and storage of data CMA_0369 - Manage the input, output, processing, and storage of data Manual, Disabled 1.1.0
Produce, control and distribute asymmetric cryptographic keys CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys Manual, Disabled 1.1.0
Prohibit remote activation of collaborative computing devices CMA_C1648 - Prohibit remote activation of collaborative computing devices Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0
Protect wireless access CMA_0411 - Protect wireless access Manual, Disabled 1.1.0
Provide privacy training CMA_0415 - Provide privacy training Manual, Disabled 1.1.0
Provide secure name and address resolution services CMA_0416 - Provide secure name and address resolution services Manual, Disabled 1.1.0
Require interconnection security agreements CMA_C1151 - Require interconnection security agreements Manual, Disabled 1.1.0
Review access control policies and procedures CMA_0457 - Review access control policies and procedures Manual, Disabled 1.1.0
Review label activity and analytics CMA_0474 - Review label activity and analytics Manual, Disabled 1.1.0
Secure the interface to external systems CMA_0491 - Secure the interface to external systems Manual, Disabled 1.1.0
Update interconnection security agreements CMA_0519 - Update interconnection security agreements Manual, Disabled 1.1.0
Verify security controls for external information systems CMA_0541 - Verify security controls for external information systems Manual, Disabled 1.1.0

Information protection

ID: ENS v1 mp.info.3 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 4.1.0
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 4.1.0
Authenticate to cryptographic module CMA_0021 - Authenticate to cryptographic module Manual, Disabled 1.1.0
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Authorize remote access CMA_0024 - Authorize remote access Manual, Disabled 1.1.0
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Control information flow CMA_0079 - Control information flow Manual, Disabled 1.1.0
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. deployIfNotExists 1.2.0
Document and distribute a privacy policy CMA_0188 - Document and distribute a privacy policy Manual, Disabled 1.1.0
Employ boundary protection to isolate information systems CMA_C1639 - Employ boundary protection to isolate information systems Manual, Disabled 1.1.0
Employ flow control mechanisms of encrypted information CMA_0211 - Employ flow control mechanisms of encrypted information Manual, Disabled 1.1.0
Enforce logical access CMA_0245 - Enforce logical access Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
Enforce user uniqueness CMA_0250 - Enforce user uniqueness Manual, Disabled 1.1.0
Establish firewall and router configuration standards CMA_0272 - Establish firewall and router configuration standards Manual, Disabled 1.1.0
Establish network segmentation for card holder data environment CMA_0273 - Establish network segmentation for card holder data environment Manual, Disabled 1.1.0
Identify and authenticate non-organizational users CMA_C1346 - Identify and authenticate non-organizational users Manual, Disabled 1.1.0
Identify and manage downstream information exchanges CMA_0298 - Identify and manage downstream information exchanges Manual, Disabled 1.1.0
Implement a fault tolerant name/address service CMA_0305 - Implement a fault tolerant name/address service Manual, Disabled 1.1.0
Implement privacy notice delivery methods CMA_0324 - Implement privacy notice delivery methods Manual, Disabled 1.1.0
Implement system boundary protection CMA_0328 - Implement system boundary protection Manual, Disabled 1.1.0
Information flow control using security policy filters CMA_C1029 - Information flow control using security policy filters Manual, Disabled 1.1.0
Prevent split tunneling for remote devices CMA_C1632 - Prevent split tunneling for remote devices Manual, Disabled 1.1.0
Produce, control and distribute asymmetric cryptographic keys CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0
Provide privacy notice CMA_0414 - Provide privacy notice Manual, Disabled 1.1.0
Provide secure name and address resolution services CMA_0416 - Provide secure name and address resolution services Manual, Disabled 1.1.0
Require approval for account creation CMA_0431 - Require approval for account creation Manual, Disabled 1.1.0
Restrict communications CMA_0449 - Restrict communications Manual, Disabled 1.1.0
Review and update system and communications protection policies and procedures CMA_C1616 - Review and update system and communications protection policies and procedures Manual, Disabled 1.1.0
Review user groups and applications with access to sensitive data CMA_0481 - Review user groups and applications with access to sensitive data Manual, Disabled 1.1.0
Secure the interface to external systems CMA_0491 - Secure the interface to external systems Manual, Disabled 1.1.0
Secure transfer to storage accounts should be enabled Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Audit, Deny, Disabled 2.0.0
Separate user and information system management functionality CMA_0493 - Separate user and information system management functionality Manual, Disabled 1.1.0
Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed Audit, Deny, Disabled 1.1.0
Support personal verification credentials issued by legal authorities CMA_0507 - Support personal verification credentials issued by legal authorities Manual, Disabled 1.1.0
Use dedicated machines for administrative tasks CMA_0527 - Use dedicated machines for administrative tasks Manual, Disabled 1.1.0

Information protection

ID: ENS v1 mp.info.4 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit diagnostic setting for selected resource types Audit diagnostic setting for selected resource types. Be sure to select only resource types which support diagnostics settings. AuditIfNotExists 2.0.1
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Authorize remote access CMA_0024 - Authorize remote access Manual, Disabled 1.1.0
Compile Audit records into system wide audit CMA_C1140 - Compile Audit records into system wide audit Manual, Disabled 1.1.0
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Control information flow CMA_0079 - Control information flow Manual, Disabled 1.1.0
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0
Dependency agent should be enabled for listed virtual machine images Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated. AuditIfNotExists, Disabled 2.0.0
Employ boundary protection to isolate information systems CMA_C1639 - Employ boundary protection to isolate information systems Manual, Disabled 1.1.0
Employ flow control mechanisms of encrypted information CMA_0211 - Employ flow control mechanisms of encrypted information Manual, Disabled 1.1.0
Enforce logical access CMA_0245 - Enforce logical access Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
Enforce user uniqueness CMA_0250 - Enforce user uniqueness Manual, Disabled 1.1.0
Establish firewall and router configuration standards CMA_0272 - Establish firewall and router configuration standards Manual, Disabled 1.1.0
Establish network segmentation for card holder data environment CMA_0273 - Establish network segmentation for card holder data environment Manual, Disabled 1.1.0
Identify and authenticate non-organizational users CMA_C1346 - Identify and authenticate non-organizational users Manual, Disabled 1.1.0
Identify and manage downstream information exchanges CMA_0298 - Identify and manage downstream information exchanges Manual, Disabled 1.1.0
Implement a fault tolerant name/address service CMA_0305 - Implement a fault tolerant name/address service Manual, Disabled 1.1.0
Implement system boundary protection CMA_0328 - Implement system boundary protection Manual, Disabled 1.1.0
Information flow control using security policy filters CMA_C1029 - Information flow control using security policy filters Manual, Disabled 1.1.0
Prevent split tunneling for remote devices CMA_C1632 - Prevent split tunneling for remote devices Manual, Disabled 1.1.0
Produce, control and distribute asymmetric cryptographic keys CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0
Provide secure name and address resolution services CMA_0416 - Provide secure name and address resolution services Manual, Disabled 1.1.0
Require approval for account creation CMA_0431 - Require approval for account creation Manual, Disabled 1.1.0
Review user groups and applications with access to sensitive data CMA_0481 - Review user groups and applications with access to sensitive data Manual, Disabled 1.1.0
Secure the interface to external systems CMA_0491 - Secure the interface to external systems Manual, Disabled 1.1.0
Separate user and information system management functionality CMA_0493 - Separate user and information system management functionality Manual, Disabled 1.1.0
Support personal verification credentials issued by legal authorities CMA_0507 - Support personal verification credentials issued by legal authorities Manual, Disabled 1.1.0
Use dedicated machines for administrative tasks CMA_0527 - Use dedicated machines for administrative tasks Manual, Disabled 1.1.0
Use system clocks for audit records CMA_0535 - Use system clocks for audit records Manual, Disabled 1.1.0

Information protection

ID: ENS v1 mp.info.5 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control physical access CMA_0081 - Control physical access Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Manage the input, output, processing, and storage of data CMA_0369 - Manage the input, output, processing, and storage of data Manual, Disabled 1.1.0
Review label activity and analytics CMA_0474 - Review label activity and analytics Manual, Disabled 1.1.0

Information protection

ID: ENS v1 mp.info.6 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Configure backup for blobs on storage accounts with a given tag to an existing backup vault in the same region Enforce backup for blobs on all storage accounts that contain a given tag to a central backup vault. Doing this can help you manage backup of blobs contained across multiple storage accounts at scale. For more details, refer to https://aka.ms/AB-BlobBackupAzPolicies DeployIfNotExists, AuditIfNotExists, Disabled 2.0.0-preview
[Preview]: Configure blob backup for all storage accounts that do not contain a given tag to a backup vault in the same region Enforce backup for blobs on all storage accounts that do not contain a given tag to a central backup vault. Doing this can help you manage backup of blobs contained across multiple storage accounts at scale. For more details, refer to https://aka.ms/AB-BlobBackupAzPolicies DeployIfNotExists, AuditIfNotExists, Disabled 2.0.0-preview
Adhere to retention periods defined CMA_0004 - Adhere to retention periods defined Manual, Disabled 1.1.0
Azure Backup should be enabled for Virtual Machines Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. AuditIfNotExists, Disabled 3.0.0
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Communicate contingency plan changes CMA_C1249 - Communicate contingency plan changes Manual, Disabled 1.1.0
Conduct backup of information system documentation CMA_C1289 - Conduct backup of information system documentation Manual, Disabled 1.1.0
Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 9.4.0
Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 9.4.0
Control maintenance and repair activities CMA_0080 - Control maintenance and repair activities Manual, Disabled 1.1.0
Control use of portable storage devices CMA_0083 - Control use of portable storage devices Manual, Disabled 1.1.0
Coordinate contingency plans with related plans CMA_0086 - Coordinate contingency plans with related plans Manual, Disabled 1.1.0
Create separate alternate and primary storage sites CMA_C1269 - Create separate alternate and primary storage sites Manual, Disabled 1.1.0
Define requirements for managing assets CMA_0125 - Define requirements for managing assets Manual, Disabled 1.1.0
Develop access control policies and procedures CMA_0144 - Develop access control policies and procedures Manual, Disabled 1.1.0
Develop and document a business continuity and disaster recovery plan CMA_0146 - Develop and document a business continuity and disaster recovery plan Manual, Disabled 1.1.0
Develop and establish a system security plan CMA_0151 - Develop and establish a system security plan Manual, Disabled 1.1.0
Develop audit and accountability policies and procedures CMA_0154 - Develop audit and accountability policies and procedures Manual, Disabled 1.1.0
Develop contingency plan CMA_C1244 - Develop contingency plan Manual, Disabled 1.1.0
Develop contingency planning policies and procedures CMA_0156 - Develop contingency planning policies and procedures Manual, Disabled 1.1.0
Develop information security policies and procedures CMA_0158 - Develop information security policies and procedures Manual, Disabled 1.1.0
Distribute policies and procedures CMA_0185 - Distribute policies and procedures Manual, Disabled 1.1.0
Document security and privacy training activities CMA_0198 - Document security and privacy training activities Manual, Disabled 1.1.0
Employ a media sanitization mechanism CMA_0208 - Employ a media sanitization mechanism Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
Ensure information system fails in known state CMA_C1662 - Ensure information system fails in known state Manual, Disabled 1.1.0
Establish a privacy program CMA_0257 - Establish a privacy program Manual, Disabled 1.1.0
Establish a risk management strategy CMA_0258 - Establish a risk management strategy Manual, Disabled 1.1.0
Establish an alternate processing site CMA_0262 - Establish an alternate processing site Manual, Disabled 1.1.0
Establish an information security program CMA_0263 - Establish an information security program Manual, Disabled 1.1.0
Establish backup policies and procedures CMA_0268 - Establish backup policies and procedures Manual, Disabled 1.1.0
Establish security requirements for the manufacturing of connected devices CMA_0279 - Establish security requirements for the manufacturing of connected devices Manual, Disabled 1.1.0
Govern policies and procedures CMA_0292 - Govern policies and procedures Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Implement security engineering principles of information systems CMA_0325 - Implement security engineering principles of information systems Manual, Disabled 1.1.0
Implement transaction based recovery CMA_C1296 - Implement transaction based recovery Manual, Disabled 1.1.0
Manage nonlocal maintenance and diagnostic activities CMA_0364 - Manage nonlocal maintenance and diagnostic activities Manual, Disabled 1.1.0
Manage the transportation of assets CMA_0370 - Manage the transportation of assets Manual, Disabled 1.1.0
Perform disposition review CMA_0391 - Perform disposition review Manual, Disabled 1.1.0
Plan for continuance of essential business functions CMA_C1255 - Plan for continuance of essential business functions Manual, Disabled 1.1.0
Plan for resumption of essential business functions CMA_C1253 - Plan for resumption of essential business functions Manual, Disabled 1.1.0
Protect the information security program plan CMA_C1732 - Protect the information security program plan Manual, Disabled 1.1.0
Restrict media use CMA_0450 - Restrict media use Manual, Disabled 1.1.0
Resume all mission and business functions CMA_C1254 - Resume all mission and business functions Manual, Disabled 1.1.0
Review access control policies and procedures CMA_0457 - Review access control policies and procedures Manual, Disabled 1.1.0
Review and update configuration management policies and procedures CMA_C1175 - Review and update configuration management policies and procedures Manual, Disabled 1.1.0
Review and update contingency planning policies and procedures CMA_C1243 - Review and update contingency planning policies and procedures Manual, Disabled 1.1.0
Review and update incident response policies and procedures CMA_C1352 - Review and update incident response policies and procedures Manual, Disabled 1.1.0
Review and update information integrity policies and procedures CMA_C1667 - Review and update information integrity policies and procedures Manual, Disabled 1.1.0
Review and update media protection policies and procedures CMA_C1427 - Review and update media protection policies and procedures Manual, Disabled 1.1.0
Review and update personnel security policies and procedures CMA_C1507 - Review and update personnel security policies and procedures Manual, Disabled 1.1.0
Review and update physical and environmental policies and procedures CMA_C1446 - Review and update physical and environmental policies and procedures Manual, Disabled 1.1.0
Review and update planning policies and procedures CMA_C1491 - Review and update planning policies and procedures Manual, Disabled 1.1.0
Review and update risk assessment policies and procedures CMA_C1537 - Review and update risk assessment policies and procedures Manual, Disabled 1.1.0
Review and update system and communications protection policies and procedures CMA_C1616 - Review and update system and communications protection policies and procedures Manual, Disabled 1.1.0
Review and update system and services acquisition policies and procedures CMA_C1560 - Review and update system and services acquisition policies and procedures Manual, Disabled 1.1.0
Review and update system maintenance policies and procedures CMA_C1395 - Review and update system maintenance policies and procedures Manual, Disabled 1.1.0
Review contingency plan CMA_C1247 - Review contingency plan Manual, Disabled 1.1.0
Review security assessment and authorization policies and procedures CMA_C1143 - Review security assessment and authorization policies and procedures Manual, Disabled 1.1.0
Separately store backup information CMA_C1293 - Separately store backup information Manual, Disabled 1.1.0
Transfer backup information to an alternate storage site CMA_C1294 - Transfer backup information to an alternate storage site Manual, Disabled 1.1.0
Update contingency plan CMA_C1248 - Update contingency plan Manual, Disabled 1.1.0
Update information security policies CMA_0518 - Update information security policies Manual, Disabled 1.1.0
Update privacy plan, policies, and procedures CMA_C1807 - Update privacy plan, policies, and procedures Manual, Disabled 1.1.0
Verify personal data is deleted at the end of processing CMA_0540 - Verify personal data is deleted at the end of processing Manual, Disabled 1.1.0

Staff management

ID: ENS v1 mp.per.1 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Clear personnel with access to classified information CMA_0054 - Clear personnel with access to classified information Manual, Disabled 1.1.0
Determine supplier contract obligations CMA_0140 - Determine supplier contract obligations Manual, Disabled 1.1.0
Develop acceptable use policies and procedures CMA_0143 - Develop acceptable use policies and procedures Manual, Disabled 1.1.0
Develop security safeguards CMA_0161 - Develop security safeguards Manual, Disabled 1.1.0
Document acquisition contract acceptance criteria CMA_0187 - Document acquisition contract acceptance criteria Manual, Disabled 1.1.0
Document organizational access agreements CMA_0192 - Document organizational access agreements Manual, Disabled 1.1.0
Document personnel acceptance of privacy requirements CMA_0193 - Document personnel acceptance of privacy requirements Manual, Disabled 1.1.0
Document protection of personal data in acquisition contracts CMA_0194 - Document protection of personal data in acquisition contracts Manual, Disabled 1.1.0
Document protection of security information in acquisition contracts CMA_0195 - Document protection of security information in acquisition contracts Manual, Disabled 1.1.0
Document requirements for the use of shared data in contracts CMA_0197 - Document requirements for the use of shared data in contracts Manual, Disabled 1.1.0
Document security and privacy training activities CMA_0198 - Document security and privacy training activities Manual, Disabled 1.1.0
Document security assurance requirements in acquisition contracts CMA_0199 - Document security assurance requirements in acquisition contracts Manual, Disabled 1.1.0
Document security documentation requirements in acquisition contract CMA_0200 - Document security documentation requirements in acquisition contract Manual, Disabled 1.1.0
Document security functional requirements in acquisition contracts CMA_0201 - Document security functional requirements in acquisition contracts Manual, Disabled 1.1.0
Document security strength requirements in acquisition contracts CMA_0203 - Document security strength requirements in acquisition contracts Manual, Disabled 1.1.0
Document the information system environment in acquisition contracts CMA_0205 - Document the information system environment in acquisition contracts Manual, Disabled 1.1.0
Document the protection of cardholder data in third party contracts CMA_0207 - Document the protection of cardholder data in third party contracts Manual, Disabled 1.1.0
Employ automated training environment CMA_C1357 - Employ automated training environment Manual, Disabled 1.1.0
Enforce rules of behavior and access agreements CMA_0248 - Enforce rules of behavior and access agreements Manual, Disabled 1.1.0
Ensure access agreements are signed or resigned timely CMA_C1528 - Ensure access agreements are signed or resigned timely Manual, Disabled 1.1.0
Ensure privacy program information is publicly available CMA_C1867 - Ensure privacy program information is publicly available Manual, Disabled 1.1.0
Establish a privacy program CMA_0257 - Establish a privacy program Manual, Disabled 1.1.0
Establish information security workforce development and improvement program CMA_C1752 - Establish information security workforce development and improvement program Manual, Disabled 1.1.0
Implement personnel screening CMA_0322 - Implement personnel screening Manual, Disabled 1.1.0
Implement privacy notice delivery methods CMA_0324 - Implement privacy notice delivery methods Manual, Disabled 1.1.0
Monitor security and privacy training completion CMA_0379 - Monitor security and privacy training completion Manual, Disabled 1.1.0
Obtain consent prior to collection or processing of personal data CMA_0385 - Obtain consent prior to collection or processing of personal data Manual, Disabled 1.1.0
Provide contingency training CMA_0412 - Provide contingency training Manual, Disabled 1.1.0
Provide information spillage training CMA_0413 - Provide information spillage training Manual, Disabled 1.1.0
Provide periodic role-based security training CMA_C1095 - Provide periodic role-based security training Manual, Disabled 1.1.0
Provide periodic security awareness training CMA_C1091 - Provide periodic security awareness training Manual, Disabled 1.1.0
Provide privacy notice CMA_0414 - Provide privacy notice Manual, Disabled 1.1.0
Provide privacy training CMA_0415 - Provide privacy training Manual, Disabled 1.1.0
Provide role-based security training CMA_C1094 - Provide role-based security training Manual, Disabled 1.1.0
Provide security training before providing access CMA_0418 - Provide security training before providing access Manual, Disabled 1.1.0
Provide security training for new users CMA_0419 - Provide security training for new users Manual, Disabled 1.1.0
Require users to sign access agreement CMA_0440 - Require users to sign access agreement Manual, Disabled 1.1.0
Rescreen individuals at a defined frequency CMA_C1512 - Rescreen individuals at a defined frequency Manual, Disabled 1.1.0
Retain training records CMA_0456 - Retain training records Manual, Disabled 1.1.0
Train personnel on disclosure of nonpublic information CMA_C1084 - Train personnel on disclosure of nonpublic information Manual, Disabled 1.1.0
Update organizational access agreements CMA_0520 - Update organizational access agreements Manual, Disabled 1.1.0

Staff management

ID: ENS v1 mp.per.2 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Conduct exit interview upon termination CMA_0058 - Conduct exit interview upon termination Manual, Disabled 1.1.0
Determine supplier contract obligations CMA_0140 - Determine supplier contract obligations Manual, Disabled 1.1.0
Develop acceptable use policies and procedures CMA_0143 - Develop acceptable use policies and procedures Manual, Disabled 1.1.0
Develop organization code of conduct policy CMA_0159 - Develop organization code of conduct policy Manual, Disabled 1.1.0
Develop security safeguards CMA_0161 - Develop security safeguards Manual, Disabled 1.1.0
Disable authenticators upon termination CMA_0169 - Disable authenticators upon termination Manual, Disabled 1.1.0
Document acquisition contract acceptance criteria CMA_0187 - Document acquisition contract acceptance criteria Manual, Disabled 1.1.0
Document organizational access agreements CMA_0192 - Document organizational access agreements Manual, Disabled 1.1.0
Document personnel acceptance of privacy requirements CMA_0193 - Document personnel acceptance of privacy requirements Manual, Disabled 1.1.0
Document protection of personal data in acquisition contracts CMA_0194 - Document protection of personal data in acquisition contracts Manual, Disabled 1.1.0
Document protection of security information in acquisition contracts CMA_0195 - Document protection of security information in acquisition contracts Manual, Disabled 1.1.0
Document requirements for the use of shared data in contracts CMA_0197 - Document requirements for the use of shared data in contracts Manual, Disabled 1.1.0
Document security assurance requirements in acquisition contracts CMA_0199 - Document security assurance requirements in acquisition contracts Manual, Disabled 1.1.0
Document security documentation requirements in acquisition contract CMA_0200 - Document security documentation requirements in acquisition contract Manual, Disabled 1.1.0
Document security functional requirements in acquisition contracts CMA_0201 - Document security functional requirements in acquisition contracts Manual, Disabled 1.1.0
Document security strength requirements in acquisition contracts CMA_0203 - Document security strength requirements in acquisition contracts Manual, Disabled 1.1.0
Document the information system environment in acquisition contracts CMA_0205 - Document the information system environment in acquisition contracts Manual, Disabled 1.1.0
Document the protection of cardholder data in third party contracts CMA_0207 - Document the protection of cardholder data in third party contracts Manual, Disabled 1.1.0
Enforce rules of behavior and access agreements CMA_0248 - Enforce rules of behavior and access agreements Manual, Disabled 1.1.0
Ensure access agreements are signed or resigned timely CMA_C1528 - Ensure access agreements are signed or resigned timely Manual, Disabled 1.1.0
Ensure privacy program information is publicly available CMA_C1867 - Ensure privacy program information is publicly available Manual, Disabled 1.1.0
Establish a privacy program CMA_0257 - Establish a privacy program Manual, Disabled 1.1.0
Implement formal sanctions process CMA_0317 - Implement formal sanctions process Manual, Disabled 1.1.0
Implement privacy notice delivery methods CMA_0324 - Implement privacy notice delivery methods Manual, Disabled 1.1.0
Initiate transfer or reassignment actions CMA_0333 - Initiate transfer or reassignment actions Manual, Disabled 1.1.0
Modify access authorizations upon personnel transfer CMA_0374 - Modify access authorizations upon personnel transfer Manual, Disabled 1.1.0
Notify personnel upon sanctions CMA_0380 - Notify personnel upon sanctions Manual, Disabled 1.1.0
Notify upon termination or transfer CMA_0381 - Notify upon termination or transfer Manual, Disabled 1.1.0
Obtain consent prior to collection or processing of personal data CMA_0385 - Obtain consent prior to collection or processing of personal data Manual, Disabled 1.1.0
Prohibit unfair practices CMA_0396 - Prohibit unfair practices Manual, Disabled 1.1.0
Protect against and prevent data theft from departing employees CMA_0398 - Protect against and prevent data theft from departing employees Manual, Disabled 1.1.0
Provide privacy notice CMA_0414 - Provide privacy notice Manual, Disabled 1.1.0
Reevaluate access upon personnel transfer CMA_0424 - Reevaluate access upon personnel transfer Manual, Disabled 1.1.0
Require users to sign access agreement CMA_0440 - Require users to sign access agreement Manual, Disabled 1.1.0
Retain terminated user data CMA_0455 - Retain terminated user data Manual, Disabled 1.1.0
Review and sign revised rules of behavior CMA_0465 - Review and sign revised rules of behavior Manual, Disabled 1.1.0
Update information security policies CMA_0518 - Update information security policies Manual, Disabled 1.1.0
Update organizational access agreements CMA_0520 - Update organizational access agreements Manual, Disabled 1.1.0
Update rules of behavior and access agreements CMA_0521 - Update rules of behavior and access agreements Manual, Disabled 1.1.0
Update rules of behavior and access agreements every 3 years CMA_0522 - Update rules of behavior and access agreements every 3 years Manual, Disabled 1.1.0

Staff management

ID: ENS v1 mp.per.3 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop acceptable use policies and procedures CMA_0143 - Develop acceptable use policies and procedures Manual, Disabled 1.1.0
Document security and privacy training activities CMA_0198 - Document security and privacy training activities Manual, Disabled 1.1.0
Employ automated training environment CMA_C1357 - Employ automated training environment Manual, Disabled 1.1.0
Enforce rules of behavior and access agreements CMA_0248 - Enforce rules of behavior and access agreements Manual, Disabled 1.1.0
Establish information security workforce development and improvement program CMA_C1752 - Establish information security workforce development and improvement program Manual, Disabled 1.1.0
Monitor security and privacy training completion CMA_0379 - Monitor security and privacy training completion Manual, Disabled 1.1.0
Provide contingency training CMA_0412 - Provide contingency training Manual, Disabled 1.1.0
Provide information spillage training CMA_0413 - Provide information spillage training Manual, Disabled 1.1.0
Provide periodic role-based security training CMA_C1095 - Provide periodic role-based security training Manual, Disabled 1.1.0
Provide periodic security awareness training CMA_C1091 - Provide periodic security awareness training Manual, Disabled 1.1.0
Provide role-based security training CMA_C1094 - Provide role-based security training Manual, Disabled 1.1.0
Provide security training before providing access CMA_0418 - Provide security training before providing access Manual, Disabled 1.1.0
Provide security training for new users CMA_0419 - Provide security training for new users Manual, Disabled 1.1.0
Retain training records CMA_0456 - Retain training records Manual, Disabled 1.1.0
Train personnel on disclosure of nonpublic information CMA_C1084 - Train personnel on disclosure of nonpublic information Manual, Disabled 1.1.0

Staff management

ID: ENS v1 mp.per.4 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Document personnel acceptance of privacy requirements CMA_0193 - Document personnel acceptance of privacy requirements Manual, Disabled 1.1.0
Document security and privacy training activities CMA_0198 - Document security and privacy training activities Manual, Disabled 1.1.0
Employ automated training environment CMA_C1357 - Employ automated training environment Manual, Disabled 1.1.0
Establish information security workforce development and improvement program CMA_C1752 - Establish information security workforce development and improvement program Manual, Disabled 1.1.0
Monitor security and privacy training completion CMA_0379 - Monitor security and privacy training completion Manual, Disabled 1.1.0
Provide contingency training CMA_0412 - Provide contingency training Manual, Disabled 1.1.0
Provide information spillage training CMA_0413 - Provide information spillage training Manual, Disabled 1.1.0
Provide periodic role-based security training CMA_C1095 - Provide periodic role-based security training Manual, Disabled 1.1.0
Provide periodic security awareness training CMA_C1091 - Provide periodic security awareness training Manual, Disabled 1.1.0
Provide role-based security training CMA_C1094 - Provide role-based security training Manual, Disabled 1.1.0
Provide security training before providing access CMA_0418 - Provide security training before providing access Manual, Disabled 1.1.0
Provide security training for new users CMA_0419 - Provide security training for new users Manual, Disabled 1.1.0
Retain training records CMA_0456 - Retain training records Manual, Disabled 1.1.0
Train personnel on disclosure of nonpublic information CMA_C1084 - Train personnel on disclosure of nonpublic information Manual, Disabled 1.1.0

Protection of services

ID: ENS v1 mp.s.1 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Control information flow CMA_0079 - Control information flow Manual, Disabled 1.1.0
Determine supplier contract obligations CMA_0140 - Determine supplier contract obligations Manual, Disabled 1.1.0
Develop acceptable use policies and procedures CMA_0143 - Develop acceptable use policies and procedures Manual, Disabled 1.1.0
Develop security safeguards CMA_0161 - Develop security safeguards Manual, Disabled 1.1.0
Document acquisition contract acceptance criteria CMA_0187 - Document acquisition contract acceptance criteria Manual, Disabled 1.1.0
Document organizational access agreements CMA_0192 - Document organizational access agreements Manual, Disabled 1.1.0
Document personnel acceptance of privacy requirements CMA_0193 - Document personnel acceptance of privacy requirements Manual, Disabled 1.1.0
Document protection of personal data in acquisition contracts CMA_0194 - Document protection of personal data in acquisition contracts Manual, Disabled 1.1.0
Document protection of security information in acquisition contracts CMA_0195 - Document protection of security information in acquisition contracts Manual, Disabled 1.1.0
Document requirements for the use of shared data in contracts CMA_0197 - Document requirements for the use of shared data in contracts Manual, Disabled 1.1.0
Document security and privacy training activities CMA_0198 - Document security and privacy training activities Manual, Disabled 1.1.0
Document security assurance requirements in acquisition contracts CMA_0199 - Document security assurance requirements in acquisition contracts Manual, Disabled 1.1.0
Document security documentation requirements in acquisition contract CMA_0200 - Document security documentation requirements in acquisition contract Manual, Disabled 1.1.0
Document security functional requirements in acquisition contracts CMA_0201 - Document security functional requirements in acquisition contracts Manual, Disabled 1.1.0
Document security strength requirements in acquisition contracts CMA_0203 - Document security strength requirements in acquisition contracts Manual, Disabled 1.1.0
Document the information system environment in acquisition contracts CMA_0205 - Document the information system environment in acquisition contracts Manual, Disabled 1.1.0
Document the protection of cardholder data in third party contracts CMA_0207 - Document the protection of cardholder data in third party contracts Manual, Disabled 1.1.0
Employ automated training environment CMA_C1357 - Employ automated training environment Manual, Disabled 1.1.0
Enforce rules of behavior and access agreements CMA_0248 - Enforce rules of behavior and access agreements Manual, Disabled 1.1.0
Ensure access agreements are signed or resigned timely CMA_C1528 - Ensure access agreements are signed or resigned timely Manual, Disabled 1.1.0
Ensure privacy program information is publicly available CMA_C1867 - Ensure privacy program information is publicly available Manual, Disabled 1.1.0
Establish a privacy program CMA_0257 - Establish a privacy program Manual, Disabled 1.1.0
Establish firewall and router configuration standards CMA_0272 - Establish firewall and router configuration standards Manual, Disabled 1.1.0
Establish information security workforce development and improvement program CMA_C1752 - Establish information security workforce development and improvement program Manual, Disabled 1.1.0
Establish network segmentation for card holder data environment CMA_0273 - Establish network segmentation for card holder data environment Manual, Disabled 1.1.0
Identify and manage downstream information exchanges CMA_0298 - Identify and manage downstream information exchanges Manual, Disabled 1.1.0
Implement a fault tolerant name/address service CMA_0305 - Implement a fault tolerant name/address service Manual, Disabled 1.1.0
Implement privacy notice delivery methods CMA_0324 - Implement privacy notice delivery methods Manual, Disabled 1.1.0
Monitor security and privacy training completion CMA_0379 - Monitor security and privacy training completion Manual, Disabled 1.1.0
Obtain consent prior to collection or processing of personal data CMA_0385 - Obtain consent prior to collection or processing of personal data Manual, Disabled 1.1.0
Produce, control and distribute asymmetric cryptographic keys CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0
Provide contingency training CMA_0412 - Provide contingency training Manual, Disabled 1.1.0
Provide information spillage training CMA_0413 - Provide information spillage training Manual, Disabled 1.1.0
Provide periodic role-based security training CMA_C1095 - Provide periodic role-based security training Manual, Disabled 1.1.0
Provide periodic security awareness training CMA_C1091 - Provide periodic security awareness training Manual, Disabled 1.1.0
Provide privacy notice CMA_0414 - Provide privacy notice Manual, Disabled 1.1.0
Provide privacy training CMA_0415 - Provide privacy training Manual, Disabled 1.1.0
Provide role-based security training CMA_C1094 - Provide role-based security training Manual, Disabled 1.1.0
Provide secure name and address resolution services CMA_0416 - Provide secure name and address resolution services Manual, Disabled 1.1.0
Provide security training before providing access CMA_0418 - Provide security training before providing access Manual, Disabled 1.1.0
Provide security training for new users CMA_0419 - Provide security training for new users Manual, Disabled 1.1.0
Require users to sign access agreement CMA_0440 - Require users to sign access agreement Manual, Disabled 1.1.0
Retain training records CMA_0456 - Retain training records Manual, Disabled 1.1.0
Train personnel on disclosure of nonpublic information CMA_C1084 - Train personnel on disclosure of nonpublic information Manual, Disabled 1.1.0
Update organizational access agreements CMA_0520 - Update organizational access agreements Manual, Disabled 1.1.0

Protection of services

ID: ENS v1 mp.s.2 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 4.1.0
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 4.1.0
Assign account managers CMA_0015 - Assign account managers Manual, Disabled 1.1.0
Audit privileged functions CMA_0019 - Audit privileged functions Manual, Disabled 1.1.0
Audit usage of custom RBAC roles Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling Audit, Disabled 1.0.1
Audit user account status CMA_0020 - Audit user account status Manual, Disabled 1.1.0
Authorize remote access CMA_0024 - Authorize remote access Manual, Disabled 1.1.0
Automate account management CMA_0026 - Automate account management Manual, Disabled 1.1.0
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Control information flow CMA_0079 - Control information flow Manual, Disabled 1.1.0
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0
Define information system account types CMA_0121 - Define information system account types Manual, Disabled 1.1.0
Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. deployIfNotExists 3.1.0
Design an access control model CMA_0129 - Design an access control model Manual, Disabled 1.1.0
Determine supplier contract obligations CMA_0140 - Determine supplier contract obligations Manual, Disabled 1.1.0
Develop access control policies and procedures CMA_0144 - Develop access control policies and procedures Manual, Disabled 1.1.0
Develop and establish a system security plan CMA_0151 - Develop and establish a system security plan Manual, Disabled 1.1.0
Develop audit and accountability policies and procedures CMA_0154 - Develop audit and accountability policies and procedures Manual, Disabled 1.1.0
Develop information security policies and procedures CMA_0158 - Develop information security policies and procedures Manual, Disabled 1.1.0
Disable authenticators upon termination CMA_0169 - Disable authenticators upon termination Manual, Disabled 1.1.0
Document access privileges CMA_0186 - Document access privileges Manual, Disabled 1.1.0
Document acquisition contract acceptance criteria CMA_0187 - Document acquisition contract acceptance criteria Manual, Disabled 1.1.0
Document protection of personal data in acquisition contracts CMA_0194 - Document protection of personal data in acquisition contracts Manual, Disabled 1.1.0
Document protection of security information in acquisition contracts CMA_0195 - Document protection of security information in acquisition contracts Manual, Disabled 1.1.0
Document requirements for the use of shared data in contracts CMA_0197 - Document requirements for the use of shared data in contracts Manual, Disabled 1.1.0
Document security and privacy training activities CMA_0198 - Document security and privacy training activities Manual, Disabled 1.1.0
Document security assurance requirements in acquisition contracts CMA_0199 - Document security assurance requirements in acquisition contracts Manual, Disabled 1.1.0
Document security documentation requirements in acquisition contract CMA_0200 - Document security documentation requirements in acquisition contract Manual, Disabled 1.1.0
Document security functional requirements in acquisition contracts CMA_0201 - Document security functional requirements in acquisition contracts Manual, Disabled 1.1.0
Document security strength requirements in acquisition contracts CMA_0203 - Document security strength requirements in acquisition contracts Manual, Disabled 1.1.0
Document the information system environment in acquisition contracts CMA_0205 - Document the information system environment in acquisition contracts Manual, Disabled 1.1.0
Document the protection of cardholder data in third party contracts CMA_0207 - Document the protection of cardholder data in third party contracts Manual, Disabled 1.1.0
Employ boundary protection to isolate information systems CMA_C1639 - Employ boundary protection to isolate information systems Manual, Disabled 1.1.0
Employ flow control mechanisms of encrypted information CMA_0211 - Employ flow control mechanisms of encrypted information Manual, Disabled 1.1.0
Employ least privilege access CMA_0212 - Employ least privilege access Manual, Disabled 1.1.0
Enforce logical access CMA_0245 - Enforce logical access Manual, Disabled 1.1.0
Enforce user uniqueness CMA_0250 - Enforce user uniqueness Manual, Disabled 1.1.0
Establish a password policy CMA_0256 - Establish a password policy Manual, Disabled 1.1.0
Establish a privacy program CMA_0257 - Establish a privacy program Manual, Disabled 1.1.0
Establish an information security program CMA_0263 - Establish an information security program Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Establish authenticator types and processes CMA_0267 - Establish authenticator types and processes Manual, Disabled 1.1.0
Establish conditions for role membership CMA_0269 - Establish conditions for role membership Manual, Disabled 1.1.0
Establish firewall and router configuration standards CMA_0272 - Establish firewall and router configuration standards Manual, Disabled 1.1.0
Establish network segmentation for card holder data environment CMA_0273 - Establish network segmentation for card holder data environment Manual, Disabled 1.1.0
Establish privacy requirements for contractors and service providers CMA_C1810 - Establish privacy requirements for contractors and service providers Manual, Disabled 1.1.0
Establish procedures for initial authenticator distribution CMA_0276 - Establish procedures for initial authenticator distribution Manual, Disabled 1.1.0
Establish security requirements for the manufacturing of connected devices CMA_0279 - Establish security requirements for the manufacturing of connected devices Manual, Disabled 1.1.0
Govern policies and procedures CMA_0292 - Govern policies and procedures Manual, Disabled 1.1.0
Identify and authenticate non-organizational users CMA_C1346 - Identify and authenticate non-organizational users Manual, Disabled 1.1.0
Identify and manage downstream information exchanges CMA_0298 - Identify and manage downstream information exchanges Manual, Disabled 1.1.0
Implement a fault tolerant name/address service CMA_0305 - Implement a fault tolerant name/address service Manual, Disabled 1.1.0
Implement parameters for memorized secret verifiers CMA_0321 - Implement parameters for memorized secret verifiers Manual, Disabled 1.1.0
Implement security engineering principles of information systems CMA_0325 - Implement security engineering principles of information systems Manual, Disabled 1.1.0
Implement system boundary protection CMA_0328 - Implement system boundary protection Manual, Disabled 1.1.0
Implement training for protecting authenticators CMA_0329 - Implement training for protecting authenticators Manual, Disabled 1.1.0
Information flow control using security policy filters CMA_C1029 - Information flow control using security policy filters Manual, Disabled 1.1.0
Limit privileges to make changes in production environment CMA_C1206 - Limit privileges to make changes in production environment Manual, Disabled 1.1.0
Manage authenticator lifetime and reuse CMA_0355 - Manage authenticator lifetime and reuse Manual, Disabled 1.1.0
Manage Authenticators CMA_C1321 - Manage Authenticators Manual, Disabled 1.1.0
Manage compliance activities CMA_0358 - Manage compliance activities Manual, Disabled 1.1.0
Manage system and admin accounts CMA_0368 - Manage system and admin accounts Manual, Disabled 1.1.0
Monitor access across the organization CMA_0376 - Monitor access across the organization Manual, Disabled 1.1.0
Monitor privileged role assignment CMA_0378 - Monitor privileged role assignment Manual, Disabled 1.1.0
Notify Account Managers of customer controlled accounts CMA_C1009 - Notify Account Managers of customer controlled accounts Manual, Disabled 1.1.0
Notify when account is not needed CMA_0383 - Notify when account is not needed Manual, Disabled 1.1.0
Prevent split tunneling for remote devices CMA_C1632 - Prevent split tunneling for remote devices Manual, Disabled 1.1.0
Produce, control and distribute asymmetric cryptographic keys CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys Manual, Disabled 1.1.0
Protect the information security program plan CMA_C1732 - Protect the information security program plan Manual, Disabled 1.1.0
Provide secure name and address resolution services CMA_0416 - Provide secure name and address resolution services Manual, Disabled 1.1.0
Refresh authenticators CMA_0425 - Refresh authenticators Manual, Disabled 1.1.0
Reissue authenticators for changed groups and accounts CMA_0426 - Reissue authenticators for changed groups and accounts Manual, Disabled 1.1.0
Restrict access to privileged accounts CMA_0446 - Restrict access to privileged accounts Manual, Disabled 1.1.0
Review access control policies and procedures CMA_0457 - Review access control policies and procedures Manual, Disabled 1.1.0
Review account provisioning logs CMA_0460 - Review account provisioning logs Manual, Disabled 1.1.0
Review and reevaluate privileges CMA_C1207 - Review and reevaluate privileges Manual, Disabled 1.1.0
Review and update configuration management policies and procedures CMA_C1175 - Review and update configuration management policies and procedures Manual, Disabled 1.1.0
Review and update contingency planning policies and procedures CMA_C1243 - Review and update contingency planning policies and procedures Manual, Disabled 1.1.0
Review and update incident response policies and procedures CMA_C1352 - Review and update incident response policies and procedures Manual, Disabled 1.1.0
Review and update information integrity policies and procedures CMA_C1667 - Review and update information integrity policies and procedures Manual, Disabled 1.1.0
Review and update media protection policies and procedures CMA_C1427 - Review and update media protection policies and procedures Manual, Disabled 1.1.0
Review and update personnel security policies and procedures CMA_C1507 - Review and update personnel security policies and procedures Manual, Disabled 1.1.0
Review and update physical and environmental policies and procedures CMA_C1446 - Review and update physical and environmental policies and procedures Manual, Disabled 1.1.0
Review and update planning policies and procedures CMA_C1491 - Review and update planning policies and procedures Manual, Disabled 1.1.0
Review and update risk assessment policies and procedures CMA_C1537 - Review and update risk assessment policies and procedures Manual, Disabled 1.1.0
Review and update system and communications protection policies and procedures CMA_C1616 - Review and update system and communications protection policies and procedures Manual, Disabled 1.1.0
Review and update system and services acquisition policies and procedures CMA_C1560 - Review and update system and services acquisition policies and procedures Manual, Disabled 1.1.0
Review and update system maintenance policies and procedures CMA_C1395 - Review and update system maintenance policies and procedures Manual, Disabled 1.1.0
Review security assessment and authorization policies and procedures CMA_C1143 - Review security assessment and authorization policies and procedures Manual, Disabled 1.1.0
Review user accounts CMA_0480 - Review user accounts Manual, Disabled 1.1.0
Review user groups and applications with access to sensitive data CMA_0481 - Review user groups and applications with access to sensitive data Manual, Disabled 1.1.0
Revoke privileged roles as appropriate CMA_0483 - Revoke privileged roles as appropriate Manual, Disabled 1.1.0
Secure the interface to external systems CMA_0491 - Secure the interface to external systems Manual, Disabled 1.1.0
Separate user and information system management functionality CMA_0493 - Separate user and information system management functionality Manual, Disabled 1.1.0
Service Fabric clusters should only use Azure Active Directory for client authentication Audit usage of client authentication only via Azure Active Directory in Service Fabric Audit, Deny, Disabled 1.1.0
Support personal verification credentials issued by legal authorities CMA_0507 - Support personal verification credentials issued by legal authorities Manual, Disabled 1.1.0
Terminate customer controlled account credentials CMA_C1022 - Terminate customer controlled account credentials Manual, Disabled 1.1.0
Update information security policies CMA_0518 - Update information security policies Manual, Disabled 1.1.0
Update privacy plan, policies, and procedures CMA_C1807 - Update privacy plan, policies, and procedures Manual, Disabled 1.1.0
Use dedicated machines for administrative tasks CMA_0527 - Use dedicated machines for administrative tasks Manual, Disabled 1.1.0
Use privileged identity management CMA_0533 - Use privileged identity management Manual, Disabled 1.1.0
Verify identity before distributing authenticators CMA_0538 - Verify identity before distributing authenticators Manual, Disabled 1.1.0

Protection of services

ID: ENS v1 mp.s.3 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
App Service app slots should be injected into a virtual network Injecting App Service Apps in a virtual network unlocks advanced App Service networking and security features and provides you with greater control over your network security configuration. Learn more at: https://docs.microsoft.com/azure/app-service/web-sites-integrate-with-vnet. Audit, Deny, Disabled 1.0.0
App Service app slots should use latest 'HTTP Version' Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. AuditIfNotExists, Disabled 1.0.0
App Service apps should be injected into a virtual network Injecting App Service Apps in a virtual network unlocks advanced App Service networking and security features and provides you with greater control over your network security configuration. Learn more at: https://docs.microsoft.com/azure/app-service/web-sites-integrate-with-vnet. Audit, Deny, Disabled 3.0.0
App Service apps should have authentication enabled Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the web app, or authenticate those that have tokens before they reach the web app. AuditIfNotExists, Disabled 2.0.1
App Service apps should use latest 'HTTP Version' Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. AuditIfNotExists, Disabled 4.0.0
Azure Application Gateway should have Resource logs enabled Enable Resource logs for Azure Application Gateway (plus WAF) and stream to a Log Analytics workspace. Get detailed visibility into inbound web traffic and actions taken to mitigate attacks. AuditIfNotExists, Disabled 1.0.0
Azure Defender for App Service should be enabled Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. AuditIfNotExists, Disabled 1.0.3
Azure Front Door should have Resource logs enabled Enable Resource logs for Azure Front Door (plus WAF) and stream to a Log Analytics workspace. Get detailed visibility into inbound web traffic and actions taken to mitigate attacks. AuditIfNotExists, Disabled 1.0.0
Azure Front Door Standard or Premium (Plus WAF) should have resource logs enabled Enable Resource logs for Azure Front Door Standard or Premium (plus WAF) and stream to a Log Analytics workspace. Get detailed visibility into inbound web traffic and actions taken to mitigate attacks. AuditIfNotExists, Disabled 1.0.0
Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. Audit, Disabled 1.0.2
Azure Web Application Firewall on Azure Application Gateway should have request body inspection enabled Ensure that Web Application Firewalls associated to Azure Application Gateways have Request body inspection enabled. This allows the WAF to inspect properties within the HTTP body that may not be evaluated in the HTTP headers, cookies, or URI. Audit, Deny, Disabled 1.0.0
Azure Web Application Firewall on Azure Front Door should have request body inspection enabled Ensure that Web Application Firewalls associated to Azure Front Doors have request body inspection enabled. This allows the WAF to inspect properties within the HTTP body that may not be evaluated in the HTTP headers, cookies, or URI. Audit, Deny, Disabled 1.0.0
Azure Web Application Firewall should be enabled for Azure Front Door entry-points Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. Audit, Deny, Disabled 1.0.2
Azure Web PubSub Service should disable public network access Disabling public network access improves security by ensuring that Azure Web PubSub service isn't exposed on the public internet. Creating private endpoints can limit exposure of Azure Web PubSub service. Learn more at: https://aka.ms/awps/networkacls. Audit, Deny, Disabled 1.0.0
Azure Web PubSub Service should enable diagnostic logs Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 1.0.0
Azure Web PubSub Service should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Azure Web PubSub Service exclusively require Azure Active Directory identities for authentication. Audit, Deny, Disabled 1.0.0
Azure Web PubSub Service should use a SKU that supports private link With supported SKU, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Web PubSub service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/awps/privatelink. Audit, Deny, Disabled 1.0.0
Azure Web PubSub Service should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Web PubSub Service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/awps/privatelink. Audit, Disabled 1.0.0
Configure a private DNS Zone ID for web groupID Configure private DNS zone group to override the DNS resolution for a web groupID private endpoint. DeployIfNotExists, Disabled 1.0.0
Configure a private DNS Zone ID for web_secondary groupID Configure private DNS zone group to override the DNS resolution for a web_secondary groupID private endpoint. DeployIfNotExists, Disabled 1.0.0
Configure Azure Defender for App Service to be enabled Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. DeployIfNotExists, Disabled 1.0.1
Configure Azure Web PubSub Service to disable local authentication Disable local authentication methods so that your Azure Web PubSub Service exclusively requires Azure Active Directory identities for authentication. Modify, Disabled 1.0.0
Configure Azure Web PubSub Service to disable public network access Disable public network access for your Azure Web PubSub resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/awps/networkacls. Modify, Disabled 1.0.0
Configure Azure Web PubSub Service to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Web PubSub service. Learn more at: https://aka.ms/awps/privatelink. DeployIfNotExists, Disabled 1.0.0
Configure Azure Web PubSub Service with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Web PubSub service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/awps/privatelink. DeployIfNotExists, Disabled 1.0.0
Document security and privacy training activities CMA_0198 - Document security and privacy training activities Manual, Disabled 1.1.0
Employ automated training environment CMA_C1357 - Employ automated training environment Manual, Disabled 1.1.0
Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Web PubSub Service (microsoft.signalrservice/webpubsub). DeployIfNotExists, AuditIfNotExists, Disabled 1.2.0
Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Web PubSub Service (microsoft.signalrservice/webpubsub). DeployIfNotExists, AuditIfNotExists, Disabled 1.1.0
Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Web PubSub Service (microsoft.signalrservice/webpubsub). DeployIfNotExists, AuditIfNotExists, Disabled 1.1.0
Enable Rate Limit rule to protect against DDoS attacks on Azure Front Door WAF The Azure Web Application Firewall (WAF) rate limit rule for Azure Front Door controls the number of requests allowed from a particular client IP address to the application during a rate limit duration. Audit, Deny, Disabled 1.0.0
Establish information security workforce development and improvement program CMA_C1752 - Establish information security workforce development and improvement program Manual, Disabled 1.1.0
Function app slots should use latest 'HTTP Version' Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. AuditIfNotExists, Disabled 1.0.0
Function apps should use latest 'HTTP Version' Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. AuditIfNotExists, Disabled 4.0.0
Microsoft Managed Control 1829 - Data Integrity And Data Integrity Board | Publish Agreements on Website Microsoft implements this Data Quality and Integrity control audit 1.0.0
Microsoft Managed Control 1865 - System of Records Notices And Privacy Act Statements | Public Website Publication Microsoft implements this Transparency control audit 1.0.0
Monitor security and privacy training completion CMA_0379 - Monitor security and privacy training completion Manual, Disabled 1.1.0
Provide contingency training CMA_0412 - Provide contingency training Manual, Disabled 1.1.0
Provide information spillage training CMA_0413 - Provide information spillage training Manual, Disabled 1.1.0
Provide periodic role-based security training CMA_C1095 - Provide periodic role-based security training Manual, Disabled 1.1.0
Provide periodic security awareness training CMA_C1091 - Provide periodic security awareness training Manual, Disabled 1.1.0
Provide privacy training CMA_0415 - Provide privacy training Manual, Disabled 1.1.0
Provide role-based security training CMA_C1094 - Provide role-based security training Manual, Disabled 1.1.0
Provide security training before providing access CMA_0418 - Provide security training before providing access Manual, Disabled 1.1.0
Provide security training for new users CMA_0419 - Provide security training for new users Manual, Disabled 1.1.0
Publish Computer Matching Agreements on public website CMA_C1829 - Publish Computer Matching Agreements on public website Manual, Disabled 1.1.0
Retain training records CMA_0456 - Retain training records Manual, Disabled 1.1.0
Train personnel on disclosure of nonpublic information CMA_C1084 - Train personnel on disclosure of nonpublic information Manual, Disabled 1.1.0
Web Application Firewall (WAF) should be enabled for Application Gateway Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. Audit, Deny, Disabled 2.0.0
Web Application Firewall (WAF) should use the specified mode for Application Gateway Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Application Gateway. Audit, Deny, Disabled 1.0.0
Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Azure Front Door Service. Audit, Deny, Disabled 1.0.0

Protection of services

ID: ENS v1 mp.s.4 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure DDoS Protection should be enabled DDoS protection should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. AuditIfNotExists, Disabled 3.0.1
Conduct capacity planning CMA_C1252 - Conduct capacity planning Manual, Disabled 1.1.0
Develop and document a DDoS response plan CMA_0147 - Develop and document a DDoS response plan Manual, Disabled 1.1.0
Enable Rate Limit rule to protect against DDoS attacks on Azure Front Door WAF The Azure Web Application Firewall (WAF) rate limit rule for Azure Front Door controls the number of requests allowed from a particular client IP address to the application during a rate limit duration. Audit, Deny, Disabled 1.0.0
Govern and monitor audit processing activities CMA_0289 - Govern and monitor audit processing activities Manual, Disabled 1.1.0
Public IP addresses should have resource logs enabled for Azure DDoS Protection Enable resource logs for public IP addressess in diagnostic settings to stream to a Log Analytics workspace. Get detailed visibility into attack traffic and actions taken to mitigate DDoS attacks via notifications, reports and flow logs. AuditIfNotExists, DeployIfNotExists, Disabled 1.0.1
Virtual networks should be protected by Azure DDoS Protection Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Protection. For more information, visit https://aka.ms/ddosprotectiondocs. Modify, Audit, Disabled 1.0.1

Protection of information media

ID: ENS v1 mp.si.1 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Categorize information CMA_0052 - Categorize information Manual, Disabled 1.1.0
Control physical access CMA_0081 - Control physical access Manual, Disabled 1.1.0
Develop business classification schemes CMA_0155 - Develop business classification schemes Manual, Disabled 1.1.0
Ensure security categorization is approved CMA_C1540 - Ensure security categorization is approved Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Manage the input, output, processing, and storage of data CMA_0369 - Manage the input, output, processing, and storage of data Manual, Disabled 1.1.0
Review label activity and analytics CMA_0474 - Review label activity and analytics Manual, Disabled 1.1.0

Protection of information media

ID: ENS v1 mp.si.2 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 4.1.0
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 4.1.0
Adhere to retention periods defined CMA_0004 - Adhere to retention periods defined Manual, Disabled 1.1.0
Authenticate to cryptographic module CMA_0021 - Authenticate to cryptographic module Manual, Disabled 1.1.0
Conduct backup of information system documentation CMA_C1289 - Conduct backup of information system documentation Manual, Disabled 1.1.0
Create separate alternate and primary storage sites CMA_C1269 - Create separate alternate and primary storage sites Manual, Disabled 1.1.0
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0
Define mobile device requirements CMA_0122 - Define mobile device requirements Manual, Disabled 1.1.0
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. deployIfNotExists 1.2.0
Document and distribute a privacy policy CMA_0188 - Document and distribute a privacy policy Manual, Disabled 1.1.0
Ensure information system fails in known state CMA_C1662 - Ensure information system fails in known state Manual, Disabled 1.1.0
Ensure security safeguards not needed when the individuals return CMA_C1183 - Ensure security safeguards not needed when the individuals return Manual, Disabled 1.1.0
Establish an alternate processing site CMA_0262 - Establish an alternate processing site Manual, Disabled 1.1.0
Establish backup policies and procedures CMA_0268 - Establish backup policies and procedures Manual, Disabled 1.1.0
Establish terms and conditions for accessing resources CMA_C1076 - Establish terms and conditions for accessing resources Manual, Disabled 1.1.0
Establish terms and conditions for processing resources CMA_C1077 - Establish terms and conditions for processing resources Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Implement controls to secure alternate work sites CMA_0315 - Implement controls to secure alternate work sites Manual, Disabled 1.1.0
Implement privacy notice delivery methods CMA_0324 - Implement privacy notice delivery methods Manual, Disabled 1.1.0
Implement transaction based recovery CMA_C1296 - Implement transaction based recovery Manual, Disabled 1.1.0
Manage the transportation of assets CMA_0370 - Manage the transportation of assets Manual, Disabled 1.1.0
Not allow for information systems to accompany with individuals CMA_C1182 - Not allow for information systems to accompany with individuals Manual, Disabled 1.1.0
Perform disposition review CMA_0391 - Perform disposition review Manual, Disabled 1.1.0
Plan for continuance of essential business functions CMA_C1255 - Plan for continuance of essential business functions Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Provide privacy notice CMA_0414 - Provide privacy notice Manual, Disabled 1.1.0
Restrict communications CMA_0449 - Restrict communications Manual, Disabled 1.1.0
Review and update system and communications protection policies and procedures CMA_C1616 - Review and update system and communications protection policies and procedures Manual, Disabled 1.1.0
Separately store backup information CMA_C1293 - Separately store backup information Manual, Disabled 1.1.0
Transfer backup information to an alternate storage site CMA_C1294 - Transfer backup information to an alternate storage site Manual, Disabled 1.1.0
Verify personal data is deleted at the end of processing CMA_0540 - Verify personal data is deleted at the end of processing Manual, Disabled 1.1.0
Verify security controls for external information systems CMA_0541 - Verify security controls for external information systems Manual, Disabled 1.1.0

Protection of information media

ID: ENS v1 mp.si.3 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Control maintenance and repair activities CMA_0080 - Control maintenance and repair activities Manual, Disabled 1.1.0
Control use of portable storage devices CMA_0083 - Control use of portable storage devices Manual, Disabled 1.1.0
Create a data inventory CMA_0096 - Create a data inventory Manual, Disabled 1.1.0
Define requirements for managing assets CMA_0125 - Define requirements for managing assets Manual, Disabled 1.1.0
Develop acceptable use policies and procedures CMA_0143 - Develop acceptable use policies and procedures Manual, Disabled 1.1.0
Document security and privacy training activities CMA_0198 - Document security and privacy training activities Manual, Disabled 1.1.0
Employ a media sanitization mechanism CMA_0208 - Employ a media sanitization mechanism Manual, Disabled 1.1.0
Employ automated training environment CMA_C1357 - Employ automated training environment Manual, Disabled 1.1.0
Enforce rules of behavior and access agreements CMA_0248 - Enforce rules of behavior and access agreements Manual, Disabled 1.1.0
Establish information security workforce development and improvement program CMA_C1752 - Establish information security workforce development and improvement program Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Maintain records of processing of personal data CMA_0353 - Maintain records of processing of personal data Manual, Disabled 1.1.0
Manage nonlocal maintenance and diagnostic activities CMA_0364 - Manage nonlocal maintenance and diagnostic activities Manual, Disabled 1.1.0
Manage the transportation of assets CMA_0370 - Manage the transportation of assets Manual, Disabled 1.1.0
Monitor security and privacy training completion CMA_0379 - Monitor security and privacy training completion Manual, Disabled 1.1.0
Provide contingency training CMA_0412 - Provide contingency training Manual, Disabled 1.1.0
Provide information spillage training CMA_0413 - Provide information spillage training Manual, Disabled 1.1.0
Provide periodic role-based security training CMA_C1095 - Provide periodic role-based security training Manual, Disabled 1.1.0
Provide periodic security awareness training CMA_C1091 - Provide periodic security awareness training Manual, Disabled 1.1.0
Provide privacy training CMA_0415 - Provide privacy training Manual, Disabled 1.1.0
Provide role-based security training CMA_C1094 - Provide role-based security training Manual, Disabled 1.1.0
Provide security training before providing access CMA_0418 - Provide security training before providing access Manual, Disabled 1.1.0
Provide security training for new users CMA_0419 - Provide security training for new users Manual, Disabled 1.1.0
Restrict media use CMA_0450 - Restrict media use Manual, Disabled 1.1.0
Retain training records CMA_0456 - Retain training records Manual, Disabled 1.1.0
Train personnel on disclosure of nonpublic information CMA_C1084 - Train personnel on disclosure of nonpublic information Manual, Disabled 1.1.0

Protection of information media

ID: ENS v1 mp.si.4 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 4.1.0
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 4.1.0
Adopt biometric authentication mechanisms CMA_0005 - Adopt biometric authentication mechanisms Manual, Disabled 1.1.0
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Control physical access CMA_0081 - Control physical access Manual, Disabled 1.1.0
Control use of portable storage devices CMA_0083 - Control use of portable storage devices Manual, Disabled 1.1.0
Define a physical key management process CMA_0115 - Define a physical key management process Manual, Disabled 1.1.0
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. deployIfNotExists 1.2.0
Designate personnel to supervise unauthorized maintenance activities CMA_C1422 - Designate personnel to supervise unauthorized maintenance activities Manual, Disabled 1.1.0
Document and distribute a privacy policy CMA_0188 - Document and distribute a privacy policy Manual, Disabled 1.1.0
Employ a media sanitization mechanism CMA_0208 - Employ a media sanitization mechanism Manual, Disabled 1.1.0
Establish and maintain an asset inventory CMA_0266 - Establish and maintain an asset inventory Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Implement physical security for offices, working areas, and secure areas CMA_0323 - Implement physical security for offices, working areas, and secure areas Manual, Disabled 1.1.0
Implement privacy notice delivery methods CMA_0324 - Implement privacy notice delivery methods Manual, Disabled 1.1.0
Maintain list of authorized remote maintenance personnel CMA_C1420 - Maintain list of authorized remote maintenance personnel Manual, Disabled 1.1.0
Manage maintenance personnel CMA_C1421 - Manage maintenance personnel Manual, Disabled 1.1.0
Manage the input, output, processing, and storage of data CMA_0369 - Manage the input, output, processing, and storage of data Manual, Disabled 1.1.0
Manage the transportation of assets CMA_0370 - Manage the transportation of assets Manual, Disabled 1.1.0
Provide privacy notice CMA_0414 - Provide privacy notice Manual, Disabled 1.1.0
Restrict communications CMA_0449 - Restrict communications Manual, Disabled 1.1.0
Restrict media use CMA_0450 - Restrict media use Manual, Disabled 1.1.0
Review and update system and communications protection policies and procedures CMA_C1616 - Review and update system and communications protection policies and procedures Manual, Disabled 1.1.0

Protection of information media

ID: ENS v1 mp.si.5 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adhere to retention periods defined CMA_0004 - Adhere to retention periods defined Manual, Disabled 1.1.0
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Control use of portable storage devices CMA_0083 - Control use of portable storage devices Manual, Disabled 1.1.0
Employ a media sanitization mechanism CMA_0208 - Employ a media sanitization mechanism Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Manage the transportation of assets CMA_0370 - Manage the transportation of assets Manual, Disabled 1.1.0
Perform disposition review CMA_0391 - Perform disposition review Manual, Disabled 1.1.0
Restrict media use CMA_0450 - Restrict media use Manual, Disabled 1.1.0
Verify personal data is deleted at the end of processing CMA_0540 - Verify personal data is deleted at the end of processing Manual, Disabled 1.1.0

Protection of IT applications

ID: ENS v1 mp.sw.1 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Address coding vulnerabilities CMA_0003 - Address coding vulnerabilities Manual, Disabled 1.1.0
Adhere to retention periods defined CMA_0004 - Adhere to retention periods defined Manual, Disabled 1.1.0
Assess risk in third party relationships CMA_0014 - Assess risk in third party relationships Manual, Disabled 1.1.0
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Conduct a security impact analysis CMA_0057 - Conduct a security impact analysis Manual, Disabled 1.1.0
Define information security roles and responsibilities CMA_C1565 - Define information security roles and responsibilities Manual, Disabled 1.1.0
Define requirements for supplying goods and services CMA_0126 - Define requirements for supplying goods and services Manual, Disabled 1.1.0
Design an access control model CMA_0129 - Design an access control model Manual, Disabled 1.1.0
Determine supplier contract obligations CMA_0140 - Determine supplier contract obligations Manual, Disabled 1.1.0
Develop and document application security requirements CMA_0148 - Develop and document application security requirements Manual, Disabled 1.1.0
Document acquisition contract acceptance criteria CMA_0187 - Document acquisition contract acceptance criteria Manual, Disabled 1.1.0
Document protection of personal data in acquisition contracts CMA_0194 - Document protection of personal data in acquisition contracts Manual, Disabled 1.1.0
Document protection of security information in acquisition contracts CMA_0195 - Document protection of security information in acquisition contracts Manual, Disabled 1.1.0
Document requirements for the use of shared data in contracts CMA_0197 - Document requirements for the use of shared data in contracts Manual, Disabled 1.1.0
Document security assurance requirements in acquisition contracts CMA_0199 - Document security assurance requirements in acquisition contracts Manual, Disabled 1.1.0
Document security documentation requirements in acquisition contract CMA_0200 - Document security documentation requirements in acquisition contract Manual, Disabled 1.1.0
Document security functional requirements in acquisition contracts CMA_0201 - Document security functional requirements in acquisition contracts Manual, Disabled 1.1.0
Document security strength requirements in acquisition contracts CMA_0203 - Document security strength requirements in acquisition contracts Manual, Disabled 1.1.0
Document the information system environment in acquisition contracts CMA_0205 - Document the information system environment in acquisition contracts Manual, Disabled 1.1.0
Document the protection of cardholder data in third party contracts CMA_0207 - Document the protection of cardholder data in third party contracts Manual, Disabled 1.1.0
Employ least privilege access CMA_0212 - Employ least privilege access Manual, Disabled 1.1.0
Enforce logical access CMA_0245 - Enforce logical access Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
Ensure there are no unencrypted static authenticators CMA_C1340 - Ensure there are no unencrypted static authenticators Manual, Disabled 1.1.0
Establish a secure software development program CMA_0259 - Establish a secure software development program Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Establish configuration management requirements for developers CMA_0270 - Establish configuration management requirements for developers Manual, Disabled 1.1.0
Establish policies for supply chain risk management CMA_0275 - Establish policies for supply chain risk management Manual, Disabled 1.1.0
Identify individuals with security roles and responsibilities CMA_C1566 - Identify individuals with security roles and responsibilities Manual, Disabled 1.1.1
Implement controls to protect PII CMA_C1839 - Implement controls to protect PII Manual, Disabled 1.1.0
Incorporate security and data privacy practices in research processing CMA_0331 - Incorporate security and data privacy practices in research processing Manual, Disabled 1.1.0
Integrate risk management process into SDLC CMA_C1567 - Integrate risk management process into SDLC Manual, Disabled 1.1.0
Limit privileges to make changes in production environment CMA_C1206 - Limit privileges to make changes in production environment Manual, Disabled 1.1.0
Perform a privacy impact assessment CMA_0387 - Perform a privacy impact assessment Manual, Disabled 1.1.0
Perform audit for configuration change control CMA_0390 - Perform audit for configuration change control Manual, Disabled 1.1.0
Perform disposition review CMA_0391 - Perform disposition review Manual, Disabled 1.1.0
Perform information input validation CMA_C1723 - Perform information input validation Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0
Require approval for account creation CMA_0431 - Require approval for account creation Manual, Disabled 1.1.0
Require developers to build security architecture CMA_C1612 - Require developers to build security architecture Manual, Disabled 1.1.0
Require developers to describe accurate security functionality CMA_C1613 - Require developers to describe accurate security functionality Manual, Disabled 1.1.0
Require developers to document approved changes and potential impact CMA_C1597 - Require developers to document approved changes and potential impact Manual, Disabled 1.1.0
Require developers to implement only approved changes CMA_C1596 - Require developers to implement only approved changes Manual, Disabled 1.1.0
Require developers to manage change integrity CMA_C1595 - Require developers to manage change integrity Manual, Disabled 1.1.0
Require developers to produce evidence of security assessment plan execution CMA_C1602 - Require developers to produce evidence of security assessment plan execution Manual, Disabled 1.1.0
Require developers to provide unified security protection approach CMA_C1614 - Require developers to provide unified security protection approach Manual, Disabled 1.1.0
Review development process, standards and tools CMA_C1610 - Review development process, standards and tools Manual, Disabled 1.1.0
Review user groups and applications with access to sensitive data CMA_0481 - Review user groups and applications with access to sensitive data Manual, Disabled 1.1.0
Verify personal data is deleted at the end of processing CMA_0540 - Verify personal data is deleted at the end of processing Manual, Disabled 1.1.0

Protection of IT applications

ID: ENS v1 mp.sw.2 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Address coding vulnerabilities CMA_0003 - Address coding vulnerabilities Manual, Disabled 1.1.0
Adhere to retention periods defined CMA_0004 - Adhere to retention periods defined Manual, Disabled 1.1.0
Assess risk in third party relationships CMA_0014 - Assess risk in third party relationships Manual, Disabled 1.1.0
Assess Security Controls CMA_C1145 - Assess Security Controls Manual, Disabled 1.1.0
Assign an authorizing official (AO) CMA_C1158 - Assign an authorizing official (AO) Manual, Disabled 1.1.0
Automate approval request for proposed changes CMA_C1192 - Automate approval request for proposed changes Manual, Disabled 1.1.0
Automate implementation of approved change notifications CMA_C1196 - Automate implementation of approved change notifications Manual, Disabled 1.1.0
Automate process to document implemented changes CMA_C1195 - Automate process to document implemented changes Manual, Disabled 1.1.0
Automate process to highlight unreviewed change proposals CMA_C1193 - Automate process to highlight unreviewed change proposals Manual, Disabled 1.1.0
Automate process to prohibit implementation of unapproved changes CMA_C1194 - Automate process to prohibit implementation of unapproved changes Manual, Disabled 1.1.0
Automate proposed documented changes CMA_C1191 - Automate proposed documented changes Manual, Disabled 1.1.0
Conduct a security impact analysis CMA_0057 - Conduct a security impact analysis Manual, Disabled 1.1.0
Conduct Risk Assessment CMA_C1543 - Conduct Risk Assessment Manual, Disabled 1.1.0
Conduct risk assessment and distribute its results CMA_C1544 - Conduct risk assessment and distribute its results Manual, Disabled 1.1.0
Conduct risk assessment and document its results CMA_C1542 - Conduct risk assessment and document its results Manual, Disabled 1.1.0
Define requirements for supplying goods and services CMA_0126 - Define requirements for supplying goods and services Manual, Disabled 1.1.0
Deliver security assessment results CMA_C1147 - Deliver security assessment results Manual, Disabled 1.1.0
Determine supplier contract obligations CMA_0140 - Determine supplier contract obligations Manual, Disabled 1.1.0
Develop and document application security requirements CMA_0148 - Develop and document application security requirements Manual, Disabled 1.1.0
Develop and maintain a vulnerability management standard CMA_0152 - Develop and maintain a vulnerability management standard Manual, Disabled 1.1.0
Develop security assessment plan CMA_C1144 - Develop security assessment plan Manual, Disabled 1.1.0
Document acquisition contract acceptance criteria CMA_0187 - Document acquisition contract acceptance criteria Manual, Disabled 1.1.0
Document protection of personal data in acquisition contracts CMA_0194 - Document protection of personal data in acquisition contracts Manual, Disabled 1.1.0
Document protection of security information in acquisition contracts CMA_0195 - Document protection of security information in acquisition contracts Manual, Disabled 1.1.0
Document requirements for the use of shared data in contracts CMA_0197 - Document requirements for the use of shared data in contracts Manual, Disabled 1.1.0
Document security assurance requirements in acquisition contracts CMA_0199 - Document security assurance requirements in acquisition contracts Manual, Disabled 1.1.0
Document security documentation requirements in acquisition contract CMA_0200 - Document security documentation requirements in acquisition contract Manual, Disabled 1.1.0
Document security functional requirements in acquisition contracts CMA_0201 - Document security functional requirements in acquisition contracts Manual, Disabled 1.1.0
Document security strength requirements in acquisition contracts CMA_0203 - Document security strength requirements in acquisition contracts Manual, Disabled 1.1.0
Document the information system environment in acquisition contracts CMA_0205 - Document the information system environment in acquisition contracts Manual, Disabled 1.1.0
Document the protection of cardholder data in third party contracts CMA_0207 - Document the protection of cardholder data in third party contracts Manual, Disabled 1.1.0
Enforce security configuration settings CMA_0249 - Enforce security configuration settings Manual, Disabled 1.1.0
Ensure resources are authorized CMA_C1159 - Ensure resources are authorized Manual, Disabled 1.1.0
Ensure there are no unencrypted static authenticators CMA_C1340 - Ensure there are no unencrypted static authenticators Manual, Disabled 1.1.0
Establish a risk management strategy CMA_0258 - Establish a risk management strategy Manual, Disabled 1.1.0
Establish a secure software development program CMA_0259 - Establish a secure software development program Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Establish configuration management requirements for developers CMA_0270 - Establish configuration management requirements for developers Manual, Disabled 1.1.0
Establish policies for supply chain risk management CMA_0275 - Establish policies for supply chain risk management Manual, Disabled 1.1.0
Function apps that use Python should use a specified 'Python version' Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Python version that meets your requirements. AuditIfNotExists, Disabled 4.1.0
Govern compliance of cloud service providers CMA_0290 - Govern compliance of cloud service providers Manual, Disabled 1.1.0
Implement controls to protect PII CMA_C1839 - Implement controls to protect PII Manual, Disabled 1.1.0
Incorporate flaw remediation into configuration management CMA_C1671 - Incorporate flaw remediation into configuration management Manual, Disabled 1.1.0
Incorporate security and data privacy practices in research processing CMA_0331 - Incorporate security and data privacy practices in research processing Manual, Disabled 1.1.0
Perform a privacy impact assessment CMA_0387 - Perform a privacy impact assessment Manual, Disabled 1.1.0
Perform a risk assessment CMA_0388 - Perform a risk assessment Manual, Disabled 1.1.0
Perform audit for configuration change control CMA_0390 - Perform audit for configuration change control Manual, Disabled 1.1.0
Perform disposition review CMA_0391 - Perform disposition review Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Produce Security Assessment report CMA_C1146 - Produce Security Assessment report Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0
Require developers to document approved changes and potential impact CMA_C1597 - Require developers to document approved changes and potential impact Manual, Disabled 1.1.0
Require developers to implement only approved changes CMA_C1596 - Require developers to implement only approved changes Manual, Disabled 1.1.0
Require developers to manage change integrity CMA_C1595 - Require developers to manage change integrity Manual, Disabled 1.1.0
Require developers to produce evidence of security assessment plan execution CMA_C1602 - Require developers to produce evidence of security assessment plan execution Manual, Disabled 1.1.0
Select additional testing for security control assessments CMA_C1149 - Select additional testing for security control assessments Manual, Disabled 1.1.0
SQL databases should have vulnerability findings resolved Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. AuditIfNotExists, Disabled 4.1.0
Verify personal data is deleted at the end of processing CMA_0540 - Verify personal data is deleted at the end of processing Manual, Disabled 1.1.0
View and configure system diagnostic data CMA_0544 - View and configure system diagnostic data Manual, Disabled 1.1.0

Operational framework

Access control

ID: ENS v1 op.acc.1 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Accounts with owner permissions on Azure resources should be MFA enabled Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 1.0.0
Accounts with read permissions on Azure resources should be MFA enabled Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 1.0.0
Accounts with write permissions on Azure resources should be MFA enabled Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 1.0.0
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 4.1.0
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 4.1.0
Assign account managers CMA_0015 - Assign account managers Manual, Disabled 1.1.0
Assign system identifiers CMA_0018 - Assign system identifiers Manual, Disabled 1.1.0
Audit Linux machines that do not have the passwd file permissions set to 0644 Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that do not have the passwd file permissions set to 0644 AuditIfNotExists, Disabled 3.1.0
Audit privileged functions CMA_0019 - Audit privileged functions Manual, Disabled 1.1.0
Audit usage of custom RBAC roles Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling Audit, Disabled 1.0.1
Audit user account status CMA_0020 - Audit user account status Manual, Disabled 1.1.0
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Automate account management CMA_0026 - Automate account management Manual, Disabled 1.1.0
Blocked accounts with owner permissions on Azure resources should be removed Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. AuditIfNotExists, Disabled 1.0.0
Blocked accounts with read and write permissions on Azure resources should be removed Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. AuditIfNotExists, Disabled 1.0.0
Define information system account types CMA_0121 - Define information system account types Manual, Disabled 1.1.0
Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. deployIfNotExists 3.1.0
Design an access control model CMA_0129 - Design an access control model Manual, Disabled 1.1.0
Disable authenticators upon termination CMA_0169 - Disable authenticators upon termination Manual, Disabled 1.1.0
Document access privileges CMA_0186 - Document access privileges Manual, Disabled 1.1.0
Document security strength requirements in acquisition contracts CMA_0203 - Document security strength requirements in acquisition contracts Manual, Disabled 1.1.0
Employ least privilege access CMA_0212 - Employ least privilege access Manual, Disabled 1.1.0
Enable detection of network devices CMA_0220 - Enable detection of network devices Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
Enforce user uniqueness CMA_0250 - Enforce user uniqueness Manual, Disabled 1.1.0
Establish a password policy CMA_0256 - Establish a password policy Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Establish authenticator types and processes CMA_0267 - Establish authenticator types and processes Manual, Disabled 1.1.0
Establish conditions for role membership CMA_0269 - Establish conditions for role membership Manual, Disabled 1.1.0
Establish procedures for initial authenticator distribution CMA_0276 - Establish procedures for initial authenticator distribution Manual, Disabled 1.1.0
Guest accounts with owner permissions on Azure resources should be removed External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. AuditIfNotExists, Disabled 1.0.0
Guest accounts with write permissions on Azure resources should be removed External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. AuditIfNotExists, Disabled 1.0.0
Identify actions allowed without authentication CMA_0295 - Identify actions allowed without authentication Manual, Disabled 1.1.0
Identify and authenticate non-organizational users CMA_C1346 - Identify and authenticate non-organizational users Manual, Disabled 1.1.0
Implement parameters for memorized secret verifiers CMA_0321 - Implement parameters for memorized secret verifiers Manual, Disabled 1.1.0
Implement training for protecting authenticators CMA_0329 - Implement training for protecting authenticators Manual, Disabled 1.1.0
Initiate transfer or reassignment actions CMA_0333 - Initiate transfer or reassignment actions Manual, Disabled 1.1.0
Limit privileges to make changes in production environment CMA_C1206 - Limit privileges to make changes in production environment Manual, Disabled 1.1.0
Manage authenticator lifetime and reuse CMA_0355 - Manage authenticator lifetime and reuse Manual, Disabled 1.1.0
Manage Authenticators CMA_C1321 - Manage Authenticators Manual, Disabled 1.1.0
Manage system and admin accounts CMA_0368 - Manage system and admin accounts Manual, Disabled 1.1.0
Modify access authorizations upon personnel transfer CMA_0374 - Modify access authorizations upon personnel transfer Manual, Disabled 1.1.0
Monitor access across the organization CMA_0376 - Monitor access across the organization Manual, Disabled 1.1.0
Monitor privileged role assignment CMA_0378 - Monitor privileged role assignment Manual, Disabled 1.1.0
Notify Account Managers of customer controlled accounts CMA_C1009 - Notify Account Managers of customer controlled accounts Manual, Disabled 1.1.0
Notify upon termination or transfer CMA_0381 - Notify upon termination or transfer Manual, Disabled 1.1.0
Notify when account is not needed CMA_0383 - Notify when account is not needed Manual, Disabled 1.1.0
Prevent identifier reuse for the defined time period CMA_C1314 - Prevent identifier reuse for the defined time period Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0
Reassign or remove user privileges as needed CMA_C1040 - Reassign or remove user privileges as needed Manual, Disabled 1.1.0
Reevaluate access upon personnel transfer CMA_0424 - Reevaluate access upon personnel transfer Manual, Disabled 1.1.0
Refresh authenticators CMA_0425 - Refresh authenticators Manual, Disabled 1.1.0
Reissue authenticators for changed groups and accounts CMA_0426 - Reissue authenticators for changed groups and accounts Manual, Disabled 1.1.0
Require approval for account creation CMA_0431 - Require approval for account creation Manual, Disabled 1.1.0
Restrict access to privileged accounts CMA_0446 - Restrict access to privileged accounts Manual, Disabled 1.1.0
Review account provisioning logs CMA_0460 - Review account provisioning logs Manual, Disabled 1.1.0
Review and reevaluate privileges CMA_C1207 - Review and reevaluate privileges Manual, Disabled 1.1.0
Review user accounts CMA_0480 - Review user accounts Manual, Disabled 1.1.0
Review user privileges CMA_C1039 - Review user privileges Manual, Disabled 1.1.0
Revoke privileged roles as appropriate CMA_0483 - Revoke privileged roles as appropriate Manual, Disabled 1.1.0
Service Fabric clusters should only use Azure Active Directory for client authentication Audit usage of client authentication only via Azure Active Directory in Service Fabric Audit, Deny, Disabled 1.1.0
Set automated notifications for new and trending cloud applications in your organization CMA_0495 - Set automated notifications for new and trending cloud applications in your organization Manual, Disabled 1.1.0
Support personal verification credentials issued by legal authorities CMA_0507 - Support personal verification credentials issued by legal authorities Manual, Disabled 1.1.0
Use privileged identity management CMA_0533 - Use privileged identity management Manual, Disabled 1.1.0
Verify identity before distributing authenticators CMA_0538 - Verify identity before distributing authenticators Manual, Disabled 1.1.0

Access control

ID: ENS v1 op.acc.2 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Accounts with owner permissions on Azure resources should be MFA enabled Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 1.0.0
Accounts with read permissions on Azure resources should be MFA enabled Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 1.0.0
Accounts with write permissions on Azure resources should be MFA enabled Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 1.0.0
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 4.1.0
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 4.1.0
Adopt biometric authentication mechanisms CMA_0005 - Adopt biometric authentication mechanisms Manual, Disabled 1.1.0
Audit Linux machines that allow remote connections from accounts without passwords Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords AuditIfNotExists, Disabled 3.1.0
Audit Linux machines that have accounts without passwords Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that have accounts without passwords AuditIfNotExists, Disabled 3.1.0
Audit VMs that do not use managed disks This policy audits VMs that do not use managed disks audit 1.0.0
Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that allow re-use of the passwords after the specified number of unique passwords. Default value for unique passwords is 24 AuditIfNotExists, Disabled 2.1.0
Audit Windows machines that do not have the maximum password age set to specified number of days Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have the maximum password age set to specified number of days. Default value for maximum password age is 70 days AuditIfNotExists, Disabled 2.1.0
Audit Windows machines that do not have the minimum password age set to specified number of days Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have the minimum password age set to specified number of days. Default value for minimum password age is 1 day AuditIfNotExists, Disabled 2.1.0
Audit Windows machines that do not have the password complexity setting enabled Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have the password complexity setting enabled AuditIfNotExists, Disabled 2.0.0
Audit Windows machines that do not restrict the minimum password length to specified number of characters Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not restrict the minimum password length to specified number of characters. Default value for minimum password length is 14 characters AuditIfNotExists, Disabled 2.1.0
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Automate account management CMA_0026 - Automate account management Manual, Disabled 1.1.0
Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. deployIfNotExists 3.1.0
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. deployIfNotExists 1.2.0
Design an access control model CMA_0129 - Design an access control model Manual, Disabled 1.1.0
Develop access control policies and procedures CMA_0144 - Develop access control policies and procedures Manual, Disabled 1.1.0
Disable authenticators upon termination CMA_0169 - Disable authenticators upon termination Manual, Disabled 1.1.0
Document security strength requirements in acquisition contracts CMA_0203 - Document security strength requirements in acquisition contracts Manual, Disabled 1.1.0
Employ least privilege access CMA_0212 - Employ least privilege access Manual, Disabled 1.1.0
Enable detection of network devices CMA_0220 - Enable detection of network devices Manual, Disabled 1.1.0
Enforce a limit of consecutive failed login attempts CMA_C1044 - Enforce a limit of consecutive failed login attempts Manual, Disabled 1.1.0
Enforce logical access CMA_0245 - Enforce logical access Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
Enforce user uniqueness CMA_0250 - Enforce user uniqueness Manual, Disabled 1.1.0
Establish a password policy CMA_0256 - Establish a password policy Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Establish authenticator types and processes CMA_0267 - Establish authenticator types and processes Manual, Disabled 1.1.0
Establish electronic signature and certificate requirements CMA_0271 - Establish electronic signature and certificate requirements Manual, Disabled 1.1.0
Establish procedures for initial authenticator distribution CMA_0276 - Establish procedures for initial authenticator distribution Manual, Disabled 1.1.0
Generate error messages CMA_C1724 - Generate error messages Manual, Disabled 1.1.0
Govern policies and procedures CMA_0292 - Govern policies and procedures Manual, Disabled 1.1.0
Identify actions allowed without authentication CMA_0295 - Identify actions allowed without authentication Manual, Disabled 1.1.0
Identify and authenticate non-organizational users CMA_C1346 - Identify and authenticate non-organizational users Manual, Disabled 1.1.0
Implement parameters for memorized secret verifiers CMA_0321 - Implement parameters for memorized secret verifiers Manual, Disabled 1.1.0
Implement training for protecting authenticators CMA_0329 - Implement training for protecting authenticators Manual, Disabled 1.1.0
Limit privileges to make changes in production environment CMA_C1206 - Limit privileges to make changes in production environment Manual, Disabled 1.1.0
Manage authenticator lifetime and reuse CMA_0355 - Manage authenticator lifetime and reuse Manual, Disabled 1.1.0
Manage Authenticators CMA_C1321 - Manage Authenticators Manual, Disabled 1.1.0
Manage system and admin accounts CMA_0368 - Manage system and admin accounts Manual, Disabled 1.1.0
Monitor access across the organization CMA_0376 - Monitor access across the organization Manual, Disabled 1.1.0
Notify when account is not needed CMA_0383 - Notify when account is not needed Manual, Disabled 1.1.0
Obscure feedback information during authentication process CMA_C1344 - Obscure feedback information during authentication process Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0
Refresh authenticators CMA_0425 - Refresh authenticators Manual, Disabled 1.1.0
Reissue authenticators for changed groups and accounts CMA_0426 - Reissue authenticators for changed groups and accounts Manual, Disabled 1.1.0
Require approval for account creation CMA_0431 - Require approval for account creation Manual, Disabled 1.1.0
Restrict access to privileged accounts CMA_0446 - Restrict access to privileged accounts Manual, Disabled 1.1.0
Reveal error messages CMA_C1725 - Reveal error messages Manual, Disabled 1.1.0
Review access control policies and procedures CMA_0457 - Review access control policies and procedures Manual, Disabled 1.1.0
Review user groups and applications with access to sensitive data CMA_0481 - Review user groups and applications with access to sensitive data Manual, Disabled 1.1.0
Revoke privileged roles as appropriate CMA_0483 - Revoke privileged roles as appropriate Manual, Disabled 1.1.0
Route traffic through managed network access points CMA_0484 - Route traffic through managed network access points Manual, Disabled 1.1.0
Set automated notifications for new and trending cloud applications in your organization CMA_0495 - Set automated notifications for new and trending cloud applications in your organization Manual, Disabled 1.1.0
Storage accounts should be migrated to new Azure Resource Manager resources Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management Audit, Deny, Disabled 1.0.0
Support personal verification credentials issued by legal authorities CMA_0507 - Support personal verification credentials issued by legal authorities Manual, Disabled 1.1.0
Terminate customer controlled account credentials CMA_C1022 - Terminate customer controlled account credentials Manual, Disabled 1.1.0
Terminate user session automatically CMA_C1054 - Terminate user session automatically Manual, Disabled 1.1.0
Verify identity before distributing authenticators CMA_0538 - Verify identity before distributing authenticators Manual, Disabled 1.1.0
Virtual machines should be migrated to new Azure Resource Manager resources Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management Audit, Deny, Disabled 1.0.0

Access control

ID: ENS v1 op.acc.3 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Accounts with owner permissions on Azure resources should be MFA enabled Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 1.0.0
Accounts with write permissions on Azure resources should be MFA enabled Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 1.0.0
Assign account managers CMA_0015 - Assign account managers Manual, Disabled 1.1.0
Audit privileged functions CMA_0019 - Audit privileged functions Manual, Disabled 1.1.0
Audit usage of custom RBAC roles Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling Audit, Disabled 1.0.1
Audit user account status CMA_0020 - Audit user account status Manual, Disabled 1.1.0
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Automate account management CMA_0026 - Automate account management Manual, Disabled 1.1.0
Blocked accounts with owner permissions on Azure resources should be removed Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. AuditIfNotExists, Disabled 1.0.0
Blocked accounts with read and write permissions on Azure resources should be removed Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. AuditIfNotExists, Disabled 1.0.0
Define access authorizations to support separation of duties CMA_0116 - Define access authorizations to support separation of duties Manual, Disabled 1.1.0
Define information system account types CMA_0121 - Define information system account types Manual, Disabled 1.1.0
Design an access control model CMA_0129 - Design an access control model Manual, Disabled 1.1.0
Document access privileges CMA_0186 - Document access privileges Manual, Disabled 1.1.0
Document separation of duties CMA_0204 - Document separation of duties Manual, Disabled 1.1.0
Employ least privilege access CMA_0212 - Employ least privilege access Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Establish conditions for role membership CMA_0269 - Establish conditions for role membership Manual, Disabled 1.1.0
Guest accounts with owner permissions on Azure resources should be removed External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. AuditIfNotExists, Disabled 1.0.0
Guest accounts with write permissions on Azure resources should be removed External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. AuditIfNotExists, Disabled 1.0.0
Initiate transfer or reassignment actions CMA_0333 - Initiate transfer or reassignment actions Manual, Disabled 1.1.0
Limit privileges to make changes in production environment CMA_C1206 - Limit privileges to make changes in production environment Manual, Disabled 1.1.0
Manage system and admin accounts CMA_0368 - Manage system and admin accounts Manual, Disabled 1.1.0
Modify access authorizations upon personnel transfer CMA_0374 - Modify access authorizations upon personnel transfer Manual, Disabled 1.1.0
Monitor access across the organization CMA_0376 - Monitor access across the organization Manual, Disabled 1.1.0
Monitor privileged role assignment CMA_0378 - Monitor privileged role assignment Manual, Disabled 1.1.0
Notify Account Managers of customer controlled accounts CMA_C1009 - Notify Account Managers of customer controlled accounts Manual, Disabled 1.1.0
Notify upon termination or transfer CMA_0381 - Notify upon termination or transfer Manual, Disabled 1.1.0
Notify when account is not needed CMA_0383 - Notify when account is not needed Manual, Disabled 1.1.0
Reassign or remove user privileges as needed CMA_C1040 - Reassign or remove user privileges as needed Manual, Disabled 1.1.0
Reevaluate access upon personnel transfer CMA_0424 - Reevaluate access upon personnel transfer Manual, Disabled 1.1.0
Require approval for account creation CMA_0431 - Require approval for account creation Manual, Disabled 1.1.0
Restrict access to privileged accounts CMA_0446 - Restrict access to privileged accounts Manual, Disabled 1.1.0
Review account provisioning logs CMA_0460 - Review account provisioning logs Manual, Disabled 1.1.0
Review and reevaluate privileges CMA_C1207 - Review and reevaluate privileges Manual, Disabled 1.1.0
Review user accounts CMA_0480 - Review user accounts Manual, Disabled 1.1.0
Review user privileges CMA_C1039 - Review user privileges Manual, Disabled 1.1.0
Revoke privileged roles as appropriate CMA_0483 - Revoke privileged roles as appropriate Manual, Disabled 1.1.0
Separate duties of individuals CMA_0492 - Separate duties of individuals Manual, Disabled 1.1.0
Service Fabric clusters should only use Azure Active Directory for client authentication Audit usage of client authentication only via Azure Active Directory in Service Fabric Audit, Deny, Disabled 1.1.0
Use privileged identity management CMA_0533 - Use privileged identity management Manual, Disabled 1.1.0

Access control

ID: ENS v1 op.acc.4 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Accounts with owner permissions on Azure resources should be MFA enabled Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 1.0.0
Accounts with write permissions on Azure resources should be MFA enabled Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 1.0.0
Assign account managers CMA_0015 - Assign account managers Manual, Disabled 1.1.0
Audit privileged functions CMA_0019 - Audit privileged functions Manual, Disabled 1.1.0
Audit usage of custom RBAC roles Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling Audit, Disabled 1.0.1
Audit user account status CMA_0020 - Audit user account status Manual, Disabled 1.1.0
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Automate account management CMA_0026 - Automate account management Manual, Disabled 1.1.0
Blocked accounts with owner permissions on Azure resources should be removed Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. AuditIfNotExists, Disabled 1.0.0
Blocked accounts with read and write permissions on Azure resources should be removed Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. AuditIfNotExists, Disabled 1.0.0
Define information system account types CMA_0121 - Define information system account types Manual, Disabled 1.1.0
Design an access control model CMA_0129 - Design an access control model Manual, Disabled 1.1.0
Document access privileges CMA_0186 - Document access privileges Manual, Disabled 1.1.0
Employ least privilege access CMA_0212 - Employ least privilege access Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Establish conditions for role membership CMA_0269 - Establish conditions for role membership Manual, Disabled 1.1.0
Guest accounts with owner permissions on Azure resources should be removed External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. AuditIfNotExists, Disabled 1.0.0
Guest accounts with write permissions on Azure resources should be removed External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. AuditIfNotExists, Disabled 1.0.0
Initiate transfer or reassignment actions CMA_0333 - Initiate transfer or reassignment actions Manual, Disabled 1.1.0
Limit privileges to make changes in production environment CMA_C1206 - Limit privileges to make changes in production environment Manual, Disabled 1.1.0
Manage system and admin accounts CMA_0368 - Manage system and admin accounts Manual, Disabled 1.1.0
Modify access authorizations upon personnel transfer CMA_0374 - Modify access authorizations upon personnel transfer Manual, Disabled 1.1.0
Monitor access across the organization CMA_0376 - Monitor access across the organization Manual, Disabled 1.1.0
Monitor privileged role assignment CMA_0378 - Monitor privileged role assignment Manual, Disabled 1.1.0
Notify Account Managers of customer controlled accounts CMA_C1009 - Notify Account Managers of customer controlled accounts Manual, Disabled 1.1.0
Notify upon termination or transfer CMA_0381 - Notify upon termination or transfer Manual, Disabled 1.1.0
Notify when account is not needed CMA_0383 - Notify when account is not needed Manual, Disabled 1.1.0
Reassign or remove user privileges as needed CMA_C1040 - Reassign or remove user privileges as needed Manual, Disabled 1.1.0
Reevaluate access upon personnel transfer CMA_0424 - Reevaluate access upon personnel transfer Manual, Disabled 1.1.0
Require approval for account creation CMA_0431 - Require approval for account creation Manual, Disabled 1.1.0
Restrict access to privileged accounts CMA_0446 - Restrict access to privileged accounts Manual, Disabled 1.1.0
Review account provisioning logs CMA_0460 - Review account provisioning logs Manual, Disabled 1.1.0
Review and reevaluate privileges CMA_C1207 - Review and reevaluate privileges Manual, Disabled 1.1.0
Review user accounts CMA_0480 - Review user accounts Manual, Disabled 1.1.0
Review user privileges CMA_C1039 - Review user privileges Manual, Disabled 1.1.0
Revoke privileged roles as appropriate CMA_0483 - Revoke privileged roles as appropriate Manual, Disabled 1.1.0
Service Fabric clusters should only use Azure Active Directory for client authentication Audit usage of client authentication only via Azure Active Directory in Service Fabric Audit, Deny, Disabled 1.1.0
Use privileged identity management CMA_0533 - Use privileged identity management Manual, Disabled 1.1.0

Access control

ID: ENS v1 op.acc.5 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Accounts with owner permissions on Azure resources should be MFA enabled Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 1.0.0
Accounts with read permissions on Azure resources should be MFA enabled Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 1.0.0
Accounts with write permissions on Azure resources should be MFA enabled Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 1.0.0
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 4.1.0
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 4.1.0
Assign account managers CMA_0015 - Assign account managers Manual, Disabled 1.1.0
Audit Linux machines that do not have the passwd file permissions set to 0644 Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that do not have the passwd file permissions set to 0644 AuditIfNotExists, Disabled 3.1.0
Audit privileged functions CMA_0019 - Audit privileged functions Manual, Disabled 1.1.0
Audit usage of custom RBAC roles Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling Audit, Disabled 1.0.1
Audit user account status CMA_0020 - Audit user account status Manual, Disabled 1.1.0
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Automate account management CMA_0026 - Automate account management Manual, Disabled 1.1.0
Blocked accounts with owner permissions on Azure resources should be removed Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. AuditIfNotExists, Disabled 1.0.0
Blocked accounts with read and write permissions on Azure resources should be removed Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. AuditIfNotExists, Disabled 1.0.0
Define information system account types CMA_0121 - Define information system account types Manual, Disabled 1.1.0
Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. deployIfNotExists 3.1.0
Design an access control model CMA_0129 - Design an access control model Manual, Disabled 1.1.0
Disable authenticators upon termination CMA_0169 - Disable authenticators upon termination Manual, Disabled 1.1.0
Document access privileges CMA_0186 - Document access privileges Manual, Disabled 1.1.0
Document security strength requirements in acquisition contracts CMA_0203 - Document security strength requirements in acquisition contracts Manual, Disabled 1.1.0
Employ least privilege access CMA_0212 - Employ least privilege access Manual, Disabled 1.1.0
Enable detection of network devices CMA_0220 - Enable detection of network devices Manual, Disabled 1.1.0
Enforce a limit of consecutive failed login attempts CMA_C1044 - Enforce a limit of consecutive failed login attempts Manual, Disabled 1.1.0
Enforce user uniqueness CMA_0250 - Enforce user uniqueness Manual, Disabled 1.1.0
Establish a password policy CMA_0256 - Establish a password policy Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Establish authenticator types and processes CMA_0267 - Establish authenticator types and processes Manual, Disabled 1.1.0
Establish conditions for role membership CMA_0269 - Establish conditions for role membership Manual, Disabled 1.1.0
Establish electronic signature and certificate requirements CMA_0271 - Establish electronic signature and certificate requirements Manual, Disabled 1.1.0
Establish procedures for initial authenticator distribution CMA_0276 - Establish procedures for initial authenticator distribution Manual, Disabled 1.1.0
Generate error messages CMA_C1724 - Generate error messages Manual, Disabled 1.1.0
Guest accounts with owner permissions on Azure resources should be removed External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. AuditIfNotExists, Disabled 1.0.0
Guest accounts with write permissions on Azure resources should be removed External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. AuditIfNotExists, Disabled 1.0.0
Identify actions allowed without authentication CMA_0295 - Identify actions allowed without authentication Manual, Disabled 1.1.0
Identify and authenticate non-organizational users CMA_C1346 - Identify and authenticate non-organizational users Manual, Disabled 1.1.0
Implement parameters for memorized secret verifiers CMA_0321 - Implement parameters for memorized secret verifiers Manual, Disabled 1.1.0
Implement training for protecting authenticators CMA_0329 - Implement training for protecting authenticators Manual, Disabled 1.1.0
Initiate transfer or reassignment actions CMA_0333 - Initiate transfer or reassignment actions Manual, Disabled 1.1.0
Limit privileges to make changes in production environment CMA_C1206 - Limit privileges to make changes in production environment Manual, Disabled 1.1.0
Manage authenticator lifetime and reuse CMA_0355 - Manage authenticator lifetime and reuse Manual, Disabled 1.1.0
Manage Authenticators CMA_C1321 - Manage Authenticators Manual, Disabled 1.1.0
Manage system and admin accounts CMA_0368 - Manage system and admin accounts Manual, Disabled 1.1.0
Modify access authorizations upon personnel transfer CMA_0374 - Modify access authorizations upon personnel transfer Manual, Disabled 1.1.0
Monitor access across the organization CMA_0376 - Monitor access across the organization Manual, Disabled 1.1.0
Monitor privileged role assignment CMA_0378 - Monitor privileged role assignment Manual, Disabled 1.1.0
Notify Account Managers of customer controlled accounts CMA_C1009 - Notify Account Managers of customer controlled accounts Manual, Disabled 1.1.0
Notify upon termination or transfer CMA_0381 - Notify upon termination or transfer Manual, Disabled 1.1.0
Notify users of system logon or access CMA_0382 - Notify users of system logon or access Manual, Disabled 1.1.0
Notify when account is not needed CMA_0383 - Notify when account is not needed Manual, Disabled 1.1.0
Obscure feedback information during authentication process CMA_C1344 - Obscure feedback information during authentication process Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0
Reassign or remove user privileges as needed CMA_C1040 - Reassign or remove user privileges as needed Manual, Disabled 1.1.0
Reevaluate access upon personnel transfer CMA_0424 - Reevaluate access upon personnel transfer Manual, Disabled 1.1.0
Refresh authenticators CMA_0425 - Refresh authenticators Manual, Disabled 1.1.0
Reissue authenticators for changed groups and accounts CMA_0426 - Reissue authenticators for changed groups and accounts Manual, Disabled 1.1.0
Require approval for account creation CMA_0431 - Require approval for account creation Manual, Disabled 1.1.0
Restrict access to privileged accounts CMA_0446 - Restrict access to privileged accounts Manual, Disabled 1.1.0
Reveal error messages CMA_C1725 - Reveal error messages Manual, Disabled 1.1.0
Review account provisioning logs CMA_0460 - Review account provisioning logs Manual, Disabled 1.1.0
Review and reevaluate privileges CMA_C1207 - Review and reevaluate privileges Manual, Disabled 1.1.0
Review user accounts CMA_0480 - Review user accounts Manual, Disabled 1.1.0
Review user privileges CMA_C1039 - Review user privileges Manual, Disabled 1.1.0
Revoke privileged roles as appropriate CMA_0483 - Revoke privileged roles as appropriate Manual, Disabled 1.1.0
Route traffic through managed network access points CMA_0484 - Route traffic through managed network access points Manual, Disabled 1.1.0
Service Fabric clusters should only use Azure Active Directory for client authentication Audit usage of client authentication only via Azure Active Directory in Service Fabric Audit, Deny, Disabled 1.1.0
Set automated notifications for new and trending cloud applications in your organization CMA_0495 - Set automated notifications for new and trending cloud applications in your organization Manual, Disabled 1.1.0
Support personal verification credentials issued by legal authorities CMA_0507 - Support personal verification credentials issued by legal authorities Manual, Disabled 1.1.0
Terminate customer controlled account credentials CMA_C1022 - Terminate customer controlled account credentials Manual, Disabled 1.1.0
Terminate user session automatically CMA_C1054 - Terminate user session automatically Manual, Disabled 1.1.0
Use privileged identity management CMA_0533 - Use privileged identity management Manual, Disabled 1.1.0
Verify identity before distributing authenticators CMA_0538 - Verify identity before distributing authenticators Manual, Disabled 1.1.0

Access control

ID: ENS v1 op.acc.6 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Deprecated]: Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policies with policy IDs 3dc5edcd-002d-444c-b216-e123bbfa37c0 and ca88aadc-6e2b-416c-9de2-5a0f01d1693f. Learn more about policy definition deprecation at aka.ms/policydefdeprecation AuditIfNotExists, Disabled 2.1.0-deprecated
Accounts with owner permissions on Azure resources should be MFA enabled Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 1.0.0
Accounts with read permissions on Azure resources should be MFA enabled Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 1.0.0
Accounts with write permissions on Azure resources should be MFA enabled Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 1.0.0
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 4.1.0
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 4.1.0
All network ports should be restricted on network security groups associated to your virtual machine Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. AuditIfNotExists, Disabled 3.0.0
Audit Windows machines that do not store passwords using reversible encryption Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not store passwords using reversible encryption AuditIfNotExists, Disabled 2.0.0
Authenticate to cryptographic module CMA_0021 - Authenticate to cryptographic module Manual, Disabled 1.1.0
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Authorize remote access CMA_0024 - Authorize remote access Manual, Disabled 1.1.0
Automation account variables should be encrypted It is important to enable encryption of Automation account variable assets when storing sensitive data Audit, Deny, Disabled 1.1.0
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Control information flow CMA_0079 - Control information flow Manual, Disabled 1.1.0
Define and document government oversight CMA_C1587 - Define and document government oversight Manual, Disabled 1.1.0
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. deployIfNotExists 1.2.0
Develop access control policies and procedures CMA_0144 - Develop access control policies and procedures Manual, Disabled 1.1.0
Document and distribute a privacy policy CMA_0188 - Document and distribute a privacy policy Manual, Disabled 1.1.0
Document and implement wireless access guidelines CMA_0190 - Document and implement wireless access guidelines Manual, Disabled 1.1.0
Document mobility training CMA_0191 - Document mobility training Manual, Disabled 1.1.0
Document remote access guidelines CMA_0196 - Document remote access guidelines Manual, Disabled 1.1.0
Employ boundary protection to isolate information systems CMA_C1639 - Employ boundary protection to isolate information systems Manual, Disabled 1.1.0
Enable detection of network devices CMA_0220 - Enable detection of network devices Manual, Disabled 1.1.0
Enforce a limit of consecutive failed login attempts CMA_C1044 - Enforce a limit of consecutive failed login attempts Manual, Disabled 1.1.0
Enforce logical access CMA_0245 - Enforce logical access Manual, Disabled 1.1.0
Enforce user uniqueness CMA_0250 - Enforce user uniqueness Manual, Disabled 1.1.0
Establish electronic signature and certificate requirements CMA_0271 - Establish electronic signature and certificate requirements Manual, Disabled 1.1.0
Establish firewall and router configuration standards CMA_0272 - Establish firewall and router configuration standards Manual, Disabled 1.1.0
Establish network segmentation for card holder data environment CMA_0273 - Establish network segmentation for card holder data environment Manual, Disabled 1.1.0
Establish terms and conditions for accessing resources CMA_C1076 - Establish terms and conditions for accessing resources Manual, Disabled 1.1.0
Establish terms and conditions for processing resources CMA_C1077 - Establish terms and conditions for processing resources Manual, Disabled 1.1.0
Generate error messages CMA_C1724 - Generate error messages Manual, Disabled 1.1.0
Govern policies and procedures CMA_0292 - Govern policies and procedures Manual, Disabled 1.1.0
Identify actions allowed without authentication CMA_0295 - Identify actions allowed without authentication Manual, Disabled 1.1.0
Identify and authenticate network devices CMA_0296 - Identify and authenticate network devices Manual, Disabled 1.1.0
Identify and authenticate non-organizational users CMA_C1346 - Identify and authenticate non-organizational users Manual, Disabled 1.1.0
Identify and manage downstream information exchanges CMA_0298 - Identify and manage downstream information exchanges Manual, Disabled 1.1.0
Implement a fault tolerant name/address service CMA_0305 - Implement a fault tolerant name/address service Manual, Disabled 1.1.0
Implement controls to secure alternate work sites CMA_0315 - Implement controls to secure alternate work sites Manual, Disabled 1.1.0
Implement managed interface for each external service CMA_C1626 - Implement managed interface for each external service Manual, Disabled 1.1.0
Implement privacy notice delivery methods CMA_0324 - Implement privacy notice delivery methods Manual, Disabled 1.1.0
Implement system boundary protection CMA_0328 - Implement system boundary protection Manual, Disabled 1.1.0
Monitor access across the organization CMA_0376 - Monitor access across the organization Manual, Disabled 1.1.0
Notify users of system logon or access CMA_0382 - Notify users of system logon or access Manual, Disabled 1.1.0
Obscure feedback information during authentication process CMA_C1344 - Obscure feedback information during authentication process Manual, Disabled 1.1.0
Prevent split tunneling for remote devices CMA_C1632 - Prevent split tunneling for remote devices Manual, Disabled 1.1.0
Produce, control and distribute asymmetric cryptographic keys CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0
Protect wireless access CMA_0411 - Protect wireless access Manual, Disabled 1.1.0
Provide privacy notice CMA_0414 - Provide privacy notice Manual, Disabled 1.1.0
Provide privacy training CMA_0415 - Provide privacy training Manual, Disabled 1.1.0
Provide secure name and address resolution services CMA_0416 - Provide secure name and address resolution services Manual, Disabled 1.1.0
Reauthenticate or terminate a user session CMA_0421 - Reauthenticate or terminate a user session Manual, Disabled 1.1.0
Require approval for account creation CMA_0431 - Require approval for account creation Manual, Disabled 1.1.0
Require external service providers to comply with security requirements CMA_C1586 - Require external service providers to comply with security requirements Manual, Disabled 1.1.0
Require interconnection security agreements CMA_C1151 - Require interconnection security agreements Manual, Disabled 1.1.0
Restrict communications CMA_0449 - Restrict communications Manual, Disabled 1.1.0
Reveal error messages CMA_C1725 - Reveal error messages Manual, Disabled 1.1.0
Review access control policies and procedures CMA_0457 - Review access control policies and procedures Manual, Disabled 1.1.0
Review and update system and communications protection policies and procedures CMA_C1616 - Review and update system and communications protection policies and procedures Manual, Disabled 1.1.0
Review cloud service provider's compliance with policies and agreements CMA_0469 - Review cloud service provider's compliance with policies and agreements Manual, Disabled 1.1.0
Review user groups and applications with access to sensitive data CMA_0481 - Review user groups and applications with access to sensitive data Manual, Disabled 1.1.0
Route traffic through managed network access points CMA_0484 - Route traffic through managed network access points Manual, Disabled 1.1.0
Secure the interface to external systems CMA_0491 - Secure the interface to external systems Manual, Disabled 1.1.0
Secure transfer to storage accounts should be enabled Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Audit, Deny, Disabled 2.0.0
Separate user and information system management functionality CMA_0493 - Separate user and information system management functionality Manual, Disabled 1.1.0
Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed Audit, Deny, Disabled 1.1.0
Set automated notifications for new and trending cloud applications in your organization CMA_0495 - Set automated notifications for new and trending cloud applications in your organization Manual, Disabled 1.1.0
Support personal verification credentials issued by legal authorities CMA_0507 - Support personal verification credentials issued by legal authorities Manual, Disabled 1.1.0
Terminate user session automatically CMA_C1054 - Terminate user session automatically Manual, Disabled 1.1.0
Transparent Data Encryption on SQL databases should be enabled Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements AuditIfNotExists, Disabled 2.0.0
Undergo independent security review CMA_0515 - Undergo independent security review Manual, Disabled 1.1.0
Update interconnection security agreements CMA_0519 - Update interconnection security agreements Manual, Disabled 1.1.0
Use dedicated machines for administrative tasks CMA_0527 - Use dedicated machines for administrative tasks Manual, Disabled 1.1.0
Verify security controls for external information systems CMA_0541 - Verify security controls for external information systems Manual, Disabled 1.1.0

Continuity of service

ID: ENS v1 op.cont.1 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Communicate contingency plan changes CMA_C1249 - Communicate contingency plan changes Manual, Disabled 1.1.0
Coordinate contingency plans with related plans CMA_0086 - Coordinate contingency plans with related plans Manual, Disabled 1.1.0
Develop contingency plan CMA_C1244 - Develop contingency plan Manual, Disabled 1.1.0
Develop contingency planning policies and procedures CMA_0156 - Develop contingency planning policies and procedures Manual, Disabled 1.1.0
Incorporate simulated contingency training CMA_C1260 - Incorporate simulated contingency training Manual, Disabled 1.1.0
Initiate contingency plan testing corrective actions CMA_C1263 - Initiate contingency plan testing corrective actions Manual, Disabled 1.1.0
Microsoft Managed Control 1242 - Contingency Planning Policy And Procedures Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1243 - Contingency Planning Policy And Procedures Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1244 - Contingency Plan Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1245 - Contingency Plan Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1246 - Contingency Plan Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1247 - Contingency Plan Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1248 - Contingency Plan Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1249 - Contingency Plan Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1250 - Contingency Plan Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1251 - Contingency Plan | Coordinate With Related Plans Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1252 - Contingency Plan | Capacity Planning Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1253 - Contingency Plan | Resume Essential Missions / Business Functions Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1254 - Contingency Plan | Resume All Missions / Business Functions Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1255 - Contingency Plan | Continue Essential Missions / Business Functions Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1256 - Contingency Plan | Identify Critical Assets Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1257 - Contingency Training Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1258 - Contingency Training Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1259 - Contingency Training Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1260 - Contingency Training | Simulated Events Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1261 - Contingency Plan Testing Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1262 - Contingency Plan Testing Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1263 - Contingency Plan Testing Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1264 - Contingency Plan Testing | Coordinate With Related Plans Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1265 - Contingency Plan Testing | Alternate Processing Site Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1266 - Contingency Plan Testing | Alternate Processing Site Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1267 - Alternate Storage Site Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1268 - Alternate Storage Site Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1269 - Alternate Storage Site | Separation From Primary Site Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1270 - Alternate Storage Site | Recovery Time / Point Objectives Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1271 - Alternate Storage Site | Accessibility Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1272 - Alternate Processing Site Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1273 - Alternate Processing Site Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1274 - Alternate Processing Site Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1275 - Alternate Processing Site | Separation From Primary Site Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1276 - Alternate Processing Site | Accessibility Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1277 - Alternate Processing Site | Priority Of Service Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1278 - Alternate Processing Site | Preparation For Use Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1279 - Telecommunications Services Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1280 - Telecommunications Services | Priority Of Service Provisions Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1281 - Telecommunications Services | Priority Of Service Provisions Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1282 - Telecommunications Services | Single Points Of Failure Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1283 - Telecommunications Services | Separation Of Primary / Alternate Providers Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1284 - Telecommunications Services | Provider Contingency Plan Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1285 - Telecommunications Services | Provider Contingency Plan Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1286 - Telecommunications Services | Provider Contingency Plan Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1287 - Information System Backup Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1288 - Information System Backup Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1289 - Information System Backup Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1290 - Information System Backup Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1291 - Information System Backup | Testing For Reliability / Integrity Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1292 - Information System Backup | Test Restoration Using Sampling Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1293 - Information System Backup | Separate Storage For Critical Information Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1294 - Information System Backup | Transfer To Alternate Storage Site Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1295 - Information System Recovery And Reconstitution Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1296 - Information System Recovery And Reconstitution | Transaction Recovery Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1297 - Information System Recovery And Reconstitution | Restore Within Time Period Microsoft implements this Contingency Planning control audit 1.0.0
Provide contingency training CMA_0412 - Provide contingency training Manual, Disabled 1.1.0
Review and update contingency planning policies and procedures CMA_C1243 - Review and update contingency planning policies and procedures Manual, Disabled 1.1.0
Review contingency plan CMA_C1247 - Review contingency plan Manual, Disabled 1.1.0
Review the results of contingency plan testing CMA_C1262 - Review the results of contingency plan testing Manual, Disabled 1.1.0
Test contingency plan at an alternate processing location CMA_C1265 - Test contingency plan at an alternate processing location Manual, Disabled 1.1.0
Update contingency plan CMA_C1248 - Update contingency plan Manual, Disabled 1.1.0

Continuity of service

ID: ENS v1 op.cont.2 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Communicate contingency plan changes CMA_C1249 - Communicate contingency plan changes Manual, Disabled 1.1.0
Coordinate contingency plans with related plans CMA_0086 - Coordinate contingency plans with related plans Manual, Disabled 1.1.0
Develop contingency plan CMA_C1244 - Develop contingency plan Manual, Disabled 1.1.0
Develop contingency planning policies and procedures CMA_0156 - Develop contingency planning policies and procedures Manual, Disabled 1.1.0
Incorporate simulated contingency training CMA_C1260 - Incorporate simulated contingency training Manual, Disabled 1.1.0
Initiate contingency plan testing corrective actions CMA_C1263 - Initiate contingency plan testing corrective actions Manual, Disabled 1.1.0
Microsoft Managed Control 1242 - Contingency Planning Policy And Procedures Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1243 - Contingency Planning Policy And Procedures Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1244 - Contingency Plan Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1245 - Contingency Plan Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1246 - Contingency Plan Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1247 - Contingency Plan Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1248 - Contingency Plan Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1249 - Contingency Plan Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1250 - Contingency Plan Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1251 - Contingency Plan | Coordinate With Related Plans Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1252 - Contingency Plan | Capacity Planning Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1253 - Contingency Plan | Resume Essential Missions / Business Functions Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1254 - Contingency Plan | Resume All Missions / Business Functions Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1255 - Contingency Plan | Continue Essential Missions / Business Functions Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1256 - Contingency Plan | Identify Critical Assets Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1257 - Contingency Training Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1258 - Contingency Training Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1259 - Contingency Training Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1260 - Contingency Training | Simulated Events Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1261 - Contingency Plan Testing Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1262 - Contingency Plan Testing Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1263 - Contingency Plan Testing Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1264 - Contingency Plan Testing | Coordinate With Related Plans Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1265 - Contingency Plan Testing | Alternate Processing Site Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1266 - Contingency Plan Testing | Alternate Processing Site Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1267 - Alternate Storage Site Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1268 - Alternate Storage Site Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1269 - Alternate Storage Site | Separation From Primary Site Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1270 - Alternate Storage Site | Recovery Time / Point Objectives Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1271 - Alternate Storage Site | Accessibility Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1272 - Alternate Processing Site Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1273 - Alternate Processing Site Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1274 - Alternate Processing Site Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1275 - Alternate Processing Site | Separation From Primary Site Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1276 - Alternate Processing Site | Accessibility Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1277 - Alternate Processing Site | Priority Of Service Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1278 - Alternate Processing Site | Preparation For Use Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1279 - Telecommunications Services Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1280 - Telecommunications Services | Priority Of Service Provisions Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1281 - Telecommunications Services | Priority Of Service Provisions Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1282 - Telecommunications Services | Single Points Of Failure Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1283 - Telecommunications Services | Separation Of Primary / Alternate Providers Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1284 - Telecommunications Services | Provider Contingency Plan Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1285 - Telecommunications Services | Provider Contingency Plan Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1286 - Telecommunications Services | Provider Contingency Plan Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1287 - Information System Backup Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1288 - Information System Backup Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1289 - Information System Backup Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1290 - Information System Backup Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1291 - Information System Backup | Testing For Reliability / Integrity Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1292 - Information System Backup | Test Restoration Using Sampling Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1293 - Information System Backup | Separate Storage For Critical Information Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1294 - Information System Backup | Transfer To Alternate Storage Site Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1295 - Information System Recovery And Reconstitution Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1296 - Information System Recovery And Reconstitution | Transaction Recovery Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1297 - Information System Recovery And Reconstitution | Restore Within Time Period Microsoft implements this Contingency Planning control audit 1.0.0
Provide contingency training CMA_0412 - Provide contingency training Manual, Disabled 1.1.0
Review and update contingency planning policies and procedures CMA_C1243 - Review and update contingency planning policies and procedures Manual, Disabled 1.1.0
Review contingency plan CMA_C1247 - Review contingency plan Manual, Disabled 1.1.0
Review the results of contingency plan testing CMA_C1262 - Review the results of contingency plan testing Manual, Disabled 1.1.0
Test contingency plan at an alternate processing location CMA_C1265 - Test contingency plan at an alternate processing location Manual, Disabled 1.1.0
Update contingency plan CMA_C1248 - Update contingency plan Manual, Disabled 1.1.0

Continuity of service

ID: ENS v1 op.cont.3 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Azure Recovery Services vaults should use customer-managed keys for encrypting backup data Use customer-managed keys to manage the encryption at rest of your backup data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/AB-CmkEncryption. Audit, Deny, Disabled 1.0.0-preview
[Preview]: Azure Recovery Services vaults should use private link for backup Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Recovery Services vaults, data leakage risks are reduced. Learn more about private links at: https://aka.ms/AB-PrivateEndpoints. Audit, Disabled 2.0.0-preview
[Preview]: Configure Recovery Services vaults to use private DNS zones for backup Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Recovery Services vault. Learn more at: https://aka.ms/AB-PrivateEndpoints. DeployIfNotExists, Disabled 1.0.1-preview
[Preview]: Configure Recovery Services vaults to use private endpoints for backup Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Recovery Services vaults, you can reduce data leakage risks. Note that your vaults need to meet certain pre-requisites to be eligible for private endpoint configuration. Learn more at : https://go.microsoft.com/fwlink/?linkid=2187162. DeployIfNotExists, Disabled 1.0.0-preview
[Preview]: Disable Cross Subscription Restore for Backup Vaults Disable or PermanentlyDisable Cross Subscription Restore for your Backup vault so that restore targets cannot be in different subscription from the vault subscription. Learn more at: https://aka.ms/csrstatechange. Modify, Disabled 1.1.0-preview
[Preview]: Immutability must be enabled for backup vaults This policy audits if the immutable vaults property is enabled for Backup vaults in the scope. This helps protect your backup data from being deleted before its intended expiry. Learn more at https://aka.ms/AB-ImmutableVaults. Audit, Disabled 1.0.1-preview
[Preview]: Immutability must be enabled for Recovery Services vaults This policy audits if the immutable vaults property is enabled for Recovery Services vaults in the scope. This helps protect your backup data from being deleted before its intended expiry. Learn more at https://aka.ms/AB-ImmutableVaults. Audit, Disabled 1.0.1-preview
[Preview]: Soft delete should be enabled for Backup Vaults This policy audits if soft delete is enabled for Backup vaults in the scope. Soft delete can help you recover your data after it has been deleted. Learn more at https://aka.ms/AB-SoftDelete Audit, Disabled 1.0.0-preview
Azure Backup should be enabled for Virtual Machines Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. AuditIfNotExists, Disabled 3.0.0
Communicate contingency plan changes CMA_C1249 - Communicate contingency plan changes Manual, Disabled 1.1.0
Conduct backup of information system documentation CMA_C1289 - Conduct backup of information system documentation Manual, Disabled 1.1.0
Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 9.4.0
Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 9.4.0
Coordinate contingency plans with related plans CMA_0086 - Coordinate contingency plans with related plans Manual, Disabled 1.1.0
Develop contingency plan CMA_C1244 - Develop contingency plan Manual, Disabled 1.1.0
Develop contingency planning policies and procedures CMA_0156 - Develop contingency planning policies and procedures Manual, Disabled 1.1.0
Establish alternate storage site to store and retrieve backup information CMA_C1267 - Establish alternate storage site to store and retrieve backup information Manual, Disabled 1.1.0
Establish backup policies and procedures CMA_0268 - Establish backup policies and procedures Manual, Disabled 1.1.0
Geo-redundant backup should be enabled for Azure Database for MariaDB Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. Audit, Disabled 1.0.1
Geo-redundant backup should be enabled for Azure Database for MySQL Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. Audit, Disabled 1.0.1
Geo-redundant backup should be enabled for Azure Database for PostgreSQL Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. Audit, Disabled 1.0.1
Incorporate simulated contingency training CMA_C1260 - Incorporate simulated contingency training Manual, Disabled 1.1.0
Initiate contingency plan testing corrective actions CMA_C1263 - Initiate contingency plan testing corrective actions Manual, Disabled 1.1.0
Long-term geo-redundant backup should be enabled for Azure SQL Databases This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled. AuditIfNotExists, Disabled 2.0.0
Microsoft Managed Control 1132 - Protection Of Audit Information | Audit Backup On Separate Physical Systems / Components Microsoft implements this Audit and Accountability control audit 1.0.0
Microsoft Managed Control 1242 - Contingency Planning Policy And Procedures Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1243 - Contingency Planning Policy And Procedures Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1244 - Contingency Plan Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1245 - Contingency Plan Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1246 - Contingency Plan Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1247 - Contingency Plan Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1248 - Contingency Plan Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1249 - Contingency Plan Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1250 - Contingency Plan Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1251 - Contingency Plan | Coordinate With Related Plans Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1252 - Contingency Plan | Capacity Planning Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1253 - Contingency Plan | Resume Essential Missions / Business Functions Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1254 - Contingency Plan | Resume All Missions / Business Functions Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1255 - Contingency Plan | Continue Essential Missions / Business Functions Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1256 - Contingency Plan | Identify Critical Assets Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1257 - Contingency Training Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1258 - Contingency Training Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1259 - Contingency Training Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1260 - Contingency Training | Simulated Events Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1261 - Contingency Plan Testing Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1262 - Contingency Plan Testing Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1263 - Contingency Plan Testing Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1264 - Contingency Plan Testing | Coordinate With Related Plans Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1265 - Contingency Plan Testing | Alternate Processing Site Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1266 - Contingency Plan Testing | Alternate Processing Site Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1267 - Alternate Storage Site Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1268 - Alternate Storage Site Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1269 - Alternate Storage Site | Separation From Primary Site Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1270 - Alternate Storage Site | Recovery Time / Point Objectives Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1271 - Alternate Storage Site | Accessibility Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1272 - Alternate Processing Site Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1273 - Alternate Processing Site Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1274 - Alternate Processing Site Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1275 - Alternate Processing Site | Separation From Primary Site Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1276 - Alternate Processing Site | Accessibility Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1277 - Alternate Processing Site | Priority Of Service Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1278 - Alternate Processing Site | Preparation For Use Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1279 - Telecommunications Services Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1280 - Telecommunications Services | Priority Of Service Provisions Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1281 - Telecommunications Services | Priority Of Service Provisions Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1282 - Telecommunications Services | Single Points Of Failure Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1283 - Telecommunications Services | Separation Of Primary / Alternate Providers Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1284 - Telecommunications Services | Provider Contingency Plan Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1285 - Telecommunications Services | Provider Contingency Plan Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1286 - Telecommunications Services | Provider Contingency Plan Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1287 - Information System Backup Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1288 - Information System Backup Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1289 - Information System Backup Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1290 - Information System Backup Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1291 - Information System Backup | Testing For Reliability / Integrity Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1292 - Information System Backup | Test Restoration Using Sampling Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1293 - Information System Backup | Separate Storage For Critical Information Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1294 - Information System Backup | Transfer To Alternate Storage Site Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1295 - Information System Recovery And Reconstitution Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1296 - Information System Recovery And Reconstitution | Transaction Recovery Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1297 - Information System Recovery And Reconstitution | Restore Within Time Period Microsoft implements this Contingency Planning control audit 1.0.0
Provide contingency training CMA_0412 - Provide contingency training Manual, Disabled 1.1.0
Review and update contingency planning policies and procedures CMA_C1243 - Review and update contingency planning policies and procedures Manual, Disabled 1.1.0
Review contingency plan CMA_C1247 - Review contingency plan Manual, Disabled 1.1.0
Review the results of contingency plan testing CMA_C1262 - Review the results of contingency plan testing Manual, Disabled 1.1.0
Separately store backup information CMA_C1293 - Separately store backup information Manual, Disabled 1.1.0
SQL Database should avoid using GRS backup redundancy Databases should avoid using the default geo-redundant storage for backups, if data residency rules require data to stay within a specific region. Note: Azure Policy is not enforced when creating a database using T-SQL. If not explicitly specified, database with geo-redundant backup storage is created via T-SQL. Deny, Disabled 2.0.0
SQL Managed Instances should avoid using GRS backup redundancy Managed Instances should avoid using the default geo-redundant storage for backups, if data residency rules require data to stay within a specific region. Note: Azure Policy is not enforced when creating a database using T-SQL. If not explicitly specified, database with geo-redundant backup storage is created via T-SQL. Deny, Disabled 2.0.0
Test contingency plan at an alternate processing location CMA_C1265 - Test contingency plan at an alternate processing location Manual, Disabled 1.1.0
Transfer backup information to an alternate storage site CMA_C1294 - Transfer backup information to an alternate storage site Manual, Disabled 1.1.0
Update contingency plan CMA_C1248 - Update contingency plan Manual, Disabled 1.1.0

Continuity of service

ID: ENS v1 op.cont.4 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Azure Recovery Services vaults should use customer-managed keys for encrypting backup data Use customer-managed keys to manage the encryption at rest of your backup data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/AB-CmkEncryption. Audit, Deny, Disabled 1.0.0-preview
[Preview]: Azure Recovery Services vaults should use private link for backup Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Recovery Services vaults, data leakage risks are reduced. Learn more about private links at: https://aka.ms/AB-PrivateEndpoints. Audit, Disabled 2.0.0-preview
[Preview]: Configure backup for blobs on storage accounts with a given tag to an existing backup vault in the same region Enforce backup for blobs on all storage accounts that contain a given tag to a central backup vault. Doing this can help you manage backup of blobs contained across multiple storage accounts at scale. For more details, refer to https://aka.ms/AB-BlobBackupAzPolicies DeployIfNotExists, AuditIfNotExists, Disabled 2.0.0-preview
[Preview]: Configure blob backup for all storage accounts that do not contain a given tag to a backup vault in the same region Enforce backup for blobs on all storage accounts that do not contain a given tag to a central backup vault. Doing this can help you manage backup of blobs contained across multiple storage accounts at scale. For more details, refer to https://aka.ms/AB-BlobBackupAzPolicies DeployIfNotExists, AuditIfNotExists, Disabled 2.0.0-preview
[Preview]: Configure Recovery Services vaults to use private DNS zones for backup Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Recovery Services vault. Learn more at: https://aka.ms/AB-PrivateEndpoints. DeployIfNotExists, Disabled 1.0.1-preview
[Preview]: Configure Recovery Services vaults to use private endpoints for backup Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Recovery Services vaults, you can reduce data leakage risks. Note that your vaults need to meet certain pre-requisites to be eligible for private endpoint configuration. Learn more at : https://go.microsoft.com/fwlink/?linkid=2187162. DeployIfNotExists, Disabled 1.0.0-preview
[Preview]: Disable Cross Subscription Restore for Backup Vaults Disable or PermanentlyDisable Cross Subscription Restore for your Backup vault so that restore targets cannot be in different subscription from the vault subscription. Learn more at: https://aka.ms/csrstatechange. Modify, Disabled 1.1.0-preview
[Preview]: Immutability must be enabled for backup vaults This policy audits if the immutable vaults property is enabled for Backup vaults in the scope. This helps protect your backup data from being deleted before its intended expiry. Learn more at https://aka.ms/AB-ImmutableVaults. Audit, Disabled 1.0.1-preview
[Preview]: Immutability must be enabled for Recovery Services vaults This policy audits if the immutable vaults property is enabled for Recovery Services vaults in the scope. This helps protect your backup data from being deleted before its intended expiry. Learn more at https://aka.ms/AB-ImmutableVaults. Audit, Disabled 1.0.1-preview
[Preview]: Soft delete should be enabled for Backup Vaults This policy audits if soft delete is enabled for Backup vaults in the scope. Soft delete can help you recover your data after it has been deleted. Learn more at https://aka.ms/AB-SoftDelete Audit, Disabled 1.0.0-preview
Azure Backup should be enabled for Virtual Machines Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. AuditIfNotExists, Disabled 3.0.0
Communicate contingency plan changes CMA_C1249 - Communicate contingency plan changes Manual, Disabled 1.1.0
Conduct backup of information system documentation CMA_C1289 - Conduct backup of information system documentation Manual, Disabled 1.1.0
Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 9.4.0
Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 9.4.0
Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 9.4.0
Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 9.4.0
Coordinate contingency plans with related plans CMA_0086 - Coordinate contingency plans with related plans Manual, Disabled 1.1.0
Develop contingency plan CMA_C1244 - Develop contingency plan Manual, Disabled 1.1.0
Develop contingency planning policies and procedures CMA_0156 - Develop contingency planning policies and procedures Manual, Disabled 1.1.0
Establish alternate storage site to store and retrieve backup information CMA_C1267 - Establish alternate storage site to store and retrieve backup information Manual, Disabled 1.1.0
Establish backup policies and procedures CMA_0268 - Establish backup policies and procedures Manual, Disabled 1.1.0
Geo-redundant backup should be enabled for Azure Database for MariaDB Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. Audit, Disabled 1.0.1
Geo-redundant backup should be enabled for Azure Database for MySQL Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. Audit, Disabled 1.0.1
Geo-redundant backup should be enabled for Azure Database for PostgreSQL Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. Audit, Disabled 1.0.1
Incorporate simulated contingency training CMA_C1260 - Incorporate simulated contingency training Manual, Disabled 1.1.0
Initiate contingency plan testing corrective actions CMA_C1263 - Initiate contingency plan testing corrective actions Manual, Disabled 1.1.0
Long-term geo-redundant backup should be enabled for Azure SQL Databases This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled. AuditIfNotExists, Disabled 2.0.0
Microsoft Managed Control 1132 - Protection Of Audit Information | Audit Backup On Separate Physical Systems / Components Microsoft implements this Audit and Accountability control audit 1.0.0
Microsoft Managed Control 1242 - Contingency Planning Policy And Procedures Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1243 - Contingency Planning Policy And Procedures Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1244 - Contingency Plan Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1245 - Contingency Plan Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1246 - Contingency Plan Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1247 - Contingency Plan Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1248 - Contingency Plan Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1249 - Contingency Plan Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1250 - Contingency Plan Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1251 - Contingency Plan | Coordinate With Related Plans Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1252 - Contingency Plan | Capacity Planning Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1253 - Contingency Plan | Resume Essential Missions / Business Functions Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1254 - Contingency Plan | Resume All Missions / Business Functions Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1255 - Contingency Plan | Continue Essential Missions / Business Functions Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1256 - Contingency Plan | Identify Critical Assets Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1257 - Contingency Training Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1258 - Contingency Training Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1259 - Contingency Training Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1260 - Contingency Training | Simulated Events Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1261 - Contingency Plan Testing Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1262 - Contingency Plan Testing Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1263 - Contingency Plan Testing Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1264 - Contingency Plan Testing | Coordinate With Related Plans Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1265 - Contingency Plan Testing | Alternate Processing Site Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1266 - Contingency Plan Testing | Alternate Processing Site Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1267 - Alternate Storage Site Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1268 - Alternate Storage Site Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1269 - Alternate Storage Site | Separation From Primary Site Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1270 - Alternate Storage Site | Recovery Time / Point Objectives Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1271 - Alternate Storage Site | Accessibility Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1272 - Alternate Processing Site Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1273 - Alternate Processing Site Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1274 - Alternate Processing Site Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1275 - Alternate Processing Site | Separation From Primary Site Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1276 - Alternate Processing Site | Accessibility Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1277 - Alternate Processing Site | Priority Of Service Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1278 - Alternate Processing Site | Preparation For Use Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1279 - Telecommunications Services Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1280 - Telecommunications Services | Priority Of Service Provisions Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1281 - Telecommunications Services | Priority Of Service Provisions Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1282 - Telecommunications Services | Single Points Of Failure Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1283 - Telecommunications Services | Separation Of Primary / Alternate Providers Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1284 - Telecommunications Services | Provider Contingency Plan Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1285 - Telecommunications Services | Provider Contingency Plan Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1286 - Telecommunications Services | Provider Contingency Plan Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1287 - Information System Backup Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1288 - Information System Backup Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1289 - Information System Backup Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1290 - Information System Backup Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1291 - Information System Backup | Testing For Reliability / Integrity Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1292 - Information System Backup | Test Restoration Using Sampling Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1293 - Information System Backup | Separate Storage For Critical Information Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1294 - Information System Backup | Transfer To Alternate Storage Site Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1295 - Information System Recovery And Reconstitution Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1296 - Information System Recovery And Reconstitution | Transaction Recovery Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1297 - Information System Recovery And Reconstitution | Restore Within Time Period Microsoft implements this Contingency Planning control audit 1.0.0
Provide contingency training CMA_0412 - Provide contingency training Manual, Disabled 1.1.0
Review and update contingency planning policies and procedures CMA_C1243 - Review and update contingency planning policies and procedures Manual, Disabled 1.1.0
Review contingency plan CMA_C1247 - Review contingency plan Manual, Disabled 1.1.0
Review the results of contingency plan testing CMA_C1262 - Review the results of contingency plan testing Manual, Disabled 1.1.0
Separately store backup information CMA_C1293 - Separately store backup information Manual, Disabled 1.1.0
SQL Database should avoid using GRS backup redundancy Databases should avoid using the default geo-redundant storage for backups, if data residency rules require data to stay within a specific region. Note: Azure Policy is not enforced when creating a database using T-SQL. If not explicitly specified, database with geo-redundant backup storage is created via T-SQL. Deny, Disabled 2.0.0
SQL Managed Instances should avoid using GRS backup redundancy Managed Instances should avoid using the default geo-redundant storage for backups, if data residency rules require data to stay within a specific region. Note: Azure Policy is not enforced when creating a database using T-SQL. If not explicitly specified, database with geo-redundant backup storage is created via T-SQL. Deny, Disabled 2.0.0
Test contingency plan at an alternate processing location CMA_C1265 - Test contingency plan at an alternate processing location Manual, Disabled 1.1.0
Transfer backup information to an alternate storage site CMA_C1294 - Transfer backup information to an alternate storage site Manual, Disabled 1.1.0
Update contingency plan CMA_C1248 - Update contingency plan Manual, Disabled 1.1.0

Operation

ID: ENS v1 op.exp.1 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Configure Linux Arc-enabled machines to be associated with a Data Collection Rule for ChangeTracking and Inventory Deploy Association to link Linux Arc-enabled machines to specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations are updated over time as support is increased. DeployIfNotExists, Disabled 1.0.0-preview
[Preview]: Configure Linux Arc-enabled machines to to install AMA for ChangeTracking and Inventory Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for enabling ChangeTracking and Inventory. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. DeployIfNotExists, Disabled 1.3.0-preview
[Preview]: Configure Linux Virtual Machines to be associated with a Data Collection Rule for ChangeTracking and Inventory Deploy Association to link Linux virtual machines to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images are updated over time as support is increased. DeployIfNotExists, Disabled 1.0.0-preview
[Preview]: Configure Linux VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. DeployIfNotExists, Disabled 1.5.0-preview
[Preview]: Configure Linux VMSS to be associated with a Data Collection Rule for ChangeTracking and Inventory Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images are updated over time as support is increased. DeployIfNotExists, Disabled 1.0.0-preview
[Preview]: Configure Linux VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. DeployIfNotExists, Disabled 1.4.0-preview
[Preview]: Configure Windows Arc-enabled machines to be associated with a Data Collection Rule for ChangeTracking and Inventory Deploy Association to link Windows Arc-enabled machines to specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations are updated over time as support is increased. DeployIfNotExists, Disabled 1.0.0-preview
[Preview]: Configure Windows Arc-enabled machines to install AMA for ChangeTracking and Inventory Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled machines for enabling ChangeTracking and Inventory. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. DeployIfNotExists, Disabled 1.0.0-preview
[Preview]: Configure Windows Virtual Machines to be associated with a Data Collection Rule for ChangeTracking and Inventory Deploy Association to link Windows virtual machines to specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images are updated over time as support is increased. DeployIfNotExists, Disabled 1.0.0-preview
[Preview]: Configure Windows VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. DeployIfNotExists, Disabled 1.1.0-preview
[Preview]: Configure Windows VMSS to be associated with a Data Collection Rule for ChangeTracking and Inventory Deploy Association to link Windows virtual machine scale sets to specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images are updated over time as support is increased. DeployIfNotExists, Disabled 1.0.0-preview
[Preview]: Configure Windows VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. DeployIfNotExists, Disabled 1.1.0-preview
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Conduct exit interview upon termination CMA_0058 - Conduct exit interview upon termination Manual, Disabled 1.1.0
Control use of portable storage devices CMA_0083 - Control use of portable storage devices Manual, Disabled 1.1.0
Create a data inventory CMA_0096 - Create a data inventory Manual, Disabled 1.1.0
Develop acceptable use policies and procedures CMA_0143 - Develop acceptable use policies and procedures Manual, Disabled 1.1.0
Disable authenticators upon termination CMA_0169 - Disable authenticators upon termination Manual, Disabled 1.1.0
Enforce rules of behavior and access agreements CMA_0248 - Enforce rules of behavior and access agreements Manual, Disabled 1.1.0
Establish and maintain an asset inventory CMA_0266 - Establish and maintain an asset inventory Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Initiate transfer or reassignment actions CMA_0333 - Initiate transfer or reassignment actions Manual, Disabled 1.1.0
Maintain records of processing of personal data CMA_0353 - Maintain records of processing of personal data Manual, Disabled 1.1.0
Microsoft Managed Control 1222 - Information System Component Inventory Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1223 - Information System Component Inventory Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1224 - Information System Component Inventory | Updates During Installations / Removals Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1225 - Information System Component Inventory | Automated Maintenance Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1226 - Information System Component Inventory | Automated Unauthorized Component Detection Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1227 - Information System Component Inventory | Automated Unauthorized Component Detection Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1228 - Information System Component Inventory | Accountability Information Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1229 - Information System Component Inventory | No Duplicate Accounting Of Components Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1739 - Information System Inventory Microsoft implements this Program Management control audit 1.0.0
Microsoft Managed Control 1854 - Inventory of Personally Identifiable Information Microsoft implements this Security control audit 1.0.0
Microsoft Managed Control 1855 - Inventory of Personally Identifiable Information Microsoft implements this Security control audit 1.0.0
Modify access authorizations upon personnel transfer CMA_0374 - Modify access authorizations upon personnel transfer Manual, Disabled 1.1.0
Notify upon termination or transfer CMA_0381 - Notify upon termination or transfer Manual, Disabled 1.1.0
Protect against and prevent data theft from departing employees CMA_0398 - Protect against and prevent data theft from departing employees Manual, Disabled 1.1.0
Reevaluate access upon personnel transfer CMA_0424 - Reevaluate access upon personnel transfer Manual, Disabled 1.1.0
Restrict media use CMA_0450 - Restrict media use Manual, Disabled 1.1.0
Retain terminated user data CMA_0455 - Retain terminated user data Manual, Disabled 1.1.0

Operation

ID: ENS v1 op.exp.10 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Azure Key Vault Managed HSM keys should have an expiration date To use this policy in preview, you must first follow these instructions at https://aka.ms/mhsmgovernance. Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. Audit, Deny, Disabled 1.0.1-preview
Accounts with owner permissions on Azure resources should be MFA enabled Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 1.0.0
Accounts with read permissions on Azure resources should be MFA enabled Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 1.0.0
Accounts with write permissions on Azure resources should be MFA enabled Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 1.0.0
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 4.1.0
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 4.1.0
Audit Linux machines that do not have the passwd file permissions set to 0644 Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that do not have the passwd file permissions set to 0644 AuditIfNotExists, Disabled 3.1.0
Authenticate to cryptographic module CMA_0021 - Authenticate to cryptographic module Manual, Disabled 1.1.0
Azure Container Instance container group should use customer-managed key for encryption Secure your containers with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. Audit, Disabled, Deny 1.0.0
Define a physical key management process CMA_0115 - Define a physical key management process Manual, Disabled 1.1.0
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0
Define organizational requirements for cryptographic key management CMA_0123 - Define organizational requirements for cryptographic key management Manual, Disabled 1.1.0
Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. deployIfNotExists 3.1.0
Determine assertion requirements CMA_0136 - Determine assertion requirements Manual, Disabled 1.1.0
Disable authenticators upon termination CMA_0169 - Disable authenticators upon termination Manual, Disabled 1.1.0
Document security strength requirements in acquisition contracts CMA_0203 - Document security strength requirements in acquisition contracts Manual, Disabled 1.1.0
Ensure cryptographic mechanisms are under configuration management CMA_C1199 - Ensure cryptographic mechanisms are under configuration management Manual, Disabled 1.1.0
Establish a password policy CMA_0256 - Establish a password policy Manual, Disabled 1.1.0
Establish authenticator types and processes CMA_0267 - Establish authenticator types and processes Manual, Disabled 1.1.0
Establish procedures for initial authenticator distribution CMA_0276 - Establish procedures for initial authenticator distribution Manual, Disabled 1.1.0
Identify actions allowed without authentication CMA_0295 - Identify actions allowed without authentication Manual, Disabled 1.1.0
Identify and authenticate non-organizational users CMA_C1346 - Identify and authenticate non-organizational users Manual, Disabled 1.1.0
Implement cryptographic mechanisms CMA_C1419 - Implement cryptographic mechanisms Manual, Disabled 1.1.0
Implement parameters for memorized secret verifiers CMA_0321 - Implement parameters for memorized secret verifiers Manual, Disabled 1.1.0
Implement training for protecting authenticators CMA_0329 - Implement training for protecting authenticators Manual, Disabled 1.1.0
Issue public key certificates CMA_0347 - Issue public key certificates Manual, Disabled 1.1.0
Key Vault keys should have an expiration date Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. Audit, Deny, Disabled 1.0.2
Keys should be backed by a hardware security module (HSM) An HSM is a hardware security module that stores keys. An HSM provides a physical layer of protection for cryptographic keys. The cryptographic key cannot leave a physical HSM which provides a greater level of security than a software key. Audit, Deny, Disabled 1.0.1
Keys should be the specified cryptographic type RSA or EC Some applications require the use of keys backed by a specific cryptographic type. Enforce a particular cryptographic key type, RSA or EC, in your environment. Audit, Deny, Disabled 1.0.1
Manage authenticator lifetime and reuse CMA_0355 - Manage authenticator lifetime and reuse Manual, Disabled 1.1.0
Manage Authenticators CMA_C1321 - Manage Authenticators Manual, Disabled 1.1.0
Manage symmetric cryptographic keys CMA_0367 - Manage symmetric cryptographic keys Manual, Disabled 1.1.0
Microsoft Managed Control 1133 - Protection Of Audit Information | Cryptographic Protection Microsoft implements this Audit and Accountability control audit 1.0.0
Microsoft Managed Control 1345 - Cryptographic Module Authentication Microsoft implements this Identification and Authentication control audit 1.0.0
Microsoft Managed Control 1419 - Remote Maintenance | Cryptographic Protection Microsoft implements this Maintenance control audit 1.0.1
Microsoft Managed Control 1641 - Transmission Confidentiality And Integrity | Cryptographic Or Alternate Physical Protection Microsoft implements this System and Communications Protection control audit 1.0.0
Microsoft Managed Control 1643 - Cryptographic Key Establishment And Management Microsoft implements this System and Communications Protection control audit 1.0.0
Microsoft Managed Control 1644 - Cryptographic Key Establishment And Management | Availability Microsoft implements this System and Communications Protection control audit 1.0.0
Microsoft Managed Control 1645 - Cryptographic Key Establishment And Management | Symmetric Keys Microsoft implements this System and Communications Protection control audit 1.0.0
Microsoft Managed Control 1664 - Protection Of Information At Rest | Cryptographic Protection Microsoft implements this System and Communications Protection control audit 1.0.0
Produce, control and distribute asymmetric cryptographic keys CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys Manual, Disabled 1.1.0
Produce, control and distribute symmetric cryptographic keys CMA_C1645 - Produce, control and distribute symmetric cryptographic keys Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0
Queue Storage should use customer-managed key for encryption Secure your queue storage with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. Audit, Deny, Disabled 1.0.0
Refresh authenticators CMA_0425 - Refresh authenticators Manual, Disabled 1.1.0
Reissue authenticators for changed groups and accounts CMA_0426 - Reissue authenticators for changed groups and accounts Manual, Disabled 1.1.0
Restrict access to private keys CMA_0445 - Restrict access to private keys Manual, Disabled 1.1.0
Review and update system and communications protection policies and procedures CMA_C1616 - Review and update system and communications protection policies and procedures Manual, Disabled 1.1.0
Revoke privileged roles as appropriate CMA_0483 - Revoke privileged roles as appropriate Manual, Disabled 1.1.0
Storage accounts should use customer-managed key for encryption Secure your blob and file storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. Audit, Disabled 1.0.3
Table Storage should use customer-managed key for encryption Secure your table storage with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. Audit, Deny, Disabled 1.0.0
Terminate customer controlled account credentials CMA_C1022 - Terminate customer controlled account credentials Manual, Disabled 1.1.0
Verify identity before distributing authenticators CMA_0538 - Verify identity before distributing authenticators Manual, Disabled 1.1.0

Operation

ID: ENS v1 op.exp.2 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
A vulnerability assessment solution should be enabled on your virtual machines Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. AuditIfNotExists, Disabled 3.0.0
All network ports should be restricted on network security groups associated to your virtual machine Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. AuditIfNotExists, Disabled 3.0.0
Azure Machine Learning compute instances should be recreated to get the latest software updates Ensure Azure Machine Learning compute instances run on the latest available operating system. Security is improved and vulnerabilities reduced by running with the latest security patches. For more information, visit https://aka.ms/azureml-ci-updates/. [parameters('effects')] 1.0.3
Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. AuditIfNotExists, Disabled 1.0.1
Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. AuditIfNotExists, Disabled 1.0.1
Configure machines to receive a vulnerability assessment provider Azure Defender includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center. When you enable this policy, Azure Defender automatically deploys the Qualys vulnerability assessment provider to all supported machines that don't already have it installed. DeployIfNotExists, Disabled 4.0.0
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Control information flow CMA_0079 - Control information flow Manual, Disabled 1.1.0
Correlate Vulnerability scan information CMA_C1558 - Correlate Vulnerability scan information Manual, Disabled 1.1.1
Define and document government oversight CMA_C1587 - Define and document government oversight Manual, Disabled 1.1.0
Develop and maintain a vulnerability management standard CMA_0152 - Develop and maintain a vulnerability management standard Manual, Disabled 1.1.0
Develop configuration management plan CMA_C1232 - Develop configuration management plan Manual, Disabled 1.1.0
Document and implement wireless access guidelines CMA_0190 - Document and implement wireless access guidelines Manual, Disabled 1.1.0
Document mobility training CMA_0191 - Document mobility training Manual, Disabled 1.1.0
Document remote access guidelines CMA_0196 - Document remote access guidelines Manual, Disabled 1.1.0
Employ boundary protection to isolate information systems CMA_C1639 - Employ boundary protection to isolate information systems Manual, Disabled 1.1.0
Enforce logical access CMA_0245 - Enforce logical access Manual, Disabled 1.1.0
Enforce software execution privileges CMA_C1041 - Enforce software execution privileges Manual, Disabled 1.1.0
Ensure cryptographic mechanisms are under configuration management CMA_C1199 - Ensure cryptographic mechanisms are under configuration management Manual, Disabled 1.1.0
Establish a secure software development program CMA_0259 - Establish a secure software development program Manual, Disabled 1.1.0
Establish and document a configuration management plan CMA_0264 - Establish and document a configuration management plan Manual, Disabled 1.1.0
Establish configuration management requirements for developers CMA_0270 - Establish configuration management requirements for developers Manual, Disabled 1.1.0
Establish electronic signature and certificate requirements CMA_0271 - Establish electronic signature and certificate requirements Manual, Disabled 1.1.0
Establish firewall and router configuration standards CMA_0272 - Establish firewall and router configuration standards Manual, Disabled 1.1.0
Establish network segmentation for card holder data environment CMA_0273 - Establish network segmentation for card holder data environment Manual, Disabled 1.1.0
Establish terms and conditions for accessing resources CMA_C1076 - Establish terms and conditions for accessing resources Manual, Disabled 1.1.0
Establish terms and conditions for processing resources CMA_C1077 - Establish terms and conditions for processing resources Manual, Disabled 1.1.0
Identify and authenticate network devices CMA_0296 - Identify and authenticate network devices Manual, Disabled 1.1.0
Identify and manage downstream information exchanges CMA_0298 - Identify and manage downstream information exchanges Manual, Disabled 1.1.0
Implement a fault tolerant name/address service CMA_0305 - Implement a fault tolerant name/address service Manual, Disabled 1.1.0
Implement an automated configuration management tool CMA_0311 - Implement an automated configuration management tool Manual, Disabled 1.1.0
Implement controls to secure alternate work sites CMA_0315 - Implement controls to secure alternate work sites Manual, Disabled 1.1.0
Implement managed interface for each external service CMA_C1626 - Implement managed interface for each external service Manual, Disabled 1.1.0
Implement privileged access for executing vulnerability scanning activities CMA_C1555 - Implement privileged access for executing vulnerability scanning activities Manual, Disabled 1.1.0
Incorporate flaw remediation into configuration management CMA_C1671 - Incorporate flaw remediation into configuration management Manual, Disabled 1.1.0
Microsoft Managed Control 1174 - Configuration Management Policy And Procedures Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1175 - Configuration Management Policy And Procedures Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1219 - Least Functionality | Authorized Software / Whitelisting Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1220 - Least Functionality | Authorized Software / Whitelisting Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1221 - Least Functionality | Authorized Software / Whitelisting Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1230 - Configuration Management Plan Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1231 - Configuration Management Plan Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1232 - Configuration Management Plan Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1233 - Configuration Management Plan Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1234 - Software Usage Restrictions Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1235 - Software Usage Restrictions Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1236 - Software Usage Restrictions Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1237 - Software Usage Restrictions | Open Source Software Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1238 - User-Installed Software Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1239 - User-Installed Software Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1240 - User-Installed Software Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1241 - User-Installed Software | Alerts For Unauthorized Installations Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1546 - Vulnerability Scanning Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1547 - Vulnerability Scanning Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1548 - Vulnerability Scanning Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1549 - Vulnerability Scanning Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1550 - Vulnerability Scanning Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1551 - Vulnerability Scanning | Update Tool Capability Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1552 - Vulnerability Scanning | Update By Frequency / Prior To New Scan / When Identified Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1553 - Vulnerability Scanning | Breadth / Depth Of Coverage Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1554 - Vulnerability Scanning | Discoverable Information Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1555 - Vulnerability Scanning | Privileged Access Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1556 - Vulnerability Scanning | Automated Trend Analyses Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1557 - Vulnerability Scanning | Review Historic Audit Logs Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1558 - Vulnerability Scanning | Correlate Scanning Information Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1594 - Developer Configuration Management Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1595 - Developer Configuration Management Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1596 - Developer Configuration Management Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1597 - Developer Configuration Management Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1598 - Developer Configuration Management Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1599 - Developer Configuration Management | Software / Firmware Integrity Verification Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1606 - Developer Security Testing And Evaluation | Threat And Vulnerability Analyses Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1712 - Software & Information Integrity Microsoft implements this System and Information Integrity control audit 1.0.1
Microsoft Managed Control 1713 - Software & Information Integrity | Integrity Checks Microsoft implements this System and Information Integrity control audit 1.0.1
Microsoft Managed Control 1714 - Software & Information Integrity | Automated Notifications Of Integrity Violations Microsoft implements this System and Information Integrity control audit 1.0.1
Microsoft Managed Control 1715 - Software & Information Integrity | Automated Response To Integrity Violations Microsoft implements this System and Information Integrity control audit 1.0.1
Microsoft Managed Control 1716 - Software & Information Integrity | Integration Of Detection And Response Microsoft implements this System and Information Integrity control audit 1.0.1
Microsoft Managed Control 1717 - Software & Information Integrity | Binary Or Machine Executable Code Microsoft implements this System and Information Integrity control audit 1.0.1
Microsoft Managed Control 1718 - Software & Information Integrity | Binary Or Machine Executable Code Microsoft implements this System and Information Integrity control audit 1.0.1
Microsoft Managed Control 1834 - Data Retention And Disposal Microsoft implements this Data Minimization and Retention control audit 1.0.0
Microsoft Managed Control 1835 - Data Retention And Disposal Microsoft implements this Data Minimization and Retention control audit 1.0.0
Microsoft Managed Control 1836 - Data Retention And Disposal Microsoft implements this Data Minimization and Retention control audit 1.0.0
Microsoft Managed Control 1837 - Data Retention And Disposal | System Configuration Microsoft implements this Data Minimization and Retention control audit 1.0.0
Notify users of system logon or access CMA_0382 - Notify users of system logon or access Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Prevent split tunneling for remote devices CMA_C1632 - Prevent split tunneling for remote devices Manual, Disabled 1.1.0
Produce, control and distribute asymmetric cryptographic keys CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys Manual, Disabled 1.1.0
Protect wireless access CMA_0411 - Protect wireless access Manual, Disabled 1.1.0
Provide secure name and address resolution services CMA_0416 - Provide secure name and address resolution services Manual, Disabled 1.1.0
Reauthenticate or terminate a user session CMA_0421 - Reauthenticate or terminate a user session Manual, Disabled 1.1.0
Require external service providers to comply with security requirements CMA_C1586 - Require external service providers to comply with security requirements Manual, Disabled 1.1.0
Require interconnection security agreements CMA_C1151 - Require interconnection security agreements Manual, Disabled 1.1.0
Restrict unauthorized software and firmware installation CMA_C1205 - Restrict unauthorized software and firmware installation Manual, Disabled 1.1.0
Restrict use of open source software CMA_C1237 - Restrict use of open source software Manual, Disabled 1.1.0
Review and update configuration management policies and procedures CMA_C1175 - Review and update configuration management policies and procedures Manual, Disabled 1.1.0
Review cloud service provider's compliance with policies and agreements CMA_0469 - Review cloud service provider's compliance with policies and agreements Manual, Disabled 1.1.0
Review user groups and applications with access to sensitive data CMA_0481 - Review user groups and applications with access to sensitive data Manual, Disabled 1.1.0
Route traffic through managed network access points CMA_0484 - Route traffic through managed network access points Manual, Disabled 1.1.0
Secure the interface to external systems CMA_0491 - Secure the interface to external systems Manual, Disabled 1.1.0
Separate user and information system management functionality CMA_0493 - Separate user and information system management functionality Manual, Disabled 1.1.0
Setup subscriptions to transition to an alternative vulnerability assessment solution Microsoft Defender for cloud offers vulnerability scanning for your machines at no extra cost. Enabling this policy will cause Defender for Cloud to automatically propagate the findings from the built-in Microsoft Defender vulnerability management solution to all supported machines. DeployIfNotExists, Disabled 1.0.0-preview
SQL databases should have vulnerability findings resolved Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. AuditIfNotExists, Disabled 4.1.0
SQL servers on machines should have vulnerability findings resolved SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. AuditIfNotExists, Disabled 1.0.0
Track software license usage CMA_C1235 - Track software license usage Manual, Disabled 1.1.0
Undergo independent security review CMA_0515 - Undergo independent security review Manual, Disabled 1.1.0
Update interconnection security agreements CMA_0519 - Update interconnection security agreements Manual, Disabled 1.1.0
Use dedicated machines for administrative tasks CMA_0527 - Use dedicated machines for administrative tasks Manual, Disabled 1.1.0
Verify security controls for external information systems CMA_0541 - Verify security controls for external information systems Manual, Disabled 1.1.0
Verify software, firmware and information integrity CMA_0542 - Verify software, firmware and information integrity Manual, Disabled 1.1.0
Vulnerability assessment should be enabled on SQL Managed Instance Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. AuditIfNotExists, Disabled 1.0.1
Vulnerability assessment should be enabled on your SQL servers Audit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. AuditIfNotExists, Disabled 3.0.0
Vulnerability assessment should be enabled on your Synapse workspaces Discover, track, and remediate potential vulnerabilities by configuring recurring SQL vulnerability assessment scans on your Synapse workspaces. AuditIfNotExists, Disabled 1.0.0

Operation

ID: ENS v1 op.exp.3 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
A vulnerability assessment solution should be enabled on your virtual machines Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. AuditIfNotExists, Disabled 3.0.0
All network ports should be restricted on network security groups associated to your virtual machine Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. AuditIfNotExists, Disabled 3.0.0
Azure Backup should be enabled for Virtual Machines Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. AuditIfNotExists, Disabled 3.0.0
Azure Machine Learning compute instances should be recreated to get the latest software updates Ensure Azure Machine Learning compute instances run on the latest available operating system. Security is improved and vulnerabilities reduced by running with the latest security patches. For more information, visit https://aka.ms/azureml-ci-updates/. [parameters('effects')] 1.0.3
Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. AuditIfNotExists, Disabled 1.0.1
Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. AuditIfNotExists, Disabled 1.0.1
Conduct backup of information system documentation CMA_C1289 - Conduct backup of information system documentation Manual, Disabled 1.1.0
Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 9.4.0
Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 9.4.0
Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 9.4.0
Configure machines to receive a vulnerability assessment provider Azure Defender includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center. When you enable this policy, Azure Defender automatically deploys the Qualys vulnerability assessment provider to all supported machines that don't already have it installed. DeployIfNotExists, Disabled 4.0.0
Correlate Vulnerability scan information CMA_C1558 - Correlate Vulnerability scan information Manual, Disabled 1.1.1
Define and document government oversight CMA_C1587 - Define and document government oversight Manual, Disabled 1.1.0
Develop and maintain a vulnerability management standard CMA_0152 - Develop and maintain a vulnerability management standard Manual, Disabled 1.1.0
Develop configuration management plan CMA_C1232 - Develop configuration management plan Manual, Disabled 1.1.0
Document and implement wireless access guidelines CMA_0190 - Document and implement wireless access guidelines Manual, Disabled 1.1.0
Document mobility training CMA_0191 - Document mobility training Manual, Disabled 1.1.0
Document remote access guidelines CMA_0196 - Document remote access guidelines Manual, Disabled 1.1.0
Employ boundary protection to isolate information systems CMA_C1639 - Employ boundary protection to isolate information systems Manual, Disabled 1.1.0
Enforce software execution privileges CMA_C1041 - Enforce software execution privileges Manual, Disabled 1.1.0
Ensure cryptographic mechanisms are under configuration management CMA_C1199 - Ensure cryptographic mechanisms are under configuration management Manual, Disabled 1.1.0
Establish a secure software development program CMA_0259 - Establish a secure software development program Manual, Disabled 1.1.0
Establish alternate storage site to store and retrieve backup information CMA_C1267 - Establish alternate storage site to store and retrieve backup information Manual, Disabled 1.1.0
Establish and document a configuration management plan CMA_0264 - Establish and document a configuration management plan Manual, Disabled 1.1.0
Establish backup policies and procedures CMA_0268 - Establish backup policies and procedures Manual, Disabled 1.1.0
Establish configuration management requirements for developers CMA_0270 - Establish configuration management requirements for developers Manual, Disabled 1.1.0
Establish electronic signature and certificate requirements CMA_0271 - Establish electronic signature and certificate requirements Manual, Disabled 1.1.0
Establish terms and conditions for accessing resources CMA_C1076 - Establish terms and conditions for accessing resources Manual, Disabled 1.1.0
Establish terms and conditions for processing resources CMA_C1077 - Establish terms and conditions for processing resources Manual, Disabled 1.1.0
Geo-redundant backup should be enabled for Azure Database for MariaDB Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. Audit, Disabled 1.0.1
Geo-redundant backup should be enabled for Azure Database for MySQL Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. Audit, Disabled 1.0.1
Geo-redundant backup should be enabled for Azure Database for PostgreSQL Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. Audit, Disabled 1.0.1
Identify and authenticate network devices CMA_0296 - Identify and authenticate network devices Manual, Disabled 1.1.0
Implement an automated configuration management tool CMA_0311 - Implement an automated configuration management tool Manual, Disabled 1.1.0
Implement managed interface for each external service CMA_C1626 - Implement managed interface for each external service Manual, Disabled 1.1.0
Implement privileged access for executing vulnerability scanning activities CMA_C1555 - Implement privileged access for executing vulnerability scanning activities Manual, Disabled 1.1.0
Incorporate flaw remediation into configuration management CMA_C1671 - Incorporate flaw remediation into configuration management Manual, Disabled 1.1.0
Long-term geo-redundant backup should be enabled for Azure SQL Databases This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled. AuditIfNotExists, Disabled 2.0.0
Microsoft Managed Control 1132 - Protection Of Audit Information | Audit Backup On Separate Physical Systems / Components Microsoft implements this Audit and Accountability control audit 1.0.0
Microsoft Managed Control 1174 - Configuration Management Policy And Procedures Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1175 - Configuration Management Policy And Procedures Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1219 - Least Functionality | Authorized Software / Whitelisting Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1220 - Least Functionality | Authorized Software / Whitelisting Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1221 - Least Functionality | Authorized Software / Whitelisting Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1230 - Configuration Management Plan Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1231 - Configuration Management Plan Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1232 - Configuration Management Plan Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1233 - Configuration Management Plan Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1234 - Software Usage Restrictions Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1235 - Software Usage Restrictions Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1236 - Software Usage Restrictions Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1237 - Software Usage Restrictions | Open Source Software Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1238 - User-Installed Software Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1239 - User-Installed Software Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1240 - User-Installed Software Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1241 - User-Installed Software | Alerts For Unauthorized Installations Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1287 - Information System Backup Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1288 - Information System Backup Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1289 - Information System Backup Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1290 - Information System Backup Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1291 - Information System Backup | Testing For Reliability / Integrity Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1292 - Information System Backup | Test Restoration Using Sampling Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1293 - Information System Backup | Separate Storage For Critical Information Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1294 - Information System Backup | Transfer To Alternate Storage Site Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1546 - Vulnerability Scanning Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1547 - Vulnerability Scanning Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1548 - Vulnerability Scanning Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1549 - Vulnerability Scanning Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1550 - Vulnerability Scanning Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1551 - Vulnerability Scanning | Update Tool Capability Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1552 - Vulnerability Scanning | Update By Frequency / Prior To New Scan / When Identified Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1553 - Vulnerability Scanning | Breadth / Depth Of Coverage Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1554 - Vulnerability Scanning | Discoverable Information Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1555 - Vulnerability Scanning | Privileged Access Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1556 - Vulnerability Scanning | Automated Trend Analyses Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1557 - Vulnerability Scanning | Review Historic Audit Logs Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1558 - Vulnerability Scanning | Correlate Scanning Information Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1594 - Developer Configuration Management Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1595 - Developer Configuration Management Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1596 - Developer Configuration Management Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1597 - Developer Configuration Management Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1598 - Developer Configuration Management Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1599 - Developer Configuration Management | Software / Firmware Integrity Verification Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1606 - Developer Security Testing And Evaluation | Threat And Vulnerability Analyses Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1712 - Software & Information Integrity Microsoft implements this System and Information Integrity control audit 1.0.1
Microsoft Managed Control 1713 - Software & Information Integrity | Integrity Checks Microsoft implements this System and Information Integrity control audit 1.0.1
Microsoft Managed Control 1714 - Software & Information Integrity | Automated Notifications Of Integrity Violations Microsoft implements this System and Information Integrity control audit 1.0.1
Microsoft Managed Control 1715 - Software & Information Integrity | Automated Response To Integrity Violations Microsoft implements this System and Information Integrity control audit 1.0.1
Microsoft Managed Control 1716 - Software & Information Integrity | Integration Of Detection And Response Microsoft implements this System and Information Integrity control audit 1.0.1
Microsoft Managed Control 1717 - Software & Information Integrity | Binary Or Machine Executable Code Microsoft implements this System and Information Integrity control audit 1.0.1
Microsoft Managed Control 1718 - Software & Information Integrity | Binary Or Machine Executable Code Microsoft implements this System and Information Integrity control audit 1.0.1
Microsoft Managed Control 1834 - Data Retention And Disposal Microsoft implements this Data Minimization and Retention control audit 1.0.0
Microsoft Managed Control 1835 - Data Retention And Disposal Microsoft implements this Data Minimization and Retention control audit 1.0.0
Microsoft Managed Control 1836 - Data Retention And Disposal Microsoft implements this Data Minimization and Retention control audit 1.0.0
Microsoft Managed Control 1837 - Data Retention And Disposal | System Configuration Microsoft implements this Data Minimization and Retention control audit 1.0.0
Notify users of system logon or access CMA_0382 - Notify users of system logon or access Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Prevent split tunneling for remote devices CMA_C1632 - Prevent split tunneling for remote devices Manual, Disabled 1.1.0
Protect wireless access CMA_0411 - Protect wireless access Manual, Disabled 1.1.0
Reauthenticate or terminate a user session CMA_0421 - Reauthenticate or terminate a user session Manual, Disabled 1.1.0
Require external service providers to comply with security requirements CMA_C1586 - Require external service providers to comply with security requirements Manual, Disabled 1.1.0
Require interconnection security agreements CMA_C1151 - Require interconnection security agreements Manual, Disabled 1.1.0
Restrict unauthorized software and firmware installation CMA_C1205 - Restrict unauthorized software and firmware installation Manual, Disabled 1.1.0
Restrict use of open source software CMA_C1237 - Restrict use of open source software Manual, Disabled 1.1.0
Review and update configuration management policies and procedures CMA_C1175 - Review and update configuration management policies and procedures Manual, Disabled 1.1.0
Review cloud service provider's compliance with policies and agreements CMA_0469 - Review cloud service provider's compliance with policies and agreements Manual, Disabled 1.1.0
Route traffic through managed network access points CMA_0484 - Route traffic through managed network access points Manual, Disabled 1.1.0
Separate user and information system management functionality CMA_0493 - Separate user and information system management functionality Manual, Disabled 1.1.0
Separately store backup information CMA_C1293 - Separately store backup information Manual, Disabled 1.1.0
Setup subscriptions to transition to an alternative vulnerability assessment solution Microsoft Defender for cloud offers vulnerability scanning for your machines at no extra cost. Enabling this policy will cause Defender for Cloud to automatically propagate the findings from the built-in Microsoft Defender vulnerability management solution to all supported machines. DeployIfNotExists, Disabled 1.0.0-preview
SQL Database should avoid using GRS backup redundancy Databases should avoid using the default geo-redundant storage for backups, if data residency rules require data to stay within a specific region. Note: Azure Policy is not enforced when creating a database using T-SQL. If not explicitly specified, database with geo-redundant backup storage is created via T-SQL. Deny, Disabled 2.0.0
SQL databases should have vulnerability findings resolved Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. AuditIfNotExists, Disabled 4.1.0
SQL Managed Instances should avoid using GRS backup redundancy Managed Instances should avoid using the default geo-redundant storage for backups, if data residency rules require data to stay within a specific region. Note: Azure Policy is not enforced when creating a database using T-SQL. If not explicitly specified, database with geo-redundant backup storage is created via T-SQL. Deny, Disabled 2.0.0
SQL servers on machines should have vulnerability findings resolved SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. AuditIfNotExists, Disabled 1.0.0
Track software license usage CMA_C1235 - Track software license usage Manual, Disabled 1.1.0
Transfer backup information to an alternate storage site CMA_C1294 - Transfer backup information to an alternate storage site Manual, Disabled 1.1.0
Update interconnection security agreements CMA_0519 - Update interconnection security agreements Manual, Disabled 1.1.0
Use dedicated machines for administrative tasks CMA_0527 - Use dedicated machines for administrative tasks Manual, Disabled 1.1.0
Verify security controls for external information systems CMA_0541 - Verify security controls for external information systems Manual, Disabled 1.1.0
Verify software, firmware and information integrity CMA_0542 - Verify software, firmware and information integrity Manual, Disabled 1.1.0
Vulnerability assessment should be enabled on SQL Managed Instance Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. AuditIfNotExists, Disabled 1.0.1
Vulnerability assessment should be enabled on your SQL servers Audit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. AuditIfNotExists, Disabled 3.0.0
Vulnerability assessment should be enabled on your Synapse workspaces Discover, track, and remediate potential vulnerabilities by configuring recurring SQL vulnerability assessment scans on your Synapse workspaces. AuditIfNotExists, Disabled 1.0.0

Operation

ID: ENS v1 op.exp.4 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
A vulnerability assessment solution should be enabled on your virtual machines Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. AuditIfNotExists, Disabled 3.0.0
Address coding vulnerabilities CMA_0003 - Address coding vulnerabilities Manual, Disabled 1.1.0
App Service apps that use Python should use a specified 'Python version' Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Python version that meets your requirements. AuditIfNotExists, Disabled 4.1.0
Automate approval request for proposed changes CMA_C1192 - Automate approval request for proposed changes Manual, Disabled 1.1.0
Automate implementation of approved change notifications CMA_C1196 - Automate implementation of approved change notifications Manual, Disabled 1.1.0
Automate process to document implemented changes CMA_C1195 - Automate process to document implemented changes Manual, Disabled 1.1.0
Automate process to highlight unreviewed change proposals CMA_C1193 - Automate process to highlight unreviewed change proposals Manual, Disabled 1.1.0
Automate process to prohibit implementation of unapproved changes CMA_C1194 - Automate process to prohibit implementation of unapproved changes Manual, Disabled 1.1.0
Automate proposed documented changes CMA_C1191 - Automate proposed documented changes Manual, Disabled 1.1.0
Automate remote maintenance activities CMA_C1402 - Automate remote maintenance activities Manual, Disabled 1.1.0
Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. AuditIfNotExists, Disabled 1.0.1
Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. AuditIfNotExists, Disabled 1.0.1
Conduct a security impact analysis CMA_0057 - Conduct a security impact analysis Manual, Disabled 1.1.0
Configure machines to receive a vulnerability assessment provider Azure Defender includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center. When you enable this policy, Azure Defender automatically deploys the Qualys vulnerability assessment provider to all supported machines that don't already have it installed. DeployIfNotExists, Disabled 4.0.0
Control maintenance and repair activities CMA_0080 - Control maintenance and repair activities Manual, Disabled 1.1.0
Correlate Vulnerability scan information CMA_C1558 - Correlate Vulnerability scan information Manual, Disabled 1.1.1
Develop and document application security requirements CMA_0148 - Develop and document application security requirements Manual, Disabled 1.1.0
Develop and maintain a vulnerability management standard CMA_0152 - Develop and maintain a vulnerability management standard Manual, Disabled 1.1.0
Develop configuration management plan CMA_C1232 - Develop configuration management plan Manual, Disabled 1.1.0
Document personnel acceptance of privacy requirements CMA_0193 - Document personnel acceptance of privacy requirements Manual, Disabled 1.1.0
Document the information system environment in acquisition contracts CMA_0205 - Document the information system environment in acquisition contracts Manual, Disabled 1.1.0
Employ a media sanitization mechanism CMA_0208 - Employ a media sanitization mechanism Manual, Disabled 1.1.0
Enforce security configuration settings CMA_0249 - Enforce security configuration settings Manual, Disabled 1.1.0
Ensure cryptographic mechanisms are under configuration management CMA_C1199 - Ensure cryptographic mechanisms are under configuration management Manual, Disabled 1.1.0
Establish a risk management strategy CMA_0258 - Establish a risk management strategy Manual, Disabled 1.1.0
Establish a secure software development program CMA_0259 - Establish a secure software development program Manual, Disabled 1.1.0
Establish and document a configuration management plan CMA_0264 - Establish and document a configuration management plan Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Establish configuration management requirements for developers CMA_0270 - Establish configuration management requirements for developers Manual, Disabled 1.1.0
Implement an automated configuration management tool CMA_0311 - Implement an automated configuration management tool Manual, Disabled 1.1.0
Implement physical security for offices, working areas, and secure areas CMA_0323 - Implement physical security for offices, working areas, and secure areas Manual, Disabled 1.1.0
Implement privileged access for executing vulnerability scanning activities CMA_C1555 - Implement privileged access for executing vulnerability scanning activities Manual, Disabled 1.1.0
Incorporate flaw remediation into configuration management CMA_C1671 - Incorporate flaw remediation into configuration management Manual, Disabled 1.1.0
Install an alarm system CMA_0338 - Install an alarm system Manual, Disabled 1.1.0
Manage nonlocal maintenance and diagnostic activities CMA_0364 - Manage nonlocal maintenance and diagnostic activities Manual, Disabled 1.1.0
Microsoft Managed Control 1174 - Configuration Management Policy And Procedures Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1175 - Configuration Management Policy And Procedures Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1230 - Configuration Management Plan Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1231 - Configuration Management Plan Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1232 - Configuration Management Plan Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1233 - Configuration Management Plan Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1546 - Vulnerability Scanning Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1547 - Vulnerability Scanning Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1548 - Vulnerability Scanning Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1549 - Vulnerability Scanning Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1550 - Vulnerability Scanning Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1551 - Vulnerability Scanning | Update Tool Capability Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1552 - Vulnerability Scanning | Update By Frequency / Prior To New Scan / When Identified Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1553 - Vulnerability Scanning | Breadth / Depth Of Coverage Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1554 - Vulnerability Scanning | Discoverable Information Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1555 - Vulnerability Scanning | Privileged Access Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1556 - Vulnerability Scanning | Automated Trend Analyses Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1557 - Vulnerability Scanning | Review Historic Audit Logs Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1558 - Vulnerability Scanning | Correlate Scanning Information Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1594 - Developer Configuration Management Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1595 - Developer Configuration Management Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1596 - Developer Configuration Management Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1597 - Developer Configuration Management Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1598 - Developer Configuration Management Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1599 - Developer Configuration Management | Software / Firmware Integrity Verification Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1606 - Developer Security Testing And Evaluation | Threat And Vulnerability Analyses Microsoft implements this System and Services Acquisition control audit 1.0.0
Perform a privacy impact assessment CMA_0387 - Perform a privacy impact assessment Manual, Disabled 1.1.0
Perform a risk assessment CMA_0388 - Perform a risk assessment Manual, Disabled 1.1.0
Perform audit for configuration change control CMA_0390 - Perform audit for configuration change control Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Produce complete records of remote maintenance activities CMA_C1403 - Produce complete records of remote maintenance activities Manual, Disabled 1.1.0
Provide timely maintenance support CMA_C1425 - Provide timely maintenance support Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0
Require developers to document approved changes and potential impact CMA_C1597 - Require developers to document approved changes and potential impact Manual, Disabled 1.1.0
Require developers to implement only approved changes CMA_C1596 - Require developers to implement only approved changes Manual, Disabled 1.1.0
Require developers to manage change integrity CMA_C1595 - Require developers to manage change integrity Manual, Disabled 1.1.0
Review and update configuration management policies and procedures CMA_C1175 - Review and update configuration management policies and procedures Manual, Disabled 1.1.0
Setup subscriptions to transition to an alternative vulnerability assessment solution Microsoft Defender for cloud offers vulnerability scanning for your machines at no extra cost. Enabling this policy will cause Defender for Cloud to automatically propagate the findings from the built-in Microsoft Defender vulnerability management solution to all supported machines. DeployIfNotExists, Disabled 1.0.0-preview
SQL databases should have vulnerability findings resolved Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. AuditIfNotExists, Disabled 4.1.0
SQL servers on machines should have vulnerability findings resolved SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. AuditIfNotExists, Disabled 1.0.0
Vulnerability assessment should be enabled on SQL Managed Instance Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. AuditIfNotExists, Disabled 1.0.1
Vulnerability assessment should be enabled on your SQL servers Audit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. AuditIfNotExists, Disabled 3.0.0
Vulnerability assessment should be enabled on your Synapse workspaces Discover, track, and remediate potential vulnerabilities by configuring recurring SQL vulnerability assessment scans on your Synapse workspaces. AuditIfNotExists, Disabled 1.0.0

Operation

ID: ENS v1 op.exp.5 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
A vulnerability assessment solution should be enabled on your virtual machines Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. AuditIfNotExists, Disabled 3.0.0
Address coding vulnerabilities CMA_0003 - Address coding vulnerabilities Manual, Disabled 1.1.0
Automate approval request for proposed changes CMA_C1192 - Automate approval request for proposed changes Manual, Disabled 1.1.0
Automate implementation of approved change notifications CMA_C1196 - Automate implementation of approved change notifications Manual, Disabled 1.1.0
Automate process to document implemented changes CMA_C1195 - Automate process to document implemented changes Manual, Disabled 1.1.0
Automate process to highlight unreviewed change proposals CMA_C1193 - Automate process to highlight unreviewed change proposals Manual, Disabled 1.1.0
Automate process to prohibit implementation of unapproved changes CMA_C1194 - Automate process to prohibit implementation of unapproved changes Manual, Disabled 1.1.0
Automate proposed documented changes CMA_C1191 - Automate proposed documented changes Manual, Disabled 1.1.0
Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. AuditIfNotExists, Disabled 1.0.1
Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. AuditIfNotExists, Disabled 1.0.1
Conduct a security impact analysis CMA_0057 - Conduct a security impact analysis Manual, Disabled 1.1.0
Configure machines to receive a vulnerability assessment provider Azure Defender includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center. When you enable this policy, Azure Defender automatically deploys the Qualys vulnerability assessment provider to all supported machines that don't already have it installed. DeployIfNotExists, Disabled 4.0.0
Correlate Vulnerability scan information CMA_C1558 - Correlate Vulnerability scan information Manual, Disabled 1.1.1
Develop and document application security requirements CMA_0148 - Develop and document application security requirements Manual, Disabled 1.1.0
Develop and maintain a vulnerability management standard CMA_0152 - Develop and maintain a vulnerability management standard Manual, Disabled 1.1.0
Develop configuration management plan CMA_C1232 - Develop configuration management plan Manual, Disabled 1.1.0
Document the information system environment in acquisition contracts CMA_0205 - Document the information system environment in acquisition contracts Manual, Disabled 1.1.0
Enforce security configuration settings CMA_0249 - Enforce security configuration settings Manual, Disabled 1.1.0
Ensure cryptographic mechanisms are under configuration management CMA_C1199 - Ensure cryptographic mechanisms are under configuration management Manual, Disabled 1.1.0
Establish a risk management strategy CMA_0258 - Establish a risk management strategy Manual, Disabled 1.1.0
Establish a secure software development program CMA_0259 - Establish a secure software development program Manual, Disabled 1.1.0
Establish and document a configuration management plan CMA_0264 - Establish and document a configuration management plan Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Establish configuration management requirements for developers CMA_0270 - Establish configuration management requirements for developers Manual, Disabled 1.1.0
Implement an automated configuration management tool CMA_0311 - Implement an automated configuration management tool Manual, Disabled 1.1.0
Implement physical security for offices, working areas, and secure areas CMA_0323 - Implement physical security for offices, working areas, and secure areas Manual, Disabled 1.1.0
Implement privileged access for executing vulnerability scanning activities CMA_C1555 - Implement privileged access for executing vulnerability scanning activities Manual, Disabled 1.1.0
Incorporate flaw remediation into configuration management CMA_C1671 - Incorporate flaw remediation into configuration management Manual, Disabled 1.1.0
Install an alarm system CMA_0338 - Install an alarm system Manual, Disabled 1.1.0
Manage nonlocal maintenance and diagnostic activities CMA_0364 - Manage nonlocal maintenance and diagnostic activities Manual, Disabled 1.1.0
Microsoft Managed Control 1174 - Configuration Management Policy And Procedures Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1175 - Configuration Management Policy And Procedures Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1230 - Configuration Management Plan Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1231 - Configuration Management Plan Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1232 - Configuration Management Plan Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1233 - Configuration Management Plan Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1546 - Vulnerability Scanning Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1547 - Vulnerability Scanning Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1548 - Vulnerability Scanning Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1549 - Vulnerability Scanning Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1550 - Vulnerability Scanning Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1551 - Vulnerability Scanning | Update Tool Capability Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1552 - Vulnerability Scanning | Update By Frequency / Prior To New Scan / When Identified Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1553 - Vulnerability Scanning | Breadth / Depth Of Coverage Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1554 - Vulnerability Scanning | Discoverable Information Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1555 - Vulnerability Scanning | Privileged Access Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1556 - Vulnerability Scanning | Automated Trend Analyses Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1557 - Vulnerability Scanning | Review Historic Audit Logs Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1558 - Vulnerability Scanning | Correlate Scanning Information Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1594 - Developer Configuration Management Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1595 - Developer Configuration Management Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1596 - Developer Configuration Management Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1597 - Developer Configuration Management Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1598 - Developer Configuration Management Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1599 - Developer Configuration Management | Software / Firmware Integrity Verification Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1606 - Developer Security Testing And Evaluation | Threat And Vulnerability Analyses Microsoft implements this System and Services Acquisition control audit 1.0.0
Perform a privacy impact assessment CMA_0387 - Perform a privacy impact assessment Manual, Disabled 1.1.0
Perform a risk assessment CMA_0388 - Perform a risk assessment Manual, Disabled 1.1.0
Perform audit for configuration change control CMA_0390 - Perform audit for configuration change control Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0
Require developers to document approved changes and potential impact CMA_C1597 - Require developers to document approved changes and potential impact Manual, Disabled 1.1.0
Require developers to implement only approved changes CMA_C1596 - Require developers to implement only approved changes Manual, Disabled 1.1.0
Require developers to manage change integrity CMA_C1595 - Require developers to manage change integrity Manual, Disabled 1.1.0
Review and update configuration management policies and procedures CMA_C1175 - Review and update configuration management policies and procedures Manual, Disabled 1.1.0
Setup subscriptions to transition to an alternative vulnerability assessment solution Microsoft Defender for cloud offers vulnerability scanning for your machines at no extra cost. Enabling this policy will cause Defender for Cloud to automatically propagate the findings from the built-in Microsoft Defender vulnerability management solution to all supported machines. DeployIfNotExists, Disabled 1.0.0-preview
SQL databases should have vulnerability findings resolved Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. AuditIfNotExists, Disabled 4.1.0
SQL servers on machines should have vulnerability findings resolved SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. AuditIfNotExists, Disabled 1.0.0
Vulnerability assessment should be enabled on SQL Managed Instance Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. AuditIfNotExists, Disabled 1.0.1
Vulnerability assessment should be enabled on your SQL servers Audit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. AuditIfNotExists, Disabled 3.0.0
Vulnerability assessment should be enabled on your Synapse workspaces Discover, track, and remediate potential vulnerabilities by configuring recurring SQL vulnerability assessment scans on your Synapse workspaces. AuditIfNotExists, Disabled 1.0.0

Operation

ID: ENS v1 op.exp.6 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Defender for App Service should be enabled Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. AuditIfNotExists, Disabled 1.0.3
Azure Defender for Azure SQL Database servers should be enabled Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. AuditIfNotExists, Disabled 1.0.2
Azure Defender for Key Vault should be enabled Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. AuditIfNotExists, Disabled 1.0.3
Azure Defender for open-source relational databases should be enabled Azure Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more about the capabilities of Azure Defender for open-source relational databases at https://aka.ms/AzDforOpenSourceDBsDocu. Important: Enabling this plan will result in charges for protecting your open-source relational databases. Learn about the pricing on Security Center's pricing page: https://aka.ms/pricing-security-center AuditIfNotExists, Disabled 1.0.0
Azure Defender for Resource Manager should be enabled Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . AuditIfNotExists, Disabled 1.0.0
Azure Defender for servers should be enabled Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. AuditIfNotExists, Disabled 1.0.3
Azure Defender for SQL servers on machines should be enabled Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. AuditIfNotExists, Disabled 1.0.2
Azure Defender for SQL should be enabled for unprotected Azure SQL servers Audit SQL servers without Advanced Data Security AuditIfNotExists, Disabled 2.0.1
Azure Defender for SQL should be enabled for unprotected SQL Managed Instances Audit each SQL Managed Instance without advanced data security. AuditIfNotExists, Disabled 1.0.2
Azure Kubernetes Service clusters should have Defender profile enabled Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks Audit, Disabled 2.0.1
Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. AuditIfNotExists, Disabled 1.0.1
Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. AuditIfNotExists, Disabled 1.0.1
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL Configure Windows Arc-enabled SQL Servers to automatically install the Microsoft Defender for SQL agent. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). DeployIfNotExists, Disabled 1.2.0
Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. DeployIfNotExists, Disabled 1.5.0
Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. DeployIfNotExists, Disabled 1.7.0
Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL DCR Configure association between Arc-enabled SQL Servers and the Microsoft Defender for SQL DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Servers. DeployIfNotExists, Disabled 1.1.0
Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR Configure association between Arc-enabled SQL Servers and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Servers. DeployIfNotExists, Disabled 1.3.0
Configure Azure Defender for App Service to be enabled Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. DeployIfNotExists, Disabled 1.0.1
Configure Azure Defender for Azure SQL database to be enabled Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. DeployIfNotExists, Disabled 1.0.1
Configure Azure Defender for open-source relational databases to be enabled Azure Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more about the capabilities of Azure Defender for open-source relational databases at https://aka.ms/AzDforOpenSourceDBsDocu. Important: Enabling this plan will result in charges for protecting your open-source relational databases. Learn about the pricing on Security Center's pricing page: https://aka.ms/pricing-security-center DeployIfNotExists, Disabled 1.0.0
Configure Azure Defender for Resource Manager to be enabled Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . DeployIfNotExists, Disabled 1.1.0
Configure Azure Defender for servers to be enabled Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. DeployIfNotExists, Disabled 1.0.1
Configure Azure Defender for SQL servers on machines to be enabled Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. DeployIfNotExists, Disabled 1.0.1
Configure Azure Defender to be enabled on SQL managed instances Enable Azure Defender on your Azure SQL Managed Instances to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. DeployIfNotExists, Disabled 2.0.0
Configure Azure Kubernetes Service clusters to enable Defender profile Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. DeployIfNotExists, Disabled 4.3.0
Configure basic Microsoft Defender for Storage to be enabled (Activity Monitoring only) Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts. This policy will enable the basic Defender for Storage capabilities (Activity Monitoring). To enable full protection, which also includes On-upload Malware Scanning and Sensitive Data Threat Detection use the full enablement policy: aka.ms/DefenderForStoragePolicy. To learn more about Defender for Storage capabilities and benefits, visit aka.ms/DefenderForStorage. DeployIfNotExists, Disabled 1.1.0
Configure machines to receive a vulnerability assessment provider Azure Defender includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center. When you enable this policy, Azure Defender automatically deploys the Qualys vulnerability assessment provider to all supported machines that don't already have it installed. DeployIfNotExists, Disabled 4.0.0
Configure Microsoft Defender CSPM to be enabled Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud. DeployIfNotExists, Disabled 1.0.2
Configure Microsoft Defender for Azure Cosmos DB to be enabled Microsoft Defender for Azure Cosmos DB is an Azure-native layer of security that detects attempts to exploit databases in your Azure Cosmos DB accounts. Defender for Azure Cosmos DB detects potential SQL injections, known bad actors based on Microsoft Threat Intelligence, suspicious access patterns, and potential exploitations of your database through compromised identities or malicious insiders. DeployIfNotExists, Disabled 1.0.0
Configure Microsoft Defender for Containers to be enabled Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. DeployIfNotExists, Disabled 1.0.1
Configure Microsoft Defender for Key Vault plan Microsoft Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. DeployIfNotExists, Disabled 1.1.0
Configure Microsoft Defender for SQL to be enabled on Synapse workspaces Enable Microsoft Defender for SQL on your Azure Synapse workspaces to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit SQL databases. DeployIfNotExists, Disabled 1.0.0
Configure Microsoft Defender for Storage (Classic) to be enabled Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. DeployIfNotExists, Disabled 1.0.2
Configure Microsoft Defender for Storage to be enabled Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts. This policy will enable all Defender for Storage capabilities; Activity Monitoring, Malware Scanning and Sensitive Data Threat Detection. To learn more about Defender for Storage capabilities and benefits, visit aka.ms/DefenderForStorage. DeployIfNotExists, Disabled 1.4.0
Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL Configure Windows SQL Virtual Machines to automatically install the Microsoft Defender for SQL extension. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). DeployIfNotExists, Disabled 1.5.0
Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. DeployIfNotExists, Disabled 1.7.0
Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. DeployIfNotExists, Disabled 1.8.0
Configure the Microsoft Defender for SQL Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine. DeployIfNotExists, Disabled 1.4.0
Control maintenance and repair activities CMA_0080 - Control maintenance and repair activities Manual, Disabled 1.1.0
Deploy Defender for Storage (Classic) on storage accounts This policy enables Defender for Storage (Classic) on storage accounts. DeployIfNotExists, Disabled 1.0.1
Deploy export to Event Hub as a trusted service for Microsoft Defender for Cloud data Enable export to Event Hub as a trusted service of Microsoft Defender for Cloud data. This policy deploys an export to Event Hub as a trusted service configuration with your conditions and target Event Hub on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. DeployIfNotExists, Disabled 1.0.0
Enable Microsoft Defender for Cloud on your subscription Identifies existing subscriptions that aren't monitored by Microsoft Defender for Cloud and protects them with Defender for Cloud's free features. Subscriptions already monitored will be considered compliant. To register newly created subscriptions, open the compliance tab, select the relevant non-compliant assignment, and create a remediation task. deployIfNotExists 1.0.1
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Manage nonlocal maintenance and diagnostic activities CMA_0364 - Manage nonlocal maintenance and diagnostic activities Manual, Disabled 1.1.0
Microsoft Defender CSPM should be enabled Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud. AuditIfNotExists, Disabled 1.0.0
Microsoft Defender for APIs should be enabled Microsoft Defender for APIs brings new discovery, protection, detection, & response coverage to monitor for common API based attacks & security misconfigurations. AuditIfNotExists, Disabled 1.0.3
Microsoft Defender for Azure Cosmos DB should be enabled Microsoft Defender for Azure Cosmos DB is an Azure-native layer of security that detects attempts to exploit databases in your Azure Cosmos DB accounts. Defender for Azure Cosmos DB detects potential SQL injections, known bad actors based on Microsoft Threat Intelligence, suspicious access patterns, and potential exploitations of your database through compromised identities or malicious insiders. AuditIfNotExists, Disabled 1.0.0
Microsoft Defender for Containers should be enabled Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. AuditIfNotExists, Disabled 1.0.0
Microsoft Defender for SQL should be enabled for unprotected Synapse workspaces Enable Defender for SQL to protect your Synapse workspaces. Defender for SQL monitors your Synapse SQL to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. AuditIfNotExists, Disabled 1.0.0
Microsoft Defender for SQL status should be protected for Arc-enabled SQL Servers Microsoft Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, discovering and classifying sensitive data. Once enabled, the protection status indicates that the resource is actively monitored. Even when Defender is enabled, multiple configuration settings should be validated on the agent, machine, workspace and SQL server to ensure active protection. Audit, Disabled 1.0.1
Microsoft Defender for Storage should be enabled Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. AuditIfNotExists, Disabled 1.0.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Provide periodic security awareness training CMA_C1091 - Provide periodic security awareness training Manual, Disabled 1.1.0
Provide security training for new users CMA_0419 - Provide security training for new users Manual, Disabled 1.1.0
Review malware detections report weekly CMA_0475 - Review malware detections report weekly Manual, Disabled 1.1.0
Review threat protection status weekly CMA_0479 - Review threat protection status weekly Manual, Disabled 1.1.0
Setup subscriptions to transition to an alternative vulnerability assessment solution Microsoft Defender for cloud offers vulnerability scanning for your machines at no extra cost. Enabling this policy will cause Defender for Cloud to automatically propagate the findings from the built-in Microsoft Defender vulnerability management solution to all supported machines. DeployIfNotExists, Disabled 1.0.0-preview
Update antivirus definitions CMA_0517 - Update antivirus definitions Manual, Disabled 1.1.0
Windows Defender Exploit Guard should be enabled on your machines Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). AuditIfNotExists, Disabled 2.0.0
Windows machines should configure Windows Defender to update protection signatures within one day To provide adequate protection against newly released malware, Windows Defender protection signatures need to be updated regularly to account for newly released malware. This policy is not applied to Arc connected servers and it requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For more information on Guest Configuration, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 1.0.1
Windows machines should enable Windows Defender Real-time protection Windows machines should enable the Real-time protection in the Windows Defender to provide adequate protection against newly released malware. This policy is not applicable to arc connected servers and it requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For more information on Guest Configuration, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 1.0.1

Operation

ID: ENS v1 op.exp.7 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Address information security issues CMA_C1742 - Address information security issues Manual, Disabled 1.1.0
Adhere to retention periods defined CMA_0004 - Adhere to retention periods defined Manual, Disabled 1.1.0
App Service apps should have resource logs enabled Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. AuditIfNotExists, Disabled 2.0.1
Assess information security events CMA_0013 - Assess information security events Manual, Disabled 1.1.0
Check for privacy and security compliance before establishing internal connections CMA_0053 - Check for privacy and security compliance before establishing internal connections Manual, Disabled 1.1.0
Conduct incident response testing CMA_0060 - Conduct incident response testing Manual, Disabled 1.1.0
Coordinate contingency plans with related plans CMA_0086 - Coordinate contingency plans with related plans Manual, Disabled 1.1.0
Correlate audit records CMA_0087 - Correlate audit records Manual, Disabled 1.1.0
Determine auditable events CMA_0137 - Determine auditable events Manual, Disabled 1.1.0
Develop an incident response plan CMA_0145 - Develop an incident response plan Manual, Disabled 1.1.0
Develop security safeguards CMA_0161 - Develop security safeguards Manual, Disabled 1.1.0
Discover any indicators of compromise CMA_C1702 - Discover any indicators of compromise Manual, Disabled 1.1.0
Disseminate security alerts to personnel CMA_C1705 - Disseminate security alerts to personnel Manual, Disabled 1.1.0
Document security operations CMA_0202 - Document security operations Manual, Disabled 1.1.0
Email notification for high severity alerts should be enabled To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. AuditIfNotExists, Disabled 1.2.0
Email notification to subscription owner for high severity alerts should be enabled To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. AuditIfNotExists, Disabled 2.1.0
Enable network protection CMA_0238 - Enable network protection Manual, Disabled 1.1.0
Eradicate contaminated information CMA_0253 - Eradicate contaminated information Manual, Disabled 1.1.0
Establish a privacy program CMA_0257 - Establish a privacy program Manual, Disabled 1.1.0
Establish a threat intelligence program CMA_0260 - Establish a threat intelligence program Manual, Disabled 1.1.0
Establish relationship between incident response capability and external providers CMA_C1376 - Establish relationship between incident response capability and external providers Manual, Disabled 1.1.0
Establish requirements for audit review and reporting CMA_0277 - Establish requirements for audit review and reporting Manual, Disabled 1.1.0
Execute actions in response to information spills CMA_0281 - Execute actions in response to information spills Manual, Disabled 1.1.0
Generate internal security alerts CMA_C1704 - Generate internal security alerts Manual, Disabled 1.1.0
Identify incident response personnel CMA_0301 - Identify incident response personnel Manual, Disabled 1.1.0
Implement incident handling CMA_0318 - Implement incident handling Manual, Disabled 1.1.0
Implement Incident handling capability CMA_C1367 - Implement Incident handling capability Manual, Disabled 1.1.0
Implement security directives CMA_C1706 - Implement security directives Manual, Disabled 1.1.0
Incorporate flaw remediation into configuration management CMA_C1671 - Incorporate flaw remediation into configuration management Manual, Disabled 1.1.0
Integrate audit review, analysis, and reporting CMA_0339 - Integrate audit review, analysis, and reporting Manual, Disabled 1.1.0
Integrate cloud app security with a siem CMA_0340 - Integrate cloud app security with a siem Manual, Disabled 1.1.0
Isolate SecurID systems, Security Incident Management systems CMA_C1636 - Isolate SecurID systems, Security Incident Management systems Manual, Disabled 1.1.0
Kubernetes cluster containers should only use allowed images Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc. audit, Audit, deny, Deny, disabled, Disabled 9.3.0
Maintain incident response plan CMA_0352 - Maintain incident response plan Manual, Disabled 1.1.0
Manage contacts for authorities and special interest groups CMA_0359 - Manage contacts for authorities and special interest groups Manual, Disabled 1.1.0
Microsoft Managed Control 1351 - Incident Response Policy And Procedures Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1352 - Incident Response Policy And Procedures Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1353 - Incident Response Training Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1354 - Incident Response Training Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1355 - Incident Response Training Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1356 - Incident Response Training | Simulated Events Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1357 - Incident Response Training | Automated Training Environments Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1358 - Incident Response Testing Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1359 - Incident Response Testing | Coordination With Related Plans Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1360 - Incident Handling Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1361 - Incident Handling Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1362 - Incident Handling Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1363 - Incident Handling | Automated Incident Handling Processes Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1364 - Incident Handling | Dynamic Reconfiguration Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1365 - Incident Handling | Continuity Of Operations Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1366 - Incident Handling | Information Correlation Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1367 - Incident Handling | Insider Threats - Specific Capabilities Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1368 - Incident Handling | Correlation With External Organizations Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1369 - Incident Monitoring Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1370 - Incident Monitoring | Automated Tracking / Data Collection / Analysis Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1371 - Incident Reporting Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1372 - Incident Reporting Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1373 - Incident Reporting | Automated Reporting Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1374 - Incident Response Assistance Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1375 - Incident Response Assistance | Automation Support For Availability Of Information / Support Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1376 - Incident Response Assistance | Coordination With External Providers Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1377 - Incident Response Assistance | Coordination With External Providers Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1378 - Incident Response Plan Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1379 - Incident Response Plan Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1380 - Incident Response Plan Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1381 - Incident Response Plan Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1382 - Incident Response Plan Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1383 - Incident Response Plan Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1384 - Information Spillage Response Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1385 - Information Spillage Response Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1386 - Information Spillage Response Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1387 - Information Spillage Response Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1388 - Information Spillage Response Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1389 - Information Spillage Response Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1390 - Information Spillage Response | Responsible Personnel Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1391 - Information Spillage Response | Training Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1392 - Information Spillage Response | Post-Spill Operations Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1393 - Information Spillage Response | Exposure To Unauthorized Personnel Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1728 - Incident Handling Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1856 - Privacy Incident Response Microsoft implements this Security control audit 1.0.0
Microsoft Managed Control 1857 - Privacy Incident Response Microsoft implements this Security control audit 1.0.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Protect incident response plan CMA_0405 - Protect incident response plan Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0
Report atypical behavior of user accounts CMA_C1025 - Report atypical behavior of user accounts Manual, Disabled 1.1.0
Resource logs in Azure Key Vault Managed HSM should be enabled To recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised, you may want to audit by enabling resource logs on Managed HSMs. Please follow the instructions here: https://docs.microsoft.com/azure/key-vault/managed-hsm/logging. AuditIfNotExists, Disabled 1.1.0
Resource logs in Azure Machine Learning Workspaces should be enabled Resource logs enable recreating activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. AuditIfNotExists, Disabled 1.0.1
Resource logs in Event Hub should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 5.0.0
Resource logs in Key Vault should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 5.0.0
Resource logs in Search services should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 5.0.0
Retain security policies and procedures CMA_0454 - Retain security policies and procedures Manual, Disabled 1.1.0
Retain terminated user data CMA_0455 - Retain terminated user data Manual, Disabled 1.1.0
Review account provisioning logs CMA_0460 - Review account provisioning logs Manual, Disabled 1.1.0
Review administrator assignments weekly CMA_0461 - Review administrator assignments weekly Manual, Disabled 1.1.0
Review and update incident response policies and procedures CMA_C1352 - Review and update incident response policies and procedures Manual, Disabled 1.1.0
Review audit data CMA_0466 - Review audit data Manual, Disabled 1.1.0
Review cloud identity report overview CMA_0468 - Review cloud identity report overview Manual, Disabled 1.1.0
Review controlled folder access events CMA_0471 - Review controlled folder access events Manual, Disabled 1.1.0
Review file and folder activity CMA_0473 - Review file and folder activity Manual, Disabled 1.1.0
Review role group changes weekly CMA_0476 - Review role group changes weekly Manual, Disabled 1.1.0
SQL servers with auditing to storage account destination should be configured with 90 days retention or higher For incident investigation purposes, we recommend setting the data retention for your SQL Server' auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards. AuditIfNotExists, Disabled 3.0.0
Subscriptions should have a contact email address for security issues To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. AuditIfNotExists, Disabled 1.0.1
View and investigate restricted users CMA_0545 - View and investigate restricted users Manual, Disabled 1.1.0

Operation

ID: ENS v1 op.exp.8 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Log Analytics Extension should be enabled for listed virtual machine images Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. AuditIfNotExists, Disabled 2.0.1-preview
Adhere to retention periods defined CMA_0004 - Adhere to retention periods defined Manual, Disabled 1.1.0
Alert personnel of information spillage CMA_0007 - Alert personnel of information spillage Manual, Disabled 1.1.0
App Service app slots should have resource logs enabled Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. AuditIfNotExists, Disabled 1.0.0
Audit diagnostic setting for selected resource types Audit diagnostic setting for selected resource types. Be sure to select only resource types which support diagnostics settings. AuditIfNotExists 2.0.1
Audit privileged functions CMA_0019 - Audit privileged functions Manual, Disabled 1.1.0
Audit user account status CMA_0020 - Audit user account status Manual, Disabled 1.1.0
Auditing on SQL server should be enabled Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. AuditIfNotExists, Disabled 2.0.0
Authorize, monitor, and control voip CMA_0025 - Authorize, monitor, and control voip Manual, Disabled 1.1.0
Automate account management CMA_0026 - Automate account management Manual, Disabled 1.1.0
Azure SignalR Service should enable diagnostic logs Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 1.0.0
Azure Web PubSub Service should enable diagnostic logs Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 1.0.0
Check for privacy and security compliance before establishing internal connections CMA_0053 - Check for privacy and security compliance before establishing internal connections Manual, Disabled 1.1.0
Compile Audit records into system wide audit CMA_C1140 - Compile Audit records into system wide audit Manual, Disabled 1.1.0
Conduct a full text analysis of logged privileged commands CMA_0056 - Conduct a full text analysis of logged privileged commands Manual, Disabled 1.1.0
Configure Azure Audit capabilities CMA_C1108 - Configure Azure Audit capabilities Manual, Disabled 1.1.1
Correlate audit records CMA_0087 - Correlate audit records Manual, Disabled 1.1.0
Dependency agent should be enabled for listed virtual machine images Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated. AuditIfNotExists, Disabled 2.0.0
Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated. AuditIfNotExists, Disabled 2.0.0
Determine auditable events CMA_0137 - Determine auditable events Manual, Disabled 1.1.0
Develop an incident response plan CMA_0145 - Develop an incident response plan Manual, Disabled 1.1.0
Discover any indicators of compromise CMA_C1702 - Discover any indicators of compromise Manual, Disabled 1.1.0
Document the legal basis for processing personal information CMA_0206 - Document the legal basis for processing personal information Manual, Disabled 1.1.0
Enable dual or joint authorization CMA_0226 - Enable dual or joint authorization Manual, Disabled 1.1.0
Enforce and audit access restrictions CMA_C1203 - Enforce and audit access restrictions Manual, Disabled 1.1.0
Establish requirements for audit review and reporting CMA_0277 - Establish requirements for audit review and reporting Manual, Disabled 1.1.0
Implement methods for consumer requests CMA_0319 - Implement methods for consumer requests Manual, Disabled 1.1.0
Implement system boundary protection CMA_0328 - Implement system boundary protection Manual, Disabled 1.1.0
Integrate audit review, analysis, and reporting CMA_0339 - Integrate audit review, analysis, and reporting Manual, Disabled 1.1.0
Integrate cloud app security with a siem CMA_0340 - Integrate cloud app security with a siem Manual, Disabled 1.1.0
Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. AuditIfNotExists, Disabled 2.0.1
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Manage system and admin accounts CMA_0368 - Manage system and admin accounts Manual, Disabled 1.1.0
Monitor access across the organization CMA_0376 - Monitor access across the organization Manual, Disabled 1.1.0
Monitor account activity CMA_0377 - Monitor account activity Manual, Disabled 1.1.0
Monitor privileged role assignment CMA_0378 - Monitor privileged role assignment Manual, Disabled 1.1.0
Notify when account is not needed CMA_0383 - Notify when account is not needed Manual, Disabled 1.1.0
Obtain legal opinion for monitoring system activities CMA_C1688 - Obtain legal opinion for monitoring system activities Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Protect audit information CMA_0401 - Protect audit information Manual, Disabled 1.1.0
Provide monitoring information as needed CMA_C1689 - Provide monitoring information as needed Manual, Disabled 1.1.0
Publish access procedures in SORNs CMA_C1848 - Publish access procedures in SORNs Manual, Disabled 1.1.0
Publish rules and regulations accessing Privacy Act records CMA_C1847 - Publish rules and regulations accessing Privacy Act records Manual, Disabled 1.1.0
Resource logs in Azure Kubernetes Service should be enabled Azure Kubernetes Service's resource logs can help recreate activity trails when investigating security incidents. Enable it to make sure the logs will exist when needed AuditIfNotExists, Disabled 1.0.0
Resource logs in Azure Stream Analytics should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 5.0.0
Resource logs in Batch accounts should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 5.0.0
Resource logs in Data Lake Analytics should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 5.0.0
Resource logs in IoT Hub should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 3.1.0
Resource logs in Service Bus should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 5.0.0
Restrict access to privileged accounts CMA_0446 - Restrict access to privileged accounts Manual, Disabled 1.1.0
Retain security policies and procedures CMA_0454 - Retain security policies and procedures Manual, Disabled 1.1.0
Retain terminated user data CMA_0455 - Retain terminated user data Manual, Disabled 1.1.0
Review account provisioning logs CMA_0460 - Review account provisioning logs Manual, Disabled 1.1.0
Review administrator assignments weekly CMA_0461 - Review administrator assignments weekly Manual, Disabled 1.1.0
Review and update the events defined in AU-02 CMA_C1106 - Review and update the events defined in AU-02 Manual, Disabled 1.1.0
Review audit data CMA_0466 - Review audit data Manual, Disabled 1.1.0
Review changes for any unauthorized changes CMA_C1204 - Review changes for any unauthorized changes Manual, Disabled 1.1.0
Review cloud identity report overview CMA_0468 - Review cloud identity report overview Manual, Disabled 1.1.0
Review controlled folder access events CMA_0471 - Review controlled folder access events Manual, Disabled 1.1.0
Review file and folder activity CMA_0473 - Review file and folder activity Manual, Disabled 1.1.0
Review role group changes weekly CMA_0476 - Review role group changes weekly Manual, Disabled 1.1.0
Revoke privileged roles as appropriate CMA_0483 - Revoke privileged roles as appropriate Manual, Disabled 1.1.0
Route traffic through managed network access points CMA_0484 - Route traffic through managed network access points Manual, Disabled 1.1.0
Set automated notifications for new and trending cloud applications in your organization CMA_0495 - Set automated notifications for new and trending cloud applications in your organization Manual, Disabled 1.1.0
Synapse workspaces with SQL auditing to storage account destination should be configured with 90 days retention or higher For incident investigation purposes, we recommend setting the data retention for your Synapse workspace' SQL auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards. AuditIfNotExists, Disabled 2.0.0
Use privileged identity management CMA_0533 - Use privileged identity management Manual, Disabled 1.1.0
Use system clocks for audit records CMA_0535 - Use system clocks for audit records Manual, Disabled 1.1.0

Operation

ID: ENS v1 op.exp.9 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adhere to retention periods defined CMA_0004 - Adhere to retention periods defined Manual, Disabled 1.1.0
Assess information security events CMA_0013 - Assess information security events Manual, Disabled 1.1.0
Check for privacy and security compliance before establishing internal connections CMA_0053 - Check for privacy and security compliance before establishing internal connections Manual, Disabled 1.1.0
Coordinate contingency plans with related plans CMA_0086 - Coordinate contingency plans with related plans Manual, Disabled 1.1.0
Correlate audit records CMA_0087 - Correlate audit records Manual, Disabled 1.1.0
Determine auditable events CMA_0137 - Determine auditable events Manual, Disabled 1.1.0
Develop an incident response plan CMA_0145 - Develop an incident response plan Manual, Disabled 1.1.0
Develop security safeguards CMA_0161 - Develop security safeguards Manual, Disabled 1.1.0
Discover any indicators of compromise CMA_C1702 - Discover any indicators of compromise Manual, Disabled 1.1.0
Document security operations CMA_0202 - Document security operations Manual, Disabled 1.1.0
Enable network protection CMA_0238 - Enable network protection Manual, Disabled 1.1.0
Eradicate contaminated information CMA_0253 - Eradicate contaminated information Manual, Disabled 1.1.0
Establish requirements for audit review and reporting CMA_0277 - Establish requirements for audit review and reporting Manual, Disabled 1.1.0
Execute actions in response to information spills CMA_0281 - Execute actions in response to information spills Manual, Disabled 1.1.0
Implement incident handling CMA_0318 - Implement incident handling Manual, Disabled 1.1.0
Integrate audit review, analysis, and reporting CMA_0339 - Integrate audit review, analysis, and reporting Manual, Disabled 1.1.0
Integrate cloud app security with a siem CMA_0340 - Integrate cloud app security with a siem Manual, Disabled 1.1.0
Maintain incident response plan CMA_0352 - Maintain incident response plan Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Report atypical behavior of user accounts CMA_C1025 - Report atypical behavior of user accounts Manual, Disabled 1.1.0
Retain security policies and procedures CMA_0454 - Retain security policies and procedures Manual, Disabled 1.1.0
Retain terminated user data CMA_0455 - Retain terminated user data Manual, Disabled 1.1.0
Review account provisioning logs CMA_0460 - Review account provisioning logs Manual, Disabled 1.1.0
Review administrator assignments weekly CMA_0461 - Review administrator assignments weekly Manual, Disabled 1.1.0
Review audit data CMA_0466 - Review audit data Manual, Disabled 1.1.0
Review cloud identity report overview CMA_0468 - Review cloud identity report overview Manual, Disabled 1.1.0
Review controlled folder access events CMA_0471 - Review controlled folder access events Manual, Disabled 1.1.0
Review file and folder activity CMA_0473 - Review file and folder activity Manual, Disabled 1.1.0
Review role group changes weekly CMA_0476 - Review role group changes weekly Manual, Disabled 1.1.0
View and investigate restricted users CMA_0545 - View and investigate restricted users Manual, Disabled 1.1.0

External resources

ID: ENS v1 op.ext.1 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Assess risk in third party relationships CMA_0014 - Assess risk in third party relationships Manual, Disabled 1.1.0
Check for privacy and security compliance before establishing internal connections CMA_0053 - Check for privacy and security compliance before establishing internal connections Manual, Disabled 1.1.0
Define and document government oversight CMA_C1587 - Define and document government oversight Manual, Disabled 1.1.0
Define requirements for supplying goods and services CMA_0126 - Define requirements for supplying goods and services Manual, Disabled 1.1.0
Determine supplier contract obligations CMA_0140 - Determine supplier contract obligations Manual, Disabled 1.1.0
Develop acceptable use policies and procedures CMA_0143 - Develop acceptable use policies and procedures Manual, Disabled 1.1.0
Develop organization code of conduct policy CMA_0159 - Develop organization code of conduct policy Manual, Disabled 1.1.0
Document acquisition contract acceptance criteria CMA_0187 - Document acquisition contract acceptance criteria Manual, Disabled 1.1.0
Document personnel acceptance of privacy requirements CMA_0193 - Document personnel acceptance of privacy requirements Manual, Disabled 1.1.0
Document protection of personal data in acquisition contracts CMA_0194 - Document protection of personal data in acquisition contracts Manual, Disabled 1.1.0
Document protection of security information in acquisition contracts CMA_0195 - Document protection of security information in acquisition contracts Manual, Disabled 1.1.0
Document requirements for the use of shared data in contracts CMA_0197 - Document requirements for the use of shared data in contracts Manual, Disabled 1.1.0
Document security assurance requirements in acquisition contracts CMA_0199 - Document security assurance requirements in acquisition contracts Manual, Disabled 1.1.0
Document security documentation requirements in acquisition contract CMA_0200 - Document security documentation requirements in acquisition contract Manual, Disabled 1.1.0
Document security functional requirements in acquisition contracts CMA_0201 - Document security functional requirements in acquisition contracts Manual, Disabled 1.1.0
Document security strength requirements in acquisition contracts CMA_0203 - Document security strength requirements in acquisition contracts Manual, Disabled 1.1.0
Document the information system environment in acquisition contracts CMA_0205 - Document the information system environment in acquisition contracts Manual, Disabled 1.1.0
Document the protection of cardholder data in third party contracts CMA_0207 - Document the protection of cardholder data in third party contracts Manual, Disabled 1.1.0
Enforce rules of behavior and access agreements CMA_0248 - Enforce rules of behavior and access agreements Manual, Disabled 1.1.0
Establish policies for supply chain risk management CMA_0275 - Establish policies for supply chain risk management Manual, Disabled 1.1.0
Identify external service providers CMA_C1591 - Identify external service providers Manual, Disabled 1.1.0
Implement privacy notice delivery methods CMA_0324 - Implement privacy notice delivery methods Manual, Disabled 1.1.0
Obtain consent prior to collection or processing of personal data CMA_0385 - Obtain consent prior to collection or processing of personal data Manual, Disabled 1.1.0
Prohibit unfair practices CMA_0396 - Prohibit unfair practices Manual, Disabled 1.1.0
Provide privacy notice CMA_0414 - Provide privacy notice Manual, Disabled 1.1.0
Require external service providers to comply with security requirements CMA_C1586 - Require external service providers to comply with security requirements Manual, Disabled 1.1.0
Require interconnection security agreements CMA_C1151 - Require interconnection security agreements Manual, Disabled 1.1.0
Review and sign revised rules of behavior CMA_0465 - Review and sign revised rules of behavior Manual, Disabled 1.1.0
Review and update personnel security policies and procedures CMA_C1507 - Review and update personnel security policies and procedures Manual, Disabled 1.1.0
Review and update system and services acquisition policies and procedures CMA_C1560 - Review and update system and services acquisition policies and procedures Manual, Disabled 1.1.0
Review cloud service provider's compliance with policies and agreements CMA_0469 - Review cloud service provider's compliance with policies and agreements Manual, Disabled 1.1.0
Undergo independent security review CMA_0515 - Undergo independent security review Manual, Disabled 1.1.0
Update interconnection security agreements CMA_0519 - Update interconnection security agreements Manual, Disabled 1.1.0
Update rules of behavior and access agreements CMA_0521 - Update rules of behavior and access agreements Manual, Disabled 1.1.0
Update rules of behavior and access agreements every 3 years CMA_0522 - Update rules of behavior and access agreements every 3 years Manual, Disabled 1.1.0

External resources

ID: ENS v1 op.ext.2 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define and document government oversight CMA_C1587 - Define and document government oversight Manual, Disabled 1.1.0
Determine supplier contract obligations CMA_0140 - Determine supplier contract obligations Manual, Disabled 1.1.0
Document acquisition contract acceptance criteria CMA_0187 - Document acquisition contract acceptance criteria Manual, Disabled 1.1.0
Document protection of personal data in acquisition contracts CMA_0194 - Document protection of personal data in acquisition contracts Manual, Disabled 1.1.0
Document protection of security information in acquisition contracts CMA_0195 - Document protection of security information in acquisition contracts Manual, Disabled 1.1.0
Document requirements for the use of shared data in contracts CMA_0197 - Document requirements for the use of shared data in contracts Manual, Disabled 1.1.0
Document security assurance requirements in acquisition contracts CMA_0199 - Document security assurance requirements in acquisition contracts Manual, Disabled 1.1.0
Document security documentation requirements in acquisition contract CMA_0200 - Document security documentation requirements in acquisition contract Manual, Disabled 1.1.0
Document security functional requirements in acquisition contracts CMA_0201 - Document security functional requirements in acquisition contracts Manual, Disabled 1.1.0
Document security strength requirements in acquisition contracts CMA_0203 - Document security strength requirements in acquisition contracts Manual, Disabled 1.1.0
Document the information system environment in acquisition contracts CMA_0205 - Document the information system environment in acquisition contracts Manual, Disabled 1.1.0
Document the protection of cardholder data in third party contracts CMA_0207 - Document the protection of cardholder data in third party contracts Manual, Disabled 1.1.0
Require external service providers to comply with security requirements CMA_C1586 - Require external service providers to comply with security requirements Manual, Disabled 1.1.0
Review cloud service provider's compliance with policies and agreements CMA_0469 - Review cloud service provider's compliance with policies and agreements Manual, Disabled 1.1.0
Undergo independent security review CMA_0515 - Undergo independent security review Manual, Disabled 1.1.0

External resources

ID: ENS v1 op.ext.3 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Establish policies for supply chain risk management CMA_0275 - Establish policies for supply chain risk management Manual, Disabled 1.1.0
Microsoft Managed Control 1608 - Supply Chain Protection Microsoft implements this System and Services Acquisition control audit 1.0.0

External resources

ID: ENS v1 op.ext.4 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 4.1.0
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 4.1.0
Adopt biometric authentication mechanisms CMA_0005 - Adopt biometric authentication mechanisms Manual, Disabled 1.1.0
All network ports should be restricted on network security groups associated to your virtual machine Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. AuditIfNotExists, Disabled 3.0.0
Audit Linux machines that allow remote connections from accounts without passwords Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords AuditIfNotExists, Disabled 3.1.0
Audit Linux machines that have accounts without passwords Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that have accounts without passwords AuditIfNotExists, Disabled 3.1.0
Audit VMs that do not use managed disks This policy audits VMs that do not use managed disks audit 1.0.0
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Authorize remote access CMA_0024 - Authorize remote access Manual, Disabled 1.1.0
Automate account management CMA_0026 - Automate account management Manual, Disabled 1.1.0
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Control information flow CMA_0079 - Control information flow Manual, Disabled 1.1.0
Define and document government oversight CMA_C1587 - Define and document government oversight Manual, Disabled 1.1.0
Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. deployIfNotExists 3.1.0
Design an access control model CMA_0129 - Design an access control model Manual, Disabled 1.1.0
Document and implement wireless access guidelines CMA_0190 - Document and implement wireless access guidelines Manual, Disabled 1.1.0
Document mobility training CMA_0191 - Document mobility training Manual, Disabled 1.1.0
Document remote access guidelines CMA_0196 - Document remote access guidelines Manual, Disabled 1.1.0
Employ boundary protection to isolate information systems CMA_C1639 - Employ boundary protection to isolate information systems Manual, Disabled 1.1.0
Employ flow control mechanisms of encrypted information CMA_0211 - Employ flow control mechanisms of encrypted information Manual, Disabled 1.1.0
Employ least privilege access CMA_0212 - Employ least privilege access Manual, Disabled 1.1.0
Enable detection of network devices CMA_0220 - Enable detection of network devices Manual, Disabled 1.1.0
Enforce logical access CMA_0245 - Enforce logical access Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
Enforce user uniqueness CMA_0250 - Enforce user uniqueness Manual, Disabled 1.1.0
Establish electronic signature and certificate requirements CMA_0271 - Establish electronic signature and certificate requirements Manual, Disabled 1.1.0
Establish firewall and router configuration standards CMA_0272 - Establish firewall and router configuration standards Manual, Disabled 1.1.0
Establish network segmentation for card holder data environment CMA_0273 - Establish network segmentation for card holder data environment Manual, Disabled 1.1.0
Establish terms and conditions for accessing resources CMA_C1076 - Establish terms and conditions for accessing resources Manual, Disabled 1.1.0
Establish terms and conditions for processing resources CMA_C1077 - Establish terms and conditions for processing resources Manual, Disabled 1.1.0
Identify actions allowed without authentication CMA_0295 - Identify actions allowed without authentication Manual, Disabled 1.1.0
Identify and authenticate network devices CMA_0296 - Identify and authenticate network devices Manual, Disabled 1.1.0
Identify and authenticate non-organizational users CMA_C1346 - Identify and authenticate non-organizational users Manual, Disabled 1.1.0
Identify and manage downstream information exchanges CMA_0298 - Identify and manage downstream information exchanges Manual, Disabled 1.1.0
Implement a fault tolerant name/address service CMA_0305 - Implement a fault tolerant name/address service Manual, Disabled 1.1.0
Implement controls to secure alternate work sites CMA_0315 - Implement controls to secure alternate work sites Manual, Disabled 1.1.0
Implement managed interface for each external service CMA_C1626 - Implement managed interface for each external service Manual, Disabled 1.1.0
Implement system boundary protection CMA_0328 - Implement system boundary protection Manual, Disabled 1.1.0
Information flow control using security policy filters CMA_C1029 - Information flow control using security policy filters Manual, Disabled 1.1.0
Manage system and admin accounts CMA_0368 - Manage system and admin accounts Manual, Disabled 1.1.0
Monitor access across the organization CMA_0376 - Monitor access across the organization Manual, Disabled 1.1.0
Notify users of system logon or access CMA_0382 - Notify users of system logon or access Manual, Disabled 1.1.0
Notify when account is not needed CMA_0383 - Notify when account is not needed Manual, Disabled 1.1.0
Prevent split tunneling for remote devices CMA_C1632 - Prevent split tunneling for remote devices Manual, Disabled 1.1.0
Produce, control and distribute asymmetric cryptographic keys CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0
Protect wireless access CMA_0411 - Protect wireless access Manual, Disabled 1.1.0
Provide privacy training CMA_0415 - Provide privacy training Manual, Disabled 1.1.0
Provide secure name and address resolution services CMA_0416 - Provide secure name and address resolution services Manual, Disabled 1.1.0
Reauthenticate or terminate a user session CMA_0421 - Reauthenticate or terminate a user session Manual, Disabled 1.1.0
Require approval for account creation CMA_0431 - Require approval for account creation Manual, Disabled 1.1.0
Require external service providers to comply with security requirements CMA_C1586 - Require external service providers to comply with security requirements Manual, Disabled 1.1.0
Require interconnection security agreements CMA_C1151 - Require interconnection security agreements Manual, Disabled 1.1.0
Review cloud service provider's compliance with policies and agreements CMA_0469 - Review cloud service provider's compliance with policies and agreements Manual, Disabled 1.1.0
Review user groups and applications with access to sensitive data CMA_0481 - Review user groups and applications with access to sensitive data Manual, Disabled 1.1.0
Route traffic through managed network access points CMA_0484 - Route traffic through managed network access points Manual, Disabled 1.1.0
Secure the interface to external systems CMA_0491 - Secure the interface to external systems Manual, Disabled 1.1.0
Separate user and information system management functionality CMA_0493 - Separate user and information system management functionality Manual, Disabled 1.1.0
Set automated notifications for new and trending cloud applications in your organization CMA_0495 - Set automated notifications for new and trending cloud applications in your organization Manual, Disabled 1.1.0
Storage accounts should be migrated to new Azure Resource Manager resources Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management Audit, Deny, Disabled 1.0.0
Support personal verification credentials issued by legal authorities CMA_0507 - Support personal verification credentials issued by legal authorities Manual, Disabled 1.1.0
Undergo independent security review CMA_0515 - Undergo independent security review Manual, Disabled 1.1.0
Update interconnection security agreements CMA_0519 - Update interconnection security agreements Manual, Disabled 1.1.0
Use dedicated machines for administrative tasks CMA_0527 - Use dedicated machines for administrative tasks Manual, Disabled 1.1.0
Verify security controls for external information systems CMA_0541 - Verify security controls for external information systems Manual, Disabled 1.1.0
Virtual machines should be migrated to new Azure Resource Manager resources Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management Audit, Deny, Disabled 1.0.0

System monitoring

ID: ENS v1 op.mon.1 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
All flow log resources should be in enabled state Audit for flow log resources to verify if flow log status is enabled. Enabling flow logs allows to log information about IP traffic flowing. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. Audit, Disabled 1.0.1
Audit flow logs configuration for every virtual network Audit for virtual network to verify if flow logs are configured. Enabling flow logs allows to log information about IP traffic flowing through virtual network. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. Audit, Disabled 1.0.1
Authorize remote access CMA_0024 - Authorize remote access Manual, Disabled 1.1.0
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Control information flow CMA_0079 - Control information flow Manual, Disabled 1.1.0
Define and document government oversight CMA_C1587 - Define and document government oversight Manual, Disabled 1.1.0
Define mobile device requirements CMA_0122 - Define mobile device requirements Manual, Disabled 1.1.0
Document and implement wireless access guidelines CMA_0190 - Document and implement wireless access guidelines Manual, Disabled 1.1.0
Document mobility training CMA_0191 - Document mobility training Manual, Disabled 1.1.0
Document personnel acceptance of privacy requirements CMA_0193 - Document personnel acceptance of privacy requirements Manual, Disabled 1.1.0
Document remote access guidelines CMA_0196 - Document remote access guidelines Manual, Disabled 1.1.0
Employ flow control mechanisms of encrypted information CMA_0211 - Employ flow control mechanisms of encrypted information Manual, Disabled 1.1.0
Establish firewall and router configuration standards CMA_0272 - Establish firewall and router configuration standards Manual, Disabled 1.1.0
Establish network segmentation for card holder data environment CMA_0273 - Establish network segmentation for card holder data environment Manual, Disabled 1.1.0
Establish terms and conditions for accessing resources CMA_C1076 - Establish terms and conditions for accessing resources Manual, Disabled 1.1.0
Establish terms and conditions for processing resources CMA_C1077 - Establish terms and conditions for processing resources Manual, Disabled 1.1.0
Explicitly notify use of collaborative computing devices CMA_C1649 - Explicitly notify use of collaborative computing devices Manual, Disabled 1.1.1
Flow logs should be configured for every network security group Audit for network security groups to verify if flow logs are configured. Enabling flow logs allows to log information about IP traffic flowing through network security group. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. Audit, Disabled 1.1.0
Identify and manage downstream information exchanges CMA_0298 - Identify and manage downstream information exchanges Manual, Disabled 1.1.0
Identify external service providers CMA_C1591 - Identify external service providers Manual, Disabled 1.1.0
Implement a fault tolerant name/address service CMA_0305 - Implement a fault tolerant name/address service Manual, Disabled 1.1.0
Implement controls to secure alternate work sites CMA_0315 - Implement controls to secure alternate work sites Manual, Disabled 1.1.0
Implement managed interface for each external service CMA_C1626 - Implement managed interface for each external service Manual, Disabled 1.1.0
Implement privacy notice delivery methods CMA_0324 - Implement privacy notice delivery methods Manual, Disabled 1.1.0
Implement system boundary protection CMA_0328 - Implement system boundary protection Manual, Disabled 1.1.0
Information flow control using security policy filters CMA_C1029 - Information flow control using security policy filters Manual, Disabled 1.1.0
Microsoft Managed Control 1464 - Monitoring Physical Access | Intrusion Alarms / Surveillance Equipment Microsoft implements this Physical and Environmental Protection control audit 1.0.0
Microsoft Managed Control 1690 - Information System Monitoring | System-Wide Intrusion Detection System Microsoft implements this System and Information Integrity control audit 1.0.0
Microsoft Managed Control 1695 - Information System Monitoring | Wireless Intrusion Detection Microsoft implements this System and Information Integrity control audit 1.0.0
Microsoft Managed Control 1829 - Data Integrity And Data Integrity Board | Publish Agreements on Website Microsoft implements this Data Quality and Integrity control audit 1.0.0
Microsoft Managed Control 1865 - System of Records Notices And Privacy Act Statements | Public Website Publication Microsoft implements this Transparency control audit 1.0.0
Obtain consent prior to collection or processing of personal data CMA_0385 - Obtain consent prior to collection or processing of personal data Manual, Disabled 1.1.0
Produce, control and distribute asymmetric cryptographic keys CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys Manual, Disabled 1.1.0
Prohibit remote activation of collaborative computing devices CMA_C1648 - Prohibit remote activation of collaborative computing devices Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0
Protect wireless access CMA_0411 - Protect wireless access Manual, Disabled 1.1.0
Provide privacy notice CMA_0414 - Provide privacy notice Manual, Disabled 1.1.0
Provide privacy training CMA_0415 - Provide privacy training Manual, Disabled 1.1.0
Provide secure name and address resolution services CMA_0416 - Provide secure name and address resolution services Manual, Disabled 1.1.0
Publish Computer Matching Agreements on public website CMA_C1829 - Publish Computer Matching Agreements on public website Manual, Disabled 1.1.0
Require external service providers to comply with security requirements CMA_C1586 - Require external service providers to comply with security requirements Manual, Disabled 1.1.0
Require interconnection security agreements CMA_C1151 - Require interconnection security agreements Manual, Disabled 1.1.0
Review cloud service provider's compliance with policies and agreements CMA_0469 - Review cloud service provider's compliance with policies and agreements Manual, Disabled 1.1.0
Secure the interface to external systems CMA_0491 - Secure the interface to external systems Manual, Disabled 1.1.0
Secure transfer to storage accounts should be enabled Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Audit, Deny, Disabled 2.0.0
Undergo independent security review CMA_0515 - Undergo independent security review Manual, Disabled 1.1.0
Update interconnection security agreements CMA_0519 - Update interconnection security agreements Manual, Disabled 1.1.0
Verify security controls for external information systems CMA_0541 - Verify security controls for external information systems Manual, Disabled 1.1.0
Windows Defender Exploit Guard should be enabled on your machines Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). AuditIfNotExists, Disabled 2.0.0

System monitoring

ID: ENS v1 op.mon.2 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure detection whitelist CMA_0068 - Configure detection whitelist Manual, Disabled 1.1.0
Turn on sensors for endpoint security solution CMA_0514 - Turn on sensors for endpoint security solution Manual, Disabled 1.1.0
Undergo independent security review CMA_0515 - Undergo independent security review Manual, Disabled 1.1.0

System monitoring

ID: ENS v1 op.mon.3 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
A vulnerability assessment solution should be enabled on your virtual machines Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. AuditIfNotExists, Disabled 3.0.0
Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. AuditIfNotExists, Disabled 1.0.1
Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. AuditIfNotExists, Disabled 1.0.1
Configure machines to receive a vulnerability assessment provider Azure Defender includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center. When you enable this policy, Azure Defender automatically deploys the Qualys vulnerability assessment provider to all supported machines that don't already have it installed. DeployIfNotExists, Disabled 4.0.0
Configure Microsoft Defender for Azure Cosmos DB to be enabled Microsoft Defender for Azure Cosmos DB is an Azure-native layer of security that detects attempts to exploit databases in your Azure Cosmos DB accounts. Defender for Azure Cosmos DB detects potential SQL injections, known bad actors based on Microsoft Threat Intelligence, suspicious access patterns, and potential exploitations of your database through compromised identities or malicious insiders. DeployIfNotExists, Disabled 1.0.0
Correlate Vulnerability scan information CMA_C1558 - Correlate Vulnerability scan information Manual, Disabled 1.1.1
Develop and maintain a vulnerability management standard CMA_0152 - Develop and maintain a vulnerability management standard Manual, Disabled 1.1.0
Develop configuration management plan CMA_C1232 - Develop configuration management plan Manual, Disabled 1.1.0
Ensure cryptographic mechanisms are under configuration management CMA_C1199 - Ensure cryptographic mechanisms are under configuration management Manual, Disabled 1.1.0
Establish a threat intelligence program CMA_0260 - Establish a threat intelligence program Manual, Disabled 1.1.0
Establish and document a configuration management plan CMA_0264 - Establish and document a configuration management plan Manual, Disabled 1.1.0
Establish configuration management requirements for developers CMA_0270 - Establish configuration management requirements for developers Manual, Disabled 1.1.0
Implement an automated configuration management tool CMA_0311 - Implement an automated configuration management tool Manual, Disabled 1.1.0
Implement privileged access for executing vulnerability scanning activities CMA_C1555 - Implement privileged access for executing vulnerability scanning activities Manual, Disabled 1.1.0
Incorporate flaw remediation into configuration management CMA_C1671 - Incorporate flaw remediation into configuration management Manual, Disabled 1.1.0
Microsoft Defender for Azure Cosmos DB should be enabled Microsoft Defender for Azure Cosmos DB is an Azure-native layer of security that detects attempts to exploit databases in your Azure Cosmos DB accounts. Defender for Azure Cosmos DB detects potential SQL injections, known bad actors based on Microsoft Threat Intelligence, suspicious access patterns, and potential exploitations of your database through compromised identities or malicious insiders. AuditIfNotExists, Disabled 1.0.0
Microsoft Managed Control 1174 - Configuration Management Policy And Procedures Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1175 - Configuration Management Policy And Procedures Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1230 - Configuration Management Plan Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1231 - Configuration Management Plan Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1232 - Configuration Management Plan Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1233 - Configuration Management Plan Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1546 - Vulnerability Scanning Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1547 - Vulnerability Scanning Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1548 - Vulnerability Scanning Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1549 - Vulnerability Scanning Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1550 - Vulnerability Scanning Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1551 - Vulnerability Scanning | Update Tool Capability Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1552 - Vulnerability Scanning | Update By Frequency / Prior To New Scan / When Identified Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1553 - Vulnerability Scanning | Breadth / Depth Of Coverage Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1554 - Vulnerability Scanning | Discoverable Information Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1555 - Vulnerability Scanning | Privileged Access Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1556 - Vulnerability Scanning | Automated Trend Analyses Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1557 - Vulnerability Scanning | Review Historic Audit Logs Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1558 - Vulnerability Scanning | Correlate Scanning Information Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1594 - Developer Configuration Management Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1595 - Developer Configuration Management Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1596 - Developer Configuration Management Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1597 - Developer Configuration Management Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1598 - Developer Configuration Management Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1599 - Developer Configuration Management | Software / Firmware Integrity Verification Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1606 - Developer Security Testing And Evaluation | Threat And Vulnerability Analyses Microsoft implements this System and Services Acquisition control audit 1.0.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Review and update configuration management policies and procedures CMA_C1175 - Review and update configuration management policies and procedures Manual, Disabled 1.1.0
Security Center standard pricing tier should be selected The standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in Azure Security Center Audit, Disabled 1.1.0
Setup subscriptions to transition to an alternative vulnerability assessment solution Microsoft Defender for cloud offers vulnerability scanning for your machines at no extra cost. Enabling this policy will cause Defender for Cloud to automatically propagate the findings from the built-in Microsoft Defender vulnerability management solution to all supported machines. DeployIfNotExists, Disabled 1.0.0-preview
SQL databases should have vulnerability findings resolved Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. AuditIfNotExists, Disabled 4.1.0
SQL servers on machines should have vulnerability findings resolved SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. AuditIfNotExists, Disabled 1.0.0
Vulnerability assessment should be enabled on SQL Managed Instance Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. AuditIfNotExists, Disabled 1.0.1
Vulnerability assessment should be enabled on your SQL servers Audit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. AuditIfNotExists, Disabled 3.0.0
Vulnerability assessment should be enabled on your Synapse workspaces Discover, track, and remediate potential vulnerabilities by configuring recurring SQL vulnerability assessment scans on your Synapse workspaces. AuditIfNotExists, Disabled 1.0.0

Cloud services

ID: ENS v1 op.nub.1 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Assess risk in third party relationships CMA_0014 - Assess risk in third party relationships Manual, Disabled 1.1.0
Check for privacy and security compliance before establishing internal connections CMA_0053 - Check for privacy and security compliance before establishing internal connections Manual, Disabled 1.1.0
Cloud Services (extended support) role instances should be configured securely Protect your Cloud Service (extended support) role instances from attacks by ensuring they are not expolosed to any OS vulnerabilities. AuditIfNotExists, Disabled 1.0.0
Cloud Services (extended support) role instances should have system updates installed Secure your Cloud Services (extended support) role instances by ensuring the latest security and critical updates are installed on them. AuditIfNotExists, Disabled 1.0.0
Define and document government oversight CMA_C1587 - Define and document government oversight Manual, Disabled 1.1.0
Define requirements for supplying goods and services CMA_0126 - Define requirements for supplying goods and services Manual, Disabled 1.1.0
Determine supplier contract obligations CMA_0140 - Determine supplier contract obligations Manual, Disabled 1.1.0
Develop acceptable use policies and procedures CMA_0143 - Develop acceptable use policies and procedures Manual, Disabled 1.1.0
Develop organization code of conduct policy CMA_0159 - Develop organization code of conduct policy Manual, Disabled 1.1.0
Document acquisition contract acceptance criteria CMA_0187 - Document acquisition contract acceptance criteria Manual, Disabled 1.1.0
Document personnel acceptance of privacy requirements CMA_0193 - Document personnel acceptance of privacy requirements Manual, Disabled 1.1.0
Document protection of personal data in acquisition contracts CMA_0194 - Document protection of personal data in acquisition contracts Manual, Disabled 1.1.0
Document protection of security information in acquisition contracts CMA_0195 - Document protection of security information in acquisition contracts Manual, Disabled 1.1.0
Document requirements for the use of shared data in contracts CMA_0197 - Document requirements for the use of shared data in contracts Manual, Disabled 1.1.0
Document security assurance requirements in acquisition contracts CMA_0199 - Document security assurance requirements in acquisition contracts Manual, Disabled 1.1.0
Document security documentation requirements in acquisition contract CMA_0200 - Document security documentation requirements in acquisition contract Manual, Disabled 1.1.0
Document security functional requirements in acquisition contracts CMA_0201 - Document security functional requirements in acquisition contracts Manual, Disabled 1.1.0
Document security strength requirements in acquisition contracts CMA_0203 - Document security strength requirements in acquisition contracts Manual, Disabled 1.1.0
Document the information system environment in acquisition contracts CMA_0205 - Document the information system environment in acquisition contracts Manual, Disabled 1.1.0
Document the protection of cardholder data in third party contracts CMA_0207 - Document the protection of cardholder data in third party contracts Manual, Disabled 1.1.0
Enforce rules of behavior and access agreements CMA_0248 - Enforce rules of behavior and access agreements Manual, Disabled 1.1.0
Establish policies for supply chain risk management CMA_0275 - Establish policies for supply chain risk management Manual, Disabled 1.1.0
Identify external service providers CMA_C1591 - Identify external service providers Manual, Disabled 1.1.0
Log Analytics agent should be installed on your Cloud Services (extended support) role instances Security Center collects data from your Cloud Services (extended support) role instances to monitor for security vulnerabilities and threats. AuditIfNotExists, Disabled 2.0.0
Prohibit unfair practices CMA_0396 - Prohibit unfair practices Manual, Disabled 1.1.0
Require external service providers to comply with security requirements CMA_C1586 - Require external service providers to comply with security requirements Manual, Disabled 1.1.0
Review and sign revised rules of behavior CMA_0465 - Review and sign revised rules of behavior Manual, Disabled 1.1.0
Review and update personnel security policies and procedures CMA_C1507 - Review and update personnel security policies and procedures Manual, Disabled 1.1.0
Review and update system and services acquisition policies and procedures CMA_C1560 - Review and update system and services acquisition policies and procedures Manual, Disabled 1.1.0
Review cloud service provider's compliance with policies and agreements CMA_0469 - Review cloud service provider's compliance with policies and agreements Manual, Disabled 1.1.0
Undergo independent security review CMA_0515 - Undergo independent security review Manual, Disabled 1.1.0
Update rules of behavior and access agreements CMA_0521 - Update rules of behavior and access agreements Manual, Disabled 1.1.0
Update rules of behavior and access agreements every 3 years CMA_0522 - Update rules of behavior and access agreements every 3 years Manual, Disabled 1.1.0

Planning

ID: ENS v1 op.pl.1 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Assess risk in third party relationships CMA_0014 - Assess risk in third party relationships Manual, Disabled 1.1.0
Assign risk designations CMA_0016 - Assign risk designations Manual, Disabled 1.1.0
Conduct Risk Assessment CMA_C1543 - Conduct Risk Assessment Manual, Disabled 1.1.0
Conduct risk assessment and distribute its results CMA_C1544 - Conduct risk assessment and distribute its results Manual, Disabled 1.1.0
Conduct risk assessment and document its results CMA_C1542 - Conduct risk assessment and document its results Manual, Disabled 1.1.0
Configure Microsoft Defender CSPM to be enabled Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud. DeployIfNotExists, Disabled 1.0.2
Develop POA&M CMA_C1156 - Develop POA&M Manual, Disabled 1.1.0
Develop SSP that meets criteria CMA_C1492 - Develop SSP that meets criteria Manual, Disabled 1.1.0
Establish a risk management strategy CMA_0258 - Establish a risk management strategy Manual, Disabled 1.1.0
Establish policies for supply chain risk management CMA_0275 - Establish policies for supply chain risk management Manual, Disabled 1.1.0
Implement system boundary protection CMA_0328 - Implement system boundary protection Manual, Disabled 1.1.0
Implement the risk management strategy CMA_C1744 - Implement the risk management strategy Manual, Disabled 1.1.0
Integrate risk management process into SDLC CMA_C1567 - Integrate risk management process into SDLC Manual, Disabled 1.1.0
Microsoft Defender CSPM should be enabled Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud. AuditIfNotExists, Disabled 1.0.0
Microsoft Managed Control 1026 - Account Management | Disable Accounts For High-Risk Individuals Microsoft implements this Access Control control audit 1.0.0
Microsoft Managed Control 1182 - Baseline Configuration | Configure Systems, Components, Or Devices For High-Risk Areas Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1183 - Baseline Configuration | Configure Systems, Components, Or Devices For High-Risk Areas Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1536 - Risk Assessment Policy And Procedures Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1537 - Risk Assessment Policy And Procedures Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1538 - Security Categorization Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1539 - Security Categorization Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1540 - Security Categorization Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1541 - Risk Assessment Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1542 - Risk Assessment Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1543 - Risk Assessment Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1544 - Risk Assessment Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1545 - Risk Assessment Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1546 - Vulnerability Scanning Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1547 - Vulnerability Scanning Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1548 - Vulnerability Scanning Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1549 - Vulnerability Scanning Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1550 - Vulnerability Scanning Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1551 - Vulnerability Scanning | Update Tool Capability Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1552 - Vulnerability Scanning | Update By Frequency / Prior To New Scan / When Identified Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1553 - Vulnerability Scanning | Breadth / Depth Of Coverage Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1554 - Vulnerability Scanning | Discoverable Information Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1555 - Vulnerability Scanning | Privileged Access Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1556 - Vulnerability Scanning | Automated Trend Analyses Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1557 - Vulnerability Scanning | Review Historic Audit Logs Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1558 - Vulnerability Scanning | Correlate Scanning Information Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1589 - External Information System Services | Risk Assessments / Organizational Approvals Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1590 - External Information System Services | Risk Assessments / Organizational Approvals Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1698 - Information System Monitoring | Individuals Posing Greater Risk Microsoft implements this System and Information Integrity control audit 1.0.0
Microsoft Managed Control 1743 - Risk Management Strategy Microsoft implements this Program Management control audit 1.0.0
Microsoft Managed Control 1744 - Risk Management Strategy Microsoft implements this Program Management control audit 1.0.0
Microsoft Managed Control 1745 - Risk Management Strategy Microsoft implements this Program Management control audit 1.0.0
Microsoft Managed Control 1802 - Governance And Privacy Program Microsoft implements this Accountability, Audit, and Risk Management control audit 1.0.0
Microsoft Managed Control 1803 - Governance And Privacy Program Microsoft implements this Accountability, Audit, and Risk Management control audit 1.0.0
Microsoft Managed Control 1804 - Governance And Privacy Program Microsoft implements this Accountability, Audit, and Risk Management control audit 1.0.0
Microsoft Managed Control 1805 - Governance And Privacy Program Microsoft implements this Accountability, Audit, and Risk Management control audit 1.0.0
Microsoft Managed Control 1806 - Governance And Privacy Program Microsoft implements this Accountability, Audit, and Risk Management control audit 1.0.0
Microsoft Managed Control 1807 - Governance And Privacy Program Microsoft implements this Accountability, Audit, and Risk Management control audit 1.0.0
Microsoft Managed Control 1808 - Privacy Impact And Risk Assessment Microsoft implements this Accountability, Audit, and Risk Management control audit 1.0.0
Microsoft Managed Control 1809 - Privacy Impact And Risk Assessment Microsoft implements this Accountability, Audit, and Risk Management control audit 1.0.0
Microsoft Managed Control 1810 - Privacy Requirements for Contractors And Service Providers Microsoft implements this Accountability, Audit, and Risk Management control audit 1.0.0
Microsoft Managed Control 1811 - Privacy Requirements for Contractors And Service Providers Microsoft implements this Accountability, Audit, and Risk Management control audit 1.0.0
Microsoft Managed Control 1812 - Privacy Monitoring And Auditing Microsoft implements this Accountability, Audit, and Risk Management control audit 1.0.0
Microsoft Managed Control 1813 - Privacy Awareness And Training Microsoft implements this Accountability, Audit, and Risk Management control audit 1.0.0
Microsoft Managed Control 1814 - Privacy Awareness And Training Microsoft implements this Accountability, Audit, and Risk Management control audit 1.0.0
Microsoft Managed Control 1815 - Privacy Awareness And Training Microsoft implements this Accountability, Audit, and Risk Management control audit 1.0.0
Microsoft Managed Control 1816 - Privacy Reporting Microsoft implements this Accountability, Audit, and Risk Management control audit 1.0.0
Microsoft Managed Control 1817 - Privacy-Enhanced System Design And Development Microsoft implements this Accountability, Audit, and Risk Management control audit 1.0.0
Microsoft Managed Control 1818 - Accounting of Disclosures Microsoft implements this Accountability, Audit, and Risk Management control audit 1.0.0
Microsoft Managed Control 1819 - Accounting of Disclosures Microsoft implements this Accountability, Audit, and Risk Management control audit 1.0.0
Microsoft Managed Control 1820 - Accounting of Disclosures Microsoft implements this Accountability, Audit, and Risk Management control audit 1.0.0
Microsoft Managed Control 1840 - Minimization of PII Used in Testing, Training, And Research | Risk Minimization Techniques Microsoft implements this Data Minimization and Retention control audit 1.0.0
Perform a risk assessment CMA_0388 - Perform a risk assessment Manual, Disabled 1.1.0
Review and update risk assessment policies and procedures CMA_C1537 - Review and update risk assessment policies and procedures Manual, Disabled 1.1.0
Secure the interface to external systems CMA_0491 - Secure the interface to external systems Manual, Disabled 1.1.0
Update POA&M items CMA_C1157 - Update POA&M items Manual, Disabled 1.1.0

Planning

ID: ENS v1 op.pl.2 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adopt biometric authentication mechanisms CMA_0005 - Adopt biometric authentication mechanisms Manual, Disabled 1.1.0
All network ports should be restricted on network security groups associated to your virtual machine Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. AuditIfNotExists, Disabled 3.0.0
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Authorize remote access CMA_0024 - Authorize remote access Manual, Disabled 1.1.0
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Control information flow CMA_0079 - Control information flow Manual, Disabled 1.1.0
Control use of portable storage devices CMA_0083 - Control use of portable storage devices Manual, Disabled 1.1.0
Create a data inventory CMA_0096 - Create a data inventory Manual, Disabled 1.1.0
Develop acceptable use policies and procedures CMA_0143 - Develop acceptable use policies and procedures Manual, Disabled 1.1.0
Develop an enterprise architecture CMA_C1741 - Develop an enterprise architecture Manual, Disabled 1.1.0
Document and implement wireless access guidelines CMA_0190 - Document and implement wireless access guidelines Manual, Disabled 1.1.0
Document mobility training CMA_0191 - Document mobility training Manual, Disabled 1.1.0
Document remote access guidelines CMA_0196 - Document remote access guidelines Manual, Disabled 1.1.0
Employ boundary protection to isolate information systems CMA_C1639 - Employ boundary protection to isolate information systems Manual, Disabled 1.1.0
Employ flow control mechanisms of encrypted information CMA_0211 - Employ flow control mechanisms of encrypted information Manual, Disabled 1.1.0
Enforce logical access CMA_0245 - Enforce logical access Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
Enforce rules of behavior and access agreements CMA_0248 - Enforce rules of behavior and access agreements Manual, Disabled 1.1.0
Establish and maintain an asset inventory CMA_0266 - Establish and maintain an asset inventory Manual, Disabled 1.1.0
Establish firewall and router configuration standards CMA_0272 - Establish firewall and router configuration standards Manual, Disabled 1.1.0
Establish network segmentation for card holder data environment CMA_0273 - Establish network segmentation for card holder data environment Manual, Disabled 1.1.0
Establish terms and conditions for accessing resources CMA_C1076 - Establish terms and conditions for accessing resources Manual, Disabled 1.1.0
Establish terms and conditions for processing resources CMA_C1077 - Establish terms and conditions for processing resources Manual, Disabled 1.1.0
Identify and authenticate network devices CMA_0296 - Identify and authenticate network devices Manual, Disabled 1.1.0
Identify and manage downstream information exchanges CMA_0298 - Identify and manage downstream information exchanges Manual, Disabled 1.1.0
Implement a fault tolerant name/address service CMA_0305 - Implement a fault tolerant name/address service Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Implement controls to secure alternate work sites CMA_0315 - Implement controls to secure alternate work sites Manual, Disabled 1.1.0
Implement managed interface for each external service CMA_C1626 - Implement managed interface for each external service Manual, Disabled 1.1.0
Implement system boundary protection CMA_0328 - Implement system boundary protection Manual, Disabled 1.1.0
Information flow control using security policy filters CMA_C1029 - Information flow control using security policy filters Manual, Disabled 1.1.0
Maintain records of processing of personal data CMA_0353 - Maintain records of processing of personal data Manual, Disabled 1.1.0
Microsoft Managed Control 1503 - Information Security Architecture Microsoft implements this Planning control audit 1.0.0
Microsoft Managed Control 1504 - Information Security Architecture Microsoft implements this Planning control audit 1.0.0
Microsoft Managed Control 1505 - Information Security Architecture Microsoft implements this Planning control audit 1.0.0
Microsoft Managed Control 1612 - Developer Security Architecture And Design Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1613 - Developer Security Architecture And Design Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1614 - Developer Security Architecture And Design Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1659 - Architecture And Provisioning For Name / Address Resolution Service Microsoft implements this System and Communications Protection control audit 1.0.0
Microsoft Managed Control 1741 - Enterprise Architecture Microsoft implements this Program Management control audit 1.0.0
Monitor access across the organization CMA_0376 - Monitor access across the organization Manual, Disabled 1.1.0
Notify users of system logon or access CMA_0382 - Notify users of system logon or access Manual, Disabled 1.1.0
Perform information input validation CMA_C1723 - Perform information input validation Manual, Disabled 1.1.0
Prevent split tunneling for remote devices CMA_C1632 - Prevent split tunneling for remote devices Manual, Disabled 1.1.0
Produce, control and distribute asymmetric cryptographic keys CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0
Protect wireless access CMA_0411 - Protect wireless access Manual, Disabled 1.1.0
Provide privacy training CMA_0415 - Provide privacy training Manual, Disabled 1.1.0
Provide secure name and address resolution services CMA_0416 - Provide secure name and address resolution services Manual, Disabled 1.1.0
Reauthenticate or terminate a user session CMA_0421 - Reauthenticate or terminate a user session Manual, Disabled 1.1.0
Require approval for account creation CMA_0431 - Require approval for account creation Manual, Disabled 1.1.0
Require developers to build security architecture CMA_C1612 - Require developers to build security architecture Manual, Disabled 1.1.0
Require developers to describe accurate security functionality CMA_C1613 - Require developers to describe accurate security functionality Manual, Disabled 1.1.0
Require developers to provide unified security protection approach CMA_C1614 - Require developers to provide unified security protection approach Manual, Disabled 1.1.0
Restrict media use CMA_0450 - Restrict media use Manual, Disabled 1.1.0
Review and update the information security architecture CMA_C1504 - Review and update the information security architecture Manual, Disabled 1.1.0
Review development process, standards and tools CMA_C1610 - Review development process, standards and tools Manual, Disabled 1.1.0
Review user groups and applications with access to sensitive data CMA_0481 - Review user groups and applications with access to sensitive data Manual, Disabled 1.1.0
Secure the interface to external systems CMA_0491 - Secure the interface to external systems Manual, Disabled 1.1.0
Separate user and information system management functionality CMA_0493 - Separate user and information system management functionality Manual, Disabled 1.1.0
Use dedicated machines for administrative tasks CMA_0527 - Use dedicated machines for administrative tasks Manual, Disabled 1.1.0
Verify security controls for external information systems CMA_0541 - Verify security controls for external information systems Manual, Disabled 1.1.0

Planning

ID: ENS v1 op.pl.3 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Authorize remote access CMA_0024 - Authorize remote access Manual, Disabled 1.1.0
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Control information flow CMA_0079 - Control information flow Manual, Disabled 1.1.0
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0
Define information security roles and responsibilities CMA_C1565 - Define information security roles and responsibilities Manual, Disabled 1.1.0
Determine supplier contract obligations CMA_0140 - Determine supplier contract obligations Manual, Disabled 1.1.0
Develop a concept of operations (CONOPS) CMA_0141 - Develop a concept of operations (CONOPS) Manual, Disabled 1.1.0
Develop and establish a system security plan CMA_0151 - Develop and establish a system security plan Manual, Disabled 1.1.0
Develop information security policies and procedures CMA_0158 - Develop information security policies and procedures Manual, Disabled 1.1.0
Develop SSP that meets criteria CMA_C1492 - Develop SSP that meets criteria Manual, Disabled 1.1.0
Document acquisition contract acceptance criteria CMA_0187 - Document acquisition contract acceptance criteria Manual, Disabled 1.1.0
Document mobility training CMA_0191 - Document mobility training Manual, Disabled 1.1.0
Document protection of personal data in acquisition contracts CMA_0194 - Document protection of personal data in acquisition contracts Manual, Disabled 1.1.0
Document protection of security information in acquisition contracts CMA_0195 - Document protection of security information in acquisition contracts Manual, Disabled 1.1.0
Document remote access guidelines CMA_0196 - Document remote access guidelines Manual, Disabled 1.1.0
Document requirements for the use of shared data in contracts CMA_0197 - Document requirements for the use of shared data in contracts Manual, Disabled 1.1.0
Document security assurance requirements in acquisition contracts CMA_0199 - Document security assurance requirements in acquisition contracts Manual, Disabled 1.1.0
Document security documentation requirements in acquisition contract CMA_0200 - Document security documentation requirements in acquisition contract Manual, Disabled 1.1.0
Document security functional requirements in acquisition contracts CMA_0201 - Document security functional requirements in acquisition contracts Manual, Disabled 1.1.0
Document security strength requirements in acquisition contracts CMA_0203 - Document security strength requirements in acquisition contracts Manual, Disabled 1.1.0
Document the information system environment in acquisition contracts CMA_0205 - Document the information system environment in acquisition contracts Manual, Disabled 1.1.0
Document the protection of cardholder data in third party contracts CMA_0207 - Document the protection of cardholder data in third party contracts Manual, Disabled 1.1.0
Employ boundary protection to isolate information systems CMA_C1639 - Employ boundary protection to isolate information systems Manual, Disabled 1.1.0
Employ flow control mechanisms of encrypted information CMA_0211 - Employ flow control mechanisms of encrypted information Manual, Disabled 1.1.0
Enforce logical access CMA_0245 - Enforce logical access Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
Enforce user uniqueness CMA_0250 - Enforce user uniqueness Manual, Disabled 1.1.0
Establish a privacy program CMA_0257 - Establish a privacy program Manual, Disabled 1.1.0
Establish firewall and router configuration standards CMA_0272 - Establish firewall and router configuration standards Manual, Disabled 1.1.0
Establish network segmentation for card holder data environment CMA_0273 - Establish network segmentation for card holder data environment Manual, Disabled 1.1.0
Establish security requirements for the manufacturing of connected devices CMA_0279 - Establish security requirements for the manufacturing of connected devices Manual, Disabled 1.1.0
Identify and authenticate network devices CMA_0296 - Identify and authenticate network devices Manual, Disabled 1.1.0
Identify and authenticate non-organizational users CMA_C1346 - Identify and authenticate non-organizational users Manual, Disabled 1.1.0
Identify and manage downstream information exchanges CMA_0298 - Identify and manage downstream information exchanges Manual, Disabled 1.1.0
Identify external service providers CMA_C1591 - Identify external service providers Manual, Disabled 1.1.0
Identify individuals with security roles and responsibilities CMA_C1566 - Identify individuals with security roles and responsibilities Manual, Disabled 1.1.1
Implement a fault tolerant name/address service CMA_0305 - Implement a fault tolerant name/address service Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Implement controls to secure alternate work sites CMA_0315 - Implement controls to secure alternate work sites Manual, Disabled 1.1.0
Implement security engineering principles of information systems CMA_0325 - Implement security engineering principles of information systems Manual, Disabled 1.1.0
Implement system boundary protection CMA_0328 - Implement system boundary protection Manual, Disabled 1.1.0
Information flow control using security policy filters CMA_C1029 - Information flow control using security policy filters Manual, Disabled 1.1.0
Integrate risk management process into SDLC CMA_C1567 - Integrate risk management process into SDLC Manual, Disabled 1.1.0
Monitor access across the organization CMA_0376 - Monitor access across the organization Manual, Disabled 1.1.0
Notify users of system logon or access CMA_0382 - Notify users of system logon or access Manual, Disabled 1.1.0
Prevent split tunneling for remote devices CMA_C1632 - Prevent split tunneling for remote devices Manual, Disabled 1.1.0
Produce, control and distribute asymmetric cryptographic keys CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0
Provide privacy training CMA_0415 - Provide privacy training Manual, Disabled 1.1.0
Provide secure name and address resolution services CMA_0416 - Provide secure name and address resolution services Manual, Disabled 1.1.0
Require approval for account creation CMA_0431 - Require approval for account creation Manual, Disabled 1.1.0
Review and update the information security architecture CMA_C1504 - Review and update the information security architecture Manual, Disabled 1.1.0
Review development process, standards and tools CMA_C1610 - Review development process, standards and tools Manual, Disabled 1.1.0
Review user groups and applications with access to sensitive data CMA_0481 - Review user groups and applications with access to sensitive data Manual, Disabled 1.1.0
Secure the interface to external systems CMA_0491 - Secure the interface to external systems Manual, Disabled 1.1.0
Separate user and information system management functionality CMA_0493 - Separate user and information system management functionality Manual, Disabled 1.1.0
Support personal verification credentials issued by legal authorities CMA_0507 - Support personal verification credentials issued by legal authorities Manual, Disabled 1.1.0
Use dedicated machines for administrative tasks CMA_0527 - Use dedicated machines for administrative tasks Manual, Disabled 1.1.0

Planning

ID: ENS v1 op.pl.4 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Assess risk in third party relationships CMA_0014 - Assess risk in third party relationships Manual, Disabled 1.1.0
Conduct capacity planning CMA_C1252 - Conduct capacity planning Manual, Disabled 1.1.0
Define requirements for supplying goods and services CMA_0126 - Define requirements for supplying goods and services Manual, Disabled 1.1.0
Determine supplier contract obligations CMA_0140 - Determine supplier contract obligations Manual, Disabled 1.1.0
Establish policies for supply chain risk management CMA_0275 - Establish policies for supply chain risk management Manual, Disabled 1.1.0
Govern and monitor audit processing activities CMA_0289 - Govern and monitor audit processing activities Manual, Disabled 1.1.0
Manage availability and capacity CMA_0356 - Manage availability and capacity Manual, Disabled 1.1.0
Microsoft Managed Control 1110 - Audit Storage Capacity Microsoft implements this Audit and Accountability control audit 1.0.0
Microsoft Managed Control 1113 - Response To Audit Processing Failures | Audit Storage Capacity Microsoft implements this Audit and Accountability control audit 1.0.0
Microsoft Managed Control 1252 - Contingency Plan | Capacity Planning Microsoft implements this Contingency Planning control audit 1.0.0
Review and update personnel security policies and procedures CMA_C1507 - Review and update personnel security policies and procedures Manual, Disabled 1.1.0
Review and update system and services acquisition policies and procedures CMA_C1560 - Review and update system and services acquisition policies and procedures Manual, Disabled 1.1.0

Planning

ID: ENS v1 op.pl.5 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Assess risk in third party relationships CMA_0014 - Assess risk in third party relationships Manual, Disabled 1.1.0
Check for privacy and security compliance before establishing internal connections CMA_0053 - Check for privacy and security compliance before establishing internal connections Manual, Disabled 1.1.0
Define requirements for supplying goods and services CMA_0126 - Define requirements for supplying goods and services Manual, Disabled 1.1.0
Determine supplier contract obligations CMA_0140 - Determine supplier contract obligations Manual, Disabled 1.1.0
Develop acceptable use policies and procedures CMA_0143 - Develop acceptable use policies and procedures Manual, Disabled 1.1.0
Develop organization code of conduct policy CMA_0159 - Develop organization code of conduct policy Manual, Disabled 1.1.0
Document acquisition contract acceptance criteria CMA_0187 - Document acquisition contract acceptance criteria Manual, Disabled 1.1.0
Document personnel acceptance of privacy requirements CMA_0193 - Document personnel acceptance of privacy requirements Manual, Disabled 1.1.0
Document protection of personal data in acquisition contracts CMA_0194 - Document protection of personal data in acquisition contracts Manual, Disabled 1.1.0
Document protection of security information in acquisition contracts CMA_0195 - Document protection of security information in acquisition contracts Manual, Disabled 1.1.0
Document requirements for the use of shared data in contracts CMA_0197 - Document requirements for the use of shared data in contracts Manual, Disabled 1.1.0
Document security assurance requirements in acquisition contracts CMA_0199 - Document security assurance requirements in acquisition contracts Manual, Disabled 1.1.0
Document security documentation requirements in acquisition contract CMA_0200 - Document security documentation requirements in acquisition contract Manual, Disabled 1.1.0
Document security functional requirements in acquisition contracts CMA_0201 - Document security functional requirements in acquisition contracts Manual, Disabled 1.1.0
Document security strength requirements in acquisition contracts CMA_0203 - Document security strength requirements in acquisition contracts Manual, Disabled 1.1.0
Document the information system environment in acquisition contracts CMA_0205 - Document the information system environment in acquisition contracts Manual, Disabled 1.1.0
Document the protection of cardholder data in third party contracts CMA_0207 - Document the protection of cardholder data in third party contracts Manual, Disabled 1.1.0
Enforce rules of behavior and access agreements CMA_0248 - Enforce rules of behavior and access agreements Manual, Disabled 1.1.0
Establish policies for supply chain risk management CMA_0275 - Establish policies for supply chain risk management Manual, Disabled 1.1.0
Identify external service providers CMA_C1591 - Identify external service providers Manual, Disabled 1.1.0
Prohibit unfair practices CMA_0396 - Prohibit unfair practices Manual, Disabled 1.1.0
Review and sign revised rules of behavior CMA_0465 - Review and sign revised rules of behavior Manual, Disabled 1.1.0
Review and update personnel security policies and procedures CMA_C1507 - Review and update personnel security policies and procedures Manual, Disabled 1.1.0
Review and update system and services acquisition policies and procedures CMA_C1560 - Review and update system and services acquisition policies and procedures Manual, Disabled 1.1.0
Update rules of behavior and access agreements CMA_0521 - Update rules of behavior and access agreements Manual, Disabled 1.1.0
Update rules of behavior and access agreements every 3 years CMA_0522 - Update rules of behavior and access agreements every 3 years Manual, Disabled 1.1.0

Organizational framework

Organizational framework

ID: ENS v1 org.1 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Appoint a senior information security officer CMA_C1733 - Appoint a senior information security officer Manual, Disabled 1.1.0
Authenticate to cryptographic module CMA_0021 - Authenticate to cryptographic module Manual, Disabled 1.1.0
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Communicate contingency plan changes CMA_C1249 - Communicate contingency plan changes Manual, Disabled 1.1.0
Conduct backup of information system documentation CMA_C1289 - Conduct backup of information system documentation Manual, Disabled 1.1.0
Control physical access CMA_0081 - Control physical access Manual, Disabled 1.1.0
Coordinate contingency plans with related plans CMA_0086 - Coordinate contingency plans with related plans Manual, Disabled 1.1.0
Create configuration plan protection CMA_C1233 - Create configuration plan protection Manual, Disabled 1.1.0
Define and document government oversight CMA_C1587 - Define and document government oversight Manual, Disabled 1.1.0
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0
Define information security roles and responsibilities CMA_C1565 - Define information security roles and responsibilities Manual, Disabled 1.1.0
Designate individuals to fulfill specific roles and responsibilities CMA_C1747 - Designate individuals to fulfill specific roles and responsibilities Manual, Disabled 1.1.0
Determine supplier contract obligations CMA_0140 - Determine supplier contract obligations Manual, Disabled 1.1.0
Develop access control policies and procedures CMA_0144 - Develop access control policies and procedures Manual, Disabled 1.1.0
Develop and document a business continuity and disaster recovery plan CMA_0146 - Develop and document a business continuity and disaster recovery plan Manual, Disabled 1.1.0
Develop and establish a system security plan CMA_0151 - Develop and establish a system security plan Manual, Disabled 1.1.0
Develop and maintain baseline configurations CMA_0153 - Develop and maintain baseline configurations Manual, Disabled 1.1.0
Develop audit and accountability policies and procedures CMA_0154 - Develop audit and accountability policies and procedures Manual, Disabled 1.1.0
Develop configuration item identification plan CMA_C1231 - Develop configuration item identification plan Manual, Disabled 1.1.0
Develop configuration management plan CMA_C1232 - Develop configuration management plan Manual, Disabled 1.1.0
Develop contingency plan CMA_C1244 - Develop contingency plan Manual, Disabled 1.1.0
Develop contingency planning policies and procedures CMA_0156 - Develop contingency planning policies and procedures Manual, Disabled 1.1.0
Develop information security policies and procedures CMA_0158 - Develop information security policies and procedures Manual, Disabled 1.1.0
Distribute policies and procedures CMA_0185 - Distribute policies and procedures Manual, Disabled 1.1.0
Document acquisition contract acceptance criteria CMA_0187 - Document acquisition contract acceptance criteria Manual, Disabled 1.1.0
Document and implement privacy complaint procedures CMA_0189 - Document and implement privacy complaint procedures Manual, Disabled 1.1.0
Document protection of personal data in acquisition contracts CMA_0194 - Document protection of personal data in acquisition contracts Manual, Disabled 1.1.0
Document protection of security information in acquisition contracts CMA_0195 - Document protection of security information in acquisition contracts Manual, Disabled 1.1.0
Document requirements for the use of shared data in contracts CMA_0197 - Document requirements for the use of shared data in contracts Manual, Disabled 1.1.0
Document security and privacy training activities CMA_0198 - Document security and privacy training activities Manual, Disabled 1.1.0
Document security assurance requirements in acquisition contracts CMA_0199 - Document security assurance requirements in acquisition contracts Manual, Disabled 1.1.0
Document security documentation requirements in acquisition contract CMA_0200 - Document security documentation requirements in acquisition contract Manual, Disabled 1.1.0
Document security functional requirements in acquisition contracts CMA_0201 - Document security functional requirements in acquisition contracts Manual, Disabled 1.1.0
Document security strength requirements in acquisition contracts CMA_0203 - Document security strength requirements in acquisition contracts Manual, Disabled 1.1.0
Document the information system environment in acquisition contracts CMA_0205 - Document the information system environment in acquisition contracts Manual, Disabled 1.1.0
Document the protection of cardholder data in third party contracts CMA_0207 - Document the protection of cardholder data in third party contracts Manual, Disabled 1.1.0
Document third-party personnel security requirements CMA_C1531 - Document third-party personnel security requirements Manual, Disabled 1.1.0
Enable dual or joint authorization CMA_0226 - Enable dual or joint authorization Manual, Disabled 1.1.0
Enforce logical access CMA_0245 - Enforce logical access Manual, Disabled 1.1.0
Ensure information system fails in known state CMA_C1662 - Ensure information system fails in known state Manual, Disabled 1.1.0
Ensure privacy program information is publicly available CMA_C1867 - Ensure privacy program information is publicly available Manual, Disabled 1.1.0
Establish a privacy program CMA_0257 - Establish a privacy program Manual, Disabled 1.1.0
Establish a risk management strategy CMA_0258 - Establish a risk management strategy Manual, Disabled 1.1.0
Establish an information security program CMA_0263 - Establish an information security program Manual, Disabled 1.1.0
Establish and document a configuration management plan CMA_0264 - Establish and document a configuration management plan Manual, Disabled 1.1.0
Establish backup policies and procedures CMA_0268 - Establish backup policies and procedures Manual, Disabled 1.1.0
Establish privacy requirements for contractors and service providers CMA_C1810 - Establish privacy requirements for contractors and service providers Manual, Disabled 1.1.0
Establish security requirements for the manufacturing of connected devices CMA_0279 - Establish security requirements for the manufacturing of connected devices Manual, Disabled 1.1.0
Establish third-party personnel security requirements CMA_C1529 - Establish third-party personnel security requirements Manual, Disabled 1.1.0
Govern policies and procedures CMA_0292 - Govern policies and procedures Manual, Disabled 1.1.0
Identify individuals with security roles and responsibilities CMA_C1566 - Identify individuals with security roles and responsibilities Manual, Disabled 1.1.1
Implement an automated configuration management tool CMA_0311 - Implement an automated configuration management tool Manual, Disabled 1.1.0
Implement formal sanctions process CMA_0317 - Implement formal sanctions process Manual, Disabled 1.1.0
Implement security engineering principles of information systems CMA_0325 - Implement security engineering principles of information systems Manual, Disabled 1.1.0
Implement transaction based recovery CMA_C1296 - Implement transaction based recovery Manual, Disabled 1.1.0
Integrate risk management process into SDLC CMA_C1567 - Integrate risk management process into SDLC Manual, Disabled 1.1.0
Manage compliance activities CMA_0358 - Manage compliance activities Manual, Disabled 1.1.0
Manage security state of information systems CMA_C1746 - Manage security state of information systems Manual, Disabled 1.1.0
Manage the input, output, processing, and storage of data CMA_0369 - Manage the input, output, processing, and storage of data Manual, Disabled 1.1.0
Monitor third-party provider compliance CMA_C1533 - Monitor third-party provider compliance Manual, Disabled 1.1.0
Notify personnel upon sanctions CMA_0380 - Notify personnel upon sanctions Manual, Disabled 1.1.0
Plan for resumption of essential business functions CMA_C1253 - Plan for resumption of essential business functions Manual, Disabled 1.1.0
Protect audit information CMA_0401 - Protect audit information Manual, Disabled 1.1.0
Protect the information security program plan CMA_C1732 - Protect the information security program plan Manual, Disabled 1.1.0
Require approval for account creation CMA_0431 - Require approval for account creation Manual, Disabled 1.1.0
Require compliance with intellectual property rights CMA_0432 - Require compliance with intellectual property rights Manual, Disabled 1.1.0
Require external service providers to comply with security requirements CMA_C1586 - Require external service providers to comply with security requirements Manual, Disabled 1.1.0
Require notification of third-party personnel transfer or termination CMA_C1532 - Require notification of third-party personnel transfer or termination Manual, Disabled 1.1.0
Require third-party providers to comply with personnel security policies and procedures CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures Manual, Disabled 1.1.0
Resume all mission and business functions CMA_C1254 - Resume all mission and business functions Manual, Disabled 1.1.0
Review access control policies and procedures CMA_0457 - Review access control policies and procedures Manual, Disabled 1.1.0
Review and update configuration management policies and procedures CMA_C1175 - Review and update configuration management policies and procedures Manual, Disabled 1.1.0
Review and update contingency planning policies and procedures CMA_C1243 - Review and update contingency planning policies and procedures Manual, Disabled 1.1.0
Review and update incident response policies and procedures CMA_C1352 - Review and update incident response policies and procedures Manual, Disabled 1.1.0
Review and update information integrity policies and procedures CMA_C1667 - Review and update information integrity policies and procedures Manual, Disabled 1.1.0
Review and update media protection policies and procedures CMA_C1427 - Review and update media protection policies and procedures Manual, Disabled 1.1.0
Review and update personnel security policies and procedures CMA_C1507 - Review and update personnel security policies and procedures Manual, Disabled 1.1.0
Review and update physical and environmental policies and procedures CMA_C1446 - Review and update physical and environmental policies and procedures Manual, Disabled 1.1.0
Review and update planning policies and procedures CMA_C1491 - Review and update planning policies and procedures Manual, Disabled 1.1.0
Review and update risk assessment policies and procedures CMA_C1537 - Review and update risk assessment policies and procedures Manual, Disabled 1.1.0
Review and update system and communications protection policies and procedures CMA_C1616 - Review and update system and communications protection policies and procedures Manual, Disabled 1.1.0
Review and update system and services acquisition policies and procedures CMA_C1560 - Review and update system and services acquisition policies and procedures Manual, Disabled 1.1.0
Review and update system maintenance policies and procedures CMA_C1395 - Review and update system maintenance policies and procedures Manual, Disabled 1.1.0
Review cloud service provider's compliance with policies and agreements CMA_0469 - Review cloud service provider's compliance with policies and agreements Manual, Disabled 1.1.0
Review contingency plan CMA_C1247 - Review contingency plan Manual, Disabled 1.1.0
Review label activity and analytics CMA_0474 - Review label activity and analytics Manual, Disabled 1.1.0
Review security assessment and authorization policies and procedures CMA_C1143 - Review security assessment and authorization policies and procedures Manual, Disabled 1.1.0
Review user groups and applications with access to sensitive data CMA_0481 - Review user groups and applications with access to sensitive data Manual, Disabled 1.1.0
Track software license usage CMA_C1235 - Track software license usage Manual, Disabled 1.1.0
Undergo independent security review CMA_0515 - Undergo independent security review Manual, Disabled 1.1.0
Update contingency plan CMA_C1248 - Update contingency plan Manual, Disabled 1.1.0
Update information security policies CMA_0518 - Update information security policies Manual, Disabled 1.1.0
Update privacy plan, policies, and procedures CMA_C1807 - Update privacy plan, policies, and procedures Manual, Disabled 1.1.0

Organizational framework

ID: ENS v1 org.2 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adhere to retention periods defined CMA_0004 - Adhere to retention periods defined Manual, Disabled 1.1.0
Adopt biometric authentication mechanisms CMA_0005 - Adopt biometric authentication mechanisms Manual, Disabled 1.1.0
Assess information security events CMA_0013 - Assess information security events Manual, Disabled 1.1.0
Assess Security Controls CMA_C1145 - Assess Security Controls Manual, Disabled 1.1.0
Authorize remote access CMA_0024 - Authorize remote access Manual, Disabled 1.1.0
Check for privacy and security compliance before establishing internal connections CMA_0053 - Check for privacy and security compliance before establishing internal connections Manual, Disabled 1.1.0
Conduct exit interview upon termination CMA_0058 - Conduct exit interview upon termination Manual, Disabled 1.1.0
Configure detection whitelist CMA_0068 - Configure detection whitelist Manual, Disabled 1.1.0
Correlate audit records CMA_0087 - Correlate audit records Manual, Disabled 1.1.0
Define mobile device requirements CMA_0122 - Define mobile device requirements Manual, Disabled 1.1.0
Deliver security assessment results CMA_C1147 - Deliver security assessment results Manual, Disabled 1.1.0
Determine auditable events CMA_0137 - Determine auditable events Manual, Disabled 1.1.0
Develop acceptable use policies and procedures CMA_0143 - Develop acceptable use policies and procedures Manual, Disabled 1.1.0
Develop access control policies and procedures CMA_0144 - Develop access control policies and procedures Manual, Disabled 1.1.0
Develop an incident response plan CMA_0145 - Develop an incident response plan Manual, Disabled 1.1.0
Develop and establish a system security plan CMA_0151 - Develop and establish a system security plan Manual, Disabled 1.1.0
Develop audit and accountability policies and procedures CMA_0154 - Develop audit and accountability policies and procedures Manual, Disabled 1.1.0
Develop information security policies and procedures CMA_0158 - Develop information security policies and procedures Manual, Disabled 1.1.0
Develop security assessment plan CMA_C1144 - Develop security assessment plan Manual, Disabled 1.1.0
Develop security safeguards CMA_0161 - Develop security safeguards Manual, Disabled 1.1.0
Disable authenticators upon termination CMA_0169 - Disable authenticators upon termination Manual, Disabled 1.1.0
Discover any indicators of compromise CMA_C1702 - Discover any indicators of compromise Manual, Disabled 1.1.0
Disseminate security alerts to personnel CMA_C1705 - Disseminate security alerts to personnel Manual, Disabled 1.1.0
Document and implement wireless access guidelines CMA_0190 - Document and implement wireless access guidelines Manual, Disabled 1.1.0
Document mobility training CMA_0191 - Document mobility training Manual, Disabled 1.1.0
Document remote access guidelines CMA_0196 - Document remote access guidelines Manual, Disabled 1.1.0
Document security and privacy training activities CMA_0198 - Document security and privacy training activities Manual, Disabled 1.1.0
Document security operations CMA_0202 - Document security operations Manual, Disabled 1.1.0
Enable network protection CMA_0238 - Enable network protection Manual, Disabled 1.1.0
Enforce logical access CMA_0245 - Enforce logical access Manual, Disabled 1.1.0
Enforce rules of behavior and access agreements CMA_0248 - Enforce rules of behavior and access agreements Manual, Disabled 1.1.0
Ensure security safeguards not needed when the individuals return CMA_C1183 - Ensure security safeguards not needed when the individuals return Manual, Disabled 1.1.0
Eradicate contaminated information CMA_0253 - Eradicate contaminated information Manual, Disabled 1.1.0
Establish a privacy program CMA_0257 - Establish a privacy program Manual, Disabled 1.1.0
Establish a threat intelligence program CMA_0260 - Establish a threat intelligence program Manual, Disabled 1.1.0
Establish an information security program CMA_0263 - Establish an information security program Manual, Disabled 1.1.0
Establish requirements for audit review and reporting CMA_0277 - Establish requirements for audit review and reporting Manual, Disabled 1.1.0
Establish security requirements for the manufacturing of connected devices CMA_0279 - Establish security requirements for the manufacturing of connected devices Manual, Disabled 1.1.0
Establish terms and conditions for accessing resources CMA_C1076 - Establish terms and conditions for accessing resources Manual, Disabled 1.1.0
Establish terms and conditions for processing resources CMA_C1077 - Establish terms and conditions for processing resources Manual, Disabled 1.1.0
Execute actions in response to information spills CMA_0281 - Execute actions in response to information spills Manual, Disabled 1.1.0
Generate internal security alerts CMA_C1704 - Generate internal security alerts Manual, Disabled 1.1.0
Govern policies and procedures CMA_0292 - Govern policies and procedures Manual, Disabled 1.1.0
Identify and authenticate network devices CMA_0296 - Identify and authenticate network devices Manual, Disabled 1.1.0
Implement controls to secure alternate work sites CMA_0315 - Implement controls to secure alternate work sites Manual, Disabled 1.1.0
Implement incident handling CMA_0318 - Implement incident handling Manual, Disabled 1.1.0
Implement security directives CMA_C1706 - Implement security directives Manual, Disabled 1.1.0
Implement security engineering principles of information systems CMA_0325 - Implement security engineering principles of information systems Manual, Disabled 1.1.0
Incorporate flaw remediation into configuration management CMA_C1671 - Incorporate flaw remediation into configuration management Manual, Disabled 1.1.0
Initiate transfer or reassignment actions CMA_0333 - Initiate transfer or reassignment actions Manual, Disabled 1.1.0
Integrate audit review, analysis, and reporting CMA_0339 - Integrate audit review, analysis, and reporting Manual, Disabled 1.1.0
Integrate cloud app security with a siem CMA_0340 - Integrate cloud app security with a siem Manual, Disabled 1.1.0
Maintain data breach records CMA_0351 - Maintain data breach records Manual, Disabled 1.1.0
Maintain incident response plan CMA_0352 - Maintain incident response plan Manual, Disabled 1.1.0
Manage contacts for authorities and special interest groups CMA_0359 - Manage contacts for authorities and special interest groups Manual, Disabled 1.1.0
Manage the transportation of assets CMA_0370 - Manage the transportation of assets Manual, Disabled 1.1.0
Modify access authorizations upon personnel transfer CMA_0374 - Modify access authorizations upon personnel transfer Manual, Disabled 1.1.0
Not allow for information systems to accompany with individuals CMA_C1182 - Not allow for information systems to accompany with individuals Manual, Disabled 1.1.0
Notify upon termination or transfer CMA_0381 - Notify upon termination or transfer Manual, Disabled 1.1.0
Notify users of system logon or access CMA_0382 - Notify users of system logon or access Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Produce Security Assessment report CMA_C1146 - Produce Security Assessment report Manual, Disabled 1.1.0
Protect against and prevent data theft from departing employees CMA_0398 - Protect against and prevent data theft from departing employees Manual, Disabled 1.1.0
Protect incident response plan CMA_0405 - Protect incident response plan Manual, Disabled 1.1.0
Protect the information security program plan CMA_C1732 - Protect the information security program plan Manual, Disabled 1.1.0
Protect wireless access CMA_0411 - Protect wireless access Manual, Disabled 1.1.0
Provide privacy training CMA_0415 - Provide privacy training Manual, Disabled 1.1.0
Reevaluate access upon personnel transfer CMA_0424 - Reevaluate access upon personnel transfer Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0
Report atypical behavior of user accounts CMA_C1025 - Report atypical behavior of user accounts Manual, Disabled 1.1.0
Retain security policies and procedures CMA_0454 - Retain security policies and procedures Manual, Disabled 1.1.0
Retain terminated user data CMA_0455 - Retain terminated user data Manual, Disabled 1.1.0
Review access control policies and procedures CMA_0457 - Review access control policies and procedures Manual, Disabled 1.1.0
Review account provisioning logs CMA_0460 - Review account provisioning logs Manual, Disabled 1.1.0
Review administrator assignments weekly CMA_0461 - Review administrator assignments weekly Manual, Disabled 1.1.0
Review and update configuration management policies and procedures CMA_C1175 - Review and update configuration management policies and procedures Manual, Disabled 1.1.0
Review and update contingency planning policies and procedures CMA_C1243 - Review and update contingency planning policies and procedures Manual, Disabled 1.1.0
Review and update incident response policies and procedures CMA_C1352 - Review and update incident response policies and procedures Manual, Disabled 1.1.0
Review and update information integrity policies and procedures CMA_C1667 - Review and update information integrity policies and procedures Manual, Disabled 1.1.0
Review and update media protection policies and procedures CMA_C1427 - Review and update media protection policies and procedures Manual, Disabled 1.1.0
Review and update personnel security policies and procedures CMA_C1507 - Review and update personnel security policies and procedures Manual, Disabled 1.1.0
Review and update physical and environmental policies and procedures CMA_C1446 - Review and update physical and environmental policies and procedures Manual, Disabled 1.1.0
Review and update planning policies and procedures CMA_C1491 - Review and update planning policies and procedures Manual, Disabled 1.1.0
Review and update risk assessment policies and procedures CMA_C1537 - Review and update risk assessment policies and procedures Manual, Disabled 1.1.0
Review and update system and communications protection policies and procedures CMA_C1616 - Review and update system and communications protection policies and procedures Manual, Disabled 1.1.0
Review and update system and services acquisition policies and procedures CMA_C1560 - Review and update system and services acquisition policies and procedures Manual, Disabled 1.1.0
Review and update system maintenance policies and procedures CMA_C1395 - Review and update system maintenance policies and procedures Manual, Disabled 1.1.0
Review audit data CMA_0466 - Review audit data Manual, Disabled 1.1.0
Review cloud identity report overview CMA_0468 - Review cloud identity report overview Manual, Disabled 1.1.0
Review controlled folder access events CMA_0471 - Review controlled folder access events Manual, Disabled 1.1.0
Review file and folder activity CMA_0473 - Review file and folder activity Manual, Disabled 1.1.0
Review role group changes weekly CMA_0476 - Review role group changes weekly Manual, Disabled 1.1.0
Review security assessment and authorization policies and procedures CMA_C1143 - Review security assessment and authorization policies and procedures Manual, Disabled 1.1.0
Review user groups and applications with access to sensitive data CMA_0481 - Review user groups and applications with access to sensitive data Manual, Disabled 1.1.0
Turn on sensors for endpoint security solution CMA_0514 - Turn on sensors for endpoint security solution Manual, Disabled 1.1.0
Undergo independent security review CMA_0515 - Undergo independent security review Manual, Disabled 1.1.0
Update information security policies CMA_0518 - Update information security policies Manual, Disabled 1.1.0
Update privacy plan, policies, and procedures CMA_C1807 - Update privacy plan, policies, and procedures Manual, Disabled 1.1.0
Verify security controls for external information systems CMA_0541 - Verify security controls for external information systems Manual, Disabled 1.1.0
View and investigate restricted users CMA_0545 - View and investigate restricted users Manual, Disabled 1.1.0

Organizational framework

ID: ENS v1 org.3 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Assess Security Controls CMA_C1145 - Assess Security Controls Manual, Disabled 1.1.0
Authorize remote access CMA_0024 - Authorize remote access Manual, Disabled 1.1.0
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Control information flow CMA_0079 - Control information flow Manual, Disabled 1.1.0
Define and document government oversight CMA_C1587 - Define and document government oversight Manual, Disabled 1.1.0
Define mobile device requirements CMA_0122 - Define mobile device requirements Manual, Disabled 1.1.0
Deliver security assessment results CMA_C1147 - Deliver security assessment results Manual, Disabled 1.1.0
Develop acceptable use policies and procedures CMA_0143 - Develop acceptable use policies and procedures Manual, Disabled 1.1.0
Develop access control policies and procedures CMA_0144 - Develop access control policies and procedures Manual, Disabled 1.1.0
Develop and establish a system security plan CMA_0151 - Develop and establish a system security plan Manual, Disabled 1.1.0
Develop audit and accountability policies and procedures CMA_0154 - Develop audit and accountability policies and procedures Manual, Disabled 1.1.0
Develop information security policies and procedures CMA_0158 - Develop information security policies and procedures Manual, Disabled 1.1.0
Develop organization code of conduct policy CMA_0159 - Develop organization code of conduct policy Manual, Disabled 1.1.0
Develop security assessment plan CMA_C1144 - Develop security assessment plan Manual, Disabled 1.1.0
Develop security safeguards CMA_0161 - Develop security safeguards Manual, Disabled 1.1.0
Distribute information system documentation CMA_C1584 - Distribute information system documentation Manual, Disabled 1.1.0
Document and implement wireless access guidelines CMA_0190 - Document and implement wireless access guidelines Manual, Disabled 1.1.0
Document customer-defined actions CMA_C1582 - Document customer-defined actions Manual, Disabled 1.1.0
Document mobility training CMA_0191 - Document mobility training Manual, Disabled 1.1.0
Document organizational access agreements CMA_0192 - Document organizational access agreements Manual, Disabled 1.1.0
Document personnel acceptance of privacy requirements CMA_0193 - Document personnel acceptance of privacy requirements Manual, Disabled 1.1.0
Document remote access guidelines CMA_0196 - Document remote access guidelines Manual, Disabled 1.1.0
Document security and privacy training activities CMA_0198 - Document security and privacy training activities Manual, Disabled 1.1.0
Employ flow control mechanisms of encrypted information CMA_0211 - Employ flow control mechanisms of encrypted information Manual, Disabled 1.1.0
Employ independent team for penetration testing CMA_C1171 - Employ independent team for penetration testing Manual, Disabled 1.1.0
Enforce rules of behavior and access agreements CMA_0248 - Enforce rules of behavior and access agreements Manual, Disabled 1.1.0
Ensure access agreements are signed or resigned timely CMA_C1528 - Ensure access agreements are signed or resigned timely Manual, Disabled 1.1.0
Establish a privacy program CMA_0257 - Establish a privacy program Manual, Disabled 1.1.0
Establish firewall and router configuration standards CMA_0272 - Establish firewall and router configuration standards Manual, Disabled 1.1.0
Establish network segmentation for card holder data environment CMA_0273 - Establish network segmentation for card holder data environment Manual, Disabled 1.1.0
Establish security requirements for the manufacturing of connected devices CMA_0279 - Establish security requirements for the manufacturing of connected devices Manual, Disabled 1.1.0
Establish terms and conditions for accessing resources CMA_C1076 - Establish terms and conditions for accessing resources Manual, Disabled 1.1.0
Establish terms and conditions for processing resources CMA_C1077 - Establish terms and conditions for processing resources Manual, Disabled 1.1.0
Explicitly notify use of collaborative computing devices CMA_C1649 - Explicitly notify use of collaborative computing devices Manual, Disabled 1.1.1
Govern policies and procedures CMA_0292 - Govern policies and procedures Manual, Disabled 1.1.0
Identify and manage downstream information exchanges CMA_0298 - Identify and manage downstream information exchanges Manual, Disabled 1.1.0
Identify external service providers CMA_C1591 - Identify external service providers Manual, Disabled 1.1.0
Implement a fault tolerant name/address service CMA_0305 - Implement a fault tolerant name/address service Manual, Disabled 1.1.0
Implement controls to secure alternate work sites CMA_0315 - Implement controls to secure alternate work sites Manual, Disabled 1.1.0
Implement managed interface for each external service CMA_C1626 - Implement managed interface for each external service Manual, Disabled 1.1.0
Implement privacy notice delivery methods CMA_0324 - Implement privacy notice delivery methods Manual, Disabled 1.1.0
Implement security engineering principles of information systems CMA_0325 - Implement security engineering principles of information systems Manual, Disabled 1.1.0
Implement system boundary protection CMA_0328 - Implement system boundary protection Manual, Disabled 1.1.0
Information flow control using security policy filters CMA_C1029 - Information flow control using security policy filters Manual, Disabled 1.1.0
Manage contacts for authorities and special interest groups CMA_0359 - Manage contacts for authorities and special interest groups Manual, Disabled 1.1.0
Obtain Admin documentation CMA_C1580 - Obtain Admin documentation Manual, Disabled 1.1.0
Obtain consent prior to collection or processing of personal data CMA_0385 - Obtain consent prior to collection or processing of personal data Manual, Disabled 1.1.0
Obtain user security function documentation CMA_C1581 - Obtain user security function documentation Manual, Disabled 1.1.0
Produce Security Assessment report CMA_C1146 - Produce Security Assessment report Manual, Disabled 1.1.0
Produce, control and distribute asymmetric cryptographic keys CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys Manual, Disabled 1.1.0
Prohibit remote activation of collaborative computing devices CMA_C1648 - Prohibit remote activation of collaborative computing devices Manual, Disabled 1.1.0
Prohibit unfair practices CMA_0396 - Prohibit unfair practices Manual, Disabled 1.1.0
Protect administrator and user documentation CMA_C1583 - Protect administrator and user documentation Manual, Disabled 1.1.0
Protect wireless access CMA_0411 - Protect wireless access Manual, Disabled 1.1.0
Provide privacy notice CMA_0414 - Provide privacy notice Manual, Disabled 1.1.0
Provide secure name and address resolution services CMA_0416 - Provide secure name and address resolution services Manual, Disabled 1.1.0
Require external service providers to comply with security requirements CMA_C1586 - Require external service providers to comply with security requirements Manual, Disabled 1.1.0
Require interconnection security agreements CMA_C1151 - Require interconnection security agreements Manual, Disabled 1.1.0
Require users to sign access agreement CMA_0440 - Require users to sign access agreement Manual, Disabled 1.1.0
Review access control policies and procedures CMA_0457 - Review access control policies and procedures Manual, Disabled 1.1.0
Review and sign revised rules of behavior CMA_0465 - Review and sign revised rules of behavior Manual, Disabled 1.1.0
Review and update configuration management policies and procedures CMA_C1175 - Review and update configuration management policies and procedures Manual, Disabled 1.1.0
Review and update contingency planning policies and procedures CMA_C1243 - Review and update contingency planning policies and procedures Manual, Disabled 1.1.0
Review and update incident response policies and procedures CMA_C1352 - Review and update incident response policies and procedures Manual, Disabled 1.1.0
Review and update information integrity policies and procedures CMA_C1667 - Review and update information integrity policies and procedures Manual, Disabled 1.1.0
Review and update media protection policies and procedures CMA_C1427 - Review and update media protection policies and procedures Manual, Disabled 1.1.0
Review and update personnel security policies and procedures CMA_C1507 - Review and update personnel security policies and procedures Manual, Disabled 1.1.0
Review and update physical and environmental policies and procedures CMA_C1446 - Review and update physical and environmental policies and procedures Manual, Disabled 1.1.0
Review and update planning policies and procedures CMA_C1491 - Review and update planning policies and procedures Manual, Disabled 1.1.0
Review and update risk assessment policies and procedures CMA_C1537 - Review and update risk assessment policies and procedures Manual, Disabled 1.1.0
Review and update system and communications protection policies and procedures CMA_C1616 - Review and update system and communications protection policies and procedures Manual, Disabled 1.1.0
Review and update system and services acquisition policies and procedures CMA_C1560 - Review and update system and services acquisition policies and procedures Manual, Disabled 1.1.0
Review and update system maintenance policies and procedures CMA_C1395 - Review and update system maintenance policies and procedures Manual, Disabled 1.1.0
Review cloud service provider's compliance with policies and agreements CMA_0469 - Review cloud service provider's compliance with policies and agreements Manual, Disabled 1.1.0
Review security assessment and authorization policies and procedures CMA_C1143 - Review security assessment and authorization policies and procedures Manual, Disabled 1.1.0
Secure the interface to external systems CMA_0491 - Secure the interface to external systems Manual, Disabled 1.1.0
Undergo independent security review CMA_0515 - Undergo independent security review Manual, Disabled 1.1.0
Update information security policies CMA_0518 - Update information security policies Manual, Disabled 1.1.0
Update interconnection security agreements CMA_0519 - Update interconnection security agreements Manual, Disabled 1.1.0
Update organizational access agreements CMA_0520 - Update organizational access agreements Manual, Disabled 1.1.0
Update rules of behavior and access agreements CMA_0521 - Update rules of behavior and access agreements Manual, Disabled 1.1.0
Update rules of behavior and access agreements every 3 years CMA_0522 - Update rules of behavior and access agreements every 3 years Manual, Disabled 1.1.0
Verify security controls for external information systems CMA_0541 - Verify security controls for external information systems Manual, Disabled 1.1.0

Organizational framework

ID: ENS v1 org.4 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Address coding vulnerabilities CMA_0003 - Address coding vulnerabilities Manual, Disabled 1.1.0
All network ports should be restricted on network security groups associated to your virtual machine Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. AuditIfNotExists, Disabled 3.0.0
Appoint a senior information security officer CMA_C1733 - Appoint a senior information security officer Manual, Disabled 1.1.0
Automate approval request for proposed changes CMA_C1192 - Automate approval request for proposed changes Manual, Disabled 1.1.0
Automate implementation of approved change notifications CMA_C1196 - Automate implementation of approved change notifications Manual, Disabled 1.1.0
Automate process to document implemented changes CMA_C1195 - Automate process to document implemented changes Manual, Disabled 1.1.0
Automate process to highlight unreviewed change proposals CMA_C1193 - Automate process to highlight unreviewed change proposals Manual, Disabled 1.1.0
Automate process to prohibit implementation of unapproved changes CMA_C1194 - Automate process to prohibit implementation of unapproved changes Manual, Disabled 1.1.0
Automate proposed documented changes CMA_C1191 - Automate proposed documented changes Manual, Disabled 1.1.0
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Communicate contingency plan changes CMA_C1249 - Communicate contingency plan changes Manual, Disabled 1.1.0
Conduct a security impact analysis CMA_0057 - Conduct a security impact analysis Manual, Disabled 1.1.0
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Control use of portable storage devices CMA_0083 - Control use of portable storage devices Manual, Disabled 1.1.0
Create configuration plan protection CMA_C1233 - Create configuration plan protection Manual, Disabled 1.1.0
Define and document government oversight CMA_C1587 - Define and document government oversight Manual, Disabled 1.1.0
Define information security roles and responsibilities CMA_C1565 - Define information security roles and responsibilities Manual, Disabled 1.1.0
Define mobile device requirements CMA_0122 - Define mobile device requirements Manual, Disabled 1.1.0
Designate individuals to fulfill specific roles and responsibilities CMA_C1747 - Designate individuals to fulfill specific roles and responsibilities Manual, Disabled 1.1.0
Determine supplier contract obligations CMA_0140 - Determine supplier contract obligations Manual, Disabled 1.1.0
Develop acceptable use policies and procedures CMA_0143 - Develop acceptable use policies and procedures Manual, Disabled 1.1.0
Develop access control policies and procedures CMA_0144 - Develop access control policies and procedures Manual, Disabled 1.1.0
Develop and document a business continuity and disaster recovery plan CMA_0146 - Develop and document a business continuity and disaster recovery plan Manual, Disabled 1.1.0
Develop and document application security requirements CMA_0148 - Develop and document application security requirements Manual, Disabled 1.1.0
Develop and establish a system security plan CMA_0151 - Develop and establish a system security plan Manual, Disabled 1.1.0
Develop and maintain a vulnerability management standard CMA_0152 - Develop and maintain a vulnerability management standard Manual, Disabled 1.1.0
Develop and maintain baseline configurations CMA_0153 - Develop and maintain baseline configurations Manual, Disabled 1.1.0
Develop audit and accountability policies and procedures CMA_0154 - Develop audit and accountability policies and procedures Manual, Disabled 1.1.0
Develop configuration item identification plan CMA_C1231 - Develop configuration item identification plan Manual, Disabled 1.1.0
Develop configuration management plan CMA_C1232 - Develop configuration management plan Manual, Disabled 1.1.0
Develop contingency plan CMA_C1244 - Develop contingency plan Manual, Disabled 1.1.0
Develop contingency planning policies and procedures CMA_0156 - Develop contingency planning policies and procedures Manual, Disabled 1.1.0
Develop information security policies and procedures CMA_0158 - Develop information security policies and procedures Manual, Disabled 1.1.0
Distribute policies and procedures CMA_0185 - Distribute policies and procedures Manual, Disabled 1.1.0
Document acquisition contract acceptance criteria CMA_0187 - Document acquisition contract acceptance criteria Manual, Disabled 1.1.0
Document and implement privacy complaint procedures CMA_0189 - Document and implement privacy complaint procedures Manual, Disabled 1.1.0
Document and implement wireless access guidelines CMA_0190 - Document and implement wireless access guidelines Manual, Disabled 1.1.0
Document mobility training CMA_0191 - Document mobility training Manual, Disabled 1.1.0
Document protection of personal data in acquisition contracts CMA_0194 - Document protection of personal data in acquisition contracts Manual, Disabled 1.1.0
Document protection of security information in acquisition contracts CMA_0195 - Document protection of security information in acquisition contracts Manual, Disabled 1.1.0
Document remote access guidelines CMA_0196 - Document remote access guidelines Manual, Disabled 1.1.0
Document requirements for the use of shared data in contracts CMA_0197 - Document requirements for the use of shared data in contracts Manual, Disabled 1.1.0
Document security and privacy training activities CMA_0198 - Document security and privacy training activities Manual, Disabled 1.1.0
Document security assurance requirements in acquisition contracts CMA_0199 - Document security assurance requirements in acquisition contracts Manual, Disabled 1.1.0
Document security documentation requirements in acquisition contract CMA_0200 - Document security documentation requirements in acquisition contract Manual, Disabled 1.1.0
Document security functional requirements in acquisition contracts CMA_0201 - Document security functional requirements in acquisition contracts Manual, Disabled 1.1.0
Document the information system environment in acquisition contracts CMA_0205 - Document the information system environment in acquisition contracts Manual, Disabled 1.1.0
Document the protection of cardholder data in third party contracts CMA_0207 - Document the protection of cardholder data in third party contracts Manual, Disabled 1.1.0
Document third-party personnel security requirements CMA_C1531 - Document third-party personnel security requirements Manual, Disabled 1.1.0
Employ a media sanitization mechanism CMA_0208 - Employ a media sanitization mechanism Manual, Disabled 1.1.0
Employ boundary protection to isolate information systems CMA_C1639 - Employ boundary protection to isolate information systems Manual, Disabled 1.1.0
Enforce logical access CMA_0245 - Enforce logical access Manual, Disabled 1.1.0
Enforce rules of behavior and access agreements CMA_0248 - Enforce rules of behavior and access agreements Manual, Disabled 1.1.0
Enforce security configuration settings CMA_0249 - Enforce security configuration settings Manual, Disabled 1.1.0
Ensure privacy program information is publicly available CMA_C1867 - Ensure privacy program information is publicly available Manual, Disabled 1.1.0
Establish a privacy program CMA_0257 - Establish a privacy program Manual, Disabled 1.1.0
Establish a risk management strategy CMA_0258 - Establish a risk management strategy Manual, Disabled 1.1.0
Establish a secure software development program CMA_0259 - Establish a secure software development program Manual, Disabled 1.1.0
Establish an information security program CMA_0263 - Establish an information security program Manual, Disabled 1.1.0
Establish and document a configuration management plan CMA_0264 - Establish and document a configuration management plan Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Establish configuration management requirements for developers CMA_0270 - Establish configuration management requirements for developers Manual, Disabled 1.1.0
Establish electronic signature and certificate requirements CMA_0271 - Establish electronic signature and certificate requirements Manual, Disabled 1.1.0
Establish security requirements for the manufacturing of connected devices CMA_0279 - Establish security requirements for the manufacturing of connected devices Manual, Disabled 1.1.0
Establish terms and conditions for accessing resources CMA_C1076 - Establish terms and conditions for accessing resources Manual, Disabled 1.1.0
Establish terms and conditions for processing resources CMA_C1077 - Establish terms and conditions for processing resources Manual, Disabled 1.1.0
Establish third-party personnel security requirements CMA_C1529 - Establish third-party personnel security requirements Manual, Disabled 1.1.0
Govern compliance of cloud service providers CMA_0290 - Govern compliance of cloud service providers Manual, Disabled 1.1.0
Govern policies and procedures CMA_0292 - Govern policies and procedures Manual, Disabled 1.1.0
Identify and authenticate network devices CMA_0296 - Identify and authenticate network devices Manual, Disabled 1.1.0
Identify individuals with security roles and responsibilities CMA_C1566 - Identify individuals with security roles and responsibilities Manual, Disabled 1.1.1
Implement a fault tolerant name/address service CMA_0305 - Implement a fault tolerant name/address service Manual, Disabled 1.1.0
Implement an automated configuration management tool CMA_0311 - Implement an automated configuration management tool Manual, Disabled 1.1.0
Implement managed interface for each external service CMA_C1626 - Implement managed interface for each external service Manual, Disabled 1.1.0
Implement security engineering principles of information systems CMA_0325 - Implement security engineering principles of information systems Manual, Disabled 1.1.0
Integrate risk management process into SDLC CMA_C1567 - Integrate risk management process into SDLC Manual, Disabled 1.1.0
Manage security state of information systems CMA_C1746 - Manage security state of information systems Manual, Disabled 1.1.0
Manage the transportation of assets CMA_0370 - Manage the transportation of assets Manual, Disabled 1.1.0
Monitor third-party provider compliance CMA_C1533 - Monitor third-party provider compliance Manual, Disabled 1.1.0
Notify users of system logon or access CMA_0382 - Notify users of system logon or access Manual, Disabled 1.1.0
Perform a privacy impact assessment CMA_0387 - Perform a privacy impact assessment Manual, Disabled 1.1.0
Perform a risk assessment CMA_0388 - Perform a risk assessment Manual, Disabled 1.1.0
Perform audit for configuration change control CMA_0390 - Perform audit for configuration change control Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Plan for resumption of essential business functions CMA_C1253 - Plan for resumption of essential business functions Manual, Disabled 1.1.0
Prevent split tunneling for remote devices CMA_C1632 - Prevent split tunneling for remote devices Manual, Disabled 1.1.0
Protect the information security program plan CMA_C1732 - Protect the information security program plan Manual, Disabled 1.1.0
Protect wireless access CMA_0411 - Protect wireless access Manual, Disabled 1.1.0
Provide secure name and address resolution services CMA_0416 - Provide secure name and address resolution services Manual, Disabled 1.1.0
Reauthenticate or terminate a user session CMA_0421 - Reauthenticate or terminate a user session Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0
Require developers to document approved changes and potential impact CMA_C1597 - Require developers to document approved changes and potential impact Manual, Disabled 1.1.0
Require developers to implement only approved changes CMA_C1596 - Require developers to implement only approved changes Manual, Disabled 1.1.0
Require developers to manage change integrity CMA_C1595 - Require developers to manage change integrity Manual, Disabled 1.1.0
Require external service providers to comply with security requirements CMA_C1586 - Require external service providers to comply with security requirements Manual, Disabled 1.1.0
Require interconnection security agreements CMA_C1151 - Require interconnection security agreements Manual, Disabled 1.1.0
Require notification of third-party personnel transfer or termination CMA_C1532 - Require notification of third-party personnel transfer or termination Manual, Disabled 1.1.0
Require third-party providers to comply with personnel security policies and procedures CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures Manual, Disabled 1.1.0
Restrict media use CMA_0450 - Restrict media use Manual, Disabled 1.1.0
Resume all mission and business functions CMA_C1254 - Resume all mission and business functions Manual, Disabled 1.1.0
Review access control policies and procedures CMA_0457 - Review access control policies and procedures Manual, Disabled 1.1.0
Review and update configuration management policies and procedures CMA_C1175 - Review and update configuration management policies and procedures Manual, Disabled 1.1.0
Review and update incident response policies and procedures CMA_C1352 - Review and update incident response policies and procedures Manual, Disabled 1.1.0
Review and update information integrity policies and procedures CMA_C1667 - Review and update information integrity policies and procedures Manual, Disabled 1.1.0
Review and update media protection policies and procedures CMA_C1427 - Review and update media protection policies and procedures Manual, Disabled 1.1.0
Review and update personnel security policies and procedures CMA_C1507 - Review and update personnel security policies and procedures Manual, Disabled 1.1.0
Review and update physical and environmental policies and procedures CMA_C1446 - Review and update physical and environmental policies and procedures Manual, Disabled 1.1.0
Review and update planning policies and procedures CMA_C1491 - Review and update planning policies and procedures Manual, Disabled 1.1.0
Review and update risk assessment policies and procedures CMA_C1537 - Review and update risk assessment policies and procedures Manual, Disabled 1.1.0
Review and update system and communications protection policies and procedures CMA_C1616 - Review and update system and communications protection policies and procedures Manual, Disabled 1.1.0
Review and update system and services acquisition policies and procedures CMA_C1560 - Review and update system and services acquisition policies and procedures Manual, Disabled 1.1.0
Review and update system maintenance policies and procedures CMA_C1395 - Review and update system maintenance policies and procedures Manual, Disabled 1.1.0
Review cloud service provider's compliance with policies and agreements CMA_0469 - Review cloud service provider's compliance with policies and agreements Manual, Disabled 1.1.0
Review contingency plan CMA_C1247 - Review contingency plan Manual, Disabled 1.1.0
Review security assessment and authorization policies and procedures CMA_C1143 - Review security assessment and authorization policies and procedures Manual, Disabled 1.1.0
Review user groups and applications with access to sensitive data CMA_0481 - Review user groups and applications with access to sensitive data Manual, Disabled 1.1.0
Route traffic through managed network access points CMA_0484 - Route traffic through managed network access points Manual, Disabled 1.1.0
Separate user and information system management functionality CMA_0493 - Separate user and information system management functionality Manual, Disabled 1.1.0
Undergo independent security review CMA_0515 - Undergo independent security review Manual, Disabled 1.1.0
Update contingency plan CMA_C1248 - Update contingency plan Manual, Disabled 1.1.0
Update information security policies CMA_0518 - Update information security policies Manual, Disabled 1.1.0
Update interconnection security agreements CMA_0519 - Update interconnection security agreements Manual, Disabled 1.1.0
Update privacy plan, policies, and procedures CMA_C1807 - Update privacy plan, policies, and procedures Manual, Disabled 1.1.0
Use dedicated machines for administrative tasks CMA_0527 - Use dedicated machines for administrative tasks Manual, Disabled 1.1.0
Verify security controls for external information systems CMA_0541 - Verify security controls for external information systems Manual, Disabled 1.1.0
View and configure system diagnostic data CMA_0544 - View and configure system diagnostic data Manual, Disabled 1.1.0

Next steps

Additional articles about Azure Policy: