Azure Government compliance

Microsoft Azure Government meets demanding US government compliance requirements that mandate formal assessments and authorizations, including:

• Federal Risk and Authorization Management Program (FedRAMP)
• Department of Defense (DoD) Cloud Computing Security Requirements Guide (SRG) Impact Level (IL) 2, 4, and 5

Azure Government maintains the following authorizations that pertain to Azure Government regions US Gov Arizona, US Gov Texas, and US Gov Virginia:

• FedRAMP High Provisional Authorization to Operate (P-ATO) issued by the FedRAMP Joint Authorization Board (JAB)
• DoD IL2 Provisional Authorization (PA) issued by the Defense Information Systems Agency (DISA)
• DoD IL4 PA issued by DISA
• DoD IL5 PA issued by DISA

For links to extra Azure Government compliance assurances, see Azure compliance. For example, Azure Government can help you meet your compliance obligations with many US government requirements, including:

• Criminal Justice Information Services (CJIS)
• Internal Revenue Service (IRS) Publication 1075
• Defense Federal Acquisition Regulation Supplement (DFARS)
• International Traffic in Arms Regulations (ITAR)
• Export Administration Regulations (EAR)
• Federal Information Processing Standard (FIPS) 140
• National Institute of Standards and Technology (NIST) 800-171
• National Defense Authorization Act (NDAA) Section 889 and Section 1634
• North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards
• Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• Electronic Prescriptions for Controlled Substances (EPCS)
• And many more US government, global, and industry standards

For current Azure Government regions and available services, see Products available by region.

Note

• Some Azure services deployed in Azure Government regions (US Gov Arizona, US Gov Texas, and US Gov Virginia) require extra configuration to meet DoD IL5 compute and storage isolation requirements, as explained in Isolation guidelines for Impact Level 5 workloads.
• For DoD IL5 PA compliance scope in Azure Government DoD regions (US DoD Central and US DoD East), see Azure Government DoD regions IL5 audit scope.

Services in audit scope

For a detailed list of Azure, Dynamics 365, Microsoft 365, and Power Platform services in FedRAMP and DoD compliance audit scope, see:

• Azure public services by audit scope
• Azure Government services by audit scope

Audit documentation

For information on how to access Azure and Azure Government audit reports and related documentation, see Azure compliance offerings audit documentation.

Azure Policy regulatory compliance built-in initiatives

For extra customer assistance, Microsoft provides Azure Policy regulatory compliance built-in initiatives, which map to compliance domains and controls in key US government standards, including:

• FedRAMP High
• DoD IL4
• DoD IL5
• And others

For more regulatory compliance built-in initiatives that pertain to Azure Government, see Azure Policy samples.

Regulatory compliance in Azure Policy provides built-in initiative definitions to view a list of the controls and compliance domains based on responsibility – customer, Microsoft, or shared. For Microsoft-responsible controls, we provide extra audit result details based on third-party attestations and our control implementation details to achieve that compliance. Each control is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, compliance in Azure Policy is only a partial view of your overall compliance status. Azure Policy helps to enforce organizational standards and assess compliance at scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to more granular status.

Next steps

• Azure compliance
• Azure and other Microsoft services compliance offerings
• Azure Policy overview
• Azure Policy regulatory compliance built-in initiatives
• Azure Government overview
• Azure Government security
• Compare Azure Government and global Azure
• Azure Government services by audit scope
• Azure Government isolation guidelines for Impact Level 5 workloads
• Azure Government DoD overview