Regulatory compliance standards in Microsoft Defender for Cloud
Microsoft Defender for Cloud streamlines the regulatory compliance process by helping you to identify issues that are preventing you from meeting a particular compliance standard, or achieving compliance certification.
Industry standards, regulatory standards, and benchmarks are represented in Defender for Cloud as security standards, and appear in the Regulatory compliance dashboard.
Compliance controls
Each security standard consists of multiple compliance controls, which are logical groups of related security recommendations.
Defender for Cloud continually assesses the environment-in-scope against any compliance controls that can be automatically assessed. Based on assessments, it shows resources as being compliant or non-compliant with controls.
Note
It's important to note that if standards have compliance controls that can't be automatically assessed, Defender for Cloud isn't able to decide whether a resource complies with the control. In this case, the control will show as greyed out.
Viewing compliance standards
The Regulatory compliance dashboard provides an interactive overview of compliance state.
In the dashboard you can:
- Get a summary of standards controls that have been passed.
- Get of summary of standards that have the lowest pass rate for resources.
- Review standards that are applied within the selected scope.
- Review assessments for compliance controls within each applied standard.
- Get a summary report for a specific standard.
- Manage compliance policies to see the standards assigned to a specific scope.
- Run a query to create a custom compliance report
- Create a "compliance over time workbook" to track compliance status over time.
- Download audit reports.
- Review compliance offerings for Microsoft and third-party audits.
Compliance standard details
For each compliance standard you can view:
- Scope for the standard.
- Each standard broken down into groups of controls and subcontrols.
- When you apply a standard to a scope, you can see a summary of compliance assessment for resources within the scope, for each standard control.
- The status of the assessments reflects compliance with the standard. There are three states:
- A green circle indicates that resources in scope are compliant with the control.
- A red circle indicates that resources are not compliant with the control.
- Unavailable controls are those that can't be automatically assessed and thus Defender for Cloud is unable to access whether resources are compliant.
You can drill down into controls to get information about resources that have passed/failed assessments, and for remediation steps.
Default compliance standards
By default, when you enable Defender for Cloud, the following standards are enabled:
- For Azure: Microsoft Cloud Security Benchmark (MCSB).
- For AWS: Microsoft Cloud Security Benchmark (MCSB) and AWS Foundational Security Best Practices standard.
- For GCP: Microsoft Cloud Security Benchmark (MCSB) and GCP Default.
Available compliance standards
The following standards are available in Defender for Cloud:
| Standards for Azure subscriptions | Standards for AWS accounts | Standards for GCP projects |
|---|---|---|
| Australian Government ISM Protected | AWS Foundational Security Best Practices | Brazilian General Personal Data Protection Law (LGPD) |
| Canada Federal PBMM | AWS Well-Architected Framework | California Consumer Privacy Act (CCPA) |
| CIS Azure Foundations | Brazilian General Personal Data Protection Law (LGPD) | CIS Controls |
| CIS Azure Kubernetes Service (AKS Benchmark) | California Consumer Privacy Act (CCPA) | CIS GCP Foundations |
| CMMC | CIS Amazon Elastic Kubernetes Service (EKS) Benchmark | CIS Google Cloud Platform Foundation Benchmark |
| FedRAMP ‘H’ & ‘M’ | CIS AWS Foundations | CIS Google Kubernetes Engine (GKE) Benchmark |
| HIPAA/HITRUST | CRI Profile | CRI Profile |
| ISO/IEC 27001 | CSA Cloud Controls Matrix (CCM) | CSA Cloud Controls Matrix (CCM) |
| New Zealand ISM Restricted | GDPR | Cybersecurity Maturity Model Certification (CMMC) |
| NIST SP 800-171 | ISO/IEC 27001 | FFIEC Cybersecurity Assessment Tool (CAT) |
| NIST SP 800-53 | ISO/IEC 27002 | GDPR |
| PCI DSS | NIST Cybersecurity Framework (CSF) | ISO/IEC 27001 |
| RMIT Malaysia | NIST SP 800-172 | ISO/IEC 27002 |
| SOC 2 | PCI DSS | ISO/IEC 27017 |
| Spanish ENS | NIST Cybersecurity Framework (CSF) | |
| SWIFT CSP CSCF | NIST SP 800-53 | |
| UK OFFICIAL and UK NHS | NIST SP 800-171 | |
| NIST SP 800-172 | ||
| PCI DSS | ||
| Sarbanes Oxley Act (SOX) | ||
| SOC 2 |