Details of the HIPAA HITRUST 9.2 Regulatory Compliance built-in initiative
The following article details how the Azure Policy Regulatory Compliance built-in initiative definition maps to compliance domains and controls in HIPAA HITRUST 9.2. For more information about this compliance standard, see HIPAA HITRUST 9.2. To understand Ownership, review the policy type and Shared responsibility in the cloud.
The following mappings are to the HIPAA HITRUST 9.2 controls. Many of the controls are implemented with an Azure Policy initiative definition. To review the complete initiative definition, open Policy in the Azure portal and select the Definitions page. Then, find and select the HITRUST/HIPAA Regulatory Compliance built-in initiative definition.
Important
Each control below is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, there often is not a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policy definitions themselves; this doesn't ensure you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between compliance domains, controls, and Azure Policy definitions for this compliance standard may change over time. To view the change history, see the GitHub Commit History.
Privilege Management
The organization facilitates information sharing by enabling authorized users to determine a business partner's access when discretion is allowed as defined by the organization and by employing manual processes or automated mechanisms to assist users in making information sharing/collaboration decisions.
ID: 1149.01c2System.9 - 01.c Ownership: Customer
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Role-Based Access Control (RBAC) should be used on Kubernetes Services | To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. | Audit, Disabled | 1.0.4 |
Contractors are provided with minimal system and physical access only after the organization assesses the contractor's ability to comply with its security requirements and the contractor agrees to comply.
ID: 1154.01c3System.4 - 01.c Ownership: Customer
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
A maximum of 3 owners should be designated for your subscription | It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. | AuditIfNotExists, Disabled | 3.0.0 |
User Authentication for External Connections
Remote access by vendors and business partners (e.g., for remote maintenance) is disabled/deactivated when not in use.
ID: 1117.01j1Organizational.23 - 01.j Ownership: Customer
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Accounts with write permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
If encryption is not used for dial-up connections, the CIO or his/her designated representative provides specific written authorization.
ID: 1173.01j1Organizational.6 - 01.j Ownership: Customer
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Accounts with write permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
The organization protects wireless access to systems containing sensitive information by authenticating both users and devices.
ID: 1174.01j1Organizational.7 - 01.j Ownership: Customer
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Accounts with read permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
The organization requires a callback capability with re-authentication to verify dial-up connections from authorized locations.
ID: 1176.01j2Organizational.5 - 01.j Ownership: Customer
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Accounts with owner permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
User IDs assigned to vendors are reviewed in accordance with the organization's access review policy, at a minimum annually.
ID: 1177.01j2Organizational.6 - 01.j Ownership: Customer
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Accounts with write permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
User Identification and Authentication
Non-organizational users (all information system users other than organizational users, such as patients, customers, contractors, or foreign nationals), or processes acting on behalf of non-organizational users, determined to need access to information residing on the organization's information systems, are uniquely identified and authenticated.
ID: 11110.01q1Organizational.6 - 01.q Ownership: Customer
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Accounts with write permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
The organization requires that electronic signatures, unique to one individual, cannot be reused by, or reassigned to, anyone else.
ID: 11208.01q1Organizational.8 - 01.q Ownership: Customer
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
There should be more than one owner assigned to your subscription | It is recommended to designate more than one subscription owner in order to have administrator access redundancy. | AuditIfNotExists, Disabled | 3.0.0 |
Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records.
ID: 11210.01q2Organizational.10 - 01.q Ownership: Customer
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Audit Windows machines that have the specified members in the Administrators group | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter. | auditIfNotExists | 2.0.0 |
Signed electronic records shall contain information associated with the signing in human-readable format.
ID: 11211.01q2Organizational.11 - 01.q Ownership: Customer
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Audit Windows machines missing any of specified members in the Administrators group | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group does not contain one or more members that are listed in the policy parameter. | auditIfNotExists | 2.0.0 |
01 Information Protection Program
0101.00a1Organizational.123-00.a 0.01 Information Security Management Program
ID: 0101.00a1Organizational.123-00.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Develop a concept of operations (CONOPS) | CMA_0141 - Develop a concept of operations (CONOPS) | Manual, Disabled | 1.1.0 |
Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
Protect the information security program plan | CMA_C1732 - Protect the information security program plan | Manual, Disabled | 1.1.0 |
Review and update the information security architecture | CMA_C1504 - Review and update the information security architecture | Manual, Disabled | 1.1.0 |
Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
0102.00a2Organizational.123-00.a 0.01 Information Security Management Program
ID: 0102.00a2Organizational.123-00.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
Review and update the information security architecture | CMA_C1504 - Review and update the information security architecture | Manual, Disabled | 1.1.0 |
Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
0103.00a3Organizational.1234567-00.a 0.01 Information Security Management Program
ID: 0103.00a3Organizational.1234567-00.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
0104.02a1Organizational.12-02.a 02.01 Prior to Employment
ID: 0104.02a1Organizational.12-02.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define information security roles and responsibilities | CMA_C1565 - Define information security roles and responsibilities | Manual, Disabled | 1.1.0 |
Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
Develop organization code of conduct policy | CMA_0159 - Develop organization code of conduct policy | Manual, Disabled | 1.1.0 |
Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Identify individuals with security roles and responsibilities | CMA_C1566 - Identify individuals with security roles and responsibilities | Manual, Disabled | 1.1.1 |
Prohibit unfair practices | CMA_0396 - Prohibit unfair practices | Manual, Disabled | 1.1.0 |
Provide periodic role-based security training | CMA_C1095 - Provide periodic role-based security training | Manual, Disabled | 1.1.0 |
Provide role-based security training | CMA_C1094 - Provide role-based security training | Manual, Disabled | 1.1.0 |
Provide security training before providing access | CMA_0418 - Provide security training before providing access | Manual, Disabled | 1.1.0 |
Review and sign revised rules of behavior | CMA_0465 - Review and sign revised rules of behavior | Manual, Disabled | 1.1.0 |
Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
Update rules of behavior and access agreements | CMA_0521 - Update rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Update rules of behavior and access agreements every 3 years | CMA_0522 - Update rules of behavior and access agreements every 3 years | Manual, Disabled | 1.1.0 |
0105.02a2Organizational.1-02.a 02.01 Prior to Employment
ID: 0105.02a2Organizational.1-02.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Assign risk designations | CMA_0016 - Assign risk designations | Manual, Disabled | 1.1.0 |
Clear personnel with access to classified information | CMA_0054 - Clear personnel with access to classified information | Manual, Disabled | 1.1.0 |
Implement personnel screening | CMA_0322 - Implement personnel screening | Manual, Disabled | 1.1.0 |
Monitor third-party provider compliance | CMA_C1533 - Monitor third-party provider compliance | Manual, Disabled | 1.1.0 |
Protect special information | CMA_0409 - Protect special information | Manual, Disabled | 1.1.0 |
Rescreen individuals at a defined frequency | CMA_C1512 - Rescreen individuals at a defined frequency | Manual, Disabled | 1.1.0 |
0106.02a2Organizational.23-02.a 02.01 Prior to Employment
ID: 0106.02a2Organizational.23-02.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Clear personnel with access to classified information | CMA_0054 - Clear personnel with access to classified information | Manual, Disabled | 1.1.0 |
Implement personnel screening | CMA_0322 - Implement personnel screening | Manual, Disabled | 1.1.0 |
Protect special information | CMA_0409 - Protect special information | Manual, Disabled | 1.1.0 |
Rescreen individuals at a defined frequency | CMA_C1512 - Rescreen individuals at a defined frequency | Manual, Disabled | 1.1.0 |
0107.02d1Organizational.1-02.d 02.03 During Employment
ID: 0107.02d1Organizational.1-02.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Establish information security workforce development and improvement program | CMA_C1752 - Establish information security workforce development and improvement program | Manual, Disabled | 1.1.0 |
0108.02d1Organizational.23-02.d 02.03 During Employment
ID: 0108.02d1Organizational.23-02.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
Implement security testing, training, and monitoring plans | CMA_C1753 - Implement security testing, training, and monitoring plans | Manual, Disabled | 1.1.0 |
Monitor security and privacy training completion | CMA_0379 - Monitor security and privacy training completion | Manual, Disabled | 1.1.0 |
Provide periodic role-based security training | CMA_C1095 - Provide periodic role-based security training | Manual, Disabled | 1.1.0 |
Provide security training before providing access | CMA_0418 - Provide security training before providing access | Manual, Disabled | 1.1.0 |
Require developers to provide training | CMA_C1611 - Require developers to provide training | Manual, Disabled | 1.1.0 |
Retain training records | CMA_0456 - Retain training records | Manual, Disabled | 1.1.0 |
Review security testing, training, and monitoring plans | CMA_C1754 - Review security testing, training, and monitoring plans | Manual, Disabled | 1.1.0 |
0109.02d1Organizational.4-02.d 02.03 During Employment
ID: 0109.02d1Organizational.4-02.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
Develop organization code of conduct policy | CMA_0159 - Develop organization code of conduct policy | Manual, Disabled | 1.1.0 |
Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Implement formal sanctions process | CMA_0317 - Implement formal sanctions process | Manual, Disabled | 1.1.0 |
Notify personnel upon sanctions | CMA_0380 - Notify personnel upon sanctions | Manual, Disabled | 1.1.0 |
Prohibit unfair practices | CMA_0396 - Prohibit unfair practices | Manual, Disabled | 1.1.0 |
Provide periodic role-based security training | CMA_C1095 - Provide periodic role-based security training | Manual, Disabled | 1.1.0 |
Provide periodic security awareness training | CMA_C1091 - Provide periodic security awareness training | Manual, Disabled | 1.1.0 |
Provide role-based practical exercises | CMA_C1096 - Provide role-based practical exercises | Manual, Disabled | 1.1.0 |
Provide role-based security training | CMA_C1094 - Provide role-based security training | Manual, Disabled | 1.1.0 |
Provide role-based training on suspicious activities | CMA_C1097 - Provide role-based training on suspicious activities | Manual, Disabled | 1.1.0 |
Provide security awareness training for insider threats | CMA_0417 - Provide security awareness training for insider threats | Manual, Disabled | 1.1.0 |
Provide security training before providing access | CMA_0418 - Provide security training before providing access | Manual, Disabled | 1.1.0 |
Provide security training for new users | CMA_0419 - Provide security training for new users | Manual, Disabled | 1.1.0 |
Provide updated security awareness training | CMA_C1090 - Provide updated security awareness training | Manual, Disabled | 1.1.0 |
Review and sign revised rules of behavior | CMA_0465 - Review and sign revised rules of behavior | Manual, Disabled | 1.1.0 |
Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
Update rules of behavior and access agreements | CMA_0521 - Update rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Update rules of behavior and access agreements every 3 years | CMA_0522 - Update rules of behavior and access agreements every 3 years | Manual, Disabled | 1.1.0 |
0110.02d2Organizational.1-02.d 02.03 During Employment
ID: 0110.02d2Organizational.1-02.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Appoint a senior information security officer | CMA_C1733 - Appoint a senior information security officer | Manual, Disabled | 1.1.0 |
Establish information security workforce development and improvement program | CMA_C1752 - Establish information security workforce development and improvement program | Manual, Disabled | 1.1.0 |
0111.02d2Organizational.2-02.d 02.03 During Employment
ID: 0111.02d2Organizational.2-02.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Document third-party personnel security requirements | CMA_C1531 - Document third-party personnel security requirements | Manual, Disabled | 1.1.0 |
Establish third-party personnel security requirements | CMA_C1529 - Establish third-party personnel security requirements | Manual, Disabled | 1.1.0 |
Monitor third-party provider compliance | CMA_C1533 - Monitor third-party provider compliance | Manual, Disabled | 1.1.0 |
Provide periodic security awareness training | CMA_C1091 - Provide periodic security awareness training | Manual, Disabled | 1.1.0 |
Provide security awareness training for insider threats | CMA_0417 - Provide security awareness training for insider threats | Manual, Disabled | 1.1.0 |
Provide security training for new users | CMA_0419 - Provide security training for new users | Manual, Disabled | 1.1.0 |
Provide updated security awareness training | CMA_C1090 - Provide updated security awareness training | Manual, Disabled | 1.1.0 |
Require notification of third-party personnel transfer or termination | CMA_C1532 - Require notification of third-party personnel transfer or termination | Manual, Disabled | 1.1.0 |
Require third-party providers to comply with personnel security policies and procedures | CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures | Manual, Disabled | 1.1.0 |
01110.05a1Organizational.5-05.a 05.01 Internal Organization
ID: 01110.05a1Organizational.5-05.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Appoint a senior information security officer | CMA_C1733 - Appoint a senior information security officer | Manual, Disabled | 1.1.0 |
Document third-party personnel security requirements | CMA_C1531 - Document third-party personnel security requirements | Manual, Disabled | 1.1.0 |
Establish third-party personnel security requirements | CMA_C1529 - Establish third-party personnel security requirements | Manual, Disabled | 1.1.0 |
Require third-party providers to comply with personnel security policies and procedures | CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures | Manual, Disabled | 1.1.0 |
01111.05a2Organizational.5-05.a 05.01 Internal Organization
ID: 01111.05a2Organizational.5-05.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Appoint a senior information security officer | CMA_C1733 - Appoint a senior information security officer | Manual, Disabled | 1.1.0 |
0112.02d2Organizational.3-02.d 02.03 During Employment
ID: 0112.02d2Organizational.3-02.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
Enforce appropriate usage of all accounts | CMA_C1023 - Enforce appropriate usage of all accounts | Manual, Disabled | 1.1.0 |
Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Establish usage restrictions for mobile code technologies | CMA_C1652 - Establish usage restrictions for mobile code technologies | Manual, Disabled | 1.1.0 |
Monitor account activity | CMA_0377 - Monitor account activity | Manual, Disabled | 1.1.0 |
Require compliance with intellectual property rights | CMA_0432 - Require compliance with intellectual property rights | Manual, Disabled | 1.1.0 |
Track software license usage | CMA_C1235 - Track software license usage | Manual, Disabled | 1.1.0 |
0113.04a1Organizational.123-04.a 04.01 Information Security Policy
ID: 0113.04a1Organizational.123-04.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
Protect the information security program plan | CMA_C1732 - Protect the information security program plan | Manual, Disabled | 1.1.0 |
Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
0114.04b1Organizational.1-04.b 04.01 Information Security Policy
ID: 0114.04b1Organizational.1-04.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Develop audit and accountability policies and procedures | CMA_0154 - Develop audit and accountability policies and procedures | Manual, Disabled | 1.1.0 |
Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Manual, Disabled | 1.1.0 |
Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
Govern policies and procedures | CMA_0292 - Govern policies and procedures | Manual, Disabled | 1.1.0 |
Review access control policies and procedures | CMA_0457 - Review access control policies and procedures | Manual, Disabled | 1.1.0 |
Review and update system and services acquisition policies and procedures | CMA_C1560 - Review and update system and services acquisition policies and procedures | Manual, Disabled | 1.1.0 |
Review and update system maintenance policies and procedures | CMA_C1395 - Review and update system maintenance policies and procedures | Manual, Disabled | 1.1.0 |
Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
0115.04b2Organizational.123-04.b 04.01 Information Security Policy
ID: 0115.04b2Organizational.123-04.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Develop audit and accountability policies and procedures | CMA_0154 - Develop audit and accountability policies and procedures | Manual, Disabled | 1.1.0 |
Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Manual, Disabled | 1.1.0 |
Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
Govern policies and procedures | CMA_0292 - Govern policies and procedures | Manual, Disabled | 1.1.0 |
Review access control policies and procedures | CMA_0457 - Review access control policies and procedures | Manual, Disabled | 1.1.0 |
Review and update configuration management policies and procedures | CMA_C1175 - Review and update configuration management policies and procedures | Manual, Disabled | 1.1.0 |
Review and update contingency planning policies and procedures | CMA_C1243 - Review and update contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
Review and update identification and authentication policies and procedures | CMA_C1299 - Review and update identification and authentication policies and procedures | Manual, Disabled | 1.1.0 |
Review and update incident response policies and procedures | CMA_C1352 - Review and update incident response policies and procedures | Manual, Disabled | 1.1.0 |
Review and update information integrity policies and procedures | CMA_C1667 - Review and update information integrity policies and procedures | Manual, Disabled | 1.1.0 |
Review and update media protection policies and procedures | CMA_C1427 - Review and update media protection policies and procedures | Manual, Disabled | 1.1.0 |
Review and update personnel security policies and procedures | CMA_C1507 - Review and update personnel security policies and procedures | Manual, Disabled | 1.1.0 |
Review and update physical and environmental policies and procedures | CMA_C1446 - Review and update physical and environmental policies and procedures | Manual, Disabled | 1.1.0 |
Review and update planning policies and procedures | CMA_C1491 - Review and update planning policies and procedures | Manual, Disabled | 1.1.0 |
Review and update risk assessment policies and procedures | CMA_C1537 - Review and update risk assessment policies and procedures | Manual, Disabled | 1.1.0 |
Review and update system and communications protection policies and procedures | CMA_C1616 - Review and update system and communications protection policies and procedures | Manual, Disabled | 1.1.0 |
Review and update system and services acquisition policies and procedures | CMA_C1560 - Review and update system and services acquisition policies and procedures | Manual, Disabled | 1.1.0 |
Review and update system maintenance policies and procedures | CMA_C1395 - Review and update system maintenance policies and procedures | Manual, Disabled | 1.1.0 |
Review security assessment and authorization policies and procedures | CMA_C1143 - Review security assessment and authorization policies and procedures | Manual, Disabled | 1.1.0 |
Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
0116.04b3Organizational.1-04.b 04.01 Information Security Policy
ID: 0116.04b3Organizational.1-04.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Review and update configuration management policies and procedures | CMA_C1175 - Review and update configuration management policies and procedures | Manual, Disabled | 1.1.0 |
Review and update information integrity policies and procedures | CMA_C1667 - Review and update information integrity policies and procedures | Manual, Disabled | 1.1.0 |
Review and update planning policies and procedures | CMA_C1491 - Review and update planning policies and procedures | Manual, Disabled | 1.1.0 |
Review and update system maintenance policies and procedures | CMA_C1395 - Review and update system maintenance policies and procedures | Manual, Disabled | 1.1.0 |
0117.05a1Organizational.1-05.a 05.01 Internal Organization
ID: 0117.05a1Organizational.1-05.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Appoint a senior information security officer | CMA_C1733 - Appoint a senior information security officer | Manual, Disabled | 1.1.0 |
0118.05a1Organizational.2-05.a 05.01 Internal Organization
ID: 0118.05a1Organizational.2-05.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Appoint a senior information security officer | CMA_C1733 - Appoint a senior information security officer | Manual, Disabled | 1.1.0 |
Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
Establish information security workforce development and improvement program | CMA_C1752 - Establish information security workforce development and improvement program | Manual, Disabled | 1.1.0 |
Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
0119.05a1Organizational.3-05.a 05.01 Internal Organization
ID: 0119.05a1Organizational.3-05.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Manual, Disabled | 1.1.0 |
Develop SSP that meets criteria | CMA_C1492 - Develop SSP that meets criteria | Manual, Disabled | 1.1.0 |
Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
0120.05a1Organizational.4-05.a 05.01 Internal Organization
ID: 0120.05a1Organizational.4-05.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Align business objectives and IT goals | CMA_0008 - Align business objectives and IT goals | Manual, Disabled | 1.1.0 |
Allocate resources in determining information system requirements | CMA_C1561 - Allocate resources in determining information system requirements | Manual, Disabled | 1.1.0 |
Employ business case to record the resources required | CMA_C1735 - Employ business case to record the resources required | Manual, Disabled | 1.1.0 |
Ensure capital planning and investment requests include necessary resources | CMA_C1734 - Ensure capital planning and investment requests include necessary resources | Manual, Disabled | 1.1.0 |
Establish a discrete line item in budgeting documentation | CMA_C1563 - Establish a discrete line item in budgeting documentation | Manual, Disabled | 1.1.0 |
Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
Govern the allocation of resources | CMA_0293 - Govern the allocation of resources | Manual, Disabled | 1.1.0 |
Secure commitment from leadership | CMA_0489 - Secure commitment from leadership | Manual, Disabled | 1.1.0 |
0121.05a2Organizational.12-05.a 05.01 Internal Organization
ID: 0121.05a2Organizational.12-05.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Conduct Risk Assessment | CMA_C1543 - Conduct Risk Assessment | Manual, Disabled | 1.1.0 |
Conduct risk assessment and distribute its results | CMA_C1544 - Conduct risk assessment and distribute its results | Manual, Disabled | 1.1.0 |
Conduct risk assessment and document its results | CMA_C1542 - Conduct risk assessment and document its results | Manual, Disabled | 1.1.0 |
Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
Implement the risk management strategy | CMA_C1744 - Implement the risk management strategy | Manual, Disabled | 1.1.0 |
Review and update risk assessment policies and procedures | CMA_C1537 - Review and update risk assessment policies and procedures | Manual, Disabled | 1.1.0 |
0122.05a2Organizational.3-05.a 05.01 Internal Organization
ID: 0122.05a2Organizational.3-05.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define information security roles and responsibilities | CMA_C1565 - Define information security roles and responsibilities | Manual, Disabled | 1.1.0 |
Identify individuals with security roles and responsibilities | CMA_C1566 - Identify individuals with security roles and responsibilities | Manual, Disabled | 1.1.1 |
Provide periodic role-based security training | CMA_C1095 - Provide periodic role-based security training | Manual, Disabled | 1.1.0 |
Provide role-based security training | CMA_C1094 - Provide role-based security training | Manual, Disabled | 1.1.0 |
Provide security training before providing access | CMA_0418 - Provide security training before providing access | Manual, Disabled | 1.1.0 |
Provide security training for new users | CMA_0419 - Provide security training for new users | Manual, Disabled | 1.1.0 |
0123.05a2Organizational.4-05.a 05.01 Internal Organization
ID: 0123.05a2Organizational.4-05.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
Manage contacts for authorities and special interest groups | CMA_0359 - Manage contacts for authorities and special interest groups | Manual, Disabled | 1.1.0 |
0124.05a3Organizational.1-05.a 05.01 Internal Organization
ID: 0124.05a3Organizational.1-05.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Appoint a senior information security officer | CMA_C1733 - Appoint a senior information security officer | Manual, Disabled | 1.1.0 |
Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
0125.05a3Organizational.2-05.a 05.01 Internal Organization
ID: 0125.05a3Organizational.2-05.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Accept assessment results | CMA_C1150 - Accept assessment results | Manual, Disabled | 1.1.0 |
Assess Security Controls | CMA_C1145 - Assess Security Controls | Manual, Disabled | 1.1.0 |
Conduct Risk Assessment | CMA_C1543 - Conduct Risk Assessment | Manual, Disabled | 1.1.0 |
Conduct risk assessment and distribute its results | CMA_C1544 - Conduct risk assessment and distribute its results | Manual, Disabled | 1.1.0 |
Conduct risk assessment and document its results | CMA_C1542 - Conduct risk assessment and document its results | Manual, Disabled | 1.1.0 |
Develop security assessment plan | CMA_C1144 - Develop security assessment plan | Manual, Disabled | 1.1.0 |
Employ independent assessors to conduct security control assessments | CMA_C1148 - Employ independent assessors to conduct security control assessments | Manual, Disabled | 1.1.0 |
Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
0135.02f1Organizational.56-02.f 02.03 During Employment
ID: 0135.02f1Organizational.56-02.f Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Establish information security workforce development and improvement program | CMA_C1752 - Establish information security workforce development and improvement program | Manual, Disabled | 1.1.0 |
Implement formal sanctions process | CMA_0317 - Implement formal sanctions process | Manual, Disabled | 1.1.0 |
Notify personnel upon sanctions | CMA_0380 - Notify personnel upon sanctions | Manual, Disabled | 1.1.0 |
Require third-party providers to comply with personnel security policies and procedures | CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures | Manual, Disabled | 1.1.0 |
0137.02a1Organizational.3-02.a 02.01 Prior to Employment
ID: 0137.02a1Organizational.3-02.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Review and update personnel security policies and procedures | CMA_C1507 - Review and update personnel security policies and procedures | Manual, Disabled | 1.1.0 |
0162.04b1Organizational.2-04.b 04.01 Information Security Policy
ID: 0162.04b1Organizational.2-04.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
Review and update information integrity policies and procedures | CMA_C1667 - Review and update information integrity policies and procedures | Manual, Disabled | 1.1.0 |
0165.05a3Organizational.3-05.a 05.01 Internal Organization
ID: 0165.05a3Organizational.3-05.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Review and update planning policies and procedures | CMA_C1491 - Review and update planning policies and procedures | Manual, Disabled | 1.1.0 |
0177.05h1Organizational.12-05.h 05.01 Internal Organization
ID: 0177.05h1Organizational.12-05.h Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Accept assessment results | CMA_C1150 - Accept assessment results | Manual, Disabled | 1.1.0 |
Assess Security Controls | CMA_C1145 - Assess Security Controls | Manual, Disabled | 1.1.0 |
Develop security assessment plan | CMA_C1144 - Develop security assessment plan | Manual, Disabled | 1.1.0 |
Employ independent assessors to conduct security control assessments | CMA_C1148 - Employ independent assessors to conduct security control assessments | Manual, Disabled | 1.1.0 |
Select additional testing for security control assessments | CMA_C1149 - Select additional testing for security control assessments | Manual, Disabled | 1.1.0 |
0178.05h1Organizational.3-05.h 05.01 Internal Organization
ID: 0178.05h1Organizational.3-05.h Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Assess Security Controls | CMA_C1145 - Assess Security Controls | Manual, Disabled | 1.1.0 |
Deliver security assessment results | CMA_C1147 - Deliver security assessment results | Manual, Disabled | 1.1.0 |
Produce Security Assessment report | CMA_C1146 - Produce Security Assessment report | Manual, Disabled | 1.1.0 |
0179.05h1Organizational.4-05.h 05.01 Internal Organization
ID: 0179.05h1Organizational.4-05.h Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Develop POA&M | CMA_C1156 - Develop POA&M | Manual, Disabled | 1.1.0 |
Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
Implement plans of action and milestones for security program process | CMA_C1737 - Implement plans of action and milestones for security program process | Manual, Disabled | 1.1.0 |
0180.05h2Organizational.1-05.h 05.01 Internal Organization
ID: 0180.05h2Organizational.1-05.h Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Assess Security Controls | CMA_C1145 - Assess Security Controls | Manual, Disabled | 1.1.0 |
02 Endpoint Protection
0201.09j1Organizational.124-09.j 09.04 Protection Against Malicious and Mobile Code
ID: 0201.09j1Organizational.124-09.j Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
Deploy default Microsoft IaaSAntimalware extension for Windows Server | This policy deploys a Microsoft IaaSAntimalware extension with a default configuration when a VM is not configured with the antimalware extension. | deployIfNotExists | 1.1.0 |
Detect network services that have not been authorized or approved | CMA_C1700 - Detect network services that have not been authorized or approved | Manual, Disabled | 1.1.0 |
Document wireless access security controls | CMA_C1695 - Document wireless access security controls | Manual, Disabled | 1.1.0 |
Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
Microsoft Antimalware for Azure should be configured to automatically update protection signatures | This policy audits any Windows virtual machine not configured with automatic update of Microsoft Antimalware protection signatures. | AuditIfNotExists, Disabled | 1.0.0 |
Observe and report security weaknesses | CMA_0384 - Observe and report security weaknesses | Manual, Disabled | 1.1.0 |
Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
Perform threat modeling | CMA_0392 - Perform threat modeling | Manual, Disabled | 1.1.0 |
Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
0202.09j1Organizational.3-09.j 09.04 Protection Against Malicious and Mobile Code
ID: 0202.09j1Organizational.3-09.j Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Adjust level of audit review, analysis, and reporting | CMA_C1123 - Adjust level of audit review, analysis, and reporting | Manual, Disabled | 1.1.0 |
Correlate audit records | CMA_0087 - Correlate audit records | Manual, Disabled | 1.1.0 |
Establish requirements for audit review and reporting | CMA_0277 - Establish requirements for audit review and reporting | Manual, Disabled | 1.1.0 |
Govern and monitor audit processing activities | CMA_0289 - Govern and monitor audit processing activities | Manual, Disabled | 1.1.0 |
Integrate Audit record analysis | CMA_C1120 - Integrate Audit record analysis | Manual, Disabled | 1.1.0 |
Integrate audit review, analysis, and reporting | CMA_0339 - Integrate audit review, analysis, and reporting | Manual, Disabled | 1.1.0 |
Integrate cloud app security with a siem | CMA_0340 - Integrate cloud app security with a siem | Manual, Disabled | 1.1.0 |
Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
Review administrator assignments weekly | CMA_0461 - Review administrator assignments weekly | Manual, Disabled | 1.1.0 |
Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
Review cloud identity report overview | CMA_0468 - Review cloud identity report overview | Manual, Disabled | 1.1.0 |
Review controlled folder access events | CMA_0471 - Review controlled folder access events | Manual, Disabled | 1.1.0 |
Review file and folder activity | CMA_0473 - Review file and folder activity | Manual, Disabled | 1.1.0 |
Review role group changes weekly | CMA_0476 - Review role group changes weekly | Manual, Disabled | 1.1.0 |
Specify permitted actions associated with customer audit information | CMA_C1122 - Specify permitted actions associated with customer audit information | Manual, Disabled | 1.1.0 |
0204.09j2Organizational.1-09.j 09.04 Protection Against Malicious and Mobile Code
ID: 0204.09j2Organizational.1-09.j Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
Create alternative actions for identified anomalies | CMA_C1711 - Create alternative actions for identified anomalies | Manual, Disabled | 1.1.0 |
Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
Notify personnel of any failed security verification tests | CMA_C1710 - Notify personnel of any failed security verification tests | Manual, Disabled | 1.1.0 |
Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
Perform security function verification at a defined frequency | CMA_C1709 - Perform security function verification at a defined frequency | Manual, Disabled | 1.1.0 |
Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
Verify security functions | CMA_C1708 - Verify security functions | Manual, Disabled | 1.1.0 |
0205.09j2Organizational.2-09.j 09.04 Protection Against Malicious and Mobile Code
ID: 0205.09j2Organizational.2-09.j Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Alert personnel of information spillage | CMA_0007 - Alert personnel of information spillage | Manual, Disabled | 1.1.0 |
Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
Set automated notifications for new and trending cloud applications in your organization | CMA_0495 - Set automated notifications for new and trending cloud applications in your organization | Manual, Disabled | 1.1.0 |
Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
0206.09j2Organizational.34-09.j 09.04 Protection Against Malicious and Mobile Code
ID: 0206.09j2Organizational.34-09.j Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
0207.09j2Organizational.56-09.j 09.04 Protection Against Malicious and Mobile Code
ID: 0207.09j2Organizational.56-09.j Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
0208.09j2Organizational.7-09.j 09.04 Protection Against Malicious and Mobile Code
ID: 0208.09j2Organizational.7-09.j Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0 |
Employ boundary protection to isolate information systems | CMA_C1639 - Employ boundary protection to isolate information systems | Manual, Disabled | 1.1.0 |
Separate user and information system management functionality | CMA_0493 - Separate user and information system management functionality | Manual, Disabled | 1.1.0 |
Use dedicated machines for administrative tasks | CMA_0527 - Use dedicated machines for administrative tasks | Manual, Disabled | 1.1.0 |
0209.09m3Organizational.7-09.m 09.06 Network Security Management
ID: 0209.09m3Organizational.7-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Automate information sharing decisions | CMA_0028 - Automate information sharing decisions | Manual, Disabled | 1.1.0 |
Employ automatic shutdown/restart when violations are detected | CMA_C1715 - Employ automatic shutdown/restart when violations are detected | Manual, Disabled | 1.1.0 |
Facilitate information sharing | CMA_0284 - Facilitate information sharing | Manual, Disabled | 1.1.0 |
Record disclosures of PII to third parties | CMA_0422 - Record disclosures of PII to third parties | Manual, Disabled | 1.1.0 |
Train staff on PII sharing and its consequences | CMA_C1871 - Train staff on PII sharing and its consequences | Manual, Disabled | 1.1.0 |
Verify software, firmware and information integrity | CMA_0542 - Verify software, firmware and information integrity | Manual, Disabled | 1.1.0 |
0214.09j1Organizational.6-09.j 09.04 Protection Against Malicious and Mobile Code
ID: 0214.09j1Organizational.6-09.j Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
Design an access control model | CMA_0129 - Design an access control model | Manual, Disabled | 1.1.0 |
Employ least privilege access | CMA_0212 - Employ least privilege access | Manual, Disabled | 1.1.0 |
Limit privileges to make changes in production environment | CMA_C1206 - Limit privileges to make changes in production environment | Manual, Disabled | 1.1.0 |
Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
Provide periodic security awareness training | CMA_C1091 - Provide periodic security awareness training | Manual, Disabled | 1.1.0 |
Provide security training for new users | CMA_0419 - Provide security training for new users | Manual, Disabled | 1.1.0 |
Provide updated security awareness training | CMA_C1090 - Provide updated security awareness training | Manual, Disabled | 1.1.0 |
Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
0215.09j2Organizational.8-09.j 09.04 Protection Against Malicious and Mobile Code
ID: 0215.09j2Organizational.8-09.j Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
0216.09j2Organizational.9-09.j 09.04 Protection Against Malicious and Mobile Code
ID: 0216.09j2Organizational.9-09.j Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Correlate audit records | CMA_0087 - Correlate audit records | Manual, Disabled | 1.1.0 |
Establish requirements for audit review and reporting | CMA_0277 - Establish requirements for audit review and reporting | Manual, Disabled | 1.1.0 |
Integrate audit review, analysis, and reporting | CMA_0339 - Integrate audit review, analysis, and reporting | Manual, Disabled | 1.1.0 |
Integrate cloud app security with a siem | CMA_0340 - Integrate cloud app security with a siem | Manual, Disabled | 1.1.0 |
Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
Review administrator assignments weekly | CMA_0461 - Review administrator assignments weekly | Manual, Disabled | 1.1.0 |
Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
Review cloud identity report overview | CMA_0468 - Review cloud identity report overview | Manual, Disabled | 1.1.0 |
Review controlled folder access events | CMA_0471 - Review controlled folder access events | Manual, Disabled | 1.1.0 |
Review file and folder activity | CMA_0473 - Review file and folder activity | Manual, Disabled | 1.1.0 |
Review role group changes weekly | CMA_0476 - Review role group changes weekly | Manual, Disabled | 1.1.0 |
0217.09j2Organizational.10-09.j 09.04 Protection Against Malicious and Mobile Code
ID: 0217.09j2Organizational.10-09.j Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
Correlate audit records | CMA_0087 - Correlate audit records | Manual, Disabled | 1.1.0 |
Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
Establish requirements for audit review and reporting | CMA_0277 - Establish requirements for audit review and reporting | Manual, Disabled | 1.1.0 |
Integrate audit review, analysis, and reporting | CMA_0339 - Integrate audit review, analysis, and reporting | Manual, Disabled | 1.1.0 |
Integrate cloud app security with a siem | CMA_0340 - Integrate cloud app security with a siem | Manual, Disabled | 1.1.0 |
Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
Observe and report security weaknesses | CMA_0384 - Observe and report security weaknesses | Manual, Disabled | 1.1.0 |
Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
Perform threat modeling | CMA_0392 - Perform threat modeling | Manual, Disabled | 1.1.0 |
Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
Review administrator assignments weekly | CMA_0461 - Review administrator assignments weekly | Manual, Disabled | 1.1.0 |
Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
Review cloud identity report overview | CMA_0468 - Review cloud identity report overview | Manual, Disabled | 1.1.0 |
Review controlled folder access events | CMA_0471 - Review controlled folder access events | Manual, Disabled | 1.1.0 |
Review exploit protection events | CMA_0472 - Review exploit protection events | Manual, Disabled | 1.1.0 |
Review file and folder activity | CMA_0473 - Review file and folder activity | Manual, Disabled | 1.1.0 |
Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
Review role group changes weekly | CMA_0476 - Review role group changes weekly | Manual, Disabled | 1.1.0 |
Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
0219.09j2Organizational.12-09.j 09.04 Protection Against Malicious and Mobile Code
ID: 0219.09j2Organizational.12-09.j Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
0225.09k1Organizational.1-09.k 09.04 Protection Against Malicious and Mobile Code
ID: 0225.09k1Organizational.1-09.k Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Authorize, monitor, and control usage of mobile code technologies | CMA_C1653 - Authorize, monitor, and control usage of mobile code technologies | Manual, Disabled | 1.1.0 |
Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
Define acceptable and unacceptable mobile code technologies | CMA_C1651 - Define acceptable and unacceptable mobile code technologies | Manual, Disabled | 1.1.0 |
Establish usage restrictions for mobile code technologies | CMA_C1652 - Establish usage restrictions for mobile code technologies | Manual, Disabled | 1.1.0 |
Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
0226.09k1Organizational.2-09.k 09.04 Protection Against Malicious and Mobile Code
ID: 0226.09k1Organizational.2-09.k Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Authorize, monitor, and control usage of mobile code technologies | CMA_C1653 - Authorize, monitor, and control usage of mobile code technologies | Manual, Disabled | 1.1.0 |
Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
Define acceptable and unacceptable mobile code technologies | CMA_C1651 - Define acceptable and unacceptable mobile code technologies | Manual, Disabled | 1.1.0 |
Establish usage restrictions for mobile code technologies | CMA_C1652 - Establish usage restrictions for mobile code technologies | Manual, Disabled | 1.1.0 |
Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
0227.09k2Organizational.12-09.k 09.04 Protection Against Malicious and Mobile Code
ID: 0227.09k2Organizational.12-09.k Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
Authorize, monitor, and control usage of mobile code technologies | CMA_C1653 - Authorize, monitor, and control usage of mobile code technologies | Manual, Disabled | 1.1.0 |
Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
Define acceptable and unacceptable mobile code technologies | CMA_C1651 - Define acceptable and unacceptable mobile code technologies | Manual, Disabled | 1.1.0 |
Define mobile device requirements | CMA_0122 - Define mobile device requirements | Manual, Disabled | 1.1.0 |
Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
Establish usage restrictions for mobile code technologies | CMA_C1652 - Establish usage restrictions for mobile code technologies | Manual, Disabled | 1.1.0 |
Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
0228.09k2Organizational.3-09.k 09.04 Protection Against Malicious and Mobile Code
ID: 0228.09k2Organizational.3-09.k Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Automate process to highlight unreviewed change proposals | CMA_C1193 - Automate process to highlight unreviewed change proposals | Manual, Disabled | 1.1.0 |
Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
Govern compliance of cloud service providers | CMA_0290 - Govern compliance of cloud service providers | Manual, Disabled | 1.1.0 |
Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
View and configure system diagnostic data | CMA_0544 - View and configure system diagnostic data | Manual, Disabled | 1.1.0 |
03 Portable Media Security
0301.09o1Organizational.123-09.o 09.07 Media Handling
ID: 0301.09o1Organizational.123-09.o Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
Control maintenance and repair activities | CMA_0080 - Control maintenance and repair activities | Manual, Disabled | 1.1.0 |
Control use of portable storage devices | CMA_0083 - Control use of portable storage devices | Manual, Disabled | 1.1.0 |
Define mobile device requirements | CMA_0122 - Define mobile device requirements | Manual, Disabled | 1.1.0 |
Document and implement wireless access guidelines | CMA_0190 - Document and implement wireless access guidelines | Manual, Disabled | 1.1.0 |
Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Manage nonlocal maintenance and diagnostic activities | CMA_0364 - Manage nonlocal maintenance and diagnostic activities | Manual, Disabled | 1.1.0 |
Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Manual, Disabled | 1.1.0 |
Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
Protect wireless access | CMA_0411 - Protect wireless access | Manual, Disabled | 1.1.0 |
Restrict media use | CMA_0450 - Restrict media use | Manual, Disabled | 1.1.0 |
Review and update media protection policies and procedures | CMA_C1427 - Review and update media protection policies and procedures | Manual, Disabled | 1.1.0 |
Transparent Data Encryption on SQL databases should be enabled | Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements | AuditIfNotExists, Disabled | 2.0.0 |
0302.09o2Organizational.1-09.o 09.07 Media Handling
ID: 0302.09o2Organizational.1-09.o Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
Control use of portable storage devices | CMA_0083 - Control use of portable storage devices | Manual, Disabled | 1.1.0 |
Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Manual, Disabled | 1.1.0 |
Restrict media use | CMA_0450 - Restrict media use | Manual, Disabled | 1.1.0 |
0303.09o2Organizational.2-09.o 09.07 Media Handling
ID: 0303.09o2Organizational.2-09.o Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
Control use of portable storage devices | CMA_0083 - Control use of portable storage devices | Manual, Disabled | 1.1.0 |
Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Manual, Disabled | 1.1.0 |
Restrict media use | CMA_0450 - Restrict media use | Manual, Disabled | 1.1.0 |
0304.09o3Organizational.1-09.o 09.07 Media Handling
ID: 0304.09o3Organizational.1-09.o Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
Control use of portable storage devices | CMA_0083 - Control use of portable storage devices | Manual, Disabled | 1.1.0 |
Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Require encryption on Data Lake Store accounts | This policy ensures encryption is enabled on all Data Lake Store accounts | deny | 1.0.0 |
Restrict media use | CMA_0450 - Restrict media use | Manual, Disabled | 1.1.0 |
SQL managed instances should use customer-managed keys to encrypt data at rest | Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. | Audit, Deny, Disabled | 2.0.0 |
SQL servers should use customer-managed keys to encrypt data at rest | Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. | Audit, Deny, Disabled | 2.0.1 |
0305.09q1Organizational.12-09.q 09.07 Media Handling
ID: 0305.09q1Organizational.12-09.q Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Control maintenance and repair activities | CMA_0080 - Control maintenance and repair activities | Manual, Disabled | 1.1.0 |
Control use of portable storage devices | CMA_0083 - Control use of portable storage devices | Manual, Disabled | 1.1.0 |
Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Manage nonlocal maintenance and diagnostic activities | CMA_0364 - Manage nonlocal maintenance and diagnostic activities | Manual, Disabled | 1.1.0 |
Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Manual, Disabled | 1.1.0 |
Restrict media use | CMA_0450 - Restrict media use | Manual, Disabled | 1.1.0 |
0306.09q1Organizational.3-09.q 09.07 Media Handling
ID: 0306.09q1Organizational.3-09.q Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Automate information sharing decisions | CMA_0028 - Automate information sharing decisions | Manual, Disabled | 1.1.0 |
Ensure authorized users protect provided authenticators | CMA_C1339 - Ensure authorized users protect provided authenticators | Manual, Disabled | 1.1.0 |
Ensure there are no unencrypted static authenticators | CMA_C1340 - Ensure there are no unencrypted static authenticators | Manual, Disabled | 1.1.0 |
Facilitate information sharing | CMA_0284 - Facilitate information sharing | Manual, Disabled | 1.1.0 |
Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Implement training for protecting authenticators | CMA_0329 - Implement training for protecting authenticators | Manual, Disabled | 1.1.0 |
0307.09q2Organizational.12-09.q 09.07 Media Handling
ID: 0307.09q2Organizational.12-09.q Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
Employ flow control mechanisms of encrypted information | CMA_0211 - Employ flow control mechanisms of encrypted information | Manual, Disabled | 1.1.0 |
0308.09q3Organizational.1-09.q 09.07 Media Handling
ID: 0308.09q3Organizational.1-09.q Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Manual, Disabled | 1.1.0 |
0314.09q3Organizational.2-09.q 09.07 Media Handling
ID: 0314.09q3Organizational.2-09.q Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define a physical key management process | CMA_0115 - Define a physical key management process | Manual, Disabled | 1.1.0 |
Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
Define organizational requirements for cryptographic key management | CMA_0123 - Define organizational requirements for cryptographic key management | Manual, Disabled | 1.1.0 |
Determine assertion requirements | CMA_0136 - Determine assertion requirements | Manual, Disabled | 1.1.0 |
Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Issue public key certificates | CMA_0347 - Issue public key certificates | Manual, Disabled | 1.1.0 |
Manage symmetric cryptographic keys | CMA_0367 - Manage symmetric cryptographic keys | Manual, Disabled | 1.1.0 |
Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Manual, Disabled | 1.1.0 |
Restrict access to private keys | CMA_0445 - Restrict access to private keys | Manual, Disabled | 1.1.0 |
04 Mobile Device Security
0401.01x1System.124579-01.x 01.07 Mobile Computing and Teleworking
ID: 0401.01x1System.124579-01.x Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Authorize, monitor, and control usage of mobile code technologies | CMA_C1653 - Authorize, monitor, and control usage of mobile code technologies | Manual, Disabled | 1.1.0 |
Define acceptable and unacceptable mobile code technologies | CMA_C1651 - Define acceptable and unacceptable mobile code technologies | Manual, Disabled | 1.1.0 |
Define mobile device requirements | CMA_0122 - Define mobile device requirements | Manual, Disabled | 1.1.0 |
Establish usage restrictions for mobile code technologies | CMA_C1652 - Establish usage restrictions for mobile code technologies | Manual, Disabled | 1.1.0 |
Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
Prohibit remote activation of collaborative computing devices | CMA_C1648 - Prohibit remote activation of collaborative computing devices | Manual, Disabled | 1.1.0 |
Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
0403.01x1System.8-01.x 01.07 Mobile Computing and Teleworking
ID: 0403.01x1System.8-01.x Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define mobile device requirements | CMA_0122 - Define mobile device requirements | Manual, Disabled | 1.1.0 |
Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
Ensure security safeguards not needed when the individuals return | CMA_C1183 - Ensure security safeguards not needed when the individuals return | Manual, Disabled | 1.1.0 |
Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Manual, Disabled | 1.1.0 |
Not allow for information systems to accompany with individuals | CMA_C1182 - Not allow for information systems to accompany with individuals | Manual, Disabled | 1.1.0 |
Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
0405.01y1Organizational.12345678-01.y 01.07 Mobile Computing and Teleworking
ID: 0405.01y1Organizational.12345678-01.y Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define mobile device requirements | CMA_0122 - Define mobile device requirements | Manual, Disabled | 1.1.0 |
0407.01y2Organizational.1-01.y 01.07 Mobile Computing and Teleworking
ID: 0407.01y2Organizational.1-01.y Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define mobile device requirements | CMA_0122 - Define mobile device requirements | Manual, Disabled | 1.1.0 |
Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Manual, Disabled | 1.1.0 |
0408.01y3Organizational.12-01.y 01.07 Mobile Computing and Teleworking
ID: 0408.01y3Organizational.12-01.y Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Control maintenance and repair activities | CMA_0080 - Control maintenance and repair activities | Manual, Disabled | 1.1.0 |
Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
Manage nonlocal maintenance and diagnostic activities | CMA_0364 - Manage nonlocal maintenance and diagnostic activities | Manual, Disabled | 1.1.0 |
0409.01y3Organizational.3-01.y 01.07 Mobile Computing and Teleworking
ID: 0409.01y3Organizational.3-01.y Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define mobile device requirements | CMA_0122 - Define mobile device requirements | Manual, Disabled | 1.1.0 |
0410.01x1System.12-01.xMobileComputingandCommunications 01.07 Mobile Computing and Teleworking
ID: 0410.01x1System.12-01.xMobileComputingandCommunications Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define mobile device requirements | CMA_0122 - Define mobile device requirements | Manual, Disabled | 1.1.0 |
Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
0415.01y1Organizational.10-01.y 01.07 Mobile Computing and Teleworking
ID: 0415.01y1Organizational.10-01.y Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Control maintenance and repair activities | CMA_0080 - Control maintenance and repair activities | Manual, Disabled | 1.1.0 |
Define mobile device requirements | CMA_0122 - Define mobile device requirements | Manual, Disabled | 1.1.0 |
Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Manage nonlocal maintenance and diagnostic activities | CMA_0364 - Manage nonlocal maintenance and diagnostic activities | Manual, Disabled | 1.1.0 |
0416.01y3Organizational.4-01.y 01.07 Mobile Computing and Teleworking
ID: 0416.01y3Organizational.4-01.y Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Control maintenance and repair activities | CMA_0080 - Control maintenance and repair activities | Manual, Disabled | 1.1.0 |
Define mobile device requirements | CMA_0122 - Define mobile device requirements | Manual, Disabled | 1.1.0 |
Manage nonlocal maintenance and diagnostic activities | CMA_0364 - Manage nonlocal maintenance and diagnostic activities | Manual, Disabled | 1.1.0 |
Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
0417.01y3Organizational.5-01.y 01.07 Mobile Computing and Teleworking
ID: 0417.01y3Organizational.5-01.y Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define mobile device requirements | CMA_0122 - Define mobile device requirements | Manual, Disabled | 1.1.0 |
0425.01x1System.13-01.x 01.07 Mobile Computing and Teleworking
ID: 0425.01x1System.13-01.x Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define mobile device requirements | CMA_0122 - Define mobile device requirements | Manual, Disabled | 1.1.0 |
0426.01x2System.1-01.x 01.07 Mobile Computing and Teleworking
ID: 0426.01x2System.1-01.x Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define mobile device requirements | CMA_0122 - Define mobile device requirements | Manual, Disabled | 1.1.0 |
Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
Ensure security safeguards not needed when the individuals return | CMA_C1183 - Ensure security safeguards not needed when the individuals return | Manual, Disabled | 1.1.0 |
Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Manual, Disabled | 1.1.0 |
Not allow for information systems to accompany with individuals | CMA_C1182 - Not allow for information systems to accompany with individuals | Manual, Disabled | 1.1.0 |
Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
0427.01x2System.2-01.x 01.07 Mobile Computing and Teleworking
ID: 0427.01x2System.2-01.x Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define mobile device requirements | CMA_0122 - Define mobile device requirements | Manual, Disabled | 1.1.0 |
Ensure security safeguards not needed when the individuals return | CMA_C1183 - Ensure security safeguards not needed when the individuals return | Manual, Disabled | 1.1.0 |
Not allow for information systems to accompany with individuals | CMA_C1182 - Not allow for information systems to accompany with individuals | Manual, Disabled | 1.1.0 |
Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
0428.01x2System.3-01.x 01.07 Mobile Computing and Teleworking
ID: 0428.01x2System.3-01.x Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define mobile device requirements | CMA_0122 - Define mobile device requirements | Manual, Disabled | 1.1.0 |
Ensure security safeguards not needed when the individuals return | CMA_C1183 - Ensure security safeguards not needed when the individuals return | Manual, Disabled | 1.1.0 |
Not allow for information systems to accompany with individuals | CMA_C1182 - Not allow for information systems to accompany with individuals | Manual, Disabled | 1.1.0 |
Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
0429.01x1System.14-01.x 01.07 Mobile Computing and Teleworking
ID: 0429.01x1System.14-01.x Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Control use of portable storage devices | CMA_0083 - Control use of portable storage devices | Manual, Disabled | 1.1.0 |
Define mobile device requirements | CMA_0122 - Define mobile device requirements | Manual, Disabled | 1.1.0 |
Ensure security safeguards not needed when the individuals return | CMA_C1183 - Ensure security safeguards not needed when the individuals return | Manual, Disabled | 1.1.0 |
Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Not allow for information systems to accompany with individuals | CMA_C1182 - Not allow for information systems to accompany with individuals | Manual, Disabled | 1.1.0 |
Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
Restrict media use | CMA_0450 - Restrict media use | Manual, Disabled | 1.1.0 |
Identification of Risks Related to External Parties
Access to the organizations information and systems by external parties is not permitted until due diligence has been conducted, the appropriate controls have been implemented, and a contract/agreement reflecting the security requirements is signed acknowledging they understand and accept their obligations.
ID: 1401.05i1Organizational.1239 - 05.i Ownership: Customer
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Secure transfer to storage accounts should be enabled | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 2.0.0 |
Remote access connections between the organization and external parties are encrypted.
ID: 1402.05i1Organizational.45 - 05.i Ownership: Customer
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Function apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 5.0.0 |
Access granted to external parties is limited to the minimum necessary and granted only for the duration required.
ID: 1403.05i1Organizational.67 - 05.i Ownership: Customer
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
App Service apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 4.0.0 |
The identification of risks related to external party access takes into account a minimal set of specifically defined issues.
ID: 1418.05i1Organizational.8 - 05.i Ownership: Customer
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Enforce SSL connection should be enabled for MySQL database servers | Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
05 Wireless Security
0504.09m2Organizational.5-09.m 09.06 Network Security Management
ID: 0504.09m2Organizational.5-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Document and implement wireless access guidelines | CMA_0190 - Document and implement wireless access guidelines | Manual, Disabled | 1.1.0 |
Document wireless access security controls | CMA_C1695 - Document wireless access security controls | Manual, Disabled | 1.1.0 |
Identify and authenticate network devices | CMA_0296 - Identify and authenticate network devices | Manual, Disabled | 1.1.0 |
Protect wireless access | CMA_0411 - Protect wireless access | Manual, Disabled | 1.1.0 |
0505.09m2Organizational.3-09.m 09.06 Network Security Management
ID: 0505.09m2Organizational.3-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
Define requirements for managing assets | CMA_0125 - Define requirements for managing assets | Manual, Disabled | 1.1.0 |
Document wireless access security controls | CMA_C1695 - Document wireless access security controls | Manual, Disabled | 1.1.0 |
Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Install an alarm system | CMA_0338 - Install an alarm system | Manual, Disabled | 1.1.0 |
Manage a secure surveillance camera system | CMA_0354 - Manage a secure surveillance camera system | Manual, Disabled | 1.1.0 |
Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Manual, Disabled | 1.1.0 |
06 Configuration Management
0601.06g1Organizational.124-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance
ID: 0601.06g1Organizational.124-06.g Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Assess Security Controls | CMA_C1145 - Assess Security Controls | Manual, Disabled | 1.1.0 |
Deliver security assessment results | CMA_C1147 - Deliver security assessment results | Manual, Disabled | 1.1.0 |
Develop POA&M | CMA_C1156 - Develop POA&M | Manual, Disabled | 1.1.0 |
Develop security assessment plan | CMA_C1144 - Develop security assessment plan | Manual, Disabled | 1.1.0 |
Produce Security Assessment report | CMA_C1146 - Produce Security Assessment report | Manual, Disabled | 1.1.0 |
Update POA&M items | CMA_C1157 - Update POA&M items | Manual, Disabled | 1.1.0 |
0602.06g1Organizational.3-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance
ID: 0602.06g1Organizational.3-06.g Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Conduct Risk Assessment | CMA_C1543 - Conduct Risk Assessment | Manual, Disabled | 1.1.0 |
Deliver security assessment results | CMA_C1147 - Deliver security assessment results | Manual, Disabled | 1.1.0 |
Develop configuration management plan | CMA_C1232 - Develop configuration management plan | Manual, Disabled | 1.1.0 |
Develop POA&M | CMA_C1156 - Develop POA&M | Manual, Disabled | 1.1.0 |
Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
Produce Security Assessment report | CMA_C1146 - Produce Security Assessment report | Manual, Disabled | 1.1.0 |
Require developers to document approved changes and potential impact | CMA_C1597 - Require developers to document approved changes and potential impact | Manual, Disabled | 1.1.0 |
Update POA&M items | CMA_C1157 - Update POA&M items | Manual, Disabled | 1.1.0 |
0603.06g2Organizational.1-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance
ID: 0603.06g2Organizational.1-06.g Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
Govern compliance of cloud service providers | CMA_0290 - Govern compliance of cloud service providers | Manual, Disabled | 1.1.0 |
Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
Verify software, firmware and information integrity | CMA_0542 - Verify software, firmware and information integrity | Manual, Disabled | 1.1.0 |
View and configure system diagnostic data | CMA_0544 - View and configure system diagnostic data | Manual, Disabled | 1.1.0 |
0604.06g2Organizational.2-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance
ID: 0604.06g2Organizational.2-06.g Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Analyse data obtained from continuous monitoring | CMA_C1169 - Analyse data obtained from continuous monitoring | Manual, Disabled | 1.1.0 |
Configure detection whitelist | CMA_0068 - Configure detection whitelist | Manual, Disabled | 1.1.0 |
Develop security assessment plan | CMA_C1144 - Develop security assessment plan | Manual, Disabled | 1.1.0 |
Employ independent assessors for continuous monitoring | CMA_C1168 - Employ independent assessors for continuous monitoring | Manual, Disabled | 1.1.0 |
Employ independent assessors to conduct security control assessments | CMA_C1148 - Employ independent assessors to conduct security control assessments | Manual, Disabled | 1.1.0 |
Turn on sensors for endpoint security solution | CMA_0514 - Turn on sensors for endpoint security solution | Manual, Disabled | 1.1.0 |
Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
0605.10h1System.12-10.h 10.04 Security of System Files
ID: 0605.10h1System.12-10.h Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
Limit privileges to make changes in production environment | CMA_C1206 - Limit privileges to make changes in production environment | Manual, Disabled | 1.1.0 |
Review and reevaluate privileges | CMA_C1207 - Review and reevaluate privileges | Manual, Disabled | 1.1.0 |
Vulnerabilities in security configuration on your machines should be remediated | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.1.0 |
Windows machines should meet requirements for 'Security Options - Audit' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Audit' for forcing audit policy subcategory and shutting down if unable to log security audits. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
Windows machines should meet requirements for 'System Audit Policies - Account Management' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Management' for auditing application, security, and user group management, and other management events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
0613.06h1Organizational.12-06.h 06.02 Compliance with Security Policies and Standards, and Technical Compliance
ID: 0613.06h1Organizational.12-06.h Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
0614.06h2Organizational.12-06.h 06.02 Compliance with Security Policies and Standards, and Technical Compliance
ID: 0614.06h2Organizational.12-06.h Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Assess Security Controls | CMA_C1145 - Assess Security Controls | Manual, Disabled | 1.1.0 |
Deliver security assessment results | CMA_C1147 - Deliver security assessment results | Manual, Disabled | 1.1.0 |
Develop security assessment plan | CMA_C1144 - Develop security assessment plan | Manual, Disabled | 1.1.0 |
Produce Security Assessment report | CMA_C1146 - Produce Security Assessment report | Manual, Disabled | 1.1.0 |
Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
Select additional testing for security control assessments | CMA_C1149 - Select additional testing for security control assessments | Manual, Disabled | 1.1.0 |
0615.06h2Organizational.3-06.h 06.02 Compliance with Security Policies and Standards, and Technical Compliance
ID: 0615.06h2Organizational.3-06.h Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
0618.09b1System.1-09.b 09.01 Documented Operating Procedures
ID: 0618.09b1System.1-09.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Automate approval request for proposed changes | CMA_C1192 - Automate approval request for proposed changes | Manual, Disabled | 1.1.0 |
Automate implementation of approved change notifications | CMA_C1196 - Automate implementation of approved change notifications | Manual, Disabled | 1.1.0 |
Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Manual, Disabled | 1.1.0 |
Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
Govern compliance of cloud service providers | CMA_0290 - Govern compliance of cloud service providers | Manual, Disabled | 1.1.0 |
Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
Require developers to document approved changes and potential impact | CMA_C1597 - Require developers to document approved changes and potential impact | Manual, Disabled | 1.1.0 |
Require developers to manage change integrity | CMA_C1595 - Require developers to manage change integrity | Manual, Disabled | 1.1.0 |
Retain previous versions of baseline configs | CMA_C1181 - Retain previous versions of baseline configs | Manual, Disabled | 1.1.0 |
View and configure system diagnostic data | CMA_0544 - View and configure system diagnostic data | Manual, Disabled | 1.1.0 |
0626.10h1System.3-10.h 10.04 Security of System Files
ID: 0626.10h1System.3-10.h Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Employ automatic shutdown/restart when violations are detected | CMA_C1715 - Employ automatic shutdown/restart when violations are detected | Manual, Disabled | 1.1.0 |
Verify software, firmware and information integrity | CMA_0542 - Verify software, firmware and information integrity | Manual, Disabled | 1.1.0 |
View and configure system diagnostic data | CMA_0544 - View and configure system diagnostic data | Manual, Disabled | 1.1.0 |
0627.10h1System.45-10.h 10.04 Security of System Files
ID: 0627.10h1System.45-10.h Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Configure actions for noncompliant devices | CMA_0062 - Configure actions for noncompliant devices | Manual, Disabled | 1.1.0 |
Develop and maintain baseline configurations | CMA_0153 - Develop and maintain baseline configurations | Manual, Disabled | 1.1.0 |
Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
Ensure security safeguards not needed when the individuals return | CMA_C1183 - Ensure security safeguards not needed when the individuals return | Manual, Disabled | 1.1.0 |
Establish a configuration control board | CMA_0254 - Establish a configuration control board | Manual, Disabled | 1.1.0 |
Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Manual, Disabled | 1.1.0 |
Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Manual, Disabled | 1.1.0 |
Not allow for information systems to accompany with individuals | CMA_C1182 - Not allow for information systems to accompany with individuals | Manual, Disabled | 1.1.0 |
Retain previous versions of baseline configs | CMA_C1181 - Retain previous versions of baseline configs | Manual, Disabled | 1.1.0 |
Verify software, firmware and information integrity | CMA_0542 - Verify software, firmware and information integrity | Manual, Disabled | 1.1.0 |
View and configure system diagnostic data | CMA_0544 - View and configure system diagnostic data | Manual, Disabled | 1.1.0 |
0628.10h1System.6-10.h 10.04 Security of System Files
ID: 0628.10h1System.6-10.h Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Employ automatic shutdown/restart when violations are detected | CMA_C1715 - Employ automatic shutdown/restart when violations are detected | Manual, Disabled | 1.1.0 |
Incorporate flaw remediation into configuration management | CMA_C1671 - Incorporate flaw remediation into configuration management | Manual, Disabled | 1.1.0 |
Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
Verify software, firmware and information integrity | CMA_0542 - Verify software, firmware and information integrity | Manual, Disabled | 1.1.0 |
0635.10k1Organizational.12-10.k 10.05 Security In Development and Support Processes
ID: 0635.10k1Organizational.12-10.k Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Incorporate flaw remediation into configuration management | CMA_C1671 - Incorporate flaw remediation into configuration management | Manual, Disabled | 1.1.0 |
Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
Review development process, standards and tools | CMA_C1610 - Review development process, standards and tools | Manual, Disabled | 1.1.0 |
Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
0636.10k2Organizational.1-10.k 10.05 Security In Development and Support Processes
ID: 0636.10k2Organizational.1-10.k Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Create configuration plan protection | CMA_C1233 - Create configuration plan protection | Manual, Disabled | 1.1.0 |
Develop and maintain baseline configurations | CMA_0153 - Develop and maintain baseline configurations | Manual, Disabled | 1.1.0 |
Develop configuration item identification plan | CMA_C1231 - Develop configuration item identification plan | Manual, Disabled | 1.1.0 |
Develop configuration management plan | CMA_C1232 - Develop configuration management plan | Manual, Disabled | 1.1.0 |
Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Manual, Disabled | 1.1.0 |
Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Manual, Disabled | 1.1.0 |
Review and update configuration management policies and procedures | CMA_C1175 - Review and update configuration management policies and procedures | Manual, Disabled | 1.1.0 |
Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
0637.10k2Organizational.2-10.k 10.05 Security In Development and Support Processes
ID: 0637.10k2Organizational.2-10.k Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Create configuration plan protection | CMA_C1233 - Create configuration plan protection | Manual, Disabled | 1.1.0 |
Develop and maintain baseline configurations | CMA_0153 - Develop and maintain baseline configurations | Manual, Disabled | 1.1.0 |
Develop configuration item identification plan | CMA_C1231 - Develop configuration item identification plan | Manual, Disabled | 1.1.0 |
Develop configuration management plan | CMA_C1232 - Develop configuration management plan | Manual, Disabled | 1.1.0 |
Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Manual, Disabled | 1.1.0 |
Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Manual, Disabled | 1.1.0 |
Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
0638.10k2Organizational.34569-10.k 10.05 Security In Development and Support Processes
ID: 0638.10k2Organizational.34569-10.k Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Automate implementation of approved change notifications | CMA_C1196 - Automate implementation of approved change notifications | Manual, Disabled | 1.1.0 |
Automate process to document implemented changes | CMA_C1195 - Automate process to document implemented changes | Manual, Disabled | 1.1.0 |
Automate process to highlight unreviewed change proposals | CMA_C1193 - Automate process to highlight unreviewed change proposals | Manual, Disabled | 1.1.0 |
Automate process to prohibit implementation of unapproved changes | CMA_C1194 - Automate process to prohibit implementation of unapproved changes | Manual, Disabled | 1.1.0 |
Automate proposed documented changes | CMA_C1191 - Automate proposed documented changes | Manual, Disabled | 1.1.0 |
Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Manual, Disabled | 1.1.0 |
Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
0639.10k2Organizational.78-10.k 10.05 Security In Development and Support Processes
ID: 0639.10k2Organizational.78-10.k Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Configure actions for noncompliant devices | CMA_0062 - Configure actions for noncompliant devices | Manual, Disabled | 1.1.0 |
Develop and maintain baseline configurations | CMA_0153 - Develop and maintain baseline configurations | Manual, Disabled | 1.1.0 |
Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
Establish a configuration control board | CMA_0254 - Establish a configuration control board | Manual, Disabled | 1.1.0 |
Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Manual, Disabled | 1.1.0 |
Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Manual, Disabled | 1.1.0 |
Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
0640.10k2Organizational.1012-10.k 10.05 Security In Development and Support Processes
ID: 0640.10k2Organizational.1012-10.k Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Address coding vulnerabilities | CMA_0003 - Address coding vulnerabilities | Manual, Disabled | 1.1.0 |
Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
Develop and document application security requirements | CMA_0148 - Develop and document application security requirements | Manual, Disabled | 1.1.0 |
Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
Establish a secure software development program | CMA_0259 - Establish a secure software development program | Manual, Disabled | 1.1.0 |
Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
Require developers to document approved changes and potential impact | CMA_C1597 - Require developers to document approved changes and potential impact | Manual, Disabled | 1.1.0 |
Require developers to manage change integrity | CMA_C1595 - Require developers to manage change integrity | Manual, Disabled | 1.1.0 |
Require developers to produce evidence of security assessment plan execution | CMA_C1602 - Require developers to produce evidence of security assessment plan execution | Manual, Disabled | 1.1.0 |
Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
0641.10k2Organizational.11-10.k 10.05 Security In Development and Support Processes
ID: 0641.10k2Organizational.11-10.k Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Manual, Disabled | 1.1.0 |
Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
Review development process, standards and tools | CMA_C1610 - Review development process, standards and tools | Manual, Disabled | 1.1.0 |
Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
0642.10k3Organizational.12-10.k 10.05 Security In Development and Support Processes
ID: 0642.10k3Organizational.12-10.k Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Configure actions for noncompliant devices | CMA_0062 - Configure actions for noncompliant devices | Manual, Disabled | 1.1.0 |
Develop and maintain baseline configurations | CMA_0153 - Develop and maintain baseline configurations | Manual, Disabled | 1.1.0 |
Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
Establish a configuration control board | CMA_0254 - Establish a configuration control board | Manual, Disabled | 1.1.0 |
Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Manual, Disabled | 1.1.0 |
Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Manual, Disabled | 1.1.0 |
Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
0643.10k3Organizational.3-10.k 10.05 Security In Development and Support Processes
ID: 0643.10k3Organizational.3-10.k Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
Configure actions for noncompliant devices | CMA_0062 - Configure actions for noncompliant devices | Manual, Disabled | 1.1.0 |
Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Manual, Disabled | 1.1.0 |
Develop and maintain baseline configurations | CMA_0153 - Develop and maintain baseline configurations | Manual, Disabled | 1.1.0 |
Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
Establish a configuration control board | CMA_0254 - Establish a configuration control board | Manual, Disabled | 1.1.0 |
Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Manual, Disabled | 1.1.0 |
Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Manual, Disabled | 1.1.0 |
Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
Retain previous versions of baseline configs | CMA_C1181 - Retain previous versions of baseline configs | Manual, Disabled | 1.1.0 |
Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
0644.10k3Organizational.4-10.k 10.05 Security In Development and Support Processes
ID: 0644.10k3Organizational.4-10.k Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Assign account managers | CMA_0015 - Assign account managers | Manual, Disabled | 1.1.0 |
Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
Define and enforce conditions for shared and group accounts | CMA_0117 - Define and enforce conditions for shared and group accounts | Manual, Disabled | 1.1.0 |
Define information system account types | CMA_0121 - Define information system account types | Manual, Disabled | 1.1.0 |
Develop configuration item identification plan | CMA_C1231 - Develop configuration item identification plan | Manual, Disabled | 1.1.0 |
Develop configuration management plan | CMA_C1232 - Develop configuration management plan | Manual, Disabled | 1.1.0 |
Document access privileges | CMA_0186 - Document access privileges | Manual, Disabled | 1.1.0 |
Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
Establish conditions for role membership | CMA_0269 - Establish conditions for role membership | Manual, Disabled | 1.1.0 |
Govern compliance of cloud service providers | CMA_0290 - Govern compliance of cloud service providers | Manual, Disabled | 1.1.0 |
Monitor account activity | CMA_0377 - Monitor account activity | Manual, Disabled | 1.1.0 |
Notify Account Managers of customer controlled accounts | CMA_C1009 - Notify Account Managers of customer controlled accounts | Manual, Disabled | 1.1.0 |
Reissue authenticators for changed groups and accounts | CMA_0426 - Reissue authenticators for changed groups and accounts | Manual, Disabled | 1.1.0 |
Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
Review user accounts | CMA_0480 - Review user accounts | Manual, Disabled | 1.1.0 |
View and configure system diagnostic data | CMA_0544 - View and configure system diagnostic data | Manual, Disabled | 1.1.0 |
Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
0662.09sCSPOrganizational.2-09.s 09.08 Exchange of Information
ID: 0662.09sCSPOrganizational.2-09.s Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
App Service apps should have Client Certificates (Incoming client certificates) enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy applies to apps with Http version set to 1.1. | AuditIfNotExists, Disabled | 1.0.0 |
Employ independent assessors to conduct security control assessments | CMA_C1148 - Employ independent assessors to conduct security control assessments | Manual, Disabled | 1.1.0 |
Select additional testing for security control assessments | CMA_C1149 - Select additional testing for security control assessments | Manual, Disabled | 1.1.0 |
0663.10h1System.7-10.h 10.04 Security of System Files
ID: 0663.10h1System.7-10.h Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
Detect network services that have not been authorized or approved | CMA_C1700 - Detect network services that have not been authorized or approved | Manual, Disabled | 1.1.0 |
Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
Document wireless access security controls | CMA_C1695 - Document wireless access security controls | Manual, Disabled | 1.1.0 |
Employ automatic shutdown/restart when violations are detected | CMA_C1715 - Employ automatic shutdown/restart when violations are detected | Manual, Disabled | 1.1.0 |
Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
Verify software, firmware and information integrity | CMA_0542 - Verify software, firmware and information integrity | Manual, Disabled | 1.1.0 |
View and configure system diagnostic data | CMA_0544 - View and configure system diagnostic data | Manual, Disabled | 1.1.0 |
0669.10hCSPSystem.1-10.h 10.04 Security of System Files
ID: 0669.10hCSPSystem.1-10.h Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Address coding vulnerabilities | CMA_0003 - Address coding vulnerabilities | Manual, Disabled | 1.1.0 |
Configure actions for noncompliant devices | CMA_0062 - Configure actions for noncompliant devices | Manual, Disabled | 1.1.0 |
Develop and document application security requirements | CMA_0148 - Develop and document application security requirements | Manual, Disabled | 1.1.0 |
Develop and maintain baseline configurations | CMA_0153 - Develop and maintain baseline configurations | Manual, Disabled | 1.1.0 |
Develop configuration item identification plan | CMA_C1231 - Develop configuration item identification plan | Manual, Disabled | 1.1.0 |
Develop configuration management plan | CMA_C1232 - Develop configuration management plan | Manual, Disabled | 1.1.0 |
Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
Establish a configuration control board | CMA_0254 - Establish a configuration control board | Manual, Disabled | 1.1.0 |
Establish a secure software development program | CMA_0259 - Establish a secure software development program | Manual, Disabled | 1.1.0 |
Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Manual, Disabled | 1.1.0 |
Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Manual, Disabled | 1.1.0 |
Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
Require developers to manage change integrity | CMA_C1595 - Require developers to manage change integrity | Manual, Disabled | 1.1.0 |
0670.10hCSPSystem.2-10.h 10.04 Security of System Files
ID: 0670.10hCSPSystem.2-10.h Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Adhere to retention periods defined | CMA_0004 - Adhere to retention periods defined | Manual, Disabled | 1.1.0 |
Perform disposition review | CMA_0391 - Perform disposition review | Manual, Disabled | 1.1.0 |
Verify personal data is deleted at the end of processing | CMA_0540 - Verify personal data is deleted at the end of processing | Manual, Disabled | 1.1.0 |
0671.10k1System.1-10.k 10.05 Security In Development and Support Processes
ID: 0671.10k1System.1-10.k Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Address coding vulnerabilities | CMA_0003 - Address coding vulnerabilities | Manual, Disabled | 1.1.0 |
Automate implementation of approved change notifications | CMA_C1196 - Automate implementation of approved change notifications | Manual, Disabled | 1.1.0 |
Automate process to highlight unreviewed change proposals | CMA_C1193 - Automate process to highlight unreviewed change proposals | Manual, Disabled | 1.1.0 |
Automate process to prohibit implementation of unapproved changes | CMA_C1194 - Automate process to prohibit implementation of unapproved changes | Manual, Disabled | 1.1.0 |
Automate proposed documented changes | CMA_C1191 - Automate proposed documented changes | Manual, Disabled | 1.1.0 |
Develop and document application security requirements | CMA_0148 - Develop and document application security requirements | Manual, Disabled | 1.1.0 |
Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
Establish a secure software development program | CMA_0259 - Establish a secure software development program | Manual, Disabled | 1.1.0 |
Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
Require developers to document approved changes and potential impact | CMA_C1597 - Require developers to document approved changes and potential impact | Manual, Disabled | 1.1.0 |
Require developers to implement only approved changes | CMA_C1596 - Require developers to implement only approved changes | Manual, Disabled | 1.1.0 |
Require developers to manage change integrity | CMA_C1595 - Require developers to manage change integrity | Manual, Disabled | 1.1.0 |
0672.10k3System.5-10.k 10.05 Security In Development and Support Processes
ID: 0672.10k3System.5-10.k Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Manual, Disabled | 1.1.0 |
Employ automatic shutdown/restart when violations are detected | CMA_C1715 - Employ automatic shutdown/restart when violations are detected | Manual, Disabled | 1.1.0 |
Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
Prohibit binary/machine-executable code | CMA_C1717 - Prohibit binary/machine-executable code | Manual, Disabled | 1.1.0 |
Verify software, firmware and information integrity | CMA_0542 - Verify software, firmware and information integrity | Manual, Disabled | 1.1.0 |
View and configure system diagnostic data | CMA_0544 - View and configure system diagnostic data | Manual, Disabled | 1.1.0 |
068.06g2Organizational.34-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance
ID: 068.06g2Organizational.34-06.g Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Assess Security Controls | CMA_C1145 - Assess Security Controls | Manual, Disabled | 1.1.0 |
Deliver security assessment results | CMA_C1147 - Deliver security assessment results | Manual, Disabled | 1.1.0 |
Develop security assessment plan | CMA_C1144 - Develop security assessment plan | Manual, Disabled | 1.1.0 |
Employ independent assessors for continuous monitoring | CMA_C1168 - Employ independent assessors for continuous monitoring | Manual, Disabled | 1.1.0 |
Employ independent assessors to conduct security control assessments | CMA_C1148 - Employ independent assessors to conduct security control assessments | Manual, Disabled | 1.1.0 |
Produce Security Assessment report | CMA_C1146 - Produce Security Assessment report | Manual, Disabled | 1.1.0 |
069.06g2Organizational.56-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance
ID: 069.06g2Organizational.56-06.g Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Conduct Risk Assessment | CMA_C1543 - Conduct Risk Assessment | Manual, Disabled | 1.1.0 |
Conduct risk assessment and distribute its results | CMA_C1544 - Conduct risk assessment and distribute its results | Manual, Disabled | 1.1.0 |
Conduct risk assessment and document its results | CMA_C1542 - Conduct risk assessment and document its results | Manual, Disabled | 1.1.0 |
Configure detection whitelist | CMA_0068 - Configure detection whitelist | Manual, Disabled | 1.1.0 |
Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
Turn on sensors for endpoint security solution | CMA_0514 - Turn on sensors for endpoint security solution | Manual, Disabled | 1.1.0 |
Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
07 Vulnerability Management
0701.07a1Organizational.12-07.a 07.01 Responsibility for Assets
ID: 0701.07a1Organizational.12-07.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Conduct exit interview upon termination | CMA_0058 - Conduct exit interview upon termination | Manual, Disabled | 1.1.0 |
Create a data inventory | CMA_0096 - Create a data inventory | Manual, Disabled | 1.1.0 |
Disable authenticators upon termination | CMA_0169 - Disable authenticators upon termination | Manual, Disabled | 1.1.0 |
Establish and maintain an asset inventory | CMA_0266 - Establish and maintain an asset inventory | Manual, Disabled | 1.1.0 |
Notify upon termination or transfer | CMA_0381 - Notify upon termination or transfer | Manual, Disabled | 1.1.0 |
Protect against and prevent data theft from departing employees | CMA_0398 - Protect against and prevent data theft from departing employees | Manual, Disabled | 1.1.0 |
Retain terminated user data | CMA_0455 - Retain terminated user data | Manual, Disabled | 1.1.0 |
0702.07a1Organizational.3-07.a 07.01 Responsibility for Assets
ID: 0702.07a1Organizational.3-07.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define information security roles and responsibilities | CMA_C1565 - Define information security roles and responsibilities | Manual, Disabled | 1.1.0 |
Establish terms and conditions for processing resources | CMA_C1077 - Establish terms and conditions for processing resources | Manual, Disabled | 1.1.0 |
0703.07a2Organizational.1-07.a 07.01 Responsibility for Assets
ID: 0703.07a2Organizational.1-07.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Create a data inventory | CMA_0096 - Create a data inventory | Manual, Disabled | 1.1.0 |
Establish and maintain an asset inventory | CMA_0266 - Establish and maintain an asset inventory | Manual, Disabled | 1.1.0 |
Maintain records of processing of personal data | CMA_0353 - Maintain records of processing of personal data | Manual, Disabled | 1.1.0 |
0704.07a3Organizational.12-07.a 07.01 Responsibility for Assets
ID: 0704.07a3Organizational.12-07.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Create a data inventory | CMA_0096 - Create a data inventory | Manual, Disabled | 1.1.0 |
Establish and maintain an asset inventory | CMA_0266 - Establish and maintain an asset inventory | Manual, Disabled | 1.1.0 |
Maintain records of processing of personal data | CMA_0353 - Maintain records of processing of personal data | Manual, Disabled | 1.1.0 |
0705.07a3Organizational.3-07.a 07.01 Responsibility for Assets
ID: 0705.07a3Organizational.3-07.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define information security roles and responsibilities | CMA_C1565 - Define information security roles and responsibilities | Manual, Disabled | 1.1.0 |
Identify individuals with security roles and responsibilities | CMA_C1566 - Identify individuals with security roles and responsibilities | Manual, Disabled | 1.1.1 |
Integrate risk management process into SDLC | CMA_C1567 - Integrate risk management process into SDLC | Manual, Disabled | 1.1.0 |
0706.10b1System.12-10.b 10.02 Correct Processing in Applications
ID: 0706.10b1System.12-10.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define information security roles and responsibilities | CMA_C1565 - Define information security roles and responsibilities | Manual, Disabled | 1.1.0 |
Identify individuals with security roles and responsibilities | CMA_C1566 - Identify individuals with security roles and responsibilities | Manual, Disabled | 1.1.1 |
Integrate risk management process into SDLC | CMA_C1567 - Integrate risk management process into SDLC | Manual, Disabled | 1.1.0 |
Perform information input validation | CMA_C1723 - Perform information input validation | Manual, Disabled | 1.1.0 |
0708.10b2System.2-10.b 10.02 Correct Processing in Applications
ID: 0708.10b2System.2-10.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Review and update information integrity policies and procedures | CMA_C1667 - Review and update information integrity policies and procedures | Manual, Disabled | 1.1.0 |
Verify software, firmware and information integrity | CMA_0542 - Verify software, firmware and information integrity | Manual, Disabled | 1.1.0 |
View and configure system diagnostic data | CMA_0544 - View and configure system diagnostic data | Manual, Disabled | 1.1.0 |
0709.10m1Organizational.1-10.m 10.06 Technical Vulnerability Management
ID: 0709.10m1Organizational.1-10.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
A vulnerability assessment solution should be enabled on your virtual machines | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | AuditIfNotExists, Disabled | 3.0.0 |
Assess Security Controls | CMA_C1145 - Assess Security Controls | Manual, Disabled | 1.1.0 |
Deliver security assessment results | CMA_C1147 - Deliver security assessment results | Manual, Disabled | 1.1.0 |
Develop security assessment plan | CMA_C1144 - Develop security assessment plan | Manual, Disabled | 1.1.0 |
Produce Security Assessment report | CMA_C1146 - Produce Security Assessment report | Manual, Disabled | 1.1.0 |
Select additional testing for security control assessments | CMA_C1149 - Select additional testing for security control assessments | Manual, Disabled | 1.1.0 |
SQL databases should have vulnerability findings resolved | Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. | AuditIfNotExists, Disabled | 4.1.0 |
Vulnerabilities in security configuration on your machines should be remediated | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.1.0 |
Vulnerability assessment should be enabled on SQL Managed Instance | Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 1.0.1 |
Vulnerability assessment should be enabled on your SQL servers | Audit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 3.0.0 |
Windows machines should meet requirements for 'Security Options - Microsoft Network Server' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Server' for disabling SMB v1 server. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
0710.10m2Organizational.1-10.m 10.06 Technical Vulnerability Management
ID: 0710.10m2Organizational.1-10.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Configure actions for noncompliant devices | CMA_0062 - Configure actions for noncompliant devices | Manual, Disabled | 1.1.0 |
Develop and maintain baseline configurations | CMA_0153 - Develop and maintain baseline configurations | Manual, Disabled | 1.1.0 |
Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
Establish a configuration control board | CMA_0254 - Establish a configuration control board | Manual, Disabled | 1.1.0 |
Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Manual, Disabled | 1.1.0 |
Govern compliance of cloud service providers | CMA_0290 - Govern compliance of cloud service providers | Manual, Disabled | 1.1.0 |
Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Manual, Disabled | 1.1.0 |
View and configure system diagnostic data | CMA_0544 - View and configure system diagnostic data | Manual, Disabled | 1.1.0 |
Vulnerability assessment should be enabled on SQL Managed Instance | Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 1.0.1 |
0711.10m2Organizational.23-10.m 10.06 Technical Vulnerability Management
ID: 0711.10m2Organizational.23-10.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
A vulnerability assessment solution should be enabled on your virtual machines | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | AuditIfNotExists, Disabled | 3.0.0 |
Observe and report security weaknesses | CMA_0384 - Observe and report security weaknesses | Manual, Disabled | 1.1.0 |
Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
Perform threat modeling | CMA_0392 - Perform threat modeling | Manual, Disabled | 1.1.0 |
0712.10m2Organizational.4-10.m 10.06 Technical Vulnerability Management
ID: 0712.10m2Organizational.4-10.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Employ independent team for penetration testing | CMA_C1171 - Employ independent team for penetration testing | Manual, Disabled | 1.1.0 |
Select additional testing for security control assessments | CMA_C1149 - Select additional testing for security control assessments | Manual, Disabled | 1.1.0 |
0713.10m2Organizational.5-10.m 10.06 Technical Vulnerability Management
ID: 0713.10m2Organizational.5-10.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Automate flaw remediation | CMA_0027 - Automate flaw remediation | Manual, Disabled | 1.1.0 |
Establish benchmarks for flaw remediation | CMA_C1675 - Establish benchmarks for flaw remediation | Manual, Disabled | 1.1.0 |
Incorporate flaw remediation into configuration management | CMA_C1671 - Incorporate flaw remediation into configuration management | Manual, Disabled | 1.1.0 |
Measure the time between flaw identification and flaw remediation | CMA_C1674 - Measure the time between flaw identification and flaw remediation | Manual, Disabled | 1.1.0 |
Vulnerabilities in security configuration on your machines should be remediated | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.1.0 |
0714.10m2Organizational.7-10.m 10.06 Technical Vulnerability Management
ID: 0714.10m2Organizational.7-10.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
Correlate audit records | CMA_0087 - Correlate audit records | Manual, Disabled | 1.1.0 |
Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
Establish requirements for audit review and reporting | CMA_0277 - Establish requirements for audit review and reporting | Manual, Disabled | 1.1.0 |
Implement privileged access for executing vulnerability scanning activities | CMA_C1555 - Implement privileged access for executing vulnerability scanning activities | Manual, Disabled | 1.1.0 |
Integrate audit review, analysis, and reporting | CMA_0339 - Integrate audit review, analysis, and reporting | Manual, Disabled | 1.1.0 |
Integrate cloud app security with a siem | CMA_0340 - Integrate cloud app security with a siem | Manual, Disabled | 1.1.0 |
Observe and report security weaknesses | CMA_0384 - Observe and report security weaknesses | Manual, Disabled | 1.1.0 |
Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
Perform threat modeling | CMA_0392 - Perform threat modeling | Manual, Disabled | 1.1.0 |
Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
Review administrator assignments weekly | CMA_0461 - Review administrator assignments weekly | Manual, Disabled | 1.1.0 |
Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
Review cloud identity report overview | CMA_0468 - Review cloud identity report overview | Manual, Disabled | 1.1.0 |
Review controlled folder access events | CMA_0471 - Review controlled folder access events | Manual, Disabled | 1.1.0 |
Review exploit protection events | CMA_0472 - Review exploit protection events | Manual, Disabled | 1.1.0 |
Review file and folder activity | CMA_0473 - Review file and folder activity | Manual, Disabled | 1.1.0 |
Review role group changes weekly | CMA_0476 - Review role group changes weekly | Manual, Disabled | 1.1.0 |
0716.10m3Organizational.1-10.m 10.06 Technical Vulnerability Management
ID: 0716.10m3Organizational.1-10.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Assess Security Controls | CMA_C1145 - Assess Security Controls | Manual, Disabled | 1.1.0 |
Deliver security assessment results | CMA_C1147 - Deliver security assessment results | Manual, Disabled | 1.1.0 |
Develop security assessment plan | CMA_C1144 - Develop security assessment plan | Manual, Disabled | 1.1.0 |
Produce Security Assessment report | CMA_C1146 - Produce Security Assessment report | Manual, Disabled | 1.1.0 |
SQL databases should have vulnerability findings resolved | Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. | AuditIfNotExists, Disabled | 4.1.0 |
0717.10m3Organizational.2-10.m 10.06 Technical Vulnerability Management
ID: 0717.10m3Organizational.2-10.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Observe and report security weaknesses | CMA_0384 - Observe and report security weaknesses | Manual, Disabled | 1.1.0 |
Perform threat modeling | CMA_0392 - Perform threat modeling | Manual, Disabled | 1.1.0 |
0718.10m3Organizational.34-10.m 10.06 Technical Vulnerability Management
ID: 0718.10m3Organizational.34-10.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Automate flaw remediation | CMA_0027 - Automate flaw remediation | Manual, Disabled | 1.1.0 |
Observe and report security weaknesses | CMA_0384 - Observe and report security weaknesses | Manual, Disabled | 1.1.0 |
Perform threat modeling | CMA_0392 - Perform threat modeling | Manual, Disabled | 1.1.0 |
Vulnerabilities in security configuration on your machines should be remediated | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.1.0 |
0719.10m3Organizational.5-10.m 10.06 Technical Vulnerability Management
ID: 0719.10m3Organizational.5-10.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Observe and report security weaknesses | CMA_0384 - Observe and report security weaknesses | Manual, Disabled | 1.1.0 |
Perform threat modeling | CMA_0392 - Perform threat modeling | Manual, Disabled | 1.1.0 |
Vulnerability assessment should be enabled on SQL Managed Instance | Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 1.0.1 |
0720.07a1Organizational.4-07.a 07.01 Responsibility for Assets
ID: 0720.07a1Organizational.4-07.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Create a data inventory | CMA_0096 - Create a data inventory | Manual, Disabled | 1.1.0 |
Maintain records of processing of personal data | CMA_0353 - Maintain records of processing of personal data | Manual, Disabled | 1.1.0 |
0722.07a1Organizational.67-07.a 07.01 Responsibility for Assets
ID: 0722.07a1Organizational.67-07.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Require compliance with intellectual property rights | CMA_0432 - Require compliance with intellectual property rights | Manual, Disabled | 1.1.0 |
Restrict use of open source software | CMA_C1237 - Restrict use of open source software | Manual, Disabled | 1.1.0 |
Track software license usage | CMA_C1235 - Track software license usage | Manual, Disabled | 1.1.0 |
0723.07a1Organizational.8-07.a 07.01 Responsibility for Assets
ID: 0723.07a1Organizational.8-07.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Review and update media protection policies and procedures | CMA_C1427 - Review and update media protection policies and procedures | Manual, Disabled | 1.1.0 |
0724.07a3Organizational.4-07.a 07.01 Responsibility for Assets
ID: 0724.07a3Organizational.4-07.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Enable detection of network devices | CMA_0220 - Enable detection of network devices | Manual, Disabled | 1.1.0 |
Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
Set automated notifications for new and trending cloud applications in your organization | CMA_0495 - Set automated notifications for new and trending cloud applications in your organization | Manual, Disabled | 1.1.0 |
Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
0725.07a3Organizational.5-07.a 07.01 Responsibility for Assets
ID: 0725.07a3Organizational.5-07.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Create a data inventory | CMA_0096 - Create a data inventory | Manual, Disabled | 1.1.0 |
Establish and maintain an asset inventory | CMA_0266 - Establish and maintain an asset inventory | Manual, Disabled | 1.1.0 |
Maintain records of processing of personal data | CMA_0353 - Maintain records of processing of personal data | Manual, Disabled | 1.1.0 |
0733.10b2System.4-10.b 10.02 Correct Processing in Applications
ID: 0733.10b2System.4-10.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Perform information input validation | CMA_C1723 - Perform information input validation | Manual, Disabled | 1.1.0 |
Verify software, firmware and information integrity | CMA_0542 - Verify software, firmware and information integrity | Manual, Disabled | 1.1.0 |
0786.10m2Organizational.13-10.m 10.06 Technical Vulnerability Management
ID: 0786.10m2Organizational.13-10.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Incorporate flaw remediation into configuration management | CMA_C1671 - Incorporate flaw remediation into configuration management | Manual, Disabled | 1.1.0 |
0787.10m2Organizational.14-10.m 10.06 Technical Vulnerability Management
ID: 0787.10m2Organizational.14-10.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Automate flaw remediation | CMA_0027 - Automate flaw remediation | Manual, Disabled | 1.1.0 |
Establish benchmarks for flaw remediation | CMA_C1675 - Establish benchmarks for flaw remediation | Manual, Disabled | 1.1.0 |
Incorporate flaw remediation into configuration management | CMA_C1671 - Incorporate flaw remediation into configuration management | Manual, Disabled | 1.1.0 |
Measure the time between flaw identification and flaw remediation | CMA_C1674 - Measure the time between flaw identification and flaw remediation | Manual, Disabled | 1.1.0 |
0788.10m3Organizational.20-10.m 10.06 Technical Vulnerability Management
ID: 0788.10m3Organizational.20-10.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Employ independent team for penetration testing | CMA_C1171 - Employ independent team for penetration testing | Manual, Disabled | 1.1.0 |
0790.10m3Organizational.22-10.m 10.06 Technical Vulnerability Management
ID: 0790.10m3Organizational.22-10.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
Correlate audit records | CMA_0087 - Correlate audit records | Manual, Disabled | 1.1.0 |
Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
Establish requirements for audit review and reporting | CMA_0277 - Establish requirements for audit review and reporting | Manual, Disabled | 1.1.0 |
Integrate audit review, analysis, and reporting | CMA_0339 - Integrate audit review, analysis, and reporting | Manual, Disabled | 1.1.0 |
Integrate cloud app security with a siem | CMA_0340 - Integrate cloud app security with a siem | Manual, Disabled | 1.1.0 |
Observe and report security weaknesses | CMA_0384 - Observe and report security weaknesses | Manual, Disabled | 1.1.0 |
Perform threat modeling | CMA_0392 - Perform threat modeling | Manual, Disabled | 1.1.0 |
Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
Review administrator assignments weekly | CMA_0461 - Review administrator assignments weekly | Manual, Disabled | 1.1.0 |
Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
Review cloud identity report overview | CMA_0468 - Review cloud identity report overview | Manual, Disabled | 1.1.0 |
Review controlled folder access events | CMA_0471 - Review controlled folder access events | Manual, Disabled | 1.1.0 |
Review exploit protection events | CMA_0472 - Review exploit protection events | Manual, Disabled | 1.1.0 |
Review file and folder activity | CMA_0473 - Review file and folder activity | Manual, Disabled | 1.1.0 |
Review role group changes weekly | CMA_0476 - Review role group changes weekly | Manual, Disabled | 1.1.0 |
0791.10b2Organizational.4-10.b 10.02 Correct Processing in Applications
ID: 0791.10b2Organizational.4-10.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Address coding vulnerabilities | CMA_0003 - Address coding vulnerabilities | Manual, Disabled | 1.1.0 |
Develop and document application security requirements | CMA_0148 - Develop and document application security requirements | Manual, Disabled | 1.1.0 |
Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
Establish a secure software development program | CMA_0259 - Establish a secure software development program | Manual, Disabled | 1.1.0 |
Require developers to document approved changes and potential impact | CMA_C1597 - Require developers to document approved changes and potential impact | Manual, Disabled | 1.1.0 |
Require developers to implement only approved changes | CMA_C1596 - Require developers to implement only approved changes | Manual, Disabled | 1.1.0 |
Require developers to manage change integrity | CMA_C1595 - Require developers to manage change integrity | Manual, Disabled | 1.1.0 |
Verify software, firmware and information integrity | CMA_0542 - Verify software, firmware and information integrity | Manual, Disabled | 1.1.0 |
08 Network Protection
0805.01m1Organizational.12-01.m 01.04 Network Access Control
ID: 0805.01m1Organizational.12-01.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
[Preview]: Container Registry should use a virtual network service endpoint | This policy audits any Container Registry not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0-preview |
App Service apps should use a virtual network service endpoint | Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit https://aka.ms/appservice-vnet-service-endpoint. | AuditIfNotExists, Disabled | 2.0.1 |
Cosmos DB should use a virtual network service endpoint | This policy audits any Cosmos DB not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0 |
Event Hub should use a virtual network service endpoint | This policy audits any Event Hub not configured to use a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.0 |
Gateway subnets should not be configured with a network security group | This policy denies if a gateway subnet is configured with a network security group. Assigning a network security group to a gateway subnet will cause the gateway to stop functioning. | deny | 1.0.0 |
Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0 |
Key Vault should use a virtual network service endpoint | This policy audits any Key Vault not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0 |
SQL Server should use a virtual network service endpoint | This policy audits any SQL Server not configured to use a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.0 |
Storage Accounts should use a virtual network service endpoint | This policy audits any Storage Account not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0 |
Subnets should be associated with a Network Security Group | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | AuditIfNotExists, Disabled | 3.0.0 |
Virtual machines should be connected to an approved virtual network | This policy audits any virtual machine connected to a virtual network that is not approved. | Audit, Deny, Disabled | 1.0.0 |
0806.01m2Organizational.12356-01.m 01.04 Network Access Control
ID: 0806.01m2Organizational.12356-01.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
[Preview]: Container Registry should use a virtual network service endpoint | This policy audits any Container Registry not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0-preview |
App Service apps should use a virtual network service endpoint | Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit https://aka.ms/appservice-vnet-service-endpoint. | AuditIfNotExists, Disabled | 2.0.1 |
Cosmos DB should use a virtual network service endpoint | This policy audits any Cosmos DB not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0 |
Event Hub should use a virtual network service endpoint | This policy audits any Event Hub not configured to use a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.0 |
Gateway subnets should not be configured with a network security group | This policy denies if a gateway subnet is configured with a network security group. Assigning a network security group to a gateway subnet will cause the gateway to stop functioning. | deny | 1.0.0 |
Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0 |
Isolate SecurID systems, Security Incident Management systems | CMA_C1636 - Isolate SecurID systems, Security Incident Management systems | Manual, Disabled | 1.1.0 |
Key Vault should use a virtual network service endpoint | This policy audits any Key Vault not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0 |
SQL Server should use a virtual network service endpoint | This policy audits any SQL Server not configured to use a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.0 |
Storage Accounts should use a virtual network service endpoint | This policy audits any Storage Account not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0 |
Subnets should be associated with a Network Security Group | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | AuditIfNotExists, Disabled | 3.0.0 |
Virtual machines should be connected to an approved virtual network | This policy audits any virtual machine connected to a virtual network that is not approved. | Audit, Deny, Disabled | 1.0.0 |
0808.10b2System.3-10.b 10.02 Correct Processing in Applications
ID: 0808.10b2System.3-10.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
Route traffic through authenticated proxy network | CMA_C1633 - Route traffic through authenticated proxy network | Manual, Disabled | 1.1.0 |
0809.01n2Organizational.1234-01.n 01.04 Network Access Control
ID: 0809.01n2Organizational.1234-01.n Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
App Service apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 4.0.0 |
App Service apps should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 2.1.0 |
Authorize, monitor, and control voip | CMA_0025 - Authorize, monitor, and control voip | Manual, Disabled | 1.1.0 |
Enforce SSL connection should be enabled for MySQL database servers | Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
Enforce SSL connection should be enabled for PostgreSQL database servers | Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
Function apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 5.0.0 |
Function apps should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 2.1.0 |
Implement managed interface for each external service | CMA_C1626 - Implement managed interface for each external service | Manual, Disabled | 1.1.0 |
Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0 |
Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
Only secure connections to your Azure Cache for Redis should be enabled | Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 1.0.0 |
Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
Secure transfer to storage accounts should be enabled | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 2.0.0 |
Subnets should be associated with a Network Security Group | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | AuditIfNotExists, Disabled | 3.0.0 |
Virtual machines should be connected to an approved virtual network | This policy audits any virtual machine connected to a virtual network that is not approved. | Audit, Deny, Disabled | 1.0.0 |
0810.01n2Organizational.5-01.n 01.04 Network Access Control
ID: 0810.01n2Organizational.5-01.n Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
App Service apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 4.0.0 |
App Service apps should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 2.1.0 |
Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
Enforce SSL connection should be enabled for MySQL database servers | Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
Enforce SSL connection should be enabled for PostgreSQL database servers | Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
Function apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 5.0.0 |
Function apps should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 2.1.0 |
Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0 |
Only secure connections to your Azure Cache for Redis should be enabled | Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 1.0.0 |
Produce, control and distribute asymmetric cryptographic keys | CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys | Manual, Disabled | 1.1.0 |
Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
Secure transfer to storage accounts should be enabled | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 2.0.0 |
Subnets should be associated with a Network Security Group | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | AuditIfNotExists, Disabled | 3.0.0 |
Virtual machines should be connected to an approved virtual network | This policy audits any virtual machine connected to a virtual network that is not approved. | Audit, Deny, Disabled | 1.0.0 |
08101.09m2Organizational.14-09.m 09.06 Network Security Management
ID: 08101.09m2Organizational.14-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Manual, Disabled | 1.1.0 |
Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
08102.09nCSPOrganizational.1-09.n 09.06 Network Security Management
ID: 08102.09nCSPOrganizational.1-09.n Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
0811.01n2Organizational.6-01.n 01.04 Network Access Control
ID: 0811.01n2Organizational.6-01.n Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
App Service apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 4.0.0 |
App Service apps should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 2.1.0 |
Authorize, monitor, and control voip | CMA_0025 - Authorize, monitor, and control voip | Manual, Disabled | 1.1.0 |
Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
Determine information protection needs | CMA_C1750 - Determine information protection needs | Manual, Disabled | 1.1.0 |
Employ flow control mechanisms of encrypted information | CMA_0211 - Employ flow control mechanisms of encrypted information | Manual, Disabled | 1.1.0 |
Enforce SSL connection should be enabled for MySQL database servers | Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
Enforce SSL connection should be enabled for PostgreSQL database servers | Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
Function apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 5.0.0 |
Function apps should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 2.1.0 |
Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
Implement managed interface for each external service | CMA_C1626 - Implement managed interface for each external service | Manual, Disabled | 1.1.0 |
Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
Information flow control using security policy filters | CMA_C1029 - Information flow control using security policy filters | Manual, Disabled | 1.1.0 |
Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0 |
Only secure connections to your Azure Cache for Redis should be enabled | Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 1.0.0 |
Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
Secure transfer to storage accounts should be enabled | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 2.0.0 |
Subnets should be associated with a Network Security Group | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | AuditIfNotExists, Disabled | 3.0.0 |
Virtual machines should be connected to an approved virtual network | This policy audits any virtual machine connected to a virtual network that is not approved. | Audit, Deny, Disabled | 1.0.0 |
0812.01n2Organizational.8-01.n 01.04 Network Access Control
ID: 0812.01n2Organizational.8-01.n Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
App Service apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 4.0.0 |
App Service apps should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 2.1.0 |
Enforce SSL connection should be enabled for MySQL database servers | Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
Enforce SSL connection should be enabled for PostgreSQL database servers | Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
Function apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 5.0.0 |
Function apps should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 2.1.0 |
Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0 |
Only secure connections to your Azure Cache for Redis should be enabled | Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 1.0.0 |
Prevent split tunneling for remote devices | CMA_C1632 - Prevent split tunneling for remote devices | Manual, Disabled | 1.1.0 |
Secure transfer to storage accounts should be enabled | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 2.0.0 |
Subnets should be associated with a Network Security Group | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | AuditIfNotExists, Disabled | 3.0.0 |
Virtual machines should be connected to an approved virtual network | This policy audits any virtual machine connected to a virtual network that is not approved. | Audit, Deny, Disabled | 1.0.0 |
0814.01n1Organizational.12-01.n 01.04 Network Access Control
ID: 0814.01n1Organizational.12-01.n Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
App Service apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 4.0.0 |
App Service apps should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 2.1.0 |
Enforce SSL connection should be enabled for MySQL database servers | Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
Enforce SSL connection should be enabled for PostgreSQL database servers | Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
Function apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 5.0.0 |
Function apps should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 2.1.0 |
Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0 |
Only secure connections to your Azure Cache for Redis should be enabled | Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 1.0.0 |
Secure transfer to storage accounts should be enabled | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 2.0.0 |
Subnets should be associated with a Network Security Group | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | AuditIfNotExists, Disabled | 3.0.0 |
Virtual machines should be connected to an approved virtual network | This policy audits any virtual machine connected to a virtual network that is not approved. | Audit, Deny, Disabled | 1.0.0 |
0815.01o2Organizational.123-01.o 01.04 Network Access Control
ID: 0815.01o2Organizational.123-01.o Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Authorize, monitor, and control voip | CMA_0025 - Authorize, monitor, and control voip | Manual, Disabled | 1.1.0 |
Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
Route traffic through authenticated proxy network | CMA_C1633 - Route traffic through authenticated proxy network | Manual, Disabled | 1.1.0 |
Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
0816.01w1System.1-01.w 01.06 Application and Information Access Control
ID: 0816.01w1System.1-01.w Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Develop SSP that meets criteria | CMA_C1492 - Develop SSP that meets criteria | Manual, Disabled | 1.1.0 |
Distribute information system documentation | CMA_C1584 - Distribute information system documentation | Manual, Disabled | 1.1.0 |
Document customer-defined actions | CMA_C1582 - Document customer-defined actions | Manual, Disabled | 1.1.0 |
Obtain Admin documentation | CMA_C1580 - Obtain Admin documentation | Manual, Disabled | 1.1.0 |
Obtain user security function documentation | CMA_C1581 - Obtain user security function documentation | Manual, Disabled | 1.1.0 |
Protect administrator and user documentation | CMA_C1583 - Protect administrator and user documentation | Manual, Disabled | 1.1.0 |
0817.01w2System.123-01.w 01.06 Application and Information Access Control
ID: 0817.01w2System.123-01.w Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0 |
Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
Employ boundary protection to isolate information systems | CMA_C1639 - Employ boundary protection to isolate information systems | Manual, Disabled | 1.1.0 |
Ensure system capable of dynamic isolation of resources | CMA_C1638 - Ensure system capable of dynamic isolation of resources | Manual, Disabled | 1.1.0 |
Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
Isolate SecurID systems, Security Incident Management systems | CMA_C1636 - Isolate SecurID systems, Security Incident Management systems | Manual, Disabled | 1.1.0 |
Maintain separate execution domains for running processes | CMA_C1665 - Maintain separate execution domains for running processes | Manual, Disabled | 1.1.0 |
Separate user and information system management functionality | CMA_0493 - Separate user and information system management functionality | Manual, Disabled | 1.1.0 |
Use dedicated machines for administrative tasks | CMA_0527 - Use dedicated machines for administrative tasks | Manual, Disabled | 1.1.0 |
0818.01w3System.12-01.w 01.06 Application and Information Access Control
ID: 0818.01w3System.12-01.w Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Govern the allocation of resources | CMA_0293 - Govern the allocation of resources | Manual, Disabled | 1.1.0 |
Maintain separate execution domains for running processes | CMA_C1665 - Maintain separate execution domains for running processes | Manual, Disabled | 1.1.0 |
Manage availability and capacity | CMA_0356 - Manage availability and capacity | Manual, Disabled | 1.1.0 |
Secure commitment from leadership | CMA_0489 - Secure commitment from leadership | Manual, Disabled | 1.1.0 |
0819.09m1Organizational.23-09.m 09.06 Network Security Management
ID: 0819.09m1Organizational.23-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Check for privacy and security compliance before establishing internal connections | CMA_0053 - Check for privacy and security compliance before establishing internal connections | Manual, Disabled | 1.1.0 |
Require interconnection security agreements | CMA_C1151 - Require interconnection security agreements | Manual, Disabled | 1.1.0 |
0821.09m2Organizational.2-09.m 09.06 Network Security Management
ID: 0821.09m2Organizational.2-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
Configure actions for noncompliant devices | CMA_0062 - Configure actions for noncompliant devices | Manual, Disabled | 1.1.0 |
Create configuration plan protection | CMA_C1233 - Create configuration plan protection | Manual, Disabled | 1.1.0 |
Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Manual, Disabled | 1.1.0 |
Develop and maintain baseline configurations | CMA_0153 - Develop and maintain baseline configurations | Manual, Disabled | 1.1.0 |
Develop configuration item identification plan | CMA_C1231 - Develop configuration item identification plan | Manual, Disabled | 1.1.0 |
Develop configuration management plan | CMA_C1232 - Develop configuration management plan | Manual, Disabled | 1.1.0 |
Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
Establish a configuration control board | CMA_0254 - Establish a configuration control board | Manual, Disabled | 1.1.0 |
Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Manual, Disabled | 1.1.0 |
Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Manual, Disabled | 1.1.0 |
Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
Review changes for any unauthorized changes | CMA_C1204 - Review changes for any unauthorized changes | Manual, Disabled | 1.1.0 |
0822.09m2Organizational.4-09.m 09.06 Network Security Management
ID: 0822.09m2Organizational.4-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Authorize, monitor, and control voip | CMA_0025 - Authorize, monitor, and control voip | Manual, Disabled | 1.1.0 |
Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
Employ flow control mechanisms of encrypted information | CMA_0211 - Employ flow control mechanisms of encrypted information | Manual, Disabled | 1.1.0 |
Implement managed interface for each external service | CMA_C1626 - Implement managed interface for each external service | Manual, Disabled | 1.1.0 |
Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
Route traffic through authenticated proxy network | CMA_C1633 - Route traffic through authenticated proxy network | Manual, Disabled | 1.1.0 |
Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
0824.09m3Organizational.1-09.m 09.06 Network Security Management
ID: 0824.09m3Organizational.1-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Conduct Risk Assessment | CMA_C1543 - Conduct Risk Assessment | Manual, Disabled | 1.1.0 |
Conduct risk assessment and distribute its results | CMA_C1544 - Conduct risk assessment and distribute its results | Manual, Disabled | 1.1.0 |
Conduct risk assessment and document its results | CMA_C1542 - Conduct risk assessment and document its results | Manual, Disabled | 1.1.0 |
Configure detection whitelist | CMA_0068 - Configure detection whitelist | Manual, Disabled | 1.1.0 |
Establish an alternate processing site | CMA_0262 - Establish an alternate processing site | Manual, Disabled | 1.1.0 |
Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
Plan for resumption of essential business functions | CMA_C1253 - Plan for resumption of essential business functions | Manual, Disabled | 1.1.0 |
Separately store backup information | CMA_C1293 - Separately store backup information | Manual, Disabled | 1.1.0 |
Turn on sensors for endpoint security solution | CMA_0514 - Turn on sensors for endpoint security solution | Manual, Disabled | 1.1.0 |
Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
0825.09m3Organizational.23-09.m 09.06 Network Security Management
ID: 0825.09m3Organizational.23-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Authorize, monitor, and control voip | CMA_0025 - Authorize, monitor, and control voip | Manual, Disabled | 1.1.0 |
Detect network services that have not been authorized or approved | CMA_C1700 - Detect network services that have not been authorized or approved | Manual, Disabled | 1.1.0 |
Document wireless access security controls | CMA_C1695 - Document wireless access security controls | Manual, Disabled | 1.1.0 |
Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
Obtain legal opinion for monitoring system activities | CMA_C1688 - Obtain legal opinion for monitoring system activities | Manual, Disabled | 1.1.0 |
Provide monitoring information as needed | CMA_C1689 - Provide monitoring information as needed | Manual, Disabled | 1.1.0 |
Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
0826.09m3Organizational.45-09.m 09.06 Network Security Management
ID: 0826.09m3Organizational.45-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Implement managed interface for each external service | CMA_C1626 - Implement managed interface for each external service | Manual, Disabled | 1.1.0 |
Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
0828.09m3Organizational.8-09.m 09.06 Network Security Management
ID: 0828.09m3Organizational.8-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Review changes for any unauthorized changes | CMA_C1204 - Review changes for any unauthorized changes | Manual, Disabled | 1.1.0 |
0829.09m3Organizational.911-09.m 09.06 Network Security Management
ID: 0829.09m3Organizational.911-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Implement managed interface for each external service | CMA_C1626 - Implement managed interface for each external service | Manual, Disabled | 1.1.0 |
Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
0830.09m3Organizational.1012-09.m 09.06 Network Security Management
ID: 0830.09m3Organizational.1012-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
Authorize, monitor, and control voip | CMA_0025 - Authorize, monitor, and control voip | Manual, Disabled | 1.1.0 |
Enforce user uniqueness | CMA_0250 - Enforce user uniqueness | Manual, Disabled | 1.1.0 |
Implement managed interface for each external service | CMA_C1626 - Implement managed interface for each external service | Manual, Disabled | 1.1.0 |
Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
Support personal verification credentials issued by legal authorities | CMA_0507 - Support personal verification credentials issued by legal authorities | Manual, Disabled | 1.1.0 |
0832.09m3Organizational.14-09.m 09.06 Network Security Management
ID: 0832.09m3Organizational.14-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Implement a fault tolerant name/address service | CMA_0305 - Implement a fault tolerant name/address service | Manual, Disabled | 1.1.0 |
Require interconnection security agreements | CMA_C1151 - Require interconnection security agreements | Manual, Disabled | 1.1.0 |
Update interconnection security agreements | CMA_0519 - Update interconnection security agreements | Manual, Disabled | 1.1.0 |
0835.09n1Organizational.1-09.n 09.06 Network Security Management
ID: 0835.09n1Organizational.1-09.n Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
[Preview]: Network traffic data collection agent should be installed on Windows virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview |
Configure detection whitelist | CMA_0068 - Configure detection whitelist | Manual, Disabled | 1.1.0 |
Require interconnection security agreements | CMA_C1151 - Require interconnection security agreements | Manual, Disabled | 1.1.0 |
Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
Turn on sensors for endpoint security solution | CMA_0514 - Turn on sensors for endpoint security solution | Manual, Disabled | 1.1.0 |
Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
Virtual machines should be migrated to new Azure Resource Manager resources | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Audit, Deny, Disabled | 1.0.0 |
0836.09.n2Organizational.1-09.n 09.06 Network Security Management
ID: 0836.09.n2Organizational.1-09.n Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
[Preview]: Network traffic data collection agent should be installed on Linux virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview |
Check for privacy and security compliance before establishing internal connections | CMA_0053 - Check for privacy and security compliance before establishing internal connections | Manual, Disabled | 1.1.0 |
Require interconnection security agreements | CMA_C1151 - Require interconnection security agreements | Manual, Disabled | 1.1.0 |
Update interconnection security agreements | CMA_0519 - Update interconnection security agreements | Manual, Disabled | 1.1.0 |
0837.09.n2Organizational.2-09.n 09.06 Network Security Management
ID: 0837.09.n2Organizational.2-09.n Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define and document government oversight | CMA_C1587 - Define and document government oversight | Manual, Disabled | 1.1.0 |
Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
Ensure external providers consistently meet interests of the customers | CMA_C1592 - Ensure external providers consistently meet interests of the customers | Manual, Disabled | 1.1.0 |
Identify external service providers | CMA_C1591 - Identify external service providers | Manual, Disabled | 1.1.0 |
Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | AuditIfNotExists, Disabled | 3.0.0 |
Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0 |
Require interconnection security agreements | CMA_C1151 - Require interconnection security agreements | Manual, Disabled | 1.1.0 |
Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Manual, Disabled | 1.1.0 |
Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
Update interconnection security agreements | CMA_0519 - Update interconnection security agreements | Manual, Disabled | 1.1.0 |
0850.01o1Organizational.12-01.o 01.04 Network Access Control
ID: 0850.01o1Organizational.12-01.o Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Route traffic through authenticated proxy network | CMA_C1633 - Route traffic through authenticated proxy network | Manual, Disabled | 1.1.0 |
0858.09m1Organizational.4-09.m 09.06 Network Security Management
ID: 0858.09m1Organizational.4-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
All network ports should be restricted on network security groups associated to your virtual machine | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | AuditIfNotExists, Disabled | 3.0.0 |
Document and implement wireless access guidelines | CMA_0190 - Document and implement wireless access guidelines | Manual, Disabled | 1.1.0 |
Document wireless access security controls | CMA_C1695 - Document wireless access security controls | Manual, Disabled | 1.1.0 |
Identify and authenticate network devices | CMA_0296 - Identify and authenticate network devices | Manual, Disabled | 1.1.0 |
Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.0.0 |
Protect wireless access | CMA_0411 - Protect wireless access | Manual, Disabled | 1.1.0 |
Windows machines should meet requirements for 'Windows Firewall Properties' | Windows machines should have the specified Group Policy settings in the category 'Windows Firewall Properties' for firewall state, connections, rule management, and notifications. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
0859.09m1Organizational.78-09.m 09.06 Network Security Management
ID: 0859.09m1Organizational.78-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
Define access authorizations to support separation of duties | CMA_0116 - Define access authorizations to support separation of duties | Manual, Disabled | 1.1.0 |
Document separation of duties | CMA_0204 - Document separation of duties | Manual, Disabled | 1.1.0 |
Employ flow control mechanisms of encrypted information | CMA_0211 - Employ flow control mechanisms of encrypted information | Manual, Disabled | 1.1.0 |
Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
Information flow control using security policy filters | CMA_C1029 - Information flow control using security policy filters | Manual, Disabled | 1.1.0 |
Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
Review and update system and communications protection policies and procedures | CMA_C1616 - Review and update system and communications protection policies and procedures | Manual, Disabled | 1.1.0 |
Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
Separate duties of individuals | CMA_0492 - Separate duties of individuals | Manual, Disabled | 1.1.0 |
0860.09m1Organizational.9-09.m 09.06 Network Security Management
ID: 0860.09m1Organizational.9-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Deploy Diagnostic Settings for Network Security Groups | This policy automatically deploys diagnostic settings to network security groups. A storage account with name '{storagePrefixParameter}{NSGLocation}' will be automatically created. | deployIfNotExists | 2.0.1 |
Establish an alternate processing site | CMA_0262 - Establish an alternate processing site | Manual, Disabled | 1.1.0 |
Implement managed interface for each external service | CMA_C1626 - Implement managed interface for each external service | Manual, Disabled | 1.1.0 |
Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
Separately store backup information | CMA_C1293 - Separately store backup information | Manual, Disabled | 1.1.0 |
0861.09m2Organizational.67-09.m 09.06 Network Security Management
ID: 0861.09m2Organizational.67-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
App Service apps should use a virtual network service endpoint | Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit https://aka.ms/appservice-vnet-service-endpoint. | AuditIfNotExists, Disabled | 2.0.1 |
Document and implement wireless access guidelines | CMA_0190 - Document and implement wireless access guidelines | Manual, Disabled | 1.1.0 |
Document wireless access security controls | CMA_C1695 - Document wireless access security controls | Manual, Disabled | 1.1.0 |
Identify and authenticate network devices | CMA_0296 - Identify and authenticate network devices | Manual, Disabled | 1.1.0 |
Identify and authenticate non-organizational users | CMA_C1346 - Identify and authenticate non-organizational users | Manual, Disabled | 1.1.0 |
Protect wireless access | CMA_0411 - Protect wireless access | Manual, Disabled | 1.1.0 |
Windows machines should meet requirements for 'Security Options - Network Access' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Access' for including access for anonymous users, local accounts, and remote access to the registry. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
0862.09m2Organizational.8-09.m 09.06 Network Security Management
ID: 0862.09m2Organizational.8-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
SQL Server should use a virtual network service endpoint | This policy audits any SQL Server not configured to use a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.0 |
0863.09m2Organizational.910-09.m 09.06 Network Security Management
ID: 0863.09m2Organizational.910-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Check for privacy and security compliance before establishing internal connections | CMA_0053 - Check for privacy and security compliance before establishing internal connections | Manual, Disabled | 1.1.0 |
Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
Configure actions for noncompliant devices | CMA_0062 - Configure actions for noncompliant devices | Manual, Disabled | 1.1.0 |
Develop a concept of operations (CONOPS) | CMA_0141 - Develop a concept of operations (CONOPS) | Manual, Disabled | 1.1.0 |
Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Manual, Disabled | 1.1.0 |
Develop and maintain baseline configurations | CMA_0153 - Develop and maintain baseline configurations | Manual, Disabled | 1.1.0 |
Develop configuration item identification plan | CMA_C1231 - Develop configuration item identification plan | Manual, Disabled | 1.1.0 |
Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Manual, Disabled | 1.1.0 |
Develop SSP that meets criteria | CMA_C1492 - Develop SSP that meets criteria | Manual, Disabled | 1.1.0 |
Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
Establish a configuration control board | CMA_0254 - Establish a configuration control board | Manual, Disabled | 1.1.0 |
Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Manual, Disabled | 1.1.0 |
Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
Event Hub should use a virtual network service endpoint | This policy audits any Event Hub not configured to use a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.0 |
Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Manual, Disabled | 1.1.0 |
Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
Review and update the information security architecture | CMA_C1504 - Review and update the information security architecture | Manual, Disabled | 1.1.0 |
0864.09m2Organizational.12-09.m 09.06 Network Security Management
ID: 0864.09m2Organizational.12-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Authorize, monitor, and control voip | CMA_0025 - Authorize, monitor, and control voip | Manual, Disabled | 1.1.0 |
Cosmos DB should use a virtual network service endpoint | This policy audits any Cosmos DB not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0 |
Establish voip usage restrictions | CMA_0280 - Establish voip usage restrictions | Manual, Disabled | 1.1.0 |
Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
0865.09m2Organizational.13-09.m 09.06 Network Security Management
ID: 0865.09m2Organizational.13-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Check for privacy and security compliance before establishing internal connections | CMA_0053 - Check for privacy and security compliance before establishing internal connections | Manual, Disabled | 1.1.0 |
Employ restrictions on external system interconnections | CMA_C1155 - Employ restrictions on external system interconnections | Manual, Disabled | 1.1.0 |
Key Vault should use a virtual network service endpoint | This policy audits any Key Vault not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0 |
Require interconnection security agreements | CMA_C1151 - Require interconnection security agreements | Manual, Disabled | 1.1.0 |
Update interconnection security agreements | CMA_0519 - Update interconnection security agreements | Manual, Disabled | 1.1.0 |
0866.09m3Organizational.1516-09.m 09.06 Network Security Management
ID: 0866.09m3Organizational.1516-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Authorize, monitor, and control voip | CMA_0025 - Authorize, monitor, and control voip | Manual, Disabled | 1.1.0 |
Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Manual, Disabled | 1.1.0 |
Develop SSP that meets criteria | CMA_C1492 - Develop SSP that meets criteria | Manual, Disabled | 1.1.0 |
Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
Review and update system and communications protection policies and procedures | CMA_C1616 - Review and update system and communications protection policies and procedures | Manual, Disabled | 1.1.0 |
Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
Storage accounts should restrict network access | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Audit, Deny, Disabled | 1.1.1 |
0868.09m3Organizational.18-09.m 09.06 Network Security Management
ID: 0868.09m3Organizational.18-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
[Preview]: Container Registry should use a virtual network service endpoint | This policy audits any Container Registry not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0-preview |
Authorize, monitor, and control voip | CMA_0025 - Authorize, monitor, and control voip | Manual, Disabled | 1.1.0 |
Implement managed interface for each external service | CMA_C1626 - Implement managed interface for each external service | Manual, Disabled | 1.1.0 |
Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
0869.09m3Organizational.19-09.m 09.06 Network Security Management
ID: 0869.09m3Organizational.19-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
[Preview]: Container Registry should use a virtual network service endpoint | This policy audits any Container Registry not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0-preview |
Configure actions for noncompliant devices | CMA_0062 - Configure actions for noncompliant devices | Manual, Disabled | 1.1.0 |
Create configuration plan protection | CMA_C1233 - Create configuration plan protection | Manual, Disabled | 1.1.0 |
Develop and maintain baseline configurations | CMA_0153 - Develop and maintain baseline configurations | Manual, Disabled | 1.1.0 |
Develop configuration item identification plan | CMA_C1231 - Develop configuration item identification plan | Manual, Disabled | 1.1.0 |
Develop configuration management plan | CMA_C1232 - Develop configuration management plan | Manual, Disabled | 1.1.0 |
Employ automatic shutdown/restart when violations are detected | CMA_C1715 - Employ automatic shutdown/restart when violations are detected | Manual, Disabled | 1.1.0 |
Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
Establish a configuration control board | CMA_0254 - Establish a configuration control board | Manual, Disabled | 1.1.0 |
Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Manual, Disabled | 1.1.0 |
Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Manual, Disabled | 1.1.0 |
0870.09m3Organizational.20-09.m 09.06 Network Security Management
ID: 0870.09m3Organizational.20-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
[Preview]: Container Registry should use a virtual network service endpoint | This policy audits any Container Registry not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0-preview |
Detect network services that have not been authorized or approved | CMA_C1700 - Detect network services that have not been authorized or approved | Manual, Disabled | 1.1.0 |
Enforce user uniqueness | CMA_0250 - Enforce user uniqueness | Manual, Disabled | 1.1.0 |
Identify and authenticate non-organizational users | CMA_C1346 - Identify and authenticate non-organizational users | Manual, Disabled | 1.1.0 |
Identify external service providers | CMA_C1591 - Identify external service providers | Manual, Disabled | 1.1.0 |
Implement managed interface for each external service | CMA_C1626 - Implement managed interface for each external service | Manual, Disabled | 1.1.0 |
Route traffic through authenticated proxy network | CMA_C1633 - Route traffic through authenticated proxy network | Manual, Disabled | 1.1.0 |
Support personal verification credentials issued by legal authorities | CMA_0507 - Support personal verification credentials issued by legal authorities | Manual, Disabled | 1.1.0 |
0871.09m3Organizational.22-09.m 09.06 Network Security Management
ID: 0871.09m3Organizational.22-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
[Preview]: Container Registry should use a virtual network service endpoint | This policy audits any Container Registry not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0-preview |
Implement a fault tolerant name/address service | CMA_0305 - Implement a fault tolerant name/address service | Manual, Disabled | 1.1.0 |
Provide secure name and address resolution services | CMA_0416 - Provide secure name and address resolution services | Manual, Disabled | 1.1.0 |
Verify software, firmware and information integrity | CMA_0542 - Verify software, firmware and information integrity | Manual, Disabled | 1.1.0 |
0885.09n2Organizational.3-09.n 09.06 Network Security Management
ID: 0885.09n2Organizational.3-09.n Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
[Preview]: Network traffic data collection agent should be installed on Linux virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview |
Require interconnection security agreements | CMA_C1151 - Require interconnection security agreements | Manual, Disabled | 1.1.0 |
Update interconnection security agreements | CMA_0519 - Update interconnection security agreements | Manual, Disabled | 1.1.0 |
0886.09n2Organizational.4-09.n 09.06 Network Security Management
ID: 0886.09n2Organizational.4-09.n Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Employ restrictions on external system interconnections | CMA_C1155 - Employ restrictions on external system interconnections | Manual, Disabled | 1.1.0 |
Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | AuditIfNotExists, Disabled | 3.0.0 |
0887.09n2Organizational.5-09.n 09.06 Network Security Management
ID: 0887.09n2Organizational.5-09.n Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
[Preview]: Network traffic data collection agent should be installed on Windows virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview |
Require developer to identify SDLC ports, protocols, and services | CMA_C1578 - Require developer to identify SDLC ports, protocols, and services | Manual, Disabled | 1.1.0 |
Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
0888.09n2Organizational.6-09.n 09.06 Network Security Management
ID: 0888.09n2Organizational.6-09.n Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define and document government oversight | CMA_C1587 - Define and document government oversight | Manual, Disabled | 1.1.0 |
Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
Ensure external providers consistently meet interests of the customers | CMA_C1592 - Ensure external providers consistently meet interests of the customers | Manual, Disabled | 1.1.0 |
Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | AuditIfNotExists, Disabled | 3.0.0 |
Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0 |
Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Manual, Disabled | 1.1.0 |
Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
0894.01m2Organizational.7-01.m 01.04 Network Access Control
ID: 0894.01m2Organizational.7-01.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
[Preview]: Container Registry should use a virtual network service endpoint | This policy audits any Container Registry not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0-preview |
App Service apps should use a virtual network service endpoint | Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit https://aka.ms/appservice-vnet-service-endpoint. | AuditIfNotExists, Disabled | 2.0.1 |
Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
Cosmos DB should use a virtual network service endpoint | This policy audits any Cosmos DB not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0 |
Deploy network watcher when virtual networks are created | This policy creates a network watcher resource in regions with virtual networks. You need to ensure existence of a resource group named networkWatcherRG, which will be used to deploy network watcher instances. | DeployIfNotExists | 1.0.0 |
Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
Event Hub should use a virtual network service endpoint | This policy audits any Event Hub not configured to use a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.0 |
Gateway subnets should not be configured with a network security group | This policy denies if a gateway subnet is configured with a network security group. Assigning a network security group to a gateway subnet will cause the gateway to stop functioning. | deny | 1.0.0 |
Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0 |
Key Vault should use a virtual network service endpoint | This policy audits any Key Vault not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0 |
Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
Route traffic through authenticated proxy network | CMA_C1633 - Route traffic through authenticated proxy network | Manual, Disabled | 1.1.0 |
SQL Server should use a virtual network service endpoint | This policy audits any SQL Server not configured to use a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.0 |
Storage Accounts should use a virtual network service endpoint | This policy audits any Storage Account not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0 |
Subnets should be associated with a Network Security Group | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | AuditIfNotExists, Disabled | 3.0.0 |
Virtual machines should be connected to an approved virtual network | This policy audits any virtual machine connected to a virtual network that is not approved. | Audit, Deny, Disabled | 1.0.0 |
Back-up
Workforce members roles and responsibilities in the data backup process are identified and communicated to the workforce; in particular, Bring Your Own Device (BYOD) users are required to perform backups of organizational and/or client data on their devices.
ID: 1699.09l1Organizational.10 - 09.l Ownership: Customer
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Azure Backup should be enabled for Virtual Machines | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | AuditIfNotExists, Disabled | 3.0.0 |
Network Controls
Wireless access points are placed in secure areas and shut down when not in use (e.g. nights, weekends).
ID: 0867.09m3Organizational.17 - 09.m Ownership: Customer
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Storage Accounts should use a virtual network service endpoint | This policy audits any Storage Account not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0 |
On-line Transactions
The organization requires the use of encryption between, and the use of electronic signatures by, each of the parties involved in the transaction.
ID: 0946.09y2Organizational.14 - 09.y Ownership: Customer
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Only secure connections to your Azure Cache for Redis should be enabled | Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 1.0.0 |
09 Transmission Protection
0901.09s1Organizational.1-09.s 09.08 Exchange of Information
ID: 0901.09s1Organizational.1-09.s Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
App Service apps should not have CORS configured to allow every resource to access your apps | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. | AuditIfNotExists, Disabled | 2.0.0 |
Categorize information | CMA_0052 - Categorize information | Manual, Disabled | 1.1.0 |
Configure actions for noncompliant devices | CMA_0062 - Configure actions for noncompliant devices | Manual, Disabled | 1.1.0 |
Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
Develop and maintain baseline configurations | CMA_0153 - Develop and maintain baseline configurations | Manual, Disabled | 1.1.0 |
Develop business classification schemes | CMA_0155 - Develop business classification schemes | Manual, Disabled | 1.1.0 |
Develop organization code of conduct policy | CMA_0159 - Develop organization code of conduct policy | Manual, Disabled | 1.1.0 |
Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
Ensure security categorization is approved | CMA_C1540 - Ensure security categorization is approved | Manual, Disabled | 1.1.0 |
Establish a configuration control board | CMA_0254 - Establish a configuration control board | Manual, Disabled | 1.1.0 |
Establish a data leakage management procedure | CMA_0255 - Establish a data leakage management procedure | Manual, Disabled | 1.1.0 |
Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Manual, Disabled | 1.1.0 |
Establish terms and conditions for processing resources | CMA_C1077 - Establish terms and conditions for processing resources | Manual, Disabled | 1.1.0 |
Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Manual, Disabled | 1.1.0 |
Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
Perform information input validation | CMA_C1723 - Perform information input validation | Manual, Disabled | 1.1.0 |
Prohibit unfair practices | CMA_0396 - Prohibit unfair practices | Manual, Disabled | 1.1.0 |
Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
Protect special information | CMA_0409 - Protect special information | Manual, Disabled | 1.1.0 |
Review and sign revised rules of behavior | CMA_0465 - Review and sign revised rules of behavior | Manual, Disabled | 1.1.0 |
Review label activity and analytics | CMA_0474 - Review label activity and analytics | Manual, Disabled | 1.1.0 |
Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
Update rules of behavior and access agreements | CMA_0521 - Update rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Update rules of behavior and access agreements every 3 years | CMA_0522 - Update rules of behavior and access agreements every 3 years | Manual, Disabled | 1.1.0 |
0902.09s2Organizational.13-09.s 09.08 Exchange of Information
ID: 0902.09s2Organizational.13-09.s Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0 |
Authorize remote access to privileged commands | CMA_C1064 - Authorize remote access to privileged commands | Manual, Disabled | 1.1.0 |
Document mobility training | CMA_0191 - Document mobility training | Manual, Disabled | 1.1.0 |
Document remote access guidelines | CMA_0196 - Document remote access guidelines | Manual, Disabled | 1.1.0 |
Establish terms and conditions for accessing resources | CMA_C1076 - Establish terms and conditions for accessing resources | Manual, Disabled | 1.1.0 |
Establish terms and conditions for processing resources | CMA_C1077 - Establish terms and conditions for processing resources | Manual, Disabled | 1.1.0 |
Function apps should not have CORS configured to allow every resource to access your apps | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. | AuditIfNotExists, Disabled | 2.0.0 |
Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Manual, Disabled | 1.1.0 |
Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
Notify users of system logon or access | CMA_0382 - Notify users of system logon or access | Manual, Disabled | 1.1.0 |
Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
Provide capability to disconnect or disable remote access | CMA_C1066 - Provide capability to disconnect or disable remote access | Manual, Disabled | 1.1.0 |
Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
0903.10f1Organizational.1-10.f 10.03 Cryptographic Controls
ID: 0903.10f1Organizational.1-10.f Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
0904.10f2Organizational.1-10.f 10.03 Cryptographic Controls
ID: 0904.10f2Organizational.1-10.f Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Authenticate to cryptographic module | CMA_0021 - Authenticate to cryptographic module | Manual, Disabled | 1.1.0 |
Define a physical key management process | CMA_0115 - Define a physical key management process | Manual, Disabled | 1.1.0 |
Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
Define organizational requirements for cryptographic key management | CMA_0123 - Define organizational requirements for cryptographic key management | Manual, Disabled | 1.1.0 |
Determine assertion requirements | CMA_0136 - Determine assertion requirements | Manual, Disabled | 1.1.0 |
Issue public key certificates | CMA_0347 - Issue public key certificates | Manual, Disabled | 1.1.0 |
Manage symmetric cryptographic keys | CMA_0367 - Manage symmetric cryptographic keys | Manual, Disabled | 1.1.0 |
Produce, control and distribute symmetric cryptographic keys | CMA_C1645 - Produce, control and distribute symmetric cryptographic keys | Manual, Disabled | 1.1.0 |
Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
Restrict access to private keys | CMA_0445 - Restrict access to private keys | Manual, Disabled | 1.1.0 |
0912.09s1Organizational.4-09.s 09.08 Exchange of Information
ID: 0912.09s1Organizational.4-09.s Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
App Service apps should have remote debugging turned off | Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 2.0.0 |
Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0 |
Document mobility training | CMA_0191 - Document mobility training | Manual, Disabled | 1.1.0 |
Document remote access guidelines | CMA_0196 - Document remote access guidelines | Manual, Disabled | 1.1.0 |
Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Manual, Disabled | 1.1.0 |
Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
Notify users of system logon or access | CMA_0382 - Notify users of system logon or access | Manual, Disabled | 1.1.0 |
Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
0913.09s1Organizational.5-09.s 09.08 Exchange of Information
ID: 0913.09s1Organizational.5-09.s Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
Function apps should have remote debugging turned off | Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 2.0.0 |
Produce, control and distribute asymmetric cryptographic keys | CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys | Manual, Disabled | 1.1.0 |
Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
0914.09s1Organizational.6-09.s 09.08 Exchange of Information
ID: 0914.09s1Organizational.6-09.s Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Assess Security Controls | CMA_C1145 - Assess Security Controls | Manual, Disabled | 1.1.0 |
Deliver security assessment results | CMA_C1147 - Deliver security assessment results | Manual, Disabled | 1.1.0 |
Develop security assessment plan | CMA_C1144 - Develop security assessment plan | Manual, Disabled | 1.1.0 |
Employ independent assessors to conduct security control assessments | CMA_C1148 - Employ independent assessors to conduct security control assessments | Manual, Disabled | 1.1.0 |
Produce Security Assessment report | CMA_C1146 - Produce Security Assessment report | Manual, Disabled | 1.1.0 |
Review and update system and communications protection policies and procedures | CMA_C1616 - Review and update system and communications protection policies and procedures | Manual, Disabled | 1.1.0 |
0915.09s2Organizational.2-09.s 09.08 Exchange of Information
ID: 0915.09s2Organizational.2-09.s Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
App Service apps should have Client Certificates (Incoming client certificates) enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy applies to apps with Http version set to 1.1. | AuditIfNotExists, Disabled | 1.0.0 |
Control use of portable storage devices | CMA_0083 - Control use of portable storage devices | Manual, Disabled | 1.1.0 |
Establish terms and conditions for accessing resources | CMA_C1076 - Establish terms and conditions for accessing resources | Manual, Disabled | 1.1.0 |
Establish terms and conditions for processing resources | CMA_C1077 - Establish terms and conditions for processing resources | Manual, Disabled | 1.1.0 |
0916.09s2Organizational.4-09.s 09.08 Exchange of Information
ID: 0916.09s2Organizational.4-09.s Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
App Service apps should not have CORS configured to allow every resource to access your apps | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. | AuditIfNotExists, Disabled | 2.0.0 |
Control use of portable storage devices | CMA_0083 - Control use of portable storage devices | Manual, Disabled | 1.1.0 |
Explicitly notify use of collaborative computing devices | CMA_C1649 - Explicitly notify use of collaborative computing devices | Manual, Disabled | 1.1.1 |
Identify and authenticate network devices | CMA_0296 - Identify and authenticate network devices | Manual, Disabled | 1.1.0 |
Prohibit remote activation of collaborative computing devices | CMA_C1648 - Prohibit remote activation of collaborative computing devices | Manual, Disabled | 1.1.0 |
Restrict media use | CMA_0450 - Restrict media use | Manual, Disabled | 1.1.0 |
0926.09v1Organizational.2-09.v 09.08 Exchange of Information
ID: 0926.09v1Organizational.2-09.v Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
Implement a fault tolerant name/address service | CMA_0305 - Implement a fault tolerant name/address service | Manual, Disabled | 1.1.0 |
Produce, control and distribute asymmetric cryptographic keys | CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys | Manual, Disabled | 1.1.0 |
Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
Provide secure name and address resolution services | CMA_0416 - Provide secure name and address resolution services | Manual, Disabled | 1.1.0 |
0927.09v1Organizational.3-09.v 09.08 Exchange of Information
ID: 0927.09v1Organizational.3-09.v Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
Enforce user uniqueness | CMA_0250 - Enforce user uniqueness | Manual, Disabled | 1.1.0 |
Identify and authenticate network devices | CMA_0296 - Identify and authenticate network devices | Manual, Disabled | 1.1.0 |
Support personal verification credentials issued by legal authorities | CMA_0507 - Support personal verification credentials issued by legal authorities | Manual, Disabled | 1.1.0 |
0928.09v1Organizational.45-09.v 09.08 Exchange of Information
ID: 0928.09v1Organizational.45-09.v Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
Produce, control and distribute asymmetric cryptographic keys | CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys | Manual, Disabled | 1.1.0 |
Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
0929.09v1Organizational.6-09.v 09.08 Exchange of Information
ID: 0929.09v1Organizational.6-09.v Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
Implement a fault tolerant name/address service | CMA_0305 - Implement a fault tolerant name/address service | Manual, Disabled | 1.1.0 |
Produce, control and distribute asymmetric cryptographic keys | CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys | Manual, Disabled | 1.1.0 |
Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
Provide secure name and address resolution services | CMA_0416 - Provide secure name and address resolution services | Manual, Disabled | 1.1.0 |
0943.09y1Organizational.1-09.y 09.09 Electronic Commerce Services
ID: 0943.09y1Organizational.1-09.y Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
Document process to ensure integrity of PII | CMA_C1827 - Document process to ensure integrity of PII | Manual, Disabled | 1.1.0 |
Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
Secure transfer to storage accounts should be enabled | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 2.0.0 |
0944.09y1Organizational.2-09.y 09.09 Electronic Commerce Services
ID: 0944.09y1Organizational.2-09.y Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
Employ boundary protection to isolate information systems | CMA_C1639 - Employ boundary protection to isolate information systems | Manual, Disabled | 1.1.0 |
Employ flow control mechanisms of encrypted information | CMA_0211 - Employ flow control mechanisms of encrypted information | Manual, Disabled | 1.1.0 |
Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
Information flow control using security policy filters | CMA_C1029 - Information flow control using security policy filters | Manual, Disabled | 1.1.0 |
0945.09y1Organizational.3-09.y 09.09 Electronic Commerce Services
ID: 0945.09y1Organizational.3-09.y Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Audit Windows machines that do not contain the specified certificates in Trusted Root | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine Trusted Root certificate store (Cert:\LocalMachine\Root) does not contain one or more of the certificates listed by the policy parameter. | auditIfNotExists | 3.0.0 |
Authenticate to cryptographic module | CMA_0021 - Authenticate to cryptographic module | Manual, Disabled | 1.1.0 |
Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
Produce, control and distribute asymmetric cryptographic keys | CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys | Manual, Disabled | 1.1.0 |
Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
0947.09y2Organizational.2-09.y 09.09 Electronic Commerce Services
ID: 0947.09y2Organizational.2-09.y Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Create separate alternate and primary storage sites | CMA_C1269 - Create separate alternate and primary storage sites | Manual, Disabled | 1.1.0 |
Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
Enforce SSL connection should be enabled for PostgreSQL database servers | Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
Ensure alternate storage site safeguards are equivalent to primary site | CMA_C1268 - Ensure alternate storage site safeguards are equivalent to primary site | Manual, Disabled | 1.1.0 |
Establish a data leakage management procedure | CMA_0255 - Establish a data leakage management procedure | Manual, Disabled | 1.1.0 |
Establish alternate storage site to store and retrieve backup information | CMA_C1267 - Establish alternate storage site to store and retrieve backup information | Manual, Disabled | 1.1.0 |
Govern and monitor audit processing activities | CMA_0289 - Govern and monitor audit processing activities | Manual, Disabled | 1.1.0 |
Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Manual, Disabled | 1.1.0 |
Protect special information | CMA_0409 - Protect special information | Manual, Disabled | 1.1.0 |
Restrict location of information processing, storage and services | CMA_C1593 - Restrict location of information processing, storage and services | Manual, Disabled | 1.1.0 |
Transfer backup information to an alternate storage site | CMA_C1294 - Transfer backup information to an alternate storage site | Manual, Disabled | 1.1.0 |
0948.09y2Organizational.3-09.y 09.09 Electronic Commerce Services
ID: 0948.09y2Organizational.3-09.y Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
Distribute authenticators | CMA_0184 - Distribute authenticators | Manual, Disabled | 1.1.0 |
Enforce random unique session identifiers | CMA_0247 - Enforce random unique session identifiers | Manual, Disabled | 1.1.0 |
Enforce SSL connection should be enabled for MySQL database servers | Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
Issue public key certificates | CMA_0347 - Issue public key certificates | Manual, Disabled | 1.1.0 |
Satisfy token quality requirements | CMA_0487 - Satisfy token quality requirements | Manual, Disabled | 1.1.0 |
0949.09y2Organizational.5-09.y 09.09 Electronic Commerce Services
ID: 0949.09y2Organizational.5-09.y Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
App Service apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 4.0.0 |
App Service apps should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 2.1.0 |
Function apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 5.0.0 |
Function apps should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 2.1.0 |
Identify external service providers | CMA_C1591 - Identify external service providers | Manual, Disabled | 1.1.0 |
Require developer to identify SDLC ports, protocols, and services | CMA_C1578 - Require developer to identify SDLC ports, protocols, and services | Manual, Disabled | 1.1.0 |
0960.09sCSPOrganizational.1-09.s 09.08 Exchange of Information
ID: 0960.09sCSPOrganizational.1-09.s Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Function apps should not have CORS configured to allow every resource to access your apps | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. | AuditIfNotExists, Disabled | 2.0.0 |
Identify external service providers | CMA_C1591 - Identify external service providers | Manual, Disabled | 1.1.0 |
099.09m2Organizational.11-09.m 09.06 Network Security Management
ID: 099.09m2Organizational.11-09.m Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
10 Password Management
1002.01d1System.1-01.d 01.02 Authorized Access to Information Systems
ID: 1002.01d1System.1-01.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Obscure feedback information during authentication process | CMA_C1344 - Obscure feedback information during authentication process | Manual, Disabled | 1.1.0 |
Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
1003.01d1System.3-01.d 01.02 Authorized Access to Information Systems
ID: 1003.01d1System.3-01.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Implement training for protecting authenticators | CMA_0329 - Implement training for protecting authenticators | Manual, Disabled | 1.1.0 |
Refresh authenticators | CMA_0425 - Refresh authenticators | Manual, Disabled | 1.1.0 |
Verify identity before distributing authenticators | CMA_0538 - Verify identity before distributing authenticators | Manual, Disabled | 1.1.0 |
1004.01d1System.8913-01.d 01.02 Authorized Access to Information Systems
ID: 1004.01d1System.8913-01.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Establish a password policy | CMA_0256 - Establish a password policy | Manual, Disabled | 1.1.0 |
Implement parameters for memorized secret verifiers | CMA_0321 - Implement parameters for memorized secret verifiers | Manual, Disabled | 1.1.0 |
Manage authenticator lifetime and reuse | CMA_0355 - Manage authenticator lifetime and reuse | Manual, Disabled | 1.1.0 |
Manage Authenticators | CMA_C1321 - Manage Authenticators | Manual, Disabled | 1.1.0 |
Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
Refresh authenticators | CMA_0425 - Refresh authenticators | Manual, Disabled | 1.1.0 |
Verify identity before distributing authenticators | CMA_0538 - Verify identity before distributing authenticators | Manual, Disabled | 1.1.0 |
1005.01d1System.1011-01.d 01.02 Authorized Access to Information Systems
ID: 1005.01d1System.1011-01.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Authenticate to cryptographic module | CMA_0021 - Authenticate to cryptographic module | Manual, Disabled | 1.1.0 |
Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Establish a password policy | CMA_0256 - Establish a password policy | Manual, Disabled | 1.1.0 |
Implement parameters for memorized secret verifiers | CMA_0321 - Implement parameters for memorized secret verifiers | Manual, Disabled | 1.1.0 |
Produce, control and distribute symmetric cryptographic keys | CMA_C1645 - Produce, control and distribute symmetric cryptographic keys | Manual, Disabled | 1.1.0 |
1006.01d2System.1-01.d 01.02 Authorized Access to Information Systems
ID: 1006.01d2System.1-01.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Ensure there are no unencrypted static authenticators | CMA_C1340 - Ensure there are no unencrypted static authenticators | Manual, Disabled | 1.1.0 |
Generate error messages | CMA_C1724 - Generate error messages | Manual, Disabled | 1.1.0 |
Identify and authenticate non-organizational users | CMA_C1346 - Identify and authenticate non-organizational users | Manual, Disabled | 1.1.0 |
Implement training for protecting authenticators | CMA_0329 - Implement training for protecting authenticators | Manual, Disabled | 1.1.0 |
Obscure feedback information during authentication process | CMA_C1344 - Obscure feedback information during authentication process | Manual, Disabled | 1.1.0 |
1007.01d2System.2-01.d 01.02 Authorized Access to Information Systems
ID: 1007.01d2System.2-01.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
1008.01d2System.3-01.d 01.02 Authorized Access to Information Systems
ID: 1008.01d2System.3-01.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
Develop organization code of conduct policy | CMA_0159 - Develop organization code of conduct policy | Manual, Disabled | 1.1.0 |
Document organizational access agreements | CMA_0192 - Document organizational access agreements | Manual, Disabled | 1.1.0 |
Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Establish a data leakage management procedure | CMA_0255 - Establish a data leakage management procedure | Manual, Disabled | 1.1.0 |
Notify users of system logon or access | CMA_0382 - Notify users of system logon or access | Manual, Disabled | 1.1.0 |
Prohibit unfair practices | CMA_0396 - Prohibit unfair practices | Manual, Disabled | 1.1.0 |
Protect special information | CMA_0409 - Protect special information | Manual, Disabled | 1.1.0 |
Require users to sign access agreement | CMA_0440 - Require users to sign access agreement | Manual, Disabled | 1.1.0 |
Review and sign revised rules of behavior | CMA_0465 - Review and sign revised rules of behavior | Manual, Disabled | 1.1.0 |
Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
Update organizational access agreements | CMA_0520 - Update organizational access agreements | Manual, Disabled | 1.1.0 |
Update rules of behavior and access agreements | CMA_0521 - Update rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Update rules of behavior and access agreements every 3 years | CMA_0522 - Update rules of behavior and access agreements every 3 years | Manual, Disabled | 1.1.0 |
1009.01d2System.4-01.d 01.02 Authorized Access to Information Systems
ID: 1009.01d2System.4-01.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Establish a password policy | CMA_0256 - Establish a password policy | Manual, Disabled | 1.1.0 |
Implement parameters for memorized secret verifiers | CMA_0321 - Implement parameters for memorized secret verifiers | Manual, Disabled | 1.1.0 |
Refresh authenticators | CMA_0425 - Refresh authenticators | Manual, Disabled | 1.1.0 |
1014.01d1System.12-01.d 01.02 Authorized Access to Information Systems
ID: 1014.01d1System.12-01.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Establish a password policy | CMA_0256 - Establish a password policy | Manual, Disabled | 1.1.0 |
Establish authenticator types and processes | CMA_0267 - Establish authenticator types and processes | Manual, Disabled | 1.1.0 |
Establish procedures for initial authenticator distribution | CMA_0276 - Establish procedures for initial authenticator distribution | Manual, Disabled | 1.1.0 |
Implement parameters for memorized secret verifiers | CMA_0321 - Implement parameters for memorized secret verifiers | Manual, Disabled | 1.1.0 |
Implement training for protecting authenticators | CMA_0329 - Implement training for protecting authenticators | Manual, Disabled | 1.1.0 |
Manage authenticator lifetime and reuse | CMA_0355 - Manage authenticator lifetime and reuse | Manual, Disabled | 1.1.0 |
Manage Authenticators | CMA_C1321 - Manage Authenticators | Manual, Disabled | 1.1.0 |
Refresh authenticators | CMA_0425 - Refresh authenticators | Manual, Disabled | 1.1.0 |
Reissue authenticators for changed groups and accounts | CMA_0426 - Reissue authenticators for changed groups and accounts | Manual, Disabled | 1.1.0 |
Verify identity before distributing authenticators | CMA_0538 - Verify identity before distributing authenticators | Manual, Disabled | 1.1.0 |
1015.01d1System.14-01.d 01.02 Authorized Access to Information Systems
ID: 1015.01d1System.14-01.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Establish authenticator types and processes | CMA_0267 - Establish authenticator types and processes | Manual, Disabled | 1.1.0 |
Establish procedures for initial authenticator distribution | CMA_0276 - Establish procedures for initial authenticator distribution | Manual, Disabled | 1.1.0 |
Reissue authenticators for changed groups and accounts | CMA_0426 - Reissue authenticators for changed groups and accounts | Manual, Disabled | 1.1.0 |
Verify identity before distributing authenticators | CMA_0538 - Verify identity before distributing authenticators | Manual, Disabled | 1.1.0 |
1022.01d1System.15-01.d 01.02 Authorized Access to Information Systems
ID: 1022.01d1System.15-01.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
Control use of portable storage devices | CMA_0083 - Control use of portable storage devices | Manual, Disabled | 1.1.0 |
Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Establish a password policy | CMA_0256 - Establish a password policy | Manual, Disabled | 1.1.0 |
Identify and authenticate network devices | CMA_0296 - Identify and authenticate network devices | Manual, Disabled | 1.1.0 |
Implement parameters for memorized secret verifiers | CMA_0321 - Implement parameters for memorized secret verifiers | Manual, Disabled | 1.1.0 |
Refresh authenticators | CMA_0425 - Refresh authenticators | Manual, Disabled | 1.1.0 |
Restrict media use | CMA_0450 - Restrict media use | Manual, Disabled | 1.1.0 |
1031.01d1System.34510-01.d 01.02 Authorized Access to Information Systems
ID: 1031.01d1System.34510-01.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Establish a password policy | CMA_0256 - Establish a password policy | Manual, Disabled | 1.1.0 |
Establish procedures for initial authenticator distribution | CMA_0276 - Establish procedures for initial authenticator distribution | Manual, Disabled | 1.1.0 |
Implement parameters for memorized secret verifiers | CMA_0321 - Implement parameters for memorized secret verifiers | Manual, Disabled | 1.1.0 |
Manage Authenticators | CMA_C1321 - Manage Authenticators | Manual, Disabled | 1.1.0 |
Refresh authenticators | CMA_0425 - Refresh authenticators | Manual, Disabled | 1.1.0 |
11 Access Control
1106.01b1System.1-01.b 01.02 Authorized Access to Information Systems
ID: 1106.01b1System.1-01.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Assign account managers | CMA_0015 - Assign account managers | Manual, Disabled | 1.1.0 |
Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
Define information system account types | CMA_0121 - Define information system account types | Manual, Disabled | 1.1.0 |
Document access privileges | CMA_0186 - Document access privileges | Manual, Disabled | 1.1.0 |
Establish conditions for role membership | CMA_0269 - Establish conditions for role membership | Manual, Disabled | 1.1.0 |
Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
Review user accounts | CMA_0480 - Review user accounts | Manual, Disabled | 1.1.0 |
Verify identity before distributing authenticators | CMA_0538 - Verify identity before distributing authenticators | Manual, Disabled | 1.1.0 |
1107.01b1System.2-01.b 01.02 Authorized Access to Information Systems
ID: 1107.01b1System.2-01.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Establish authenticator types and processes | CMA_0267 - Establish authenticator types and processes | Manual, Disabled | 1.1.0 |
Establish procedures for initial authenticator distribution | CMA_0276 - Establish procedures for initial authenticator distribution | Manual, Disabled | 1.1.0 |
Manage Authenticators | CMA_C1321 - Manage Authenticators | Manual, Disabled | 1.1.0 |
Verify identity before distributing authenticators | CMA_0538 - Verify identity before distributing authenticators | Manual, Disabled | 1.1.0 |
1108.01b1System.3-01.b 01.02 Authorized Access to Information Systems
ID: 1108.01b1System.3-01.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Assign account managers | CMA_0015 - Assign account managers | Manual, Disabled | 1.1.0 |
Define information system account types | CMA_0121 - Define information system account types | Manual, Disabled | 1.1.0 |
Monitor account activity | CMA_0377 - Monitor account activity | Manual, Disabled | 1.1.0 |
Notify Account Managers of customer controlled accounts | CMA_C1009 - Notify Account Managers of customer controlled accounts | Manual, Disabled | 1.1.0 |
1109.01b1System.479-01.b 01.02 Authorized Access to Information Systems
ID: 1109.01b1System.479-01.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Conduct exit interview upon termination | CMA_0058 - Conduct exit interview upon termination | Manual, Disabled | 1.1.0 |
Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
Develop organization code of conduct policy | CMA_0159 - Develop organization code of conduct policy | Manual, Disabled | 1.1.0 |
Disable authenticators upon termination | CMA_0169 - Disable authenticators upon termination | Manual, Disabled | 1.1.0 |
Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Initiate transfer or reassignment actions | CMA_0333 - Initiate transfer or reassignment actions | Manual, Disabled | 1.1.0 |
Manage Authenticators | CMA_C1321 - Manage Authenticators | Manual, Disabled | 1.1.0 |
Modify access authorizations upon personnel transfer | CMA_0374 - Modify access authorizations upon personnel transfer | Manual, Disabled | 1.1.0 |
Notify upon termination or transfer | CMA_0381 - Notify upon termination or transfer | Manual, Disabled | 1.1.0 |
Prohibit unfair practices | CMA_0396 - Prohibit unfair practices | Manual, Disabled | 1.1.0 |
Protect against and prevent data theft from departing employees | CMA_0398 - Protect against and prevent data theft from departing employees | Manual, Disabled | 1.1.0 |
Provide periodic security awareness training | CMA_C1091 - Provide periodic security awareness training | Manual, Disabled | 1.1.0 |
Provide security awareness training for insider threats | CMA_0417 - Provide security awareness training for insider threats | Manual, Disabled | 1.1.0 |
Provide security training for new users | CMA_0419 - Provide security training for new users | Manual, Disabled | 1.1.0 |
Provide updated security awareness training | CMA_C1090 - Provide updated security awareness training | Manual, Disabled | 1.1.0 |
Reevaluate access upon personnel transfer | CMA_0424 - Reevaluate access upon personnel transfer | Manual, Disabled | 1.1.0 |
Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
Retain terminated user data | CMA_0455 - Retain terminated user data | Manual, Disabled | 1.1.0 |
Review and sign revised rules of behavior | CMA_0465 - Review and sign revised rules of behavior | Manual, Disabled | 1.1.0 |
Revoke privileged roles as appropriate | CMA_0483 - Revoke privileged roles as appropriate | Manual, Disabled | 1.1.0 |
Update rules of behavior and access agreements | CMA_0521 - Update rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Update rules of behavior and access agreements every 3 years | CMA_0522 - Update rules of behavior and access agreements every 3 years | Manual, Disabled | 1.1.0 |
Verify identity before distributing authenticators | CMA_0538 - Verify identity before distributing authenticators | Manual, Disabled | 1.1.0 |
1110.01b1System.5-01.b 01.02 Authorized Access to Information Systems
ID: 1110.01b1System.5-01.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define and enforce conditions for shared and group accounts | CMA_0117 - Define and enforce conditions for shared and group accounts | Manual, Disabled | 1.1.0 |
Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
Develop organization code of conduct policy | CMA_0159 - Develop organization code of conduct policy | Manual, Disabled | 1.1.0 |
Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Prohibit unfair practices | CMA_0396 - Prohibit unfair practices | Manual, Disabled | 1.1.0 |
Reissue authenticators for changed groups and accounts | CMA_0426 - Reissue authenticators for changed groups and accounts | Manual, Disabled | 1.1.0 |
Review and sign revised rules of behavior | CMA_0465 - Review and sign revised rules of behavior | Manual, Disabled | 1.1.0 |
Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
Update rules of behavior and access agreements | CMA_0521 - Update rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Update rules of behavior and access agreements every 3 years | CMA_0522 - Update rules of behavior and access agreements every 3 years | Manual, Disabled | 1.1.0 |
11109.01q1Organizational.57-01.q 01.05 Operating System Access Control
ID: 11109.01q1Organizational.57-01.q Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Accounts with owner permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
Assign system identifiers | CMA_0018 - Assign system identifiers | Manual, Disabled | 1.1.0 |
Enforce user uniqueness | CMA_0250 - Enforce user uniqueness | Manual, Disabled | 1.1.0 |
Identify status of individual users | CMA_C1316 - Identify status of individual users | Manual, Disabled | 1.1.0 |
Prevent identifier reuse for the defined time period | CMA_C1314 - Prevent identifier reuse for the defined time period | Manual, Disabled | 1.1.0 |
Support personal verification credentials issued by legal authorities | CMA_0507 - Support personal verification credentials issued by legal authorities | Manual, Disabled | 1.1.0 |
1111.01b2System.1-01.b 01.02 Authorized Access to Information Systems
ID: 1111.01b2System.1-01.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define and enforce conditions for shared and group accounts | CMA_0117 - Define and enforce conditions for shared and group accounts | Manual, Disabled | 1.1.0 |
Reissue authenticators for changed groups and accounts | CMA_0426 - Reissue authenticators for changed groups and accounts | Manual, Disabled | 1.1.0 |
11111.01q2System.4-01.q 01.05 Operating System Access Control
ID: 11111.01q2System.4-01.q Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Accounts with read permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
Establish authenticator types and processes | CMA_0267 - Establish authenticator types and processes | Manual, Disabled | 1.1.0 |
Establish procedures for initial authenticator distribution | CMA_0276 - Establish procedures for initial authenticator distribution | Manual, Disabled | 1.1.0 |
Verify identity before distributing authenticators | CMA_0538 - Verify identity before distributing authenticators | Manual, Disabled | 1.1.0 |
11112.01q2Organizational.67-01.q 01.05 Operating System Access Control
ID: 11112.01q2Organizational.67-01.q Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
A maximum of 3 owners should be designated for your subscription | It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. | AuditIfNotExists, Disabled | 3.0.0 |
Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
Satisfy token quality requirements | CMA_0487 - Satisfy token quality requirements | Manual, Disabled | 1.1.0 |
1112.01b2System.2-01.b 01.02 Authorized Access to Information Systems
ID: 1112.01b2System.2-01.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Assign an authorizing official (AO) | CMA_C1158 - Assign an authorizing official (AO) | Manual, Disabled | 1.1.0 |
Distribute authenticators | CMA_0184 - Distribute authenticators | Manual, Disabled | 1.1.0 |
Ensure resources are authorized | CMA_C1159 - Ensure resources are authorized | Manual, Disabled | 1.1.0 |
Establish authenticator types and processes | CMA_0267 - Establish authenticator types and processes | Manual, Disabled | 1.1.0 |
Satisfy token quality requirements | CMA_0487 - Satisfy token quality requirements | Manual, Disabled | 1.1.0 |
Update the security authorization | CMA_C1160 - Update the security authorization | Manual, Disabled | 1.1.0 |
Verify identity before distributing authenticators | CMA_0538 - Verify identity before distributing authenticators | Manual, Disabled | 1.1.0 |
11126.01t1Organizational.12-01.t 01.05 Operating System Access Control
ID: 11126.01t1Organizational.12-01.t Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Reauthenticate or terminate a user session | CMA_0421 - Reauthenticate or terminate a user session | Manual, Disabled | 1.1.0 |
1114.01h1Organizational.123-01.h 01.03 User Responsibilities
ID: 1114.01h1Organizational.123-01.h Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define and enforce the limit of concurrent sessions | CMA_C1050 - Define and enforce the limit of concurrent sessions | Manual, Disabled | 1.1.0 |
Terminate user session automatically | CMA_C1054 - Terminate user session automatically | Manual, Disabled | 1.1.0 |
11154.02i1Organizational.5-02.i 02.04 Termination or Change of Employment
ID: 11154.02i1Organizational.5-02.i Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Conduct exit interview upon termination | CMA_0058 - Conduct exit interview upon termination | Manual, Disabled | 1.1.0 |
Disable authenticators upon termination | CMA_0169 - Disable authenticators upon termination | Manual, Disabled | 1.1.0 |
Initiate transfer or reassignment actions | CMA_0333 - Initiate transfer or reassignment actions | Manual, Disabled | 1.1.0 |
Modify access authorizations upon personnel transfer | CMA_0374 - Modify access authorizations upon personnel transfer | Manual, Disabled | 1.1.0 |
Notify upon termination or transfer | CMA_0381 - Notify upon termination or transfer | Manual, Disabled | 1.1.0 |
Protect against and prevent data theft from departing employees | CMA_0398 - Protect against and prevent data theft from departing employees | Manual, Disabled | 1.1.0 |
Reevaluate access upon personnel transfer | CMA_0424 - Reevaluate access upon personnel transfer | Manual, Disabled | 1.1.0 |
Retain terminated user data | CMA_0455 - Retain terminated user data | Manual, Disabled | 1.1.0 |
11155.02i2Organizational.2-02.i 02.04 Termination or Change of Employment
ID: 11155.02i2Organizational.2-02.i Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Automate account management | CMA_0026 - Automate account management | Manual, Disabled | 1.1.0 |
Conduct exit interview upon termination | CMA_0058 - Conduct exit interview upon termination | Manual, Disabled | 1.1.0 |
Disable authenticators upon termination | CMA_0169 - Disable authenticators upon termination | Manual, Disabled | 1.1.0 |
Manage system and admin accounts | CMA_0368 - Manage system and admin accounts | Manual, Disabled | 1.1.0 |
Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
Notify Account Managers of customer controlled accounts | CMA_C1009 - Notify Account Managers of customer controlled accounts | Manual, Disabled | 1.1.0 |
Notify upon termination or transfer | CMA_0381 - Notify upon termination or transfer | Manual, Disabled | 1.1.0 |
Notify when account is not needed | CMA_0383 - Notify when account is not needed | Manual, Disabled | 1.1.0 |
Protect against and prevent data theft from departing employees | CMA_0398 - Protect against and prevent data theft from departing employees | Manual, Disabled | 1.1.0 |
Retain terminated user data | CMA_0455 - Retain terminated user data | Manual, Disabled | 1.1.0 |
1116.01j1Organizational.145-01.j 01.04 Network Access Control
ID: 1116.01j1Organizational.145-01.j Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Accounts with owner permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Establish a password policy | CMA_0256 - Establish a password policy | Manual, Disabled | 1.1.0 |
Establish authenticator types and processes | CMA_0267 - Establish authenticator types and processes | Manual, Disabled | 1.1.0 |
Implement parameters for memorized secret verifiers | CMA_0321 - Implement parameters for memorized secret verifiers | Manual, Disabled | 1.1.0 |
Verify identity before distributing authenticators | CMA_0538 - Verify identity before distributing authenticators | Manual, Disabled | 1.1.0 |
1118.01j2Organizational.124-01.j 01.04 Network Access Control
ID: 1118.01j2Organizational.124-01.j Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Accounts with read permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0 |
Document mobility training | CMA_0191 - Document mobility training | Manual, Disabled | 1.1.0 |
Document remote access guidelines | CMA_0196 - Document remote access guidelines | Manual, Disabled | 1.1.0 |
Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Manual, Disabled | 1.1.0 |
Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
Notify users of system logon or access | CMA_0382 - Notify users of system logon or access | Manual, Disabled | 1.1.0 |
Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
11180.01c3System.6-01.c 01.02 Authorized Access to Information Systems
ID: 11180.01c3System.6-01.c Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
Design an access control model | CMA_0129 - Design an access control model | Manual, Disabled | 1.1.0 |
Employ least privilege access | CMA_0212 - Employ least privilege access | Manual, Disabled | 1.1.0 |
Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.0.0 |
Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
1119.01j2Organizational.3-01.j 01.04 Network Access Control
ID: 1119.01j2Organizational.3-01.j Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Enable detection of network devices | CMA_0220 - Enable detection of network devices | Manual, Disabled | 1.1.0 |
Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.0.0 |
Require interconnection security agreements | CMA_C1151 - Require interconnection security agreements | Manual, Disabled | 1.1.0 |
Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
Set automated notifications for new and trending cloud applications in your organization | CMA_0495 - Set automated notifications for new and trending cloud applications in your organization | Manual, Disabled | 1.1.0 |
11190.01t1Organizational.3-01.t 01.05 Operating System Access Control
ID: 11190.01t1Organizational.3-01.t Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
Identify and authenticate network devices | CMA_0296 - Identify and authenticate network devices | Manual, Disabled | 1.1.0 |
Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
Manage the input, output, processing, and storage of data | CMA_0369 - Manage the input, output, processing, and storage of data | Manual, Disabled | 1.1.0 |
1120.09ab3System.9-09.ab 09.10 Monitoring
ID: 1120.09ab3System.9-09.ab Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Azure Monitor should collect activity logs from all regions | This policy audits the Azure Monitor log profile which does not export activities from all Azure supported regions including global. | AuditIfNotExists, Disabled | 2.0.0 |
1121.01j3Organizational.2-01.j 01.04 Network Access Control
ID: 1121.01j3Organizational.2-01.j Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Accounts with owner permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0 |
Document mobility training | CMA_0191 - Document mobility training | Manual, Disabled | 1.1.0 |
Document remote access guidelines | CMA_0196 - Document remote access guidelines | Manual, Disabled | 1.1.0 |
Enforce user uniqueness | CMA_0250 - Enforce user uniqueness | Manual, Disabled | 1.1.0 |
Identify and authenticate network devices | CMA_0296 - Identify and authenticate network devices | Manual, Disabled | 1.1.0 |
Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Manual, Disabled | 1.1.0 |
Notify users of system logon or access | CMA_0382 - Notify users of system logon or access | Manual, Disabled | 1.1.0 |
Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
Support personal verification credentials issued by legal authorities | CMA_0507 - Support personal verification credentials issued by legal authorities | Manual, Disabled | 1.1.0 |
11219.01b1Organizational.10-01.b 01.02 Authorized Access to Information Systems
ID: 11219.01b1Organizational.10-01.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define access authorizations to support separation of duties | CMA_0116 - Define access authorizations to support separation of duties | Manual, Disabled | 1.1.0 |
Design an access control model | CMA_0129 - Design an access control model | Manual, Disabled | 1.1.0 |
Document separation of duties | CMA_0204 - Document separation of duties | Manual, Disabled | 1.1.0 |
Employ least privilege access | CMA_0212 - Employ least privilege access | Manual, Disabled | 1.1.0 |
Separate duties of individuals | CMA_0492 - Separate duties of individuals | Manual, Disabled | 1.1.0 |
1122.01q1System.1-01.q 01.05 Operating System Access Control
ID: 1122.01q1System.1-01.q Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Accept only FICAM-approved third-party credentials | CMA_C1348 - Accept only FICAM-approved third-party credentials | Manual, Disabled | 1.1.0 |
Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
Conform to FICAM-issued profiles | CMA_C1350 - Conform to FICAM-issued profiles | Manual, Disabled | 1.1.0 |
Employ FICAM-approved resources to accept third-party credentials | CMA_C1349 - Employ FICAM-approved resources to accept third-party credentials | Manual, Disabled | 1.1.0 |
Enforce user uniqueness | CMA_0250 - Enforce user uniqueness | Manual, Disabled | 1.1.0 |
Identify and authenticate non-organizational users | CMA_C1346 - Identify and authenticate non-organizational users | Manual, Disabled | 1.1.0 |
Support personal verification credentials issued by legal authorities | CMA_0507 - Support personal verification credentials issued by legal authorities | Manual, Disabled | 1.1.0 |
11220.01b1System.10-01.b 01.02 Authorized Access to Information Systems
ID: 11220.01b1System.10-01.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Assign account managers | CMA_0015 - Assign account managers | Manual, Disabled | 1.1.0 |
Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
Conduct exit interview upon termination | CMA_0058 - Conduct exit interview upon termination | Manual, Disabled | 1.1.0 |
Define and enforce conditions for shared and group accounts | CMA_0117 - Define and enforce conditions for shared and group accounts | Manual, Disabled | 1.1.0 |
Define information system account types | CMA_0121 - Define information system account types | Manual, Disabled | 1.1.0 |
Disable authenticators upon termination | CMA_0169 - Disable authenticators upon termination | Manual, Disabled | 1.1.0 |
Document access privileges | CMA_0186 - Document access privileges | Manual, Disabled | 1.1.0 |
Establish conditions for role membership | CMA_0269 - Establish conditions for role membership | Manual, Disabled | 1.1.0 |
Initiate transfer or reassignment actions | CMA_0333 - Initiate transfer or reassignment actions | Manual, Disabled | 1.1.0 |
Manage Authenticators | CMA_C1321 - Manage Authenticators | Manual, Disabled | 1.1.0 |
Modify access authorizations upon personnel transfer | CMA_0374 - Modify access authorizations upon personnel transfer | Manual, Disabled | 1.1.0 |
Monitor account activity | CMA_0377 - Monitor account activity | Manual, Disabled | 1.1.0 |
Notify Account Managers of customer controlled accounts | CMA_C1009 - Notify Account Managers of customer controlled accounts | Manual, Disabled | 1.1.0 |
Notify upon termination or transfer | CMA_0381 - Notify upon termination or transfer | Manual, Disabled | 1.1.0 |
Protect against and prevent data theft from departing employees | CMA_0398 - Protect against and prevent data theft from departing employees | Manual, Disabled | 1.1.0 |
Provide periodic security awareness training | CMA_C1091 - Provide periodic security awareness training | Manual, Disabled | 1.1.0 |
Provide security training for new users | CMA_0419 - Provide security training for new users | Manual, Disabled | 1.1.0 |
Provide updated security awareness training | CMA_C1090 - Provide updated security awareness training | Manual, Disabled | 1.1.0 |
Reevaluate access upon personnel transfer | CMA_0424 - Reevaluate access upon personnel transfer | Manual, Disabled | 1.1.0 |
Reissue authenticators for changed groups and accounts | CMA_0426 - Reissue authenticators for changed groups and accounts | Manual, Disabled | 1.1.0 |
Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
Retain terminated user data | CMA_0455 - Retain terminated user data | Manual, Disabled | 1.1.0 |
Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
Review user accounts | CMA_0480 - Review user accounts | Manual, Disabled | 1.1.0 |
Revoke privileged roles as appropriate | CMA_0483 - Revoke privileged roles as appropriate | Manual, Disabled | 1.1.0 |
1123.01q1System.2-01.q 01.05 Operating System Access Control
ID: 1123.01q1System.2-01.q Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Audit Windows machines that have extra accounts in the Administrators group | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains members that are not listed in the policy parameter. | auditIfNotExists | 2.0.0 |
Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
Design an access control model | CMA_0129 - Design an access control model | Manual, Disabled | 1.1.0 |
Employ least privilege access | CMA_0212 - Employ least privilege access | Manual, Disabled | 1.1.0 |
Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
1124.01q1System.34-01.q 01.05 Operating System Access Control
ID: 1124.01q1System.34-01.q Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define and enforce conditions for shared and group accounts | CMA_0117 - Define and enforce conditions for shared and group accounts | Manual, Disabled | 1.1.0 |
Reissue authenticators for changed groups and accounts | CMA_0426 - Reissue authenticators for changed groups and accounts | Manual, Disabled | 1.1.0 |
1125.01q2System.1-01.q 01.05 Operating System Access Control
ID: 1125.01q2System.1-01.q Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
Audit Windows machines that have the specified members in the Administrators group | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter. | auditIfNotExists | 2.0.0 |
Enforce user uniqueness | CMA_0250 - Enforce user uniqueness | Manual, Disabled | 1.1.0 |
Support personal verification credentials issued by legal authorities | CMA_0507 - Support personal verification credentials issued by legal authorities | Manual, Disabled | 1.1.0 |
1127.01q2System.3-01.q 01.05 Operating System Access Control
ID: 1127.01q2System.3-01.q Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Audit Windows machines missing any of specified members in the Administrators group | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group does not contain one or more members that are listed in the policy parameter. | auditIfNotExists | 2.0.0 |
Distribute authenticators | CMA_0184 - Distribute authenticators | Manual, Disabled | 1.1.0 |
1128.01q2System.5-01.q 01.05 Operating System Access Control
ID: 1128.01q2System.5-01.q Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
1129.01v1System.12-01.v 01.06 Application and Information Access Control
ID: 1129.01v1System.12-01.v Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
Define information system account types | CMA_0121 - Define information system account types | Manual, Disabled | 1.1.0 |
Design an access control model | CMA_0129 - Design an access control model | Manual, Disabled | 1.1.0 |
Employ least privilege access | CMA_0212 - Employ least privilege access | Manual, Disabled | 1.1.0 |
Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
Monitor account activity | CMA_0377 - Monitor account activity | Manual, Disabled | 1.1.0 |
Monitor privileged role assignment | CMA_0378 - Monitor privileged role assignment | Manual, Disabled | 1.1.0 |
Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
Revoke privileged roles as appropriate | CMA_0483 - Revoke privileged roles as appropriate | Manual, Disabled | 1.1.0 |
Use privileged identity management | CMA_0533 - Use privileged identity management | Manual, Disabled | 1.1.0 |
1130.01v2System.1-01.v 01.06 Application and Information Access Control
ID: 1130.01v2System.1-01.v Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Assign account managers | CMA_0015 - Assign account managers | Manual, Disabled | 1.1.0 |
Define information system account types | CMA_0121 - Define information system account types | Manual, Disabled | 1.1.0 |
Document access privileges | CMA_0186 - Document access privileges | Manual, Disabled | 1.1.0 |
Establish conditions for role membership | CMA_0269 - Establish conditions for role membership | Manual, Disabled | 1.1.0 |
Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
1131.01v2System.2-01.v 01.06 Application and Information Access Control
ID: 1131.01v2System.2-01.v Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
Employ flow control mechanisms of encrypted information | CMA_0211 - Employ flow control mechanisms of encrypted information | Manual, Disabled | 1.1.0 |
Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
Information flow control using security policy filters | CMA_C1029 - Information flow control using security policy filters | Manual, Disabled | 1.1.0 |
1132.01v2System.3-01.v 01.06 Application and Information Access Control
ID: 1132.01v2System.3-01.v Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Establish a data leakage management procedure | CMA_0255 - Establish a data leakage management procedure | Manual, Disabled | 1.1.0 |
Protect special information | CMA_0409 - Protect special information | Manual, Disabled | 1.1.0 |
1133.01v2System.4-01.v 01.06 Application and Information Access Control
ID: 1133.01v2System.4-01.v Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Identify actions allowed without authentication | CMA_0295 - Identify actions allowed without authentication | Manual, Disabled | 1.1.0 |
1134.01v3System.1-01.v 01.06 Application and Information Access Control
ID: 1134.01v3System.1-01.v Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Establish a data leakage management procedure | CMA_0255 - Establish a data leakage management procedure | Manual, Disabled | 1.1.0 |
Limit privileges to make changes in production environment | CMA_C1206 - Limit privileges to make changes in production environment | Manual, Disabled | 1.1.0 |
Protect special information | CMA_0409 - Protect special information | Manual, Disabled | 1.1.0 |
1135.02i1Organizational.1234-02.i 02.04 Termination or Change of Employment
ID: 1135.02i1Organizational.1234-02.i Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Conduct exit interview upon termination | CMA_0058 - Conduct exit interview upon termination | Manual, Disabled | 1.1.0 |
Disable authenticators upon termination | CMA_0169 - Disable authenticators upon termination | Manual, Disabled | 1.1.0 |
Initiate transfer or reassignment actions | CMA_0333 - Initiate transfer or reassignment actions | Manual, Disabled | 1.1.0 |
Modify access authorizations upon personnel transfer | CMA_0374 - Modify access authorizations upon personnel transfer | Manual, Disabled | 1.1.0 |
Notify upon termination or transfer | CMA_0381 - Notify upon termination or transfer | Manual, Disabled | 1.1.0 |
Protect against and prevent data theft from departing employees | CMA_0398 - Protect against and prevent data theft from departing employees | Manual, Disabled | 1.1.0 |
Reevaluate access upon personnel transfer | CMA_0424 - Reevaluate access upon personnel transfer | Manual, Disabled | 1.1.0 |
Retain terminated user data | CMA_0455 - Retain terminated user data | Manual, Disabled | 1.1.0 |
Revoke privileged roles as appropriate | CMA_0483 - Revoke privileged roles as appropriate | Manual, Disabled | 1.1.0 |
1136.02i2Organizational.1-02.i 02.04 Termination or Change of Employment
ID: 1136.02i2Organizational.1-02.i Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Conduct exit interview upon termination | CMA_0058 - Conduct exit interview upon termination | Manual, Disabled | 1.1.0 |
Disable authenticators upon termination | CMA_0169 - Disable authenticators upon termination | Manual, Disabled | 1.1.0 |
Disable user accounts posing a significant risk | CMA_C1026 - Disable user accounts posing a significant risk | Manual, Disabled | 1.1.0 |
Notify upon termination or transfer | CMA_0381 - Notify upon termination or transfer | Manual, Disabled | 1.1.0 |
Protect against and prevent data theft from departing employees | CMA_0398 - Protect against and prevent data theft from departing employees | Manual, Disabled | 1.1.0 |
Retain terminated user data | CMA_0455 - Retain terminated user data | Manual, Disabled | 1.1.0 |
1137.06e1Organizational.1-06.e 06.01 Compliance with Legal Requirements
ID: 1137.06e1Organizational.1-06.e Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
Develop organization code of conduct policy | CMA_0159 - Develop organization code of conduct policy | Manual, Disabled | 1.1.0 |
Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Prohibit unfair practices | CMA_0396 - Prohibit unfair practices | Manual, Disabled | 1.1.0 |
Review and sign revised rules of behavior | CMA_0465 - Review and sign revised rules of behavior | Manual, Disabled | 1.1.0 |
Update rules of behavior and access agreements | CMA_0521 - Update rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Update rules of behavior and access agreements every 3 years | CMA_0522 - Update rules of behavior and access agreements every 3 years | Manual, Disabled | 1.1.0 |
1139.01b1System.68-01.b 01.02 Authorized Access to Information Systems
ID: 1139.01b1System.68-01.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define and enforce conditions for shared and group accounts | CMA_0117 - Define and enforce conditions for shared and group accounts | Manual, Disabled | 1.1.0 |
Define information system account types | CMA_0121 - Define information system account types | Manual, Disabled | 1.1.0 |
Document access privileges | CMA_0186 - Document access privileges | Manual, Disabled | 1.1.0 |
Establish conditions for role membership | CMA_0269 - Establish conditions for role membership | Manual, Disabled | 1.1.0 |
Reissue authenticators for changed groups and accounts | CMA_0426 - Reissue authenticators for changed groups and accounts | Manual, Disabled | 1.1.0 |
Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
1143.01c1System.123-01.c 01.02 Authorized Access to Information Systems
ID: 1143.01c1System.123-01.c Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
Design an access control model | CMA_0129 - Design an access control model | Manual, Disabled | 1.1.0 |
Employ least privilege access | CMA_0212 - Employ least privilege access | Manual, Disabled | 1.1.0 |
Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
Management ports should be closed on your virtual machines | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | AuditIfNotExists, Disabled | 3.0.0 |
Monitor account activity | CMA_0377 - Monitor account activity | Manual, Disabled | 1.1.0 |
Notify Account Managers of customer controlled accounts | CMA_C1009 - Notify Account Managers of customer controlled accounts | Manual, Disabled | 1.1.0 |
Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
1144.01c1System.4-01.c 01.02 Authorized Access to Information Systems
ID: 1144.01c1System.4-01.c Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
A maximum of 3 owners should be designated for your subscription | It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. | AuditIfNotExists, Disabled | 3.0.0 |
Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
Design an access control model | CMA_0129 - Design an access control model | Manual, Disabled | 1.1.0 |
Employ least privilege access | CMA_0212 - Employ least privilege access | Manual, Disabled | 1.1.0 |
Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
1145.01c2System.1-01.c 01.02 Authorized Access to Information Systems
ID: 1145.01c2System.1-01.c Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
Monitor account activity | CMA_0377 - Monitor account activity | Manual, Disabled | 1.1.0 |
Monitor privileged role assignment | CMA_0378 - Monitor privileged role assignment | Manual, Disabled | 1.1.0 |
Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
Revoke privileged roles as appropriate | CMA_0483 - Revoke privileged roles as appropriate | Manual, Disabled | 1.1.0 |
There should be more than one owner assigned to your subscription | It is recommended to designate more than one subscription owner in order to have administrator access redundancy. | AuditIfNotExists, Disabled | 3.0.0 |
Use privileged identity management | CMA_0533 - Use privileged identity management | Manual, Disabled | 1.1.0 |
1146.01c2System.23-01.c 01.02 Authorized Access to Information Systems
ID: 1146.01c2System.23-01.c Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
Design an access control model | CMA_0129 - Design an access control model | Manual, Disabled | 1.1.0 |
Employ least privilege access | CMA_0212 - Employ least privilege access | Manual, Disabled | 1.1.0 |
Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
Enforce software execution privileges | CMA_C1041 - Enforce software execution privileges | Manual, Disabled | 1.1.0 |
Guest accounts with owner permissions on Azure resources should be removed | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 |
Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
1147.01c2System.456-01.c 01.02 Authorized Access to Information Systems
ID: 1147.01c2System.456-01.c Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
Blocked accounts with owner permissions on Azure resources should be removed | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 1.0.0 |
Design an access control model | CMA_0129 - Design an access control model | Manual, Disabled | 1.1.0 |
Employ least privilege access | CMA_0212 - Employ least privilege access | Manual, Disabled | 1.1.0 |
Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
1148.01c2System.78-01.c 01.02 Authorized Access to Information Systems
ID: 1148.01c2System.78-01.c Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Audit usage of custom RBAC roles | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | Audit, Disabled | 1.0.1 |
Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
Design an access control model | CMA_0129 - Design an access control model | Manual, Disabled | 1.1.0 |
Employ least privilege access | CMA_0212 - Employ least privilege access | Manual, Disabled | 1.1.0 |
Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
Windows machines should meet requirements for 'Security Options - Accounts' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Accounts' for limiting local account use of blank passwords and guest account status. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
1150.01c2System.10-01.c 01.02 Authorized Access to Information Systems
ID: 1150.01c2System.10-01.c Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
Employ flow control mechanisms of encrypted information | CMA_0211 - Employ flow control mechanisms of encrypted information | Manual, Disabled | 1.1.0 |
Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
Information flow control using security policy filters | CMA_C1029 - Information flow control using security policy filters | Manual, Disabled | 1.1.0 |
Management ports should be closed on your virtual machines | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | AuditIfNotExists, Disabled | 3.0.0 |
1151.01c3System.1-01.c 01.02 Authorized Access to Information Systems
ID: 1151.01c3System.1-01.c Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
A maximum of 3 owners should be designated for your subscription | It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. | AuditIfNotExists, Disabled | 3.0.0 |
Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
Conduct a full text analysis of logged privileged commands | CMA_0056 - Conduct a full text analysis of logged privileged commands | Manual, Disabled | 1.1.0 |
Monitor privileged role assignment | CMA_0378 - Monitor privileged role assignment | Manual, Disabled | 1.1.0 |
Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
Revoke privileged roles as appropriate | CMA_0483 - Revoke privileged roles as appropriate | Manual, Disabled | 1.1.0 |
Use privileged identity management | CMA_0533 - Use privileged identity management | Manual, Disabled | 1.1.0 |
1152.01c3System.2-01.c 01.02 Authorized Access to Information Systems
ID: 1152.01c3System.2-01.c Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
Conduct a full text analysis of logged privileged commands | CMA_0056 - Conduct a full text analysis of logged privileged commands | Manual, Disabled | 1.1.0 |
Design an access control model | CMA_0129 - Design an access control model | Manual, Disabled | 1.1.0 |
Employ least privilege access | CMA_0212 - Employ least privilege access | Manual, Disabled | 1.1.0 |
Monitor privileged role assignment | CMA_0378 - Monitor privileged role assignment | Manual, Disabled | 1.1.0 |
Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
Revoke privileged roles as appropriate | CMA_0483 - Revoke privileged roles as appropriate | Manual, Disabled | 1.1.0 |
There should be more than one owner assigned to your subscription | It is recommended to designate more than one subscription owner in order to have administrator access redundancy. | AuditIfNotExists, Disabled | 3.0.0 |
Use privileged identity management | CMA_0533 - Use privileged identity management | Manual, Disabled | 1.1.0 |
1153.01c3System.35-01.c 01.02 Authorized Access to Information Systems
ID: 1153.01c3System.35-01.c Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
Role-Based Access Control (RBAC) should be used on Kubernetes Services | To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. | Audit, Disabled | 1.0.4 |
1166.01e1System.12-01.e 01.02 Authorized Access to Information Systems
ID: 1166.01e1System.12-01.e Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
Initiate transfer or reassignment actions | CMA_0333 - Initiate transfer or reassignment actions | Manual, Disabled | 1.1.0 |
Modify access authorizations upon personnel transfer | CMA_0374 - Modify access authorizations upon personnel transfer | Manual, Disabled | 1.1.0 |
Notify Account Managers of customer controlled accounts | CMA_C1009 - Notify Account Managers of customer controlled accounts | Manual, Disabled | 1.1.0 |
Notify upon termination or transfer | CMA_0381 - Notify upon termination or transfer | Manual, Disabled | 1.1.0 |
Reevaluate access upon personnel transfer | CMA_0424 - Reevaluate access upon personnel transfer | Manual, Disabled | 1.1.0 |
Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
Review user accounts | CMA_0480 - Review user accounts | Manual, Disabled | 1.1.0 |
1167.01e2System.1-01.e 01.02 Authorized Access to Information Systems
ID: 1167.01e2System.1-01.e Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Assign system identifiers | CMA_0018 - Assign system identifiers | Manual, Disabled | 1.1.0 |
Identify status of individual users | CMA_C1316 - Identify status of individual users | Manual, Disabled | 1.1.0 |
1168.01e2System.2-01.e 01.02 Authorized Access to Information Systems
ID: 1168.01e2System.2-01.e Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Design an access control model | CMA_0129 - Design an access control model | Manual, Disabled | 1.1.0 |
Employ least privilege access | CMA_0212 - Employ least privilege access | Manual, Disabled | 1.1.0 |
Reassign or remove user privileges as needed | CMA_C1040 - Reassign or remove user privileges as needed | Manual, Disabled | 1.1.0 |
Review user privileges | CMA_C1039 - Review user privileges | Manual, Disabled | 1.1.0 |
1175.01j1Organizational.8-01.j 01.04 Network Access Control
ID: 1175.01j1Organizational.8-01.j Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
Enforce user uniqueness | CMA_0250 - Enforce user uniqueness | Manual, Disabled | 1.1.0 |
Identify and authenticate network devices | CMA_0296 - Identify and authenticate network devices | Manual, Disabled | 1.1.0 |
Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.0.0 |
Support personal verification credentials issued by legal authorities | CMA_0507 - Support personal verification credentials issued by legal authorities | Manual, Disabled | 1.1.0 |
1178.01j2Organizational.7-01.j 01.04 Network Access Control
ID: 1178.01j2Organizational.7-01.j Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Accounts with read permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
Enforce user uniqueness | CMA_0250 - Enforce user uniqueness | Manual, Disabled | 1.1.0 |
Require use of individual authenticators | CMA_C1305 - Require use of individual authenticators | Manual, Disabled | 1.1.0 |
Support personal verification credentials issued by legal authorities | CMA_0507 - Support personal verification credentials issued by legal authorities | Manual, Disabled | 1.1.0 |
1179.01j3Organizational.1-01.j 01.04 Network Access Control
ID: 1179.01j3Organizational.1-01.j Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0 |
Document mobility training | CMA_0191 - Document mobility training | Manual, Disabled | 1.1.0 |
Document remote access guidelines | CMA_0196 - Document remote access guidelines | Manual, Disabled | 1.1.0 |
Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Manual, Disabled | 1.1.0 |
Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.0.0 |
Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
1192.01l1Organizational.1-01.l 01.04 Network Access Control
ID: 1192.01l1Organizational.1-01.l Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
Define a physical key management process | CMA_0115 - Define a physical key management process | Manual, Disabled | 1.1.0 |
Establish and maintain an asset inventory | CMA_0266 - Establish and maintain an asset inventory | Manual, Disabled | 1.1.0 |
Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.0.0 |
1193.01l2Organizational.13-01.l 01.04 Network Access Control
ID: 1193.01l2Organizational.13-01.l Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
Define a physical key management process | CMA_0115 - Define a physical key management process | Manual, Disabled | 1.1.0 |
Establish and maintain an asset inventory | CMA_0266 - Establish and maintain an asset inventory | Manual, Disabled | 1.1.0 |
Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
Management ports should be closed on your virtual machines | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | AuditIfNotExists, Disabled | 3.0.0 |
1194.01l2Organizational.2-01.l 01.04 Network Access Control
ID: 1194.01l2Organizational.2-01.l Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
App Service apps should have remote debugging turned off | Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 2.0.0 |
1195.01l3Organizational.1-01.l 01.04 Network Access Control
ID: 1195.01l3Organizational.1-01.l Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Function apps should have remote debugging turned off | Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 2.0.0 |
12 Audit Logging & Monitoring
1201.06e1Organizational.2-06.e 06.01 Compliance with Legal Requirements
ID: 1201.06e1Organizational.2-06.e Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
Develop organization code of conduct policy | CMA_0159 - Develop organization code of conduct policy | Manual, Disabled | 1.1.0 |
Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Implement privacy notice delivery methods | CMA_0324 - Implement privacy notice delivery methods | Manual, Disabled | 1.1.0 |
Obtain consent prior to collection or processing of personal data | CMA_0385 - Obtain consent prior to collection or processing of personal data | Manual, Disabled | 1.1.0 |
Prohibit unfair practices | CMA_0396 - Prohibit unfair practices | Manual, Disabled | 1.1.0 |
Provide privacy notice | CMA_0414 - Provide privacy notice | Manual, Disabled | 1.1.0 |
Review and sign revised rules of behavior | CMA_0465 - Review and sign revised rules of behavior | Manual, Disabled | 1.1.0 |
Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
Update rules of behavior and access agreements | CMA_0521 - Update rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Update rules of behavior and access agreements every 3 years | CMA_0522 - Update rules of behavior and access agreements every 3 years | Manual, Disabled | 1.1.0 |
1202.09aa1System.1-09.aa 09.10 Monitoring
ID: 1202.09aa1System.1-09.aa Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Configure Azure Audit capabilities | CMA_C1108 - Configure Azure Audit capabilities | Manual, Disabled | 1.1.1 |
Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
Resource logs in Azure Data Lake Store should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
Review and update the events defined in AU-02 | CMA_C1106 - Review and update the events defined in AU-02 | Manual, Disabled | 1.1.0 |
1203.09aa1System.2-09.aa 09.10 Monitoring
ID: 1203.09aa1System.2-09.aa Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Configure Azure Audit capabilities | CMA_C1108 - Configure Azure Audit capabilities | Manual, Disabled | 1.1.1 |
Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
Resource logs in Logic Apps should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.1.0 |
1204.09aa1System.3-09.aa 09.10 Monitoring
ID: 1204.09aa1System.3-09.aa Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Configure Azure Audit capabilities | CMA_C1108 - Configure Azure Audit capabilities | Manual, Disabled | 1.1.1 |
Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
Monitor account activity | CMA_0377 - Monitor account activity | Manual, Disabled | 1.1.0 |
Resource logs in IoT Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 3.1.0 |
1205.09aa2System.1-09.aa 09.10 Monitoring
ID: 1205.09aa2System.1-09.aa Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Configure Azure Audit capabilities | CMA_C1108 - Configure Azure Audit capabilities | Manual, Disabled | 1.1.1 |
Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
Ensure audit records are not altered | CMA_C1125 - Ensure audit records are not altered | Manual, Disabled | 1.1.0 |
Provide audit review, analysis, and reporting capability | CMA_C1124 - Provide audit review, analysis, and reporting capability | Manual, Disabled | 1.1.0 |
Provide capability to process customer-controlled audit records | CMA_C1126 - Provide capability to process customer-controlled audit records | Manual, Disabled | 1.1.0 |
Resource logs in Batch accounts should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
1206.09aa2System.23-09.aa 09.10 Monitoring
ID: 1206.09aa2System.23-09.aa Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Configure Azure Audit capabilities | CMA_C1108 - Configure Azure Audit capabilities | Manual, Disabled | 1.1.1 |
Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
Employ automatic shutdown/restart when violations are detected | CMA_C1715 - Employ automatic shutdown/restart when violations are detected | Manual, Disabled | 1.1.0 |
Prohibit binary/machine-executable code | CMA_C1717 - Prohibit binary/machine-executable code | Manual, Disabled | 1.1.0 |
Verify software, firmware and information integrity | CMA_0542 - Verify software, firmware and information integrity | Manual, Disabled | 1.1.0 |
View and configure system diagnostic data | CMA_0544 - View and configure system diagnostic data | Manual, Disabled | 1.1.0 |
1207.09aa2System.4-09.aa 09.10 Monitoring
ID: 1207.09aa2System.4-09.aa Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Adhere to retention periods defined | CMA_0004 - Adhere to retention periods defined | Manual, Disabled | 1.1.0 |
Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
Configure Azure Audit capabilities | CMA_C1108 - Configure Azure Audit capabilities | Manual, Disabled | 1.1.1 |
Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
Enable dual or joint authorization | CMA_0226 - Enable dual or joint authorization | Manual, Disabled | 1.1.0 |
Govern and monitor audit processing activities | CMA_0289 - Govern and monitor audit processing activities | Manual, Disabled | 1.1.0 |
Protect audit information | CMA_0401 - Protect audit information | Manual, Disabled | 1.1.0 |
Resource logs in Azure Stream Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
Resource logs in Event Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
Retain security policies and procedures | CMA_0454 - Retain security policies and procedures | Manual, Disabled | 1.1.0 |
Retain terminated user data | CMA_0455 - Retain terminated user data | Manual, Disabled | 1.1.0 |
Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
1208.09aa3System.1-09.aa 09.10 Monitoring
ID: 1208.09aa3System.1-09.aa Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
Automate account management | CMA_0026 - Automate account management | Manual, Disabled | 1.1.0 |
Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
Configure Azure Audit capabilities | CMA_C1108 - Configure Azure Audit capabilities | Manual, Disabled | 1.1.1 |
Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Manual, Disabled | 1.1.0 |
Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
Manage system and admin accounts | CMA_0368 - Manage system and admin accounts | Manual, Disabled | 1.1.0 |
Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
Notify when account is not needed | CMA_0383 - Notify when account is not needed | Manual, Disabled | 1.1.0 |
Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
Resource logs in Search services should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
Resource logs in Service Bus should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
Verify software, firmware and information integrity | CMA_0542 - Verify software, firmware and information integrity | Manual, Disabled | 1.1.0 |
1209.09aa3System.2-09.aa 09.10 Monitoring
ID: 1209.09aa3System.2-09.aa Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
App Service apps should have resource logs enabled | Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. | AuditIfNotExists, Disabled | 2.0.1 |
Configure Azure Audit capabilities | CMA_C1108 - Configure Azure Audit capabilities | Manual, Disabled | 1.1.1 |
Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
1210.09aa3System.3-09.aa 09.10 Monitoring
ID: 1210.09aa3System.3-09.aa Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Adhere to retention periods defined | CMA_0004 - Adhere to retention periods defined | Manual, Disabled | 1.1.0 |
Audit diagnostic setting for selected resource types | Audit diagnostic setting for selected resource types. Be sure to select only resource types which support diagnostics settings. | AuditIfNotExists | 2.0.1 |
Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
Resource logs in Data Lake Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
Retain security policies and procedures | CMA_0454 - Retain security policies and procedures | Manual, Disabled | 1.1.0 |
Retain terminated user data | CMA_0455 - Retain terminated user data | Manual, Disabled | 1.1.0 |
Review and update the events defined in AU-02 | CMA_C1106 - Review and update the events defined in AU-02 | Manual, Disabled | 1.1.0 |
Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
Use system clocks for audit records | CMA_0535 - Use system clocks for audit records | Manual, Disabled | 1.1.0 |
12100.09ab2System.15-09.ab 09.10 Monitoring
ID: 12100.09ab2System.15-09.ab Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Discover any indicators of compromise | CMA_C1702 - Discover any indicators of compromise | Manual, Disabled | 1.1.0 |
Document wireless access security controls | CMA_C1695 - Document wireless access security controls | Manual, Disabled | 1.1.0 |
Virtual machines should have the Log Analytics extension installed | This policy audits any Windows/Linux virtual machines if the Log Analytics extension is not installed. | AuditIfNotExists, Disabled | 1.0.1 |
12101.09ab1Organizational.3-09.ab 09.10 Monitoring
ID: 12101.09ab1Organizational.3-09.ab Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Adjust level of audit review, analysis, and reporting | CMA_C1123 - Adjust level of audit review, analysis, and reporting | Manual, Disabled | 1.1.0 |
Correlate audit records | CMA_0087 - Correlate audit records | Manual, Disabled | 1.1.0 |
Develop audit and accountability policies and procedures | CMA_0154 - Develop audit and accountability policies and procedures | Manual, Disabled | 1.1.0 |
Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Manual, Disabled | 1.1.0 |
Establish requirements for audit review and reporting | CMA_0277 - Establish requirements for audit review and reporting | Manual, Disabled | 1.1.0 |
Govern policies and procedures | CMA_0292 - Govern policies and procedures | Manual, Disabled | 1.1.0 |
Integrate audit review, analysis, and reporting | CMA_0339 - Integrate audit review, analysis, and reporting | Manual, Disabled | 1.1.0 |
Integrate cloud app security with a siem | CMA_0340 - Integrate cloud app security with a siem | Manual, Disabled | 1.1.0 |
Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
Review administrator assignments weekly | CMA_0461 - Review administrator assignments weekly | Manual, Disabled | 1.1.0 |
Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
Review cloud identity report overview | CMA_0468 - Review cloud identity report overview | Manual, Disabled | 1.1.0 |
Review controlled folder access events | CMA_0471 - Review controlled folder access events | Manual, Disabled | 1.1.0 |
Review file and folder activity | CMA_0473 - Review file and folder activity | Manual, Disabled | 1.1.0 |
Review role group changes weekly | CMA_0476 - Review role group changes weekly | Manual, Disabled | 1.1.0 |
Specify permitted actions associated with customer audit information | CMA_C1122 - Specify permitted actions associated with customer audit information | Manual, Disabled | 1.1.0 |
The Log Analytics extension should be installed on Virtual Machine Scale Sets | This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics extension is not installed. | AuditIfNotExists, Disabled | 1.0.1 |
Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
12102.09ab1Organizational.4-09.ab 09.10 Monitoring
ID: 12102.09ab1Organizational.4-09.ab Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Audit Windows machines on which the Log Analytics agent is not connected as expected | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the agent is not installed, or if it is installed but the COM object AgentConfigManager.MgmtSvcCfg returns that it is registered to a workspace other than the ID specified in the policy parameter. | auditIfNotExists | 2.0.0 |
Conduct incident response testing | CMA_0060 - Conduct incident response testing | Manual, Disabled | 1.1.0 |
Develop POA&M | CMA_C1156 - Develop POA&M | Manual, Disabled | 1.1.0 |
Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
Run simulation attacks | CMA_0486 - Run simulation attacks | Manual, Disabled | 1.1.0 |
Select additional testing for security control assessments | CMA_C1149 - Select additional testing for security control assessments | Manual, Disabled | 1.1.0 |
Update POA&M items | CMA_C1157 - Update POA&M items | Manual, Disabled | 1.1.0 |
12103.09ab1Organizational.5-09.ab 09.10 Monitoring
ID: 12103.09ab1Organizational.5-09.ab Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Correlate audit records | CMA_0087 - Correlate audit records | Manual, Disabled | 1.1.0 |
Establish requirements for audit review and reporting | CMA_0277 - Establish requirements for audit review and reporting | Manual, Disabled | 1.1.0 |
Integrate audit review, analysis, and reporting | CMA_0339 - Integrate audit review, analysis, and reporting | Manual, Disabled | 1.1.0 |
Integrate cloud app security with a siem | CMA_0340 - Integrate cloud app security with a siem | Manual, Disabled | 1.1.0 |
Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
Review administrator assignments weekly | CMA_0461 - Review administrator assignments weekly | Manual, Disabled | 1.1.0 |
Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
Review cloud identity report overview | CMA_0468 - Review cloud identity report overview | Manual, Disabled | 1.1.0 |
Review controlled folder access events | CMA_0471 - Review controlled folder access events | Manual, Disabled | 1.1.0 |
Review file and folder activity | CMA_0473 - Review file and folder activity | Manual, Disabled | 1.1.0 |
Review role group changes weekly | CMA_0476 - Review role group changes weekly | Manual, Disabled | 1.1.0 |
1211.09aa3System.4-09.aa 09.10 Monitoring
ID: 1211.09aa3System.4-09.aa Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Adhere to retention periods defined | CMA_0004 - Adhere to retention periods defined | Manual, Disabled | 1.1.0 |
Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | AuditIfNotExists, Disabled | 2.0.0 |
Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
Perform disposition review | CMA_0391 - Perform disposition review | Manual, Disabled | 1.1.0 |
Resource logs in Azure Key Vault Managed HSM should be enabled | To recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised, you may want to audit by enabling resource logs on Managed HSMs. Please follow the instructions here: https://docs.microsoft.com/azure/key-vault/managed-hsm/logging. | AuditIfNotExists, Disabled | 1.1.0 |
Resource logs in Key Vault should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
Verify personal data is deleted at the end of processing | CMA_0540 - Verify personal data is deleted at the end of processing | Manual, Disabled | 1.1.0 |
1212.09ab1System.1-09.ab 09.10 Monitoring
ID: 1212.09ab1System.1-09.ab Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' | This policy ensures that a log profile collects logs for categories 'write,' 'delete,' and 'action' | AuditIfNotExists, Disabled | 1.0.0 |
Obtain legal opinion for monitoring system activities | CMA_C1688 - Obtain legal opinion for monitoring system activities | Manual, Disabled | 1.1.0 |
Provide monitoring information as needed | CMA_C1689 - Provide monitoring information as needed | Manual, Disabled | 1.1.0 |
1213.09ab2System.128-09.ab 09.10 Monitoring
ID: 1213.09ab2System.128-09.ab Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Authorize, monitor, and control voip | CMA_0025 - Authorize, monitor, and control voip | Manual, Disabled | 1.1.0 |
Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
1214.09ab2System.3456-09.ab 09.10 Monitoring
ID: 1214.09ab2System.3456-09.ab Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
Azure Monitor should collect activity logs from all regions | This policy audits the Azure Monitor log profile which does not export activities from all Azure supported regions including global. | AuditIfNotExists, Disabled | 2.0.0 |
Conduct a full text analysis of logged privileged commands | CMA_0056 - Conduct a full text analysis of logged privileged commands | Manual, Disabled | 1.1.0 |
Configure Azure Audit capabilities | CMA_C1108 - Configure Azure Audit capabilities | Manual, Disabled | 1.1.1 |
Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
Monitor privileged role assignment | CMA_0378 - Monitor privileged role assignment | Manual, Disabled | 1.1.0 |
Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
Revoke privileged roles as appropriate | CMA_0483 - Revoke privileged roles as appropriate | Manual, Disabled | 1.1.0 |
Use privileged identity management | CMA_0533 - Use privileged identity management | Manual, Disabled | 1.1.0 |
1215.09ab2System.7-09.ab 09.10 Monitoring
ID: 1215.09ab2System.7-09.ab Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Ensure audit records are not altered | CMA_C1125 - Ensure audit records are not altered | Manual, Disabled | 1.1.0 |
Provide audit review, analysis, and reporting capability | CMA_C1124 - Provide audit review, analysis, and reporting capability | Manual, Disabled | 1.1.0 |
Provide capability to process customer-controlled audit records | CMA_C1126 - Provide capability to process customer-controlled audit records | Manual, Disabled | 1.1.0 |
Virtual machines should have the Log Analytics extension installed | This policy audits any Windows/Linux virtual machines if the Log Analytics extension is not installed. | AuditIfNotExists, Disabled | 1.0.1 |
1216.09ab3System.12-09.ab 09.10 Monitoring
ID: 1216.09ab3System.12-09.ab Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Alert personnel of information spillage | CMA_0007 - Alert personnel of information spillage | Manual, Disabled | 1.1.0 |
Configure Azure Audit capabilities | CMA_C1108 - Configure Azure Audit capabilities | Manual, Disabled | 1.1.1 |
Correlate audit records | CMA_0087 - Correlate audit records | Manual, Disabled | 1.1.0 |
Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
Document security operations | CMA_0202 - Document security operations | Manual, Disabled | 1.1.0 |
Establish requirements for audit review and reporting | CMA_0277 - Establish requirements for audit review and reporting | Manual, Disabled | 1.1.0 |
Integrate audit review, analysis, and reporting | CMA_0339 - Integrate audit review, analysis, and reporting | Manual, Disabled | 1.1.0 |
Integrate cloud app security with a siem | CMA_0340 - Integrate cloud app security with a siem | Manual, Disabled | 1.1.0 |
Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
Review administrator assignments weekly | CMA_0461 - Review administrator assignments weekly | Manual, Disabled | 1.1.0 |
Review and update the events defined in AU-02 | CMA_C1106 - Review and update the events defined in AU-02 | Manual, Disabled | 1.1.0 |
Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
Review cloud identity report overview | CMA_0468 - Review cloud identity report overview | Manual, Disabled | 1.1.0 |
Review controlled folder access events | CMA_0471 - Review controlled folder access events | Manual, Disabled | 1.1.0 |
Review file and folder activity | CMA_0473 - Review file and folder activity | Manual, Disabled | 1.1.0 |
Review role group changes weekly | CMA_0476 - Review role group changes weekly | Manual, Disabled | 1.1.0 |
Set automated notifications for new and trending cloud applications in your organization | CMA_0495 - Set automated notifications for new and trending cloud applications in your organization | Manual, Disabled | 1.1.0 |
The Log Analytics extension should be installed on Virtual Machine Scale Sets | This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics extension is not installed. | AuditIfNotExists, Disabled | 1.0.1 |
Turn on sensors for endpoint security solution | CMA_0514 - Turn on sensors for endpoint security solution | Manual, Disabled | 1.1.0 |
1217.09ab3System.3-09.ab 09.10 Monitoring
ID: 1217.09ab3System.3-09.ab Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Alert personnel of information spillage | CMA_0007 - Alert personnel of information spillage | Manual, Disabled | 1.1.0 |
Audit Windows machines on which the Log Analytics agent is not connected as expected | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the agent is not installed, or if it is installed but the COM object AgentConfigManager.MgmtSvcCfg returns that it is registered to a workspace other than the ID specified in the policy parameter. | auditIfNotExists | 2.0.0 |
Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
Document wireless access security controls | CMA_C1695 - Document wireless access security controls | Manual, Disabled | 1.1.0 |
Set automated notifications for new and trending cloud applications in your organization | CMA_0495 - Set automated notifications for new and trending cloud applications in your organization | Manual, Disabled | 1.1.0 |
1218.09ab3System.47-09.ab 09.10 Monitoring
ID: 1218.09ab3System.47-09.ab Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Alert personnel of information spillage | CMA_0007 - Alert personnel of information spillage | Manual, Disabled | 1.1.0 |
Authorize, monitor, and control voip | CMA_0025 - Authorize, monitor, and control voip | Manual, Disabled | 1.1.0 |
Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
Document security operations | CMA_0202 - Document security operations | Manual, Disabled | 1.1.0 |
Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
Set automated notifications for new and trending cloud applications in your organization | CMA_0495 - Set automated notifications for new and trending cloud applications in your organization | Manual, Disabled | 1.1.0 |
Turn on sensors for endpoint security solution | CMA_0514 - Turn on sensors for endpoint security solution | Manual, Disabled | 1.1.0 |
1219.09ab3System.10-09.ab 09.10 Monitoring
ID: 1219.09ab3System.10-09.ab Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' | This policy ensures that a log profile collects logs for categories 'write,' 'delete,' and 'action' | AuditIfNotExists, Disabled | 1.0.0 |
Ensure audit records are not altered | CMA_C1125 - Ensure audit records are not altered | Manual, Disabled | 1.1.0 |
Provide audit review, analysis, and reporting capability | CMA_C1124 - Provide audit review, analysis, and reporting capability | Manual, Disabled | 1.1.0 |
Provide capability to process customer-controlled audit records | CMA_C1126 - Provide capability to process customer-controlled audit records | Manual, Disabled | 1.1.0 |
1220.09ab3System.56-09.ab 09.10 Monitoring
ID: 1220.09ab3System.56-09.ab Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Authorize, monitor, and control voip | CMA_0025 - Authorize, monitor, and control voip | Manual, Disabled | 1.1.0 |
Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
Verify software, firmware and information integrity | CMA_0542 - Verify software, firmware and information integrity | Manual, Disabled | 1.1.0 |
View and configure system diagnostic data | CMA_0544 - View and configure system diagnostic data | Manual, Disabled | 1.1.0 |
1222.09ab3System.8-09.ab 09.10 Monitoring
ID: 1222.09ab3System.8-09.ab Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Alert personnel of information spillage | CMA_0007 - Alert personnel of information spillage | Manual, Disabled | 1.1.0 |
Correlate audit records | CMA_0087 - Correlate audit records | Manual, Disabled | 1.1.0 |
Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
Disseminate security alerts to personnel | CMA_C1705 - Disseminate security alerts to personnel | Manual, Disabled | 1.1.0 |
Establish a threat intelligence program | CMA_0260 - Establish a threat intelligence program | Manual, Disabled | 1.1.0 |
Generate internal security alerts | CMA_C1704 - Generate internal security alerts | Manual, Disabled | 1.1.0 |
Implement security directives | CMA_C1706 - Implement security directives | Manual, Disabled | 1.1.0 |
Integrate cloud app security with a siem | CMA_0340 - Integrate cloud app security with a siem | Manual, Disabled | 1.1.0 |
Provide capability to process customer-controlled audit records | CMA_C1126 - Provide capability to process customer-controlled audit records | Manual, Disabled | 1.1.0 |
Set automated notifications for new and trending cloud applications in your organization | CMA_0495 - Set automated notifications for new and trending cloud applications in your organization | Manual, Disabled | 1.1.0 |
1229.09c1Organizational.1-09.c 09.01 Documented Operating Procedures
ID: 1229.09c1Organizational.1-09.c Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define access authorizations to support separation of duties | CMA_0116 - Define access authorizations to support separation of duties | Manual, Disabled | 1.1.0 |
Document separation of duties | CMA_0204 - Document separation of duties | Manual, Disabled | 1.1.0 |
Role-Based Access Control (RBAC) should be used on Kubernetes Services | To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. | Audit, Disabled | 1.0.4 |
Separate duties of individuals | CMA_0492 - Separate duties of individuals | Manual, Disabled | 1.1.0 |
1230.09c2Organizational.1-09.c 09.01 Documented Operating Procedures
ID: 1230.09c2Organizational.1-09.c Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
Audit usage of custom RBAC roles | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | Audit, Disabled | 1.0.1 |
Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
Configure Azure Audit capabilities | CMA_C1108 - Configure Azure Audit capabilities | Manual, Disabled | 1.1.1 |
Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
Separate duties of individuals | CMA_0492 - Separate duties of individuals | Manual, Disabled | 1.1.0 |
1231.09c2Organizational.23-09.c 09.01 Documented Operating Procedures
ID: 1231.09c2Organizational.23-09.c Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define access authorizations to support separation of duties | CMA_0116 - Define access authorizations to support separation of duties | Manual, Disabled | 1.1.0 |
Document separation of duties | CMA_0204 - Document separation of duties | Manual, Disabled | 1.1.0 |
Separate duties of individuals | CMA_0492 - Separate duties of individuals | Manual, Disabled | 1.1.0 |
1232.09c3Organizational.12-09.c 09.01 Documented Operating Procedures
ID: 1232.09c3Organizational.12-09.c Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
Conduct a full text analysis of logged privileged commands | CMA_0056 - Conduct a full text analysis of logged privileged commands | Manual, Disabled | 1.1.0 |
Define access authorizations to support separation of duties | CMA_0116 - Define access authorizations to support separation of duties | Manual, Disabled | 1.1.0 |
Design an access control model | CMA_0129 - Design an access control model | Manual, Disabled | 1.1.0 |
Document separation of duties | CMA_0204 - Document separation of duties | Manual, Disabled | 1.1.0 |
Employ least privilege access | CMA_0212 - Employ least privilege access | Manual, Disabled | 1.1.0 |
Enable dual or joint authorization | CMA_0226 - Enable dual or joint authorization | Manual, Disabled | 1.1.0 |
Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
Enforce software execution privileges | CMA_C1041 - Enforce software execution privileges | Manual, Disabled | 1.1.0 |
Monitor privileged role assignment | CMA_0378 - Monitor privileged role assignment | Manual, Disabled | 1.1.0 |
Protect audit information | CMA_0401 - Protect audit information | Manual, Disabled | 1.1.0 |
Reassign or remove user privileges as needed | CMA_C1040 - Reassign or remove user privileges as needed | Manual, Disabled | 1.1.0 |
Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
Review user privileges | CMA_C1039 - Review user privileges | Manual, Disabled | 1.1.0 |
Revoke privileged roles as appropriate | CMA_0483 - Revoke privileged roles as appropriate | Manual, Disabled | 1.1.0 |
Separate duties of individuals | CMA_0492 - Separate duties of individuals | Manual, Disabled | 1.1.0 |
Use privileged identity management | CMA_0533 - Use privileged identity management | Manual, Disabled | 1.1.0 |
Windows machines should meet requirements for 'User Rights Assignment' | Windows machines should have the specified Group Policy settings in the category 'User Rights Assignment' for allowing log on locally, RDP, access from the network, and many other user activities. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
1233.09c3Organizational.3-09.c 09.01 Documented Operating Procedures
ID: 1233.09c3Organizational.3-09.c Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define access authorizations to support separation of duties | CMA_0116 - Define access authorizations to support separation of duties | Manual, Disabled | 1.1.0 |
Document separation of duties | CMA_0204 - Document separation of duties | Manual, Disabled | 1.1.0 |
Separate duties of individuals | CMA_0492 - Separate duties of individuals | Manual, Disabled | 1.1.0 |
1270.09ad1System.12-09.ad 09.10 Monitoring
ID: 1270.09ad1System.12-09.ad Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
An activity log alert should exist for specific Administrative operations | This policy audits specific Administrative operations with no activity log alerts configured. | AuditIfNotExists, Disabled | 1.0.0 |
Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
Conduct a full text analysis of logged privileged commands | CMA_0056 - Conduct a full text analysis of logged privileged commands | Manual, Disabled | 1.1.0 |
Correlate audit records | CMA_0087 - Correlate audit records | Manual, Disabled | 1.1.0 |
Establish requirements for audit review and reporting | CMA_0277 - Establish requirements for audit review and reporting | Manual, Disabled | 1.1.0 |
Integrate audit review, analysis, and reporting | CMA_0339 - Integrate audit review, analysis, and reporting | Manual, Disabled | 1.1.0 |
Integrate cloud app security with a siem | CMA_0340 - Integrate cloud app security with a siem | Manual, Disabled | 1.1.0 |
Monitor privileged role assignment | CMA_0378 - Monitor privileged role assignment | Manual, Disabled | 1.1.0 |
Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
Review administrator assignments weekly | CMA_0461 - Review administrator assignments weekly | Manual, Disabled | 1.1.0 |
Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
Review cloud identity report overview | CMA_0468 - Review cloud identity report overview | Manual, Disabled | 1.1.0 |
Review controlled folder access events | CMA_0471 - Review controlled folder access events | Manual, Disabled | 1.1.0 |
Review file and folder activity | CMA_0473 - Review file and folder activity | Manual, Disabled | 1.1.0 |
Review role group changes weekly | CMA_0476 - Review role group changes weekly | Manual, Disabled | 1.1.0 |
Revoke privileged roles as appropriate | CMA_0483 - Revoke privileged roles as appropriate | Manual, Disabled | 1.1.0 |
Use privileged identity management | CMA_0533 - Use privileged identity management | Manual, Disabled | 1.1.0 |
1271.09ad1System.1-09.ad 09.10 Monitoring
ID: 1271.09ad1System.1-09.ad Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
An activity log alert should exist for specific Administrative operations | This policy audits specific Administrative operations with no activity log alerts configured. | AuditIfNotExists, Disabled | 1.0.0 |
Define access authorizations to support separation of duties | CMA_0116 - Define access authorizations to support separation of duties | Manual, Disabled | 1.1.0 |
Design an access control model | CMA_0129 - Design an access control model | Manual, Disabled | 1.1.0 |
Document separation of duties | CMA_0204 - Document separation of duties | Manual, Disabled | 1.1.0 |
Employ least privilege access | CMA_0212 - Employ least privilege access | Manual, Disabled | 1.1.0 |
Protect audit information | CMA_0401 - Protect audit information | Manual, Disabled | 1.1.0 |
Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
Separate duties of individuals | CMA_0492 - Separate duties of individuals | Manual, Disabled | 1.1.0 |
1271.09ad2System.1 09.10 Monitoring
ID: 1271.09ad2System.1 Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define access authorizations to support separation of duties | CMA_0116 - Define access authorizations to support separation of duties | Manual, Disabled | 1.1.0 |
Design an access control model | CMA_0129 - Design an access control model | Manual, Disabled | 1.1.0 |
Document separation of duties | CMA_0204 - Document separation of duties | Manual, Disabled | 1.1.0 |
Employ least privilege access | CMA_0212 - Employ least privilege access | Manual, Disabled | 1.1.0 |
Protect audit information | CMA_0401 - Protect audit information | Manual, Disabled | 1.1.0 |
Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
Separate duties of individuals | CMA_0492 - Separate duties of individuals | Manual, Disabled | 1.1.0 |
1276.09c2Organizational.2-09.c 09.01 Documented Operating Procedures
ID: 1276.09c2Organizational.2-09.c Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
Conduct a full text analysis of logged privileged commands | CMA_0056 - Conduct a full text analysis of logged privileged commands | Manual, Disabled | 1.1.0 |
Define access authorizations to support separation of duties | CMA_0116 - Define access authorizations to support separation of duties | Manual, Disabled | 1.1.0 |
Design an access control model | CMA_0129 - Design an access control model | Manual, Disabled | 1.1.0 |
Document separation of duties | CMA_0204 - Document separation of duties | Manual, Disabled | 1.1.0 |
Employ least privilege access | CMA_0212 - Employ least privilege access | Manual, Disabled | 1.1.0 |
Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
Enforce software execution privileges | CMA_C1041 - Enforce software execution privileges | Manual, Disabled | 1.1.0 |
Monitor privileged role assignment | CMA_0378 - Monitor privileged role assignment | Manual, Disabled | 1.1.0 |
Protect audit information | CMA_0401 - Protect audit information | Manual, Disabled | 1.1.0 |
Reassign or remove user privileges as needed | CMA_C1040 - Reassign or remove user privileges as needed | Manual, Disabled | 1.1.0 |
Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
Review user privileges | CMA_C1039 - Review user privileges | Manual, Disabled | 1.1.0 |
Revoke privileged roles as appropriate | CMA_0483 - Revoke privileged roles as appropriate | Manual, Disabled | 1.1.0 |
Separate duties of individuals | CMA_0492 - Separate duties of individuals | Manual, Disabled | 1.1.0 |
Use privileged identity management | CMA_0533 - Use privileged identity management | Manual, Disabled | 1.1.0 |
1277.09c2Organizational.4-09.c 09.01 Documented Operating Procedures
ID: 1277.09c2Organizational.4-09.c Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define access authorizations to support separation of duties | CMA_0116 - Define access authorizations to support separation of duties | Manual, Disabled | 1.1.0 |
Document separation of duties | CMA_0204 - Document separation of duties | Manual, Disabled | 1.1.0 |
Separate duties of individuals | CMA_0492 - Separate duties of individuals | Manual, Disabled | 1.1.0 |
Windows machines should meet requirements for 'Security Options - User Account Control' | Windows machines should have the specified Group Policy settings in the category 'Security Options - User Account Control' for mode for admins, behavior of elevation prompt, and virtualizing file and registry write failures. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
1278.09c2Organizational.56-09.c 09.01 Documented Operating Procedures
ID: 1278.09c2Organizational.56-09.c Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define access authorizations to support separation of duties | CMA_0116 - Define access authorizations to support separation of duties | Manual, Disabled | 1.1.0 |
Document separation of duties | CMA_0204 - Document separation of duties | Manual, Disabled | 1.1.0 |
Separate duties of individuals | CMA_0492 - Separate duties of individuals | Manual, Disabled | 1.1.0 |
1279.09c3Organizational.4-09.c 09.01 Documented Operating Procedures
ID: 1279.09c3Organizational.4-09.c Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define access authorizations to support separation of duties | CMA_0116 - Define access authorizations to support separation of duties | Manual, Disabled | 1.1.0 |
Document separation of duties | CMA_0204 - Document separation of duties | Manual, Disabled | 1.1.0 |
Separate duties of individuals | CMA_0492 - Separate duties of individuals | Manual, Disabled | 1.1.0 |
13 Education, Training and Awareness
1301.02e1Organizational.12-02.e 02.03 During Employment
ID: 1301.02e1Organizational.12-02.e Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
Develop organization code of conduct policy | CMA_0159 - Develop organization code of conduct policy | Manual, Disabled | 1.1.0 |
Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Prohibit unfair practices | CMA_0396 - Prohibit unfair practices | Manual, Disabled | 1.1.0 |
Provide periodic role-based security training | CMA_C1095 - Provide periodic role-based security training | Manual, Disabled | 1.1.0 |
Provide periodic security awareness training | CMA_C1091 - Provide periodic security awareness training | Manual, Disabled | 1.1.0 |
Provide role-based practical exercises | CMA_C1096 - Provide role-based practical exercises | Manual, Disabled | 1.1.0 |
Provide role-based security training | CMA_C1094 - Provide role-based security training | Manual, Disabled | 1.1.0 |
Provide role-based training on suspicious activities | CMA_C1097 - Provide role-based training on suspicious activities | Manual, Disabled | 1.1.0 |
Provide security awareness training for insider threats | CMA_0417 - Provide security awareness training for insider threats | Manual, Disabled | 1.1.0 |
Provide security training before providing access | CMA_0418 - Provide security training before providing access | Manual, Disabled | 1.1.0 |
Provide security training for new users | CMA_0419 - Provide security training for new users | Manual, Disabled | 1.1.0 |
Provide updated security awareness training | CMA_C1090 - Provide updated security awareness training | Manual, Disabled | 1.1.0 |
Review and sign revised rules of behavior | CMA_0465 - Review and sign revised rules of behavior | Manual, Disabled | 1.1.0 |
Update rules of behavior and access agreements | CMA_0521 - Update rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Update rules of behavior and access agreements every 3 years | CMA_0522 - Update rules of behavior and access agreements every 3 years | Manual, Disabled | 1.1.0 |
1302.02e2Organizational.134-02.e 02.03 During Employment
ID: 1302.02e2Organizational.134-02.e Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
Develop organization code of conduct policy | CMA_0159 - Develop organization code of conduct policy | Manual, Disabled | 1.1.0 |
Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Implement a threat awareness program | CMA_C1758 - Implement a threat awareness program | Manual, Disabled | 1.1.0 |
Implement an insider threat program | CMA_C1751 - Implement an insider threat program | Manual, Disabled | 1.1.0 |
Monitor security and privacy training completion | CMA_0379 - Monitor security and privacy training completion | Manual, Disabled | 1.1.0 |
Prohibit unfair practices | CMA_0396 - Prohibit unfair practices | Manual, Disabled | 1.1.0 |
Provide periodic security awareness training | CMA_C1091 - Provide periodic security awareness training | Manual, Disabled | 1.1.0 |
Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
Provide security awareness training for insider threats | CMA_0417 - Provide security awareness training for insider threats | Manual, Disabled | 1.1.0 |
Provide security training for new users | CMA_0419 - Provide security training for new users | Manual, Disabled | 1.1.0 |
Provide updated security awareness training | CMA_C1090 - Provide updated security awareness training | Manual, Disabled | 1.1.0 |
Retain training records | CMA_0456 - Retain training records | Manual, Disabled | 1.1.0 |
Review and sign revised rules of behavior | CMA_0465 - Review and sign revised rules of behavior | Manual, Disabled | 1.1.0 |
Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
Update rules of behavior and access agreements | CMA_0521 - Update rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Update rules of behavior and access agreements every 3 years | CMA_0522 - Update rules of behavior and access agreements every 3 years | Manual, Disabled | 1.1.0 |
1303.02e2Organizational.2-02.e 02.03 During Employment
ID: 1303.02e2Organizational.2-02.e Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
Develop organization code of conduct policy | CMA_0159 - Develop organization code of conduct policy | Manual, Disabled | 1.1.0 |
Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Prohibit unfair practices | CMA_0396 - Prohibit unfair practices | Manual, Disabled | 1.1.0 |
Review and sign revised rules of behavior | CMA_0465 - Review and sign revised rules of behavior | Manual, Disabled | 1.1.0 |
Update rules of behavior and access agreements | CMA_0521 - Update rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Update rules of behavior and access agreements every 3 years | CMA_0522 - Update rules of behavior and access agreements every 3 years | Manual, Disabled | 1.1.0 |
1304.02e3Organizational.1-02.e 02.03 During Employment
ID: 1304.02e3Organizational.1-02.e Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Provide contingency training | CMA_0412 - Provide contingency training | Manual, Disabled | 1.1.0 |
Provide information spillage training | CMA_0413 - Provide information spillage training | Manual, Disabled | 1.1.0 |
Provide periodic role-based security training | CMA_C1095 - Provide periodic role-based security training | Manual, Disabled | 1.1.0 |
Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
Provide role-based security training | CMA_C1094 - Provide role-based security training | Manual, Disabled | 1.1.0 |
Provide security training before providing access | CMA_0418 - Provide security training before providing access | Manual, Disabled | 1.1.0 |
Provide security training for new users | CMA_0419 - Provide security training for new users | Manual, Disabled | 1.1.0 |
Require developers to provide training | CMA_C1611 - Require developers to provide training | Manual, Disabled | 1.1.0 |
Train personnel on disclosure of nonpublic information | CMA_C1084 - Train personnel on disclosure of nonpublic information | Manual, Disabled | 1.1.0 |
1305.02e3Organizational.23-02.e 02.03 During Employment
ID: 1305.02e3Organizational.23-02.e Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
Monitor security and privacy training completion | CMA_0379 - Monitor security and privacy training completion | Manual, Disabled | 1.1.0 |
Retain training records | CMA_0456 - Retain training records | Manual, Disabled | 1.1.0 |
1306.06e1Organizational.5-06.e 06.01 Compliance with Legal Requirements
ID: 1306.06e1Organizational.5-06.e Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
Develop organization code of conduct policy | CMA_0159 - Develop organization code of conduct policy | Manual, Disabled | 1.1.0 |
Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Implement formal sanctions process | CMA_0317 - Implement formal sanctions process | Manual, Disabled | 1.1.0 |
Notify personnel upon sanctions | CMA_0380 - Notify personnel upon sanctions | Manual, Disabled | 1.1.0 |
Prohibit unfair practices | CMA_0396 - Prohibit unfair practices | Manual, Disabled | 1.1.0 |
Review and sign revised rules of behavior | CMA_0465 - Review and sign revised rules of behavior | Manual, Disabled | 1.1.0 |
Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
Update rules of behavior and access agreements | CMA_0521 - Update rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Update rules of behavior and access agreements every 3 years | CMA_0522 - Update rules of behavior and access agreements every 3 years | Manual, Disabled | 1.1.0 |
1307.07c1Organizational.124-07.c 07.01 Responsibility for Assets
ID: 1307.07c1Organizational.124-07.c Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
Develop organization code of conduct policy | CMA_0159 - Develop organization code of conduct policy | Manual, Disabled | 1.1.0 |
Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Prohibit unfair practices | CMA_0396 - Prohibit unfair practices | Manual, Disabled | 1.1.0 |
Review and sign revised rules of behavior | CMA_0465 - Review and sign revised rules of behavior | Manual, Disabled | 1.1.0 |
Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
Update rules of behavior and access agreements | CMA_0521 - Update rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Update rules of behavior and access agreements every 3 years | CMA_0522 - Update rules of behavior and access agreements every 3 years | Manual, Disabled | 1.1.0 |
1308.09j1Organizational.5-09.j 09.04 Protection Against Malicious and Mobile Code
ID: 1308.09j1Organizational.5-09.j Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
Develop organization code of conduct policy | CMA_0159 - Develop organization code of conduct policy | Manual, Disabled | 1.1.0 |
Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Prohibit unfair practices | CMA_0396 - Prohibit unfair practices | Manual, Disabled | 1.1.0 |
Provide periodic security awareness training | CMA_C1091 - Provide periodic security awareness training | Manual, Disabled | 1.1.0 |
Provide security training for new users | CMA_0419 - Provide security training for new users | Manual, Disabled | 1.1.0 |
Provide updated security awareness training | CMA_C1090 - Provide updated security awareness training | Manual, Disabled | 1.1.0 |
Review and sign revised rules of behavior | CMA_0465 - Review and sign revised rules of behavior | Manual, Disabled | 1.1.0 |
Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
Update rules of behavior and access agreements | CMA_0521 - Update rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Update rules of behavior and access agreements every 3 years | CMA_0522 - Update rules of behavior and access agreements every 3 years | Manual, Disabled | 1.1.0 |
1309.01x1System.36-01.x 01.07 Mobile Computing and Teleworking
ID: 1309.01x1System.36-01.x Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Provide periodic role-based security training | CMA_C1095 - Provide periodic role-based security training | Manual, Disabled | 1.1.0 |
Provide periodic security awareness training | CMA_C1091 - Provide periodic security awareness training | Manual, Disabled | 1.1.0 |
Provide role-based security training | CMA_C1094 - Provide role-based security training | Manual, Disabled | 1.1.0 |
Provide security training before providing access | CMA_0418 - Provide security training before providing access | Manual, Disabled | 1.1.0 |
Provide security training for new users | CMA_0419 - Provide security training for new users | Manual, Disabled | 1.1.0 |
Provide updated security awareness training | CMA_C1090 - Provide updated security awareness training | Manual, Disabled | 1.1.0 |
1310.01y1Organizational.9-01.y 01.07 Mobile Computing and Teleworking
ID: 1310.01y1Organizational.9-01.y Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Provide periodic role-based security training | CMA_C1095 - Provide periodic role-based security training | Manual, Disabled | 1.1.0 |
Provide periodic security awareness training | CMA_C1091 - Provide periodic security awareness training | Manual, Disabled | 1.1.0 |
Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
Provide role-based practical exercises | CMA_C1096 - Provide role-based practical exercises | Manual, Disabled | 1.1.0 |
Provide role-based security training | CMA_C1094 - Provide role-based security training | Manual, Disabled | 1.1.0 |
Provide role-based training on suspicious activities | CMA_C1097 - Provide role-based training on suspicious activities | Manual, Disabled | 1.1.0 |
Provide security awareness training for insider threats | CMA_0417 - Provide security awareness training for insider threats | Manual, Disabled | 1.1.0 |
Provide security training before providing access | CMA_0418 - Provide security training before providing access | Manual, Disabled | 1.1.0 |
Provide security training for new users | CMA_0419 - Provide security training for new users | Manual, Disabled | 1.1.0 |
Provide updated security awareness training | CMA_C1090 - Provide updated security awareness training | Manual, Disabled | 1.1.0 |
1311.12c2Organizational.3-12.c 12.01 Information Security Aspects of Business Continuity Management
ID: 1311.12c2Organizational.3-12.c Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Incorporate simulated contingency training | CMA_C1260 - Incorporate simulated contingency training | Manual, Disabled | 1.1.0 |
Provide contingency training | CMA_0412 - Provide contingency training | Manual, Disabled | 1.1.0 |
Provide information spillage training | CMA_0413 - Provide information spillage training | Manual, Disabled | 1.1.0 |
1313.02e1Organizational.3-02.e 02.03 During Employment
ID: 1313.02e1Organizational.3-02.e Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Provide contingency training | CMA_0412 - Provide contingency training | Manual, Disabled | 1.1.0 |
Provide information spillage training | CMA_0413 - Provide information spillage training | Manual, Disabled | 1.1.0 |
Provide periodic role-based security training | CMA_C1095 - Provide periodic role-based security training | Manual, Disabled | 1.1.0 |
1314.02e2Organizational.5-02.e 02.03 During Employment
ID: 1314.02e2Organizational.5-02.e Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
1315.02e2Organizational.67-02.e 02.03 During Employment
ID: 1315.02e2Organizational.67-02.e Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Provide periodic role-based security training | CMA_C1095 - Provide periodic role-based security training | Manual, Disabled | 1.1.0 |
Provide periodic security awareness training | CMA_C1091 - Provide periodic security awareness training | Manual, Disabled | 1.1.0 |
Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
Provide role-based security training | CMA_C1094 - Provide role-based security training | Manual, Disabled | 1.1.0 |
Provide security training before providing access | CMA_0418 - Provide security training before providing access | Manual, Disabled | 1.1.0 |
Provide security training for new users | CMA_0419 - Provide security training for new users | Manual, Disabled | 1.1.0 |
1324.07c1Organizational.3-07.c 07.01 Responsibility for Assets
ID: 1324.07c1Organizational.3-07.c Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Develop organization code of conduct policy | CMA_0159 - Develop organization code of conduct policy | Manual, Disabled | 1.1.0 |
Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
Prohibit unfair practices | CMA_0396 - Prohibit unfair practices | Manual, Disabled | 1.1.0 |
Provide periodic role-based security training | CMA_C1095 - Provide periodic role-based security training | Manual, Disabled | 1.1.0 |
Review and sign revised rules of behavior | CMA_0465 - Review and sign revised rules of behavior | Manual, Disabled | 1.1.0 |
Update rules of behavior and access agreements | CMA_0521 - Update rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Update rules of behavior and access agreements every 3 years | CMA_0522 - Update rules of behavior and access agreements every 3 years | Manual, Disabled | 1.1.0 |
1325.09s1Organizational.3-09.s 09.08 Exchange of Information
ID: 1325.09s1Organizational.3-09.s Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Develop organization code of conduct policy | CMA_0159 - Develop organization code of conduct policy | Manual, Disabled | 1.1.0 |
Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
Function apps should have remote debugging turned off | Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 2.0.0 |
Prohibit unfair practices | CMA_0396 - Prohibit unfair practices | Manual, Disabled | 1.1.0 |
Provide periodic security awareness training | CMA_C1091 - Provide periodic security awareness training | Manual, Disabled | 1.1.0 |
Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
Provide security training for new users | CMA_0419 - Provide security training for new users | Manual, Disabled | 1.1.0 |
Provide updated security awareness training | CMA_C1090 - Provide updated security awareness training | Manual, Disabled | 1.1.0 |
Review and sign revised rules of behavior | CMA_0465 - Review and sign revised rules of behavior | Manual, Disabled | 1.1.0 |
Update rules of behavior and access agreements | CMA_0521 - Update rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
Update rules of behavior and access agreements every 3 years | CMA_0522 - Update rules of behavior and access agreements every 3 years | Manual, Disabled | 1.1.0 |
1327.02e2Organizational.8-02.e 02.03 During Employment
ID: 1327.02e2Organizational.8-02.e Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
Provide periodic security awareness training | CMA_C1091 - Provide periodic security awareness training | Manual, Disabled | 1.1.0 |
Provide security awareness training for insider threats | CMA_0417 - Provide security awareness training for insider threats | Manual, Disabled | 1.1.0 |
Provide security training for new users | CMA_0419 - Provide security training for new users | Manual, Disabled | 1.1.0 |
Provide updated security awareness training | CMA_C1090 - Provide updated security awareness training | Manual, Disabled | 1.1.0 |
1331.02e3Organizational.4-02.e 02.03 During Employment
ID: 1331.02e3Organizational.4-02.e Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Conduct incident response testing | CMA_0060 - Conduct incident response testing | Manual, Disabled | 1.1.0 |
Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
Incorporate simulated events into incident response training | CMA_C1356 - Incorporate simulated events into incident response training | Manual, Disabled | 1.1.0 |
Install an alarm system | CMA_0338 - Install an alarm system | Manual, Disabled | 1.1.0 |
Manage a secure surveillance camera system | CMA_0354 - Manage a secure surveillance camera system | Manual, Disabled | 1.1.0 |
Run simulation attacks | CMA_0486 - Run simulation attacks | Manual, Disabled | 1.1.0 |
1334.02e2Organizational.12-02.e 02.03 During Employment
ID: 1334.02e2Organizational.12-02.e Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
Provide periodic security awareness training | CMA_C1091 - Provide periodic security awareness training | Manual, Disabled | 1.1.0 |
Provide security training for new users | CMA_0419 - Provide security training for new users | Manual, Disabled | 1.1.0 |
Provide updated security awareness training | CMA_C1090 - Provide updated security awareness training | Manual, Disabled | 1.1.0 |
1336.02e1Organizational.5-02.e 02.03 During Employment
ID: 1336.02e1Organizational.5-02.e Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Provide periodic role-based security training | CMA_C1095 - Provide periodic role-based security training | Manual, Disabled | 1.1.0 |
Provide periodic security awareness training | CMA_C1091 - Provide periodic security awareness training | Manual, Disabled | 1.1.0 |
Provide role-based practical exercises | CMA_C1096 - Provide role-based practical exercises | Manual, Disabled | 1.1.0 |
Provide role-based training on suspicious activities | CMA_C1097 - Provide role-based training on suspicious activities | Manual, Disabled | 1.1.0 |
Provide security awareness training for insider threats | CMA_0417 - Provide security awareness training for insider threats | Manual, Disabled | 1.1.0 |
Provide security training before providing access | CMA_0418 - Provide security training before providing access | Manual, Disabled | 1.1.0 |
Provide updated security awareness training | CMA_C1090 - Provide updated security awareness training | Manual, Disabled | 1.1.0 |
14 Third Party Assurance
1404.05i2Organizational.1-05.i 05.02 External Parties
ID: 1404.05i2Organizational.1-05.i Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Review and update system and services acquisition policies and procedures | CMA_C1560 - Review and update system and services acquisition policies and procedures | Manual, Disabled | 1.1.0 |
1406.05k1Organizational.110-05.k 05.02 External Parties
ID: 1406.05k1Organizational.110-05.k Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
1407.05k2Organizational.1-05.k 05.02 External Parties
ID: 1407.05k2Organizational.1-05.k Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Document third-party personnel security requirements | CMA_C1531 - Document third-party personnel security requirements | Manual, Disabled | 1.1.0 |
Establish third-party personnel security requirements | CMA_C1529 - Establish third-party personnel security requirements | Manual, Disabled | 1.1.0 |
Monitor third-party provider compliance | CMA_C1533 - Monitor third-party provider compliance | Manual, Disabled | 1.1.0 |
Require notification of third-party personnel transfer or termination | CMA_C1532 - Require notification of third-party personnel transfer or termination | Manual, Disabled | 1.1.0 |
Require third-party providers to comply with personnel security policies and procedures | CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures | Manual, Disabled | 1.1.0 |
1408.09e1System.1-09.e 09.02 Control Third Party Service Delivery
ID: 1408.09e1System.1-09.e Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define and document government oversight | CMA_C1587 - Define and document government oversight | Manual, Disabled | 1.1.0 |
Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0 |
Require interconnection security agreements | CMA_C1151 - Require interconnection security agreements | Manual, Disabled | 1.1.0 |
Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Manual, Disabled | 1.1.0 |
Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
Update interconnection security agreements | CMA_0519 - Update interconnection security agreements | Manual, Disabled | 1.1.0 |
1409.09e2System.1-09.e 09.02 Control Third Party Service Delivery
ID: 1409.09e2System.1-09.e Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
Document third-party personnel security requirements | CMA_C1531 - Document third-party personnel security requirements | Manual, Disabled | 1.1.0 |
Establish third-party personnel security requirements | CMA_C1529 - Establish third-party personnel security requirements | Manual, Disabled | 1.1.0 |
Monitor third-party provider compliance | CMA_C1533 - Monitor third-party provider compliance | Manual, Disabled | 1.1.0 |
Require third-party providers to comply with personnel security policies and procedures | CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures | Manual, Disabled | 1.1.0 |
1410.09e2System.23-09.e 09.02 Control Third Party Service Delivery
ID: 1410.09e2System.23-09.e Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
1411.09f1System.1-09.f 09.02 Control Third Party Service Delivery
ID: 1411.09f1System.1-09.f Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Authorize, monitor, and control voip | CMA_0025 - Authorize, monitor, and control voip | Manual, Disabled | 1.1.0 |
Detect network services that have not been authorized or approved | CMA_C1700 - Detect network services that have not been authorized or approved | Manual, Disabled | 1.1.0 |
Disseminate security alerts to personnel | CMA_C1705 - Disseminate security alerts to personnel | Manual, Disabled | 1.1.0 |
Document wireless access security controls | CMA_C1695 - Document wireless access security controls | Manual, Disabled | 1.1.0 |
Establish a threat intelligence program | CMA_0260 - Establish a threat intelligence program | Manual, Disabled | 1.1.0 |
Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0 |
Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Manual, Disabled | 1.1.0 |
Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
1416.10l1Organizational.1-10.l 10.05 Security In Development and Support Processes
ID: 1416.10l1Organizational.1-10.l Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
1417.10l2Organizational.1-10.l 10.05 Security In Development and Support Processes
ID: 1417.10l2Organizational.1-10.l Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
Require developers to produce evidence of security assessment plan execution | CMA_C1602 - Require developers to produce evidence of security assessment plan execution | Manual, Disabled | 1.1.0 |
1419.05j1Organizational.12-05.j 05.02 External Parties
ID: 1419.05j1Organizational.12-05.j Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
1421.05j2Organizational.12-05.j 05.02 External Parties
ID: 1421.05j2Organizational.12-05.j Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
1422.05j2Organizational.3-05.j 05.02 External Parties
ID: 1422.05j2Organizational.3-05.j Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Ensure external providers consistently meet interests of the customers | CMA_C1592 - Ensure external providers consistently meet interests of the customers | Manual, Disabled | 1.1.0 |
Identify external service providers | CMA_C1591 - Identify external service providers | Manual, Disabled | 1.1.0 |
Obtain approvals for acquisitions and outsourcing | CMA_C1590 - Obtain approvals for acquisitions and outsourcing | Manual, Disabled | 1.1.0 |
Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0 |
Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Manual, Disabled | 1.1.0 |
Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
1423.05j2Organizational.4-05.j 05.02 External Parties
ID: 1423.05j2Organizational.4-05.j Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Control use of portable storage devices | CMA_0083 - Control use of portable storage devices | Manual, Disabled | 1.1.0 |
Employ boundary protection to isolate information systems | CMA_C1639 - Employ boundary protection to isolate information systems | Manual, Disabled | 1.1.0 |
Ensure external providers consistently meet interests of the customers | CMA_C1592 - Ensure external providers consistently meet interests of the customers | Manual, Disabled | 1.1.0 |
Establish terms and conditions for accessing resources | CMA_C1076 - Establish terms and conditions for accessing resources | Manual, Disabled | 1.1.0 |
Establish terms and conditions for processing resources | CMA_C1077 - Establish terms and conditions for processing resources | Manual, Disabled | 1.1.0 |
Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0 |
Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Manual, Disabled | 1.1.0 |
Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
Verify security controls for external information systems | CMA_0541 - Verify security controls for external information systems | Manual, Disabled | 1.1.0 |
1424.05j2Organizational.5-05.j 05.02 External Parties
ID: 1424.05j2Organizational.5-05.j Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Accept only FICAM-approved third-party credentials | CMA_C1348 - Accept only FICAM-approved third-party credentials | Manual, Disabled | 1.1.0 |
Accept PIV credentials | CMA_C1347 - Accept PIV credentials | Manual, Disabled | 1.1.0 |
Conform to FICAM-issued profiles | CMA_C1350 - Conform to FICAM-issued profiles | Manual, Disabled | 1.1.0 |
Employ FICAM-approved resources to accept third-party credentials | CMA_C1349 - Employ FICAM-approved resources to accept third-party credentials | Manual, Disabled | 1.1.0 |
Enforce user uniqueness | CMA_0250 - Enforce user uniqueness | Manual, Disabled | 1.1.0 |
Identify and authenticate non-organizational users | CMA_C1346 - Identify and authenticate non-organizational users | Manual, Disabled | 1.1.0 |
Support personal verification credentials issued by legal authorities | CMA_0507 - Support personal verification credentials issued by legal authorities | Manual, Disabled | 1.1.0 |
Verify identity before distributing authenticators | CMA_0538 - Verify identity before distributing authenticators | Manual, Disabled | 1.1.0 |
1429.05k1Organizational.34-05.k 05.02 External Parties
ID: 1429.05k1Organizational.34-05.k Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
Document third-party personnel security requirements | CMA_C1531 - Document third-party personnel security requirements | Manual, Disabled | 1.1.0 |
Establish third-party personnel security requirements | CMA_C1529 - Establish third-party personnel security requirements | Manual, Disabled | 1.1.0 |
Monitor third-party provider compliance | CMA_C1533 - Monitor third-party provider compliance | Manual, Disabled | 1.1.0 |
Require third-party providers to comply with personnel security policies and procedures | CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures | Manual, Disabled | 1.1.0 |
1430.05k1Organizational.56-05.k 05.02 External Parties
ID: 1430.05k1Organizational.56-05.k Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
Document third-party personnel security requirements | CMA_C1531 - Document third-party personnel security requirements | Manual, Disabled | 1.1.0 |
Establish third-party personnel security requirements | CMA_C1529 - Establish third-party personnel security requirements | Manual, Disabled | 1.1.0 |
Require third-party providers to comply with personnel security policies and procedures | CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures | Manual, Disabled | 1.1.0 |
1431.05k1Organizational.7-05.k 05.02 External Parties
ID: 1431.05k1Organizational.7-05.k Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Document third-party personnel security requirements | CMA_C1531 - Document third-party personnel security requirements | Manual, Disabled | 1.1.0 |
Establish third-party personnel security requirements | CMA_C1529 - Establish third-party personnel security requirements | Manual, Disabled | 1.1.0 |
Monitor third-party provider compliance | CMA_C1533 - Monitor third-party provider compliance | Manual, Disabled | 1.1.0 |
Require notification of third-party personnel transfer or termination | CMA_C1532 - Require notification of third-party personnel transfer or termination | Manual, Disabled | 1.1.0 |
Require third-party providers to comply with personnel security policies and procedures | CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures | Manual, Disabled | 1.1.0 |
1432.05k1Organizational.89-05.k 05.02 External Parties
ID: 1432.05k1Organizational.89-05.k Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Clear personnel with access to classified information | CMA_0054 - Clear personnel with access to classified information | Manual, Disabled | 1.1.0 |
Document third-party personnel security requirements | CMA_C1531 - Document third-party personnel security requirements | Manual, Disabled | 1.1.0 |
Establish privacy requirements for contractors and service providers | CMA_C1810 - Establish privacy requirements for contractors and service providers | Manual, Disabled | 1.1.0 |
Establish third-party personnel security requirements | CMA_C1529 - Establish third-party personnel security requirements | Manual, Disabled | 1.1.0 |
Implement personnel screening | CMA_0322 - Implement personnel screening | Manual, Disabled | 1.1.0 |
Monitor third-party provider compliance | CMA_C1533 - Monitor third-party provider compliance | Manual, Disabled | 1.1.0 |
Require third-party providers to comply with personnel security policies and procedures | CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures | Manual, Disabled | 1.1.0 |
1438.09e2System.4-09.e 09.02 Control Third Party Service Delivery
ID: 1438.09e2System.4-09.e Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
Ensure external providers consistently meet interests of the customers | CMA_C1592 - Ensure external providers consistently meet interests of the customers | Manual, Disabled | 1.1.0 |
Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0 |
Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Manual, Disabled | 1.1.0 |
Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
1450.05i2Organizational.2-05.i 05.02 External Parties
ID: 1450.05i2Organizational.2-05.i Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Assess risk in third party relationships | CMA_0014 - Assess risk in third party relationships | Manual, Disabled | 1.1.0 |
Define and document government oversight | CMA_C1587 - Define and document government oversight | Manual, Disabled | 1.1.0 |
Define requirements for supplying goods and services | CMA_0126 - Define requirements for supplying goods and services | Manual, Disabled | 1.1.0 |
Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
Enforce SSL connection should be enabled for PostgreSQL database servers | Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
Establish policies for supply chain risk management | CMA_0275 - Establish policies for supply chain risk management | Manual, Disabled | 1.1.0 |
Identify incident response personnel | CMA_0301 - Identify incident response personnel | Manual, Disabled | 1.1.0 |
Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0 |
Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Manual, Disabled | 1.1.0 |
Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
1451.05iCSPOrganizational.2-05.i 05.02 External Parties
ID: 1451.05iCSPOrganizational.2-05.i Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Assess risk in third party relationships | CMA_0014 - Assess risk in third party relationships | Manual, Disabled | 1.1.0 |
Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
Conduct a full text analysis of logged privileged commands | CMA_0056 - Conduct a full text analysis of logged privileged commands | Manual, Disabled | 1.1.0 |
Define access authorizations to support separation of duties | CMA_0116 - Define access authorizations to support separation of duties | Manual, Disabled | 1.1.0 |
Define and document government oversight | CMA_C1587 - Define and document government oversight | Manual, Disabled | 1.1.0 |
Define requirements for supplying goods and services | CMA_0126 - Define requirements for supplying goods and services | Manual, Disabled | 1.1.0 |
Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
Document separation of duties | CMA_0204 - Document separation of duties | Manual, Disabled | 1.1.0 |
Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
Enforce software execution privileges | CMA_C1041 - Enforce software execution privileges | Manual, Disabled | 1.1.0 |
Establish policies for supply chain risk management | CMA_0275 - Establish policies for supply chain risk management | Manual, Disabled | 1.1.0 |
Monitor privileged role assignment | CMA_0378 - Monitor privileged role assignment | Manual, Disabled | 1.1.0 |
Only secure connections to your Azure Cache for Redis should be enabled | Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 1.0.0 |
Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0 |
Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Manual, Disabled | 1.1.0 |
Revoke privileged roles as appropriate | CMA_0483 - Revoke privileged roles as appropriate | Manual, Disabled | 1.1.0 |
Separate duties of individuals | CMA_0492 - Separate duties of individuals | Manual, Disabled | 1.1.0 |
Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
Use privileged identity management | CMA_0533 - Use privileged identity management | Manual, Disabled | 1.1.0 |
1452.05kCSPOrganizational.1-05.k 05.02 External Parties
ID: 1452.05kCSPOrganizational.1-05.k Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Document third-party personnel security requirements | CMA_C1531 - Document third-party personnel security requirements | Manual, Disabled | 1.1.0 |
Establish third-party personnel security requirements | CMA_C1529 - Establish third-party personnel security requirements | Manual, Disabled | 1.1.0 |
Require third-party providers to comply with personnel security policies and procedures | CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures | Manual, Disabled | 1.1.0 |
1453.05kCSPOrganizational.2-05.k 05.02 External Parties
ID: 1453.05kCSPOrganizational.2-05.k Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Assess risk in third party relationships | CMA_0014 - Assess risk in third party relationships | Manual, Disabled | 1.1.0 |
Define requirements for supplying goods and services | CMA_0126 - Define requirements for supplying goods and services | Manual, Disabled | 1.1.0 |
Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
Ensure external providers consistently meet interests of the customers | CMA_C1592 - Ensure external providers consistently meet interests of the customers | Manual, Disabled | 1.1.0 |
Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
Establish policies for supply chain risk management | CMA_0275 - Establish policies for supply chain risk management | Manual, Disabled | 1.1.0 |
Establish third-party personnel security requirements | CMA_C1529 - Establish third-party personnel security requirements | Manual, Disabled | 1.1.0 |
Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0 |
Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Manual, Disabled | 1.1.0 |
Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
1454.05kCSPOrganizational.3-05.k 05.02 External Parties
ID: 1454.05kCSPOrganizational.3-05.k Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Assess risk in third party relationships | CMA_0014 - Assess risk in third party relationships | Manual, Disabled | 1.1.0 |
Define and document government oversight | CMA_C1587 - Define and document government oversight | Manual, Disabled | 1.1.0 |
Define requirements for supplying goods and services | CMA_0126 - Define requirements for supplying goods and services | Manual, Disabled | 1.1.0 |
Establish policies for supply chain risk management | CMA_0275 - Establish policies for supply chain risk management | Manual, Disabled | 1.1.0 |
Identify external service providers | CMA_C1591 - Identify external service providers | Manual, Disabled | 1.1.0 |
Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0 |
Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Manual, Disabled | 1.1.0 |
Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
1455.05kCSPOrganizational.4-05.k 05.02 External Parties
ID: 1455.05kCSPOrganizational.4-05.k Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define and document government oversight | CMA_C1587 - Define and document government oversight | Manual, Disabled | 1.1.0 |
Document third-party personnel security requirements | CMA_C1531 - Document third-party personnel security requirements | Manual, Disabled | 1.1.0 |
Establish third-party personnel security requirements | CMA_C1529 - Establish third-party personnel security requirements | Manual, Disabled | 1.1.0 |
Monitor third-party provider compliance | CMA_C1533 - Monitor third-party provider compliance | Manual, Disabled | 1.1.0 |
Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0 |
Require notification of third-party personnel transfer or termination | CMA_C1532 - Require notification of third-party personnel transfer or termination | Manual, Disabled | 1.1.0 |
Require third-party providers to comply with personnel security policies and procedures | CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures | Manual, Disabled | 1.1.0 |
Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Manual, Disabled | 1.1.0 |
Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
1464.09e2Organizational.5-09.e 09.02 Control Third Party Service Delivery
ID: 1464.09e2Organizational.5-09.e Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Create separate alternate and primary storage sites | CMA_C1269 - Create separate alternate and primary storage sites | Manual, Disabled | 1.1.0 |
Ensure alternate storage site safeguards are equivalent to primary site | CMA_C1268 - Ensure alternate storage site safeguards are equivalent to primary site | Manual, Disabled | 1.1.0 |
Establish an alternate processing site | CMA_0262 - Establish an alternate processing site | Manual, Disabled | 1.1.0 |
Identify and mitigate potential issues at alternate storage site | CMA_C1271 - Identify and mitigate potential issues at alternate storage site | Manual, Disabled | 1.1.0 |
Recover and reconstitute resources after any disruption | CMA_C1295 - Recover and reconstitute resources after any disruption | Manual, Disabled | 1.1.1 |
15 Incident Management
1501.02f1Organizational.123-02.f 02.03 During Employment
ID: 1501.02f1Organizational.123-02.f Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Assess information security events | CMA_0013 - Assess information security events | Manual, Disabled | 1.1.0 |
Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
Develop security safeguards | CMA_0161 - Develop security safeguards | Manual, Disabled | 1.1.0 |
Enable network protection | CMA_0238 - Enable network protection | Manual, Disabled | 1.1.0 |
Eradicate contaminated information | CMA_0253 - Eradicate contaminated information | Manual, Disabled | 1.1.0 |
Execute actions in response to information spills | CMA_0281 - Execute actions in response to information spills | Manual, Disabled | 1.1.0 |
Implement formal sanctions process | CMA_0317 - Implement formal sanctions process | Manual, Disabled | 1.1.0 |
Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |
Maintain incident response plan | CMA_0352 - Maintain incident response plan | Manual, Disabled | 1.1.0 |
Notify personnel upon sanctions | CMA_0380 - Notify personnel upon sanctions | Manual, Disabled | 1.1.0 |
View and investigate restricted users | CMA_0545 - View and investigate restricted users | Manual, Disabled | 1.1.0 |
1503.02f2Organizational.12-02.f 02.03 During Employment
ID: 1503.02f2Organizational.12-02.f Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
Develop security safeguards | CMA_0161 - Develop security safeguards | Manual, Disabled | 1.1.0 |
Document security operations | CMA_0202 - Document security operations | Manual, Disabled | 1.1.0 |
Enable network protection | CMA_0238 - Enable network protection | Manual, Disabled | 1.1.0 |
Eradicate contaminated information | CMA_0253 - Eradicate contaminated information | Manual, Disabled | 1.1.0 |
Execute actions in response to information spills | CMA_0281 - Execute actions in response to information spills | Manual, Disabled | 1.1.0 |
Implement formal sanctions process | CMA_0317 - Implement formal sanctions process | Manual, Disabled | 1.1.0 |
Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |
Implement Incident handling capability | CMA_C1367 - Implement Incident handling capability | Manual, Disabled | 1.1.0 |
Notify personnel upon sanctions | CMA_0380 - Notify personnel upon sanctions | Manual, Disabled | 1.1.0 |
View and investigate restricted users | CMA_0545 - View and investigate restricted users | Manual, Disabled | 1.1.0 |
1504.06e1Organizational.34-06.e 06.01 Compliance with Legal Requirements
ID: 1504.06e1Organizational.34-06.e Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
Create a data inventory | CMA_0096 - Create a data inventory | Manual, Disabled | 1.1.0 |
Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
Document security operations | CMA_0202 - Document security operations | Manual, Disabled | 1.1.0 |
Enable detection of network devices | CMA_0220 - Enable detection of network devices | Manual, Disabled | 1.1.0 |
Enable network protection | CMA_0238 - Enable network protection | Manual, Disabled | 1.1.0 |
Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
Establish relationship between incident response capability and external providers | CMA_C1376 - Establish relationship between incident response capability and external providers | Manual, Disabled | 1.1.0 |
Implement formal sanctions process | CMA_0317 - Implement formal sanctions process | Manual, Disabled | 1.1.0 |
Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |
Maintain records of processing of personal data | CMA_0353 - Maintain records of processing of personal data | Manual, Disabled | 1.1.0 |
Notify personnel upon sanctions | CMA_0380 - Notify personnel upon sanctions | Manual, Disabled | 1.1.0 |
Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
Set automated notifications for new and trending cloud applications in your organization | CMA_0495 - Set automated notifications for new and trending cloud applications in your organization | Manual, Disabled | 1.1.0 |
1505.11a1Organizational.13-11.a 11.01 Reporting Information Security Incidents and Weaknesses
ID: 1505.11a1Organizational.13-11.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Assess information security events | CMA_0013 - Assess information security events | Manual, Disabled | 1.1.0 |
Conduct incident response testing | CMA_0060 - Conduct incident response testing | Manual, Disabled | 1.1.0 |
Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
Develop security safeguards | CMA_0161 - Develop security safeguards | Manual, Disabled | 1.1.0 |
Document security operations | CMA_0202 - Document security operations | Manual, Disabled | 1.1.0 |
Enable network protection | CMA_0238 - Enable network protection | Manual, Disabled | 1.1.0 |
Eradicate contaminated information | CMA_0253 - Eradicate contaminated information | Manual, Disabled | 1.1.0 |
Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
Establish relationship between incident response capability and external providers | CMA_C1376 - Establish relationship between incident response capability and external providers | Manual, Disabled | 1.1.0 |
Execute actions in response to information spills | CMA_0281 - Execute actions in response to information spills | Manual, Disabled | 1.1.0 |
Identify classes of Incidents and Actions taken | CMA_C1365 - Identify classes of Incidents and Actions taken | Manual, Disabled | 1.1.0 |
Identify incident response personnel | CMA_0301 - Identify incident response personnel | Manual, Disabled | 1.1.0 |
Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |
Maintain data breach records | CMA_0351 - Maintain data breach records | Manual, Disabled | 1.1.0 |
Maintain incident response plan | CMA_0352 - Maintain incident response plan | Manual, Disabled | 1.1.0 |
Protect incident response plan | CMA_0405 - Protect incident response plan | Manual, Disabled | 1.1.0 |
Provide information spillage training | CMA_0413 - Provide information spillage training | Manual, Disabled | 1.1.0 |
Run simulation attacks | CMA_0486 - Run simulation attacks | Manual, Disabled | 1.1.0 |
View and investigate restricted users | CMA_0545 - View and investigate restricted users | Manual, Disabled | 1.1.0 |
1506.11a1Organizational.2-11.a 11.01 Reporting Information Security Incidents and Weaknesses
ID: 1506.11a1Organizational.2-11.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
Document security operations | CMA_0202 - Document security operations | Manual, Disabled | 1.1.0 |
Enable network protection | CMA_0238 - Enable network protection | Manual, Disabled | 1.1.0 |
Eradicate contaminated information | CMA_0253 - Eradicate contaminated information | Manual, Disabled | 1.1.0 |
Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
Execute actions in response to information spills | CMA_0281 - Execute actions in response to information spills | Manual, Disabled | 1.1.0 |
Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |
Manage contacts for authorities and special interest groups | CMA_0359 - Manage contacts for authorities and special interest groups | Manual, Disabled | 1.1.0 |
View and investigate restricted users | CMA_0545 - View and investigate restricted users | Manual, Disabled | 1.1.0 |
1507.11a1Organizational.4-11.a 11.01 Reporting Information Security Incidents and Weaknesses
ID: 1507.11a1Organizational.4-11.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Implement an insider threat program | CMA_C1751 - Implement an insider threat program | Manual, Disabled | 1.1.0 |
Implement Incident handling capability | CMA_C1367 - Implement Incident handling capability | Manual, Disabled | 1.1.0 |
Provide security awareness training for insider threats | CMA_0417 - Provide security awareness training for insider threats | Manual, Disabled | 1.1.0 |
1508.11a2Organizational.1-11.a 11.01 Reporting Information Security Incidents and Weaknesses
ID: 1508.11a2Organizational.1-11.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
Document security operations | CMA_0202 - Document security operations | Manual, Disabled | 1.1.0 |
Enable network protection | CMA_0238 - Enable network protection | Manual, Disabled | 1.1.0 |
Eradicate contaminated information | CMA_0253 - Eradicate contaminated information | Manual, Disabled | 1.1.0 |
Execute actions in response to information spills | CMA_0281 - Execute actions in response to information spills | Manual, Disabled | 1.1.0 |
Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |
Provide information spillage training | CMA_0413 - Provide information spillage training | Manual, Disabled | 1.1.0 |
View and investigate restricted users | CMA_0545 - View and investigate restricted users | Manual, Disabled | 1.1.0 |
1509.11a2Organizational.236-11.a 11.01 Reporting Information Security Incidents and Weaknesses
ID: 1509.11a2Organizational.236-11.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Conduct incident response testing | CMA_0060 - Conduct incident response testing | Manual, Disabled | 1.1.0 |
Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
Develop security safeguards | CMA_0161 - Develop security safeguards | Manual, Disabled | 1.1.0 |
Document security operations | CMA_0202 - Document security operations | Manual, Disabled | 1.1.0 |
Enable network protection | CMA_0238 - Enable network protection | Manual, Disabled | 1.1.0 |
Eradicate contaminated information | CMA_0253 - Eradicate contaminated information | Manual, Disabled | 1.1.0 |
Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
Execute actions in response to information spills | CMA_0281 - Execute actions in response to information spills | Manual, Disabled | 1.1.0 |
Identify classes of Incidents and Actions taken | CMA_C1365 - Identify classes of Incidents and Actions taken | Manual, Disabled | 1.1.0 |
Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |
Maintain data breach records | CMA_0351 - Maintain data breach records | Manual, Disabled | 1.1.0 |
Maintain incident response plan | CMA_0352 - Maintain incident response plan | Manual, Disabled | 1.1.0 |
Protect incident response plan | CMA_0405 - Protect incident response plan | Manual, Disabled | 1.1.0 |
Provide information spillage training | CMA_0413 - Provide information spillage training | Manual, Disabled | 1.1.0 |
Run simulation attacks | CMA_0486 - Run simulation attacks | Manual, Disabled | 1.1.0 |
View and investigate restricted users | CMA_0545 - View and investigate restricted users | Manual, Disabled | 1.1.0 |
1510.11a2Organizational.47-11.a 11.01 Reporting Information Security Incidents and Weaknesses
ID: 1510.11a2Organizational.47-11.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Assess information security events | CMA_0013 - Assess information security events | Manual, Disabled | 1.1.0 |
Conduct incident response testing | CMA_0060 - Conduct incident response testing | Manual, Disabled | 1.1.0 |
Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
Document security operations | CMA_0202 - Document security operations | Manual, Disabled | 1.1.0 |
Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |
Maintain data breach records | CMA_0351 - Maintain data breach records | Manual, Disabled | 1.1.0 |
Maintain incident response plan | CMA_0352 - Maintain incident response plan | Manual, Disabled | 1.1.0 |
Protect incident response plan | CMA_0405 - Protect incident response plan | Manual, Disabled | 1.1.0 |
Provide information spillage training | CMA_0413 - Provide information spillage training | Manual, Disabled | 1.1.0 |
Run simulation attacks | CMA_0486 - Run simulation attacks | Manual, Disabled | 1.1.0 |
1511.11a2Organizational.5-11.a 11.01 Reporting Information Security Incidents and Weaknesses
ID: 1511.11a2Organizational.5-11.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Assess information security events | CMA_0013 - Assess information security events | Manual, Disabled | 1.1.0 |
Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
Develop security safeguards | CMA_0161 - Develop security safeguards | Manual, Disabled | 1.1.0 |
Document security operations | CMA_0202 - Document security operations | Manual, Disabled | 1.1.0 |
Enable network protection | CMA_0238 - Enable network protection | Manual, Disabled | 1.1.0 |
Eradicate contaminated information | CMA_0253 - Eradicate contaminated information | Manual, Disabled | 1.1.0 |
Execute actions in response to information spills | CMA_0281 - Execute actions in response to information spills | Manual, Disabled | 1.1.0 |
Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |
Incorporate simulated events into incident response training | CMA_C1356 - Incorporate simulated events into incident response training | Manual, Disabled | 1.1.0 |
Maintain incident response plan | CMA_0352 - Maintain incident response plan | Manual, Disabled | 1.1.0 |
Provide information spillage training | CMA_0413 - Provide information spillage training | Manual, Disabled | 1.1.0 |
View and investigate restricted users | CMA_0545 - View and investigate restricted users | Manual, Disabled | 1.1.0 |
1512.11a2Organizational.8-11.a 11.01 Reporting Information Security Incidents and Weaknesses
ID: 1512.11a2Organizational.8-11.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Alert personnel of information spillage | CMA_0007 - Alert personnel of information spillage | Manual, Disabled | 1.1.0 |
Correlate audit records | CMA_0087 - Correlate audit records | Manual, Disabled | 1.1.0 |
Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
Document security operations | CMA_0202 - Document security operations | Manual, Disabled | 1.1.0 |
Document wireless access security controls | CMA_C1695 - Document wireless access security controls | Manual, Disabled | 1.1.0 |
Establish requirements for audit review and reporting | CMA_0277 - Establish requirements for audit review and reporting | Manual, Disabled | 1.1.0 |
Integrate audit review, analysis, and reporting | CMA_0339 - Integrate audit review, analysis, and reporting | Manual, Disabled | 1.1.0 |
Integrate cloud app security with a siem | CMA_0340 - Integrate cloud app security with a siem | Manual, Disabled | 1.1.0 |
Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
Review administrator assignments weekly | CMA_0461 - Review administrator assignments weekly | Manual, Disabled | 1.1.0 |
Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
Review cloud identity report overview | CMA_0468 - Review cloud identity report overview | Manual, Disabled | 1.1.0 |
Review controlled folder access events | CMA_0471 - Review controlled folder access events | Manual, Disabled | 1.1.0 |
Review file and folder activity | CMA_0473 - Review file and folder activity | Manual, Disabled | 1.1.0 |
Review role group changes weekly | CMA_0476 - Review role group changes weekly | Manual, Disabled | 1.1.0 |
Set automated notifications for new and trending cloud applications in your organization | CMA_0495 - Set automated notifications for new and trending cloud applications in your organization | Manual, Disabled | 1.1.0 |
Turn on sensors for endpoint security solution | CMA_0514 - Turn on sensors for endpoint security solution | Manual, Disabled | 1.1.0 |
1515.11a3Organizational.3-11.a 11.01 Reporting Information Security Incidents and Weaknesses
ID: 1515.11a3Organizational.3-11.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Assess information security events | CMA_0013 - Assess information security events | Manual, Disabled | 1.1.0 |
Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
Develop security safeguards | CMA_0161 - Develop security safeguards | Manual, Disabled | 1.1.0 |
Enable network protection | CMA_0238 - Enable network protection | Manual, Disabled | 1.1.0 |
Eradicate contaminated information | CMA_0253 - Eradicate contaminated information | Manual, Disabled | 1.1.0 |
Execute actions in response to information spills | CMA_0281 - Execute actions in response to information spills | Manual, Disabled | 1.1.0 |
Identify classes of Incidents and Actions taken | CMA_C1365 - Identify classes of Incidents and Actions taken | Manual, Disabled | 1.1.0 |
Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |
Maintain incident response plan | CMA_0352 - Maintain incident response plan | Manual, Disabled | 1.1.0 |
View and investigate restricted users | CMA_0545 - View and investigate restricted users | Manual, Disabled | 1.1.0 |
1516.11c1Organizational.12-11.c 11.02 Management of Information Security Incidents and Improvements
ID: 1516.11c1Organizational.12-11.c Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Assess information security events | CMA_0013 - Assess information security events | Manual, Disabled | 1.1.0 |
Conduct incident response testing | CMA_0060 - Conduct incident response testing | Manual, Disabled | 1.1.0 |
Document security operations | CMA_0202 - Document security operations | Manual, Disabled | 1.1.0 |
Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |
Maintain data breach records | CMA_0351 - Maintain data breach records | Manual, Disabled | 1.1.0 |
Maintain incident response plan | CMA_0352 - Maintain incident response plan | Manual, Disabled | 1.1.0 |
Protect incident response plan | CMA_0405 - Protect incident response plan | Manual, Disabled | 1.1.0 |
Provide information spillage training | CMA_0413 - Provide information spillage training | Manual, Disabled | 1.1.0 |
Run simulation attacks | CMA_0486 - Run simulation attacks | Manual, Disabled | 1.1.0 |
1517.11c1Organizational.3-11.c 11.02 Management of Information Security Incidents and Improvements
ID: 1517.11c1Organizational.3-11.c Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Assess information security events | CMA_0013 - Assess information security events | Manual, Disabled | 1.1.0 |
Document security operations | CMA_0202 - Document security operations | Manual, Disabled | 1.1.0 |
Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |
Maintain data breach records | CMA_0351 - Maintain data breach records | Manual, Disabled | 1.1.0 |
Maintain incident response plan | CMA_0352 - Maintain incident response plan | Manual, Disabled | 1.1.0 |
Protect incident response plan | CMA_0405 - Protect incident response plan | Manual, Disabled | 1.1.0 |
1518.11c2Organizational.13-11.c 11.02 Management of Information Security Incidents and Improvements
ID: 1518.11c2Organizational.13-11.c Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Review and update incident response policies and procedures | CMA_C1352 - Review and update incident response policies and procedures | Manual, Disabled | 1.1.0 |
1519.11c2Organizational.2-11.c 11.02 Management of Information Security Incidents and Improvements
ID: 1519.11c2Organizational.2-11.c Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Correlate audit records | CMA_0087 - Correlate audit records | Manual, Disabled | 1.1.0 |
Document security operations | CMA_0202 - Document security operations | Manual, Disabled | 1.1.0 |
Establish requirements for audit review and reporting | CMA_0277 - Establish requirements for audit review and reporting | Manual, Disabled | 1.1.0 |
Integrate Audit record analysis | CMA_C1120 - Integrate Audit record analysis | Manual, Disabled | 1.1.0 |
Integrate audit review, analysis, and reporting | CMA_0339 - Integrate audit review, analysis, and reporting | Manual, Disabled | 1.1.0 |
Integrate cloud app security with a siem | CMA_0340 - Integrate cloud app security with a siem | Manual, Disabled | 1.1.0 |
Provide capability to process customer-controlled audit records | CMA_C1126 - Provide capability to process customer-controlled audit records | Manual, Disabled | 1.1.0 |
Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
Review administrator assignments weekly | CMA_0461 - Review administrator assignments weekly | Manual, Disabled | 1.1.0 |
Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
Review cloud identity report overview | CMA_0468 - Review cloud identity report overview | Manual, Disabled | 1.1.0 |
Review controlled folder access events | CMA_0471 - Review controlled folder access events | Manual, Disabled | 1.1.0 |
Review file and folder activity | CMA_0473 - Review file and folder activity | Manual, Disabled | 1.1.0 |
Review role group changes weekly | CMA_0476 - Review role group changes weekly | Manual, Disabled | 1.1.0 |
1520.11c2Organizational.4-11.c 11.02 Management of Information Security Incidents and Improvements
ID: 1520.11c2Organizational.4-11.c Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Assess information security events | CMA_0013 - Assess information security events | Manual, Disabled | 1.1.0 |
Conduct incident response testing | CMA_0060 - Conduct incident response testing | Manual, Disabled | 1.1.0 |
Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |
Maintain data breach records | CMA_0351 - Maintain data breach records | Manual, Disabled | 1.1.0 |
Maintain incident response plan | CMA_0352 - Maintain incident response plan | Manual, Disabled | 1.1.0 |
Protect incident response plan | CMA_0405 - Protect incident response plan | Manual, Disabled | 1.1.0 |
Run simulation attacks | CMA_0486 - Run simulation attacks | Manual, Disabled | 1.1.0 |
1521.11c2Organizational.56-11.c 11.02 Management of Information Security Incidents and Improvements
ID: 1521.11c2Organizational.56-11.c Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Assess information security events | CMA_0013 - Assess information security events | Manual, Disabled | 1.1.0 |
Conduct incident response testing | CMA_0060 - Conduct incident response testing | Manual, Disabled | 1.1.0 |
Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
Develop security safeguards | CMA_0161 - Develop security safeguards | Manual, Disabled | 1.1.0 |
Enable network protection | CMA_0238 - Enable network protection | Manual, Disabled | 1.1.0 |
Eradicate contaminated information | CMA_0253 - Eradicate contaminated information | Manual, Disabled | 1.1.0 |
Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
Execute actions in response to information spills | CMA_0281 - Execute actions in response to information spills | Manual, Disabled | 1.1.0 |
Identify classes of Incidents and Actions taken | CMA_C1365 - Identify classes of Incidents and Actions taken | Manual, Disabled | 1.1.0 |
Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |
Implement Incident handling capability | CMA_C1367 - Implement Incident handling capability | Manual, Disabled | 1.1.0 |
Incorporate simulated events into incident response training | CMA_C1356 - Incorporate simulated events into incident response training | Manual, Disabled | 1.1.0 |
Maintain incident response plan | CMA_0352 - Maintain incident response plan | Manual, Disabled | 1.1.0 |
Provide information spillage training | CMA_0413 - Provide information spillage training | Manual, Disabled | 1.1.0 |
Run simulation attacks | CMA_0486 - Run simulation attacks | Manual, Disabled | 1.1.0 |
View and investigate restricted users | CMA_0545 - View and investigate restricted users | Manual, Disabled | 1.1.0 |
1522.11c3Organizational.13-11.c 11.02 Management of Information Security Incidents and Improvements
ID: 1522.11c3Organizational.13-11.c Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Document security operations | CMA_0202 - Document security operations | Manual, Disabled | 1.1.0 |
Enable network protection | CMA_0238 - Enable network protection | Manual, Disabled | 1.1.0 |
Eradicate contaminated information | CMA_0253 - Eradicate contaminated information | Manual, Disabled | 1.1.0 |
Execute actions in response to information spills | CMA_0281 - Execute actions in response to information spills | Manual, Disabled | 1.1.0 |
Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |
View and investigate restricted users | CMA_0545 - View and investigate restricted users | Manual, Disabled | 1.1.0 |
1523.11c3Organizational.24-11.c 11.02 Management of Information Security Incidents and Improvements
ID: 1523.11c3Organizational.24-11.c Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Document security operations | CMA_0202 - Document security operations | Manual, Disabled | 1.1.0 |
Establish relationship between incident response capability and external providers | CMA_C1376 - Establish relationship between incident response capability and external providers | Manual, Disabled | 1.1.0 |
Identify incident response personnel | CMA_0301 - Identify incident response personnel | Manual, Disabled | 1.1.0 |
Use automated mechanisms for security alerts | CMA_C1707 - Use automated mechanisms for security alerts | Manual, Disabled | 1.1.0 |
1524.11a1Organizational.5-11.a 11.01 Reporting Information Security Incidents and Weaknesses
ID: 1524.11a1Organizational.5-11.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Coordinate with external organizations to achieve cross org perspective | CMA_C1368 - Coordinate with external organizations to achieve cross org perspective | Manual, Disabled | 1.1.0 |
Obtain legal opinion for monitoring system activities | CMA_C1688 - Obtain legal opinion for monitoring system activities | Manual, Disabled | 1.1.0 |
Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0 |
1525.11a1Organizational.6-11.a 11.01 Reporting Information Security Incidents and Weaknesses
ID: 1525.11a1Organizational.6-11.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Establish information security workforce development and improvement program | CMA_C1752 - Establish information security workforce development and improvement program | Manual, Disabled | 1.1.0 |
Implement an insider threat program | CMA_C1751 - Implement an insider threat program | Manual, Disabled | 1.1.0 |
Implement formal sanctions process | CMA_0317 - Implement formal sanctions process | Manual, Disabled | 1.1.0 |
Implement Incident handling capability | CMA_C1367 - Implement Incident handling capability | Manual, Disabled | 1.1.0 |
Notify personnel upon sanctions | CMA_0380 - Notify personnel upon sanctions | Manual, Disabled | 1.1.0 |
Provide security awareness training for insider threats | CMA_0417 - Provide security awareness training for insider threats | Manual, Disabled | 1.1.0 |
1560.11d1Organizational.1-11.d 11.02 Management of Information Security Incidents and Improvements
ID: 1560.11d1Organizational.1-11.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Assess information security events | CMA_0013 - Assess information security events | Manual, Disabled | 1.1.0 |
Conduct incident response testing | CMA_0060 - Conduct incident response testing | Manual, Disabled | 1.1.0 |
Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |
Maintain data breach records | CMA_0351 - Maintain data breach records | Manual, Disabled | 1.1.0 |
Maintain incident response plan | CMA_0352 - Maintain incident response plan | Manual, Disabled | 1.1.0 |
Protect incident response plan | CMA_0405 - Protect incident response plan | Manual, Disabled | 1.1.0 |
Run simulation attacks | CMA_0486 - Run simulation attacks | Manual, Disabled | 1.1.0 |
1561.11d2Organizational.14-11.d 11.02 Management of Information Security Incidents and Improvements
ID: 1561.11d2Organizational.14-11.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Develop security safeguards | CMA_0161 - Develop security safeguards | Manual, Disabled | 1.1.0 |
Enable network protection | CMA_0238 - Enable network protection | Manual, Disabled | 1.1.0 |
Eradicate contaminated information | CMA_0253 - Eradicate contaminated information | Manual, Disabled | 1.1.0 |
Execute actions in response to information spills | CMA_0281 - Execute actions in response to information spills | Manual, Disabled | 1.1.0 |
Review and update incident response policies and procedures | CMA_C1352 - Review and update incident response policies and procedures | Manual, Disabled | 1.1.0 |
View and investigate restricted users | CMA_0545 - View and investigate restricted users | Manual, Disabled | 1.1.0 |
1562.11d2Organizational.2-11.d 11.02 Management of Information Security Incidents and Improvements
ID: 1562.11d2Organizational.2-11.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Address information security issues | CMA_C1742 - Address information security issues | Manual, Disabled | 1.1.0 |
Conduct incident response testing | CMA_0060 - Conduct incident response testing | Manual, Disabled | 1.1.0 |
Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
Develop contingency plan | CMA_C1244 - Develop contingency plan | Manual, Disabled | 1.1.0 |
Develop security safeguards | CMA_0161 - Develop security safeguards | Manual, Disabled | 1.1.0 |
Enable network protection | CMA_0238 - Enable network protection | Manual, Disabled | 1.1.0 |
Eradicate contaminated information | CMA_0253 - Eradicate contaminated information | Manual, Disabled | 1.1.0 |
Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
Execute actions in response to information spills | CMA_0281 - Execute actions in response to information spills | Manual, Disabled | 1.1.0 |
Identify classes of Incidents and Actions taken | CMA_C1365 - Identify classes of Incidents and Actions taken | Manual, Disabled | 1.1.0 |
Run simulation attacks | CMA_0486 - Run simulation attacks | Manual, Disabled | 1.1.0 |
View and investigate restricted users | CMA_0545 - View and investigate restricted users | Manual, Disabled | 1.1.0 |
1563.11d2Organizational.3-11.d 11.02 Management of Information Security Incidents and Improvements
ID: 1563.11d2Organizational.3-11.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Assess information security events | CMA_0013 - Assess information security events | Manual, Disabled | 1.1.0 |
Conduct incident response testing | CMA_0060 - Conduct incident response testing | Manual, Disabled | 1.1.0 |
Maintain incident response plan | CMA_0352 - Maintain incident response plan | Manual, Disabled | 1.1.0 |
Run simulation attacks | CMA_0486 - Run simulation attacks | Manual, Disabled | 1.1.0 |
1577.11aCSPOrganizational.1-11.a 11.01 Reporting Information Security Incidents and Weaknesses
ID: 1577.11aCSPOrganizational.1-11.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Ensure external providers consistently meet interests of the customers | CMA_C1592 - Ensure external providers consistently meet interests of the customers | Manual, Disabled | 1.1.0 |
Identify incident response personnel | CMA_0301 - Identify incident response personnel | Manual, Disabled | 1.1.0 |
1587.11c2Organizational.10-11.c 11.02 Management of Information Security Incidents and Improvements
ID: 1587.11c2Organizational.10-11.c Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Assess information security events | CMA_0013 - Assess information security events | Manual, Disabled | 1.1.0 |
Develop security safeguards | CMA_0161 - Develop security safeguards | Manual, Disabled | 1.1.0 |
Enable network protection | CMA_0238 - Enable network protection | Manual, Disabled | 1.1.0 |
Eradicate contaminated information | CMA_0253 - Eradicate contaminated information | Manual, Disabled | 1.1.0 |
Execute actions in response to information spills | CMA_0281 - Execute actions in response to information spills | Manual, Disabled | 1.1.0 |
Maintain data breach records | CMA_0351 - Maintain data breach records | Manual, Disabled | 1.1.0 |
Maintain incident response plan | CMA_0352 - Maintain incident response plan | Manual, Disabled | 1.1.0 |
Protect incident response plan | CMA_0405 - Protect incident response plan | Manual, Disabled | 1.1.0 |
View and investigate restricted users | CMA_0545 - View and investigate restricted users | Manual, Disabled | 1.1.0 |
1589.11c1Organizational.5-11.c 11.02 Management of Information Security Incidents and Improvements
ID: 1589.11c1Organizational.5-11.c Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Conduct incident response testing | CMA_0060 - Conduct incident response testing | Manual, Disabled | 1.1.0 |
Incorporate simulated events into incident response training | CMA_C1356 - Incorporate simulated events into incident response training | Manual, Disabled | 1.1.0 |
Provide information spillage training | CMA_0413 - Provide information spillage training | Manual, Disabled | 1.1.0 |
Run simulation attacks | CMA_0486 - Run simulation attacks | Manual, Disabled | 1.1.0 |
16 Business Continuity & Disaster Recovery
1601.12c1Organizational.1238-12.c 12.01 Information Security Aspects of Business Continuity Management
ID: 1601.12c1Organizational.1238-12.c Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Develop contingency plan | CMA_C1244 - Develop contingency plan | Manual, Disabled | 1.1.0 |
Test the business continuity and disaster recovery plan | CMA_0509 - Test the business continuity and disaster recovery plan | Manual, Disabled | 1.1.0 |
Update contingency plan | CMA_C1248 - Update contingency plan | Manual, Disabled | 1.1.0 |
1602.12c1Organizational.4567-12.c 12.01 Information Security Aspects of Business Continuity Management
ID: 1602.12c1Organizational.4567-12.c Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Conduct capacity planning | CMA_C1252 - Conduct capacity planning | Manual, Disabled | 1.1.0 |
Develop and document a business continuity and disaster recovery plan | CMA_0146 - Develop and document a business continuity and disaster recovery plan | Manual, Disabled | 1.1.0 |
Develop contingency plan | CMA_C1244 - Develop contingency plan | Manual, Disabled | 1.1.0 |
1603.12c1Organizational.9-12.c 12.01 Information Security Aspects of Business Continuity Management
ID: 1603.12c1Organizational.9-12.c Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Communicate contingency plan changes | CMA_C1249 - Communicate contingency plan changes | Manual, Disabled | 1.1.0 |
Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
Develop contingency planning policies and procedures | CMA_0156 - Develop contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
Distribute policies and procedures | CMA_0185 - Distribute policies and procedures | Manual, Disabled | 1.1.0 |
Review and update contingency planning policies and procedures | CMA_C1243 - Review and update contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
1604.12c2Organizational.16789-12.c 12.01 Information Security Aspects of Business Continuity Management
ID: 1604.12c2Organizational.16789-12.c Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Create separate alternate and primary storage sites | CMA_C1269 - Create separate alternate and primary storage sites | Manual, Disabled | 1.1.0 |
Ensure alternate storage site safeguards are equivalent to primary site | CMA_C1268 - Ensure alternate storage site safeguards are equivalent to primary site | Manual, Disabled | 1.1.0 |
Establish alternate storage site that facilitates recovery operations | CMA_C1270 - Establish alternate storage site that facilitates recovery operations | Manual, Disabled | 1.1.0 |
Establish alternate storage site to store and retrieve backup information | CMA_C1267 - Establish alternate storage site to store and retrieve backup information | Manual, Disabled | 1.1.0 |
Establish an alternate processing site | CMA_0262 - Establish an alternate processing site | Manual, Disabled | 1.1.0 |
Establish requirements for internet service providers | CMA_0278 - Establish requirements for internet service providers | Manual, Disabled | 1.1.0 |
1607.12c2Organizational.4-12.c 12.01 Information Security Aspects of Business Continuity Management
ID: 1607.12c2Organizational.4-12.c Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Develop contingency plan | CMA_C1244 - Develop contingency plan | Manual, Disabled | 1.1.0 |
Review and update contingency planning policies and procedures | CMA_C1243 - Review and update contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
1608.12c2Organizational.5-12.c 12.01 Information Security Aspects of Business Continuity Management
ID: 1608.12c2Organizational.5-12.c Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Conduct backup of information system documentation | CMA_C1289 - Conduct backup of information system documentation | Manual, Disabled | 1.1.0 |
Separately store backup information | CMA_C1293 - Separately store backup information | Manual, Disabled | 1.1.0 |
Transfer backup information to an alternate storage site | CMA_C1294 - Transfer backup information to an alternate storage site | Manual, Disabled | 1.1.0 |
1609.12c3Organizational.12-12.c 12.01 Information Security Aspects of Business Continuity Management
ID: 1609.12c3Organizational.12-12.c Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Establish requirements for internet service providers | CMA_0278 - Establish requirements for internet service providers | Manual, Disabled | 1.1.0 |
1616.09l1Organizational.16-09.l 09.05 Information Back-Up
ID: 1616.09l1Organizational.16-09.l Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Conduct backup of information system documentation | CMA_C1289 - Conduct backup of information system documentation | Manual, Disabled | 1.1.0 |
Long-term geo-redundant backup should be enabled for Azure SQL Databases | This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled. | AuditIfNotExists, Disabled | 2.0.0 |
1617.09l1Organizational.23-09.l 09.05 Information Back-Up
ID: 1617.09l1Organizational.23-09.l Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Conduct backup of information system documentation | CMA_C1289 - Conduct backup of information system documentation | Manual, Disabled | 1.1.0 |
Develop contingency plan | CMA_C1244 - Develop contingency plan | Manual, Disabled | 1.1.0 |
Geo-redundant backup should be enabled for Azure Database for MySQL | Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
1618.09l1Organizational.45-09.l 09.05 Information Back-Up
ID: 1618.09l1Organizational.45-09.l Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Create separate alternate and primary storage sites | CMA_C1269 - Create separate alternate and primary storage sites | Manual, Disabled | 1.1.0 |
Ensure alternate storage site safeguards are equivalent to primary site | CMA_C1268 - Ensure alternate storage site safeguards are equivalent to primary site | Manual, Disabled | 1.1.0 |
Establish alternate storage site that facilitates recovery operations | CMA_C1270 - Establish alternate storage site that facilitates recovery operations | Manual, Disabled | 1.1.0 |
Establish alternate storage site to store and retrieve backup information | CMA_C1267 - Establish alternate storage site to store and retrieve backup information | Manual, Disabled | 1.1.0 |
Establish backup policies and procedures | CMA_0268 - Establish backup policies and procedures | Manual, Disabled | 1.1.0 |
Geo-redundant backup should be enabled for Azure Database for PostgreSQL | Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
Separately store backup information | CMA_C1293 - Separately store backup information | Manual, Disabled | 1.1.0 |
1619.09l1Organizational.7-09.l 09.05 Information Back-Up
ID: 1619.09l1Organizational.7-09.l Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Establish requirements for internet service providers | CMA_0278 - Establish requirements for internet service providers | Manual, Disabled | 1.1.0 |
Geo-redundant backup should be enabled for Azure Database for MariaDB | Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
1620.09l1Organizational.8-09.l 09.05 Information Back-Up
ID: 1620.09l1Organizational.8-09.l Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Azure Backup should be enabled for Virtual Machines | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | AuditIfNotExists, Disabled | 3.0.0 |
Conduct backup of information system documentation | CMA_C1289 - Conduct backup of information system documentation | Manual, Disabled | 1.1.0 |
Establish backup policies and procedures | CMA_0268 - Establish backup policies and procedures | Manual, Disabled | 1.1.0 |
Separately store backup information | CMA_C1293 - Separately store backup information | Manual, Disabled | 1.1.0 |
Transfer backup information to an alternate storage site | CMA_C1294 - Transfer backup information to an alternate storage site | Manual, Disabled | 1.1.0 |
1621.09l2Organizational.1-09.l 09.05 Information Back-Up
ID: 1621.09l2Organizational.1-09.l Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Create a data inventory | CMA_0096 - Create a data inventory | Manual, Disabled | 1.1.0 |
Long-term geo-redundant backup should be enabled for Azure SQL Databases | This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled. | AuditIfNotExists, Disabled | 2.0.0 |
Maintain records of processing of personal data | CMA_0353 - Maintain records of processing of personal data | Manual, Disabled | 1.1.0 |
1622.09l2Organizational.23-09.l 09.05 Information Back-Up
ID: 1622.09l2Organizational.23-09.l Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Establish backup policies and procedures | CMA_0268 - Establish backup policies and procedures | Manual, Disabled | 1.1.0 |
Geo-redundant backup should be enabled for Azure Database for MySQL | Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
Identify and mitigate potential issues at alternate storage site | CMA_C1271 - Identify and mitigate potential issues at alternate storage site | Manual, Disabled | 1.1.0 |
Separately store backup information | CMA_C1293 - Separately store backup information | Manual, Disabled | 1.1.0 |
1623.09l2Organizational.4-09.l 09.05 Information Back-Up
ID: 1623.09l2Organizational.4-09.l Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Conduct backup of information system documentation | CMA_C1289 - Conduct backup of information system documentation | Manual, Disabled | 1.1.0 |
Establish backup policies and procedures | CMA_0268 - Establish backup policies and procedures | Manual, Disabled | 1.1.0 |
Geo-redundant backup should be enabled for Azure Database for PostgreSQL | Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
1624.09l3Organizational.12-09.l 09.05 Information Back-Up
ID: 1624.09l3Organizational.12-09.l Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Conduct backup of information system documentation | CMA_C1289 - Conduct backup of information system documentation | Manual, Disabled | 1.1.0 |
Establish backup policies and procedures | CMA_0268 - Establish backup policies and procedures | Manual, Disabled | 1.1.0 |
Geo-redundant backup should be enabled for Azure Database for MariaDB | Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
1625.09l3Organizational.34-09.l 09.05 Information Back-Up
ID: 1625.09l3Organizational.34-09.l Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Azure Backup should be enabled for Virtual Machines | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | AuditIfNotExists, Disabled | 3.0.0 |
Conduct backup of information system documentation | CMA_C1289 - Conduct backup of information system documentation | Manual, Disabled | 1.1.0 |
1626.09l3Organizational.5-09.l 09.05 Information Back-Up
ID: 1626.09l3Organizational.5-09.l Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Conduct backup of information system documentation | CMA_C1289 - Conduct backup of information system documentation | Manual, Disabled | 1.1.0 |
Geo-redundant backup should be enabled for Azure Database for PostgreSQL | Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
1627.09l3Organizational.6-09.l 09.05 Information Back-Up
ID: 1627.09l3Organizational.6-09.l Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Geo-redundant backup should be enabled for Azure Database for MariaDB | Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
Separately store backup information | CMA_C1293 - Separately store backup information | Manual, Disabled | 1.1.0 |
1634.12b1Organizational.1-12.b 12.01 Information Security Aspects of Business Continuity Management
ID: 1634.12b1Organizational.1-12.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Audit virtual machines without disaster recovery configured | Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit https://aka.ms/asr-doc. | auditIfNotExists | 1.0.0 |
Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
Develop contingency plan | CMA_C1244 - Develop contingency plan | Manual, Disabled | 1.1.0 |
Develop contingency planning policies and procedures | CMA_0156 - Develop contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
Distribute policies and procedures | CMA_0185 - Distribute policies and procedures | Manual, Disabled | 1.1.0 |
1635.12b1Organizational.2-12.b 12.01 Information Security Aspects of Business Continuity Management
ID: 1635.12b1Organizational.2-12.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Azure Key Vault Managed HSM should have purge protection enabled | Malicious deletion of an Azure Key Vault Managed HSM can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge Azure Key Vault Managed HSM. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted Azure Key Vault Managed HSM. No one inside your organization or Microsoft will be able to purge your Azure Key Vault Managed HSM during the soft delete retention period. | Audit, Deny, Disabled | 1.0.0 |
Develop contingency plan | CMA_C1244 - Develop contingency plan | Manual, Disabled | 1.1.0 |
Key vaults should have deletion protection enabled | Malicious deletion of a key vault can lead to permanent data loss. You can prevent permanent data loss by enabling purge protection and soft delete. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. Keep in mind that key vaults created after September 1st 2019 have soft-delete enabled by default. | Audit, Deny, Disabled | 2.1.0 |
Perform a business impact assessment and application criticality assessment | CMA_0386 - Perform a business impact assessment and application criticality assessment | Manual, Disabled | 1.1.0 |
Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
Plan for resumption of essential business functions | CMA_C1253 - Plan for resumption of essential business functions | Manual, Disabled | 1.1.0 |
1636.12b2Organizational.1-12.b 12.01 Information Security Aspects of Business Continuity Management
ID: 1636.12b2Organizational.1-12.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
Develop contingency plan | CMA_C1244 - Develop contingency plan | Manual, Disabled | 1.1.0 |
Perform a business impact assessment and application criticality assessment | CMA_0386 - Perform a business impact assessment and application criticality assessment | Manual, Disabled | 1.1.0 |
1637.12b2Organizational.2-12.b 12.01 Information Security Aspects of Business Continuity Management
ID: 1637.12b2Organizational.2-12.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Conduct Risk Assessment | CMA_C1543 - Conduct Risk Assessment | Manual, Disabled | 1.1.0 |
Conduct risk assessment and distribute its results | CMA_C1544 - Conduct risk assessment and distribute its results | Manual, Disabled | 1.1.0 |
Conduct risk assessment and document its results | CMA_C1542 - Conduct risk assessment and document its results | Manual, Disabled | 1.1.0 |
Develop contingency plan | CMA_C1244 - Develop contingency plan | Manual, Disabled | 1.1.0 |
Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
Plan for resumption of essential business functions | CMA_C1253 - Plan for resumption of essential business functions | Manual, Disabled | 1.1.0 |
Update contingency plan | CMA_C1248 - Update contingency plan | Manual, Disabled | 1.1.0 |
Windows machines should meet requirements for 'Security Options - Recovery console' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Recovery console' for allowing floppy copy and access to all drives and folders. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
1638.12b2Organizational.345-12.b 12.01 Information Security Aspects of Business Continuity Management
ID: 1638.12b2Organizational.345-12.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Audit virtual machines without disaster recovery configured | Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit https://aka.ms/asr-doc. | auditIfNotExists | 1.0.0 |
Conduct capacity planning | CMA_C1252 - Conduct capacity planning | Manual, Disabled | 1.1.0 |
Develop contingency plan | CMA_C1244 - Develop contingency plan | Manual, Disabled | 1.1.0 |
Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
Plan for resumption of essential business functions | CMA_C1253 - Plan for resumption of essential business functions | Manual, Disabled | 1.1.0 |
1666.12d1Organizational.1235-12.d 12.01 Information Security Aspects of Business Continuity Management
ID: 1666.12d1Organizational.1235-12.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Communicate contingency plan changes | CMA_C1249 - Communicate contingency plan changes | Manual, Disabled | 1.1.0 |
Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
Develop contingency plan | CMA_C1244 - Develop contingency plan | Manual, Disabled | 1.1.0 |
Plan for resumption of essential business functions | CMA_C1253 - Plan for resumption of essential business functions | Manual, Disabled | 1.1.0 |
1667.12d1Organizational.4-12.d 12.01 Information Security Aspects of Business Continuity Management
ID: 1667.12d1Organizational.4-12.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Communicate contingency plan changes | CMA_C1249 - Communicate contingency plan changes | Manual, Disabled | 1.1.0 |
Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
Develop and document a business continuity and disaster recovery plan | CMA_0146 - Develop and document a business continuity and disaster recovery plan | Manual, Disabled | 1.1.0 |
Update contingency plan | CMA_C1248 - Update contingency plan | Manual, Disabled | 1.1.0 |
1668.12d1Organizational.67-12.d 12.01 Information Security Aspects of Business Continuity Management
ID: 1668.12d1Organizational.67-12.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Develop contingency plan | CMA_C1244 - Develop contingency plan | Manual, Disabled | 1.1.0 |
Establish alternate storage site to store and retrieve backup information | CMA_C1267 - Establish alternate storage site to store and retrieve backup information | Manual, Disabled | 1.1.0 |
Establish an alternate processing site | CMA_0262 - Establish an alternate processing site | Manual, Disabled | 1.1.0 |
Review and update contingency planning policies and procedures | CMA_C1243 - Review and update contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
1669.12d1Organizational.8-12.d 12.01 Information Security Aspects of Business Continuity Management
ID: 1669.12d1Organizational.8-12.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Develop contingency plan | CMA_C1244 - Develop contingency plan | Manual, Disabled | 1.1.0 |
Perform a business impact assessment and application criticality assessment | CMA_0386 - Perform a business impact assessment and application criticality assessment | Manual, Disabled | 1.1.0 |
Plan for resumption of essential business functions | CMA_C1253 - Plan for resumption of essential business functions | Manual, Disabled | 1.1.0 |
Provide contingency training | CMA_0412 - Provide contingency training | Manual, Disabled | 1.1.0 |
Test the business continuity and disaster recovery plan | CMA_0509 - Test the business continuity and disaster recovery plan | Manual, Disabled | 1.1.0 |
Update contingency plan | CMA_C1248 - Update contingency plan | Manual, Disabled | 1.1.0 |
1670.12d2Organizational.1-12.d 12.01 Information Security Aspects of Business Continuity Management
ID: 1670.12d2Organizational.1-12.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Develop contingency plan | CMA_C1244 - Develop contingency plan | Manual, Disabled | 1.1.0 |
1671.12d2Organizational.2-12.d 12.01 Information Security Aspects of Business Continuity Management
ID: 1671.12d2Organizational.2-12.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Communicate contingency plan changes | CMA_C1249 - Communicate contingency plan changes | Manual, Disabled | 1.1.0 |
Review contingency plan | CMA_C1247 - Review contingency plan | Manual, Disabled | 1.1.0 |
Update contingency plan | CMA_C1248 - Update contingency plan | Manual, Disabled | 1.1.0 |
1672.12d2Organizational.3-12.d 12.01 Information Security Aspects of Business Continuity Management
ID: 1672.12d2Organizational.3-12.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Communicate contingency plan changes | CMA_C1249 - Communicate contingency plan changes | Manual, Disabled | 1.1.0 |
Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
Develop contingency plan | CMA_C1244 - Develop contingency plan | Manual, Disabled | 1.1.0 |
Review and update contingency planning policies and procedures | CMA_C1243 - Review and update contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
Update contingency plan | CMA_C1248 - Update contingency plan | Manual, Disabled | 1.1.0 |
17 Risk Management
1704.03b1Organizational.12-03.b 03.01 Risk Management Program
ID: 1704.03b1Organizational.12-03.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Conduct Risk Assessment | CMA_C1543 - Conduct Risk Assessment | Manual, Disabled | 1.1.0 |
Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
1705.03b2Organizational.12-03.b 03.01 Risk Management Program
ID: 1705.03b2Organizational.12-03.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Conduct Risk Assessment | CMA_C1543 - Conduct Risk Assessment | Manual, Disabled | 1.1.0 |
Conduct risk assessment and distribute its results | CMA_C1544 - Conduct risk assessment and distribute its results | Manual, Disabled | 1.1.0 |
1707.03c1Organizational.12-03.c 03.01 Risk Management Program
ID: 1707.03c1Organizational.12-03.c Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Develop POA&M | CMA_C1156 - Develop POA&M | Manual, Disabled | 1.1.0 |
1708.03c2Organizational.12-03.c 03.01 Risk Management Program
ID: 1708.03c2Organizational.12-03.c Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Develop POA&M | CMA_C1156 - Develop POA&M | Manual, Disabled | 1.1.0 |
Update POA&M items | CMA_C1157 - Update POA&M items | Manual, Disabled | 1.1.0 |
17100.10a3Organizational.5 10.01 Security Requirements of Information Systems
ID: 17100.10a3Organizational.5 Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
17101.10a3Organizational.6-10.a 10.01 Security Requirements of Information Systems
ID: 17101.10a3Organizational.6-10.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Address coding vulnerabilities | CMA_0003 - Address coding vulnerabilities | Manual, Disabled | 1.1.0 |
Develop and document application security requirements | CMA_0148 - Develop and document application security requirements | Manual, Disabled | 1.1.0 |
Establish a secure software development program | CMA_0259 - Establish a secure software development program | Manual, Disabled | 1.1.0 |
Obtain design and implementation information for the security controls | CMA_C1576 - Obtain design and implementation information for the security controls | Manual, Disabled | 1.1.1 |
Obtain functional properties of security controls | CMA_C1575 - Obtain functional properties of security controls | Manual, Disabled | 1.1.0 |
Require developers to implement only approved changes | CMA_C1596 - Require developers to implement only approved changes | Manual, Disabled | 1.1.0 |
Require developers to manage change integrity | CMA_C1595 - Require developers to manage change integrity | Manual, Disabled | 1.1.0 |
17120.10a3Organizational.5-10.a 10.01 Security Requirements of Information Systems
ID: 17120.10a3Organizational.5-10.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Assess risk in third party relationships | CMA_0014 - Assess risk in third party relationships | Manual, Disabled | 1.1.0 |
Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
Obtain approvals for acquisitions and outsourcing | CMA_C1590 - Obtain approvals for acquisitions and outsourcing | Manual, Disabled | 1.1.0 |
17126.03c1System.6-03.c 03.01 Risk Management Program
ID: 17126.03c1System.6-03.c Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Conduct risk assessment and document its results | CMA_C1542 - Conduct risk assessment and document its results | Manual, Disabled | 1.1.0 |
Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
Implement the risk management strategy | CMA_C1744 - Implement the risk management strategy | Manual, Disabled | 1.1.0 |
1713.03c1Organizational.3-03.c 03.01 Risk Management Program
ID: 1713.03c1Organizational.3-03.c Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define the duties of processors | CMA_0127 - Define the duties of processors | Manual, Disabled | 1.1.0 |
Document the legal basis for processing personal information | CMA_0206 - Document the legal basis for processing personal information | Manual, Disabled | 1.1.0 |
Evaluate and review PII holdings regularly | CMA_C1832 - Evaluate and review PII holdings regularly | Manual, Disabled | 1.1.0 |
Issue guidelines for ensuring data quality and integrity | CMA_C1824 - Issue guidelines for ensuring data quality and integrity | Manual, Disabled | 1.1.0 |
Obtain consent prior to collection or processing of personal data | CMA_0385 - Obtain consent prior to collection or processing of personal data | Manual, Disabled | 1.1.0 |
Perform disposition review | CMA_0391 - Perform disposition review | Manual, Disabled | 1.1.0 |
Record disclosures of PII to third parties | CMA_0422 - Record disclosures of PII to third parties | Manual, Disabled | 1.1.0 |
Train staff on PII sharing and its consequences | CMA_C1871 - Train staff on PII sharing and its consequences | Manual, Disabled | 1.1.0 |
Verify personal data is deleted at the end of processing | CMA_0540 - Verify personal data is deleted at the end of processing | Manual, Disabled | 1.1.0 |
1733.03d1Organizational.1-03.d 03.01 Risk Management Program
ID: 1733.03d1Organizational.1-03.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Conduct Risk Assessment | CMA_C1543 - Conduct Risk Assessment | Manual, Disabled | 1.1.0 |
Conduct risk assessment and document its results | CMA_C1542 - Conduct risk assessment and document its results | Manual, Disabled | 1.1.0 |
Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
1734.03d2Organizational.1-03.d 03.01 Risk Management Program
ID: 1734.03d2Organizational.1-03.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Manual, Disabled | 1.1.0 |
Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
Integrate risk management process into SDLC | CMA_C1567 - Integrate risk management process into SDLC | Manual, Disabled | 1.1.0 |
Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
1735.03d2Organizational.23-03.d 03.01 Risk Management Program
ID: 1735.03d2Organizational.23-03.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
Conduct risk assessment and distribute its results | CMA_C1544 - Conduct risk assessment and distribute its results | Manual, Disabled | 1.1.0 |
Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Manual, Disabled | 1.1.0 |
Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
Integrate risk management process into SDLC | CMA_C1567 - Integrate risk management process into SDLC | Manual, Disabled | 1.1.0 |
Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
1736.03d2Organizational.4-03.d 03.01 Risk Management Program
ID: 1736.03d2Organizational.4-03.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Conduct risk assessment and document its results | CMA_C1542 - Conduct risk assessment and document its results | Manual, Disabled | 1.1.0 |
1737.03d2Organizational.5-03.d 03.01 Risk Management Program
ID: 1737.03d2Organizational.5-03.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Conduct Risk Assessment | CMA_C1543 - Conduct Risk Assessment | Manual, Disabled | 1.1.0 |
Conduct risk assessment and distribute its results | CMA_C1544 - Conduct risk assessment and distribute its results | Manual, Disabled | 1.1.0 |
Conduct risk assessment and document its results | CMA_C1542 - Conduct risk assessment and document its results | Manual, Disabled | 1.1.0 |
Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
1780.10a1Organizational.1-10.a 10.01 Security Requirements of Information Systems
ID: 1780.10a1Organizational.1-10.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define information security roles and responsibilities | CMA_C1565 - Define information security roles and responsibilities | Manual, Disabled | 1.1.0 |
Develop access control policies and procedures | CMA_0144 - Develop access control policies and procedures | Manual, Disabled | 1.1.0 |
Govern policies and procedures | CMA_0292 - Govern policies and procedures | Manual, Disabled | 1.1.0 |
1781.10a1Organizational.23-10.a 10.01 Security Requirements of Information Systems
ID: 1781.10a1Organizational.23-10.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define information security roles and responsibilities | CMA_C1565 - Define information security roles and responsibilities | Manual, Disabled | 1.1.0 |
Develop a concept of operations (CONOPS) | CMA_0141 - Develop a concept of operations (CONOPS) | Manual, Disabled | 1.1.0 |
Develop SSP that meets criteria | CMA_C1492 - Develop SSP that meets criteria | Manual, Disabled | 1.1.0 |
Integrate risk management process into SDLC | CMA_C1567 - Integrate risk management process into SDLC | Manual, Disabled | 1.1.0 |
1782.10a1Organizational.4-10.a 10.01 Security Requirements of Information Systems
ID: 1782.10a1Organizational.4-10.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Manual, Disabled | 1.1.0 |
Develop SSP that meets criteria | CMA_C1492 - Develop SSP that meets criteria | Manual, Disabled | 1.1.0 |
Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
1783.10a1Organizational.56-10.a 10.01 Security Requirements of Information Systems
ID: 1783.10a1Organizational.56-10.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
1784.10a1Organizational.7-10.a 10.01 Security Requirements of Information Systems
ID: 1784.10a1Organizational.7-10.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Employ FIPS 201-approved technology for PIV | CMA_C1579 - Employ FIPS 201-approved technology for PIV | Manual, Disabled | 1.1.0 |
1785.10a1Organizational.8-10.a 10.01 Security Requirements of Information Systems
ID: 1785.10a1Organizational.8-10.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0 |
Create alternative actions for identified anomalies | CMA_C1711 - Create alternative actions for identified anomalies | Manual, Disabled | 1.1.0 |
Require developers to describe accurate security functionality | CMA_C1613 - Require developers to describe accurate security functionality | Manual, Disabled | 1.1.0 |
Separate user and information system management functionality | CMA_0493 - Separate user and information system management functionality | Manual, Disabled | 1.1.0 |
Use dedicated machines for administrative tasks | CMA_0527 - Use dedicated machines for administrative tasks | Manual, Disabled | 1.1.0 |
1786.10a1Organizational.9-10.a 10.01 Security Requirements of Information Systems
ID: 1786.10a1Organizational.9-10.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define information security roles and responsibilities | CMA_C1565 - Define information security roles and responsibilities | Manual, Disabled | 1.1.0 |
Identify external service providers | CMA_C1591 - Identify external service providers | Manual, Disabled | 1.1.0 |
Identify individuals with security roles and responsibilities | CMA_C1566 - Identify individuals with security roles and responsibilities | Manual, Disabled | 1.1.1 |
Require developer to identify SDLC ports, protocols, and services | CMA_C1578 - Require developer to identify SDLC ports, protocols, and services | Manual, Disabled | 1.1.0 |
1787.10a2Organizational.1-10.a 10.01 Security Requirements of Information Systems
ID: 1787.10a2Organizational.1-10.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Automate privacy controls | CMA_C1817 - Automate privacy controls | Manual, Disabled | 1.1.0 |
Define information security roles and responsibilities | CMA_C1565 - Define information security roles and responsibilities | Manual, Disabled | 1.1.0 |
Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
Information security and personal data protection | CMA_0332 - Information security and personal data protection | Manual, Disabled | 1.1.0 |
Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
1788.10a2Organizational.2-10.a 10.01 Security Requirements of Information Systems
ID: 1788.10a2Organizational.2-10.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Address coding vulnerabilities | CMA_0003 - Address coding vulnerabilities | Manual, Disabled | 1.1.0 |
Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
Develop and document application security requirements | CMA_0148 - Develop and document application security requirements | Manual, Disabled | 1.1.0 |
Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Manual, Disabled | 1.1.0 |
Establish a secure software development program | CMA_0259 - Establish a secure software development program | Manual, Disabled | 1.1.0 |
Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
Require developers to document approved changes and potential impact | CMA_C1597 - Require developers to document approved changes and potential impact | Manual, Disabled | 1.1.0 |
Require developers to implement only approved changes | CMA_C1596 - Require developers to implement only approved changes | Manual, Disabled | 1.1.0 |
Require developers to manage change integrity | CMA_C1595 - Require developers to manage change integrity | Manual, Disabled | 1.1.0 |
1789.10a2Organizational.3-10.a 10.01 Security Requirements of Information Systems
ID: 1789.10a2Organizational.3-10.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define information security roles and responsibilities | CMA_C1565 - Define information security roles and responsibilities | Manual, Disabled | 1.1.0 |
Develop a concept of operations (CONOPS) | CMA_0141 - Develop a concept of operations (CONOPS) | Manual, Disabled | 1.1.0 |
Identify individuals with security roles and responsibilities | CMA_C1566 - Identify individuals with security roles and responsibilities | Manual, Disabled | 1.1.1 |
Integrate risk management process into SDLC | CMA_C1567 - Integrate risk management process into SDLC | Manual, Disabled | 1.1.0 |
1790.10a2Organizational.45-10.a 10.01 Security Requirements of Information Systems
ID: 1790.10a2Organizational.45-10.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define information security roles and responsibilities | CMA_C1565 - Define information security roles and responsibilities | Manual, Disabled | 1.1.0 |
Develop a concept of operations (CONOPS) | CMA_0141 - Develop a concept of operations (CONOPS) | Manual, Disabled | 1.1.0 |
Develop SSP that meets criteria | CMA_C1492 - Develop SSP that meets criteria | Manual, Disabled | 1.1.0 |
Integrate risk management process into SDLC | CMA_C1567 - Integrate risk management process into SDLC | Manual, Disabled | 1.1.0 |
Review and update the information security architecture | CMA_C1504 - Review and update the information security architecture | Manual, Disabled | 1.1.0 |
Review development process, standards and tools | CMA_C1610 - Review development process, standards and tools | Manual, Disabled | 1.1.0 |
1791.10a2Organizational.6-10.a 10.01 Security Requirements of Information Systems
ID: 1791.10a2Organizational.6-10.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Automate flaw remediation | CMA_0027 - Automate flaw remediation | Manual, Disabled | 1.1.0 |
Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
Govern compliance of cloud service providers | CMA_0290 - Govern compliance of cloud service providers | Manual, Disabled | 1.1.0 |
Integrate risk management process into SDLC | CMA_C1567 - Integrate risk management process into SDLC | Manual, Disabled | 1.1.0 |
View and configure system diagnostic data | CMA_0544 - View and configure system diagnostic data | Manual, Disabled | 1.1.0 |
1792.10a2Organizational.7814-10.a 10.01 Security Requirements of Information Systems
ID: 1792.10a2Organizational.7814-10.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define information security roles and responsibilities | CMA_C1565 - Define information security roles and responsibilities | Manual, Disabled | 1.1.0 |
Identify individuals with security roles and responsibilities | CMA_C1566 - Identify individuals with security roles and responsibilities | Manual, Disabled | 1.1.1 |
Implement the risk management strategy | CMA_C1744 - Implement the risk management strategy | Manual, Disabled | 1.1.0 |
Integrate risk management process into SDLC | CMA_C1567 - Integrate risk management process into SDLC | Manual, Disabled | 1.1.0 |
1793.10a2Organizational.91011-10.a 10.01 Security Requirements of Information Systems
ID: 1793.10a2Organizational.91011-10.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Manual, Disabled | 1.1.0 |
Develop SSP that meets criteria | CMA_C1492 - Develop SSP that meets criteria | Manual, Disabled | 1.1.0 |
Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
1794.10a2Organizational.12-10.a 10.01 Security Requirements of Information Systems
ID: 1794.10a2Organizational.12-10.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Require developers to produce evidence of security assessment plan execution | CMA_C1602 - Require developers to produce evidence of security assessment plan execution | Manual, Disabled | 1.1.0 |
1795.10a2Organizational.13-10.a 10.01 Security Requirements of Information Systems
ID: 1795.10a2Organizational.13-10.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Address coding vulnerabilities | CMA_0003 - Address coding vulnerabilities | Manual, Disabled | 1.1.0 |
Develop and document application security requirements | CMA_0148 - Develop and document application security requirements | Manual, Disabled | 1.1.0 |
Establish a secure software development program | CMA_0259 - Establish a secure software development program | Manual, Disabled | 1.1.0 |
Require developers to document approved changes and potential impact | CMA_C1597 - Require developers to document approved changes and potential impact | Manual, Disabled | 1.1.0 |
Require developers to produce evidence of security assessment plan execution | CMA_C1602 - Require developers to produce evidence of security assessment plan execution | Manual, Disabled | 1.1.0 |
1796.10a2Organizational.15-10.a 10.01 Security Requirements of Information Systems
ID: 1796.10a2Organizational.15-10.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Accept assessment results | CMA_C1150 - Accept assessment results | Manual, Disabled | 1.1.0 |
Assess Security Controls | CMA_C1145 - Assess Security Controls | Manual, Disabled | 1.1.0 |
Deliver security assessment results | CMA_C1147 - Deliver security assessment results | Manual, Disabled | 1.1.0 |
Develop security assessment plan | CMA_C1144 - Develop security assessment plan | Manual, Disabled | 1.1.0 |
Employ independent assessors to conduct security control assessments | CMA_C1148 - Employ independent assessors to conduct security control assessments | Manual, Disabled | 1.1.0 |
Produce Security Assessment report | CMA_C1146 - Produce Security Assessment report | Manual, Disabled | 1.1.0 |
1797.10a3Organizational.1-10.a 10.01 Security Requirements of Information Systems
ID: 1797.10a3Organizational.1-10.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Develop a concept of operations (CONOPS) | CMA_0141 - Develop a concept of operations (CONOPS) | Manual, Disabled | 1.1.0 |
Develop an enterprise architecture | CMA_C1741 - Develop an enterprise architecture | Manual, Disabled | 1.1.0 |
Require developers to build security architecture | CMA_C1612 - Require developers to build security architecture | Manual, Disabled | 1.1.0 |
Require developers to describe accurate security functionality | CMA_C1613 - Require developers to describe accurate security functionality | Manual, Disabled | 1.1.0 |
Require developers to provide unified security protection approach | CMA_C1614 - Require developers to provide unified security protection approach | Manual, Disabled | 1.1.0 |
1798.10a3Organizational.2-10.a 10.01 Security Requirements of Information Systems
ID: 1798.10a3Organizational.2-10.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Develop a concept of operations (CONOPS) | CMA_0141 - Develop a concept of operations (CONOPS) | Manual, Disabled | 1.1.0 |
Develop an enterprise architecture | CMA_C1741 - Develop an enterprise architecture | Manual, Disabled | 1.1.0 |
Require developers to build security architecture | CMA_C1612 - Require developers to build security architecture | Manual, Disabled | 1.1.0 |
Review and update the information security architecture | CMA_C1504 - Review and update the information security architecture | Manual, Disabled | 1.1.0 |
1799.10a3Organizational.34-10.a 10.01 Security Requirements of Information Systems
ID: 1799.10a3Organizational.34-10.a Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Develop a concept of operations (CONOPS) | CMA_0141 - Develop a concept of operations (CONOPS) | Manual, Disabled | 1.1.0 |
Develop an enterprise architecture | CMA_C1741 - Develop an enterprise architecture | Manual, Disabled | 1.1.0 |
Require developers to build security architecture | CMA_C1612 - Require developers to build security architecture | Manual, Disabled | 1.1.0 |
Require developers to describe accurate security functionality | CMA_C1613 - Require developers to describe accurate security functionality | Manual, Disabled | 1.1.0 |
Require developers to provide unified security protection approach | CMA_C1614 - Require developers to provide unified security protection approach | Manual, Disabled | 1.1.0 |
Review and update the information security architecture | CMA_C1504 - Review and update the information security architecture | Manual, Disabled | 1.1.0 |
18 Physical & Environmental Security
1801.08b1Organizational.124-08.b 08.01 Secure Areas
ID: 1801.08b1Organizational.124-08.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
Monitor third-party provider compliance | CMA_C1533 - Monitor third-party provider compliance | Manual, Disabled | 1.1.0 |
1802.08b1Organizational.3-08.b 08.01 Secure Areas
ID: 1802.08b1Organizational.3-08.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
1803.08b1Organizational.5-08.b 08.01 Secure Areas
ID: 1803.08b1Organizational.5-08.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Automate remote maintenance activities | CMA_C1402 - Automate remote maintenance activities | Manual, Disabled | 1.1.0 |
Control maintenance and repair activities | CMA_0080 - Control maintenance and repair activities | Manual, Disabled | 1.1.0 |
Produce complete records of remote maintenance activities | CMA_C1403 - Produce complete records of remote maintenance activities | Manual, Disabled | 1.1.0 |
1804.08b2Organizational.12-08.b 08.01 Secure Areas
ID: 1804.08b2Organizational.12-08.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
1805.08b2Organizational.3-08.b 08.01 Secure Areas
ID: 1805.08b2Organizational.3-08.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
1806.08b2Organizational.4-08.b 08.01 Secure Areas
ID: 1806.08b2Organizational.4-08.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
1807.08b2Organizational.56-08.b 08.01 Secure Areas
ID: 1807.08b2Organizational.56-08.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
1808.08b2Organizational.7-08.b 08.01 Secure Areas
ID: 1808.08b2Organizational.7-08.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
Define a physical key management process | CMA_0115 - Define a physical key management process | Manual, Disabled | 1.1.0 |
Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
Review user accounts | CMA_0480 - Review user accounts | Manual, Disabled | 1.1.0 |
Separate duties of individuals | CMA_0492 - Separate duties of individuals | Manual, Disabled | 1.1.0 |
1810.08b3Organizational.2-08.b 08.01 Secure Areas
ID: 1810.08b3Organizational.2-08.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
18108.08j1Organizational.1-08.j 08.02 Equipment Security
ID: 18108.08j1Organizational.1-08.j Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Review and update media protection policies and procedures | CMA_C1427 - Review and update media protection policies and procedures | Manual, Disabled | 1.1.0 |
Review and update system maintenance policies and procedures | CMA_C1395 - Review and update system maintenance policies and procedures | Manual, Disabled | 1.1.0 |
18109.08j1Organizational.4-08.j 08.02 Equipment Security
ID: 18109.08j1Organizational.4-08.j Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Designate personnel to supervise unauthorized maintenance activities | CMA_C1422 - Designate personnel to supervise unauthorized maintenance activities | Manual, Disabled | 1.1.0 |
Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
Maintain list of authorized remote maintenance personnel | CMA_C1420 - Maintain list of authorized remote maintenance personnel | Manual, Disabled | 1.1.0 |
Manage maintenance personnel | CMA_C1421 - Manage maintenance personnel | Manual, Disabled | 1.1.0 |
1811.08b3Organizational.3-08.b 08.01 Secure Areas
ID: 1811.08b3Organizational.3-08.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
Define a physical key management process | CMA_0115 - Define a physical key management process | Manual, Disabled | 1.1.0 |
Establish and maintain an asset inventory | CMA_0266 - Establish and maintain an asset inventory | Manual, Disabled | 1.1.0 |
Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
18110.08j1Organizational.5-08.j 08.02 Equipment Security
ID: 18110.08j1Organizational.5-08.j Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Control maintenance and repair activities | CMA_0080 - Control maintenance and repair activities | Manual, Disabled | 1.1.0 |
Implement cryptographic mechanisms | CMA_C1419 - Implement cryptographic mechanisms | Manual, Disabled | 1.1.0 |
Manage nonlocal maintenance and diagnostic activities | CMA_0364 - Manage nonlocal maintenance and diagnostic activities | Manual, Disabled | 1.1.0 |
Perform all non-local maintenance | CMA_C1417 - Perform all non-local maintenance | Manual, Disabled | 1.1.0 |
18111.08j1Organizational.6-08.j 08.02 Equipment Security
ID: 18111.08j1Organizational.6-08.j Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Provide timely maintenance support | CMA_C1425 - Provide timely maintenance support | Manual, Disabled | 1.1.0 |
18112.08j3Organizational.4-08.j 08.02 Equipment Security
ID: 18112.08j3Organizational.4-08.j Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Manage nonlocal maintenance and diagnostic activities | CMA_0364 - Manage nonlocal maintenance and diagnostic activities | Manual, Disabled | 1.1.0 |
Review and update information integrity policies and procedures | CMA_C1667 - Review and update information integrity policies and procedures | Manual, Disabled | 1.1.0 |
Review and update system maintenance policies and procedures | CMA_C1395 - Review and update system maintenance policies and procedures | Manual, Disabled | 1.1.0 |
1812.08b3Organizational.46-08.b 08.01 Secure Areas
ID: 1812.08b3Organizational.46-08.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Document wireless access security controls | CMA_C1695 - Document wireless access security controls | Manual, Disabled | 1.1.0 |
Install an alarm system | CMA_0338 - Install an alarm system | Manual, Disabled | 1.1.0 |
Manage a secure surveillance camera system | CMA_0354 - Manage a secure surveillance camera system | Manual, Disabled | 1.1.0 |
18127.08l1Organizational.3-08.l 08.02 Equipment Security
ID: 18127.08l1Organizational.3-08.l Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
1813.08b3Organizational.56-08.b 08.01 Secure Areas
ID: 1813.08b3Organizational.56-08.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
Install an alarm system | CMA_0338 - Install an alarm system | Manual, Disabled | 1.1.0 |
Manage a secure surveillance camera system | CMA_0354 - Manage a secure surveillance camera system | Manual, Disabled | 1.1.0 |
18130.09p1Organizational.24-09.p 09.07 Media Handling
ID: 18130.09p1Organizational.24-09.p Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
1814.08d1Organizational.12-08.d 08.01 Secure Areas
ID: 1814.08d1Organizational.12-08.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Implement a penetration testing methodology | CMA_0306 - Implement a penetration testing methodology | Manual, Disabled | 1.1.0 |
Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
Run simulation attacks | CMA_0486 - Run simulation attacks | Manual, Disabled | 1.1.0 |
18145.08b3Organizational.7-08.b 08.01 Secure Areas
ID: 18145.08b3Organizational.7-08.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Install an alarm system | CMA_0338 - Install an alarm system | Manual, Disabled | 1.1.0 |
Manage a secure surveillance camera system | CMA_0354 - Manage a secure surveillance camera system | Manual, Disabled | 1.1.0 |
18146.08b3Organizational.8-08.b 08.01 Secure Areas
ID: 18146.08b3Organizational.8-08.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
Install an alarm system | CMA_0338 - Install an alarm system | Manual, Disabled | 1.1.0 |
Manage a secure surveillance camera system | CMA_0354 - Manage a secure surveillance camera system | Manual, Disabled | 1.1.0 |
1815.08d2Organizational.123-08.d 08.01 Secure Areas
ID: 1815.08d2Organizational.123-08.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Implement a penetration testing methodology | CMA_0306 - Implement a penetration testing methodology | Manual, Disabled | 1.1.0 |
Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
Run simulation attacks | CMA_0486 - Run simulation attacks | Manual, Disabled | 1.1.0 |
1816.08d2Organizational.4-08.d 08.01 Secure Areas
ID: 1816.08d2Organizational.4-08.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Manual, Disabled | 1.1.0 |
Install an alarm system | CMA_0338 - Install an alarm system | Manual, Disabled | 1.1.0 |
Manage a secure surveillance camera system | CMA_0354 - Manage a secure surveillance camera system | Manual, Disabled | 1.1.0 |
Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Manual, Disabled | 1.1.0 |
1817.08d3Organizational.12-08.d 08.01 Secure Areas
ID: 1817.08d3Organizational.12-08.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
1818.08d3Organizational.3-08.d 08.01 Secure Areas
ID: 1818.08d3Organizational.3-08.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Implement a penetration testing methodology | CMA_0306 - Implement a penetration testing methodology | Manual, Disabled | 1.1.0 |
Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
Run simulation attacks | CMA_0486 - Run simulation attacks | Manual, Disabled | 1.1.0 |
1819.08j1Organizational.23-08.j 08.02 Equipment Security
ID: 1819.08j1Organizational.23-08.j Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Automate remote maintenance activities | CMA_C1402 - Automate remote maintenance activities | Manual, Disabled | 1.1.0 |
Control maintenance and repair activities | CMA_0080 - Control maintenance and repair activities | Manual, Disabled | 1.1.0 |
Designate personnel to supervise unauthorized maintenance activities | CMA_C1422 - Designate personnel to supervise unauthorized maintenance activities | Manual, Disabled | 1.1.0 |
Maintain list of authorized remote maintenance personnel | CMA_C1420 - Maintain list of authorized remote maintenance personnel | Manual, Disabled | 1.1.0 |
Manage maintenance personnel | CMA_C1421 - Manage maintenance personnel | Manual, Disabled | 1.1.0 |
Manage nonlocal maintenance and diagnostic activities | CMA_0364 - Manage nonlocal maintenance and diagnostic activities | Manual, Disabled | 1.1.0 |
Produce complete records of remote maintenance activities | CMA_C1403 - Produce complete records of remote maintenance activities | Manual, Disabled | 1.1.0 |
1820.08j2Organizational.1-08.j 08.02 Equipment Security
ID: 1820.08j2Organizational.1-08.j Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Control maintenance and repair activities | CMA_0080 - Control maintenance and repair activities | Manual, Disabled | 1.1.0 |
Manage nonlocal maintenance and diagnostic activities | CMA_0364 - Manage nonlocal maintenance and diagnostic activities | Manual, Disabled | 1.1.0 |
1821.08j2Organizational.3-08.j 08.02 Equipment Security
ID: 1821.08j2Organizational.3-08.j Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Automate remote maintenance activities | CMA_C1402 - Automate remote maintenance activities | Manual, Disabled | 1.1.0 |
Control maintenance and repair activities | CMA_0080 - Control maintenance and repair activities | Manual, Disabled | 1.1.0 |
Manage nonlocal maintenance and diagnostic activities | CMA_0364 - Manage nonlocal maintenance and diagnostic activities | Manual, Disabled | 1.1.0 |
Produce complete records of remote maintenance activities | CMA_C1403 - Produce complete records of remote maintenance activities | Manual, Disabled | 1.1.0 |
1822.08j2Organizational.2-08.j 08.02 Equipment Security
ID: 1822.08j2Organizational.2-08.j Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Automate remote maintenance activities | CMA_C1402 - Automate remote maintenance activities | Manual, Disabled | 1.1.0 |
Control maintenance and repair activities | CMA_0080 - Control maintenance and repair activities | Manual, Disabled | 1.1.0 |
Manage nonlocal maintenance and diagnostic activities | CMA_0364 - Manage nonlocal maintenance and diagnostic activities | Manual, Disabled | 1.1.0 |
Produce complete records of remote maintenance activities | CMA_C1403 - Produce complete records of remote maintenance activities | Manual, Disabled | 1.1.0 |
1823.08j3Organizational.12-08.j 08.02 Equipment Security
ID: 1823.08j3Organizational.12-08.j Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Control maintenance and repair activities | CMA_0080 - Control maintenance and repair activities | Manual, Disabled | 1.1.0 |
Manage nonlocal maintenance and diagnostic activities | CMA_0364 - Manage nonlocal maintenance and diagnostic activities | Manual, Disabled | 1.1.0 |
1824.08j3Organizational.3-08.j 08.02 Equipment Security
ID: 1824.08j3Organizational.3-08.j Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Control maintenance and repair activities | CMA_0080 - Control maintenance and repair activities | Manual, Disabled | 1.1.0 |
Manage nonlocal maintenance and diagnostic activities | CMA_0364 - Manage nonlocal maintenance and diagnostic activities | Manual, Disabled | 1.1.0 |
1826.09p1Organizational.1-09.p 09.07 Media Handling
ID: 1826.09p1Organizational.1-09.p Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Adhere to retention periods defined | CMA_0004 - Adhere to retention periods defined | Manual, Disabled | 1.1.0 |
Perform disposition review | CMA_0391 - Perform disposition review | Manual, Disabled | 1.1.0 |
Verify personal data is deleted at the end of processing | CMA_0540 - Verify personal data is deleted at the end of processing | Manual, Disabled | 1.1.0 |
1844.08b1Organizational.6-08.b 08.01 Secure Areas
ID: 1844.08b1Organizational.6-08.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
1845.08b1Organizational.7-08.b 08.01 Secure Areas
ID: 1845.08b1Organizational.7-08.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
Define a physical key management process | CMA_0115 - Define a physical key management process | Manual, Disabled | 1.1.0 |
Establish and maintain an asset inventory | CMA_0266 - Establish and maintain an asset inventory | Manual, Disabled | 1.1.0 |
Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
1846.08b2Organizational.8-08.b 08.01 Secure Areas
ID: 1846.08b2Organizational.8-08.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
1847.08b2Organizational.910-08.b 08.01 Secure Areas
ID: 1847.08b2Organizational.910-08.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define a physical key management process | CMA_0115 - Define a physical key management process | Manual, Disabled | 1.1.0 |
Establish and maintain an asset inventory | CMA_0266 - Establish and maintain an asset inventory | Manual, Disabled | 1.1.0 |
1848.08b2Organizational.11-08.b 08.01 Secure Areas
ID: 1848.08b2Organizational.11-08.b Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define a physical key management process | CMA_0115 - Define a physical key management process | Manual, Disabled | 1.1.0 |
1862.08d1Organizational.3-08.d 08.01 Secure Areas
ID: 1862.08d1Organizational.3-08.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Implement a penetration testing methodology | CMA_0306 - Implement a penetration testing methodology | Manual, Disabled | 1.1.0 |
Run simulation attacks | CMA_0486 - Run simulation attacks | Manual, Disabled | 1.1.0 |
1862.08d3Organizational.3 08.01 Secure Areas
ID: 1862.08d3Organizational.3 Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Implement a penetration testing methodology | CMA_0306 - Implement a penetration testing methodology | Manual, Disabled | 1.1.0 |
Review and update physical and environmental policies and procedures | CMA_C1446 - Review and update physical and environmental policies and procedures | Manual, Disabled | 1.1.0 |
1892.01l1Organizational.1 01.04 Network Access Control
ID: 1892.01l1Organizational.1 Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define a physical key management process | CMA_0115 - Define a physical key management process | Manual, Disabled | 1.1.0 |
Establish and maintain an asset inventory | CMA_0266 - Establish and maintain an asset inventory | Manual, Disabled | 1.1.0 |
19 Data Protection & Privacy
1901.06d1Organizational.1-06.d 06.01 Compliance with Legal Requirements
ID: 1901.06d1Organizational.1-06.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Appoint a senior information security officer | CMA_C1733 - Appoint a senior information security officer | Manual, Disabled | 1.1.0 |
Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
Manage compliance activities | CMA_0358 - Manage compliance activities | Manual, Disabled | 1.1.0 |
1902.06d1Organizational.2-06.d 06.01 Compliance with Legal Requirements
ID: 1902.06d1Organizational.2-06.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define the duties of processors | CMA_0127 - Define the duties of processors | Manual, Disabled | 1.1.0 |
Document and distribute a privacy policy | CMA_0188 - Document and distribute a privacy policy | Manual, Disabled | 1.1.0 |
Implement privacy notice delivery methods | CMA_0324 - Implement privacy notice delivery methods | Manual, Disabled | 1.1.0 |
Keep accurate accounting of disclosures of information | CMA_C1818 - Keep accurate accounting of disclosures of information | Manual, Disabled | 1.1.0 |
Make accounting of disclosures available upon request | CMA_C1820 - Make accounting of disclosures available upon request | Manual, Disabled | 1.1.0 |
Obtain consent prior to collection or processing of personal data | CMA_0385 - Obtain consent prior to collection or processing of personal data | Manual, Disabled | 1.1.0 |
Provide privacy notice | CMA_0414 - Provide privacy notice | Manual, Disabled | 1.1.0 |
Record disclosures of PII to third parties | CMA_0422 - Record disclosures of PII to third parties | Manual, Disabled | 1.1.0 |
Restrict communications | CMA_0449 - Restrict communications | Manual, Disabled | 1.1.0 |
Retain accounting of disclosures of information | CMA_C1819 - Retain accounting of disclosures of information | Manual, Disabled | 1.1.0 |
Train staff on PII sharing and its consequences | CMA_C1871 - Train staff on PII sharing and its consequences | Manual, Disabled | 1.1.0 |
1903.06d1Organizational.3456711-06.d 06.01 Compliance with Legal Requirements
ID: 1903.06d1Organizational.3456711-06.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
Establish a data leakage management procedure | CMA_0255 - Establish a data leakage management procedure | Manual, Disabled | 1.1.0 |
Implement training for protecting authenticators | CMA_0329 - Implement training for protecting authenticators | Manual, Disabled | 1.1.0 |
Notify users of system logon or access | CMA_0382 - Notify users of system logon or access | Manual, Disabled | 1.1.0 |
Protect special information | CMA_0409 - Protect special information | Manual, Disabled | 1.1.0 |
1904.06.d2Organizational.1-06.d 06.01 Compliance with Legal Requirements
ID: 1904.06.d2Organizational.1-06.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Adhere to retention periods defined | CMA_0004 - Adhere to retention periods defined | Manual, Disabled | 1.1.0 |
Perform disposition review | CMA_0391 - Perform disposition review | Manual, Disabled | 1.1.0 |
Verify personal data is deleted at the end of processing | CMA_0540 - Verify personal data is deleted at the end of processing | Manual, Disabled | 1.1.0 |
1906.06.c1Organizational.2-06.c 06.01 Compliance with Legal Requirements
ID: 1906.06.c1Organizational.2-06.c Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Make SORNs available publicly | CMA_C1865 - Make SORNs available publicly | Manual, Disabled | 1.1.0 |
Provide formal notice to individuals | CMA_C1864 - Provide formal notice to individuals | Manual, Disabled | 1.1.0 |
Provide privacy notice to the public and to individuals | CMA_C1861 - Provide privacy notice to the public and to individuals | Manual, Disabled | 1.1.0 |
Publish SORNs for systems containing PII | CMA_C1862 - Publish SORNs for systems containing PII | Manual, Disabled | 1.1.0 |
1907.06.c1Organizational.3-06.c 06.01 Compliance with Legal Requirements
ID: 1907.06.c1Organizational.3-06.c Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Keep SORNs updated | CMA_C1863 - Keep SORNs updated | Manual, Disabled | 1.1.0 |
Make SORNs available publicly | CMA_C1865 - Make SORNs available publicly | Manual, Disabled | 1.1.0 |
Provide formal notice to individuals | CMA_C1864 - Provide formal notice to individuals | Manual, Disabled | 1.1.0 |
Publish SORNs for systems containing PII | CMA_C1862 - Publish SORNs for systems containing PII | Manual, Disabled | 1.1.0 |
1908.06.c1Organizational.4-06.c 06.01 Compliance with Legal Requirements
ID: 1908.06.c1Organizational.4-06.c Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Adhere to retention periods defined | CMA_0004 - Adhere to retention periods defined | Manual, Disabled | 1.1.0 |
Conduct backup of information system documentation | CMA_C1289 - Conduct backup of information system documentation | Manual, Disabled | 1.1.0 |
Establish backup policies and procedures | CMA_0268 - Establish backup policies and procedures | Manual, Disabled | 1.1.0 |
Keep SORNs updated | CMA_C1863 - Keep SORNs updated | Manual, Disabled | 1.1.0 |
Make SORNs available publicly | CMA_C1865 - Make SORNs available publicly | Manual, Disabled | 1.1.0 |
Manage the input, output, processing, and storage of data | CMA_0369 - Manage the input, output, processing, and storage of data | Manual, Disabled | 1.1.0 |
Provide formal notice to individuals | CMA_C1864 - Provide formal notice to individuals | Manual, Disabled | 1.1.0 |
Publish SORNs for systems containing PII | CMA_C1862 - Publish SORNs for systems containing PII | Manual, Disabled | 1.1.0 |
Retain security policies and procedures | CMA_0454 - Retain security policies and procedures | Manual, Disabled | 1.1.0 |
Retain terminated user data | CMA_0455 - Retain terminated user data | Manual, Disabled | 1.1.0 |
Review label activity and analytics | CMA_0474 - Review label activity and analytics | Manual, Disabled | 1.1.0 |
1911.06d1Organizational.13-06.d 06.01 Compliance with Legal Requirements
ID: 1911.06d1Organizational.13-06.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Document the legal basis for processing personal information | CMA_0206 - Document the legal basis for processing personal information | Manual, Disabled | 1.1.0 |
Establish terms and conditions for processing resources | CMA_C1077 - Establish terms and conditions for processing resources | Manual, Disabled | 1.1.0 |
Evaluate and review PII holdings regularly | CMA_C1832 - Evaluate and review PII holdings regularly | Manual, Disabled | 1.1.0 |
Obtain consent prior to collection or processing of personal data | CMA_0385 - Obtain consent prior to collection or processing of personal data | Manual, Disabled | 1.1.0 |
Remove or redact any PII | CMA_C1833 - Remove or redact any PII | Manual, Disabled | 1.1.0 |
19134.05j1Organizational.5-05.j 05.02 External Parties
ID: 19134.05j1Organizational.5-05.j Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Appoint a senior information security officer | CMA_C1733 - Appoint a senior information security officer | Manual, Disabled | 1.1.0 |
Designate authorized personnel to post publicly accessible information | CMA_C1083 - Designate authorized personnel to post publicly accessible information | Manual, Disabled | 1.1.0 |
Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
Information security and personal data protection | CMA_0332 - Information security and personal data protection | Manual, Disabled | 1.1.0 |
Manage compliance activities | CMA_0358 - Manage compliance activities | Manual, Disabled | 1.1.0 |
Review content prior to posting publicly accessible information | CMA_C1085 - Review content prior to posting publicly accessible information | Manual, Disabled | 1.1.0 |
Review publicly accessible content for nonpublic information | CMA_C1086 - Review publicly accessible content for nonpublic information | Manual, Disabled | 1.1.0 |
Train personnel on disclosure of nonpublic information | CMA_C1084 - Train personnel on disclosure of nonpublic information | Manual, Disabled | 1.1.0 |
Update privacy plan, policies, and procedures | CMA_C1807 - Update privacy plan, policies, and procedures | Manual, Disabled | 1.1.0 |
19141.06c1Organizational.7-06.c 06.01 Compliance with Legal Requirements
ID: 19141.06c1Organizational.7-06.c Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
Conduct backup of information system documentation | CMA_C1289 - Conduct backup of information system documentation | Manual, Disabled | 1.1.0 |
Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
Establish backup policies and procedures | CMA_0268 - Establish backup policies and procedures | Manual, Disabled | 1.1.0 |
Implement transaction based recovery | CMA_C1296 - Implement transaction based recovery | Manual, Disabled | 1.1.0 |
Manage the input, output, processing, and storage of data | CMA_0369 - Manage the input, output, processing, and storage of data | Manual, Disabled | 1.1.0 |
Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
Review label activity and analytics | CMA_0474 - Review label activity and analytics | Manual, Disabled | 1.1.0 |
Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
19142.06c1Organizational.8-06.c 06.01 Compliance with Legal Requirements
ID: 19142.06c1Organizational.8-06.c Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Adhere to retention periods defined | CMA_0004 - Adhere to retention periods defined | Manual, Disabled | 1.1.0 |
Control use of portable storage devices | CMA_0083 - Control use of portable storage devices | Manual, Disabled | 1.1.0 |
Manage the input, output, processing, and storage of data | CMA_0369 - Manage the input, output, processing, and storage of data | Manual, Disabled | 1.1.0 |
Perform disposition review | CMA_0391 - Perform disposition review | Manual, Disabled | 1.1.0 |
Restrict media use | CMA_0450 - Restrict media use | Manual, Disabled | 1.1.0 |
Retain security policies and procedures | CMA_0454 - Retain security policies and procedures | Manual, Disabled | 1.1.0 |
Retain terminated user data | CMA_0455 - Retain terminated user data | Manual, Disabled | 1.1.0 |
Review label activity and analytics | CMA_0474 - Review label activity and analytics | Manual, Disabled | 1.1.0 |
Verify personal data is deleted at the end of processing | CMA_0540 - Verify personal data is deleted at the end of processing | Manual, Disabled | 1.1.0 |
19143.06c1Organizational.9-06.c 06.01 Compliance with Legal Requirements
ID: 19143.06c1Organizational.9-06.c Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Appoint a senior information security officer | CMA_C1733 - Appoint a senior information security officer | Manual, Disabled | 1.1.0 |
Categorize information | CMA_0052 - Categorize information | Manual, Disabled | 1.1.0 |
Develop business classification schemes | CMA_0155 - Develop business classification schemes | Manual, Disabled | 1.1.0 |
Develop SSP that meets criteria | CMA_C1492 - Develop SSP that meets criteria | Manual, Disabled | 1.1.0 |
Ensure security categorization is approved | CMA_C1540 - Ensure security categorization is approved | Manual, Disabled | 1.1.0 |
Review label activity and analytics | CMA_0474 - Review label activity and analytics | Manual, Disabled | 1.1.0 |
19144.06c2Organizational.1-06.c 06.01 Compliance with Legal Requirements
ID: 19144.06c2Organizational.1-06.c Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Adhere to retention periods defined | CMA_0004 - Adhere to retention periods defined | Manual, Disabled | 1.1.0 |
Manage the input, output, processing, and storage of data | CMA_0369 - Manage the input, output, processing, and storage of data | Manual, Disabled | 1.1.0 |
Perform disposition review | CMA_0391 - Perform disposition review | Manual, Disabled | 1.1.0 |
Retain security policies and procedures | CMA_0454 - Retain security policies and procedures | Manual, Disabled | 1.1.0 |
Retain terminated user data | CMA_0455 - Retain terminated user data | Manual, Disabled | 1.1.0 |
Review label activity and analytics | CMA_0474 - Review label activity and analytics | Manual, Disabled | 1.1.0 |
Verify personal data is deleted at the end of processing | CMA_0540 - Verify personal data is deleted at the end of processing | Manual, Disabled | 1.1.0 |
19145.06c2Organizational.2-06.c 06.01 Compliance with Legal Requirements
ID: 19145.06c2Organizational.2-06.c Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Adhere to retention periods defined | CMA_0004 - Adhere to retention periods defined | Manual, Disabled | 1.1.0 |
Conduct backup of information system documentation | CMA_C1289 - Conduct backup of information system documentation | Manual, Disabled | 1.1.0 |
Manage the input, output, processing, and storage of data | CMA_0369 - Manage the input, output, processing, and storage of data | Manual, Disabled | 1.1.0 |
Perform disposition review | CMA_0391 - Perform disposition review | Manual, Disabled | 1.1.0 |
Retain security policies and procedures | CMA_0454 - Retain security policies and procedures | Manual, Disabled | 1.1.0 |
Retain terminated user data | CMA_0455 - Retain terminated user data | Manual, Disabled | 1.1.0 |
Review label activity and analytics | CMA_0474 - Review label activity and analytics | Manual, Disabled | 1.1.0 |
Verify personal data is deleted at the end of processing | CMA_0540 - Verify personal data is deleted at the end of processing | Manual, Disabled | 1.1.0 |
19242.06d1Organizational.14-06.d 06.01 Compliance with Legal Requirements
ID: 19242.06d1Organizational.14-06.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Document the legal basis for processing personal information | CMA_0206 - Document the legal basis for processing personal information | Manual, Disabled | 1.1.0 |
Evaluate and review PII holdings regularly | CMA_C1832 - Evaluate and review PII holdings regularly | Manual, Disabled | 1.1.0 |
Obtain consent prior to collection or processing of personal data | CMA_0385 - Obtain consent prior to collection or processing of personal data | Manual, Disabled | 1.1.0 |
Remove or redact any PII | CMA_C1833 - Remove or redact any PII | Manual, Disabled | 1.1.0 |
19243.06d1Organizational.15-06.d 06.01 Compliance with Legal Requirements
ID: 19243.06d1Organizational.15-06.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Automate privacy controls | CMA_C1817 - Automate privacy controls | Manual, Disabled | 1.1.0 |
Document the legal basis for processing personal information | CMA_0206 - Document the legal basis for processing personal information | Manual, Disabled | 1.1.0 |
Evaluate and review PII holdings regularly | CMA_C1832 - Evaluate and review PII holdings regularly | Manual, Disabled | 1.1.0 |
Implement privacy notice delivery methods | CMA_0324 - Implement privacy notice delivery methods | Manual, Disabled | 1.1.0 |
Information security and personal data protection | CMA_0332 - Information security and personal data protection | Manual, Disabled | 1.1.0 |
Obtain consent prior to collection or processing of personal data | CMA_0385 - Obtain consent prior to collection or processing of personal data | Manual, Disabled | 1.1.0 |
Provide privacy notice | CMA_0414 - Provide privacy notice | Manual, Disabled | 1.1.0 |
Remove or redact any PII | CMA_C1833 - Remove or redact any PII | Manual, Disabled | 1.1.0 |
Restrict communications | CMA_0449 - Restrict communications | Manual, Disabled | 1.1.0 |
19245.06d2Organizational.2-06.d 06.01 Compliance with Legal Requirements
ID: 19245.06d2Organizational.2-06.d Ownership: Shared
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Confirm quality and integrity of PII | CMA_C1821 - Confirm quality and integrity of PII | Manual, Disabled | 1.1.0 |
Document the legal basis for processing personal information | CMA_0206 - Document the legal basis for processing personal information | Manual, Disabled | 1.1.0 |
Evaluate and review PII holdings regularly | CMA_C1832 - Evaluate and review PII holdings regularly | Manual, Disabled | 1.1.0 |
Issue guidelines for ensuring data quality and integrity | CMA_C1824 - Issue guidelines for ensuring data quality and integrity | Manual, Disabled | 1.1.0 |
Maintain records of processing of personal data | CMA_0353 - Maintain records of processing of personal data | Manual, Disabled | 1.1.0 |
Obtain consent prior to collection or processing of personal data | CMA_0385 - Obtain consent prior to collection or processing of personal data | Manual, Disabled | 1.1.0 |
Publish Computer Matching Agreements on public website | CMA_C1829 - Publish Computer Matching Agreements on public website | Manual, Disabled | 1.1.0 |
Next steps
Additional articles about Azure Policy:
- Regulatory Compliance overview.
- See the initiative definition structure.
- Review other examples at Azure Policy samples.
- Review Understanding policy effects.
- Learn how to remediate non-compliant resources.