Azure Government compliance
Microsoft Azure Government meets demanding US government compliance requirements that mandate formal assessments and authorizations, including:
- Federal Risk and Authorization Management Program (FedRAMP)
- Department of Defense (DoD) Cloud Computing Security Requirements Guide (SRG) Impact Level (IL) 2, 4, and 5
Azure Government maintains the following authorizations that pertain to Azure Government regions US Gov Arizona, US Gov Texas, and US Gov Virginia:
- FedRAMP High Provisional Authorization to Operate (P-ATO) issued by the FedRAMP Joint Authorization Board (JAB)
- DoD IL2 Provisional Authorization (PA) issued by the Defense Information Systems Agency (DISA)
- DoD IL4 PA issued by DISA
- DoD IL5 PA issued by DISA
For links to extra Azure Government compliance assurances, see Azure compliance. For example, Azure Government can help you meet your compliance obligations with many US government requirements, including:
- Criminal Justice Information Services (CJIS)
- Internal Revenue Service (IRS) Publication 1075
- Defense Federal Acquisition Regulation Supplement (DFARS)
- International Traffic in Arms Regulations (ITAR)
- Export Administration Regulations (EAR)
- Federal Information Processing Standard (FIPS) 140
- National Institute of Standards and Technology (NIST) 800-171
- National Defense Authorization Act (NDAA) Section 889 and Section 1634
- North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Electronic Prescriptions for Controlled Substances (EPCS)
- And many more US government, global, and industry standards
For current Azure Government regions and available services, see Products available by region.
- Some Azure services deployed in Azure Government regions (US Gov Arizona, US Gov Texas, and US Gov Virginia) require extra configuration to meet DoD IL5 compute and storage isolation requirements, as explained in Isolation guidelines for Impact Level 5 workloads.
- For DoD IL5 PA compliance scope in Azure Government DoD regions (US DoD Central and US DoD East), see Azure Government DoD regions IL5 audit scope.
Services in audit scope
For a detailed list of Azure, Dynamics 365, Microsoft 365, and Power Platform services in FedRAMP and DoD compliance audit scope, see:
You can access Azure and Azure Government audit reports and related documentation from the Service Trust Portal (STP) in the following sections:
- STP Audit Reports, which has a subsection for FedRAMP Reports.
- STP Data Protection Resources, which is further divided into Compliance Guides, FAQ and White Papers, and Pen Test and Security Assessments subsections.
You must sign in to access audit reports on the STP. For more information, see Get started with the Microsoft Service Trust Portal.
Alternatively, you can access certain audit reports and certificates in the Azure or Azure Government portal by navigating to Home > Security Center > Regulatory compliance > Audit reports or using direct links based on your subscription (sign in required):
Azure Policy regulatory compliance built-in initiatives
For extra customer assistance, Microsoft provides Azure Policy regulatory compliance built-in initiatives, which map to compliance domains and controls in key US government standards, including:
For more regulatory compliance built-in initiatives that pertain to Azure Government, see Azure Policy samples.
Regulatory compliance in Azure Policy provides built-in initiative definitions that let you view the controls and compliance domains grouped by responsibility: customer, Microsoft, or shared. For Microsoft-responsible controls, we provide extra audit result details based on third-party attestations and our control implementation details to achieve that compliance. Each control is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, compliance in Azure Policy is only a partial view of your overall compliance status. Azure Policy helps to enforce organizational standards and assess compliance at scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to more granular status.
- Azure compliance
- Azure and other Microsoft services compliance offerings
- Azure Policy overview
- Azure Policy regulatory compliance built-in initiatives
- Azure Government overview
- Azure Government security
- Compare Azure Government and global Azure
- Azure Government services by audit scope
- Azure Government isolation guidelines for Impact Level 5 workloads
- Azure Government DoD overview