Azure Policy Regulatory Compliance controls for Azure Arc-enabled servers
Regulatory Compliance in Azure Policy provides Microsoft created and managed initiative definitions, known as built-ins, for the compliance domains and security controls related to different compliance standards. This page lists the compliance domains and security controls for Azure Arc-enabled servers. You can assign the built-ins for a security control individually to help make your Azure resources compliant with the specific standard.
The title of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Policy Version column to view the source on the Azure Policy GitHub repo.
Important
Each control is associated with one or more Azure Policy definitions. These policies might help you assess compliance with the control. However, there often isn't a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policies themselves. This doesn't ensure that you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between controls and Azure Policy Regulatory Compliance definitions for these compliance standards can change over time.
Australian Government ISM PROTECTED
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Australian Government ISM PROTECTED. For more information about this compliance standard, see Australian Government ISM PROTECTED.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| Guidelines for Personnel Security - Access to systems and their resources | 415 | User identification - 415 | Audit Windows machines that have the specified members in the Administrators group | 2.0.0 |
| Guidelines for System Hardening - Authentication hardening | 421 | Single-factor authentication - 421 | Windows machines should meet requirements for 'Security Settings - Account Policies' | 3.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 445 | Privileged access to systems - 445 | Audit Windows machines that have the specified members in the Administrators group | 2.0.0 |
| Guidelines for Cryptography - Transport Layer Security | 1139 | Using Transport Layer Security - 1139 | Windows machines should be configured to use secure communication protocols | 4.1.1 |
| Guidelines for Database Systems - Database servers | 1277 | Communications between database servers and web servers - 1277 | Windows machines should be configured to use secure communication protocols | 4.1.1 |
| Guidelines for Personnel Security - Access to systems and their resources | 1503 | Standard access to systems - 1503 | Audit Windows machines that have the specified members in the Administrators group | 2.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 1507 | Privileged access to systems - 1507 | Audit Windows machines that have the specified members in the Administrators group | 2.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 1508 | Privileged access to systems - 1508 | Audit Windows machines that have the specified members in the Administrators group | 2.0.0 |
| Guidelines for System Hardening - Authentication hardening | 1546 | Authenticating to systems - 1546 | Audit Linux machines that allow remote connections from accounts without passwords | 3.1.0 |
| Guidelines for System Hardening - Authentication hardening | 1546 | Authenticating to systems - 1546 | Audit Linux machines that have accounts without passwords | 3.1.0 |
Canada Federal PBMM
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Canada Federal PBMM. For more information about this compliance standard, see Canada Federal PBMM.
CIS Microsoft Azure Foundations Benchmark 2.0.0
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for CIS v2.0.0. For more information about this compliance standard, see CIS Microsoft Azure Foundations Benchmark.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| 2.1 | 2.1.13 | Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed' | Machines should be configured to periodically check for missing system updates | 3.7.0 |
| 7 | 7.6 | Ensure that Endpoint Protection for all Virtual Machines is installed | Endpoint protection should be installed on your machines | 1.0.0 |
CMMC Level 3
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - CMMC Level 3. For more information about this compliance standard, see Cybersecurity Maturity Model Certification (CMMC).
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | Audit Linux machines that allow remote connections from accounts without passwords | 3.1.0 |
| Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | Windows machines should meet requirements for 'Security Options - Network Access' | 3.0.0 |
| Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | Windows machines should meet requirements for 'Security Options - Network Security' | 3.0.0 |
| Access Control | AC.1.002 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | Audit Linux machines that allow remote connections from accounts without passwords | 3.1.0 |
| Access Control | AC.1.002 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | Windows machines should be configured to use secure communication protocols | 4.1.1 |
| Access Control | AC.1.002 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | Windows machines should meet requirements for 'Security Options - Network Access' | 3.0.0 |
| Access Control | AC.2.008 | Use non-privileged accounts or roles when accessing nonsecurity functions. | Windows machines should meet requirements for 'Security Options - User Account Control' | 3.0.0 |
| Access Control | AC.2.008 | Use non-privileged accounts or roles when accessing nonsecurity functions. | Windows machines should meet requirements for 'User Rights Assignment' | 3.0.0 |
| Access Control | AC.2.013 | Monitor and control remote access sessions. | Audit Linux machines that allow remote connections from accounts without passwords | 3.1.0 |
| Access Control | AC.2.013 | Monitor and control remote access sessions. | Windows machines should meet requirements for 'Security Options - Network Security' | 3.0.0 |
| Access Control | AC.2.016 | Control the flow of CUI in accordance with approved authorizations. | Windows machines should meet requirements for 'Security Options - Network Access' | 3.0.0 |
| Access Control | AC.3.017 | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. | Audit Windows machines missing any of specified members in the Administrators group | 2.0.0 |
| Access Control | AC.3.017 | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. | Audit Windows machines that have the specified members in the Administrators group | 2.0.0 |
| Access Control | AC.3.018 | Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs. | Windows machines should meet requirements for 'System Audit Policies - Privilege Use' | 3.0.0 |
| Access Control | AC.3.021 | Authorize remote execution of privileged commands and remote access to security-relevant information. | Windows machines should meet requirements for 'Security Options - User Account Control' | 3.0.0 |
| Access Control | AC.3.021 | Authorize remote execution of privileged commands and remote access to security-relevant information. | Windows machines should meet requirements for 'User Rights Assignment' | 3.0.0 |
| Configuration Management | CM.2.061 | Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. | Linux machines should meet requirements for the Azure compute security baseline | 2.2.0 |
| Configuration Management | CM.2.062 | Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities. | Windows machines should meet requirements for 'System Audit Policies - Privilege Use' | 3.0.0 |
| Configuration Management | CM.2.063 | Control and monitor user-installed software. | Windows machines should meet requirements for 'Security Options - User Account Control' | 3.0.0 |
| Configuration Management | CM.2.064 | Establish and enforce security configuration settings for information technology products employed in organizational systems. | Windows machines should meet requirements for 'Security Options - Network Security' | 3.0.0 |
| Configuration Management | CM.2.065 | Track, review, approve or disapprove, and log changes to organizational systems. | Windows machines should meet requirements for 'System Audit Policies - Policy Change' | 3.0.0 |
| Identification and Authentication | IA.1.077 | Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. | Audit Linux machines that do not have the passwd file permissions set to 0644 | 3.1.0 |
| Identification and Authentication | IA.1.077 | Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. | Audit Linux machines that have accounts without passwords | 3.1.0 |
| Identification and Authentication | IA.1.077 | Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. | Windows machines should meet requirements for 'Security Options - Network Security' | 3.0.0 |
| Identification and Authentication | IA.2.078 | Enforce a minimum password complexity and change of characters when new passwords are created. | Audit Linux machines that have accounts without passwords | 3.1.0 |
| Identification and Authentication | IA.2.078 | Enforce a minimum password complexity and change of characters when new passwords are created. | Audit Windows machines that do not have the password complexity setting enabled | 2.0.0 |
| Identification and Authentication | IA.2.078 | Enforce a minimum password complexity and change of characters when new passwords are created. | Audit Windows machines that do not restrict the minimum password length to specified number of characters | 2.1.0 |
| Identification and Authentication | IA.2.078 | Enforce a minimum password complexity and change of characters when new passwords are created. | Windows machines should meet requirements for 'Security Options - Network Security' | 3.0.0 |
| Identification and Authentication | IA.2.079 | Prohibit password reuse for a specified number of generations. | Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords | 2.1.0 |
| Identification and Authentication | IA.2.079 | Prohibit password reuse for a specified number of generations. | Windows machines should meet requirements for 'Security Options - Network Security' | 3.0.0 |
| Identification and Authentication | IA.2.081 | Store and transmit only cryptographically-protected passwords. | Audit Windows machines that do not store passwords using reversible encryption | 2.0.0 |
| Identification and Authentication | IA.2.081 | Store and transmit only cryptographically-protected passwords. | Windows machines should meet requirements for 'Security Options - Network Security' | 3.0.0 |
| Identification and Authentication | IA.3.084 | Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts. | Windows machines should be configured to use secure communication protocols | 4.1.1 |
| System and Communications Protection | SC.1.175 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Windows machines should be configured to use secure communication protocols | 4.1.1 |
| System and Communications Protection | SC.1.175 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Windows machines should meet requirements for 'Security Options - Network Access' | 3.0.0 |
| System and Communications Protection | SC.1.175 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Windows machines should meet requirements for 'Security Options - Network Security' | 3.0.0 |
| System and Communications Protection | SC.3.177 | Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. | Audit Windows machines that do not store passwords using reversible encryption | 2.0.0 |
| System and Communications Protection | SC.3.181 | Separate user functionality from system management functionality. | Audit Windows machines that have the specified members in the Administrators group | 2.0.0 |
| System and Communications Protection | SC.3.183 | Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). | Windows machines should meet requirements for 'Security Options - Network Access' | 3.0.0 |
| System and Communications Protection | SC.3.183 | Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). | Windows machines should meet requirements for 'Security Options - Network Security' | 3.0.0 |
| System and Communications Protection | SC.3.185 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | Windows machines should be configured to use secure communication protocols | 4.1.1 |
| System and Communications Protection | SC.3.190 | Protect the authenticity of communications sessions. | Windows machines should be configured to use secure communication protocols | 4.1.1 |
FedRAMP High
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - FedRAMP High. For more information about this compliance standard, see FedRAMP High.
FedRAMP Moderate
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - FedRAMP Moderate. For more information about this compliance standard, see FedRAMP Moderate.
HIPAA HITRUST 9.2
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - HIPAA HITRUST 9.2. For more information about this compliance standard, see HIPAA HITRUST 9.2.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| User Identification and Authentication | 11210.01q2Organizational.10 - 01.q | Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records. | Audit Windows machines that have the specified members in the Administrators group | 2.0.0 |
| User Identification and Authentication | 11211.01q2Organizational.11 - 01.q | Signed electronic records shall contain information associated with the signing in human-readable format. | Audit Windows machines missing any of specified members in the Administrators group | 2.0.0 |
| 06 Configuration Management | 0605.10h1System.12-10.h | 0605.10h1System.12-10.h 10.04 Security of System Files | Windows machines should meet requirements for 'Security Options - Audit' | 3.0.0 |
| 06 Configuration Management | 0605.10h1System.12-10.h | 0605.10h1System.12-10.h 10.04 Security of System Files | Windows machines should meet requirements for 'System Audit Policies - Account Management' | 3.0.0 |
| 06 Configuration Management | 0635.10k1Organizational.12-10.k | 0635.10k1Organizational.12-10.k 10.05 Security In Development and Support Processes | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 3.0.0 |
| 06 Configuration Management | 0636.10k2Organizational.1-10.k | 0636.10k2Organizational.1-10.k 10.05 Security In Development and Support Processes | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 3.0.0 |
| 06 Configuration Management | 0637.10k2Organizational.2-10.k | 0637.10k2Organizational.2-10.k 10.05 Security In Development and Support Processes | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 3.0.0 |
| 06 Configuration Management | 0638.10k2Organizational.34569-10.k | 0638.10k2Organizational.34569-10.k 10.05 Security In Development and Support Processes | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 3.0.0 |
| 06 Configuration Management | 0639.10k2Organizational.78-10.k | 0639.10k2Organizational.78-10.k 10.05 Security In Development and Support Processes | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 3.0.0 |
| 06 Configuration Management | 0640.10k2Organizational.1012-10.k | 0640.10k2Organizational.1012-10.k 10.05 Security In Development and Support Processes | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 3.0.0 |
| 06 Configuration Management | 0641.10k2Organizational.11-10.k | 0641.10k2Organizational.11-10.k 10.05 Security In Development and Support Processes | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 3.0.0 |
| 06 Configuration Management | 0642.10k3Organizational.12-10.k | 0642.10k3Organizational.12-10.k 10.05 Security In Development and Support Processes | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 3.0.0 |
| 06 Configuration Management | 0643.10k3Organizational.3-10.k | 0643.10k3Organizational.3-10.k 10.05 Security In Development and Support Processes | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 3.0.0 |
| 06 Configuration Management | 0644.10k3Organizational.4-10.k | 0644.10k3Organizational.4-10.k 10.05 Security In Development and Support Processes | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | 3.0.0 |
| 07 Vulnerability Management | 0709.10m1Organizational.1-10.m | 0709.10m1Organizational.1-10.m 10.06 Technical Vulnerability Management | Windows machines should meet requirements for 'Security Options - Microsoft Network Server' | 3.0.0 |
| 08 Network Protection | 0858.09m1Organizational.4-09.m | 0858.09m1Organizational.4-09.m 09.06 Network Security Management | Windows machines should meet requirements for 'Windows Firewall Properties' | 3.0.0 |
| 08 Network Protection | 0861.09m2Organizational.67-09.m | 0861.09m2Organizational.67-09.m 09.06 Network Security Management | Windows machines should meet requirements for 'Security Options - Network Access' | 3.0.0 |
| 09 Transmission Protection | 0945.09y1Organizational.3-09.y | 0945.09y1Organizational.3-09.y 09.09 Electronic Commerce Services | Audit Windows machines that do not contain the specified certificates in Trusted Root | 3.0.0 |
| 11 Access Control | 1123.01q1System.2-01.q | 1123.01q1System.2-01.q 01.05 Operating System Access Control | Audit Windows machines that have extra accounts in the Administrators group | 2.0.0 |
| 11 Access Control | 1125.01q2System.1-01.q | 1125.01q2System.1-01.q 01.05 Operating System Access Control | Audit Windows machines that have the specified members in the Administrators group | 2.0.0 |
| 11 Access Control | 1127.01q2System.3-01.q | 1127.01q2System.3-01.q 01.05 Operating System Access Control | Audit Windows machines missing any of specified members in the Administrators group | 2.0.0 |
| 11 Access Control | 1148.01c2System.78-01.c | 1148.01c2System.78-01.c 01.02 Authorized Access to Information Systems | Windows machines should meet requirements for 'Security Options - Accounts' | 3.0.0 |
| 12 Audit Logging & Monitoring | 12102.09ab1Organizational.4-09.ab | 12102.09ab1Organizational.4-09.ab 09.10 Monitoring | Audit Windows machines on which the Log Analytics agent is not connected as expected | 2.0.0 |
| 12 Audit Logging & Monitoring | 1217.09ab3System.3-09.ab | 1217.09ab3System.3-09.ab 09.10 Monitoring | Audit Windows machines on which the Log Analytics agent is not connected as expected | 2.0.0 |
| 12 Audit Logging & Monitoring | 1232.09c3Organizational.12-09.c | 1232.09c3Organizational.12-09.c 09.01 Documented Operating Procedures | Windows machines should meet requirements for 'User Rights Assignment' | 3.0.0 |
| 12 Audit Logging & Monitoring | 1277.09c2Organizational.4-09.c | 1277.09c2Organizational.4-09.c 09.01 Documented Operating Procedures | Windows machines should meet requirements for 'Security Options - User Account Control' | 3.0.0 |
| 16 Business Continuity & Disaster Recovery | 1637.12b2Organizational.2-12.b | 1637.12b2Organizational.2-12.b 12.01 Information Security Aspects of Business Continuity Management | Windows machines should meet requirements for 'Security Options - Recovery console' | 3.0.0 |
IRS 1075 September 2016
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - IRS 1075 September 2016. For more information about this compliance standard, see IRS 1075 September 2016.
ISO 27001:2013
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - ISO 27001:2013. For more information about this compliance standard, see ISO 27001:2013.
Microsoft cloud security benchmark
The Microsoft cloud security benchmark provides recommendations on how you can secure your cloud solutions on Azure. To see how this service completely maps to the Microsoft cloud security benchmark, see the Azure Security Benchmark mapping files.
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Microsoft cloud security benchmark.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| Identity Management | IM-6 | Use strong authentication controls | Authentication to Linux machines should require SSH keys | 3.2.0 |
| Data Protection | DP-3 | Encrypt sensitive data in transit | Windows machines should be configured to use secure communication protocols | 4.1.1 |
| Logging and Threat Detection | LT-1 | Enable threat detection capabilities | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0 |
| Logging and Threat Detection | LT-2 | Enable threat detection for identity and access management | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0 |
| Logging and Threat Detection | LT-5 | Centralize security log management and analysis | [Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines | 1.0.1-preview |
| Logging and Threat Detection | LT-5 | Centralize security log management and analysis | [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines | 1.0.1-preview |
| Logging and Threat Detection | LT-5 | Centralize security log management and analysis | Linux machines should have Log Analytics agent installed on Azure Arc | 1.1.0 |
| Logging and Threat Detection | LT-5 | Centralize security log management and analysis | Windows machines should have Log Analytics agent installed on Azure Arc | 2.0.0 |
| Posture and Vulnerability Management | PV-4 | Audit and enforce secure configurations for compute resources | Linux machines should meet requirements for the Azure compute security baseline | 2.2.0 |
| Posture and Vulnerability Management | PV-4 | Audit and enforce secure configurations for compute resources | Windows machines should meet requirements of the Azure compute security baseline | 2.0.0 |
| Posture and Vulnerability Management | PV-6 | Rapidly and automatically remediate vulnerabilities | [Preview]: System updates should be installed on your machines (powered by Update Center) | 1.0.0-preview |
| Posture and Vulnerability Management | PV-6 | Rapidly and automatically remediate vulnerabilities | Machines should be configured to periodically check for missing system updates | 3.7.0 |
| Posture and Vulnerability Management | PV-6 | Rapidly and automatically remediate vulnerabilities | SQL servers on machines should have vulnerability findings resolved | 1.0.0 |
| Endpoint Security | ES-2 | Use modern anti-malware software | Endpoint protection health issues should be resolved on your machines | 1.0.0 |
| Endpoint Security | ES-2 | Use modern anti-malware software | Endpoint protection should be installed on your machines | 1.0.0 |
| Endpoint Security | ES-2 | Use modern anti-malware software | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0 |
| Endpoint Security | ES-3 | Ensure anti-malware software and signatures are updated | Endpoint protection health issues should be resolved on your machines | 1.0.0 |
NIST SP 800-171 R2
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - NIST SP 800-171 R2. For more information about this compliance standard, see NIST SP 800-171 R2.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | 3.1.1 | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). | Audit Linux machines that allow remote connections from accounts without passwords | 3.1.0 |
| Access Control | 3.1.1 | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). | Audit Linux machines that have accounts without passwords | 3.1.0 |
| Access Control | 3.1.1 | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). | Authentication to Linux machines should require SSH keys | 3.2.0 |
| Access Control | 3.1.12 | Monitor and control remote access sessions. | Audit Linux machines that allow remote connections from accounts without passwords | 3.1.0 |
| Access Control | 3.1.4 | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. | Audit Windows machines missing any of specified members in the Administrators group | 2.0.0 |
| Access Control | 3.1.4 | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. | Audit Windows machines that have the specified members in the Administrators group | 2.0.0 |
| Risk Assessment | 3.11.2 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | SQL servers on machines should have vulnerability findings resolved | 1.0.0 |
| Risk Assessment | 3.11.3 | Remediate vulnerabilities in accordance with risk assessments. | SQL servers on machines should have vulnerability findings resolved | 1.0.0 |
| System and Communications Protection | 3.13.8 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | Windows machines should be configured to use secure communication protocols | 4.1.1 |
| System and Information Integrity | 3.14.1 | Identify, report, and correct system flaws in a timely manner. | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0 |
| System and Information Integrity | 3.14.2 | Provide protection from malicious code at designated locations within organizational systems. | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0 |
| System and Information Integrity | 3.14.4 | Update malicious code protection mechanisms when new releases are available. | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0 |
| System and Information Integrity | 3.14.5 | Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed. | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0 |
| System and Information Integrity | 3.14.6 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | [Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines | 1.0.1-preview |
| System and Information Integrity | 3.14.6 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines | 1.0.1-preview |
| System and Information Integrity | 3.14.7 | Identify unauthorized use of organizational systems. | [Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines | 1.0.1-preview |
| System and Information Integrity | 3.14.7 | Identify unauthorized use of organizational systems. | [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines | 1.0.1-preview |
| Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity | [Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines | 1.0.1-preview |
| Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity | [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines | 1.0.1-preview |
| Audit and Accountability | 3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. | [Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines | 1.0.1-preview |
| Audit and Accountability | 3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. | [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines | 1.0.1-preview |
| Configuration Management | 3.4.1 | Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. | Linux machines should meet requirements for the Azure compute security baseline | 2.2.0 |
| Configuration Management | 3.4.1 | Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. | Windows machines should meet requirements of the Azure compute security baseline | 2.0.0 |
| Configuration Management | 3.4.2 | Establish and enforce security configuration settings for information technology products employed in organizational systems. | Linux machines should meet requirements for the Azure compute security baseline | 2.2.0 |
| Configuration Management | 3.4.2 | Establish and enforce security configuration settings for information technology products employed in organizational systems. | Windows machines should meet requirements of the Azure compute security baseline | 2.0.0 |
| Identification and Authentication | 3.5.10 | Store and transmit only cryptographically-protected passwords. | Audit Linux machines that do not have the passwd file permissions set to 0644 | 3.1.0 |
| Identification and Authentication | 3.5.10 | Store and transmit only cryptographically-protected passwords. | Audit Windows machines that do not store passwords using reversible encryption | 2.0.0 |
| Identification and Authentication | 3.5.10 | Store and transmit only cryptographically-protected passwords. | Windows machines should meet requirements for 'Security Options - Network Security' | 3.0.0 |
| Identification and Authentication | 3.5.2 | Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. | Audit Linux machines that do not have the passwd file permissions set to 0644 | 3.1.0 |
| Identification and Authentication | 3.5.2 | Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. | Audit Windows machines that do not store passwords using reversible encryption | 2.0.0 |
| Identification and Authentication | 3.5.2 | Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. | Authentication to Linux machines should require SSH keys | 3.2.0 |
| Identification and Authentication | 3.5.4 | Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts. | Windows machines should meet requirements for 'Security Options - Network Security' | 3.0.0 |
| Identification and Authentication | 3.5.7 | Enforce a minimum password complexity and change of characters when new passwords are created. | Audit Windows machines that do not have the password complexity setting enabled | 2.0.0 |
| Identification and Authentication | 3.5.7 | Enforce a minimum password complexity and change of characters when new passwords are created. | Audit Windows machines that do not restrict the minimum password length to specified number of characters | 2.1.0 |
| Identification and Authentication | 3.5.8 | Prohibit password reuse for a specified number of generations. | Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords | 2.1.0 |
NIST SP 800-53 Rev. 4
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - NIST SP 800-53 Rev. 4. For more information about this compliance standard, see NIST SP 800-53 Rev. 4.
NIST SP 800-53 Rev. 5
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - NIST SP 800-53 Rev. 5. For more information about this compliance standard, see NIST SP 800-53 Rev. 5.
NL BIO Cloud Theme
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for NL BIO Cloud Theme. For more information about this compliance standard, see Baseline Information Security Government Cybersecurity - Digital Government (digitaleoverheid.nl).
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| C.04.3 Technical vulnerability management - Timelines | C.04.3 | If the probability of abuse and the expected damage are both high, patches are installed no later than within a week. | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0 |
| C.04.6 Technical vulnerability management - Timelines | C.04.6 | Technical weaknesses can be remedied by performing patch management in a timely manner. | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0 |
| C.04.7 Technical vulnerability management - Evaluated | C.04.7 | Evaluations of technical vulnerabilities are recorded and reported. | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0 |
| U.05.1 Data protection - Cryptographic measures | U.05.1 | Data transport is secured with cryptography where key management is carried out by the CSC itself if possible. | Windows machines should be configured to use secure communication protocols | 4.1.1 |
| U.09.3 Malware Protection - Detection, prevention and recovery | U.09.3 | The malware protection runs on different environments. | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0 |
| U.10.2 Access to IT services and data - Users | U.10.2 | Under the responsibility of the CSP, access is granted to administrators. | Audit Linux machines that allow remote connections from accounts without passwords | 3.1.0 |
| U.10.2 Access to IT services and data - Users | U.10.2 | Under the responsibility of the CSP, access is granted to administrators. | Audit Linux machines that have accounts without passwords | 3.1.0 |
| U.10.3 Access to IT services and data - Users | U.10.3 | Only users with authenticated equipment can access IT services and data. | Audit Linux machines that allow remote connections from accounts without passwords | 3.1.0 |
| U.10.3 Access to IT services and data - Users | U.10.3 | Only users with authenticated equipment can access IT services and data. | Audit Linux machines that have accounts without passwords | 3.1.0 |
| U.10.5 Access to IT services and data - Competent | U.10.5 | Access to IT services and data is limited by technical measures and has been implemented. | Audit Linux machines that allow remote connections from accounts without passwords | 3.1.0 |
| U.10.5 Access to IT services and data - Competent | U.10.5 | Access to IT services and data is limited by technical measures and has been implemented. | Audit Linux machines that have accounts without passwords | 3.1.0 |
| U.11.1 Cryptoservices - Policy | U.11.1 | In the cryptography policy, at least the subjects in accordance with BIO have been elaborated. | Audit Windows machines that do not store passwords using reversible encryption | 2.0.0 |
| U.11.1 Cryptoservices - Policy | U.11.1 | In the cryptography policy, at least the subjects in accordance with BIO have been elaborated. | Windows machines should be configured to use secure communication protocols | 4.1.1 |
| U.11.2 Cryptoservices - Cryptographic measures | U.11.2 | In case of PKIoverheid certificates use PKIoverheid requirements for key management. In other situations use ISO11770. | Audit Windows machines that do not store passwords using reversible encryption | 2.0.0 |
| U.11.2 Cryptoservices - Cryptographic measures | U.11.2 | In case of PKIoverheid certificates use PKIoverheid requirements for key management. In other situations use ISO11770. | Windows machines should be configured to use secure communication protocols | 4.1.1 |
| U.15.1 Logging and monitoring - Events logged | U.15.1 | The violation of the policy rules is recorded by the CSP and the CSC. | [Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines | 1.0.1-preview |
| U.15.1 Logging and monitoring - Events logged | U.15.1 | The violation of the policy rules is recorded by the CSP and the CSC. | [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines | 1.0.1-preview |
PCI DSS 3.2.1
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see PCI DSS 3.2.1. For more information about this compliance standard, see PCI DSS 3.2.1.
PCI DSS v4.0
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for PCI DSS v4.0. For more information about this compliance standard, see PCI DSS v4.0.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.3.6 | Strong authentication for users and administrators is established and managed | Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords | 2.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.3.6 | Strong authentication for users and administrators is established and managed | Audit Windows machines that do not have the maximum password age set to specified number of days | 2.1.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.3.6 | Strong authentication for users and administrators is established and managed | Audit Windows machines that do not restrict the minimum password length to specified number of characters | 2.1.0 |
Reserve Bank of India - IT Framework for NBFC
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Reserve Bank of India - IT Framework for NBFC. For more information about this compliance standard, see Reserve Bank of India - IT Framework for NBFC.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| IT Governance | 1 | IT Governance-1 | SQL servers on machines should have vulnerability findings resolved | 1.0.0 |
| Information and Cyber Security | 3.3 | Vulnerability Management-3.3 | SQL servers on machines should have vulnerability findings resolved | 1.0.0 |
Reserve Bank of India IT Framework for Banks v2016
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - RBI ITF Banks v2016. For more information about this compliance standard, see RBI ITF Banks v2016 (PDF).
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| Maintenance, Monitoring, And Analysis Of Audit Logs | Maintenance, Monitoring, And Analysis Of Audit Logs-16.2 | [Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines | 1.0.1-preview | |
| Maintenance, Monitoring, And Analysis Of Audit Logs | Maintenance, Monitoring, And Analysis Of Audit Logs-16.2 | [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines | 1.0.1-preview | |
| Authentication Framework For Customers | Authentication Framework For Customers-9.1 | Authentication to Linux machines should require SSH keys | 3.2.0 | |
| Advanced Real-Timethreat Defenceand Management | Advanced Real-Timethreat Defenceand Management-13.1 | Endpoint protection health issues should be resolved on your machines | 1.0.0 | |
| Advanced Real-Timethreat Defenceand Management | Advanced Real-Timethreat Defenceand Management-13.1 | Endpoint protection should be installed on your machines | 1.0.0 | |
| Audit Log Settings | Audit Log Settings-17.1 | Linux machines should meet requirements for the Azure compute security baseline | 2.2.0 | |
| Preventing Execution Of Unauthorised Software | Security Update Management-2.3 | SQL servers on machines should have vulnerability findings resolved | 1.0.0 | |
| Secure Configuration | Secure Configuration-5.1 | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0 | |
| Secure Mail And Messaging Systems | Secure Mail And Messaging Systems-10.1 | Windows machines should be configured to use secure communication protocols | 4.1.1 | |
| Audit Log Settings | Audit Log Settings-17.1 | Windows machines should meet requirements of the Azure compute security baseline | 2.0.0 |
SWIFT CSP-CSCF v2021
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for SWIFT CSP-CSCF v2021. For more information about this compliance standard, see SWIFT CSP CSCF v2021.
SWIFT CSP-CSCF v2022
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for SWIFT CSP-CSCF v2022. For more information about this compliance standard, see SWIFT CSP CSCF v2022.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| 2. Reduce Attack Surface and Vulnerabilities | 2.1 | Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. | Authentication to Linux machines should require SSH keys | 3.2.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.1 | Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. | Windows machines should be configured to use secure communication protocols | 4.1.1 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.2 | Minimise the occurrence of known technical vulnerabilities on operator PCs and within the local SWIFT infrastructure by ensuring vendor support, applying mandatory software updates, and applying timely security updates aligned to the assessed risk. | Audit Windows VMs with a pending reboot | 2.0.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.3 | Reduce the cyber-attack surface of SWIFT-related components by performing system hardening. | Audit Linux machines that do not have the passwd file permissions set to 0644 | 3.1.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.3 | Reduce the cyber-attack surface of SWIFT-related components by performing system hardening. | Audit Windows machines that contain certificates expiring within the specified number of days | 2.0.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.3 | Reduce the cyber-attack surface of SWIFT-related components by performing system hardening. | Audit Windows machines that do not store passwords using reversible encryption | 2.0.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.4A | Back-office Data Flow Security | Authentication to Linux machines should require SSH keys | 3.2.0 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.4A | Back-office Data Flow Security | Windows machines should be configured to use secure communication protocols | 4.1.1 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.6 | Protect the confidentiality and integrity of interactive operator sessions that connect to the local or remote (operated by a service provider) SWIFT infrastructure or service provider SWIFT-related applications | Windows machines should be configured to use secure communication protocols | 4.1.1 |
| 2. Reduce Attack Surface and Vulnerabilities | 2.6 | Protect the confidentiality and integrity of interactive operator sessions that connect to the local or remote (operated by a service provider) SWIFT infrastructure or service provider SWIFT-related applications | Windows machines should meet requirements for 'Security Options - Interactive Logon' | 3.0.0 |
| 4. Prevent Compromise of Credentials | 4.1 | Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy. | Audit Linux machines that allow remote connections from accounts without passwords | 3.1.0 |
| 4. Prevent Compromise of Credentials | 4.1 | Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy. | Audit Linux machines that have accounts without passwords | 3.1.0 |
| 4. Prevent Compromise of Credentials | 4.1 | Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy. | Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords | 2.1.0 |
| 4. Prevent Compromise of Credentials | 4.1 | Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy. | Audit Windows machines that do not have the maximum password age set to specified number of days | 2.1.0 |
| 4. Prevent Compromise of Credentials | 4.1 | Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy. | Audit Windows machines that do not have the minimum password age set to specified number of days | 2.1.0 |
| 4. Prevent Compromise of Credentials | 4.1 | Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy. | Audit Windows machines that do not have the password complexity setting enabled | 2.0.0 |
| 4. Prevent Compromise of Credentials | 4.1 | Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy. | Audit Windows machines that do not restrict the minimum password length to specified number of characters | 2.1.0 |
| 5. Manage Identities and Segregate Privileges | 5.1 | Enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts. | Audit Windows machines that contain certificates expiring within the specified number of days | 2.0.0 |
| 5. Manage Identities and Segregate Privileges | 5.4 | Protect physically and logically the repository of recorded passwords. | Audit Windows machines that do not store passwords using reversible encryption | 2.0.0 |
System and Organization Controls (SOC) 2
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for System and Organization Controls (SOC) 2. For more information about this compliance standard, see System and Organization Controls (SOC) 2.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | Authentication to Linux machines should require SSH keys | 3.2.0 |
| Logical and Physical Access Controls | CC6.1 | Logical access security software, infrastructure, and architectures | Windows machines should be configured to use secure communication protocols | 4.1.1 |
| Logical and Physical Access Controls | CC6.6 | Security measures against threats outside system boundaries | Authentication to Linux machines should require SSH keys | 3.2.0 |
| Logical and Physical Access Controls | CC6.6 | Security measures against threats outside system boundaries | Windows machines should be configured to use secure communication protocols | 4.1.1 |
| Logical and Physical Access Controls | CC6.7 | Restrict the movement of information to authorized users | Windows machines should be configured to use secure communication protocols | 4.1.1 |
| Logical and Physical Access Controls | CC6.8 | Prevent or detect against unauthorized or malicious software | Endpoint protection health issues should be resolved on your machines | 1.0.0 |
| Logical and Physical Access Controls | CC6.8 | Prevent or detect against unauthorized or malicious software | Endpoint protection should be installed on your machines | 1.0.0 |
| Logical and Physical Access Controls | CC6.8 | Prevent or detect against unauthorized or malicious software | Linux machines should meet requirements for the Azure compute security baseline | 2.2.0 |
| Logical and Physical Access Controls | CC6.8 | Prevent or detect against unauthorized or malicious software | Windows machines should meet requirements of the Azure compute security baseline | 2.0.0 |
| System Operations | CC7.2 | Monitor system components for anomalous behavior | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0 |
| Change Management | CC8.1 | Changes to infrastructure, data, and software | Linux machines should meet requirements for the Azure compute security baseline | 2.2.0 |
| Change Management | CC8.1 | Changes to infrastructure, data, and software | Windows machines should meet requirements of the Azure compute security baseline | 2.0.0 |
UK OFFICIAL and UK NHS
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - UK OFFICIAL and UK NHS. For more information about this compliance standard, see UK OFFICIAL.
Next steps
- Learn more about Azure Policy Regulatory Compliance.
- See the built-ins on the Azure Policy GitHub repo.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for