Azure Government compliance

Azure Security and Compliance Blueprint

Azure Security and Compliance Blueprints include guidance documents and automation templates to help customers deploy cloud-based architectures that address scenarios with accreditation or compliance requirements. Azure Security and Compliance Blueprints for government are designed to facilitate the secure and compliant use of Azure by government agencies and by third-party providers building on behalf of government. Azure Government has received a FedRAMP Provisional Authority to Operate (P-ATO) and a DoD Provisional Authorization (PA). These authorizations reduce the scope of customer-responsibility security controls in Azure-based systems: by inheriting the security control implementations that Azure Government already provides, customers can focus on the control implementations specific to their own IaaS, PaaS, or SaaS environments built in Azure. Azure Security and Compliance Blueprints are available on the Service Trust Portal.

Azure Security and Compliance Blueprint Customer Responsibility Matrix

The Azure Security and Compliance Blueprint Customer Responsibility Matrix (CRM) is designed to aid Azure Government customers in implementing and documenting the system-specific security controls they implement within Azure. The CRM lists all NIST SP 800-53 security control requirements in the FedRAMP and DISA baselines that include a customer implementation requirement. This covers both controls with a shared responsibility between Azure and Azure customers and controls that must be fully implemented by Azure customers. Where appropriate, controls are delineated at the granularity of individual control sub-requirements to provide specific guidance.

The CRM is available as a Microsoft Excel workbook for the FedRAMP Moderate and High baselines, the DISA Cloud Computing SRG L4 and L5 baselines, and the NIST Cybersecurity Framework (CSF). The CRM is available for download from the Service Trust Portal.

Azure Security and Compliance Blueprint System Security Plan template

The Azure Security and Compliance Blueprint System Security Plan (SSP) template is designed for use in developing an SSP that documents both the customer's own security control implementations and the controls inherited from Azure. For controls that include a customer responsibility, the template provides guidance on documenting the control implementation with a thorough and compliant response. The Azure inheritance sections document how security controls are implemented by Azure on behalf of the customer.

The SSP is available for the FedRAMP Moderate and High baselines, and the DISA Cloud Computing SRG L4 and L5 baselines. The SSP is available for download from the Service Trust Portal.

General Data Protection Regulation (GDPR) Data Subject Requests (DSRs) on Azure Government

Azure tenant administrators can use the User Privacy blade in the Azure portal to export and/or delete personal data generated during a customer's use of Azure Government services. For more information about Data Subject Requests, see Data Subject Requests for the GDPR.

Next steps

For inquiries related to Azure Security and Compliance Blueprints, FedRAMP, DoD, or Agency ATO processes, or other compliance assistance, or to provide feedback, email azureblueprint@microsoft.com.

Visit the Azure Security and Compliance Blueprint page on the Service Trust Portal.

Microsoft Azure Government Blog