Azure Policy Regulatory Compliance controls for Azure Resource Manager

Regulatory Compliance in Azure Policy provides Microsoft-created and Microsoft-managed initiative definitions, known as built-ins, for the compliance domains and security controls related to different compliance standards. This page lists the compliance domains and security controls for Azure Resource Manager. You can assign the built-ins for a security control individually to help make your Azure resources compliant with the specific standard.

The title of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Policy Version column to view the source on the Azure Policy GitHub repo.

Important

Each control below is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, there often is not a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policies themselves; this doesn't ensure you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between controls and Azure Policy Regulatory Compliance definitions for these compliance standards may change over time.

Australian Government ISM PROTECTED

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Australian Government ISM PROTECTED. For more information about this compliance standard, see Australian Government ISM PROTECTED.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Guidelines for System Hardening - Operating system hardening | 380 | Operating system configuration - 380 | Deprecated accounts should be removed from your subscription | 3.0.0 |
| Guidelines for System Hardening - Operating system hardening | 380 | Operating system configuration - 380 | Deprecated accounts with owner permissions should be removed from your subscription | 3.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 414 | User identification - 414 | MFA should be enabled accounts with write permissions on your subscription | 3.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 414 | User identification - 414 | MFA should be enabled on accounts with owner permissions on your subscription | 3.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 414 | User identification - 414 | MFA should be enabled on accounts with read permissions on your subscription | 3.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 430 | Suspension of access to systems - 430 | Deprecated accounts should be removed from your subscription | 3.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 430 | Suspension of access to systems - 430 | Deprecated accounts with owner permissions should be removed from your subscription | 3.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 441 | Temporary access to systems - 441 | Deprecated accounts should be removed from your subscription | 3.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 441 | Temporary access to systems - 441 | Deprecated accounts with owner permissions should be removed from your subscription | 3.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 441 | Temporary access to systems - 441 | External accounts with owner permissions should be removed from your subscription | 3.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 441 | Temporary access to systems - 441 | External accounts with write permissions should be removed from your subscription | 3.0.0 |
| Guidelines for Media - Media usage | 947 | Using media for data transfers - 947 | MFA should be enabled on accounts with read permissions on your subscription | 3.0.0 |
| Guidelines for System Hardening - Authentication hardening | 1173 | Multi-factor authentication - 1173 | MFA should be enabled accounts with write permissions on your subscription | 3.0.0 |
| Guidelines for System Hardening - Authentication hardening | 1173 | Multi-factor authentication - 1173 | MFA should be enabled on accounts with owner permissions on your subscription | 3.0.0 |
| Guidelines for System Hardening - Authentication hardening | 1384 | Multi-factor authentication - 1384 | MFA should be enabled accounts with write permissions on your subscription | 3.0.0 |
| Guidelines for System Hardening - Authentication hardening | 1384 | Multi-factor authentication - 1384 | MFA should be enabled on accounts with owner permissions on your subscription | 3.0.0 |
| Guidelines for System Hardening - Authentication hardening | 1384 | Multi-factor authentication - 1384 | MFA should be enabled on accounts with read permissions on your subscription | 3.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 1503 | Standard access to systems - 1503 | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 1503 | Standard access to systems - 1503 | There should be more than one owner assigned to your subscription | 3.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 1508 | Privileged access to systems - 1508 | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 1508 | Privileged access to systems - 1508 | There should be more than one owner assigned to your subscription | 3.0.0 |
| Guidelines for System Management - Data backup and restoration | 1511 | Performing backups - 1511 | Audit virtual machines without disaster recovery configured | 1.0.0 |

Azure Security Benchmark

The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. To see how this service completely maps to the Azure Security Benchmark, see the Azure Security Benchmark mapping files.

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Azure Security Benchmark.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Identity Management | IM-2 | Manage application identities securely and automatically | Service principals should be used to protect your subscriptions instead of management certificates | 1.0.0 |
| Identity Management | IM-4 | Use strong authentication controls for all Azure Active Directory based access | MFA should be enabled accounts with write permissions on your subscription | 3.0.0 |
| Identity Management | IM-4 | Use strong authentication controls for all Azure Active Directory based access | MFA should be enabled on accounts with owner permissions on your subscription | 3.0.0 |
| Identity Management | IM-4 | Use strong authentication controls for all Azure Active Directory based access | MFA should be enabled on accounts with read permissions on your subscription | 3.0.0 |
| Privileged Access | PA-1 | Protect and limit highly privileged users | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| Privileged Access | PA-1 | Protect and limit highly privileged users | Deprecated accounts with owner permissions should be removed from your subscription | 3.0.0 |
| Privileged Access | PA-1 | Protect and limit highly privileged users | External accounts with owner permissions should be removed from your subscription | 3.0.0 |
| Privileged Access | PA-1 | Protect and limit highly privileged users | There should be more than one owner assigned to your subscription | 3.0.0 |
| Privileged Access | PA-3 | Review and reconcile user access regularly | Deprecated accounts should be removed from your subscription | 3.0.0 |
| Privileged Access | PA-3 | Review and reconcile user access regularly | Deprecated accounts with owner permissions should be removed from your subscription | 3.0.0 |
| Privileged Access | PA-3 | Review and reconcile user access regularly | External accounts with owner permissions should be removed from your subscription | 3.0.0 |
| Privileged Access | PA-3 | Review and reconcile user access regularly | External accounts with read permissions should be removed from your subscription | 3.0.0 |
| Privileged Access | PA-3 | Review and reconcile user access regularly | External accounts with write permissions should be removed from your subscription | 3.0.0 |
| Data Protection | DP-2 | Protect sensitive data | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Data Protection | DP-2 | Protect sensitive data | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Data Protection | DP-2 | Protect sensitive data | Azure Defender for Storage should be enabled | 1.0.3 |
| Data Protection | DP-3 | Monitor for unauthorized transfer of sensitive data | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Data Protection | DP-3 | Monitor for unauthorized transfer of sensitive data | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Data Protection | DP-3 | Monitor for unauthorized transfer of sensitive data | Azure Defender for Storage should be enabled | 1.0.3 |
| Logging and Threat Detection | LT-1 | Enable threat detection for Azure resources | Azure Defender for App Service should be enabled | 1.0.3 |
| Logging and Threat Detection | LT-1 | Enable threat detection for Azure resources | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Logging and Threat Detection | LT-1 | Enable threat detection for Azure resources | Azure Defender for container registries should be enabled | 1.0.3 |
| Logging and Threat Detection | LT-1 | Enable threat detection for Azure resources | Azure Defender for DNS should be enabled | 1.0.0-preview |
| Logging and Threat Detection | LT-1 | Enable threat detection for Azure resources | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Logging and Threat Detection | LT-1 | Enable threat detection for Azure resources | Azure Defender for Kubernetes should be enabled | 1.0.3 |
| Logging and Threat Detection | LT-1 | Enable threat detection for Azure resources | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| Logging and Threat Detection | LT-1 | Enable threat detection for Azure resources | Azure Defender for servers should be enabled | 1.0.3 |
| Logging and Threat Detection | LT-1 | Enable threat detection for Azure resources | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Logging and Threat Detection | LT-1 | Enable threat detection for Azure resources | Azure Defender for Storage should be enabled | 1.0.3 |
| Logging and Threat Detection | LT-2 | Enable threat detection for Azure identity and access management | Azure Defender for App Service should be enabled | 1.0.3 |
| Logging and Threat Detection | LT-2 | Enable threat detection for Azure identity and access management | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Logging and Threat Detection | LT-2 | Enable threat detection for Azure identity and access management | Azure Defender for container registries should be enabled | 1.0.3 |
| Logging and Threat Detection | LT-2 | Enable threat detection for Azure identity and access management | Azure Defender for DNS should be enabled | 1.0.0-preview |
| Logging and Threat Detection | LT-2 | Enable threat detection for Azure identity and access management | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Logging and Threat Detection | LT-2 | Enable threat detection for Azure identity and access management | Azure Defender for Kubernetes should be enabled | 1.0.3 |
| Logging and Threat Detection | LT-2 | Enable threat detection for Azure identity and access management | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| Logging and Threat Detection | LT-2 | Enable threat detection for Azure identity and access management | Azure Defender for servers should be enabled | 1.0.3 |
| Logging and Threat Detection | LT-2 | Enable threat detection for Azure identity and access management | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Logging and Threat Detection | LT-2 | Enable threat detection for Azure identity and access management | Azure Defender for Storage should be enabled | 1.0.3 |
| Logging and Threat Detection | LT-5 | Centralize security log management and analysis | Auto provisioning of the Log Analytics agent should be enabled on your subscription | 1.0.1 |
| Incident Response | IR-2 | Preparation - setup incident notification | Email notification for high severity alerts should be enabled | 1.0.1 |
| Incident Response | IR-2 | Preparation - setup incident notification | Email notification to subscription owner for high severity alerts should be enabled | 2.0.0 |
| Incident Response | IR-2 | Preparation - setup incident notification | Subscriptions should have a contact email address for security issues | 1.0.1 |
| Incident Response | IR-3 | Detection and analysis - create incidents based on high quality alerts | Azure Defender for App Service should be enabled | 1.0.3 |
| Incident Response | IR-3 | Detection and analysis - create incidents based on high quality alerts | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Incident Response | IR-3 | Detection and analysis - create incidents based on high quality alerts | Azure Defender for container registries should be enabled | 1.0.3 |
| Incident Response | IR-3 | Detection and analysis - create incidents based on high quality alerts | Azure Defender for DNS should be enabled | 1.0.0-preview |
| Incident Response | IR-3 | Detection and analysis - create incidents based on high quality alerts | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Incident Response | IR-3 | Detection and analysis - create incidents based on high quality alerts | Azure Defender for Kubernetes should be enabled | 1.0.3 |
| Incident Response | IR-3 | Detection and analysis - create incidents based on high quality alerts | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| Incident Response | IR-3 | Detection and analysis - create incidents based on high quality alerts | Azure Defender for servers should be enabled | 1.0.3 |
| Incident Response | IR-3 | Detection and analysis - create incidents based on high quality alerts | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Incident Response | IR-3 | Detection and analysis - create incidents based on high quality alerts | Azure Defender for Storage should be enabled | 1.0.3 |
| Incident Response | IR-5 | Detection and analysis - prioritize incidents | Azure Defender for App Service should be enabled | 1.0.3 |
| Incident Response | IR-5 | Detection and analysis - prioritize incidents | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Incident Response | IR-5 | Detection and analysis - prioritize incidents | Azure Defender for container registries should be enabled | 1.0.3 |
| Incident Response | IR-5 | Detection and analysis - prioritize incidents | Azure Defender for DNS should be enabled | 1.0.0-preview |
| Incident Response | IR-5 | Detection and analysis - prioritize incidents | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Incident Response | IR-5 | Detection and analysis - prioritize incidents | Azure Defender for Kubernetes should be enabled | 1.0.3 |
| Incident Response | IR-5 | Detection and analysis - prioritize incidents | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| Incident Response | IR-5 | Detection and analysis - prioritize incidents | Azure Defender for servers should be enabled | 1.0.3 |
| Incident Response | IR-5 | Detection and analysis - prioritize incidents | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Incident Response | IR-5 | Detection and analysis - prioritize incidents | Azure Defender for Storage should be enabled | 1.0.3 |
| Endpoint Security | ES-1 | Use Endpoint Detection and Response (EDR) | Azure Defender for servers should be enabled | 1.0.3 |

Azure Security Benchmark v1

The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. To see how this service completely maps to the Azure Security Benchmark, see the Azure Security Benchmark mapping files.

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Azure Security Benchmark.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Logging and Monitoring | 2.2 | Configure central security log management | Auto provisioning of the Log Analytics agent should be enabled on your subscription | 1.0.1 |
| Logging and Monitoring | 2.2 | Configure central security log management | Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' | 1.0.0 |
| Logging and Monitoring | 2.2 | Configure central security log management | Azure Monitor should collect activity logs from all regions | 2.0.0 |
| Logging and Monitoring | 2.4 | Collect security logs from operating systems | Auto provisioning of the Log Analytics agent should be enabled on your subscription | 1.0.1 |
| Identity and Access Control | 3.1 | Maintain an inventory of administrative accounts | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| Identity and Access Control | 3.1 | Maintain an inventory of administrative accounts | Deprecated accounts with owner permissions should be removed from your subscription | 3.0.0 |
| Identity and Access Control | 3.1 | Maintain an inventory of administrative accounts | External accounts with owner permissions should be removed from your subscription | 3.0.0 |
| Identity and Access Control | 3.1 | Maintain an inventory of administrative accounts | There should be more than one owner assigned to your subscription | 3.0.0 |
| Identity and Access Control | 3.3 | Use dedicated administrative accounts | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| Identity and Access Control | 3.3 | Use dedicated administrative accounts | There should be more than one owner assigned to your subscription | 3.0.0 |
| Identity and Access Control | 3.5 | Use multi-factor authentication for all Azure Active Directory based access | MFA should be enabled accounts with write permissions on your subscription | 3.0.0 |
| Identity and Access Control | 3.5 | Use multi-factor authentication for all Azure Active Directory based access | MFA should be enabled on accounts with owner permissions on your subscription | 3.0.0 |
| Identity and Access Control | 3.5 | Use multi-factor authentication for all Azure Active Directory based access | MFA should be enabled on accounts with read permissions on your subscription | 3.0.0 |
| Identity and Access Control | 3.10 | Regularly review and reconcile user access | Deprecated accounts should be removed from your subscription | 3.0.0 |
| Identity and Access Control | 3.10 | Regularly review and reconcile user access | Deprecated accounts with owner permissions should be removed from your subscription | 3.0.0 |
| Identity and Access Control | 3.10 | Regularly review and reconcile user access | External accounts with owner permissions should be removed from your subscription | 3.0.0 |
| Identity and Access Control | 3.10 | Regularly review and reconcile user access | External accounts with read permissions should be removed from your subscription | 3.0.0 |
| Identity and Access Control | 3.10 | Regularly review and reconcile user access | External accounts with write permissions should be removed from your subscription | 3.0.0 |
| Data Protection | 4.9 | Log and alert on changes to critical Azure resources | Azure Monitor should collect activity logs from all regions | 2.0.0 |
| Incident Response | 10.4 | Provide security incident contact details and configure alert notifications for security incidents | Subscriptions should have a contact email address for security issues | 1.0.1 |

Canada Federal PBMM

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Canada Federal PBMM. For more information about this compliance standard, see Canada Federal PBMM.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | AC-2 | Account Management | Deprecated accounts should be removed from your subscription | 3.0.0 |
| Access Control | AC-2 | Account Management | Deprecated accounts with owner permissions should be removed from your subscription | 3.0.0 |
| Access Control | AC-2 | Account Management | External accounts with owner permissions should be removed from your subscription | 3.0.0 |
| Access Control | AC-2 | Account Management | External accounts with read permissions should be removed from your subscription | 3.0.0 |
| Access Control | AC-2 | Account Management | External accounts with write permissions should be removed from your subscription | 3.0.0 |
| Access Control | AC-5 | Separation of Duties | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| Access Control | AC-5 | Separation of Duties | There should be more than one owner assigned to your subscription | 3.0.0 |
| Access Control | AC-6 | Least Privilege | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| Access Control | AC-6 | Least Privilege | There should be more than one owner assigned to your subscription | 3.0.0 |
| Contingency Planning | CP-7 | Alternative Processing Site | Audit virtual machines without disaster recovery configured | 1.0.0 |
| Identification and Authentication | IA-2(1) | Identification and Authentication (Organizational Users) \| Network Access to Privileged Accounts | MFA should be enabled accounts with write permissions on your subscription | 3.0.0 |
| Identification and Authentication | IA-2(1) | Identification and Authentication (Organizational Users) \| Network Access to Privileged Accounts | MFA should be enabled on accounts with owner permissions on your subscription | 3.0.0 |

CIS Microsoft Azure Foundations Benchmark 1.1.0

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - CIS Microsoft Azure Foundations Benchmark 1.1.0. For more information about this compliance standard, see CIS Microsoft Azure Foundations Benchmark.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Identity and Access Management | 1.1 | Ensure that multi-factor authentication is enabled for all privileged users | MFA should be enabled accounts with write permissions on your subscription | 3.0.0 |
| Identity and Access Management | 1.1 | Ensure that multi-factor authentication is enabled for all privileged users | MFA should be enabled on accounts with owner permissions on your subscription | 3.0.0 |
| Identity and Access Management | 1.2 | Ensure that multi-factor authentication is enabled for all non-privileged users | MFA should be enabled on accounts with read permissions on your subscription | 3.0.0 |
| Identity and Access Management | 1.3 | Ensure that there are no guest users | External accounts with owner permissions should be removed from your subscription | 3.0.0 |
| Identity and Access Management | 1.3 | Ensure that there are no guest users | External accounts with read permissions should be removed from your subscription | 3.0.0 |
| Identity and Access Management | 1.3 | Ensure that there are no guest users | External accounts with write permissions should be removed from your subscription | 3.0.0 |
| Security Center | 2.1 | Ensure that standard pricing tier is selected | Azure Defender for App Service should be enabled | 1.0.3 |
| Security Center | 2.1 | Ensure that standard pricing tier is selected | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Security Center | 2.1 | Ensure that standard pricing tier is selected | Azure Defender for container registries should be enabled | 1.0.3 |
| Security Center | 2.1 | Ensure that standard pricing tier is selected | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Security Center | 2.1 | Ensure that standard pricing tier is selected | Azure Defender for Kubernetes should be enabled | 1.0.3 |
| Security Center | 2.1 | Ensure that standard pricing tier is selected | Azure Defender for servers should be enabled | 1.0.3 |
| Security Center | 2.1 | Ensure that standard pricing tier is selected | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Security Center | 2.1 | Ensure that standard pricing tier is selected | Azure Defender for Storage should be enabled | 1.0.3 |
| Security Center | 2.2 | Ensure that 'Automatic provisioning of monitoring agent' is set to 'On' | Auto provisioning of the Log Analytics agent should be enabled on your subscription | 1.0.1 |
| Security Center | 2.16 | Ensure that 'Security contact emails' is set | Subscriptions should have a contact email address for security issues | 1.0.1 |
| Security Center | 2.18 | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Email notification for high severity alerts should be enabled | 1.0.1 |
| Security Center | 2.19 | Ensure that 'Send email also to subscription owners' is set to 'On' | Email notification to subscription owner for high severity alerts should be enabled | 2.0.0 |
| Logging and Monitoring | 5.1.1 | Ensure that a Log Profile exists | Azure subscriptions should have a log profile for Activity Log | 1.0.0 |
| Logging and Monitoring | 5.1.2 | Ensure that Activity Log Retention is set 365 days or greater | Activity log should be retained for at least one year | 1.0.0 |
| Logging and Monitoring | 5.1.3 | Ensure audit profile captures all the activities | Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' | 1.0.0 |
| Logging and Monitoring | 5.1.4 | Ensure the log profile captures activity logs for all regions including global | Azure Monitor should collect activity logs from all regions | 2.0.0 |
| Logging and Monitoring | 5.2.1 | Ensure that Activity Log Alert exists for Create Policy Assignment | An activity log alert should exist for specific Policy operations | 3.0.0 |
| Logging and Monitoring | 5.2.2 | Ensure that Activity Log Alert exists for Create or Update Network Security Group | An activity log alert should exist for specific Administrative operations | 1.0.0 |
| Logging and Monitoring | 5.2.3 | Ensure that Activity Log Alert exists for Delete Network Security Group | An activity log alert should exist for specific Administrative operations | 1.0.0 |
| Logging and Monitoring | 5.2.4 | Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule | An activity log alert should exist for specific Administrative operations | 1.0.0 |
| Logging and Monitoring | 5.2.5 | Ensure that activity log alert exists for the Delete Network Security Group Rule | An activity log alert should exist for specific Administrative operations | 1.0.0 |
| Logging and Monitoring | 5.2.6 | Ensure that Activity Log Alert exists for Create or Update Security Solution | An activity log alert should exist for specific Security operations | 1.0.0 |
| Logging and Monitoring | 5.2.7 | Ensure that Activity Log Alert exists for Delete Security Solution | An activity log alert should exist for specific Security operations | 1.0.0 |
| Logging and Monitoring | 5.2.8 | Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule | An activity log alert should exist for specific Administrative operations | 1.0.0 |
| Logging and Monitoring | 5.2.8 | Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule | An activity log alert should exist for specific Administrative operations | 1.0.0 |
| Logging and Monitoring | 5.2.9 | Ensure that Activity Log Alert exists for Update Security Policy | An activity log alert should exist for specific Security operations | 1.0.0 |

CIS Microsoft Azure Foundations Benchmark 1.3.0

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - CIS Microsoft Azure Foundations Benchmark 1.3.0. For more information about this compliance standard, see CIS Microsoft Azure Foundations Benchmark.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Identity and Access Management | 1.1 | Ensure that multi-factor authentication is enabled for all privileged users | MFA should be enabled accounts with write permissions on your subscription | 3.0.0 |
| Identity and Access Management | 1.1 | Ensure that multi-factor authentication is enabled for all privileged users | MFA should be enabled on accounts with owner permissions on your subscription | 3.0.0 |
| Identity and Access Management | 1.2 | Ensure that multi-factor authentication is enabled for all non-privileged users | MFA should be enabled on accounts with read permissions on your subscription | 3.0.0 |
| Identity and Access Management | 1.3 | Ensure guest users are reviewed on a monthly basis | External accounts with owner permissions should be removed from your subscription | 3.0.0 |
| Identity and Access Management | 1.3 | Ensure guest users are reviewed on a monthly basis | External accounts with read permissions should be removed from your subscription | 3.0.0 |
| Identity and Access Management | 1.3 | Ensure guest users are reviewed on a monthly basis | External accounts with write permissions should be removed from your subscription | 3.0.0 |
| Security Center | 2.1 | Ensure that Azure Defender is set to On for Servers | Azure Defender for servers should be enabled | 1.0.3 |
| Security Center | 2.2 | Ensure that Azure Defender is set to On for App Service | Azure Defender for App Service should be enabled | 1.0.3 |
| Security Center | 2.3 | Ensure that Azure Defender is set to On for Azure SQL database servers | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Security Center | 2.4 | Ensure that Azure Defender is set to On for SQL servers on machines | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Security Center | 2.5 | Ensure that Azure Defender is set to On for Storage | Azure Defender for Storage should be enabled | 1.0.3 |
| Security Center | 2.6 | Ensure that Azure Defender is set to On for Kubernetes | Azure Defender for Kubernetes should be enabled | 1.0.3 |
| Security Center | 2.7 | Ensure that Azure Defender is set to On for Container Registries | Azure Defender for container registries should be enabled | 1.0.3 |
| Security Center | 2.8 | Ensure that Azure Defender is set to On for Key Vault | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Security Center | 2.11 | Ensure that 'Automatic provisioning of monitoring agent' is set to 'On' | Auto provisioning of the Log Analytics agent should be enabled on your subscription | 1.0.1 |
| Security Center | 2.13 | Ensure 'Additional email addresses' is configured with a security contact email | Subscriptions should have a contact email address for security issues | 1.0.1 |
| Security Center | 2.14 | Ensure that 'Notify about alerts with the following severity' is set to 'High' | Email notification for high severity alerts should be enabled | 1.0.1 |
| Logging and Monitoring | 5.2.1 | Ensure that Activity Log Alert exists for Create Policy Assignment | An activity log alert should exist for specific Policy operations | 3.0.0 |
| Logging and Monitoring | 5.2.2 | Ensure that Activity Log Alert exists for Delete Policy Assignment | An activity log alert should exist for specific Policy operations | 3.0.0 |
| Logging and Monitoring | 5.2.3 | Ensure that Activity Log Alert exists for Create or Update Network Security Group | An activity log alert should exist for specific Administrative operations | 1.0.0 |
| Logging and Monitoring | 5.2.4 | Ensure that Activity Log Alert exists for Delete Network Security Group | An activity log alert should exist for specific Administrative operations | 1.0.0 |
| Logging and Monitoring | 5.2.5 | Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule | An activity log alert should exist for specific Administrative operations | 1.0.0 |
| Logging and Monitoring | 5.2.6 | Ensure that activity log alert exists for the Delete Network Security Group Rule | An activity log alert should exist for specific Administrative operations | 1.0.0 |
| Logging and Monitoring | 5.2.7 | Ensure that Activity Log Alert exists for Create or Update Security Solution | An activity log alert should exist for specific Security operations | 1.0.0 |
| Logging and Monitoring | 5.2.8 | Ensure that Activity Log Alert exists for Delete Security Solution | An activity log alert should exist for specific Security operations | 1.0.0 |
| Logging and Monitoring | 5.2.9 | Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule | An activity log alert should exist for specific Administrative operations | 1.0.0 |
| Logging and Monitoring | 5.2.9 | Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule | An activity log alert should exist for specific Administrative operations | 1.0.0 |

CMMC Level 3

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - CMMC Level 3. For more information about this compliance standard, see Cybersecurity Maturity Model Certification (CMMC).

Domain Control ID Control title Policy (Azure portal) Policy version (GitHub)
Access Control AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). Deprecated accounts should be removed from your subscription 3.0.0
Access Control AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). Deprecated accounts with owner permissions should be removed from your subscription 3.0.0
Access Control AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). External accounts with owner permissions should be removed from your subscription 3.0.0
Access Control AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). External accounts with read permissions should be removed from your subscription 3.0.0
Access Control AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). External accounts with write permissions should be removed from your subscription 3.0.0
Access Control AC.2.007 Employ the principle of least privilege, including for specific security functions and privileged accounts. External accounts with read permissions should be removed from your subscription 3.0.0
Access Control AC.2.007 Employ the principle of least privilege, including for specific security functions and privileged accounts. External accounts with write permissions should be removed from your subscription 3.0.0
Access Control AC.3.017 Separate the duties of individuals to reduce the risk of malevolent activity without collusion. A maximum of 3 owners should be designated for your subscription 3.0.0
Access Control AC.3.017 Separate the duties of individuals to reduce the risk of malevolent activity without collusion. There should be more than one owner assigned to your subscription 3.0.0
Access Control AC.3.018 Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs. An activity log alert should exist for specific Administrative operations 1.0.0
Access Control AC.3.018 Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs. An activity log alert should exist for specific Administrative operations 1.0.0
Access Control AC.3.018 Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs. An activity log alert should exist for specific Administrative operations 1.0.0
Access Control AC.3.018 Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs. An activity log alert should exist for specific Administrative operations 1.0.0
Access Control AC.3.018 Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs. An activity log alert should exist for specific Administrative operations 1.0.0
Access Control AC.3.021 Authorize remote execution of privileged commands and remote access to security-relevant information. An activity log alert should exist for specific Administrative operations 1.0.0
Access Control AC.3.021 Authorize remote execution of privileged commands and remote access to security-relevant information. An activity log alert should exist for specific Administrative operations 1.0.0
Access Control AC.3.021 Authorize remote execution of privileged commands and remote access to security-relevant information. An activity log alert should exist for specific Administrative operations 1.0.0
Access Control AC.3.021 Authorize remote execution of privileged commands and remote access to security-relevant information. An activity log alert should exist for specific Administrative operations 1.0.0
Access Control AC.3.021 Authorize remote execution of privileged commands and remote access to security-relevant information. An activity log alert should exist for specific Administrative operations 1.0.0
Access Control AC.3.021 Authorize remote execution of privileged commands and remote access to security-relevant information. An activity log alert should exist for specific Security operations 1.0.0
Audit and Accountability AU.2.041 Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. An activity log alert should exist for specific Administrative operations 1.0.0
Audit and Accountability AU.2.041 Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. An activity log alert should exist for specific Administrative operations 1.0.0
Audit and Accountability AU.2.041 Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. An activity log alert should exist for specific Administrative operations 1.0.0
Audit and Accountability AU.2.041 Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. An activity log alert should exist for specific Administrative operations 1.0.0
Audit and Accountability AU.2.041 Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. An activity log alert should exist for specific Administrative operations 1.0.0
Audit and Accountability AU.2.041 Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. An activity log alert should exist for specific Policy operations 3.0.0
Audit and Accountability AU.2.041 Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. An activity log alert should exist for specific Security operations 1.0.0
Audit and Accountability AU.2.041 Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' 1.0.0
Audit and Accountability AU.2.041 Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. Azure Monitor should collect activity logs from all regions 2.0.0
Audit and Accountability AU.2.041 Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. Azure subscriptions should have a log profile for Activity Log 1.0.0
Audit and Accountability AU.2.042 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. Activity log should be retained for at least one year 1.0.0
Audit and Accountability AU.2.042 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. An activity log alert should exist for specific Administrative operations 1.0.0
Audit and Accountability AU.2.042 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. An activity log alert should exist for specific Administrative operations 1.0.0
Audit and Accountability AU.2.042 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. An activity log alert should exist for specific Administrative operations 1.0.0
Audit and Accountability AU.2.042 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. An activity log alert should exist for specific Administrative operations 1.0.0
Audit and Accountability AU.2.042 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. An activity log alert should exist for specific Administrative operations 1.0.0
Audit and Accountability AU.2.042 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. An activity log alert should exist for specific Policy operations 3.0.0
Audit and Accountability AU.2.042 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. An activity log alert should exist for specific Security operations 1.0.0
Audit and Accountability AU.2.042 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. Azure Monitor should collect activity logs from all regions 2.0.0
Audit and Accountability AU.2.042 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. Azure subscriptions should have a log profile for Activity Log 1.0.0
Audit and Accountability AU.3.049 Protect audit information and audit logging tools from unauthorized access, modification, and deletion. An activity log alert should exist for specific Policy operations 3.0.0
Security Assessment CA.2.158 Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. An activity log alert should exist for specific Security operations 1.0.0
Security Assessment CA.3.161 Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. An activity log alert should exist for specific Security operations 1.0.0
Configuration Management CM.2.061 Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. An activity log alert should exist for specific Policy operations 3.0.0
Configuration Management CM.2.065 Track, review, approve or disapprove, and log changes to organizational systems. An activity log alert should exist for specific Administrative operations 1.0.0
Configuration Management CM.2.065 Track, review, approve or disapprove, and log changes to organizational systems. An activity log alert should exist for specific Administrative operations 1.0.0
Configuration Management CM.2.065 Track, review, approve or disapprove, and log changes to organizational systems. An activity log alert should exist for specific Administrative operations 1.0.0
Configuration Management CM.2.065 Track, review, approve or disapprove, and log changes to organizational systems. An activity log alert should exist for specific Administrative operations 1.0.0
Configuration Management CM.2.065 Track, review, approve or disapprove, and log changes to organizational systems. An activity log alert should exist for specific Administrative operations 1.0.0
Configuration Management CM.2.065 Track, review, approve or disapprove, and log changes to organizational systems. An activity log alert should exist for specific Policy operations 3.0.0
Configuration Management CM.2.065 Track, review, approve or disapprove, and log changes to organizational systems. An activity log alert should exist for specific Security operations 1.0.0
Configuration Management CM.2.065 Track, review, approve or disapprove, and log changes to organizational systems. Azure Monitor should collect activity logs from all regions 2.0.0
Configuration Management CM.2.065 Track, review, approve or disapprove, and log changes to organizational systems. Azure subscriptions should have a log profile for Activity Log 1.0.0
Identification and Authentication IA.1.077 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. MFA should be enabled accounts with write permissions on your subscription 3.0.0
Identification and Authentication IA.1.077 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. MFA should be enabled on accounts with owner permissions on your subscription 3.0.0
Identification and Authentication IA.1.077 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. MFA should be enabled on accounts with read permissions on your subscription 3.0.0
Identification and Authentication IA.3.083 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. MFA should be enabled accounts with write permissions on your subscription 3.0.0
Identification and Authentication IA.3.083 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. MFA should be enabled on accounts with owner permissions on your subscription 3.0.0
Identification and Authentication IA.3.083 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. MFA should be enabled on accounts with read permissions on your subscription 3.0.0
Identification and Authentication IA.3.084 Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts. MFA should be enabled accounts with write permissions on your subscription 3.0.0
Identification and Authentication IA.3.084 Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts. MFA should be enabled on accounts with owner permissions on your subscription 3.0.0
Identification and Authentication IA.3.084 Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts. MFA should be enabled on accounts with read permissions on your subscription 3.0.0
Incident Response IR.2.092 Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities. Email notification for high severity alerts should be enabled 1.0.1
Incident Response IR.2.092 Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities. Email notification to subscription owner for high severity alerts should be enabled 2.0.0
Incident Response IR.2.092 Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities. Subscriptions should have a contact email address for security issues 1.0.1
Incident Response IR.2.093 Detect and report events. An activity log alert should exist for specific Security operations 1.0.0
Incident Response IR.2.093 Detect and report events. Azure Defender for App Service should be enabled 1.0.3
Incident Response IR.2.093 Detect and report events. Azure Defender for Azure SQL Database servers should be enabled 1.0.2
Incident Response IR.2.093 Detect and report events. Azure Defender for container registries should be enabled 1.0.3
Incident Response IR.2.093 Detect and report events. Azure Defender for Key Vault should be enabled 1.0.3
Incident Response IR.2.093 Detect and report events. Azure Defender for Kubernetes should be enabled 1.0.3
Incident Response IR.2.093 Detect and report events. Azure Defender for servers should be enabled 1.0.3
Incident Response IR.2.093 Detect and report events. Azure Defender for SQL servers on machines should be enabled 1.0.2
Incident Response IR.2.093 Detect and report events. Azure Defender for Storage should be enabled 1.0.3
Incident Response IR.2.093 Detect and report events. Email notification for high severity alerts should be enabled 1.0.1
Recovery RE.2.137 Regularly perform and test data back-ups. Audit virtual machines without disaster recovery configured 1.0.0
Recovery RE.3.139 Regularly perform complete, comprehensive and resilient data backups as organizationally-defined. Audit virtual machines without disaster recovery configured 1.0.0
Risk Assessment RM.2.141 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. Azure Defender for App Service should be enabled 1.0.3
Risk Assessment RM.2.141 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. Azure Defender for Azure SQL Database servers should be enabled 1.0.2
Risk Assessment RM.2.141 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. Azure Defender for container registries should be enabled 1.0.3
Risk Assessment RM.2.141 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. Azure Defender for Key Vault should be enabled 1.0.3
Risk Assessment RM.2.141 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. Azure Defender for Kubernetes should be enabled 1.0.3
Risk Assessment RM.2.141 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. Azure Defender for servers should be enabled 1.0.3
Risk Assessment RM.2.141 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. Azure Defender for SQL servers on machines should be enabled 1.0.2
Risk Assessment RM.2.141 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. Azure Defender for Storage should be enabled 1.0.3
Risk Assessment RM.2.142 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. Azure Defender for App Service should be enabled 1.0.3
Risk Assessment RM.2.142 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. Azure Defender for Azure SQL Database servers should be enabled 1.0.2
Risk Assessment RM.2.142 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. Azure Defender for container registries should be enabled 1.0.3
Risk Assessment RM.2.142 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. Azure Defender for Key Vault should be enabled 1.0.3
Risk Assessment RM.2.142 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. Azure Defender for Kubernetes should be enabled 1.0.3
Risk Assessment RM.2.142 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. Azure Defender for servers should be enabled 1.0.3
Risk Assessment RM.2.142 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. Azure Defender for SQL servers on machines should be enabled 1.0.2
Risk Assessment RM.2.142 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. Azure Defender for Storage should be enabled 1.0.3
Risk Assessment RM.2.143 Remediate vulnerabilities in accordance with risk assessments. Azure Defender for App Service should be enabled 1.0.3
Risk Assessment RM.2.143 Remediate vulnerabilities in accordance with risk assessments. Azure Defender for Azure SQL Database servers should be enabled 1.0.2
Risk Assessment RM.2.143 Remediate vulnerabilities in accordance with risk assessments. Azure Defender for container registries should be enabled 1.0.3
Risk Assessment RM.2.143 Remediate vulnerabilities in accordance with risk assessments. Azure Defender for Key Vault should be enabled 1.0.3
Risk Assessment RM.2.143 Remediate vulnerabilities in accordance with risk assessments. Azure Defender for Kubernetes should be enabled 1.0.3
Risk Assessment RM.2.143 Remediate vulnerabilities in accordance with risk assessments. Azure Defender for servers should be enabled 1.0.3
Risk Assessment RM.2.143 Remediate vulnerabilities in accordance with risk assessments. Azure Defender for SQL servers on machines should be enabled 1.0.2
Risk Assessment RM.2.143 Remediate vulnerabilities in accordance with risk assessments. Azure Defender for Storage should be enabled 1.0.3
Risk Management RM.3.144 Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources and risk measurement criteria. Azure Defender for App Service should be enabled 1.0.3
Risk Management RM.3.144 Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources and risk measurement criteria. Azure Defender for Azure SQL Database servers should be enabled 1.0.2
Risk Management RM.3.144 Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources and risk measurement criteria. Azure Defender for container registries should be enabled 1.0.3
Risk Management RM.3.144 Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources and risk measurement criteria. Azure Defender for Key Vault should be enabled 1.0.3
Risk Management RM.3.144 Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources and risk measurement criteria. Azure Defender for Kubernetes should be enabled 1.0.3
Risk Management RM.3.144 Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources and risk measurement criteria. Azure Defender for servers should be enabled 1.0.3
Risk Management RM.3.144 Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources and risk measurement criteria. Azure Defender for SQL servers on machines should be enabled 1.0.2
Risk Management RM.3.144 Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources and risk measurement criteria. Azure Defender for Storage should be enabled 1.0.3
System and Communications Protection SC.3.181 Separate user functionality from system management functionality. A maximum of 3 owners should be designated for your subscription 3.0.0
System and Communications Protection SC.3.181 Separate user functionality from system management functionality. Deprecated accounts with owner permissions should be removed from your subscription 3.0.0
System and Communications Protection SC.3.181 Separate user functionality from system management functionality. External accounts with owner permissions should be removed from your subscription 3.0.0
System and Communications Protection SC.3.181 Separate user functionality from system management functionality. There should be more than one owner assigned to your subscription 3.0.0
System and Communications Protection SC.3.187 Establish and manage cryptographic keys for cryptography employed in organizational systems. Azure Defender for Key Vault should be enabled 1.0.3
System and Communications Protection SC.3.190 Protect the authenticity of communications sessions. MFA should be enabled accounts with write permissions on your subscription 3.0.0
System and Communications Protection SC.3.190 Protect the authenticity of communications sessions. MFA should be enabled on accounts with owner permissions on your subscription 3.0.0
System and Communications Protection SC.3.190 Protect the authenticity of communications sessions. MFA should be enabled on accounts with read permissions on your subscription 3.0.0
System and Information Integrity SI.1.213 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. Azure Defender for App Service should be enabled 1.0.3
System and Information Integrity SI.1.213 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. Azure Defender for Azure SQL Database servers should be enabled 1.0.2
System and Information Integrity SI.1.213 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. Azure Defender for container registries should be enabled 1.0.3
System and Information Integrity SI.1.213 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. Azure Defender for Key Vault should be enabled 1.0.3
System and Information Integrity SI.1.213 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. Azure Defender for Kubernetes should be enabled 1.0.3
System and Information Integrity SI.1.213 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. Azure Defender for servers should be enabled 1.0.3
System and Information Integrity SI.1.213 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. Azure Defender for SQL servers on machines should be enabled 1.0.2
System and Information Integrity SI.1.213 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. Azure Defender for Storage should be enabled 1.0.3
System and Information Integrity SI.2.216 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. An activity log alert should exist for specific Administrative operations 1.0.0
System and Information Integrity SI.2.216 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. An activity log alert should exist for specific Administrative operations 1.0.0
System and Information Integrity SI.2.216 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. An activity log alert should exist for specific Administrative operations 1.0.0
System and Information Integrity SI.2.216 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. An activity log alert should exist for specific Administrative operations 1.0.0
System and Information Integrity SI.2.216 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. An activity log alert should exist for specific Administrative operations 1.0.0
System and Information Integrity SI.2.216 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. An activity log alert should exist for specific Policy operations 3.0.0
System and Information Integrity SI.2.216 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. An activity log alert should exist for specific Security operations 1.0.0
System and Information Integrity SI.2.216 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. Azure Defender for App Service should be enabled 1.0.3
System and Information Integrity SI.2.216 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. Azure Defender for Azure SQL Database servers should be enabled 1.0.2
System and Information Integrity SI.2.216 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. Azure Defender for container registries should be enabled 1.0.3
System and Information Integrity SI.2.216 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. Azure Defender for Key Vault should be enabled 1.0.3
System and Information Integrity SI.2.216 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. Azure Defender for Kubernetes should be enabled 1.0.3
System and Information Integrity SI.2.216 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. Azure Defender for servers should be enabled 1.0.3
System and Information Integrity SI.2.216 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. Azure Defender for SQL servers on machines should be enabled 1.0.2
System and Information Integrity SI.2.216 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. Azure Defender for Storage should be enabled 1.0.3
System and Information Integrity SI.2.216 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. Azure Monitor should collect activity logs from all regions 2.0.0
System and Information Integrity SI.2.216 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. Azure subscriptions should have a log profile for Activity Log 1.0.0
System and Information Integrity SI.2.216 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. Email notification to subscription owner for high severity alerts should be enabled 2.0.0
System and Information Integrity SI.2.216 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. Subscriptions should have a contact email address for security issues 1.0.1
System and Information Integrity SI.2.217 Identify unauthorized use of organizational systems. Activity log should be retained for at least one year 1.0.0
System and Information Integrity SI.2.217 Identify unauthorized use of organizational systems. An activity log alert should exist for specific Administrative operations 1.0.0
System and Information Integrity SI.2.217 Identify unauthorized use of organizational systems. An activity log alert should exist for specific Administrative operations 1.0.0
System and Information Integrity SI.2.217 Identify unauthorized use of organizational systems. An activity log alert should exist for specific Administrative operations 1.0.0
System and Information Integrity SI.2.217 Identify unauthorized use of organizational systems. An activity log alert should exist for specific Administrative operations 1.0.0
System and Information Integrity SI.2.217 Identify unauthorized use of organizational systems. An activity log alert should exist for specific Administrative operations 1.0.0
System and Information Integrity SI.2.217 Identify unauthorized use of organizational systems. An activity log alert should exist for specific Policy operations 3.0.0
System and Information Integrity SI.2.217 Identify unauthorized use of organizational systems. An activity log alert should exist for specific Security operations 1.0.0
System and Information Integrity SI.2.217 Identify unauthorized use of organizational systems. Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' 1.0.0
System and Information Integrity SI.2.217 Identify unauthorized use of organizational systems. Azure Monitor should collect activity logs from all regions 2.0.0
System and Information Integrity SI.2.217 Identify unauthorized use of organizational systems. Azure subscriptions should have a log profile for Activity Log 1.0.0
System and Information Integrity SI.2.217 Identify unauthorized use of organizational systems. Email notification to subscription owner for high severity alerts should be enabled 2.0.0

FedRAMP High

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - FedRAMP High. For more information about this compliance standard, see FedRAMP High.

Domain   Control ID   Control title   Policy (Azure portal)   Policy version (GitHub)
Access Control AC-2 Account Management A maximum of 3 owners should be designated for your subscription 3.0.0
Access Control AC-2 Account Management Deprecated accounts should be removed from your subscription 3.0.0
Access Control AC-2 Account Management Deprecated accounts with owner permissions should be removed from your subscription 3.0.0
Access Control AC-2 Account Management External accounts with owner permissions should be removed from your subscription 3.0.0
Access Control AC-2 Account Management External accounts with read permissions should be removed from your subscription 3.0.0
Access Control AC-2 Account Management External accounts with write permissions should be removed from your subscription 3.0.0
Access Control AC-2 (7) Role-based Schemes Service principals should be used to protect your subscriptions instead of management certificates 1.0.0
Access Control AC-2 (12) Account Monitoring / Atypical Usage Azure Defender for App Service should be enabled 1.0.3
Access Control AC-2 (12) Account Monitoring / Atypical Usage Azure Defender for Azure SQL Database servers should be enabled 1.0.2
Access Control AC-2 (12) Account Monitoring / Atypical Usage Azure Defender for container registries should be enabled 1.0.3
Access Control AC-2 (12) Account Monitoring / Atypical Usage Azure Defender for DNS should be enabled 1.0.0-preview
Access Control AC-2 (12) Account Monitoring / Atypical Usage Azure Defender for Key Vault should be enabled 1.0.3
Access Control AC-2 (12) Account Monitoring / Atypical Usage Azure Defender for Kubernetes should be enabled 1.0.3
Access Control AC-2 (12) Account Monitoring / Atypical Usage Azure Defender for Resource Manager should be enabled 1.0.0
Access Control AC-2 (12) Account Monitoring / Atypical Usage Azure Defender for servers should be enabled 1.0.3
Access Control AC-2 (12) Account Monitoring / Atypical Usage Azure Defender for SQL servers on machines should be enabled 1.0.2
Access Control AC-2 (12) Account Monitoring / Atypical Usage Azure Defender for Storage should be enabled 1.0.3
Access Control AC-3 Access Enforcement MFA should be enabled accounts with write permissions on your subscription 3.0.0
Access Control AC-3 Access Enforcement MFA should be enabled on accounts with owner permissions on your subscription 3.0.0
Access Control AC-3 Access Enforcement MFA should be enabled on accounts with read permissions on your subscription 3.0.0
Access Control AC-5 Separation of Duties There should be more than one owner assigned to your subscription 3.0.0
Access Control AC-6 Least Privilege A maximum of 3 owners should be designated for your subscription 3.0.0
Access Control AC-6 (7) Review of User Privileges A maximum of 3 owners should be designated for your subscription 3.0.0
Audit and Accountability AU-6 Audit Review, Analysis, and Reporting Azure Defender for App Service should be enabled 1.0.3
Audit and Accountability AU-6 Audit Review, Analysis, and Reporting Azure Defender for Azure SQL Database servers should be enabled 1.0.2
Audit and Accountability AU-6 Audit Review, Analysis, and Reporting Azure Defender for container registries should be enabled 1.0.3
Audit and Accountability AU-6 Audit Review, Analysis, and Reporting Azure Defender for DNS should be enabled 1.0.0-preview
Audit and Accountability AU-6 Audit Review, Analysis, and Reporting Azure Defender for Key Vault should be enabled 1.0.3
Audit and Accountability AU-6 Audit Review, Analysis, and Reporting Azure Defender for Kubernetes should be enabled 1.0.3
Audit and Accountability AU-6 Audit Review, Analysis, and Reporting Azure Defender for Resource Manager should be enabled 1.0.0
Audit and Accountability AU-6 Audit Review, Analysis, and Reporting Azure Defender for servers should be enabled 1.0.3
Audit and Accountability AU-6 Audit Review, Analysis, and Reporting Azure Defender for SQL servers on machines should be enabled 1.0.2
Audit and Accountability AU-6 Audit Review, Analysis, and Reporting Azure Defender for Storage should be enabled 1.0.3
Audit and Accountability AU-6 (4) Central Review and Analysis Auto provisioning of the Log Analytics agent should be enabled on your subscription 1.0.1
Audit and Accountability AU-6 (4) Central Review and Analysis Azure Defender for App Service should be enabled 1.0.3
Audit and Accountability AU-6 (4) Central Review and Analysis Azure Defender for Azure SQL Database servers should be enabled 1.0.2
Audit and Accountability AU-6 (4) Central Review and Analysis Azure Defender for container registries should be enabled 1.0.3
Audit and Accountability AU-6 (4) Central Review and Analysis Azure Defender for DNS should be enabled 1.0.0-preview
Audit and Accountability AU-6 (4) Central Review and Analysis Azure Defender for Key Vault should be enabled 1.0.3
Audit and Accountability AU-6 (4) Central Review and Analysis Azure Defender for Kubernetes should be enabled 1.0.3
Audit and Accountability AU-6 (4) Central Review and Analysis Azure Defender for Resource Manager should be enabled 1.0.0
Audit and Accountability AU-6 (4) Central Review and Analysis Azure Defender for servers should be enabled 1.0.3
Audit and Accountability AU-6 (4) Central Review and Analysis Azure Defender for SQL servers on machines should be enabled 1.0.2
Audit and Accountability AU-6 (4) Central Review and Analysis Azure Defender for Storage should be enabled 1.0.3
Audit and Accountability AU-6 (5) Integration / Scanning and Monitoring Capabilities Auto provisioning of the Log Analytics agent should be enabled on your subscription 1.0.1
Audit and Accountability AU-6 (5) Integration / Scanning and Monitoring Capabilities Azure Defender for App Service should be enabled 1.0.3
Audit and Accountability AU-6 (5) Integration / Scanning and Monitoring Capabilities Azure Defender for Azure SQL Database servers should be enabled 1.0.2
Audit and Accountability AU-6 (5) Integration / Scanning and Monitoring Capabilities Azure Defender for container registries should be enabled 1.0.3
Audit and Accountability AU-6 (5) Integration / Scanning and Monitoring Capabilities Azure Defender for DNS should be enabled 1.0.0-preview
Audit and Accountability AU-6 (5) Integration / Scanning and Monitoring Capabilities Azure Defender for Key Vault should be enabled 1.0.3
Audit and Accountability AU-6 (5) Integration / Scanning and Monitoring Capabilities Azure Defender for Kubernetes should be enabled 1.0.3
Audit and Accountability AU-6 (5) Integration / Scanning and Monitoring Capabilities Azure Defender for Resource Manager should be enabled 1.0.0
Audit and Accountability AU-6 (5) Integration / Scanning and Monitoring Capabilities Azure Defender for servers should be enabled 1.0.3
Audit and Accountability AU-6 (5) Integration / Scanning and Monitoring Capabilities Azure Defender for SQL servers on machines should be enabled 1.0.2
Audit and Accountability AU-6 (5) Integration / Scanning and Monitoring Capabilities Azure Defender for Storage should be enabled 1.0.3
Audit and Accountability AU-12 Audit Generation Auto provisioning of the Log Analytics agent should be enabled on your subscription 1.0.1
Audit and Accountability AU-12 Audit Generation Azure Defender for App Service should be enabled 1.0.3
Audit and Accountability AU-12 Audit Generation Azure Defender for Azure SQL Database servers should be enabled 1.0.2
Audit and Accountability AU-12 Audit Generation Azure Defender for container registries should be enabled 1.0.3
Audit and Accountability AU-12 Audit Generation Azure Defender for DNS should be enabled 1.0.0-preview
Audit and Accountability AU-12 Audit Generation Azure Defender for Key Vault should be enabled 1.0.3
Audit and Accountability AU-12 Audit Generation Azure Defender for Kubernetes should be enabled 1.0.3
Audit and Accountability AU-12 Audit Generation Azure Defender for Resource Manager should be enabled 1.0.0
Audit and Accountability AU-12 Audit Generation Azure Defender for servers should be enabled 1.0.3
Audit and Accountability AU-12 Audit Generation Azure Defender for SQL servers on machines should be enabled 1.0.2
Audit and Accountability AU-12 Audit Generation Azure Defender for Storage should be enabled 1.0.3
Audit and Accountability AU-12 (1) System-wide / Time-correlated Audit Trail Auto provisioning of the Log Analytics agent should be enabled on your subscription 1.0.1
Audit and Accountability AU-12 (1) System-wide / Time-correlated Audit Trail Azure Defender for App Service should be enabled 1.0.3
Audit and Accountability AU-12 (1) System-wide / Time-correlated Audit Trail Azure Defender for Azure SQL Database servers should be enabled 1.0.2
Audit and Accountability AU-12 (1) System-wide / Time-correlated Audit Trail Azure Defender for container registries should be enabled 1.0.3
Audit and Accountability AU-12 (1) System-wide / Time-correlated Audit Trail Azure Defender for DNS should be enabled 1.0.0-preview
Audit and Accountability AU-12 (1) System-wide / Time-correlated Audit Trail Azure Defender for Key Vault should be enabled 1.0.3
Audit and Accountability AU-12 (1) System-wide / Time-correlated Audit Trail Azure Defender for Kubernetes should be enabled 1.0.3
Audit and Accountability AU-12 (1) System-wide / Time-correlated Audit Trail Azure Defender for Resource Manager should be enabled 1.0.0
Audit and Accountability AU-12 (1) System-wide / Time-correlated Audit Trail Azure Defender for servers should be enabled 1.0.3
Audit and Accountability AU-12 (1) System-wide / Time-correlated Audit Trail Azure Defender for SQL servers on machines should be enabled 1.0.2
Audit and Accountability AU-12 (1) System-wide / Time-correlated Audit Trail Azure Defender for Storage should be enabled 1.0.3
Configuration Management CM-7 Least Functionality Azure Defender for servers should be enabled 1.0.3
Contingency Planning CP-7 Alternate Processing Site Audit virtual machines without disaster recovery configured 1.0.0
Identification and Authentication IA-2 Identification and Authentication (organizational Users) MFA should be enabled accounts with write permissions on your subscription 3.0.0
Identification and Authentication IA-2 Identification and Authentication (organizational Users) MFA should be enabled on accounts with owner permissions on your subscription 3.0.0
Identification and Authentication IA-2 Identification and Authentication (organizational Users) MFA should be enabled on accounts with read permissions on your subscription 3.0.0
Identification and Authentication IA-2 Identification and Authentication (organizational Users) Service principals should be used to protect your subscriptions instead of management certificates 1.0.0
Identification and Authentication IA-2 (1) Network Access to Privileged Accounts MFA should be enabled accounts with write permissions on your subscription 3.0.0
Identification and Authentication IA-2 (1) Network Access to Privileged Accounts MFA should be enabled on accounts with owner permissions on your subscription 3.0.0
Identification and Authentication IA-2 (2) Network Access to Non-privileged Accounts MFA should be enabled on accounts with read permissions on your subscription 3.0.0
Identification and Authentication IA-4 Identifier Management Service principals should be used to protect your subscriptions instead of management certificates 1.0.0
Incident Response IR-4 Incident Handling Azure Defender for App Service should be enabled 1.0.3
Incident Response IR-4 Incident Handling Azure Defender for Azure SQL Database servers should be enabled 1.0.2
Incident Response IR-4 Incident Handling Azure Defender for container registries should be enabled 1.0.3
Incident Response IR-4 Incident Handling Azure Defender for DNS should be enabled 1.0.0-preview
Incident Response IR-4 Incident Handling Azure Defender for Key Vault should be enabled 1.0.3
Incident Response IR-4 Incident Handling Azure Defender for Kubernetes should be enabled 1.0.3
Incident Response IR-4 Incident Handling Azure Defender for Resource Manager should be enabled 1.0.0
Incident Response IR-4 Incident Handling Azure Defender for servers should be enabled 1.0.3
Incident Response IR-4 Incident Handling Azure Defender for SQL servers on machines should be enabled 1.0.2
Incident Response IR-4 Incident Handling Azure Defender for Storage should be enabled 1.0.3
Incident Response IR-4 Incident Handling Email notification for high severity alerts should be enabled 1.0.1
Incident Response IR-4 Incident Handling Email notification to subscription owner for high severity alerts should be enabled 2.0.0
Incident Response IR-4 Incident Handling Subscriptions should have a contact email address for security issues 1.0.1
Incident Response IR-5 Incident Monitoring Azure Defender for App Service should be enabled 1.0.3
Incident Response IR-5 Incident Monitoring Azure Defender for Azure SQL Database servers should be enabled 1.0.2
Incident Response IR-5 Incident Monitoring Azure Defender for container registries should be enabled 1.0.3
Incident Response IR-5 Incident Monitoring Azure Defender for DNS should be enabled 1.0.0-preview
Incident Response IR-5 Incident Monitoring Azure Defender for Key Vault should be enabled 1.0.3
Incident Response IR-5 Incident Monitoring Azure Defender for Kubernetes should be enabled 1.0.3
Incident Response IR-5 Incident Monitoring Azure Defender for Resource Manager should be enabled 1.0.0
Incident Response IR-5 Incident Monitoring Azure Defender for servers should be enabled 1.0.3
Incident Response IR-5 Incident Monitoring Azure Defender for SQL servers on machines should be enabled 1.0.2
Incident Response IR-5 Incident Monitoring Azure Defender for Storage should be enabled 1.0.3
Incident Response IR-5 Incident Monitoring Email notification for high severity alerts should be enabled 1.0.1
Incident Response IR-5 Incident Monitoring Email notification to subscription owner for high severity alerts should be enabled 2.0.0
Incident Response IR-5 Incident Monitoring Subscriptions should have a contact email address for security issues 1.0.1
Risk Assessment RA-5 Vulnerability Scanning Azure Defender for App Service should be enabled 1.0.3
Risk Assessment RA-5 Vulnerability Scanning Azure Defender for Azure SQL Database servers should be enabled 1.0.2
Risk Assessment RA-5 Vulnerability Scanning Azure Defender for container registries should be enabled 1.0.3
Risk Assessment RA-5 Vulnerability Scanning Azure Defender for DNS should be enabled 1.0.0-preview
Risk Assessment RA-5 Vulnerability Scanning Azure Defender for Key Vault should be enabled 1.0.3
Risk Assessment RA-5 Vulnerability Scanning Azure Defender for Kubernetes should be enabled 1.0.3
Risk Assessment RA-5 Vulnerability Scanning Azure Defender for Resource Manager should be enabled 1.0.0
Risk Assessment RA-5 Vulnerability Scanning Azure Defender for servers should be enabled 1.0.3
Risk Assessment RA-5 Vulnerability Scanning Azure Defender for SQL servers on machines should be enabled 1.0.2
Risk Assessment RA-5 Vulnerability Scanning Azure Defender for Storage should be enabled 1.0.3
System and Communications Protection SC-3 Security Function Isolation Azure Defender for servers should be enabled 1.0.3
System and Information Integrity SI-2 Flaw Remediation Azure Defender for App Service should be enabled 1.0.3
System and Information Integrity SI-2 Flaw Remediation Azure Defender for Azure SQL Database servers should be enabled 1.0.2
System and Information Integrity SI-2 Flaw Remediation Azure Defender for container registries should be enabled 1.0.3
System and Information Integrity SI-2 Flaw Remediation Azure Defender for DNS should be enabled 1.0.0-preview
System and Information Integrity SI-2 Flaw Remediation Azure Defender for Key Vault should be enabled 1.0.3
System and Information Integrity SI-2 Flaw Remediation Azure Defender for Kubernetes should be enabled 1.0.3
System and Information Integrity SI-2 Flaw Remediation Azure Defender for Resource Manager should be enabled 1.0.0
System and Information Integrity SI-2 Flaw Remediation Azure Defender for servers should be enabled 1.0.3
System and Information Integrity SI-2 Flaw Remediation Azure Defender for SQL servers on machines should be enabled 1.0.2
System and Information Integrity SI-2 Flaw Remediation Azure Defender for Storage should be enabled 1.0.3
System and Information Integrity SI-3 Malicious Code Protection Azure Defender for servers should be enabled 1.0.3
System and Information Integrity SI-3 (1) Central Management Azure Defender for servers should be enabled 1.0.3
System and Information Integrity SI-4 Information System Monitoring Auto provisioning of the Log Analytics agent should be enabled on your subscription 1.0.1
System and Information Integrity SI-4 Information System Monitoring Azure Defender for App Service should be enabled 1.0.3
System and Information Integrity SI-4 Information System Monitoring Azure Defender for Azure SQL Database servers should be enabled 1.0.2
System and Information Integrity SI-4 Information System Monitoring Azure Defender for container registries should be enabled 1.0.3
System and Information Integrity SI-4 Information System Monitoring Azure Defender for DNS should be enabled 1.0.0-preview
System and Information Integrity SI-4 Information System Monitoring Azure Defender for Key Vault should be enabled 1.0.3
System and Information Integrity SI-4 Information System Monitoring Azure Defender for Kubernetes should be enabled 1.0.3
System and Information Integrity SI-4 Information System Monitoring Azure Defender for Resource Manager should be enabled 1.0.0
System and Information Integrity SI-4 Information System Monitoring Azure Defender for servers should be enabled 1.0.3
System and Information Integrity SI-4 Information System Monitoring Azure Defender for SQL servers on machines should be enabled 1.0.2
System and Information Integrity SI-4 Information System Monitoring Azure Defender for Storage should be enabled 1.0.3
System and Information Integrity SI-16 Memory Protection Azure Defender for servers should be enabled 1.0.3

FedRAMP Moderate

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - FedRAMP Moderate. For more information about this compliance standard, see FedRAMP Moderate.

Domain   Control ID   Control title   Policy (Azure portal)   Policy version (GitHub)
Access Control AC-2 Account Management A maximum of 3 owners should be designated for your subscription 3.0.0
Access Control AC-2 Account Management Deprecated accounts should be removed from your subscription 3.0.0
Access Control AC-2 Account Management Deprecated accounts with owner permissions should be removed from your subscription 3.0.0
Access Control AC-2 Account Management External accounts with owner permissions should be removed from your subscription 3.0.0
Access Control AC-2 Account Management External accounts with read permissions should be removed from your subscription 3.0.0
Access Control AC-2 Account Management External accounts with write permissions should be removed from your subscription 3.0.0
Access Control AC-2 (7) Role-based Schemes Service principals should be used to protect your subscriptions instead of management certificates 1.0.0
Access Control AC-2 (12) Account Monitoring / Atypical Usage Azure Defender for App Service should be enabled 1.0.3
Access Control AC-2 (12) Account Monitoring / Atypical Usage Azure Defender for Azure SQL Database servers should be enabled 1.0.2
Access Control AC-2 (12) Account Monitoring / Atypical Usage Azure Defender for container registries should be enabled 1.0.3
Access Control AC-2 (12) Account Monitoring / Atypical Usage Azure Defender for DNS should be enabled 1.0.0-preview
Access Control AC-2 (12) Account Monitoring / Atypical Usage Azure Defender for Key Vault should be enabled 1.0.3
Access Control AC-2 (12) Account Monitoring / Atypical Usage Azure Defender for Kubernetes should be enabled 1.0.3
Access Control AC-2 (12) Account Monitoring / Atypical Usage Azure Defender for Resource Manager should be enabled 1.0.0
Access Control AC-2 (12) Account Monitoring / Atypical Usage Azure Defender for servers should be enabled 1.0.3
Access Control AC-2 (12) Account Monitoring / Atypical Usage Azure Defender for SQL servers on machines should be enabled 1.0.2
Access Control AC-2 (12) Account Monitoring / Atypical Usage Azure Defender for Storage should be enabled 1.0.3
Access Control AC-3 Access Enforcement MFA should be enabled accounts with write permissions on your subscription 3.0.0
Access Control AC-3 Access Enforcement MFA should be enabled on accounts with owner permissions on your subscription 3.0.0
Access Control AC-3 Access Enforcement MFA should be enabled on accounts with read permissions on your subscription 3.0.0
Access Control AC-5 Separation of Duties There should be more than one owner assigned to your subscription 3.0.0
Access Control AC-6 Least Privilege A maximum of 3 owners should be designated for your subscription 3.0.0
Audit and Accountability AU-6 Audit Review, Analysis, and Reporting Azure Defender for App Service should be enabled 1.0.3
Audit and Accountability AU-6 Audit Review, Analysis, and Reporting Azure Defender for Azure SQL Database servers should be enabled 1.0.2
Audit and Accountability AU-6 Audit Review, Analysis, and Reporting Azure Defender for container registries should be enabled 1.0.3
Audit and Accountability AU-6 Audit Review, Analysis, and Reporting Azure Defender for DNS should be enabled 1.0.0-preview
Audit and Accountability AU-6 Audit Review, Analysis, and Reporting Azure Defender for Key Vault should be enabled 1.0.3
Audit and Accountability AU-6 Audit Review, Analysis, and Reporting Azure Defender for Kubernetes should be enabled 1.0.3
Audit and Accountability AU-6 Audit Review, Analysis, and Reporting Azure Defender for Resource Manager should be enabled 1.0.0
Audit and Accountability AU-6 Audit Review, Analysis, and Reporting Azure Defender for servers should be enabled 1.0.3
Audit and Accountability AU-6 Audit Review, Analysis, and Reporting Azure Defender for SQL servers on machines should be enabled 1.0.2
Audit and Accountability AU-6 Audit Review, Analysis, and Reporting Azure Defender for Storage should be enabled 1.0.3
Audit and Accountability AU-12 Audit Generation Auto provisioning of the Log Analytics agent should be enabled on your subscription 1.0.1
Audit and Accountability AU-12 Audit Generation Azure Defender for App Service should be enabled 1.0.3
Audit and Accountability AU-12 Audit Generation Azure Defender for Azure SQL Database servers should be enabled 1.0.2
Audit and Accountability AU-12 Audit Generation Azure Defender for container registries should be enabled 1.0.3
Audit and Accountability AU-12 Audit Generation Azure Defender for DNS should be enabled 1.0.0-preview
Audit and Accountability AU-12 Audit Generation Azure Defender for Key Vault should be enabled 1.0.3
Audit and Accountability AU-12 Audit Generation Azure Defender for Kubernetes should be enabled 1.0.3
Audit and Accountability AU-12 Audit Generation Azure Defender for Resource Manager should be enabled 1.0.0
Audit and Accountability AU-12 Audit Generation Azure Defender for servers should be enabled 1.0.3
Audit and Accountability AU-12 Audit Generation Azure Defender for SQL servers on machines should be enabled 1.0.2
Audit and Accountability AU-12 Audit Generation Azure Defender for Storage should be enabled 1.0.3
Configuration Management CM-7 Least Functionality Azure Defender for servers should be enabled 1.0.3
Contingency Planning CP-7 Alternate Processing Site Audit virtual machines without disaster recovery configured 1.0.0
Identification and Authentication IA-2 Identification and Authentication (organizational Users) MFA should be enabled accounts with write permissions on your subscription 3.0.0
Identification and Authentication IA-2 Identification and Authentication (organizational Users) MFA should be enabled on accounts with owner permissions on your subscription 3.0.0
Identification and Authentication IA-2 Identification and Authentication (organizational Users) MFA should be enabled on accounts with read permissions on your subscription 3.0.0
Identification and Authentication IA-2 Identification and Authentication (organizational Users) Service principals should be used to protect your subscriptions instead of management certificates 1.0.0
Identification and Authentication IA-2 (1) Network Access to Privileged Accounts MFA should be enabled accounts with write permissions on your subscription 3.0.0
Identification and Authentication IA-2 (1) Network Access to Privileged Accounts MFA should be enabled on accounts with owner permissions on your subscription 3.0.0
Identification and Authentication IA-2 (2) Network Access to Non-privileged Accounts MFA should be enabled on accounts with read permissions on your subscription 3.0.0
Identification and Authentication IA-4 Identifier Management Service principals should be used to protect your subscriptions instead of management certificates 1.0.0
Incident Response IR-4 Incident Handling Azure Defender for App Service should be enabled 1.0.3
Incident Response IR-4 Incident Handling Azure Defender for Azure SQL Database servers should be enabled 1.0.2
Incident Response IR-4 Incident Handling Azure Defender for container registries should be enabled 1.0.3
Incident Response IR-4 Incident Handling Azure Defender for DNS should be enabled 1.0.0-preview
Incident Response IR-4 Incident Handling Azure Defender for Key Vault should be enabled 1.0.3
Incident Response IR-4 Incident Handling Azure Defender for Kubernetes should be enabled 1.0.3
Incident Response IR-4 Incident Handling Azure Defender for Resource Manager should be enabled 1.0.0
Incident Response IR-4 Incident Handling Azure Defender for servers should be enabled 1.0.3
Incident Response IR-4 Incident Handling Azure Defender for SQL servers on machines should be enabled 1.0.2
Incident Response IR-4 Incident Handling Azure Defender for Storage should be enabled 1.0.3
Incident Response IR-4 Incident Handling Email notification for high severity alerts should be enabled 1.0.1
Incident Response IR-4 Incident Handling Email notification to subscription owner for high severity alerts should be enabled 2.0.0
Incident Response IR-4 Incident Handling Subscriptions should have a contact email address for security issues 1.0.1
Incident Response IR-5 Incident Monitoring Azure Defender for App Service should be enabled 1.0.3
Incident Response IR-5 Incident Monitoring Azure Defender for Azure SQL Database servers should be enabled 1.0.2
Incident Response IR-5 Incident Monitoring Azure Defender for container registries should be enabled 1.0.3
Incident Response IR-5 Incident Monitoring Azure Defender for DNS should be enabled 1.0.0-preview
Incident Response IR-5 Incident Monitoring Azure Defender for Key Vault should be enabled 1.0.3
Incident Response IR-5 Incident Monitoring Azure Defender for Kubernetes should be enabled 1.0.3
Incident Response IR-5 Incident Monitoring Azure Defender for Resource Manager should be enabled 1.0.0
Incident Response IR-5 Incident Monitoring Azure Defender for servers should be enabled 1.0.3
Incident Response IR-5 Incident Monitoring Azure Defender for SQL servers on machines should be enabled 1.0.2
Incident Response IR-5 Incident Monitoring Azure Defender for Storage should be enabled 1.0.3
Incident Response IR-5 Incident Monitoring Email notification for high severity alerts should be enabled 1.0.1
Incident Response IR-5 Incident Monitoring Email notification to subscription owner for high severity alerts should be enabled 2.0.0
Incident Response IR-5 Incident Monitoring Subscriptions should have a contact email address for security issues 1.0.1
Risk Assessment RA-5 Vulnerability Scanning Azure Defender for App Service should be enabled 1.0.3
Risk Assessment RA-5 Vulnerability Scanning Azure Defender for Azure SQL Database servers should be enabled 1.0.2
Risk Assessment RA-5 Vulnerability Scanning Azure Defender for container registries should be enabled 1.0.3
Risk Assessment RA-5 Vulnerability Scanning Azure Defender for DNS should be enabled 1.0.0-preview
Risk Assessment RA-5 Vulnerability Scanning Azure Defender for Key Vault should be enabled 1.0.3
Risk Assessment RA-5 Vulnerability Scanning Azure Defender for Kubernetes should be enabled 1.0.3
Risk Assessment RA-5 Vulnerability Scanning Azure Defender for Resource Manager should be enabled 1.0.0
Risk Assessment RA-5 Vulnerability Scanning Azure Defender for servers should be enabled 1.0.3
Risk Assessment RA-5 Vulnerability Scanning Azure Defender for SQL servers on machines should be enabled 1.0.2
Risk Assessment RA-5 Vulnerability Scanning Azure Defender for Storage should be enabled 1.0.3
System and Information Integrity SI-2 Flaw Remediation Azure Defender for App Service should be enabled 1.0.3
System and Information Integrity SI-2 Flaw Remediation Azure Defender for Azure SQL Database servers should be enabled 1.0.2
System and Information Integrity SI-2 Flaw Remediation Azure Defender for container registries should be enabled 1.0.3
System and Information Integrity SI-2 Flaw Remediation Azure Defender for DNS should be enabled 1.0.0-preview
System and Information Integrity SI-2 Flaw Remediation Azure Defender for Key Vault should be enabled 1.0.3
System and Information Integrity SI-2 Flaw Remediation Azure Defender for Kubernetes should be enabled 1.0.3
System and Information Integrity SI-2 Flaw Remediation Azure Defender for Resource Manager should be enabled 1.0.0
System and Information Integrity SI-2 Flaw Remediation Azure Defender for servers should be enabled 1.0.3
System and Information Integrity SI-2 Flaw Remediation Azure Defender for SQL servers on machines should be enabled 1.0.2
System and Information Integrity SI-2 Flaw Remediation Azure Defender for Storage should be enabled 1.0.3
System and Information Integrity SI-3 Malicious Code Protection Azure Defender for servers should be enabled 1.0.3
System and Information Integrity SI-3 (1) Central Management Azure Defender for servers should be enabled 1.0.3
System and Information Integrity SI-4 Information System Monitoring Auto provisioning of the Log Analytics agent should be enabled on your subscription 1.0.1
System and Information Integrity SI-4 Information System Monitoring Azure Defender for App Service should be enabled 1.0.3
System and Information Integrity SI-4 Information System Monitoring Azure Defender for Azure SQL Database servers should be enabled 1.0.2
System and Information Integrity SI-4 Information System Monitoring Azure Defender for container registries should be enabled 1.0.3
System and Information Integrity SI-4 Information System Monitoring Azure Defender for DNS should be enabled 1.0.0-preview
System and Information Integrity SI-4 Information System Monitoring Azure Defender for Key Vault should be enabled 1.0.3
System and Information Integrity SI-4 Information System Monitoring Azure Defender for Kubernetes should be enabled 1.0.3
System and Information Integrity SI-4 Information System Monitoring Azure Defender for Resource Manager should be enabled 1.0.0
System and Information Integrity SI-4 Information System Monitoring Azure Defender for servers should be enabled 1.0.3
System and Information Integrity SI-4 Information System Monitoring Azure Defender for SQL servers on machines should be enabled 1.0.2
System and Information Integrity SI-4 Information System Monitoring Azure Defender for Storage should be enabled 1.0.3
System and Information Integrity SI-16 Memory Protection Azure Defender for servers should be enabled 1.0.3

HIPAA HITRUST 9.2

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - HIPAA HITRUST 9.2. For more information about this compliance standard, see HIPAA HITRUST 9.2.

Domain Control ID Control title Policy (Azure portal) Policy version (GitHub)
Privilege Management 1144.01c1System.4 - 01.c The organization explicitly authorizes access to specific security relevant functions (deployed in hardware, software, and firmware) and security-relevant information. A maximum of 3 owners should be designated for your subscription 3.0.0
Privilege Management 1145.01c2System.1 - 01.c Role-based access control is implemented and capable of mapping each user to one or more roles, and each role to one or more system functions. There should be more than one owner assigned to your subscription 3.0.0
Privilege Management 1146.01c2System.23 - 01.c The organization promotes the development and use of programs that avoid the need to run with elevated privileges and system routines to avoid the need to grant privileges to users. External accounts with owner permissions should be removed from your subscription 3.0.0
Privilege Management 1147.01c2System.456 - 01.c Elevated privileges are assigned to a different user ID from those used for normal business use, all users access privileged services in a single role, and such privileged access is minimized. Deprecated accounts with owner permissions should be removed from your subscription 3.0.0
Privilege Management 1151.01c3System.1 - 01.c The organization limits authorization to privileged accounts on information systems to a pre-defined subset of users. A maximum of 3 owners should be designated for your subscription 3.0.0
Privilege Management 1152.01c3System.2 - 01.c The organization audits the execution of privileged functions on information systems and ensures information systems prevent non-privileged users from executing privileged functions. There should be more than one owner assigned to your subscription 3.0.0
Privilege Management 1154.01c3System.4 - 01.c Contractors are provided with minimal system and physical access only after the organization assesses the contractor's ability to comply with its security requirements and the contractor agrees to comply. A maximum of 3 owners should be designated for your subscription 3.0.0
User Authentication for External Connections 1116.01j1Organizational.145 - 01.j Strong authentication methods such as multi-factor, Radius or Kerberos (for privileged access) and CHAP (for encryption of credentials for dialup methods) are implemented for all external connections to the organizations network. MFA should be enabled on accounts with owner permissions on your subscription 3.0.0
User Authentication for External Connections 1117.01j1Organizational.23 - 01.j Remote access by vendors and business partners (e.g., for remote maintenance) is disabled/deactivated when not in use. MFA should be enabled accounts with write permissions on your subscription 3.0.0
User Authentication for External Connections 1118.01j2Organizational.124 - 01.j Organizations implement encryption (e.g., VPN solutions or private lines) and logs remote access to the organization's network by employees, contractors or third party (e.g., vendors). MFA should be enabled on accounts with read permissions on your subscription 3.0.0
User Authentication for External Connections 1121.01j3Organizational.2 - 01.j Remote administration sessions are authorized, encrypted, and employ increased security measures. MFA should be enabled on accounts with owner permissions on your subscription 3.0.0
User Authentication for External Connections 1173.01j1Organizational.6 - 01.j If encryption is not used for dial-up connections, the CIO or his/her designated representative provides specific written authorization. MFA should be enabled accounts with write permissions on your subscription 3.0.0
User Authentication for External Connections 1174.01j1Organizational.7 - 01.j The organization protects wireless access to systems containing sensitive information by authenticating both users and devices. MFA should be enabled on accounts with read permissions on your subscription 3.0.0
User Authentication for External Connections 1176.01j2Organizational.5 - 01.j The organization requires a callback capability with re-authentication to verify dial-up connections from authorized locations. MFA should be enabled on accounts with owner permissions on your subscription 3.0.0
User Authentication for External Connections 1177.01j2Organizational.6 - 01.j User IDs assigned to vendors are reviewed in accordance with the organization's access review policy, at a minimum annually. MFA should be enabled accounts with write permissions on your subscription 3.0.0
User Authentication for External Connections 1178.01j2Organizational.7 - 01.j Node authentication, including cryptographic techniques (e.g., machine certificates), serves as an alternative means of authenticating groups of remote users where they are connected to a secure, shared computer facility. MFA should be enabled on accounts with read permissions on your subscription 3.0.0
User Identification and Authentication 11109.01q1Organizational.57 - 01.q The organization ensures that redundant user IDs are not issued to other users and that all users are uniquely identified and authenticated for both local and remote access to information systems. MFA should be enabled on accounts with owner permissions on your subscription 3.0.0
User Identification and Authentication 11110.01q1Organizational.6 - 01.q Non-organizational users (all information system users other than organizational users, such as patients, customers, contractors, or foreign nationals), or processes acting on behalf of non-organizational users, determined to need access to information residing on the organization's information systems, are uniquely identified and authenticated. MFA should be enabled accounts with write permissions on your subscription 3.0.0
User Identification and Authentication 11111.01q2System.4 - 01.q When PKI-based authentication is used, the information system validates certificates by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information; enforces access to the corresponding private key; maps the identity to the corresponding account of the individual or group; and implements a local cache of revocation data to support path discovery and validation in case of an inability to access revocation information via the network. MFA should be enabled on accounts with read permissions on your subscription 3.0.0
User Identification and Authentication 11112.01q2Organizational.67 - 01.q The information system employs replay-resistant authentication mechanisms such as nonce, one-time passwords, or time stamps to secure network access for privileged accounts; and, for hardware token-based authentication, employs mechanisms that satisfy minimum token requirements discussed in NIST SP 800-63-2, Electronic Authentication Guideline. A maximum of 3 owners should be designated for your subscription 3.0.0
User Identification and Authentication 11208.01q1Organizational.8 - 01.q The organization requires that electronic signatures, unique to one individual, cannot be reused by, or reassigned to, anyone else. There should be more than one owner assigned to your subscription 3.0.0
Monitoring System Use 1120.09ab3System.9 - 09.ab Unauthorized remote connections to the information systems are monitored and reviewed at least quarterly, and appropriate action is taken if an unauthorized connection is discovered. Azure Monitor should collect activity logs from all regions 2.0.0
Monitoring System Use 1212.09ab1System.1 - 09.ab All applicable legal requirements related to monitoring authorized access and unauthorized access attempts are met. Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' 1.0.0
Monitoring System Use 1213.09ab2System.128 - 09.ab Automated systems deployed throughout the organization's environment are used to monitor key events and anomalous activity, and analyze system logs, the results of which are reviewed regularly. Auto provisioning of the Log Analytics agent should be enabled on your subscription 1.0.1
Monitoring System Use 1214.09ab2System.3456 - 09.ab Monitoring includes privileged operations, authorized access or unauthorized access attempts, including attempts to access deactivated accounts, and system alerts or failures. Azure Monitor should collect activity logs from all regions 2.0.0
Monitoring System Use 1219.09ab3System.10 - 09.ab The information system is able to automatically process audit records for events of interest based on selectable criteria. Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' 1.0.0
Monitoring System Use 1220.09ab3System.56 - 09.ab Monitoring includes inbound and outbound communications and file integrity monitoring. Auto provisioning of the Log Analytics agent should be enabled on your subscription 1.0.1
Administrator and Operator Logs 1270.09ad1System.12 - 09.ad The organization ensures proper logging is enabled in order to audit administrator activities; and reviews system administrator and operator logs on a regular basis. An activity log alert should exist for specific Administrative operations 1.0.0
Administrator and Operator Logs 1271.09ad1System.1 - 09.ad An intrusion detection system managed outside of the control of system and network administrators is used to monitor system and network administration activities for compliance. An activity log alert should exist for specific Administrative operations 1.0.0
Business Continuity and Risk Assessment 1634.12b1Organizational.1 - 12.b The organization identifies the critical business processes requiring business continuity. Audit virtual machines without disaster recovery configured 1.0.0
Business Continuity and Risk Assessment 1638.12b2Organizational.345 - 12.b Business continuity risk assessments (i) are carried out annually with full involvement from owners of business resources and processes; (ii) consider all business processes and is not limited to the information assets, but includes the results specific to information security; and (iii) identifies, quantifies, and prioritizes risks against key business objectives and criteria relevant to the organization, including critical resources, impacts of disruptions, allowable outage times, and recovery priorities. Audit virtual machines without disaster recovery configured 1.0.0

IRS 1075 September 2016

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - IRS 1075 September 2016. For more information about this compliance standard, see IRS 1075 September 2016.

Domain Control ID Control title Policy (Azure portal) Policy version (GitHub)
Access Control 9.3.1.2 Account Management (AC-2) Deprecated accounts should be removed from your subscription 3.0.0
Access Control 9.3.1.2 Account Management (AC-2) Deprecated accounts with owner permissions should be removed from your subscription 3.0.0
Access Control 9.3.1.2 Account Management (AC-2) External accounts with owner permissions should be removed from your subscription 3.0.0
Access Control 9.3.1.2 Account Management (AC-2) External accounts with read permissions should be removed from your subscription 3.0.0
Access Control 9.3.1.2 Account Management (AC-2) External accounts with write permissions should be removed from your subscription 3.0.0
Access Control 9.3.1.5 Separation of Duties (AC-5) A maximum of 3 owners should be designated for your subscription 3.0.0
Access Control 9.3.1.5 Separation of Duties (AC-5) There should be more than one owner assigned to your subscription 3.0.0
Access Control 9.3.1.6 Least Privilege (AC-6) A maximum of 3 owners should be designated for your subscription 3.0.0
Access Control 9.3.1.6 Least Privilege (AC-6) There should be more than one owner assigned to your subscription 3.0.0
Contingency Planning 9.3.6.6 Alternate Processing Site (CP-7) Audit virtual machines without disaster recovery configured 1.0.0
Identification and Authentication 9.3.7.2 Identification and Authentication (Organizational Users) (IA-2) MFA should be enabled accounts with write permissions on your subscription 3.0.0
Identification and Authentication 9.3.7.2 Identification and Authentication (Organizational Users) (IA-2) MFA should be enabled on accounts with owner permissions on your subscription 3.0.0
Identification and Authentication 9.3.7.2 Identification and Authentication (Organizational Users) (IA-2) MFA should be enabled on accounts with read permissions on your subscription 3.0.0

ISO 27001:2013

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - ISO 27001:2013. For more information about this compliance standard, see ISO 27001:2013.

Domain Control ID Control title Policy (Azure portal) Policy version (GitHub)
Organization of information security 6.1.2 Segregation of Duties A maximum of 3 owners should be designated for your subscription 3.0.0
Organization of information security 6.1.2 Segregation of Duties There should be more than one owner assigned to your subscription 3.0.0
Access control 9.2.3 Management of privileged access rights External accounts with owner permissions should be removed from your subscription 3.0.0
Access control 9.2.3 Management of privileged access rights External accounts with write permissions should be removed from your subscription 3.0.0
Access control 9.2.3 Management of privileged access rights MFA should be enabled accounts with write permissions on your subscription 3.0.0
Access control 9.2.3 Management of privileged access rights MFA should be enabled on accounts with owner permissions on your subscription 3.0.0
Access control 9.2.4 Management of secret authentication information of users MFA should be enabled accounts with write permissions on your subscription 3.0.0
Access control 9.2.4 Management of secret authentication information of users MFA should be enabled on accounts with owner permissions on your subscription 3.0.0
Access control 9.2.4 Management of secret authentication information of users MFA should be enabled on accounts with read permissions on your subscription 3.0.0
Access control 9.2.5 Review of user access rights Deprecated accounts should be removed from your subscription 3.0.0
Access control 9.2.5 Review of user access rights Deprecated accounts with owner permissions should be removed from your subscription 3.0.0
Access control 9.2.5 Review of user access rights External accounts with owner permissions should be removed from your subscription 3.0.0
Access control 9.2.5 Review of user access rights External accounts with write permissions should be removed from your subscription 3.0.0
Access control 9.2.6 Removal or adjustment of access rights Deprecated accounts should be removed from your subscription 3.0.0
Access control 9.2.6 Removal or adjustment of access rights Deprecated accounts with owner permissions should be removed from your subscription 3.0.0
Access control 9.4.2 Secure log-on procedures MFA should be enabled accounts with write permissions on your subscription 3.0.0
Access control 9.4.2 Secure log-on procedures MFA should be enabled on accounts with owner permissions on your subscription 3.0.0
Access control 9.4.2 Secure log-on procedures MFA should be enabled on accounts with read permissions on your subscription 3.0.0

New Zealand ISM Restricted

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - New Zealand ISM Restricted. For more information about this compliance standard, see New Zealand ISM Restricted.

Domain Control ID Control title Policy (Azure portal) Policy version (GitHub)
Information security monitoring ISM-7 6.4.5 Availability requirements Audit virtual machines without disaster recovery configured 1.0.0
Software security SS-3 14.1.9 Maintaining hardened SOEs Azure Defender for App Service should be enabled 1.0.3
Software security SS-3 14.1.9 Maintaining hardened SOEs Azure Defender for Azure SQL Database servers should be enabled 1.0.2
Software security SS-3 14.1.9 Maintaining hardened SOEs Azure Defender for container registries should be enabled 1.0.3
Software security SS-3 14.1.9 Maintaining hardened SOEs Azure Defender for Key Vault should be enabled 1.0.3
Software security SS-3 14.1.9 Maintaining hardened SOEs Azure Defender for Kubernetes should be enabled 1.0.3
Software security SS-3 14.1.9 Maintaining hardened SOEs Azure Defender for servers should be enabled 1.0.3
Software security SS-3 14.1.9 Maintaining hardened SOEs Azure Defender for SQL servers on machines should be enabled 1.0.2
Software security SS-3 14.1.9 Maintaining hardened SOEs Azure Defender for Storage should be enabled 1.0.3
Access Control and Passwords AC-3 16.1.35 Methods for system user identification and authentication MFA should be enabled on accounts with read permissions on your subscription 3.0.0
Access Control and Passwords AC-5 16.1.46 Suspension of access Deprecated accounts should be removed from your subscription 3.0.0
Access Control and Passwords AC-5 16.1.46 Suspension of access Deprecated accounts with owner permissions should be removed from your subscription 3.0.0
Access Control and Passwords AC-9 16.3.5 Use of Privileged Accounts A maximum of 3 owners should be designated for your subscription 3.0.0
Access Control and Passwords AC-11 16.4.30 Privileged Access Management External accounts with owner permissions should be removed from your subscription 3.0.0
Access Control and Passwords AC-11 16.4.30 Privileged Access Management External accounts with write permissions should be removed from your subscription 3.0.0
Access Control and Passwords AC-11 16.4.30 Privileged Access Management MFA should be enabled accounts with write permissions on your subscription 3.0.0
Access Control and Passwords AC-11 16.4.30 Privileged Access Management MFA should be enabled on accounts with owner permissions on your subscription 3.0.0
Access Control and Passwords AC-11 16.4.30 Privileged Access Management There should be more than one owner assigned to your subscription 3.0.0

NIST SP 800-171 R2

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - NIST SP 800-171 R2. For more information about this compliance standard, see NIST SP 800-171 R2.

Domain Control ID Control title Policy (Azure portal) Policy version (GitHub)
Access Control 3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). Deprecated accounts should be removed from your subscription 3.0.0
Access Control 3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). Deprecated accounts with owner permissions should be removed from your subscription 3.0.0
Access Control 3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). External accounts with owner permissions should be removed from your subscription 3.0.0
Access Control 3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). External accounts with read permissions should be removed from your subscription 3.0.0
Access Control 3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). External accounts with write permissions should be removed from your subscription 3.0.0
Access Control 3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion. A maximum of 3 owners should be designated for your subscription 3.0.0
Access Control 3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion. There should be more than one owner assigned to your subscription 3.0.0
Identification and Authentication 3.5.1 Identify system users, processes acting on behalf of users, and devices. MFA should be enabled accounts with write permissions on your subscription 3.0.0
Identification and Authentication 3.5.1 Identify system users, processes acting on behalf of users, and devices. MFA should be enabled on accounts with owner permissions on your subscription 3.0.0
Identification and Authentication 3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. MFA should be enabled accounts with write permissions on your subscription 3.0.0
Identification and Authentication 3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. MFA should be enabled on accounts with owner permissions on your subscription 3.0.0
Identification and Authentication 3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. MFA should be enabled on accounts with read permissions on your subscription 3.0.0
System and Information Integrity 3.14.6 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. Email notification to subscription owner for high severity alerts should be enabled 2.0.0
System and Information Integrity 3.14.6 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. Subscriptions should have a contact email address for security issues 1.0.1

NIST SP 800-53 Rev. 4

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - NIST SP 800-53 Rev. 4. For more information about this compliance standard, see NIST SP 800-53 Rev. 4.

Domain Control ID Control title Policy (Azure portal) Policy version (GitHub)
Access Control AC-1 Access Control Policy and Procedures Microsoft Managed Control 1000 - Access Control Policy And Procedures 1.0.0
Access Control AC-1 Access Control Policy and Procedures Microsoft Managed Control 1001 - Access Control Policy And Procedures 1.0.0
Access Control AC-2 Account Management A maximum of 3 owners should be designated for your subscription 3.0.0
Access Control AC-2 Account Management Deprecated accounts should be removed from your subscription 3.0.0
Access Control AC-2 Account Management Deprecated accounts with owner permissions should be removed from your subscription 3.0.0
Access Control AC-2 Account Management External accounts with owner permissions should be removed from your subscription 3.0.0
Access Control AC-2 Account Management External accounts with read permissions should be removed from your subscription 3.0.0
Access Control AC-2 Account Management External accounts with write permissions should be removed from your subscription 3.0.0
Access Control AC-2 Account Management Microsoft Managed Control 1002 - Account Management 1.0.0
Access Control AC-2 Account Management Microsoft Managed Control 1003 - Account Management 1.0.0
Access Control AC-2 Account Management Microsoft Managed Control 1004 - Account Management 1.0.0
Access Control AC-2 Account Management Microsoft Managed Control 1005 - Account Management 1.0.0
Access Control AC-2 Account Management Microsoft Managed Control 1006 - Account Management 1.0.0
Access Control AC-2 Account Management Microsoft Managed Control 1007 - Account Management 1.0.0
Access Control AC-2 Account Management Microsoft Managed Control 1008 - Account Management 1.0.0
Access Control AC-2 Account Management Microsoft Managed Control 1009 - Account Management 1.0.0
Access Control AC-2 Account Management Microsoft Managed Control 1010 - Account Management 1.0.0
Access Control AC-2 Account Management Microsoft Managed Control 1011 - Account Management 1.0.0
Access Control AC-2 Account Management Microsoft Managed Control 1012 - Account Management 1.0.0
Access Control AC-2 (1) Automated System Account Management Microsoft Managed Control 1013 - Account Management | Automated System Account Management 1.0.0
Access Control AC-2 (2) Removal of Temporary / Emergency Accounts Microsoft Managed Control 1014 - Account Management | Removal Of Temporary / Emergency Accounts 1.0.0
Access Control AC-2 (3) Disable Inactive Accounts Microsoft Managed Control 1015 - Account Management | Disable Inactive Accounts 1.0.0
Access Control AC-2 (4) Automated Audit Actions Microsoft Managed Control 1016 - Account Management | Automated Audit Actions 1.0.0
Access Control AC-2 (5) Inactivity Logout Microsoft Managed Control 1017 - Account Management | Inactivity Logout 1.0.0
Access Control AC-2 (7) Role-based Schemes Microsoft Managed Control 1018 - Account Management | Role-Based Schemes 1.0.0
Access Control AC-2 (7) Role-based Schemes Microsoft Managed Control 1019 - Account Management | Role-Based Schemes 1.0.0
Access Control AC-2 (7) Role-based Schemes Microsoft Managed Control 1020 - Account Management | Role-Based Schemes 1.0.0
Access Control AC-2 (7) Role-based Schemes Service principals should be used to protect your subscriptions instead of management certificates 1.0.0
Access Control AC-2 (9) Restrictions On Use of Shared / Group Accounts Microsoft Managed Control 1021 - Account Management | Restrictions On Use Of Shared / Group Accounts 1.0.0
Access Control AC-2 (10) Shared / Group Account Credential Termination Microsoft Managed Control 1022 - Account Management | Shared / Group Account Credential Termination 1.0.0
Access Control AC-2 (11) Usage Conditions Microsoft Managed Control 1023 - Account Management | Usage Conditions 1.0.0
Access Control AC-2 (12) Account Monitoring / Atypical Usage Azure Defender for App Service should be enabled 1.0.3
Access Control AC-2 (12) Account Monitoring / Atypical Usage Azure Defender for Azure SQL Database servers should be enabled 1.0.2
Access Control AC-2 (12) Account Monitoring / Atypical Usage Azure Defender for container registries should be enabled 1.0.3
Access Control AC-2 (12) Account Monitoring / Atypical Usage Azure Defender for DNS should be enabled 1.0.0-preview
Access Control AC-2 (12) Account Monitoring / Atypical Usage Azure Defender for Key Vault should be enabled 1.0.3
Access Control AC-2 (12) Account Monitoring / Atypical Usage Azure Defender for Kubernetes should be enabled 1.0.3
Access Control AC-2 (12) Account Monitoring / Atypical Usage Azure Defender for Resource Manager should be enabled 1.0.0
Access Control AC-2 (12) Account Monitoring / Atypical Usage Azure Defender for servers should be enabled 1.0.3
Access Control AC-2 (12) Account Monitoring / Atypical Usage Azure Defender for SQL servers on machines should be enabled 1.0.2
Access Control AC-2 (12) Account Monitoring / Atypical Usage Azure Defender for Storage should be enabled 1.0.3
Access Control AC-2 (12) Account Monitoring / Atypical Usage Microsoft Managed Control 1024 - Account Management | Account Monitoring / Atypical Usage 1.0.0
Access Control AC-2 (12) Account Monitoring / Atypical Usage Microsoft Managed Control 1025 - Account Management | Account Monitoring / Atypical Usage 1.0.0
Access Control AC-2 (13) Disable Accounts for High-risk Individuals Microsoft Managed Control 1026 - Account Management | Disable Accounts For High-Risk Individuals 1.0.0
Access Control AC-3 Access Enforcement MFA should be enabled accounts with write permissions on your subscription 3.0.0
Access Control AC-3 Access Enforcement MFA should be enabled on accounts with owner permissions on your subscription 3.0.0
Access Control AC-3 Access Enforcement MFA should be enabled on accounts with read permissions on your subscription 3.0.0
Access Control AC-3 Access Enforcement Microsoft Managed Control 1027 - Access Enforcement 1.0.0
Access Control AC-4 Information Flow Enforcement Microsoft Managed Control 1028 - Information Flow Enforcement 1.0.0
Access Control AC-4 (8) Security Policy Filters Microsoft Managed Control 1029 - Information Flow Enforcement | Security Policy Filters 1.0.0
Access Control AC-4 (21) Physical / Logical Separation of Information Flows Microsoft Managed Control 1030 - Information Flow Enforcement | Physical / Logical Separation Of Information Flows 1.0.0
Access Control AC-5 Separation of Duties Microsoft Managed Control 1031 - Separation Of Duties 1.0.0
Access Control AC-5 Separation of Duties Microsoft Managed Control 1032 - Separation Of Duties 1.0.0
Access Control AC-5 Separation of Duties Microsoft Managed Control 1033 - Separation Of Duties 1.0.0
Access Control AC-5 Separation of Duties There should be more than one owner assigned to your subscription 3.0.0
Access Control AC-6 Least Privilege A maximum of 3 owners should be designated for your subscription 3.0.0
Access Control AC-6 Least Privilege Microsoft Managed Control 1034 - Least Privilege 1.0.0
Access Control AC-6 (1) Authorize Access to Security Functions Microsoft Managed Control 1035 - Least Privilege | Authorize Access To Security Functions 1.0.0
Access Control AC-6 (2) Non-privileged Access for Nonsecurity Functions Microsoft Managed Control 1036 - Least Privilege | Non-Privileged Access For Nonsecurity Functions 1.0.0
Access Control AC-6 (3) Network Access to Privileged Commands Microsoft Managed Control 1037 - Least Privilege | Network Access To Privileged Commands 1.0.0
Access Control AC-6 (5) Privileged Accounts Microsoft Managed Control 1038 - Least Privilege | Privileged Accounts 1.0.0
Access Control AC-6 (7) Review of User Privileges A maximum of 3 owners should be designated for your subscription 3.0.0
Access Control AC-6 (7) Review of User Privileges Microsoft Managed Control 1039 - Least Privilege | Review Of User Privileges 1.0.0
Access Control AC-6 (7) Review of User Privileges Microsoft Managed Control 1040 - Least Privilege | Review Of User Privileges 1.0.0
Access Control AC-6 (8) Privilege Levels for Code Execution Microsoft Managed Control 1041 - Least Privilege | Privilege Levels For Code Execution 1.0.0
Access Control AC-6 (9) Auditing Use of Privileged Functions Microsoft Managed Control 1042 - Least Privilege | Auditing Use Of Privileged Functions 1.0.0
Access Control AC-6 (10) Prohibit Non-privileged Users from Executing Privileged Functions Microsoft Managed Control 1043 - Least Privilege | Prohibit Non-Privileged Users From Executing Privileged Functions 1.0.0
Access Control AC-7 Unsuccessful Logon Attempts Microsoft Managed Control 1044 - Unsuccessful Logon Attempts 1.0.0
Access Control AC-7 Unsuccessful Logon Attempts Microsoft Managed Control 1045 - Unsuccessful Logon Attempts 1.0.0
Access Control AC-7 (2) Purge / Wipe Mobile Device Microsoft Managed Control 1046 - Automatic Account Lock | Purge / Wipe Mobile Device 1.0.0
Access Control AC-8 System Use Notification Microsoft Managed Control 1047 - System Use Notification 1.0.0
Access Control AC-8 System Use Notification Microsoft Managed Control 1048 - System Use Notification 1.0.0
Access Control AC-8 System Use Notification Microsoft Managed Control 1049 - System Use Notification 1.0.0
Access Control AC-10 Concurrent Session Control Microsoft Managed Control 1050 - Concurrent Session Control 1.0.0
Access Control AC-11 Session Lock Microsoft Managed Control 1051 - Session Lock 1.0.0
Access Control AC-11 Session Lock Microsoft Managed Control 1052 - Session Lock 1.0.0
Access Control AC-11 (1) Pattern-hiding Displays Microsoft Managed Control 1053 - Session Lock | Pattern-Hiding Displays 1.0.0
Access Control AC-12 Session Termination Microsoft Managed Control 1054 - Session Termination 1.0.0
Access Control AC-12 (1) User-initiated Logouts / Message Displays Microsoft Managed Control 1055 - Session Termination | User-Initiated Logouts / Message Displays 1.0.0
Access Control AC-12 (1) User-initiated Logouts / Message Displays Microsoft Managed Control 1056 - Session Termination | User-Initiated Logouts / Message Displays 1.0.0
Access Control AC-14 Permitted Actions Without Identification or Authentication Microsoft Managed Control 1057 - Permitted Actions Without Identification Or Authentication 1.0.0
Access Control AC-14 Permitted Actions Without Identification or Authentication Microsoft Managed Control 1058 - Permitted Actions Without Identification Or Authentication 1.0.0
Access Control AC-17 Remote Access Microsoft Managed Control 1059 - Remote Access 1.0.0
Access Control AC-17 Remote Access Microsoft Managed Control 1060 - Remote Access 1.0.0
Access Control AC-17 (1) Automated Monitoring / Control Microsoft Managed Control 1061 - Remote Access | Automated Monitoring / Control 1.0.0
Access Control AC-17 (2) Protection of Confidentiality / Integrity Using Encryption Microsoft Managed Control 1062 - Remote Access | Protection Of Confidentiality / Integrity Using Encryption 1.0.0
Access Control AC-17 (3) Managed Access Control Points Microsoft Managed Control 1063 - Remote Access | Managed Access Control Points 1.0.0
Access Control AC-17 (4) Privileged Commands / Access Microsoft Managed Control 1064 - Remote Access | Privileged Commands / Access 1.0.0
Access Control AC-17 (4) Privileged Commands / Access Microsoft Managed Control 1065 - Remote Access | Privileged Commands / Access 1.0.0
Access Control AC-17 (9) Disconnect / Disable Access Microsoft Managed Control 1066 - Remote Access | Disconnect / Disable Access 1.0.0
Access Control AC-18 Wireless Access Microsoft Managed Control 1067 - Wireless Access 1.0.0
Access Control AC-18 Wireless Access Microsoft Managed Control 1068 - Wireless Access 1.0.0
Access Control AC-18 (1) Authentication and Encryption Microsoft Managed Control 1069 - Wireless Access | Authentication And Encryption 1.0.0
Access Control AC-18 (3) Disable Wireless Networking Microsoft Managed Control 1070 - Wireless Access | Disable Wireless Networking 1.0.0
Access Control AC-18 (4) Restrict Configurations by Users Microsoft Managed Control 1071 - Wireless Access | Restrict Configurations By Users 1.0.0
Access Control AC-18 (5) Antennas / Transmission Power Levels Microsoft Managed Control 1072 - Wireless Access | Antennas / Transmission Power Levels 1.0.0
Access Control AC-19 Access Control for Mobile Devices Microsoft Managed Control 1073 - Access Control For Mobile Devices 1.0.0
Access Control AC-19 Access Control for Mobile Devices Microsoft Managed Control 1074 - Access Control For Mobile Devices 1.0.0
Access Control AC-19 (5) Full Device / Container-based Encryption Microsoft Managed Control 1075 - Access Control For Mobile Devices | Full Device / Container-Based Encryption 1.0.0
Access Control AC-20 Use of External Information Systems Microsoft Managed Control 1076 - Use Of External Information Systems 1.0.0
Access Control AC-20 Use of External Information Systems Microsoft Managed Control 1077 - Use Of External Information Systems 1.0.0
Access Control AC-20 (1) Limits On Authorized Use Microsoft Managed Control 1078 - Use Of External Information Systems | Limits On Authorized Use 1.0.0
Access Control AC-20 (1) Limits On Authorized Use Microsoft Managed Control 1079 - Use Of External Information Systems | Limits On Authorized Use 1.0.0
Access Control AC-20 (2) Portable Storage Devices Microsoft Managed Control 1080 - Use Of External Information Systems | Portable Storage Devices 1.0.0
Access Control AC-21 Information Sharing Microsoft Managed Control 1081 - Information Sharing 1.0.0
Access Control AC-21 Information Sharing Microsoft Managed Control 1082 - Information Sharing 1.0.0
Access Control AC-22 Publicly Accessible Content Microsoft Managed Control 1083 - Publicly Accessible Content 1.0.0
Access Control AC-22 Publicly Accessible Content Microsoft Managed Control 1084 - Publicly Accessible Content 1.0.0
Access Control AC-22 Publicly Accessible Content Microsoft Managed Control 1085 - Publicly Accessible Content 1.0.0
Access Control AC-22 Publicly Accessible Content Microsoft Managed Control 1086 - Publicly Accessible Content 1.0.0
Awareness and Training AT-1 Security Awareness and Training Policy and Procedures Microsoft Managed Control 1087 - Security Awareness And Training Policy And Procedures 1.0.0
Awareness and Training AT-1 Security Awareness and Training Policy and Procedures Microsoft Managed Control 1088 - Security Awareness And Training Policy And Procedures 1.0.0
Awareness and Training AT-2 Security Awareness Training Microsoft Managed Control 1089 - Security Awareness Training 1.0.0
Awareness and Training AT-2 Security Awareness Training Microsoft Managed Control 1090 - Security Awareness Training 1.0.0
Awareness and Training AT-2 Security Awareness Training Microsoft Managed Control 1091 - Security Awareness Training 1.0.0
Awareness and Training AT-2 (2) Insider Threat Microsoft Managed Control 1092 - Security Awareness Training | Insider Threat 1.0.0
Awareness and Training AT-3 Role-based Security Training Microsoft Managed Control 1093 - Role-Based Security Training 1.0.0
Awareness and Training AT-3 Role-based Security Training Microsoft Managed Control 1094 - Role-Based Security Training 1.0.0
Awareness and Training AT-3 Role-based Security Training Microsoft Managed Control 1095 - Role-Based Security Training 1.0.0
Awareness and Training AT-3 (3) Practical Exercises Microsoft Managed Control 1096 - Role-Based Security Training | Practical Exercises 1.0.0
Awareness and Training AT-3 (4) Suspicious Communications and Anomalous System Behavior Microsoft Managed Control 1097 - Role-Based Security Training | Suspicious Communications And Anomalous System Behavior 1.0.0
Awareness and Training AT-4 Security Training Records Microsoft Managed Control 1098 - Security Training Records 1.0.0
Awareness and Training AT-4 Security Training Records Microsoft Managed Control 1099 - Security Training Records 1.0.0
Audit and Accountability AU-1 Audit and Accountability Policy and Procedures Microsoft Managed Control 1100 - Audit And Accountability Policy And Procedures 1.0.0
Audit and Accountability AU-1 Audit and Accountability Policy and Procedures Microsoft Managed Control 1101 - Audit And Accountability Policy And Procedures 1.0.0
Audit and Accountability AU-2 Audit Events Microsoft Managed Control 1102 - Audit Events 1.0.0
Audit and Accountability AU-2 Audit Events Microsoft Managed Control 1103 - Audit Events 1.0.0
Audit and Accountability AU-2 Audit Events Microsoft Managed Control 1104 - Audit Events 1.0.0
Audit and Accountability AU-2 Audit Events Microsoft Managed Control 1105 - Audit Events 1.0.0
Audit and Accountability AU-2 (3) Reviews and Updates Microsoft Managed Control 1106 - Audit Events | Reviews And Updates 1.0.0
Audit and Accountability AU-3 Content of Audit Records Microsoft Managed Control 1107 - Content Of Audit Records 1.0.0
Audit and Accountability AU-3 (1) Additional Audit Information Microsoft Managed Control 1108 - Content Of Audit Records | Additional Audit Information 1.0.0
Audit and Accountability AU-3 (2) Centralized Management of Planned Audit Record Content Microsoft Managed Control 1109 - Content Of Audit Records | Centralized Management Of Planned Audit Record Content 1.0.0
Audit and Accountability AU-4 Audit Storage Capacity Microsoft Managed Control 1110 - Audit Storage Capacity 1.0.0
Audit and Accountability AU-5 Response to Audit Processing Failures Microsoft Managed Control 1111 - Response To Audit Processing Failures 1.0.0
Audit and Accountability AU-5 Response to Audit Processing Failures Microsoft Managed Control 1112 - Response To Audit Processing Failures 1.0.0
Audit and Accountability AU-5 (1) Audit Storage Capacity Microsoft Managed Control 1113 - Response To Audit Processing Failures | Audit Storage Capacity 1.0.0
Audit and Accountability AU-5 (2) Real-time Alerts Microsoft Managed Control 1114 - Response To Audit Processing Failures | Real-Time Alerts 1.0.0
Audit and Accountability AU-6 Audit Review, Analysis, and Reporting Azure Defender for App Service should be enabled 1.0.3
Audit and Accountability AU-6 Audit Review, Analysis, and Reporting Azure Defender for Azure SQL Database servers should be enabled 1.0.2
Audit and Accountability AU-6 Audit Review, Analysis, and Reporting Azure Defender for container registries should be enabled 1.0.3
Audit and Accountability AU-6 Audit Review, Analysis, and Reporting Azure Defender for DNS should be enabled 1.0.0-preview
Audit and Accountability AU-6 Audit Review, Analysis, and Reporting Azure Defender for Key Vault should be enabled 1.0.3
Audit and Accountability AU-6 Audit Review, Analysis, and Reporting Azure Defender for Kubernetes should be enabled 1.0.3
Audit and Accountability AU-6 Audit Review, Analysis, and Reporting Azure Defender for Resource Manager should be enabled 1.0.0
Audit and Accountability AU-6 Audit Review, Analysis, and Reporting Azure Defender for servers should be enabled 1.0.3
Audit and Accountability AU-6 Audit Review, Analysis, and Reporting Azure Defender for SQL servers on machines should be enabled 1.0.2
Audit and Accountability AU-6 Audit Review, Analysis, and Reporting Azure Defender for Storage should be enabled 1.0.3
Audit and Accountability AU-6 Audit Review, Analysis, and Reporting Microsoft Managed Control 1115 - Audit Review, Analysis, And Reporting 1.0.0
Audit and Accountability AU-6 Audit Review, Analysis, and Reporting Microsoft Managed Control 1116 - Audit Review, Analysis, And Reporting 1.0.0
Audit and Accountability AU-6 (1) Process Integration Microsoft Managed Control 1117 - Audit Review, Analysis, And Reporting | Process Integration 1.0.0
Audit and Accountability AU-6 (3) Correlate Audit Repositories Microsoft Managed Control 1118 - Audit Review, Analysis, And Reporting | Correlate Audit Repositories 1.0.0
Audit and Accountability AU-6 (4) Central Review and Analysis Auto provisioning of the Log Analytics agent should be enabled on your subscription 1.0.1
Audit and Accountability AU-6 (4) Central Review and Analysis Azure Defender for App Service should be enabled 1.0.3
Audit and Accountability AU-6 (4) Central Review and Analysis Azure Defender for Azure SQL Database servers should be enabled 1.0.2
Audit and Accountability AU-6 (4) Central Review and Analysis Azure Defender for container registries should be enabled 1.0.3
Audit and Accountability AU-6 (4) Central Review and Analysis Azure Defender for DNS should be enabled 1.0.0-preview
Audit and Accountability AU-6 (4) Central Review and Analysis Azure Defender for Key Vault should be enabled 1.0.3
Audit and Accountability AU-6 (4) Central Review and Analysis Azure Defender for Kubernetes should be enabled 1.0.3
Audit and Accountability AU-6 (4) Central Review and Analysis Azure Defender for Resource Manager should be enabled 1.0.0
Audit and Accountability AU-6 (4) Central Review and Analysis Azure Defender for servers should be enabled 1.0.3
Audit and Accountability AU-6 (4) Central Review and Analysis Azure Defender for SQL servers on machines should be enabled 1.0.2
Audit and Accountability AU-6 (4) Central Review and Analysis Azure Defender for Storage should be enabled 1.0.3
Audit and Accountability AU-6 (4) Central Review and Analysis Microsoft Managed Control 1119 - Audit Review, Analysis, And Reporting | Central Review And Analysis 1.0.0
Audit and Accountability AU-6 (5) Integration / Scanning and Monitoring Capabilities Auto provisioning of the Log Analytics agent should be enabled on your subscription 1.0.1
Audit and Accountability AU-6 (5) Integration / Scanning and Monitoring Capabilities Azure Defender for App Service should be enabled 1.0.3
Audit and Accountability AU-6 (5) Integration / Scanning and Monitoring Capabilities Azure Defender for Azure SQL Database servers should be enabled 1.0.2
Audit and Accountability AU-6 (5) Integration / Scanning and Monitoring Capabilities Azure Defender for container registries should be enabled 1.0.3
Audit and Accountability AU-6 (5) Integration / Scanning and Monitoring Capabilities Azure Defender for DNS should be enabled 1.0.0-preview
Audit and Accountability AU-6 (5) Integration / Scanning and Monitoring Capabilities Azure Defender for Key Vault should be enabled 1.0.3
Audit and Accountability AU-6 (5) Integration / Scanning and Monitoring Capabilities Azure Defender for Kubernetes should be enabled 1.0.3
Audit and Accountability AU-6 (5) Integration / Scanning and Monitoring Capabilities Azure Defender for Resource Manager should be enabled 1.0.0
Audit and Accountability AU-6 (5) Integration / Scanning and Monitoring Capabilities Azure Defender for servers should be enabled 1.0.3
Audit and Accountability AU-6 (5) Integration / Scanning and Monitoring Capabilities Azure Defender for SQL servers on machines should be enabled 1.0.2
Audit and Accountability AU-6 (5) Integration / Scanning and Monitoring Capabilities Azure Defender for Storage should be enabled 1.0.3
Audit and Accountability AU-6 (5) Integration / Scanning and Monitoring Capabilities Microsoft Managed Control 1120 - Audit Review, Analysis, And Reporting | Integration / Scanning And Monitoring Capabilities 1.0.0
Audit and Accountability AU-6 (6) Correlation with Physical Monitoring Microsoft Managed Control 1121 - Audit Review, Analysis, And Reporting | Correlation With Physical Monitoring 1.0.0
Audit and Accountability AU-6 (7) Permitted Actions Microsoft Managed Control 1122 - Audit Review, Analysis, And Reporting | Permitted Actions 1.0.0
Audit and Accountability AU-6 (10) Audit Level Adjustment Microsoft Managed Control 1123 - Audit Review, Analysis, And Reporting | Audit Level Adjustment 1.0.0
Audit and Accountability AU-7 Audit Reduction and Report Generation Microsoft Managed Control 1124 - Audit Reduction And Report Generation 1.0.0
Audit and Accountability AU-7 Audit Reduction and Report Generation Microsoft Managed Control 1125 - Audit Reduction And Report Generation 1.0.0
Audit and Accountability AU-7 (1) Automatic Processing Microsoft Managed Control 1126 - Audit Reduction And Report Generation | Automatic Processing 1.0.0
Audit and Accountability AU-8 Time Stamps Microsoft Managed Control 1127 - Time Stamps 1.0.0
Audit and Accountability AU-8 Time Stamps Microsoft Managed Control 1128 - Time Stamps 1.0.0
Audit and Accountability AU-8 (1) Synchronization with Authoritative Time Source Microsoft Managed Control 1129 - Time Stamps | Synchronization With Authoritative Time Source 1.0.0
Audit and Accountability AU-8 (1) Synchronization with Authoritative Time Source Microsoft Managed Control 1130 - Time Stamps | Synchronization With Authoritative Time Source 1.0.0
Audit and Accountability AU-9 Protection of Audit Information Microsoft Managed Control 1131 - Protection Of Audit Information 1.0.0
Audit and Accountability AU-9 (2) Audit Backup On Separate Physical Systems / Components Microsoft Managed Control 1132 - Protection Of Audit Information | Audit Backup On Separate Physical Systems / Components 1.0.0
Audit and Accountability AU-9 (3) Cryptographic Protection Microsoft Managed Control 1133 - Protection Of Audit Information | Cryptographic Protection 1.0.0
Audit and Accountability AU-9 (4) Access by Subset of Privileged Users Microsoft Managed Control 1134 - Protection Of Audit Information | Access By Subset Of Privileged Users 1.0.0
Audit and Accountability AU-10 Non-repudiation Microsoft Managed Control 1135 - Non-Repudiation 1.0.0
Audit and Accountability AU-11 Audit Record Retention Microsoft Managed Control 1136 - Audit Record Retention 1.0.0
Audit and Accountability AU-12 Audit Generation Auto provisioning of the Log Analytics agent should be enabled on your subscription 1.0.1
Audit and Accountability AU-12 Audit Generation Azure Defender for App Service should be enabled 1.0.3
Audit and Accountability AU-12 Audit Generation Azure Defender for Azure SQL Database servers should be enabled 1.0.2
Audit and Accountability AU-12 Audit Generation Azure Defender for container registries should be enabled 1.0.3
Audit and Accountability AU-12 Audit Generation Azure Defender for DNS should be enabled 1.0.0-preview
Audit and Accountability AU-12 Audit Generation Azure Defender for Key Vault should be enabled 1.0.3
Audit and Accountability AU-12 Audit Generation Azure Defender for Kubernetes should be enabled 1.0.3
Audit and Accountability AU-12 Audit Generation Azure Defender for Resource Manager should be enabled 1.0.0
Audit and Accountability AU-12 Audit Generation Azure Defender for servers should be enabled 1.0.3
Audit and Accountability AU-12 Audit Generation Azure Defender for SQL servers on machines should be enabled 1.0.2
Audit and Accountability AU-12 Audit Generation Azure Defender for Storage should be enabled 1.0.3
Audit and Accountability AU-12 Audit Generation Microsoft Managed Control 1137 - Audit Generation 1.0.0
Audit and Accountability AU-12 Audit Generation Microsoft Managed Control 1138 - Audit Generation 1.0.0
Audit and Accountability AU-12 Audit Generation Microsoft Managed Control 1139 - Audit Generation 1.0.0
Audit and Accountability AU-12 (1) System-wide / Time-correlated Audit Trail Auto provisioning of the Log Analytics agent should be enabled on your subscription 1.0.1
Audit and Accountability AU-12 (1) System-wide / Time-correlated Audit Trail Azure Defender for App Service should be enabled 1.0.3
Audit and Accountability AU-12 (1) System-wide / Time-correlated Audit Trail Azure Defender for Azure SQL Database servers should be enabled 1.0.2
Audit and Accountability AU-12 (1) System-wide / Time-correlated Audit Trail Azure Defender for container registries should be enabled 1.0.3
Audit and Accountability AU-12 (1) System-wide / Time-correlated Audit Trail Azure Defender for DNS should be enabled 1.0.0-preview
Audit and Accountability AU-12 (1) System-wide / Time-correlated Audit Trail Azure Defender for Key Vault should be enabled 1.0.3
Audit and Accountability AU-12 (1) System-wide / Time-correlated Audit Trail Azure Defender for Kubernetes should be enabled 1.0.3
Audit and Accountability AU-12 (1) System-wide / Time-correlated Audit Trail Azure Defender for Resource Manager should be enabled 1.0.0
Audit and Accountability AU-12 (1) System-wide / Time-correlated Audit Trail Azure Defender for servers should be enabled 1.0.3
Audit and Accountability AU-12 (1) System-wide / Time-correlated Audit Trail Azure Defender for SQL servers on machines should be enabled 1.0.2
Audit and Accountability AU-12 (1) System-wide / Time-correlated Audit Trail Azure Defender for Storage should be enabled 1.0.3
Audit and Accountability AU-12 (1) System-wide / Time-correlated Audit Trail Microsoft Managed Control 1140 - Audit Generation | System-Wide / Time-Correlated Audit Trail 1.0.0
Audit and Accountability AU-12 (3) Changes by Authorized Individuals Microsoft Managed Control 1141 - Audit Generation | Changes By Authorized Individuals 1.0.0
Security Assessment and Authorization CA-1 Security Assessment and Authorization Policy and Procedures Microsoft Managed Control 1142 - Security Assessment And Authorization Policy And Procedures 1.0.0
Security Assessment and Authorization CA-1 Security Assessment and Authorization Policy and Procedures Microsoft Managed Control 1143 - Security Assessment And Authorization Policy And Procedures 1.0.0
Security Assessment and Authorization CA-2 Security Assessments Microsoft Managed Control 1144 - Security Assessments 1.0.0
Security Assessment and Authorization CA-2 Security Assessments Microsoft Managed Control 1145 - Security Assessments 1.0.0
Security Assessment and Authorization CA-2 Security Assessments Microsoft Managed Control 1146 - Security Assessments 1.0.0
Security Assessment and Authorization CA-2 Security Assessments Microsoft Managed Control 1147 - Security Assessments 1.0.0
Security Assessment and Authorization CA-2 (1) Independent Assessors Microsoft Managed Control 1148 - Security Assessments | Independent Assessors 1.0.0
Security Assessment and Authorization CA-2 (2) Specialized Assessments Microsoft Managed Control 1149 - Security Assessments | Specialized Assessments 1.0.0
Security Assessment and Authorization CA-2 (3) External Organizations Microsoft Managed Control 1150 - Security Assessments | External Organizations 1.0.0
Security Assessment and Authorization CA-3 System Interconnections Microsoft Managed Control 1151 - System Interconnections 1.0.0
Security Assessment and Authorization CA-3 System Interconnections Microsoft Managed Control 1152 - System Interconnections 1.0.0
Security Assessment and Authorization CA-3 System Interconnections Microsoft Managed Control 1153 - System Interconnections 1.0.0
Security Assessment and Authorization CA-3 (3) Unclassified Non-national Security System Connections Microsoft Managed Control 1154 - System Interconnections | Unclassified Non-National Security System Connections 1.0.0
Security Assessment and Authorization CA-3 (5) Restrictions On External System Connections Microsoft Managed Control 1155 - System Interconnections | Restrictions On External System Connections 1.0.0
Security Assessment and Authorization CA-5 Plan of Action and Milestones Microsoft Managed Control 1156 - Plan Of Action And Milestones 1.0.0
Security Assessment and Authorization CA-5 Plan of Action and Milestones Microsoft Managed Control 1157 - Plan Of Action And Milestones 1.0.0
Security Assessment and Authorization CA-6 Security Authorization Microsoft Managed Control 1158 - Security Authorization 1.0.0
Security Assessment and Authorization CA-6 Security Authorization Microsoft Managed Control 1159 - Security Authorization 1.0.0
Security Assessment and Authorization CA-6 Security Authorization Microsoft Managed Control 1160 - Security Authorization 1.0.0
Security Assessment and Authorization CA-7 Continuous Monitoring Microsoft Managed Control 1161 - Continuous Monitoring 1.0.0
Security Assessment and Authorization CA-7 Continuous Monitoring Microsoft Managed Control 1162 - Continuous Monitoring 1.0.0
Security Assessment and Authorization CA-7 Continuous Monitoring Microsoft Managed Control 1163 - Continuous Monitoring 1.0.0
Security Assessment and Authorization CA-7 Continuous Monitoring Microsoft Managed Control 1164 - Continuous Monitoring 1.0.0
Security Assessment and Authorization CA-7 Continuous Monitoring Microsoft Managed Control 1165 - Continuous Monitoring 1.0.0
Security Assessment and Authorization CA-7 Continuous Monitoring Microsoft Managed Control 1166 - Continuous Monitoring 1.0.0
Security Assessment and Authorization CA-7 Continuous Monitoring Microsoft Managed Control 1167 - Continuous Monitoring 1.0.0
Security Assessment and Authorization CA-7 (1) Independent Assessment Microsoft Managed Control 1168 - Continuous Monitoring | Independent Assessment 1.0.0
Security Assessment and Authorization CA-7 (3) Trend Analyses Microsoft Managed Control 1169 - Continuous Monitoring | Trend Analyses 1.0.0
Security Assessment and Authorization CA-8 Penetration Testing Microsoft Managed Control 1170 - Penetration Testing 1.0.0
Security Assessment and Authorization CA-8 (1) Independent Penetration Agent or Team Microsoft Managed Control 1171 - Penetration Testing | Independent Penetration Agent Or Team 1.0.0
Security Assessment and Authorization CA-9 Internal System Connections Microsoft Managed Control 1172 - Internal System Connections 1.0.0
Security Assessment and Authorization CA-9 Internal System Connections Microsoft Managed Control 1173 - Internal System Connections 1.0.0
Configuration Management CM-1 Configuration Management Policy and Procedures Microsoft Managed Control 1174 - Configuration Management Policy And Procedures 1.0.0
Configuration Management CM-1 Configuration Management Policy and Procedures Microsoft Managed Control 1175 - Configuration Management Policy And Procedures 1.0.0
Configuration Management CM-2 Baseline Configuration Microsoft Managed Control 1176 - Baseline Configuration 1.0.0
Configuration Management CM-2 (1) Reviews and Updates Microsoft Managed Control 1177 - Baseline Configuration | Reviews And Updates 1.0.0
Configuration Management CM-2 (1) Reviews and Updates Microsoft Managed Control 1178 - Baseline Configuration | Reviews And Updates 1.0.0
Configuration Management CM-2 (1) Reviews and Updates Microsoft Managed Control 1179 - Baseline Configuration | Reviews And Updates 1.0.0
Configuration Management CM-2 (2) Automation Support for Accuracy / Currency Microsoft Managed Control 1180 - Baseline Configuration | Automation Support For Accuracy / Currency 1.0.0
Configuration Management CM-2 (3) Retention of Previous Configurations Microsoft Managed Control 1181 - Baseline Configuration | Retention Of Previous Configurations 1.0.0
Configuration Management CM-2 (7) Configure Systems, Components, or Devices for High-risk Areas Microsoft Managed Control 1182 - Baseline Configuration | Configure Systems, Components, Or Devices For High-Risk Areas 1.0.0
Configuration Management CM-2 (7) Configure Systems, Components, or Devices for High-risk Areas Microsoft Managed Control 1183 - Baseline Configuration | Configure Systems, Components, Or Devices For High-Risk Areas 1.0.0
Configuration Management CM-3 Configuration Change Control Microsoft Managed Control 1184 - Configuration Change Control 1.0.0
Configuration Management CM-3 Configuration Change Control Microsoft Managed Control 1185 - Configuration Change Control 1.0.0
Configuration Management CM-3 Configuration Change Control Microsoft Managed Control 1186 - Configuration Change Control 1.0.0
Configuration Management CM-3 Configuration Change Control Microsoft Managed Control 1187 - Configuration Change Control 1.0.0
Configuration Management CM-3 Configuration Change Control Microsoft Managed Control 1188 - Configuration Change Control 1.0.0
Configuration Management CM-3 Configuration Change Control Microsoft Managed Control 1189 - Configuration Change Control 1.0.0
Configuration Management CM-3 Configuration Change Control Microsoft Managed Control 1190 - Configuration Change Control 1.0.0
Configuration Management CM-3 (1) Automated Document / Notification / Prohibition of Changes Microsoft Managed Control 1191 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes 1.0.0
Configuration Management CM-3 (1) Automated Document / Notification / Prohibition of Changes Microsoft Managed Control 1192 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes 1.0.0
Configuration Management CM-3 (1) Automated Document / Notification / Prohibition of Changes Microsoft Managed Control 1193 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes 1.0.0
Configuration Management CM-3 (1) Automated Document / Notification / Prohibition of Changes Microsoft Managed Control 1194 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes 1.0.0
Configuration Management CM-3 (1) Automated Document / Notification / Prohibition of Changes Microsoft Managed Control 1195 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes 1.0.0
Configuration Management CM-3 (1) Automated Document / Notification / Prohibition of Changes Microsoft Managed Control 1196 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes 1.0.0
Configuration Management CM-3 (2) Test / Validate / Document Changes Microsoft Managed Control 1197 - Configuration Change Control | Test / Validate / Document Changes 1.0.0
Configuration Management CM-3 (4) Security Representative Microsoft Managed Control 1198 - Configuration Change Control | Security Representative 1.0.0
Configuration Management CM-3 (6) Cryptography Management Microsoft Managed Control 1199 - Configuration Change Control | Cryptography Management 1.0.0
Configuration Management CM-4 Security Impact Analysis Microsoft Managed Control 1200 - Security Impact Analysis 1.0.0
Configuration Management CM-4 (1) Separate Test Environments Microsoft Managed Control 1201 - Security Impact Analysis | Separate Test Environments 1.0.0
Configuration Management CM-5 Access Restrictions for Change Microsoft Managed Control 1202 - Access Restrictions For Change 1.0.0
Configuration Management CM-5 (1) Automated Access Enforcement / Auditing Microsoft Managed Control 1203 - Access Restrictions For Change | Automated Access Enforcement / Auditing 1.0.0
Configuration Management CM-5 (2) Review System Changes Microsoft Managed Control 1204 - Access Restrictions For Change | Review System Changes 1.0.0
Configuration Management CM-5 (3) Signed Components Microsoft Managed Control 1205 - Access Restrictions For Change | Signed Components 1.0.0
Configuration Management CM-5 (5) Limit Production / Operational Privileges Microsoft Managed Control 1206 - Access Restrictions For Change | Limit Production / Operational Privileges 1.0.0
Configuration Management CM-5 (5) Limit Production / Operational Privileges Microsoft Managed Control 1207 - Access Restrictions For Change | Limit Production / Operational Privileges 1.0.0
Configuration Management CM-6 Configuration Settings Microsoft Managed Control 1208 - Configuration Settings 1.0.0
Configuration Management CM-6 Configuration Settings Microsoft Managed Control 1209 - Configuration Settings 1.0.0
Configuration Management CM-6 Configuration Settings Microsoft Managed Control 1210 - Configuration Settings 1.0.0
Configuration Management CM-6 Configuration Settings Microsoft Managed Control 1211 - Configuration Settings 1.0.0
Configuration Management CM-6 (1) Automated Central Management / Application / Verification Microsoft Managed Control 1212 - Configuration Settings | Automated Central Management / Application / Verification 1.0.0
Configuration Management CM-6 (2) Respond to Unauthorized Changes Microsoft Managed Control 1213 - Configuration Settings | Respond To Unauthorized Changes 1.0.0
Configuration Management CM-7 Least Functionality Azure Defender for servers should be enabled 1.0.3
Configuration Management CM-7 Least Functionality Microsoft Managed Control 1214 - Least Functionality 1.0.0
Configuration Management CM-7 Least Functionality Microsoft Managed Control 1215 - Least Functionality 1.0.0
Configuration Management CM-7 (1) Periodic Review Microsoft Managed Control 1216 - Least Functionality | Periodic Review 1.0.0
Configuration Management CM-7 (1) Periodic Review Microsoft Managed Control 1217 - Least Functionality | Periodic Review 1.0.0
Configuration Management CM-7 (2) Prevent Program Execution Microsoft Managed Control 1218 - Least Functionality | Prevent Program Execution 1.0.0
Configuration Management CM-7 (5) Authorized Software / Whitelisting Microsoft Managed Control 1219 - Least Functionality | Authorized Software / Whitelisting 1.0.0
Configuration Management CM-7 (5) Authorized Software / Whitelisting Microsoft Managed Control 1220 - Least Functionality | Authorized Software / Whitelisting 1.0.0
Configuration Management CM-7 (5) Authorized Software / Whitelisting Microsoft Managed Control 1221 - Least Functionality | Authorized Software / Whitelisting 1.0.0
Configuration Management CM-8 Information System Component Inventory Microsoft Managed Control 1222 - Information System Component Inventory 1.0.0
Configuration Management CM-8 Information System Component Inventory Microsoft Managed Control 1223 - Information System Component Inventory 1.0.0
Configuration Management CM-8 (1) Updates During Installations / Removals Microsoft Managed Control 1224 - Information System Component Inventory | Updates During Installations / Removals 1.0.0
Configuration Management CM-8 (2) Automated Maintenance Microsoft Managed Control 1225 - Information System Component Inventory | Automated Maintenance 1.0.0
Configuration Management CM-8 (3) Automated Unauthorized Component Detection Microsoft Managed Control 1226 - Information System Component Inventory | Automated Unauthorized Component Detection 1.0.0
Configuration Management CM-8 (3) Automated Unauthorized Component Detection Microsoft Managed Control 1227 - Information System Component Inventory | Automated Unauthorized Component Detection 1.0.0
Configuration Management CM-8 (4) Accountability Information Microsoft Managed Control 1228 - Information System Component Inventory | Accountability Information 1.0.0
Configuration Management CM-8 (5) No Duplicate Accounting of Components Microsoft Managed Control 1229 - Information System Component Inventory | No Duplicate Accounting Of Components 1.0.0
Configuration Management CM-9 Configuration Management Plan Microsoft Managed Control 1230 - Configuration Management Plan 1.0.0
Configuration Management CM-9 Configuration Management Plan Microsoft Managed Control 1231 - Configuration Management Plan 1.0.0
Configuration Management CM-9 Configuration Management Plan Microsoft Managed Control 1232 - Configuration Management Plan 1.0.0
Configuration Management CM-9 Configuration Management Plan Microsoft Managed Control 1233 - Configuration Management Plan 1.0.0
Configuration Management CM-10 Software Usage Restrictions Microsoft Managed Control 1234 - Software Usage Restrictions 1.0.0
Configuration Management CM-10 Software Usage Restrictions Microsoft Managed Control 1235 - Software Usage Restrictions 1.0.0
Configuration Management CM-10 Software Usage Restrictions Microsoft Managed Control 1236 - Software Usage Restrictions 1.0.0
Configuration Management CM-10 (1) Open Source Software Microsoft Managed Control 1237 - Software Usage Restrictions | Open Source Software 1.0.0
Configuration Management CM-11 User-installed Software Microsoft Managed Control 1238 - User-Installed Software 1.0.0
Configuration Management CM-11 User-installed Software Microsoft Managed Control 1239 - User-Installed Software 1.0.0
Configuration Management CM-11 User-installed Software Microsoft Managed Control 1240 - User-Installed Software 1.0.0
Configuration Management CM-11 (1) Alerts for Unauthorized Installations Microsoft Managed Control 1241 - User-Installed Software | Alerts For Unauthorized Installations 1.0.0
Contingency Planning CP-1 Contingency Planning Policy and Procedures Microsoft Managed Control 1242 - Contingency Planning Policy And Procedures 1.0.0
Contingency Planning CP-1 Contingency Planning Policy and Procedures Microsoft Managed Control 1243 - Contingency Planning Policy And Procedures 1.0.0
Contingency Planning CP-2 Contingency Plan Microsoft Managed Control 1244 - Contingency Plan 1.0.0
Contingency Planning CP-2 Contingency Plan Microsoft Managed Control 1245 - Contingency Plan 1.0.0
Contingency Planning CP-2 Contingency Plan Microsoft Managed Control 1246 - Contingency Plan 1.0.0
Contingency Planning CP-2 Contingency Plan Microsoft Managed Control 1247 - Contingency Plan 1.0.0
Contingency Planning CP-2 Contingency Plan Microsoft Managed Control 1248 - Contingency Plan 1.0.0
Contingency Planning CP-2 Contingency Plan Microsoft Managed Control 1249 - Contingency Plan 1.0.0
Contingency Planning CP-2 Contingency Plan Microsoft Managed Control 1250 - Contingency Plan 1.0.0
Contingency Planning CP-2 (1) Coordinate with Related Plans Microsoft Managed Control 1251 - Contingency Plan | Coordinate With Related Plans 1.0.0
Contingency Planning CP-2 (2) Capacity Planning Microsoft Managed Control 1252 - Contingency Plan | Capacity Planning 1.0.0
Contingency Planning CP-2 (3) Resume Essential Missions / Business Functions Microsoft Managed Control 1253 - Contingency Plan | Resume Essential Missions / Business Functions 1.0.0
Contingency Planning CP-2 (4) Resume All Missions / Business Functions Microsoft Managed Control 1254 - Contingency Plan | Resume All Missions / Business Functions 1.0.0
Contingency Planning CP-2 (5) Continue Essential Missions / Business Functions Microsoft Managed Control 1255 - Contingency Plan | Continue Essential Missions / Business Functions 1.0.0
Contingency Planning CP-2 (8) Identify Critical Assets Microsoft Managed Control 1256 - Contingency Plan | Identify Critical Assets 1.0.0
Contingency Planning CP-3 Contingency Training Microsoft Managed Control 1257 - Contingency Training 1.0.0
Contingency Planning CP-3 Contingency Training Microsoft Managed Control 1258 - Contingency Training 1.0.0
Contingency Planning CP-3 Contingency Training Microsoft Managed Control 1259 - Contingency Training 1.0.0
Contingency Planning CP-3 (1) Simulated Events Microsoft Managed Control 1260 - Contingency Training | Simulated Events 1.0.0
Contingency Planning CP-4 Contingency Plan Testing Microsoft Managed Control 1261 - Contingency Plan Testing 1.0.0
Contingency Planning CP-4 Contingency Plan Testing Microsoft Managed Control 1262 - Contingency Plan Testing 1.0.0
Contingency Planning CP-4 Contingency Plan Testing Microsoft Managed Control 1263 - Contingency Plan Testing 1.0.0
Contingency Planning CP-4 (1) Coordinate with Related Plans Microsoft Managed Control 1264 - Contingency Plan Testing | Coordinate With Related Plans 1.0.0
Contingency Planning CP-4 (2) Alternate Processing Site Microsoft Managed Control 1265 - Contingency Plan Testing | Alternate Processing Site 1.0.0
Contingency Planning CP-4 (2) Alternate Processing Site Microsoft Managed Control 1266 - Contingency Plan Testing | Alternate Processing Site 1.0.0
Contingency Planning CP-6 Alternate Storage Site Microsoft Managed Control 1267 - Alternate Storage Site 1.0.0
Contingency Planning CP-6 Alternate Storage Site Microsoft Managed Control 1268 - Alternate Storage Site 1.0.0
Contingency Planning CP-6 (1) Separation from Primary Site Microsoft Managed Control 1269 - Alternate Storage Site | Separation From Primary Site 1.0.0
Contingency Planning CP-6 (2) Recovery Time / Point Objectives Microsoft Managed Control 1270 - Alternate Storage Site | Recovery Time / Point Objectives 1.0.0
Contingency Planning CP-6 (3) Accessibility Microsoft Managed Control 1271 - Alternate Storage Site | Accessibility 1.0.0
Contingency Planning CP-7 Alternate Processing Site Audit virtual machines without disaster recovery configured 1.0.0
Contingency Planning CP-7 Alternate Processing Site Microsoft Managed Control 1272 - Alternate Processing Site 1.0.0
Contingency Planning CP-7 Alternate Processing Site Microsoft Managed Control 1273 - Alternate Processing Site 1.0.0
Contingency Planning CP-7 Alternate Processing Site Microsoft Managed Control 1274 - Alternate Processing Site 1.0.0
Contingency Planning CP-7 (1) Separation from Primary Site Microsoft Managed Control 1275 - Alternate Processing Site | Separation From Primary Site 1.0.0
Contingency Planning CP-7 (2) Accessibility Microsoft Managed Control 1276 - Alternate Processing Site | Accessibility 1.0.0
Contingency Planning CP-7 (3) Priority of Service Microsoft Managed Control 1277 - Alternate Processing Site | Priority Of Service 1.0.0
Contingency Planning CP-7 (4) Preparation for Use Microsoft Managed Control 1278 - Alternate Processing Site | Preparation For Use 1.0.0
Contingency Planning CP-8 Telecommunications Services Microsoft Managed Control 1279 - Telecommunications Services 1.0.0
Contingency Planning CP-8 (1) Priority of Service Provisions Microsoft Managed Control 1280 - Telecommunications Services | Priority Of Service Provisions 1.0.0
Contingency Planning CP-8 (1) Priority of Service Provisions Microsoft Managed Control 1281 - Telecommunications Services | Priority Of Service Provisions 1.0.0
Contingency Planning CP-8 (2) Single Points of Failure Microsoft Managed Control 1282 - Telecommunications Services | Single Points Of Failure 1.0.0
Contingency Planning CP-8 (3) Separation of Primary / Alternate Providers Microsoft Managed Control 1283 - Telecommunications Services | Separation Of Primary / Alternate Providers 1.0.0
Contingency Planning CP-8 (4) Provider Contingency Plan Microsoft Managed Control 1284 - Telecommunications Services | Provider Contingency Plan 1.0.0
Contingency Planning CP-8 (4) Provider Contingency Plan Microsoft Managed Control 1285 - Telecommunications Services | Provider Contingency Plan 1.0.0
Contingency Planning CP-8 (4) Provider Contingency Plan Microsoft Managed Control 1286 - Telecommunications Services | Provider Contingency Plan 1.0.0
Contingency Planning CP-9 Information System Backup Microsoft Managed Control 1287 - Information System Backup 1.0.0
Contingency Planning CP-9 Information System Backup Microsoft Managed Control 1288 - Information System Backup 1.0.0
Contingency Planning CP-9 Information System Backup Microsoft Managed Control 1289 - Information System Backup 1.0.0
Contingency Planning CP-9 Information System Backup Microsoft Managed Control 1290 - Information System Backup 1.0.0
Contingency Planning CP-9 (1) Testing for Reliability / Integrity Microsoft Managed Control 1291 - Information System Backup | Testing For Reliability / Integrity 1.0.0
Contingency Planning CP-9 (2) Test Restoration Using Sampling Microsoft Managed Control 1292 - Information System Backup | Test Restoration Using Sampling 1.0.0
Contingency Planning CP-9 (3) Separate Storage for Critical Information Microsoft Managed Control 1293 - Information System Backup | Separate Storage For Critical Information 1.0.0
Contingency Planning CP-9 (5) Transfer to Alternate Storage Site Microsoft Managed Control 1294 - Information System Backup | Transfer To Alternate Storage Site 1.0.0
Contingency Planning CP-10 Information System Recovery and Reconstitution Microsoft Managed Control 1295 - Information System Recovery And Reconstitution 1.0.0
Contingency Planning CP-10 (2) Transaction Recovery Microsoft Managed Control 1296 - Information System Recovery And Reconstitution | Transaction Recovery 1.0.0
Contingency Planning CP-10 (4) Restore Within Time Period Microsoft Managed Control 1297 - Information System Recovery And Reconstitution | Restore Within Time Period 1.0.0
Identification and Authentication IA-1 Identification and Authentication Policy and Procedures Microsoft Managed Control 1298 - Identification And Authentication Policy And Procedures 1.0.0
Identification and Authentication IA-1 Identification and Authentication Policy and Procedures Microsoft Managed Control 1299 - Identification And Authentication Policy And Procedures 1.0.0
Identification and Authentication IA-2 Identification and Authentication (organizational Users) MFA should be enabled accounts with write permissions on your subscription 3.0.0
Identification and Authentication IA-2 Identification and Authentication (organizational Users) MFA should be enabled on accounts with owner permissions on your subscription 3.0.0
Identification and Authentication IA-2 Identification and Authentication (organizational Users) MFA should be enabled on accounts with read permissions on your subscription 3.0.0
Identification and Authentication IA-2 Identification and Authentication (organizational Users) Microsoft Managed Control 1300 - Identification And Authentication (Organizational Users) 1.0.0
Identification and Authentication IA-2 Identification and Authentication (organizational Users) Service principals should be used to protect your subscriptions instead of management certificates 1.0.0
Identification and Authentication IA-2 (1) Network Access to Privileged Accounts MFA should be enabled accounts with write permissions on your subscription 3.0.0
Identification and Authentication IA-2 (1) Network Access to Privileged Accounts MFA should be enabled on accounts with owner permissions on your subscription 3.0.0
Identification and Authentication IA-2 (1) Network Access to Privileged Accounts Microsoft Managed Control 1301 - Identification And Authentication (Org. Users) | Network Access To Privileged Accounts 1.0.0
Identification and Authentication IA-2 (2) Network Access to Non-privileged Accounts MFA should be enabled on accounts with read permissions on your subscription 3.0.0
Identification and Authentication IA-2 (2) Network Access to Non-privileged Accounts Microsoft Managed Control 1302 - Identification And Authentication (Org. Users) | Network Access To Non-Privileged Accounts 1.0.0
Identification and Authentication IA-2 (3) Local Access to Privileged Accounts Microsoft Managed Control 1303 - Identification And Authentication (Org. Users) | Local Access To Privileged Accounts 1.0.0
Identification and Authentication IA-2 (4) Local Access to Non-privileged Accounts Microsoft Managed Control 1304 - Identification And Authentication (Org. Users) | Local Access To Non-Privileged Accounts 1.0.0
Identification and Authentication IA-2 (5) Group Authentication Microsoft Managed Control 1305 - Identification And Authentication (Org. Users) | Group Authentication 1.0.0
Identification and Authentication IA-2 (8) Network Access to Privileged Accounts - Replay Resistant Microsoft Managed Control 1306 - Identification And Authentication (Org. Users) | Net. Access To Priv. Accts. - Replay 1.0.0
Identification and Authentication IA-2 (9) Network Access to Non-privileged Accounts - Replay Resistant Microsoft Managed Control 1307 - Identification And Authentication (Org. Users) | Net. Access To Non-Priv. Accts. - Replay 1.0.0
Identification and Authentication IA-2 (11) Remote Access - Separate Device Microsoft Managed Control 1308 - Identification And Authentication (Org. Users) | Remote Access - Separate Device 1.0.0
Identification and Authentication IA-2 (12) Acceptance of PIV Credentials Microsoft Managed Control 1309 - Identification And Authentication (Org. Users) | Acceptance Of Piv Credentials 1.0.0
Identification and Authentication IA-3 Device Identification and Authentication Microsoft Managed Control 1310 - Device Identification And Authentication 1.0.0
Identification and Authentication IA-4 Identifier Management Microsoft Managed Control 1311 - Identifier Management 1.0.0
Identification and Authentication IA-4 Identifier Management Microsoft Managed Control 1312 - Identifier Management 1.0.0
Identification and Authentication IA-4 Identifier Management Microsoft Managed Control 1313 - Identifier Management 1.0.0
Identification and Authentication IA-4 Identifier Management Microsoft Managed Control 1314 - Identifier Management 1.0.0
Identification and Authentication IA-4 Identifier Management Microsoft Managed Control 1315 - Identifier Management 1.0.0
Identification and Authentication IA-4 Identifier Management Service principals should be used to protect your subscriptions instead of management certificates 1.0.0
Identification and Authentication IA-4 (4) Identify User Status Microsoft Managed Control 1316 - Identifier Management | Identify User Status 1.0.0
Identification and Authentication IA-5 Authenticator Management Microsoft Managed Control 1317 - Authenticator Management 1.0.0
Identification and Authentication IA-5 Authenticator Management Microsoft Managed Control 1318 - Authenticator Management 1.0.0
Identification and Authentication IA-5 Authenticator Management Microsoft Managed Control 1319 - Authenticator Management 1.0.0
Identification and Authentication IA-5 Authenticator Management Microsoft Managed Control 1320 - Authenticator Management 1.0.0
Identification and Authentication IA-5 Authenticator Management Microsoft Managed Control 1321 - Authenticator Management 1.0.0
Identification and Authentication IA-5 Authenticator Management Microsoft Managed Control 1322 - Authenticator Management 1.0.0
Identification and Authentication IA-5 Authenticator Management Microsoft Managed Control 1323 - Authenticator Management 1.0.0
Identification and Authentication IA-5 Authenticator Management Microsoft Managed Control 1324 - Authenticator Management 1.0.0
Identification and Authentication IA-5 Authenticator Management Microsoft Managed Control 1325 - Authenticator Management 1.0.0
Identification and Authentication IA-5 Authenticator Management Microsoft Managed Control 1326 - Authenticator Management 1.0.0
Identification and Authentication IA-5 (1) Password-based Authentication Microsoft Managed Control 1327 - Authenticator Management | Password-Based Authentication 1.0.0
Identification and Authentication IA-5 (1) Password-based Authentication Microsoft Managed Control 1328 - Authenticator Management | Password-Based Authentication 1.0.0
Identification and Authentication IA-5 (1) Password-based Authentication Microsoft Managed Control 1329 - Authenticator Management | Password-Based Authentication 1.0.0
Identification and Authentication IA-5 (1) Password-based Authentication Microsoft Managed Control 1330 - Authenticator Management | Password-Based Authentication 1.0.0
Identification and Authentication IA-5 (1) Password-based Authentication Microsoft Managed Control 1331 - Authenticator Management | Password-Based Authentication 1.0.0
Identification and Authentication IA-5 (1) Password-based Authentication Microsoft Managed Control 1332 - Authenticator Management | Password-Based Authentication 1.0.0
Identification and Authentication IA-5 (2) Pki-based Authentication Microsoft Managed Control 1333 - Authenticator Management | Pki-Based Authentication 1.0.0
Identification and Authentication IA-5 (2) Pki-based Authentication Microsoft Managed Control 1334 - Authenticator Management | Pki-Based Authentication 1.0.0
Identification and Authentication IA-5 (2) Pki-based Authentication Microsoft Managed Control 1335 - Authenticator Management | Pki-Based Authentication 1.0.0
Identification and Authentication IA-5 (2) Pki-based Authentication Microsoft Managed Control 1336 - Authenticator Management | Pki-Based Authentication 1.0.0
Identification and Authentication IA-5 (3) In-person or Trusted Third-party Registration Microsoft Managed Control 1337 - Authenticator Management | In-Person Or Trusted Third-Party Registration 1.0.0
Identification and Authentication IA-5 (4) Automated Support for Password Strength Determination Microsoft Managed Control 1338 - Authenticator Management | Automated Support For Password Strength Determination 1.0.0
Identification and Authentication IA-5 (6) Protection of Authenticators Microsoft Managed Control 1339 - Authenticator Management | Protection Of Authenticators 1.0.0
Identification and Authentication IA-5 (7) No Embedded Unencrypted Static Authenticators Microsoft Managed Control 1340 - Authenticator Management | No Embedded Unencrypted Static Authenticators 1.0.0
Identification and Authentication IA-5 (8) Multiple Information System Accounts Microsoft Managed Control 1341 - Authenticator Management | Multiple Information System Accounts 1.0.0
Identification and Authentication IA-5 (11) Hardware Token-based Authentication Microsoft Managed Control 1342 - Authenticator Management | Hardware Token-Based Authentication 1.0.0
Identification and Authentication IA-5 (13) Expiration of Cached Authenticators Microsoft Managed Control 1343 - Authenticator Management | Expiration Of Cached Authenticators 1.0.0
Identification and Authentication IA-6 Authenticator Feedback Microsoft Managed Control 1344 - Authenticator Feedback 1.0.0
Identification and Authentication IA-7 Cryptographic Module Authentication Microsoft Managed Control 1345 - Cryptographic Module Authentication 1.0.0
Identification and Authentication IA-8 Identification and Authentication (non-organizational Users) Microsoft Managed Control 1346 - Identification And Authentication (Non-Organizational Users) 1.0.0
Identification and Authentication IA-8 (1) Acceptance of PIV Credentials from Other Agencies Microsoft Managed Control 1347 - Identification And Authentication (Non-Org. Users) | Acceptance Of PIV Creds. From Other Agys. 1.0.0
Identification and Authentication IA-8 (2) Acceptance of Third-party Credentials Microsoft Managed Control 1348 - Identification And Authentication (Non-Org. Users) | Acceptance Of Third-Party Credentials 1.0.0
Identification and Authentication IA-8 (3) Use of Ficam-approved Products Microsoft Managed Control 1349 - Identification And Authentication (Non-Org. Users) | Use Of FICAM-Approved Products 1.0.0
Identification and Authentication IA-8 (4) Use of Ficam-issued Profiles Microsoft Managed Control 1350 - Identification And Authentication (Non-Org. Users) | Use Of FICAM-Issued Profiles 1.0.0
Incident Response IR-1 Incident Response Policy and Procedures Microsoft Managed Control 1351 - Incident Response Policy And Procedures 1.0.0
Incident Response IR-1 Incident Response Policy and Procedures Microsoft Managed Control 1352 - Incident Response Policy And Procedures 1.0.0
Incident Response IR-2 Incident Response Training Microsoft Managed Control 1353 - Incident Response Training 1.0.0
Incident Response IR-2 Incident Response Training Microsoft Managed Control 1354 - Incident Response Training 1.0.0
Incident Response IR-2 Incident Response Training Microsoft Managed Control 1355 - Incident Response Training 1.0.0
Incident Response IR-2 (1) Simulated Events Microsoft Managed Control 1356 - Incident Response Training | Simulated Events 1.0.0
Incident Response IR-2 (2) Automated Training Environments Microsoft Managed Control 1357 - Incident Response Training | Automated Training Environments 1.0.0
Incident Response IR-3 Incident Response Testing Microsoft Managed Control 1358 - Incident Response Testing 1.0.0
Incident Response IR-3 (2) Coordination with Related Plans Microsoft Managed Control 1359 - Incident Response Testing | Coordination With Related Plans 1.0.0
Incident Response IR-4 Incident Handling Azure Defender for App Service should be enabled 1.0.3
Incident Response IR-4 Incident Handling Azure Defender for Azure SQL Database servers should be enabled 1.0.2
Incident Response IR-4 Incident Handling Azure Defender for container registries should be enabled 1.0.3
Incident Response IR-4 Incident Handling Azure Defender for DNS should be enabled 1.0.0-preview
Incident Response IR-4 Incident Handling Azure Defender for Key Vault should be enabled 1.0.3
Incident Response IR-4 Incident Handling Azure Defender for Kubernetes should be enabled 1.0.3
Incident Response IR-4 Incident Handling Azure Defender for Resource Manager should be enabled 1.0.0
Incident Response IR-4 Incident Handling Azure Defender for servers should be enabled 1.0.3
Incident Response IR-4 Incident Handling Azure Defender for SQL servers on machines should be enabled 1.0.2
Incident Response IR-4 Incident Handling Azure Defender for Storage should be enabled 1.0.3
Incident Response IR-4 Incident Handling Email notification for high severity alerts should be enabled 1.0.1
Incident Response IR-4 Incident Handling Email notification to subscription owner for high severity alerts should be enabled 2.0.0
Incident Response IR-4 Incident Handling Microsoft Managed Control 1360 - Incident Handling 1.0.0
Incident Response IR-4 Incident Handling Microsoft Managed Control 1361 - Incident Handling 1.0.0
Incident Response IR-4 Incident Handling Microsoft Managed Control 1362 - Incident Handling 1.0.0
Incident Response IR-4 Incident Handling Subscriptions should have a contact email address for security issues 1.0.1
Incident Response IR-4 (1) Automated Incident Handling Processes Microsoft Managed Control 1363 - Incident Handling | Automated Incident Handling Processes 1.0.0
Incident Response IR-4 (2) Dynamic Reconfiguration Microsoft Managed Control 1364 - Incident Handling | Dynamic Reconfiguration 1.0.0
Incident Response IR-4 (3) Continuity of Operations Microsoft Managed Control 1365 - Incident Handling | Continuity Of Operations 1.0.0
Incident Response IR-4 (4) Information Correlation Microsoft Managed Control 1366 - Incident Handling | Information Correlation 1.0.0
Incident Response IR-4 (6) Insider Threats - Specific Capabilities Microsoft Managed Control 1367 - Incident Handling | Insider Threats - Specific Capabilities 1.0.0
Incident Response IR-4 (8) Correlation with External Organizations Microsoft Managed Control 1368 - Incident Handling | Correlation With External Organizations 1.0.0
Incident Response IR-5 Incident Monitoring Azure Defender for App Service should be enabled 1.0.3
Incident Response IR-5 Incident Monitoring Azure Defender for Azure SQL Database servers should be enabled 1.0.2
Incident Response IR-5 Incident Monitoring Azure Defender for container registries should be enabled 1.0.3
Incident Response IR-5 Incident Monitoring Azure Defender for DNS should be enabled 1.0.0-preview
Incident Response IR-5 Incident Monitoring Azure Defender for Key Vault should be enabled 1.0.3
Incident Response IR-5 Incident Monitoring Azure Defender for Kubernetes should be enabled 1.0.3
Incident Response IR-5 Incident Monitoring Azure Defender for Resource Manager should be enabled 1.0.0
Incident Response IR-5 Incident Monitoring Azure Defender for servers should be enabled 1.0.3
Incident Response IR-5 Incident Monitoring Azure Defender for SQL servers on machines should be enabled 1.0.2
Incident Response IR-5 Incident Monitoring Azure Defender for Storage should be enabled 1.0.3
Incident Response IR-5 Incident Monitoring Email notification for high severity alerts should be enabled 1.0.1
Incident Response IR-5 Incident Monitoring Email notification to subscription owner for high severity alerts should be enabled 2.0.0
Incident Response IR-5 Incident Monitoring Microsoft Managed Control 1369 - Incident Monitoring 1.0.0
Incident Response IR-5 Incident Monitoring Subscriptions should have a contact email address for security issues 1.0.1
Incident Response IR-5 (1) Automated Tracking / Data Collection / Analysis Microsoft Managed Control 1370 - Incident Monitoring | Automated Tracking / Data Collection / Analysis 1.0.0
Incident Response IR-6 Incident Reporting Microsoft Managed Control 1371 - Incident Reporting 1.0.0
Incident Response IR-6 Incident Reporting Microsoft Managed Control 1372 - Incident Reporting 1.0.0
Incident Response IR-6 (1) Automated Reporting Microsoft Managed Control 1373 - Incident Reporting | Automated Reporting 1.0.0
Incident Response IR-6 (2) Vulnerabilities Related to Incidents Email notification for high severity alerts should be enabled 1.0.1
Incident Response IR-6 (2) Vulnerabilities Related to Incidents Email notification to subscription owner for high severity alerts should be enabled 2.0.0
Incident Response IR-6 (2) Vulnerabilities Related to Incidents Subscriptions should have a contact email address for security issues 1.0.1
Incident Response IR-7 Incident Response Assistance Microsoft Managed Control 1374 - Incident Response Assistance 1.0.0
Incident Response IR-7 (1) Automation Support for Availability of Information / Support Microsoft Managed Control 1375 - Incident Response Assistance | Automation Support For Availability Of Information / Support 1.0.0
Incident Response IR-7 (2) Coordination with External Providers Microsoft Managed Control 1376 - Incident Response Assistance | Coordination With External Providers 1.0.0
Incident Response IR-7 (2) Coordination with External Providers Microsoft Managed Control 1377 - Incident Response Assistance | Coordination With External Providers 1.0.0
Incident Response IR-8 Incident Response Plan Microsoft Managed Control 1378 - Incident Response Plan 1.0.0
Incident Response IR-8 Incident Response Plan Microsoft Managed Control 1379 - Incident Response Plan 1.0.0
Incident Response IR-8 Incident Response Plan Microsoft Managed Control 1380 - Incident Response Plan 1.0.0
Incident Response IR-8 Incident Response Plan Microsoft Managed Control 1381 - Incident Response Plan 1.0.0
Incident Response IR-8 Incident Response Plan Microsoft Managed Control 1382 - Incident Response Plan 1.0.0
Incident Response IR-8 Incident Response Plan Microsoft Managed Control 1383 - Incident Response Plan 1.0.0
Incident Response IR-9 Information Spillage Response Microsoft Managed Control 1384 - Information Spillage Response 1.0.0
Incident Response IR-9 Information Spillage Response Microsoft Managed Control 1385 - Information Spillage Response 1.0.0
Incident Response IR-9 Information Spillage Response Microsoft Managed Control 1386 - Information Spillage Response 1.0.0
Incident Response IR-9 Information Spillage Response Microsoft Managed Control 1387 - Information Spillage Response 1.0.0
Incident Response IR-9 Information Spillage Response Microsoft Managed Control 1388 - Information Spillage Response 1.0.0
Incident Response IR-9 Information Spillage Response Microsoft Managed Control 1389 - Information Spillage Response 1.0.0
Incident Response IR-9 (1) Responsible Personnel Microsoft Managed Control 1390 - Information Spillage Response | Responsible Personnel 1.0.0
Incident Response IR-9 (2) Training Microsoft Managed Control 1391 - Information Spillage Response | Training 1.0.0
Incident Response IR-9 (3) Post-spill Operations Microsoft Managed Control 1392 - Information Spillage Response | Post-Spill Operations 1.0.0
Incident Response IR-9 (4) Exposure to Unauthorized Personnel Microsoft Managed Control 1393 - Information Spillage Response | Exposure To Unauthorized Personnel 1.0.0
Maintenance MA-1 System Maintenance Policy and Procedures Microsoft Managed Control 1394 - System Maintenance Policy And Procedures 1.0.0
Maintenance MA-1 System Maintenance Policy and Procedures Microsoft Managed Control 1395 - System Maintenance Policy And Procedures 1.0.0
Maintenance MA-2 Controlled Maintenance Microsoft Managed Control 1396 - Controlled Maintenance 1.0.0
Maintenance MA-2 Controlled Maintenance Microsoft Managed Control 1397 - Controlled Maintenance 1.0.0
Maintenance MA-2 Controlled Maintenance Microsoft Managed Control 1398 - Controlled Maintenance 1.0.0
Maintenance MA-2 Controlled Maintenance Microsoft Managed Control 1399 - Controlled Maintenance 1.0.0
Maintenance MA-2 Controlled Maintenance Microsoft Managed Control 1400 - Controlled Maintenance 1.0.0
Maintenance MA-2 Controlled Maintenance Microsoft Managed Control 1401 - Controlled Maintenance 1.0.0
Maintenance MA-2 (2) Automated Maintenance Activities Microsoft Managed Control 1402 - Controlled Maintenance | Automated Maintenance Activities 1.0.0
Maintenance MA-2 (2) Automated Maintenance Activities Microsoft Managed Control 1403 - Controlled Maintenance | Automated Maintenance Activities 1.0.0
Maintenance MA-3 Maintenance Tools Microsoft Managed Control 1404 - Maintenance Tools 1.0.0
Maintenance MA-3 (1) Inspect Tools Microsoft Managed Control 1405 - Maintenance Tools | Inspect Tools 1.0.0
Maintenance MA-3 (2) Inspect Media Microsoft Managed Control 1406 - Maintenance Tools | Inspect Media 1.0.0
Maintenance MA-3 (3) Prevent Unauthorized Removal Microsoft Managed Control 1407 - Maintenance Tools | Prevent Unauthorized Removal 1.0.0
Maintenance MA-3 (3) Prevent Unauthorized Removal Microsoft Managed Control 1408 - Maintenance Tools | Prevent Unauthorized Removal 1.0.0
Maintenance MA-3 (3) Prevent Unauthorized Removal Microsoft Managed Control 1409 - Maintenance Tools | Prevent Unauthorized Removal 1.0.0
Maintenance MA-3 (3) Prevent Unauthorized Removal Microsoft Managed Control 1410 - Maintenance Tools | Prevent Unauthorized Removal 1.0.0
Maintenance MA-4 Nonlocal Maintenance Microsoft Managed Control 1411 - Nonlocal Maintenance 1.0.0
Maintenance MA-4 Nonlocal Maintenance Microsoft Managed Control 1412 - Nonlocal Maintenance 1.0.0
Maintenance MA-4 Nonlocal Maintenance Microsoft Managed Control 1413 - Nonlocal Maintenance 1.0.0
Maintenance MA-4 Nonlocal Maintenance Microsoft Managed Control 1414 - Nonlocal Maintenance 1.0.0
Maintenance MA-4 Nonlocal Maintenance Microsoft Managed Control 1415 - Nonlocal Maintenance 1.0.0
Maintenance MA-4 (2) Document Nonlocal Maintenance Microsoft Managed Control 1416 - Nonlocal Maintenance | Document Nonlocal Maintenance 1.0.0
Maintenance MA-4 (3) Comparable Security / Sanitization Microsoft Managed Control 1417 - Nonlocal Maintenance | Comparable Security / Sanitization 1.0.0
Maintenance MA-4 (3) Comparable Security / Sanitization Microsoft Managed Control 1418 - Nonlocal Maintenance | Comparable Security / Sanitization 1.0.0
Maintenance MA-4 (6) Cryptographic Protection Microsoft Managed Control 1419 - Nonlocal Maintenance | Cryptographic Protection 1.0.0
Maintenance MA-5 Maintenance Personnel Microsoft Managed Control 1420 - Maintenance Personnel 1.0.0
Maintenance MA-5 Maintenance Personnel Microsoft Managed Control 1421 - Maintenance Personnel 1.0.0
Maintenance MA-5 Maintenance Personnel Microsoft Managed Control 1422 - Maintenance Personnel 1.0.0
Maintenance MA-5 (1) Individuals Without Appropriate Access Microsoft Managed Control 1423 - Maintenance Personnel | Individuals Without Appropriate Access 1.0.0
Maintenance MA-5 (1) Individuals Without Appropriate Access Microsoft Managed Control 1424 - Maintenance Personnel | Individuals Without Appropriate Access 1.0.0
Maintenance MA-6 Timely Maintenance Microsoft Managed Control 1425 - Timely Maintenance 1.0.0
Media Protection MP-1 Media Protection Policy and Procedures Microsoft Managed Control 1426 - Media Protection Policy And Procedures 1.0.0
Media Protection MP-1 Media Protection Policy and Procedures Microsoft Managed Control 1427 - Media Protection Policy And Procedures 1.0.0
Media Protection MP-2 Media Access Microsoft Managed Control 1428 - Media Access 1.0.0
Media Protection MP-3 Media Marking Microsoft Managed Control 1429 - Media Marking 1.0.0
Media Protection MP-3 Media Marking Microsoft Managed Control 1430 - Media Marking 1.0.0
Media Protection MP-4 Media Storage Microsoft Managed Control 1431 - Media Storage 1.0.0
Media Protection MP-4 Media Storage Microsoft Managed Control 1432 - Media Storage 1.0.0
Media Protection MP-5 Media Transport Microsoft Managed Control 1433 - Media Transport 1.0.0
Media Protection MP-5 Media Transport Microsoft Managed Control 1434 - Media Transport 1.0.0
Media Protection MP-5 Media Transport Microsoft Managed Control 1435 - Media Transport 1.0.0
Media Protection MP-5 Media Transport Microsoft Managed Control 1436 - Media Transport 1.0.0
Media Protection MP-5 (4) Cryptographic Protection Microsoft Managed Control 1437 - Media Transport | Cryptographic Protection 1.0.0
Media Protection MP-6 Media Sanitization Microsoft Managed Control 1438 - Media Sanitization 1.0.0
Media Protection MP-6 Media Sanitization Microsoft Managed Control 1439 - Media Sanitization 1.0.0
Media Protection MP-6 (1) Review / Approve / Track / Document / Verify Microsoft Managed Control 1440 - Media Sanitization | Review / Approve / Track / Document / Verify 1.0.0
Media Protection MP-6 (2) Equipment Testing Microsoft Managed Control 1441 - Media Sanitization | Equipment Testing 1.0.0
Media Protection MP-6 (3) Nondestructive Techniques Microsoft Managed Control 1442 - Media Sanitization | Nondestructive Techniques 1.0.0
Media Protection MP-7 Media Use Microsoft Managed Control 1443 - Media Use 1.0.0
Media Protection MP-7 (1) Prohibit Use Without Owner Microsoft Managed Control 1444 - Media Use | Prohibit Use Without Owner 1.0.0
Physical and Environmental Protection PE-1 Physical and Environmental Protection Policy and Procedures Microsoft Managed Control 1445 - Physical And Environmental Protection Policy And Procedures 1.0.0
Physical and Environmental Protection PE-1 Physical and Environmental Protection Policy and Procedures Microsoft Managed Control 1446 - Physical And Environmental Protection Policy And Procedures 1.0.0
Physical and Environmental Protection PE-2 Physical Access Authorizations Microsoft Managed Control 1447 - Physical Access Authorizations 1.0.0
Physical and Environmental Protection PE-2 Physical Access Authorizations Microsoft Managed Control 1448 - Physical Access Authorizations 1.0.0
Physical and Environmental Protection PE-2 Physical Access Authorizations Microsoft Managed Control 1449 - Physical Access Authorizations 1.0.0
Physical and Environmental Protection PE-2 Physical Access Authorizations Microsoft Managed Control 1450 - Physical Access Authorizations 1.0.0
Physical and Environmental Protection PE-3 Physical Access Control Microsoft Managed Control 1451 - Physical Access Control 1.0.0
Physical and Environmental Protection PE-3 Physical Access Control Microsoft Managed Control 1452 - Physical Access Control 1.0.0
Physical and Environmental Protection PE-3 Physical Access Control Microsoft Managed Control 1453 - Physical Access Control 1.0.0
Physical and Environmental Protection PE-3 Physical Access Control Microsoft Managed Control 1454 - Physical Access Control 1.0.0
Physical and Environmental Protection PE-3 Physical Access Control Microsoft Managed Control 1455 - Physical Access Control 1.0.0
Physical and Environmental Protection PE-3 Physical Access Control Microsoft Managed Control 1456 - Physical Access Control 1.0.0
Physical and Environmental Protection PE-3 Physical Access Control Microsoft Managed Control 1457 - Physical Access Control 1.0.0
Physical and Environmental Protection PE-3 (1) Information System Access Microsoft Managed Control 1458 - Physical Access Control | Information System Access 1.0.0
Physical and Environmental Protection PE-4 Access Control for Transmission Medium Microsoft Managed Control 1459 - Access Control For Transmission Medium 1.0.0
Physical and Environmental Protection PE-5 Access Control for Output Devices Microsoft Managed Control 1460 - Access Control For Output Devices 1.0.0
Physical and Environmental Protection PE-6 Monitoring Physical Access Microsoft Managed Control 1461 - Monitoring Physical Access 1.0.0
Physical and Environmental Protection PE-6 Monitoring Physical Access Microsoft Managed Control 1462 - Monitoring Physical Access 1.0.0
Physical and Environmental Protection PE-6 Monitoring Physical Access Microsoft Managed Control 1463 - Monitoring Physical Access 1.0.0
Physical and Environmental Protection PE-6 (1) Intrusion Alarms / Surveillance Equipment Microsoft Managed Control 1464 - Monitoring Physical Access | Intrusion Alarms / Surveillance Equipment 1.0.0
Physical and Environmental Protection PE-6 (4) Monitoring Physical Access to Information Systems Microsoft Managed Control 1465 - Monitoring Physical Access | Monitoring Physical Access To Information Systems 1.0.0
Physical and Environmental Protection PE-8 Visitor Access Records Microsoft Managed Control 1466 - Visitor Access Records 1.0.0
Physical and Environmental Protection PE-8 Visitor Access Records Microsoft Managed Control 1467 - Visitor Access Records 1.0.0
Physical and Environmental Protection PE-8 (1) Automated Records Maintenance / Review Microsoft Managed Control 1468 - Visitor Access Records | Automated Records Maintenance / Review 1.0.0
Physical and Environmental Protection PE-9 Power Equipment and Cabling Microsoft Managed Control 1469 - Power Equipment And Cabling 1.0.0
Physical and Environmental Protection PE-10 Emergency Shutoff Microsoft Managed Control 1470 - Emergency Shutoff 1.0.0
Physical and Environmental Protection PE-10 Emergency Shutoff Microsoft Managed Control 1471 - Emergency Shutoff 1.0.0
Physical and Environmental Protection PE-10 Emergency Shutoff Microsoft Managed Control 1472 - Emergency Shutoff 1.0.0
Physical and Environmental Protection PE-11 Emergency Power Microsoft Managed Control 1473 - Emergency Power 1.0.0
Physical and Environmental Protection PE-11 (1) Long-term Alternate Power Supply - Minimal Operational Capability Microsoft Managed Control 1474 - Emergency Power | Long-Term Alternate Power Supply - Minimal Operational Capability 1.0.0
Physical and Environmental Protection PE-12 Emergency Lighting Microsoft Managed Control 1475 - Emergency Lighting 1.0.0
Physical and Environmental Protection PE-13 Fire Protection Microsoft Managed Control 1476 - Fire Protection 1.0.0
Physical and Environmental Protection PE-13 (1) Detection Devices / Systems Microsoft Managed Control 1477 - Fire Protection | Detection Devices / Systems 1.0.0
Physical and Environmental Protection PE-13 (2) Suppression Devices / Systems Microsoft Managed Control 1478 - Fire Protection | Suppression Devices / Systems 1.0.0
Physical and Environmental Protection PE-13 (3) Automatic Fire Suppression Microsoft Managed Control 1479 - Fire Protection | Automatic Fire Suppression 1.0.0
Physical and Environmental Protection PE-14 Temperature and Humidity Controls Microsoft Managed Control 1480 - Temperature And Humidity Controls 1.0.0
Physical and Environmental Protection PE-14 Temperature and Humidity Controls Microsoft Managed Control 1481 - Temperature And Humidity Controls 1.0.0
Physical and Environmental Protection PE-14 (2) Monitoring with Alarms / Notifications Microsoft Managed Control 1482 - Temperature And Humidity Controls | Monitoring With Alarms / Notifications 1.0.0
Physical and Environmental Protection PE-15 Water Damage Protection Microsoft Managed Control 1483 - Water Damage Protection 1.0.0
Physical and Environmental Protection PE-15 (1) Automation Support Microsoft Managed Control 1484 - Water Damage Protection | Automation Support 1.0.0
Physical and Environmental Protection PE-16 Delivery and Removal Microsoft Managed Control 1485 - Delivery And Removal 1.0.0
Physical and Environmental Protection PE-17 Alternate Work Site Microsoft Managed Control 1486 - Alternate Work Site 1.0.0
Physical and Environmental Protection PE-17 Alternate Work Site Microsoft Managed Control 1487 - Alternate Work Site 1.0.0
Physical and Environmental Protection PE-17 Alternate Work Site Microsoft Managed Control 1488 - Alternate Work Site 1.0.0
Physical and Environmental Protection PE-18 Location of Information System Components Microsoft Managed Control 1489 - Location Of Information System Components 1.0.0
Planning PL-1 Security Planning Policy and Procedures Microsoft Managed Control 1490 - Security Planning Policy And Procedures 1.0.0
Planning PL-1 Security Planning Policy and Procedures Microsoft Managed Control 1491 - Security Planning Policy And Procedures 1.0.0
Planning PL-2 System Security Plan Microsoft Managed Control 1492 - System Security Plan 1.0.0
Planning PL-2 System Security Plan Microsoft Managed Control 1493 - System Security Plan 1.0.0
Planning PL-2 System Security Plan Microsoft Managed Control 1494 - System Security Plan 1.0.0
Planning PL-2 System Security Plan Microsoft Managed Control 1495 - System Security Plan 1.0.0
Planning PL-2 System Security Plan Microsoft Managed Control 1496 - System Security Plan 1.0.0
Planning PL-2 (3) Plan / Coordinate with Other Organizational Entities Microsoft Managed Control 1497 - System Security Plan | Plan / Coordinate With Other Organizational Entities 1.0.0
Planning PL-4 Rules of Behavior Microsoft Managed Control 1498 - Rules Of Behavior 1.0.0
Planning PL-4 Rules of Behavior Microsoft Managed Control 1499 - Rules Of Behavior 1.0.0
Planning PL-4 Rules of Behavior Microsoft Managed Control 1500 - Rules Of Behavior 1.0.0
Planning PL-4 Rules of Behavior Microsoft Managed Control 1501 - Rules Of Behavior 1.0.0
Planning PL-4 (1) Social Media and Networking Restrictions Microsoft Managed Control 1502 - Rules Of Behavior | Social Media And Networking Restrictions 1.0.0
Planning PL-8 Information Security Architecture Microsoft Managed Control 1503 - Information Security Architecture 1.0.0
Planning PL-8 Information Security Architecture Microsoft Managed Control 1504 - Information Security Architecture 1.0.0
Planning PL-8 Information Security Architecture Microsoft Managed Control 1505 - Information Security Architecture 1.0.0
Personnel Security PS-1 Personnel Security Policy and Procedures Microsoft Managed Control 1506 - Personnel Security Policy And Procedures 1.0.0
Personnel Security PS-1 Personnel Security Policy and Procedures Microsoft Managed Control 1507 - Personnel Security Policy And Procedures 1.0.0
Personnel Security PS-2 Position Risk Designation Microsoft Managed Control 1508 - Position Risk Designation 1.0.0
Personnel Security PS-2 Position Risk Designation Microsoft Managed Control 1509 - Position Risk Designation 1.0.0
Personnel Security PS-2 Position Risk Designation Microsoft Managed Control 1510 - Position Risk Designation 1.0.0
Personnel Security PS-3 Personnel Screening Microsoft Managed Control 1511 - Personnel Screening 1.0.0
Personnel Security PS-3 Personnel Screening Microsoft Managed Control 1512 - Personnel Screening 1.0.0
Personnel Security PS-3 (3) Information with Special Protection Measures Microsoft Managed Control 1513 - Personnel Screening | Information With Special Protection Measures 1.0.0
Personnel Security PS-3 (3) Information with Special Protection Measures Microsoft Managed Control 1514 - Personnel Screening | Information With Special Protection Measures 1.0.0
Personnel Security PS-4 Personnel Termination Microsoft Managed Control 1515 - Personnel Termination 1.0.0
Personnel Security PS-4 Personnel Termination Microsoft Managed Control 1516 - Personnel Termination 1.0.0
Personnel Security PS-4 Personnel Termination Microsoft Managed Control 1517 - Personnel Termination 1.0.0
Personnel Security PS-4 Personnel Termination Microsoft Managed Control 1518 - Personnel Termination 1.0.0
Personnel Security PS-4 Personnel Termination Microsoft Managed Control 1519 - Personnel Termination 1.0.0
Personnel Security PS-4 Personnel Termination Microsoft Managed Control 1520 - Personnel Termination 1.0.0
Personnel Security PS-4 (2) Automated Notification Microsoft Managed Control 1521 - Personnel Termination | Automated Notification 1.0.0
Personnel Security PS-5 Personnel Transfer Microsoft Managed Control 1522 - Personnel Transfer 1.0.0
Personnel Security PS-5 Personnel Transfer Microsoft Managed Control 1523 - Personnel Transfer 1.0.0
Personnel Security PS-5 Personnel Transfer Microsoft Managed Control 1524 - Personnel Transfer 1.0.0
Personnel Security PS-5 Personnel Transfer Microsoft Managed Control 1525 - Personnel Transfer 1.0.0
Personnel Security PS-6 Access Agreements Microsoft Managed Control 1526 - Access Agreements 1.0.0
Personnel Security PS-6 Access Agreements Microsoft Managed Control 1527 - Access Agreements 1.0.0
Personnel Security PS-6 Access Agreements Microsoft Managed Control 1528 - Access Agreements 1.0.0
Personnel Security PS-7 Third-party Personnel Security Microsoft Managed Control 1529 - Third-Party Personnel Security 1.0.0
Personnel Security PS-7 Third-party Personnel Security Microsoft Managed Control 1530 - Third-Party Personnel Security 1.0.0
Personnel Security PS-7 Third-party Personnel Security Microsoft Managed Control 1531 - Third-Party Personnel Security 1.0.0
Personnel Security PS-7 Third-party Personnel Security Microsoft Managed Control 1532 - Third-Party Personnel Security 1.0.0
Personnel Security PS-7 Third-party Personnel Security Microsoft Managed Control 1533 - Third-Party Personnel Security 1.0.0
Personnel Security PS-8 Personnel Sanctions Microsoft Managed Control 1534 - Personnel Sanctions 1.0.0
Personnel Security PS-8 Personnel Sanctions Microsoft Managed Control 1535 - Personnel Sanctions 1.0.0
Risk Assessment RA-1 Risk Assessment Policy and Procedures Microsoft Managed Control 1536 - Risk Assessment Policy And Procedures 1.0.0
Risk Assessment RA-1 Risk Assessment Policy and Procedures Microsoft Managed Control 1537 - Risk Assessment Policy And Procedures 1.0.0
Risk Assessment RA-2 Security Categorization Microsoft Managed Control 1538 - Security Categorization 1.0.0
Risk Assessment RA-2 Security Categorization Microsoft Managed Control 1539 - Security Categorization 1.0.0
Risk Assessment RA-2 Security Categorization Microsoft Managed Control 1540 - Security Categorization 1.0.0
Risk Assessment RA-3 Risk Assessment Microsoft Managed Control 1541 - Risk Assessment 1.0.0
Risk Assessment RA-3 Risk Assessment Microsoft Managed Control 1542 - Risk Assessment 1.0.0
Risk Assessment RA-3 Risk Assessment Microsoft Managed Control 1543 - Risk Assessment 1.0.0
Risk Assessment RA-3 Risk Assessment Microsoft Managed Control 1544 - Risk Assessment 1.0.0
Risk Assessment RA-3 Risk Assessment Microsoft Managed Control 1545 - Risk Assessment 1.0.0
Risk Assessment RA-5 Vulnerability Scanning Azure Defender for App Service should be enabled 1.0.3
Risk Assessment RA-5 Vulnerability Scanning Azure Defender for Azure SQL Database servers should be enabled 1.0.2
Risk Assessment RA-5 Vulnerability Scanning Azure Defender for container registries should be enabled 1.0.3
Risk Assessment RA-5 Vulnerability Scanning Azure Defender for DNS should be enabled 1.0.0-preview
Risk Assessment RA-5 Vulnerability Scanning Azure Defender for Key Vault should be enabled 1.0.3
Risk Assessment RA-5 Vulnerability Scanning Azure Defender for Kubernetes should be enabled 1.0.3
Risk Assessment RA-5 Vulnerability Scanning Azure Defender for Resource Manager should be enabled 1.0.0
Risk Assessment RA-5 Vulnerability Scanning Azure Defender for servers should be enabled 1.0.3
Risk Assessment RA-5 Vulnerability Scanning Azure Defender for SQL servers on machines should be enabled 1.0.2
Risk Assessment RA-5 Vulnerability Scanning Azure Defender for Storage should be enabled 1.0.3
Risk Assessment RA-5 Vulnerability Scanning Microsoft Managed Control 1546 - Vulnerability Scanning 1.0.0
Risk Assessment RA-5 Vulnerability Scanning Microsoft Managed Control 1547 - Vulnerability Scanning 1.0.0
Risk Assessment RA-5 Vulnerability Scanning Microsoft Managed Control 1548 - Vulnerability Scanning 1.0.0
Risk Assessment RA-5 Vulnerability Scanning Microsoft Managed Control 1549 - Vulnerability Scanning 1.0.0
Risk Assessment RA-5 Vulnerability Scanning Microsoft Managed Control 1550 - Vulnerability Scanning 1.0.0
Risk Assessment RA-5 (1) Update Tool Capability Microsoft Managed Control 1551 - Vulnerability Scanning | Update Tool Capability 1.0.0
Risk Assessment RA-5 (2) Update by Frequency / Prior to New Scan / When Identified Microsoft Managed Control 1552 - Vulnerability Scanning | Update By Frequency / Prior To New Scan / When Identified 1.0.0
Risk Assessment RA-5 (3) Breadth / Depth of Coverage Microsoft Managed Control 1553 - Vulnerability Scanning | Breadth / Depth Of Coverage 1.0.0
Risk Assessment RA-5 (4) Discoverable Information Microsoft Managed Control 1554 - Vulnerability Scanning | Discoverable Information 1.0.0
Risk Assessment RA-5 (5) Privileged Access Microsoft Managed Control 1555 - Vulnerability Scanning | Privileged Access 1.0.0
Risk Assessment RA-5 (6) Automated Trend Analyses Microsoft Managed Control 1556 - Vulnerability Scanning | Automated Trend Analyses 1.0.0
Risk Assessment RA-5 (8) Review Historic Audit Logs Microsoft Managed Control 1557 - Vulnerability Scanning | Review Historic Audit Logs 1.0.0
Risk Assessment RA-5 (10) Correlate Scanning Information Microsoft Managed Control 1558 - Vulnerability Scanning | Correlate Scanning Information 1.0.0
System and Services Acquisition SA-1 System and Services Acquisition Policy and Procedures Microsoft Managed Control 1559 - System And Services Acquisition Policy And Procedures 1.0.0
System and Services Acquisition SA-1 System and Services Acquisition Policy and Procedures Microsoft Managed Control 1560 - System And Services Acquisition Policy And Procedures 1.0.0
System and Services Acquisition SA-2 Allocation of Resources Microsoft Managed Control 1561 - Allocation Of Resources 1.0.0
System and Services Acquisition SA-2 Allocation of Resources Microsoft Managed Control 1562 - Allocation Of Resources 1.0.0
System and Services Acquisition SA-2 Allocation of Resources Microsoft Managed Control 1563 - Allocation Of Resources 1.0.0
System and Services Acquisition SA-3 System Development Life Cycle Microsoft Managed Control 1564 - System Development Life Cycle 1.0.0
System and Services Acquisition SA-3 System Development Life Cycle Microsoft Managed Control 1565 - System Development Life Cycle 1.0.0
System and Services Acquisition SA-3 System Development Life Cycle Microsoft Managed Control 1566 - System Development Life Cycle 1.0.0
System and Services Acquisition SA-3 System Development Life Cycle Microsoft Managed Control 1567 - System Development Life Cycle 1.0.0
System and Services Acquisition SA-4 Acquisition Process Microsoft Managed Control 1568 - Acquisition Process 1.0.0
System and Services Acquisition SA-4 Acquisition Process Microsoft Managed Control 1569 - Acquisition Process 1.0.0
System and Services Acquisition SA-4 Acquisition Process Microsoft Managed Control 1570 - Acquisition Process 1.0.0
System and Services Acquisition SA-4 Acquisition Process Microsoft Managed Control 1571 - Acquisition Process 1.0.0
System and Services Acquisition SA-4 Acquisition Process Microsoft Managed Control 1572 - Acquisition Process 1.0.0
System and Services Acquisition SA-4 Acquisition Process Microsoft Managed Control 1573 - Acquisition Process 1.0.0
System and Services Acquisition SA-4 Acquisition Process Microsoft Managed Control 1574 - Acquisition Process 1.0.0
System and Services Acquisition SA-4 (1) Functional Properties of Security Controls Microsoft Managed Control 1575 - Acquisition Process | Functional Properties Of Security Controls 1.0.0
System and Services Acquisition SA-4 (2) Design / Implementation Information for Security Controls Microsoft Managed Control 1576 - Acquisition Process | Design / Implementation Information For Security Controls 1.0.0
System and Services Acquisition SA-4 (8) Continuous Monitoring Plan Microsoft Managed Control 1577 - Acquisition Process | Continuous Monitoring Plan 1.0.0
System and Services Acquisition SA-4 (9) Functions / Ports / Protocols / Services in Use Microsoft Managed Control 1578 - Acquisition Process | Functions / Ports / Protocols / Services In Use 1.0.0
System and Services Acquisition SA-4 (10) Use of Approved PIV Products Microsoft Managed Control 1579 - Acquisition Process | Use Of Approved Piv Products 1.0.0
System and Services Acquisition SA-5 Information System Documentation Microsoft Managed Control 1580 - Information System Documentation 1.0.0
System and Services Acquisition SA-5 Information System Documentation Microsoft Managed Control 1581 - Information System Documentation 1.0.0
System and Services Acquisition SA-5 Information System Documentation Microsoft Managed Control 1582 - Information System Documentation 1.0.0
System and Services Acquisition SA-5 Information System Documentation Microsoft Managed Control 1583 - Information System Documentation 1.0.0
System and Services Acquisition SA-5 Information System Documentation Microsoft Managed Control 1584 - Information System Documentation 1.0.0
System and Services Acquisition SA-8 Security Engineering Principles Microsoft Managed Control 1585 - Security Engineering Principles 1.0.0
System and Services Acquisition SA-9 External Information System Services Microsoft Managed Control 1586 - External Information System Services 1.0.0
System and Services Acquisition SA-9 External Information System Services Microsoft Managed Control 1587 - External Information System Services 1.0.0
System and Services Acquisition SA-9 External Information System Services Microsoft Managed Control 1588 - External Information System Services 1.0.0
System and Services Acquisition SA-9 (1) Risk Assessments / Organizational Approvals Microsoft Managed Control 1589 - External Information System Services | Risk Assessments / Organizational Approvals 1.0.0
System and Services Acquisition SA-9 (1) Risk Assessments / Organizational Approvals Microsoft Managed Control 1590 - External Information System Services | Risk Assessments / Organizational Approvals 1.0.0
System and Services Acquisition SA-9 (2) Identification of Functions / Ports / Protocols / Services Microsoft Managed Control 1591 - External Information System Services | Ident. Of Functions / Ports / Protocols / Services 1.0.0
System and Services Acquisition SA-9 (4) Consistent Interests of Consumers and Providers Microsoft Managed Control 1592 - External Information System Services | Consistent Interests Of Consumers And Providers 1.0.0
System and Services Acquisition SA-9 (5) Processing, Storage, and Service Location Microsoft Managed Control 1593 - External Information System Services | Processing, Storage, And Service Location 1.0.0
System and Services Acquisition SA-10 Developer Configuration Management Microsoft Managed Control 1594 - Developer Configuration Management 1.0.0
System and Services Acquisition SA-10 Developer Configuration Management Microsoft Managed Control 1595 - Developer Configuration Management 1.0.0
System and Services Acquisition SA-10 Developer Configuration Management Microsoft Managed Control 1596 - Developer Configuration Management 1.0.0
System and Services Acquisition SA-10 Developer Configuration Management Microsoft Managed Control 1597 - Developer Configuration Management 1.0.0
System and Services Acquisition SA-10 Developer Configuration Management Microsoft Managed Control 1598 - Developer Configuration Management 1.0.0
System and Services Acquisition SA-10 (1) Software / Firmware Integrity Verification Microsoft Managed Control 1599 - Developer Configuration Management | Software / Firmware Integrity Verification 1.0.0
System and Services Acquisition SA-11 Developer Security Testing and Evaluation Microsoft Managed Control 1600 - Developer Security Testing And Evaluation 1.0.0
System and Services Acquisition SA-11 Developer Security Testing and Evaluation Microsoft Managed Control 1601 - Developer Security Testing And Evaluation 1.0.0
System and Services Acquisition SA-11 Developer Security Testing and Evaluation Microsoft Managed Control 1602 - Developer Security Testing And Evaluation 1.0.0
System and Services Acquisition SA-11 Developer Security Testing and Evaluation Microsoft Managed Control 1603 - Developer Security Testing And Evaluation 1.0.0
System and Services Acquisition SA-11 Developer Security Testing and Evaluation Microsoft Managed Control 1604 - Developer Security Testing And Evaluation 1.0.0
System and Services Acquisition SA-11 (1) Static Code Analysis Microsoft Managed Control 1605 - Developer Security Testing And Evaluation | Static Code Analysis 1.0.0
System and Services Acquisition SA-11 (2) Threat and Vulnerability Analyses Microsoft Managed Control 1606 - Developer Security Testing And Evaluation | Threat And Vulnerability Analyses 1.0.0
System and Services Acquisition SA-11 (8) Dynamic Code Analysis Microsoft Managed Control 1607 - Developer Security Testing And Evaluation | Dynamic Code Analysis 1.0.0
System and Services Acquisition SA-12 Supply Chain Protection Microsoft Managed Control 1608 - Supply Chain Protection 1.0.0
System and Services Acquisition SA-15 Development Process, Standards, and Tools Microsoft Managed Control 1609 - Development Process, Standards, And Tools 1.0.0
System and Services Acquisition SA-15 Development Process, Standards, and Tools Microsoft Managed Control 1610 - Development Process, Standards, And Tools 1.0.0
System and Services Acquisition SA-16 Developer-provided Training Microsoft Managed Control 1611 - Developer-Provided Training 1.0.0
System and Services Acquisition SA-17 Developer Security Architecture and Design Microsoft Managed Control 1612 - Developer Security Architecture And Design 1.0.0
System and Services Acquisition SA-17 Developer Security Architecture and Design Microsoft Managed Control 1613 - Developer Security Architecture And Design 1.0.0
System and Services Acquisition SA-17 Developer Security Architecture and Design Microsoft Managed Control 1614 - Developer Security Architecture And Design 1.0.0
System and Communications Protection SC-1 System and Communications Protection Policy and Procedures Microsoft Managed Control 1615 - System And Communications Protection Policy And Procedures 1.0.0
System and Communications Protection SC-1 System and Communications Protection Policy and Procedures Microsoft Managed Control 1616 - System And Communications Protection Policy And Procedures 1.0.0
System and Communications Protection SC-2 Application Partitioning Microsoft Managed Control 1617 - Application Partitioning 1.0.0
System and Communications Protection SC-3 Security Function Isolation Azure Defender for servers should be enabled 1.0.3
System and Communications Protection SC-3 Security Function Isolation Microsoft Managed Control 1618 - Security Function Isolation 1.0.0
System and Communications Protection SC-4 Information in Shared Resources Microsoft Managed Control 1619 - Information In Shared Resources 1.0.0
System and Communications Protection SC-5 Denial of Service Protection Microsoft Managed Control 1620 - Denial Of Service Protection 1.0.0
System and Communications Protection SC-6 Resource Availability Microsoft Managed Control 1621 - Resource Availability 1.0.0
System and Communications Protection SC-7 Boundary Protection Microsoft Managed Control 1622 - Boundary Protection 1.0.0
System and Communications Protection SC-7 Boundary Protection Microsoft Managed Control 1623 - Boundary Protection 1.0.0
System and Communications Protection SC-7 Boundary Protection Microsoft Managed Control 1624 - Boundary Protection 1.0.0
System and Communications Protection SC-7 (3) Access Points Microsoft Managed Control 1625 - Boundary Protection | Access Points 1.0.0
System and Communications Protection SC-7 (4) External Telecommunications Services Microsoft Managed Control 1626 - Boundary Protection | External Telecommunications Services 1.0.0
System and Communications Protection SC-7 (4) External Telecommunications Services Microsoft Managed Control 1627 - Boundary Protection | External Telecommunications Services 1.0.0
System and Communications Protection SC-7 (4) External Telecommunications Services Microsoft Managed Control 1628 - Boundary Protection | External Telecommunications Services 1.0.0
System and Communications Protection SC-7 (4) External Telecommunications Services Microsoft Managed Control 1629 - Boundary Protection | External Telecommunications Services 1.0.0
System and Communications Protection SC-7 (4) External Telecommunications Services Microsoft Managed Control 1630 - Boundary Protection | External Telecommunications Services 1.0.0
System and Communications Protection SC-7 (5) Deny by Default / Allow by Exception Microsoft Managed Control 1631 - Boundary Protection | Deny By Default / Allow By Exception 1.0.0
System and Communications Protection SC-7 (7) Prevent Split Tunneling for Remote Devices Microsoft Managed Control 1632 - Boundary Protection | Prevent Split Tunneling For Remote Devices 1.0.0
System and Communications Protection SC-7 (8) Route Traffic to Authenticated Proxy Servers Microsoft Managed Control 1633 - Boundary Protection | Route Traffic To Authenticated Proxy Servers 1.0.0
System and Communications Protection SC-7 (10) Prevent Unauthorized Exfiltration Microsoft Managed Control 1634 - Boundary Protection | Prevent Unauthorized Exfiltration 1.0.0
System and Communications Protection SC-7 (12) Host-based Protection Microsoft Managed Control 1635 - Boundary Protection | Host-Based Protection 1.0.0
System and Communications Protection SC-7 (13) Isolation of Security Tools / Mechanisms / Support Components Microsoft Managed Control 1636 - Boundary Protection | Isolation Of Security Tools / Mechanisms / Support Components 1.0.0
System and Communications Protection SC-7 (18) Fail Secure Microsoft Managed Control 1637 - Boundary Protection | Fail Secure 1.0.0
System and Communications Protection SC-7 (20) Dynamic Isolation / Segregation Microsoft Managed Control 1638 - Boundary Protection | Dynamic Isolation / Segregation 1.0.0
System and Communications Protection SC-7 (21) Isolation of Information System Components Microsoft Managed Control 1639 - Boundary Protection | Isolation Of Information System Components 1.0.0
System and Communications Protection SC-8 Transmission Confidentiality and Integrity Microsoft Managed Control 1640 - Transmission Confidentiality And Integrity 1.0.0
System and Communications Protection SC-8 (1) Cryptographic or Alternate Physical Protection Microsoft Managed Control 1641 - Transmission Confidentiality And Integrity | Cryptographic Or Alternate Physical Protection 1.0.0
System and Communications Protection SC-10 Network Disconnect Microsoft Managed Control 1642 - Network Disconnect 1.0.0
System and Communications Protection SC-12 Cryptographic Key Establishment and Management Microsoft Managed Control 1643 - Cryptographic Key Establishment And Management 1.0.0
System and Communications Protection SC-12 (1) Availability Microsoft Managed Control 1644 - Cryptographic Key Establishment And Management | Availability 1.0.0
System and Communications Protection SC-12 (2) Symmetric Keys Microsoft Managed Control 1645 - Cryptographic Key Establishment And Management | Symmetric Keys 1.0.0
System and Communications Protection SC-12 (3) Asymmetric Keys Microsoft Managed Control 1646 - Cryptographic Key Establishment And Management | Asymmetric Keys 1.0.0
System and Communications Protection SC-13 Cryptographic Protection Microsoft Managed Control 1647 - Cryptographic Protection 1.0.0
System and Communications Protection SC-15 Collaborative Computing Devices Microsoft Managed Control 1648 - Collaborative Computing Devices 1.0.0
System and Communications Protection SC-15 Collaborative Computing Devices Microsoft Managed Control 1649 - Collaborative Computing Devices 1.0.0
System and Communications Protection SC-17 Public Key Infrastructure Certificates Microsoft Managed Control 1650 - Public Key Infrastructure Certificates 1.0.0
System and Communications Protection SC-18 Mobile Code Microsoft Managed Control 1651 - Mobile Code 1.0.0
System and Communications Protection SC-18 Mobile Code Microsoft Managed Control 1652 - Mobile Code 1.0.0
System and Communications Protection SC-18 Mobile Code Microsoft Managed Control 1653 - Mobile Code 1.0.0
System and Communications Protection SC-19 Voice Over Internet Protocol Microsoft Managed Control 1654 - Voice Over Internet Protocol 1.0.0
System and Communications Protection SC-19 Voice Over Internet Protocol Microsoft Managed Control 1655 - Voice Over Internet Protocol 1.0.0
System and Communications Protection SC-20 Secure Name / Address Resolution Service (Authoritative Source) Microsoft Managed Control 1656 - Secure Name / Address Resolution Service (Authoritative Source) 1.0.0
System and Communications Protection SC-20 Secure Name / Address Resolution Service (Authoritative Source) Microsoft Managed Control 1657 - Secure Name / Address Resolution Service (Authoritative Source) 1.0.0
System and Communications Protection SC-21 Secure Name / Address Resolution Service (Recursive or Caching Resolver) Microsoft Managed Control 1658 - Secure Name / Address Resolution Service (Recursive Or Caching Resolver) 1.0.0
System and Communications Protection SC-22 Architecture and Provisioning for Name / Address Resolution Service Microsoft Managed Control 1659 - Architecture And Provisioning For Name / Address Resolution Service 1.0.0
System and Communications Protection SC-23 Session Authenticity Microsoft Managed Control 1660 - Session Authenticity 1.0.0
System and Communications Protection SC-23 (1) Invalidate Session Identifiers at Logout Microsoft Managed Control 1661 - Session Authenticity | Invalidate Session Identifiers At Logout 1.0.0
System and Communications Protection SC-24 Fail in Known State Microsoft Managed Control 1662 - Fail In Known State 1.0.0
System and Communications Protection SC-28 Protection of Information at Rest Microsoft Managed Control 1663 - Protection Of Information At Rest 1.0.0
System and Communications Protection SC-28 (1) Cryptographic Protection Microsoft Managed Control 1664 - Protection Of Information At Rest | Cryptographic Protection 1.0.0
System and Communications Protection SC-39 Process Isolation Microsoft Managed Control 1665 - Process Isolation 1.0.0
System and Information Integrity SI-1 System and Information Integrity Policy and Procedures Microsoft Managed Control 1666 - System And Information Integrity Policy And Procedures 1.0.0
System and Information Integrity SI-1 System and Information Integrity Policy and Procedures Microsoft Managed Control 1667 - System And Information Integrity Policy And Procedures 1.0.0
System and Information Integrity SI-2 Flaw Remediation Azure Defender for App Service should be enabled 1.0.3
System and Information Integrity SI-2 Flaw Remediation Azure Defender for Azure SQL Database servers should be enabled 1.0.2
System and Information Integrity SI-2 Flaw Remediation Azure Defender for container registries should be enabled 1.0.3
System and Information Integrity SI-2 Flaw Remediation Azure Defender for DNS should be enabled 1.0.0-preview
System and Information Integrity SI-2 Flaw Remediation Azure Defender for Key Vault should be enabled 1.0.3
System and Information Integrity SI-2 Flaw Remediation Azure Defender for Kubernetes should be enabled 1.0.3
System and Information Integrity SI-2 Flaw Remediation Azure Defender for Resource Manager should be enabled 1.0.0
System and Information Integrity SI-2 Flaw Remediation Azure Defender for servers should be enabled 1.0.3
System and Information Integrity SI-2 Flaw Remediation Azure Defender for SQL servers on machines should be enabled 1.0.2
System and Information Integrity SI-2 Flaw Remediation Azure Defender for Storage should be enabled 1.0.3
System and Information Integrity SI-2 Flaw Remediation Microsoft Managed Control 1668 - Flaw Remediation 1.0.0
System and Information Integrity SI-2 Flaw Remediation Microsoft Managed Control 1669 - Flaw Remediation 1.0.0
System and Information Integrity SI-2 Flaw Remediation Microsoft Managed Control 1670 - Flaw Remediation 1.0.0
System and Information Integrity SI-2 Flaw Remediation Microsoft Managed Control 1671 - Flaw Remediation 1.0.0
System and Information Integrity SI-2 (1) Central Management Microsoft Managed Control 1672 - Flaw Remediation | Central Management 1.0.0
System and Information Integrity SI-2 (2) Automated Flaw Remediation Status Microsoft Managed Control 1673 - Flaw Remediation | Automated Flaw Remediation Status 1.0.0
System and Information Integrity SI-2 (3) Time to Remediate Flaws / Benchmarks for Corrective Actions Microsoft Managed Control 1674 - Flaw Remediation | Time To Remediate Flaws / Benchmarks For Corrective Actions 1.0.0
System and Information Integrity SI-2 (3) Time to Remediate Flaws / Benchmarks for Corrective Actions Microsoft Managed Control 1675 - Flaw Remediation | Time To Remediate Flaws / Benchmarks For Corrective Actions 1.0.0
System and Information Integrity SI-3 Malicious Code Protection Azure Defender for servers should be enabled 1.0.3
System and Information Integrity SI-3 Malicious Code Protection Microsoft Managed Control 1676 - Malicious Code Protection 1.0.0
System and Information Integrity SI-3 Malicious Code Protection Microsoft Managed Control 1677 - Malicious Code Protection 1.0.0
System and Information Integrity SI-3 Malicious Code Protection Microsoft Managed Control 1678 - Malicious Code Protection 1.0.0
System and Information Integrity SI-3 Malicious Code Protection Microsoft Managed Control 1679 - Malicious Code Protection 1.0.0
System and Information Integrity SI-3 (1) Central Management Azure Defender for servers should be enabled 1.0.3
System and Information Integrity SI-3 (1) Central Management Microsoft Managed Control 1680 - Malicious Code Protection | Central Management 1.0.0
System and Information Integrity SI-3 (2) Automatic Updates Microsoft Managed Control 1681 - Malicious Code Protection | Automatic Updates 1.0.0
System and Information Integrity SI-3 (7) Nonsignature-based Detection Microsoft Managed Control 1682 - Malicious Code Protection | Nonsignature-Based Detection 1.0.0
System and Information Integrity SI-4 Information System Monitoring Auto provisioning of the Log Analytics agent should be enabled on your subscription 1.0.1
System and Information Integrity SI-4 Information System Monitoring Azure Defender for App Service should be enabled 1.0.3
System and Information Integrity SI-4 Information System Monitoring Azure Defender for Azure SQL Database servers should be enabled 1.0.2
System and Information Integrity SI-4 Information System Monitoring Azure Defender for container registries should be enabled 1.0.3
System and Information Integrity SI-4 Information System Monitoring Azure Defender for DNS should be enabled 1.0.0-preview
System and Information Integrity SI-4 Information System Monitoring Azure Defender for Key Vault should be enabled 1.0.3
System and Information Integrity SI-4 Information System Monitoring Azure Defender for Kubernetes should be enabled 1.0.3
System and Information Integrity SI-4 Information System Monitoring Azure Defender for Resource Manager should be enabled 1.0.0
System and Information Integrity SI-4 Information System Monitoring Azure Defender for servers should be enabled 1.0.3
System and Information Integrity SI-4 Information System Monitoring Azure Defender for SQL servers on machines should be enabled 1.0.2
System and Information Integrity SI-4 Information System Monitoring Azure Defender for Storage should be enabled 1.0.3
System and Information Integrity SI-4 Information System Monitoring Microsoft Managed Control 1683 - Information System Monitoring 1.0.0
System and Information Integrity SI-4 Information System Monitoring Microsoft Managed Control 1684 - Information System Monitoring 1.0.0
System and Information Integrity SI-4 Information System Monitoring Microsoft Managed Control 1685 - Information System Monitoring 1.0.0
System and Information Integrity SI-4 Information System Monitoring Microsoft Managed Control 1686 - Information System Monitoring 1.0.0
System and Information Integrity SI-4 Information System Monitoring Microsoft Managed Control 1687 - Information System Monitoring 1.0.0
System and Information Integrity SI-4 Information System Monitoring Microsoft Managed Control 1688 - Information System Monitoring 1.0.0
System and Information Integrity SI-4 Information System Monitoring Microsoft Managed Control 1689 - Information System Monitoring 1.0.0
System and Information Integrity SI-4 (1) System-wide Intrusion Detection System Microsoft Managed Control 1690 - Information System Monitoring | System-Wide Intrusion Detection System 1.0.0
System and Information Integrity SI-4 (2) Automated Tools for Real-time Analysis Microsoft Managed Control 1691 - Information System Monitoring | Automated Tools For Real-Time Analysis 1.0.0
System and Information Integrity SI-4 (4) Inbound and Outbound Communications Traffic Microsoft Managed Control 1692 - Information System Monitoring | Inbound And Outbound Communications Traffic 1.0.0
System and Information Integrity SI-4 (5) System-generated Alerts Microsoft Managed Control 1693 - Information System Monitoring | System-Generated Alerts 1.0.0
System and Information Integrity SI-4 (11) Analyze Communications Traffic Anomalies Microsoft Managed Control 1694 - Information System Monitoring | Analyze Communications Traffic Anomalies 1.0.0
System and Information Integrity SI-4 (12) Automated Alerts Email notification for high severity alerts should be enabled 1.0.1
System and Information Integrity SI-4 (12) Automated Alerts Email notification to subscription owner for high severity alerts should be enabled 2.0.0
System and Information Integrity SI-4 (12) Automated Alerts Subscriptions should have a contact email address for security issues 1.0.1
System and Information Integrity SI-4 (14) Wireless Intrusion Detection Microsoft Managed Control 1695 - Information System Monitoring | Wireless Intrusion Detection 1.0.0
System and Information Integrity SI-4 (16) Correlate Monitoring Information Microsoft Managed Control 1696 - Information System Monitoring | Correlate Monitoring Information 1.0.0
System and Information Integrity SI-4 (18) Analyze Traffic / Covert Exfiltration Microsoft Managed Control 1697 - Information System Monitoring | Analyze Traffic / Covert Exfiltration 1.0.0
System and Information Integrity SI-4 (19) Individuals Posing Greater Risk Microsoft Managed Control 1698 - Information System Monitoring | Individuals Posing Greater Risk 1.0.0
System and Information Integrity SI-4 (20) Privileged Users Microsoft Managed Control 1699 - Information System Monitoring | Privileged Users 1.0.0
System and Information Integrity SI-4 (22) Unauthorized Network Services Microsoft Managed Control 1700 - Information System Monitoring | Unauthorized Network Services 1.0.0
System and Information Integrity SI-4 (23) Host-based Devices Microsoft Managed Control 1701 - Information System Monitoring | Host-Based Devices 1.0.0
System and Information Integrity SI-4 (24) Indicators of Compromise Microsoft Managed Control 1702 - Information System Monitoring | Indicators Of Compromise 1.0.0
System and Information Integrity SI-5 Security Alerts, Advisories, and Directives Microsoft Managed Control 1703 - Security Alerts, Advisories, And Directives 1.0.0
System and Information Integrity SI-5 Security Alerts, Advisories, and Directives Microsoft Managed Control 1704 - Security Alerts, Advisories, And Directives 1.0.0
System and Information Integrity SI-5 Security Alerts, Advisories, and Directives Microsoft Managed Control 1705 - Security Alerts, Advisories, And Directives 1.0.0
System and Information Integrity SI-5 Security Alerts, Advisories, and Directives Microsoft Managed Control 1706 - Security Alerts, Advisories, And Directives 1.0.0
System and Information Integrity SI-5 (1) Automated Alerts and Advisories Microsoft Managed Control 1707 - Security Alerts, Advisories, And Directives | Automated Alerts And Advisories 1.0.0
System and Information Integrity SI-6 Security Function Verification Microsoft Managed Control 1708 - Security Function Verification 1.0.0
System and Information Integrity SI-6 Security Function Verification Microsoft Managed Control 1709 - Security Function Verification 1.0.0
System and Information Integrity SI-6 Security Function Verification Microsoft Managed Control 1710 - Security Function Verification 1.0.0
System and Information Integrity SI-6 Security Function Verification Microsoft Managed Control 1711 - Security Function Verification 1.0.0
System and Information Integrity SI-7 Software, Firmware, and Information Integrity Microsoft Managed Control 1712 - Software, Firmware, And Information Integrity 1.0.0
System and Information Integrity SI-7 (1) Integrity Checks Microsoft Managed Control 1713 - Software, Firmware, And Information Integrity | Integrity Checks 1.0.0
System and Information Integrity SI-7 (2) Automated Notifications of Integrity Violations Microsoft Managed Control 1714 - Software, Firmware, And Information Integrity | Automated Notifications Of Integrity Violations 1.0.0
System and Information Integrity SI-7 (5) Automated Response to Integrity Violations Microsoft Managed Control 1715 - Software, Firmware, And Information Integrity | Automated Response To Integrity Violations 1.0.0
System and Information Integrity SI-7 (7) Integration of Detection and Response Microsoft Managed Control 1716 - Software, Firmware, And Information Integrity | Integration Of Detection And Response 1.0.0
System and Information Integrity SI-7 (14) Binary or Machine Executable Code Microsoft Managed Control 1717 - Software, Firmware, And Information Integrity | Binary Or Machine Executable Code 1.0.0
System and Information Integrity SI-7 (14) Binary or Machine Executable Code Microsoft Managed Control 1718 - Software, Firmware, And Information Integrity | Binary Or Machine Executable Code 1.0.0
System and Information Integrity SI-8 Spam Protection Microsoft Managed Control 1719 - Spam Protection 1.0.0
System and Information Integrity SI-8 Spam Protection Microsoft Managed Control 1720 - Spam Protection 1.0.0
System and Information Integrity SI-8 (1) Central Management Microsoft Managed Control 1721 - Spam Protection | Central Management 1.0.0
System and Information Integrity SI-8 (2) Automatic Updates Microsoft Managed Control 1722 - Spam Protection | Automatic Updates 1.0.0
System and Information Integrity SI-10 Information Input Validation Microsoft Managed Control 1723 - Information Input Validation 1.0.0
System and Information Integrity SI-11 Error Handling Microsoft Managed Control 1724 - Error Handling 1.0.0
System and Information Integrity SI-11 Error Handling Microsoft Managed Control 1725 - Error Handling 1.0.0
System and Information Integrity SI-12 Information Handling and Retention Microsoft Managed Control 1726 - Information Handling And Retention 1.0.0
System and Information Integrity SI-16 Memory Protection Azure Defender for servers should be enabled 1.0.3
System and Information Integrity SI-16 Memory Protection Microsoft Managed Control 1727 - Memory Protection 1.0.0

NIST SP 800-53 Rev. 5

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - NIST SP 800-53 Rev. 5. For more information about this compliance standard, see NIST SP 800-53 Rev. 5.
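The rows below only tell you which built-in definitions Microsoft has mapped to each NIST control; they say nothing about whether your subscription actually passes them. The following Azure PowerShell script is an added example, not code from the Azure docs page or from Microsoft, showing one way to turn the table into a check: it resolves the NIST SP 800-53 Rev. 5 built-in initiative by display name, assigns it at subscription scope, forces a compliance scan, and then lists non-compliant resource counts per policy definition using the same display names that appear in the Policy column. The subscription ID, assignment name and identity region are placeholders (assumed values); the cmdlets come from the Az.Resources and Az.PolicyInsights modules.

```powershell
# Added example (not from the Azure docs page): assign the NIST SP 800-53 Rev. 5
# built-in initiative to one subscription and summarise non-compliance per
# policy definition, so the mappings in the table can be checked against a
# real environment. Requires Az.Accounts, Az.Resources and Az.PolicyInsights;
# run Connect-AzAccount first.
#
# Assumptions (not from the page): the subscription id, the assignment name and
# the region used for the assignment's managed identity are placeholders.
$subscriptionId  = '00000000-0000-0000-0000-000000000000'   # assumed
$assignmentName  = 'nist-800-53-r5'                          # assumed
$identityRegion  = 'eastus'                                  # assumed
$initiativeTitle = 'NIST SP 800-53 Rev. 5'                   # display name shown in the portal

Set-AzContext -SubscriptionId $subscriptionId | Out-Null
$scope = "/subscriptions/$subscriptionId"

# Az.Resources 7.x flattened the policy objects (DisplayName at top level);
# older versions nest them under .Properties. Read either shape.
function Get-PolicyProp([object]$obj, [string]$name) {
    if ($null -ne $obj.PSObject.Properties['Properties']) { return $obj.Properties.$name }
    return $obj.$name
}

# 1. Resolve the built-in initiative by display name rather than a hard-coded GUID,
#    so the script does not depend on an identifier that may differ per cloud.
$initiative = Get-AzPolicySetDefinition -Builtin |
    Where-Object { (Get-PolicyProp $_ 'DisplayName') -eq $initiativeTitle }
if (-not $initiative) { throw "Initiative '$initiativeTitle' not found among built-ins." }

# 2. Assign at subscription scope. The initiative contains DeployIfNotExists and
#    Modify definitions, so the assignment needs a managed identity. PowerShell
#    does NOT grant that identity the roles remediation tasks need (the portal
#    does); add them with New-AzRoleAssignment before creating remediation tasks.
$assignment = Get-AzPolicyAssignment -Name $assignmentName -Scope $scope -ErrorAction SilentlyContinue
if (-not $assignment) {
    $assignment = New-AzPolicyAssignment -Name $assignmentName `
        -DisplayName $initiativeTitle -Scope $scope `
        -PolicySetDefinition $initiative `
        -IdentityType 'SystemAssigned' -Location $identityRegion
}

# 3. Evaluation is periodic (and a fresh assignment is evaluated with a delay);
#    force a scan so the figures below are current. -PassThru blocks until the
#    scan finishes, which can take several minutes on a large subscription.
Start-AzPolicyComplianceScan -PassThru | Out-Null

# 4. Non-compliant records for this assignment, one line per policy definition,
#    mapped back to the display names used in the Policy column of the table.
$states = Get-AzPolicyState -SubscriptionId $subscriptionId `
    -Filter "ComplianceState eq 'NonCompliant' and PolicyAssignmentName eq '$assignmentName'"

$states | Group-Object PolicyDefinitionId | ForEach-Object {
    $def = Get-AzPolicyDefinition -Id $_.Name
    [pscustomobject]@{
        Policy          = Get-PolicyProp $def 'DisplayName'
        NonCompliant    = $_.Count
        ExampleResource = ($_.Group | Select-Object -First 1).ResourceId
    }
} | Sort-Object NonCompliant -Descending | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind when reading the output. First, a policy showing zero non-compliant resources means only that the listed built-in passed; as the note at the top of the page says, that is not the same as satisfying the NIST control it is mapped to, since most controls here are covered by "Microsoft Managed Control" entries that audit nothing in your tenant. Second, several of the definitions above (for example "Azure Defender for DNS should be enabled", version 1.0.0-preview) are preview policies; preview definitions can change parameters or be retired, so pin the version you reviewed when you document an assignment.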

Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub)
Access Control AC-2 Account Management A maximum of 3 owners should be designated for your subscription 3.0.0
Access Control AC-2 Account Management Deprecated accounts should be removed from your subscription 3.0.0
Access Control AC-2 Account Management Deprecated accounts with owner permissions should be removed from your subscription 3.0.0
Access Control AC-2 Account Management External accounts with owner permissions should be removed from your subscription 3.0.0
Access Control AC-2 Account Management External accounts with read permissions should be removed from your subscription 3.0.0
Access Control AC-2 Account Management External accounts with write permissions should be removed from your subscription 3.0.0
Access Control AC-2 (7) Privileged User Accounts Service principals should be used to protect your subscriptions instead of management certificates 1.0.0
Access Control AC-2 (12) Account Monitoring for Atypical Usage Azure Defender for App Service should be enabled 1.0.3
Access Control AC-2 (12) Account Monitoring for Atypical Usage Azure Defender for Azure SQL Database servers should be enabled 1.0.2
Access Control AC-2 (12) Account Monitoring for Atypical Usage Azure Defender for container registries should be enabled 1.0.3
Access Control AC-2 (12) Account Monitoring for Atypical Usage Azure Defender for DNS should be enabled 1.0.0-preview
Access Control AC-2 (12) Account Monitoring for Atypical Usage Azure Defender for Key Vault should be enabled 1.0.3
Access Control AC-2 (12) Account Monitoring for Atypical Usage Azure Defender for Kubernetes should be enabled 1.0.3
Access Control AC-2 (12) Account Monitoring for Atypical Usage Azure Defender for Resource Manager should be enabled 1.0.0
Access Control AC-2 (12) Account Monitoring for Atypical Usage Azure Defender for servers should be enabled 1.0.3
Access Control AC-2 (12) Account Monitoring for Atypical Usage Azure Defender for SQL servers on machines should be enabled 1.0.2
Access Control AC-2 (12) Account Monitoring for Atypical Usage Azure Defender for Storage should be enabled 1.0.3
Access Control AC-3 Access Enforcement MFA should be enabled accounts with write permissions on your subscription 3.0.0
Access Control AC-3 Access Enforcement MFA should be enabled on accounts with owner permissions on your subscription 3.0.0
Access Control AC-3 Access Enforcement MFA should be enabled on accounts with read permissions on your subscription 3.0.0
Access Control AC-5 Separation of Duties There should be more than one owner assigned to your subscription 3.0.0
Access Control AC-6 Least Privilege A maximum of 3 owners should be designated for your subscription 3.0.0
Access Control AC-6 (7) Review of User Privileges A maximum of 3 owners should be designated for your subscription 3.0.0
Audit and Accountability AU-6 Audit Record Review, Analysis, and Reporting Azure Defender for App Service should be enabled 1.0.3
Audit and Accountability AU-6 Audit Record Review, Analysis, and Reporting Azure Defender for Azure SQL Database servers should be enabled 1.0.2
Audit and Accountability AU-6 Audit Record Review, Analysis, and Reporting Azure Defender for container registries should be enabled 1.0.3
Audit and Accountability AU-6 Audit Record Review, Analysis, and Reporting Azure Defender for DNS should be enabled 1.0.0-preview
Audit and Accountability AU-6 Audit Record Review, Analysis, and Reporting Azure Defender for Key Vault should be enabled 1.0.3
Audit and Accountability AU-6 Audit Record Review, Analysis, and Reporting Azure Defender for Kubernetes should be enabled 1.0.3
Audit and Accountability AU-6 Audit Record Review, Analysis, and Reporting Azure Defender for Resource Manager should be enabled 1.0.0
Audit and Accountability AU-6 Audit Record Review, Analysis, and Reporting Azure Defender for servers should be enabled 1.0.3
Audit and Accountability AU-6 Audit Record Review, Analysis, and Reporting Azure Defender for SQL servers on machines should be enabled 1.0.2
Audit and Accountability AU-6 Audit Record Review, Analysis, and Reporting Azure Defender for Storage should be enabled 1.0.3
Audit and Accountability AU-6 (4) Central Review and Analysis Auto provisioning of the Log Analytics agent should be enabled on your subscription 1.0.1
Audit and Accountability AU-6 (4) Central Review and Analysis Azure Defender for App Service should be enabled 1.0.3
Audit and Accountability AU-6 (4) Central Review and Analysis Azure Defender for Azure SQL Database servers should be enabled 1.0.2
Audit and Accountability AU-6 (4) Central Review and Analysis Azure Defender for container registries should be enabled 1.0.3
Audit and Accountability AU-6 (4) Central Review and Analysis Azure Defender for DNS should be enabled 1.0.0-preview
Audit and Accountability AU-6 (4) Central Review and Analysis Azure Defender for Key Vault should be enabled 1.0.3
Audit and Accountability AU-6 (4) Central Review and Analysis Azure Defender for Kubernetes should be enabled 1.0.3
Audit and Accountability AU-6 (4) Central Review and Analysis Azure Defender for Resource Manager should be enabled 1.0.0
Audit and Accountability AU-6 (4) Central Review and Analysis Azure Defender for servers should be enabled 1.0.3
Audit and Accountability AU-6 (4) Central Review and Analysis Azure Defender for SQL servers on machines should be enabled 1.0.2
Audit and Accountability AU-6 (4) Central Review and Analysis Azure Defender for Storage should be enabled 1.0.3
Audit and Accountability AU-6 (5) Integrated Analysis of Audit Records Auto provisioning of the Log Analytics agent should be enabled on your subscription 1.0.1
Audit and Accountability AU-6 (5) Integrated Analysis of Audit Records Azure Defender for App Service should be enabled 1.0.3
Audit and Accountability AU-6 (5) Integrated Analysis of Audit Records Azure Defender for Azure SQL Database servers should be enabled 1.0.2
Audit and Accountability AU-6 (5) Integrated Analysis of Audit Records Azure Defender for container registries should be enabled 1.0.3
Audit and Accountability AU-6 (5) Integrated Analysis of Audit Records Azure Defender for DNS should be enabled 1.0.0-preview
Audit and Accountability AU-6 (5) Integrated Analysis of Audit Records Azure Defender for Key Vault should be enabled 1.0.3
Audit and Accountability AU-6 (5) Integrated Analysis of Audit Records Azure Defender for Kubernetes should be enabled 1.0.3
Audit and Accountability AU-6 (5) Integrated Analysis of Audit Records Azure Defender for Resource Manager should be enabled 1.0.0
Audit and Accountability AU-6 (5) Integrated Analysis of Audit Records Azure Defender for servers should be enabled 1.0.3
Audit and Accountability AU-6 (5) Integrated Analysis of Audit Records Azure Defender for SQL servers on machines should be enabled 1.0.2
Audit and Accountability AU-6 (5) Integrated Analysis of Audit Records Azure Defender for Storage should be enabled 1.0.3
Audit and Accountability AU-12 Audit Record Generation Auto provisioning of the Log Analytics agent should be enabled on your subscription 1.0.1
Audit and Accountability AU-12 Audit Record Generation Azure Defender for App Service should be enabled 1.0.3
Audit and Accountability AU-12 Audit Record Generation Azure Defender for Azure SQL Database servers should be enabled 1.0.2
Audit and Accountability AU-12 Audit Record Generation Azure Defender for container registries should be enabled 1.0.3
Audit and Accountability AU-12 Audit Record Generation Azure Defender for DNS should be enabled 1.0.0-preview
Audit and Accountability AU-12 Audit Record Generation Azure Defender for Key Vault should be enabled 1.0.3
Audit and Accountability AU-12 Audit Record Generation Azure Defender for Kubernetes should be enabled 1.0.3
Audit and Accountability AU-12 Audit Record Generation Azure Defender for Resource Manager should be enabled 1.0.0
Audit and Accountability AU-12 Audit Record Generation Azure Defender for servers should be enabled 1.0.3
Audit and Accountability AU-12 Audit Record Generation Azure Defender for SQL servers on machines should be enabled 1.0.2
Audit and Accountability AU-12 Audit Record Generation Azure Defender for Storage should be enabled 1.0.3
Audit and Accountability AU-12 (1) System-wide and Time-correlated Audit Trail Auto provisioning of the Log Analytics agent should be enabled on your subscription 1.0.1
Audit and Accountability AU-12 (1) System-wide and Time-correlated Audit Trail Azure Defender for App Service should be enabled 1.0.3
Audit and Accountability AU-12 (1) System-wide and Time-correlated Audit Trail Azure Defender for Azure SQL Database servers should be enabled 1.0.2
Audit and Accountability AU-12 (1) System-wide and Time-correlated Audit Trail Azure Defender for container registries should be enabled 1.0.3
Audit and Accountability AU-12 (1) System-wide and Time-correlated Audit Trail Azure Defender for DNS should be enabled 1.0.0-preview
Audit and Accountability AU-12 (1) System-wide and Time-correlated Audit Trail Azure Defender for Key Vault should be enabled 1.0.3
Audit and Accountability AU-12 (1) System-wide and Time-correlated Audit Trail Azure Defender for Kubernetes should be enabled 1.0.3
Audit and Accountability AU-12 (1) System-wide and Time-correlated Audit Trail Azure Defender for Resource Manager should be enabled 1.0.0
Audit and Accountability AU-12 (1) System-wide and Time-correlated Audit Trail Azure Defender for servers should be enabled 1.0.3
Audit and Accountability AU-12 (1) System-wide and Time-correlated Audit Trail