Details of the HIPAA HITRUST 9.2 Regulatory Compliance built-in initiative
Article 02/24/2025
The following article details how the Azure Policy Regulatory Compliance built-in initiative definition maps to compliance domains and controls in HIPAA HITRUST 9.2. For more information about this compliance standard, see HIPAA HITRUST 9.2. To understand Ownership, review the policy type and Shared responsibility in the cloud.

The following mappings are to the HIPAA HITRUST 9.2 controls. Many of the controls are implemented with an Azure Policy initiative definition. To review the complete initiative definition, open Policy in the Azure portal and select the Definitions page. Then, find and select the HITRUST/HIPAA Regulatory Compliance built-in initiative definition.
Important

Each control below is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, there often is not a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policy definitions themselves; this doesn't ensure you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between compliance domains, controls, and Azure Policy definitions for this compliance standard may change over time. To view the change history, see the GitHub Commit History.
ID : 1149.01c2System.9 - 01.c
Ownership : Customer
Contractors are provided with minimal system and physical access only after the organization assesses the contractor's ability to comply with its security requirements and the contractor agrees to comply.
ID : 1154.01c3System.4 - 01.c
Ownership : Customer
User Identification and Authentication
The organization requires that electronic signatures, unique to one individual, cannot be reused by, or reassigned to, anyone else.
ID : 11208.01q1Organizational.8 - 01.q
Ownership : Customer
Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records.
ID : 11210.01q2Organizational.10 - 01.q
Ownership : Customer
ID : 11211.01q2Organizational.11 - 01.q
Ownership : Customer
ID : 0101.00a1Organizational.123-00.a
Ownership : Shared
ID : 0102.00a2Organizational.123-00.a
Ownership : Shared
ID : 0103.00a3Organizational.1234567-00.a
Ownership : Shared
0104.02a1Organizational.12-02.a 02.01 Prior to Employment
ID : 0104.02a1Organizational.12-02.a
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Define information security roles and responsibilities | CMA_C1565 - Define information security roles and responsibilities | Manual, Disabled | 1.1.0 |
| Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
| Develop organization code of conduct policy | CMA_0159 - Develop organization code of conduct policy | Manual, Disabled | 1.1.0 |
| Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
| Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
| Identify individuals with security roles and responsibilities | CMA_C1566 - Identify individuals with security roles and responsibilities | Manual, Disabled | 1.1.1 |
| Prohibit unfair practices | CMA_0396 - Prohibit unfair practices | Manual, Disabled | 1.1.0 |
| Provide periodic role-based security training | CMA_C1095 - Provide periodic role-based security training | Manual, Disabled | 1.1.0 |
| Provide role-based security training | CMA_C1094 - Provide role-based security training | Manual, Disabled | 1.1.0 |
| Provide security training before providing access | CMA_0418 - Provide security training before providing access | Manual, Disabled | 1.1.0 |
| Review and sign revised rules of behavior | CMA_0465 - Review and sign revised rules of behavior | Manual, Disabled | 1.1.0 |
| Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
| Update rules of behavior and access agreements | CMA_0521 - Update rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
| Update rules of behavior and access agreements every 3 years | CMA_0522 - Update rules of behavior and access agreements every 3 years | Manual, Disabled | 1.1.0 |
0105.02a2Organizational.1-02.a 02.01 Prior to Employment
ID : 0105.02a2Organizational.1-02.a
Ownership : Shared
0106.02a2Organizational.23-02.a 02.01 Prior to Employment
ID : 0106.02a2Organizational.23-02.a
Ownership : Shared
0107.02d1Organizational.1-02.d 02.03 During Employment
ID : 0107.02d1Organizational.1-02.d
Ownership : Shared
0108.02d1Organizational.23-02.d 02.03 During Employment
ID : 0108.02d1Organizational.23-02.d
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
| Implement security testing, training, and monitoring plans | CMA_C1753 - Implement security testing, training, and monitoring plans | Manual, Disabled | 1.1.0 |
| Monitor security and privacy training completion | CMA_0379 - Monitor security and privacy training completion | Manual, Disabled | 1.1.0 |
| Provide periodic role-based security training | CMA_C1095 - Provide periodic role-based security training | Manual, Disabled | 1.1.0 |
| Provide security training before providing access | CMA_0418 - Provide security training before providing access | Manual, Disabled | 1.1.0 |
| Require developers to provide training | CMA_C1611 - Require developers to provide training | Manual, Disabled | 1.1.0 |
| Retain training records | CMA_0456 - Retain training records | Manual, Disabled | 1.1.0 |
| Review security testing, training, and monitoring plans | CMA_C1754 - Review security testing, training, and monitoring plans | Manual, Disabled | 1.1.0 |
0109.02d1Organizational.4-02.d 02.03 During Employment
ID : 0109.02d1Organizational.4-02.d
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
| Develop organization code of conduct policy | CMA_0159 - Develop organization code of conduct policy | Manual, Disabled | 1.1.0 |
| Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
| Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
| Implement formal sanctions process | CMA_0317 - Implement formal sanctions process | Manual, Disabled | 1.1.0 |
| Notify personnel upon sanctions | CMA_0380 - Notify personnel upon sanctions | Manual, Disabled | 1.1.0 |
| Prohibit unfair practices | CMA_0396 - Prohibit unfair practices | Manual, Disabled | 1.1.0 |
| Provide periodic role-based security training | CMA_C1095 - Provide periodic role-based security training | Manual, Disabled | 1.1.0 |
| Provide periodic security awareness training | CMA_C1091 - Provide periodic security awareness training | Manual, Disabled | 1.1.0 |
| Provide role-based practical exercises | CMA_C1096 - Provide role-based practical exercises | Manual, Disabled | 1.1.0 |
| Provide role-based security training | CMA_C1094 - Provide role-based security training | Manual, Disabled | 1.1.0 |
| Provide role-based training on suspicious activities | CMA_C1097 - Provide role-based training on suspicious activities | Manual, Disabled | 1.1.0 |
| Provide security awareness training for insider threats | CMA_0417 - Provide security awareness training for insider threats | Manual, Disabled | 1.1.0 |
| Provide security training before providing access | CMA_0418 - Provide security training before providing access | Manual, Disabled | 1.1.0 |
| Provide security training for new users | CMA_0419 - Provide security training for new users | Manual, Disabled | 1.1.0 |
| Provide updated security awareness training | CMA_C1090 - Provide updated security awareness training | Manual, Disabled | 1.1.0 |
| Review and sign revised rules of behavior | CMA_0465 - Review and sign revised rules of behavior | Manual, Disabled | 1.1.0 |
| Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
| Update rules of behavior and access agreements | CMA_0521 - Update rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
| Update rules of behavior and access agreements every 3 years | CMA_0522 - Update rules of behavior and access agreements every 3 years | Manual, Disabled | 1.1.0 |
0110.02d2Organizational.1-02.d 02.03 During Employment
ID : 0110.02d2Organizational.1-02.d
Ownership : Shared
0111.02d2Organizational.2-02.d 02.03 During Employment
ID : 0111.02d2Organizational.2-02.d
Ownership : Shared
01110.05a1Organizational.5-05.a 05.01 Internal Organization
ID : 01110.05a1Organizational.5-05.a
Ownership : Shared
01111.05a2Organizational.5-05.a 05.01 Internal Organization
ID : 01111.05a2Organizational.5-05.a
Ownership : Shared
0112.02d2Organizational.3-02.d 02.03 During Employment
ID : 0112.02d2Organizational.3-02.d
Ownership : Shared
ID : 0113.04a1Organizational.123-04.a
Ownership : Shared
ID : 0114.04b1Organizational.1-04.b
Ownership : Shared
ID : 0115.04b2Organizational.123-04.b
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop audit and accountability policies and procedures | CMA_0154 - Develop audit and accountability policies and procedures | Manual, Disabled | 1.1.0 |
| Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Govern policies and procedures | CMA_0292 - Govern policies and procedures | Manual, Disabled | 1.1.0 |
| Review access control policies and procedures | CMA_0457 - Review access control policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update configuration management policies and procedures | CMA_C1175 - Review and update configuration management policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update contingency planning policies and procedures | CMA_C1243 - Review and update contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update identification and authentication policies and procedures | CMA_C1299 - Review and update identification and authentication policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update incident response policies and procedures | CMA_C1352 - Review and update incident response policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update information integrity policies and procedures | CMA_C1667 - Review and update information integrity policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update media protection policies and procedures | CMA_C1427 - Review and update media protection policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update personnel security policies and procedures | CMA_C1507 - Review and update personnel security policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update physical and environmental policies and procedures | CMA_C1446 - Review and update physical and environmental policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update planning policies and procedures | CMA_C1491 - Review and update planning policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update risk assessment policies and procedures | CMA_C1537 - Review and update risk assessment policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system and communications protection policies and procedures | CMA_C1616 - Review and update system and communications protection policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system and services acquisition policies and procedures | CMA_C1560 - Review and update system and services acquisition policies and procedures | Manual, Disabled | 1.1.0 |
| Review and update system maintenance policies and procedures | CMA_C1395 - Review and update system maintenance policies and procedures | Manual, Disabled | 1.1.0 |
| Review security assessment and authorization policies and procedures | CMA_C1143 - Review security assessment and authorization policies and procedures | Manual, Disabled | 1.1.0 |
| Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
ID : 0116.04b3Organizational.1-04.b
Ownership : Shared
0117.05a1Organizational.1-05.a 05.01 Internal Organization
ID : 0117.05a1Organizational.1-05.a
Ownership : Shared
0118.05a1Organizational.2-05.a 05.01 Internal Organization
ID : 0118.05a1Organizational.2-05.a
Ownership : Shared
0119.05a1Organizational.3-05.a 05.01 Internal Organization
ID : 0119.05a1Organizational.3-05.a
Ownership : Shared
0120.05a1Organizational.4-05.a 05.01 Internal Organization
ID : 0120.05a1Organizational.4-05.a
Ownership : Shared
0121.05a2Organizational.12-05.a 05.01 Internal Organization
ID : 0121.05a2Organizational.12-05.a
Ownership : Shared
0122.05a2Organizational.3-05.a 05.01 Internal Organization
ID : 0122.05a2Organizational.3-05.a
Ownership : Shared
0123.05a2Organizational.4-05.a 05.01 Internal Organization
ID : 0123.05a2Organizational.4-05.a
Ownership : Shared
0124.05a3Organizational.1-05.a 05.01 Internal Organization
ID : 0124.05a3Organizational.1-05.a
Ownership : Shared
0125.05a3Organizational.2-05.a 05.01 Internal Organization
ID : 0125.05a3Organizational.2-05.a
Ownership : Shared
0135.02f1Organizational.56-02.f 02.03 During Employment
ID : 0135.02f1Organizational.56-02.f
Ownership : Shared
0137.02a1Organizational.3-02.a 02.01 Prior to Employment
ID : 0137.02a1Organizational.3-02.a
Ownership : Shared
ID : 0162.04b1Organizational.2-04.b
Ownership : Shared
0165.05a3Organizational.3-05.a 05.01 Internal Organization
ID : 0165.05a3Organizational.3-05.a
Ownership : Shared
0177.05h1Organizational.12-05.h 05.01 Internal Organization
ID : 0177.05h1Organizational.12-05.h
Ownership : Shared
0178.05h1Organizational.3-05.h 05.01 Internal Organization
ID : 0178.05h1Organizational.3-05.h
Ownership : Shared
0179.05h1Organizational.4-05.h 05.01 Internal Organization
ID : 0179.05h1Organizational.4-05.h
Ownership : Shared
0180.05h2Organizational.1-05.h 05.01 Internal Organization
ID : 0180.05h2Organizational.1-05.h
Ownership : Shared
0201.09j1Organizational.124-09.j 09.04 Protection Against Malicious and Mobile Code
ID : 0201.09j1Organizational.124-09.j
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
| Deploy default Microsoft IaaSAntimalware extension for Windows Server | This policy deploys a Microsoft IaaSAntimalware extension with a default configuration when a VM is not configured with the antimalware extension. | deployIfNotExists | 1.1.0 |
| Detect network services that have not been authorized or approved | CMA_C1700 - Detect network services that have not been authorized or approved | Manual, Disabled | 1.1.0 |
| Document wireless access security controls | CMA_C1695 - Document wireless access security controls | Manual, Disabled | 1.1.0 |
| Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
| Microsoft Antimalware for Azure should be configured to automatically update protection signatures | This policy audits any Windows virtual machine not configured with automatic update of Microsoft Antimalware protection signatures. | AuditIfNotExists, Disabled | 1.0.0 |
| Observe and report security weaknesses | CMA_0384 - Observe and report security weaknesses | Manual, Disabled | 1.1.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| Perform threat modeling | CMA_0392 - Perform threat modeling | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
| Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
| Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
| Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
0202.09j1Organizational.3-09.j 09.04 Protection Against Malicious and Mobile Code
ID : 0202.09j1Organizational.3-09.j
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adjust level of audit review, analysis, and reporting | CMA_C1123 - Adjust level of audit review, analysis, and reporting | Manual, Disabled | 1.1.0 |
| Correlate audit records | CMA_0087 - Correlate audit records | Manual, Disabled | 1.1.0 |
| Establish requirements for audit review and reporting | CMA_0277 - Establish requirements for audit review and reporting | Manual, Disabled | 1.1.0 |
| Govern and monitor audit processing activities | CMA_0289 - Govern and monitor audit processing activities | Manual, Disabled | 1.1.0 |
| Integrate Audit record analysis | CMA_C1120 - Integrate Audit record analysis | Manual, Disabled | 1.1.0 |
| Integrate audit review, analysis, and reporting | CMA_0339 - Integrate audit review, analysis, and reporting | Manual, Disabled | 1.1.0 |
| Integrate cloud app security with a siem | CMA_0340 - Integrate cloud app security with a siem | Manual, Disabled | 1.1.0 |
| Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
| Review administrator assignments weekly | CMA_0461 - Review administrator assignments weekly | Manual, Disabled | 1.1.0 |
| Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
| Review cloud identity report overview | CMA_0468 - Review cloud identity report overview | Manual, Disabled | 1.1.0 |
| Review controlled folder access events | CMA_0471 - Review controlled folder access events | Manual, Disabled | 1.1.0 |
| Review file and folder activity | CMA_0473 - Review file and folder activity | Manual, Disabled | 1.1.0 |
| Review role group changes weekly | CMA_0476 - Review role group changes weekly | Manual, Disabled | 1.1.0 |
| Specify permitted actions associated with customer audit information | CMA_C1122 - Specify permitted actions associated with customer audit information | Manual, Disabled | 1.1.0 |
0204.09j2Organizational.1-09.j 09.04 Protection Against Malicious and Mobile Code
ID : 0204.09j2Organizational.1-09.j
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
| Create alternative actions for identified anomalies | CMA_C1711 - Create alternative actions for identified anomalies | Manual, Disabled | 1.1.0 |
| Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
| Notify personnel of any failed security verification tests | CMA_C1710 - Notify personnel of any failed security verification tests | Manual, Disabled | 1.1.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| Perform security function verification at a defined frequency | CMA_C1709 - Perform security function verification at a defined frequency | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
| Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
| Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
| Verify security functions | CMA_C1708 - Verify security functions | Manual, Disabled | 1.1.0 |
0205.09j2Organizational.2-09.j 09.04 Protection Against Malicious and Mobile Code
ID : 0205.09j2Organizational.2-09.j
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Alert personnel of information spillage | CMA_0007 - Alert personnel of information spillage | Manual, Disabled | 1.1.0 |
| Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
| Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
| Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
| Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
| Set automated notifications for new and trending cloud applications in your organization | CMA_0495 - Set automated notifications for new and trending cloud applications in your organization | Manual, Disabled | 1.1.0 |
| Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
0206.09j2Organizational.34-09.j 09.04 Protection Against Malicious and Mobile Code
ID : 0206.09j2Organizational.34-09.j
Ownership : Shared
0207.09j2Organizational.56-09.j 09.04 Protection Against Malicious and Mobile Code
ID : 0207.09j2Organizational.56-09.j
Ownership : Shared
0208.09j2Organizational.7-09.j 09.04 Protection Against Malicious and Mobile Code
ID : 0208.09j2Organizational.7-09.j
Ownership : Shared
0209.09m3Organizational.7-09.m 09.06 Network Security Management
ID : 0209.09m3Organizational.7-09.m
Ownership : Shared
0214.09j1Organizational.6-09.j 09.04 Protection Against Malicious and Mobile Code
ID : 0214.09j1Organizational.6-09.j
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
| Design an access control model | CMA_0129 - Design an access control model | Manual, Disabled | 1.1.0 |
| Employ least privilege access | CMA_0212 - Employ least privilege access | Manual, Disabled | 1.1.0 |
| Limit privileges to make changes in production environment | CMA_C1206 - Limit privileges to make changes in production environment | Manual, Disabled | 1.1.0 |
| Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Provide periodic security awareness training | CMA_C1091 - Provide periodic security awareness training | Manual, Disabled | 1.1.0 |
| Provide security training for new users | CMA_0419 - Provide security training for new users | Manual, Disabled | 1.1.0 |
| Provide updated security awareness training | CMA_C1090 - Provide updated security awareness training | Manual, Disabled | 1.1.0 |
| Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
| Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
| Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
0215.09j2Organizational.8-09.j 09.04 Protection Against Malicious and Mobile Code
ID : 0215.09j2Organizational.8-09.j
Ownership : Shared
0216.09j2Organizational.9-09.j 09.04 Protection Against Malicious and Mobile Code
ID : 0216.09j2Organizational.9-09.j
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Correlate audit records | CMA_0087 - Correlate audit records | Manual, Disabled | 1.1.0 |
| Establish requirements for audit review and reporting | CMA_0277 - Establish requirements for audit review and reporting | Manual, Disabled | 1.1.0 |
| Integrate audit review, analysis, and reporting | CMA_0339 - Integrate audit review, analysis, and reporting | Manual, Disabled | 1.1.0 |
| Integrate cloud app security with a siem | CMA_0340 - Integrate cloud app security with a siem | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
| Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
| Review administrator assignments weekly | CMA_0461 - Review administrator assignments weekly | Manual, Disabled | 1.1.0 |
| Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
| Review cloud identity report overview | CMA_0468 - Review cloud identity report overview | Manual, Disabled | 1.1.0 |
| Review controlled folder access events | CMA_0471 - Review controlled folder access events | Manual, Disabled | 1.1.0 |
| Review file and folder activity | CMA_0473 - Review file and folder activity | Manual, Disabled | 1.1.0 |
| Review role group changes weekly | CMA_0476 - Review role group changes weekly | Manual, Disabled | 1.1.0 |
0217.09j2Organizational.10-09.j 09.04 Protection Against Malicious and Mobile Code
ID : 0217.09j2Organizational.10-09.j
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
| Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
| Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
| Correlate audit records | CMA_0087 - Correlate audit records | Manual, Disabled | 1.1.0 |
| Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
| Establish requirements for audit review and reporting | CMA_0277 - Establish requirements for audit review and reporting | Manual, Disabled | 1.1.0 |
| Integrate audit review, analysis, and reporting | CMA_0339 - Integrate audit review, analysis, and reporting | Manual, Disabled | 1.1.0 |
| Integrate cloud app security with a siem | CMA_0340 - Integrate cloud app security with a siem | Manual, Disabled | 1.1.0 |
| Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
| Observe and report security weaknesses | CMA_0384 - Observe and report security weaknesses | Manual, Disabled | 1.1.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| Perform threat modeling | CMA_0392 - Perform threat modeling | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
| Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
| Review administrator assignments weekly | CMA_0461 - Review administrator assignments weekly | Manual, Disabled | 1.1.0 |
| Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
| Review cloud identity report overview | CMA_0468 - Review cloud identity report overview | Manual, Disabled | 1.1.0 |
| Review controlled folder access events | CMA_0471 - Review controlled folder access events | Manual, Disabled | 1.1.0 |
| Review exploit protection events | CMA_0472 - Review exploit protection events | Manual, Disabled | 1.1.0 |
| Review file and folder activity | CMA_0473 - Review file and folder activity | Manual, Disabled | 1.1.0 |
| Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
| Review role group changes weekly | CMA_0476 - Review role group changes weekly | Manual, Disabled | 1.1.0 |
| Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
| Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
0219.09j2Organizational.12-09.j 09.04 Protection Against Malicious and Mobile Code
ID : 0219.09j2Organizational.12-09.j
Ownership : Shared
0225.09k1Organizational.1-09.k 09.04 Protection Against Malicious and Mobile Code
ID : 0225.09k1Organizational.1-09.k
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Authorize, monitor, and control usage of mobile code technologies | CMA_C1653 - Authorize, monitor, and control usage of mobile code technologies | Manual, Disabled | 1.1.0 |
| Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
| Define acceptable and unacceptable mobile code technologies | CMA_C1651 - Define acceptable and unacceptable mobile code technologies | Manual, Disabled | 1.1.0 |
| Establish usage restrictions for mobile code technologies | CMA_C1652 - Establish usage restrictions for mobile code technologies | Manual, Disabled | 1.1.0 |
| Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
| Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
| Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
0226.09k1Organizational.2-09.k 09.04 Protection Against Malicious and Mobile Code
ID : 0226.09k1Organizational.2-09.k
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Authorize, monitor, and control usage of mobile code technologies | CMA_C1653 - Authorize, monitor, and control usage of mobile code technologies | Manual, Disabled | 1.1.0 |
| Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
| Define acceptable and unacceptable mobile code technologies | CMA_C1651 - Define acceptable and unacceptable mobile code technologies | Manual, Disabled | 1.1.0 |
| Establish usage restrictions for mobile code technologies | CMA_C1652 - Establish usage restrictions for mobile code technologies | Manual, Disabled | 1.1.0 |
| Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
| Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
0227.09k2Organizational.12-09.k 09.04 Protection Against Malicious and Mobile Code
ID : 0227.09k2Organizational.12-09.k
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Authorize, monitor, and control usage of mobile code technologies | CMA_C1653 - Authorize, monitor, and control usage of mobile code technologies | Manual, Disabled | 1.1.0 |
| Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
| Define acceptable and unacceptable mobile code technologies | CMA_C1651 - Define acceptable and unacceptable mobile code technologies | Manual, Disabled | 1.1.0 |
| Define mobile device requirements | CMA_0122 - Define mobile device requirements | Manual, Disabled | 1.1.0 |
| Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Establish usage restrictions for mobile code technologies | CMA_C1652 - Establish usage restrictions for mobile code technologies | Manual, Disabled | 1.1.0 |
| Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
| Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
| Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
| Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
0228.09k2Organizational.3-09.k 09.04 Protection Against Malicious and Mobile Code
ID : 0228.09k2Organizational.3-09.k
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Automate process to highlight unreviewed change proposals | CMA_C1193 - Automate process to highlight unreviewed change proposals | Manual, Disabled | 1.1.0 |
| Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
| Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
| Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
| Govern compliance of cloud service providers | CMA_0290 - Govern compliance of cloud service providers | Manual, Disabled | 1.1.0 |
| Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
| Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
| View and configure system diagnostic data | CMA_0544 - View and configure system diagnostic data | Manual, Disabled | 1.1.0 |
ID : 0301.09o1Organizational.123-09.o
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
| Control maintenance and repair activities | CMA_0080 - Control maintenance and repair activities | Manual, Disabled | 1.1.0 |
| Control use of portable storage devices | CMA_0083 - Control use of portable storage devices | Manual, Disabled | 1.1.0 |
| Define mobile device requirements | CMA_0122 - Define mobile device requirements | Manual, Disabled | 1.1.0 |
| Document and implement wireless access guidelines | CMA_0190 - Document and implement wireless access guidelines | Manual, Disabled | 1.1.0 |
| Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
| Manage nonlocal maintenance and diagnostic activities | CMA_0364 - Manage nonlocal maintenance and diagnostic activities | Manual, Disabled | 1.1.0 |
| Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Manual, Disabled | 1.1.0 |
| Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
| Protect wireless access | CMA_0411 - Protect wireless access | Manual, Disabled | 1.1.0 |
| Restrict media use | CMA_0450 - Restrict media use | Manual, Disabled | 1.1.0 |
| Review and update media protection policies and procedures | CMA_C1427 - Review and update media protection policies and procedures | Manual, Disabled | 1.1.0 |
| Transparent Data Encryption on SQL databases should be enabled | Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements | AuditIfNotExists, Disabled | 2.0.0 |
ID : 0302.09o2Organizational.1-09.o
Ownership : Shared
ID : 0303.09o2Organizational.2-09.o
Ownership : Shared
ID : 0304.09o3Organizational.1-09.o
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
| Control use of portable storage devices | CMA_0083 - Control use of portable storage devices | Manual, Disabled | 1.1.0 |
| Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
| Require encryption on Data Lake Store accounts | This policy ensures encryption is enabled on all Data Lake Store accounts | deny | 1.0.0 |
| Restrict media use | CMA_0450 - Restrict media use | Manual, Disabled | 1.1.0 |
| SQL managed instances should use customer-managed keys to encrypt data at rest | Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. | Audit, Deny, Disabled | 2.0.0 |
| SQL servers should use customer-managed keys to encrypt data at rest | Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. | Audit, Deny, Disabled | 2.0.1 |
ID : 0305.09q1Organizational.12-09.q
Ownership : Shared
ID : 0306.09q1Organizational.3-09.q
Ownership : Shared
ID : 0307.09q2Organizational.12-09.q
Ownership : Shared
ID : 0308.09q3Organizational.1-09.q
Ownership : Shared
ID : 0314.09q3Organizational.2-09.q
Ownership : Shared
04 Mobile Device Security
0401.01x1System.124579-01.x 01.07 Mobile Computing and Teleworking
ID : 0401.01x1System.124579-01.x
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Authorize, monitor, and control usage of mobile code technologies | CMA_C1653 - Authorize, monitor, and control usage of mobile code technologies | Manual, Disabled | 1.1.0 |
| Define acceptable and unacceptable mobile code technologies | CMA_C1651 - Define acceptable and unacceptable mobile code technologies | Manual, Disabled | 1.1.0 |
| Define mobile device requirements | CMA_0122 - Define mobile device requirements | Manual, Disabled | 1.1.0 |
| Establish usage restrictions for mobile code technologies | CMA_C1652 - Establish usage restrictions for mobile code technologies | Manual, Disabled | 1.1.0 |
| Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
| Prohibit remote activation of collaborative computing devices | CMA_C1648 - Prohibit remote activation of collaborative computing devices | Manual, Disabled | 1.1.0 |
| Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
0403.01x1System.8-01.x 01.07 Mobile Computing and Teleworking
ID : 0403.01x1System.8-01.x
Ownership : Shared
0405.01y1Organizational.12345678-01.y 01.07 Mobile Computing and Teleworking
ID : 0405.01y1Organizational.12345678-01.y
Ownership : Shared
0407.01y2Organizational.1-01.y 01.07 Mobile Computing and Teleworking
ID : 0407.01y2Organizational.1-01.y
Ownership : Shared
0408.01y3Organizational.12-01.y 01.07 Mobile Computing and Teleworking
ID : 0408.01y3Organizational.12-01.y
Ownership : Shared
0409.01y3Organizational.3-01.y 01.07 Mobile Computing and Teleworking
ID : 0409.01y3Organizational.3-01.y
Ownership : Shared
0410.01x1System.12-01.xMobileComputingandCommunications 01.07 Mobile Computing and Teleworking
ID : 0410.01x1System.12-01.xMobileComputingandCommunications
Ownership : Shared
0415.01y1Organizational.10-01.y 01.07 Mobile Computing and Teleworking
ID : 0415.01y1Organizational.10-01.y
Ownership : Shared
0416.01y3Organizational.4-01.y 01.07 Mobile Computing and Teleworking
ID : 0416.01y3Organizational.4-01.y
Ownership : Shared
0417.01y3Organizational.5-01.y 01.07 Mobile Computing and Teleworking
ID : 0417.01y3Organizational.5-01.y
Ownership : Shared
0425.01x1System.13-01.x 01.07 Mobile Computing and Teleworking
ID : 0425.01x1System.13-01.x
Ownership : Shared
0426.01x2System.1-01.x 01.07 Mobile Computing and Teleworking
ID : 0426.01x2System.1-01.x
Ownership : Shared
0427.01x2System.2-01.x 01.07 Mobile Computing and Teleworking
ID : 0427.01x2System.2-01.x
Ownership : Shared
0428.01x2System.3-01.x 01.07 Mobile Computing and Teleworking
ID : 0428.01x2System.3-01.x
Ownership : Shared
0429.01x1System.14-01.x 01.07 Mobile Computing and Teleworking
ID : 0429.01x1System.14-01.x
Ownership : Shared
ID : 1401.05i1Organizational.1239 - 05.i
Ownership : Customer
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Secure transfer to storage accounts should be enabled | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 2.0.0 |
Remote access connections between the organization and external parties are encrypted.
ID : 1402.05i1Organizational.45 - 05.i
Ownership : Customer
Access granted to external parties is limited to the minimum necessary and granted only for the duration required.
ID : 1403.05i1Organizational.67 - 05.i
Ownership : Customer
ID : 1418.05i1Organizational.8 - 05.i
Ownership : Customer
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Enforce SSL connection should be enabled for MySQL database servers | Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
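The Effect(s) column decides what happens when a policy rule matches a resource: Audit only records the resource as non-compliant, Deny also rejects the create or update request, and Disabled evaluates nothing. The following Python script is an added illustration, not part of this page and not Azure's policy engine. It evaluates two constructed rules shaped like the built-ins for the two controls above (HTTPS-only storage accounts and SSL-enforced MySQL servers) over constructed sample resource documents; the rule bodies, property alias names and resources are assumptions made for the example, not the published definitions.

```python
"""Toy evaluator for Azure Policy-style rules (added example, not Azure's engine).

The two rules below are constructed approximations of the built-ins "Secure
transfer to storage accounts should be enabled" and "Enforce SSL connection
should be enabled for MySQL database servers"; alias names and structure are
assumptions for illustration, not the published definitions.
"""
from typing import Any

# Constructed rule: a storage account is out of policy when the
# supportsHttpsTrafficOnly property is absent or false.
STORAGE_SECURE_TRANSFER_RULE = {
    "if": {
        "allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"anyOf": [
                {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
                 "exists": "false"},
                {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
                 "equals": "false"},
            ]},
        ]
    },
    # The assignment supplies the 'effect' parameter; evaluate() takes it directly.
    "then": {"effect": "[parameters('effect')]"},
}

# Constructed rule: a MySQL server is out of policy unless sslEnforcement is Enabled.
MYSQL_SSL_RULE = {
    "if": {
        "allOf": [
            {"field": "type", "equals": "Microsoft.DBforMySQL/servers"},
            {"field": "Microsoft.DBforMySQL/servers/sslEnforcement", "notEquals": "Enabled"},
        ]
    },
    "then": {"effect": "[parameters('effect')]"},
}


def resolve_field(resource: dict, field: str) -> tuple[bool, Any]:
    """Resolve 'type' or a property alias (<type>/<path>) against a resource.

    'Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly' is read as
    properties.supportsHttpsTrafficOnly of a resource of that type.
    Returns (exists, value); an alias for another type never exists.
    """
    if field == "type":
        return "type" in resource, resource.get("type")
    prefix = resource.get("type", "") + "/"
    if not field.startswith(prefix):
        return False, None
    node: Any = resource.get("properties", {})
    for part in field[len(prefix):].split("/"):
        if not isinstance(node, dict) or part not in node:
            return False, None
        node = node[part]
    return True, node


def _norm(value: Any) -> str:
    # String comparisons are case-insensitive; booleans compare via their
    # string form so a rule's "false" matches the JSON boolean false.
    return str(value).lower()


def matches(condition: dict, resource: dict) -> bool:
    """Evaluate an 'if' condition tree: allOf / anyOf / not / field leaf."""
    if "allOf" in condition:
        return all(matches(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(matches(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not matches(condition["not"], resource)
    exists, value = resolve_field(resource, condition["field"])
    if "exists" in condition:
        return exists == (_norm(condition["exists"]) == "true")
    if "equals" in condition:
        return exists and _norm(value) == _norm(condition["equals"])
    if "notEquals" in condition:  # a missing field is "not equal" to anything
        return (not exists) or _norm(value) != _norm(condition["notEquals"])
    raise ValueError(f"unsupported condition: {condition}")


def evaluate(rule: dict, effect: str, resource: dict) -> str:
    """Apply one rule with the assigned effect to one resource document.

    'Compliant' when the condition does not match; otherwise 'NonCompliant'
    for Audit, 'Denied' for Deny (request rejected at write time) and
    'Skipped' for Disabled (the assignment does nothing).
    """
    if not matches(rule["if"], resource):
        return "Compliant"
    verdicts = {"audit": "NonCompliant", "deny": "Denied", "disabled": "Skipped"}
    if effect.lower() not in verdicts:
        raise ValueError(f"effect {effect!r} is not modelled here")
    return verdicts[effect.lower()]


def assess(rules: list, effect: str, resources: list) -> dict:
    """Worst verdict per resource name across all rules."""
    rank = {"Compliant": 0, "Skipped": 1, "NonCompliant": 2, "Denied": 3}
    report = {}
    for res in resources:
        verdicts = [evaluate(rule, effect, res) for rule in rules]
        report[res["name"]] = max(verdicts, key=rank.__getitem__)
    return report


# Constructed sample resources (no real subscription behind them).
SAMPLE_RESOURCES = [
    {"name": "stlegacy", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"supportsHttpsTrafficOnly": False}},
    {"name": "stunset", "type": "Microsoft.Storage/storageAccounts",
     "properties": {}},  # property absent: the 'exists: false' branch fires
    {"name": "sthardened", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"supportsHttpsTrafficOnly": True}},
    {"name": "mysql-plain", "type": "Microsoft.DBforMySQL/servers",
     "properties": {"sslEnforcement": "Disabled"}},
    {"name": "mysql-tls", "type": "Microsoft.DBforMySQL/servers",
     "properties": {"sslEnforcement": "Enabled"}},
    {"name": "vm01", "type": "Microsoft.Compute/virtualMachines",
     "properties": {}},  # neither rule targets this type
]
RULES = [STORAGE_SECURE_TRANSFER_RULE, MYSQL_SSL_RULE]

if __name__ == "__main__":
    for assigned_effect in ("Audit", "Deny", "Disabled"):
        print(assigned_effect, assess(RULES, assigned_effect, SAMPLE_RESOURCES))
```

Compare the three reports: under Audit the legacy storage account and the plain MySQL server are only reported, under Deny the same documents would be rejected at write time while resources that already exist are still only reported, and Disabled evaluates nothing. The AuditIfNotExists rows on this page (the Guest Configuration checks, for example) additionally look for a related resource such as an extension or assignment, which this toy evaluator does not model.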
0504.09m2Organizational.5-09.m 09.06 Network Security Management
ID : 0504.09m2Organizational.5-09.m
Ownership : Shared
0505.09m2Organizational.3-09.m 09.06 Network Security Management
ID : 0505.09m2Organizational.3-09.m
Ownership : Shared
06 Configuration Management
0601.06g1Organizational.124-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance
ID : 0601.06g1Organizational.124-06.g
Ownership : Shared
0602.06g1Organizational.3-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance
ID : 0602.06g1Organizational.3-06.g
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Conduct Risk Assessment | CMA_C1543 - Conduct Risk Assessment | Manual, Disabled | 1.1.0 |
| Deliver security assessment results | CMA_C1147 - Deliver security assessment results | Manual, Disabled | 1.1.0 |
| Develop configuration management plan | CMA_C1232 - Develop configuration management plan | Manual, Disabled | 1.1.0 |
| Develop POA&M | CMA_C1156 - Develop POA&M | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
| Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
| Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
| Produce Security Assessment report | CMA_C1146 - Produce Security Assessment report | Manual, Disabled | 1.1.0 |
| Require developers to document approved changes and potential impact | CMA_C1597 - Require developers to document approved changes and potential impact | Manual, Disabled | 1.1.0 |
| Update POA&M items | CMA_C1157 - Update POA&M items | Manual, Disabled | 1.1.0 |
0603.06g2Organizational.1-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance
ID : 0603.06g2Organizational.1-06.g
Ownership : Shared
0604.06g2Organizational.2-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance
ID : 0604.06g2Organizational.2-06.g
Ownership : Shared
0605.10h1System.12-10.h 10.04 Security of System Files
ID : 0605.10h1System.12-10.h
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
| Limit privileges to make changes in production environment | CMA_C1206 - Limit privileges to make changes in production environment | Manual, Disabled | 1.1.0 |
| Review and reevaluate privileges | CMA_C1207 - Review and reevaluate privileges | Manual, Disabled | 1.1.0 |
| Vulnerabilities in security configuration on your machines should be remediated | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.1.0 |
| Windows machines should meet requirements for 'Security Options - Audit' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Audit' for forcing audit policy subcategory and shutting down if unable to log security audits. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
| Windows machines should meet requirements for 'System Audit Policies - Account Management' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Management' for auditing application, security, and user group management, and other management events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
0613.06h1Organizational.12-06.h 06.02 Compliance with Security Policies and Standards, and Technical Compliance
ID : 0613.06h1Organizational.12-06.h
Ownership : Shared
0614.06h2Organizational.12-06.h 06.02 Compliance with Security Policies and Standards, and Technical Compliance
ID : 0614.06h2Organizational.12-06.h
Ownership : Shared
0615.06h2Organizational.3-06.h 06.02 Compliance with Security Policies and Standards, and Technical Compliance
ID : 0615.06h2Organizational.3-06.h
Ownership : Shared
0618.09b1System.1-09.b 09.01 Documented Operating Procedures
ID : 0618.09b1System.1-09.b
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Automate approval request for proposed changes | CMA_C1192 - Automate approval request for proposed changes | Manual, Disabled | 1.1.0 |
| Automate implementation of approved change notifications | CMA_C1196 - Automate implementation of approved change notifications | Manual, Disabled | 1.1.0 |
| Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
| Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Manual, Disabled | 1.1.0 |
| Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
| Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
| Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
| Govern compliance of cloud service providers | CMA_0290 - Govern compliance of cloud service providers | Manual, Disabled | 1.1.0 |
| Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
| Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
| Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
| Require developers to document approved changes and potential impact | CMA_C1597 - Require developers to document approved changes and potential impact | Manual, Disabled | 1.1.0 |
| Require developers to manage change integrity | CMA_C1595 - Require developers to manage change integrity | Manual, Disabled | 1.1.0 |
| Retain previous versions of baseline configs | CMA_C1181 - Retain previous versions of baseline configs | Manual, Disabled | 1.1.0 |
| View and configure system diagnostic data | CMA_0544 - View and configure system diagnostic data | Manual, Disabled | 1.1.0 |
0626.10h1System.3-10.h 10.04 Security of System Files
ID : 0626.10h1System.3-10.h
Ownership : Shared
0627.10h1System.45-10.h 10.04 Security of System Files
ID : 0627.10h1System.45-10.h
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Configure actions for noncompliant devices | CMA_0062 - Configure actions for noncompliant devices | Manual, Disabled | 1.1.0 |
| Develop and maintain baseline configurations | CMA_0153 - Develop and maintain baseline configurations | Manual, Disabled | 1.1.0 |
| Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
| Ensure security safeguards not needed when the individuals return | CMA_C1183 - Ensure security safeguards not needed when the individuals return | Manual, Disabled | 1.1.0 |
| Establish a configuration control board | CMA_0254 - Establish a configuration control board | Manual, Disabled | 1.1.0 |
| Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Manual, Disabled | 1.1.0 |
| Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Manual, Disabled | 1.1.0 |
| Not allow for information systems to accompany with individuals | CMA_C1182 - Not allow for information systems to accompany with individuals | Manual, Disabled | 1.1.0 |
| Retain previous versions of baseline configs | CMA_C1181 - Retain previous versions of baseline configs | Manual, Disabled | 1.1.0 |
| Verify software, firmware and information integrity | CMA_0542 - Verify software, firmware and information integrity | Manual, Disabled | 1.1.0 |
| View and configure system diagnostic data | CMA_0544 - View and configure system diagnostic data | Manual, Disabled | 1.1.0 |
0628.10h1System.6-10.h 10.04 Security of System Files
ID : 0628.10h1System.6-10.h
Ownership : Shared
0635.10k1Organizational.12-10.k 10.05 Security In Development and Support Processes
ID : 0635.10k1Organizational.12-10.k
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Incorporate flaw remediation into configuration management | CMA_C1671 - Incorporate flaw remediation into configuration management | Manual, Disabled | 1.1.0 |
| Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
| Review development process, standards and tools | CMA_C1610 - Review development process, standards and tools | Manual, Disabled | 1.1.0 |
| Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
| Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
| Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
| Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
0636.10k2Organizational.1-10.k 10.05 Security In Development and Support Processes
ID : 0636.10k2Organizational.1-10.k
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Create configuration plan protection | CMA_C1233 - Create configuration plan protection | Manual, Disabled | 1.1.0 |
| Develop and maintain baseline configurations | CMA_0153 - Develop and maintain baseline configurations | Manual, Disabled | 1.1.0 |
| Develop configuration item identification plan | CMA_C1231 - Develop configuration item identification plan | Manual, Disabled | 1.1.0 |
| Develop configuration management plan | CMA_C1232 - Develop configuration management plan | Manual, Disabled | 1.1.0 |
| Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Manual, Disabled | 1.1.0 |
| Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Manual, Disabled | 1.1.0 |
| Review and update configuration management policies and procedures | CMA_C1175 - Review and update configuration management policies and procedures | Manual, Disabled | 1.1.0 |
| Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
0637.10k2Organizational.2-10.k 10.05 Security In Development and Support Processes
ID : 0637.10k2Organizational.2-10.k
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Create configuration plan protection | CMA_C1233 - Create configuration plan protection | Manual, Disabled | 1.1.0 |
| Develop and maintain baseline configurations | CMA_0153 - Develop and maintain baseline configurations | Manual, Disabled | 1.1.0 |
| Develop configuration item identification plan | CMA_C1231 - Develop configuration item identification plan | Manual, Disabled | 1.1.0 |
| Develop configuration management plan | CMA_C1232 - Develop configuration management plan | Manual, Disabled | 1.1.0 |
| Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Manual, Disabled | 1.1.0 |
| Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Manual, Disabled | 1.1.0 |
| Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
0638.10k2Organizational.34569-10.k 10.05 Security In Development and Support Processes
ID : 0638.10k2Organizational.34569-10.k
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Automate implementation of approved change notifications | CMA_C1196 - Automate implementation of approved change notifications | Manual, Disabled | 1.1.0 |
| Automate process to document implemented changes | CMA_C1195 - Automate process to document implemented changes | Manual, Disabled | 1.1.0 |
| Automate process to highlight unreviewed change proposals | CMA_C1193 - Automate process to highlight unreviewed change proposals | Manual, Disabled | 1.1.0 |
| Automate process to prohibit implementation of unapproved changes | CMA_C1194 - Automate process to prohibit implementation of unapproved changes | Manual, Disabled | 1.1.0 |
| Automate proposed documented changes | CMA_C1191 - Automate proposed documented changes | Manual, Disabled | 1.1.0 |
| Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
| Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Manual, Disabled | 1.1.0 |
| Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
| Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
| Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
| Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
| Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
| Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
0639.10k2Organizational.78-10.k 10.05 Security In Development and Support Processes
ID : 0639.10k2Organizational.78-10.k
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Configure actions for noncompliant devices | CMA_0062 - Configure actions for noncompliant devices | Manual, Disabled | 1.1.0 |
| Develop and maintain baseline configurations | CMA_0153 - Develop and maintain baseline configurations | Manual, Disabled | 1.1.0 |
| Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
| Establish a configuration control board | CMA_0254 - Establish a configuration control board | Manual, Disabled | 1.1.0 |
| Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Manual, Disabled | 1.1.0 |
| Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Manual, Disabled | 1.1.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
| Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
0640.10k2Organizational.1012-10.k 10.05 Security In Development and Support Processes
ID : 0640.10k2Organizational.1012-10.k
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Address coding vulnerabilities | CMA_0003 - Address coding vulnerabilities | Manual, Disabled | 1.1.0 |
| Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
| Develop and document application security requirements | CMA_0148 - Develop and document application security requirements | Manual, Disabled | 1.1.0 |
| Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
| Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
| Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
| Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
| Establish a secure software development program | CMA_0259 - Establish a secure software development program | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
| Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
| Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
| Require developers to document approved changes and potential impact | CMA_C1597 - Require developers to document approved changes and potential impact | Manual, Disabled | 1.1.0 |
| Require developers to manage change integrity | CMA_C1595 - Require developers to manage change integrity | Manual, Disabled | 1.1.0 |
| Require developers to produce evidence of security assessment plan execution | CMA_C1602 - Require developers to produce evidence of security assessment plan execution | Manual, Disabled | 1.1.0 |
| Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
0641.10k2Organizational.11-10.k 10.05 Security In Development and Support Processes
ID: 0641.10k2Organizational.11-10.k
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
| Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
| Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Manual, Disabled | 1.1.0 |
| Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
| Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
| Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
| Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
| Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
| Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
| Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
| Review development process, standards and tools | CMA_C1610 - Review development process, standards and tools | Manual, Disabled | 1.1.0 |
| Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
0642.10k3Organizational.12-10.k 10.05 Security In Development and Support Processes
ID: 0642.10k3Organizational.12-10.k
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Configure actions for noncompliant devices | CMA_0062 - Configure actions for noncompliant devices | Manual, Disabled | 1.1.0 |
| Develop and maintain baseline configurations | CMA_0153 - Develop and maintain baseline configurations | Manual, Disabled | 1.1.0 |
| Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
| Establish a configuration control board | CMA_0254 - Establish a configuration control board | Manual, Disabled | 1.1.0 |
| Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Manual, Disabled | 1.1.0 |
| Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Manual, Disabled | 1.1.0 |
| Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
0643.10k3Organizational.3-10.k 10.05 Security In Development and Support Processes
ID: 0643.10k3Organizational.3-10.k
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
| Configure actions for noncompliant devices | CMA_0062 - Configure actions for noncompliant devices | Manual, Disabled | 1.1.0 |
| Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Manual, Disabled | 1.1.0 |
| Develop and maintain baseline configurations | CMA_0153 - Develop and maintain baseline configurations | Manual, Disabled | 1.1.0 |
| Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
| Establish a configuration control board | CMA_0254 - Establish a configuration control board | Manual, Disabled | 1.1.0 |
| Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
| Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
| Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
| Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Manual, Disabled | 1.1.0 |
| Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
| Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
| Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
| Retain previous versions of baseline configs | CMA_C1181 - Retain previous versions of baseline configs | Manual, Disabled | 1.1.0 |
| Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
0644.10k3Organizational.4-10.k 10.05 Security In Development and Support Processes
ID: 0644.10k3Organizational.4-10.k
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assign account managers | CMA_0015 - Assign account managers | Manual, Disabled | 1.1.0 |
| Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
| Define and enforce conditions for shared and group accounts | CMA_0117 - Define and enforce conditions for shared and group accounts | Manual, Disabled | 1.1.0 |
| Define information system account types | CMA_0121 - Define information system account types | Manual, Disabled | 1.1.0 |
| Develop configuration item identification plan | CMA_C1231 - Develop configuration item identification plan | Manual, Disabled | 1.1.0 |
| Develop configuration management plan | CMA_C1232 - Develop configuration management plan | Manual, Disabled | 1.1.0 |
| Document access privileges | CMA_0186 - Document access privileges | Manual, Disabled | 1.1.0 |
| Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
| Establish conditions for role membership | CMA_0269 - Establish conditions for role membership | Manual, Disabled | 1.1.0 |
| Govern compliance of cloud service providers | CMA_0290 - Govern compliance of cloud service providers | Manual, Disabled | 1.1.0 |
| Monitor account activity | CMA_0377 - Monitor account activity | Manual, Disabled | 1.1.0 |
| Notify Account Managers of customer controlled accounts | CMA_C1009 - Notify Account Managers of customer controlled accounts | Manual, Disabled | 1.1.0 |
| Reissue authenticators for changed groups and accounts | CMA_0426 - Reissue authenticators for changed groups and accounts | Manual, Disabled | 1.1.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
| Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
| Review user accounts | CMA_0480 - Review user accounts | Manual, Disabled | 1.1.0 |
| View and configure system diagnostic data | CMA_0544 - View and configure system diagnostic data | Manual, Disabled | 1.1.0 |
| Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
ID: 0662.09sCSPOrganizational.2-09.s
Ownership: Shared
0663.10h1System.7-10.h 10.04 Security of System Files
ID: 0663.10h1System.7-10.h
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
| Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
| Detect network services that have not been authorized or approved | CMA_C1700 - Detect network services that have not been authorized or approved | Manual, Disabled | 1.1.0 |
| Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
| Document wireless access security controls | CMA_C1695 - Document wireless access security controls | Manual, Disabled | 1.1.0 |
| Employ automatic shutdown/restart when violations are detected | CMA_C1715 - Employ automatic shutdown/restart when violations are detected | Manual, Disabled | 1.1.0 |
| Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
| Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
| Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
| Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
| Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
| Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
| Verify software, firmware and information integrity | CMA_0542 - Verify software, firmware and information integrity | Manual, Disabled | 1.1.0 |
| View and configure system diagnostic data | CMA_0544 - View and configure system diagnostic data | Manual, Disabled | 1.1.0 |
0669.10hCSPSystem.1-10.h 10.04 Security of System Files
ID: 0669.10hCSPSystem.1-10.h
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Address coding vulnerabilities | CMA_0003 - Address coding vulnerabilities | Manual, Disabled | 1.1.0 |
| Configure actions for noncompliant devices | CMA_0062 - Configure actions for noncompliant devices | Manual, Disabled | 1.1.0 |
| Develop and document application security requirements | CMA_0148 - Develop and document application security requirements | Manual, Disabled | 1.1.0 |
| Develop and maintain baseline configurations | CMA_0153 - Develop and maintain baseline configurations | Manual, Disabled | 1.1.0 |
| Develop configuration item identification plan | CMA_C1231 - Develop configuration item identification plan | Manual, Disabled | 1.1.0 |
| Develop configuration management plan | CMA_C1232 - Develop configuration management plan | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
| Establish a configuration control board | CMA_0254 - Establish a configuration control board | Manual, Disabled | 1.1.0 |
| Establish a secure software development program | CMA_0259 - Establish a secure software development program | Manual, Disabled | 1.1.0 |
| Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
| Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
| Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Manual, Disabled | 1.1.0 |
| Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
| Require developers to manage change integrity | CMA_C1595 - Require developers to manage change integrity | Manual, Disabled | 1.1.0 |
0670.10hCSPSystem.2-10.h 10.04 Security of System Files
ID: 0670.10hCSPSystem.2-10.h
Ownership: Shared
0671.10k1System.1-10.k 10.05 Security In Development and Support Processes
ID: 0671.10k1System.1-10.k
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Address coding vulnerabilities | CMA_0003 - Address coding vulnerabilities | Manual, Disabled | 1.1.0 |
| Automate implementation of approved change notifications | CMA_C1196 - Automate implementation of approved change notifications | Manual, Disabled | 1.1.0 |
| Automate process to highlight unreviewed change proposals | CMA_C1193 - Automate process to highlight unreviewed change proposals | Manual, Disabled | 1.1.0 |
| Automate process to prohibit implementation of unapproved changes | CMA_C1194 - Automate process to prohibit implementation of unapproved changes | Manual, Disabled | 1.1.0 |
| Automate proposed documented changes | CMA_C1191 - Automate proposed documented changes | Manual, Disabled | 1.1.0 |
| Develop and document application security requirements | CMA_0148 - Develop and document application security requirements | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
| Establish a secure software development program | CMA_0259 - Establish a secure software development program | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
| Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
| Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
| Require developers to document approved changes and potential impact | CMA_C1597 - Require developers to document approved changes and potential impact | Manual, Disabled | 1.1.0 |
| Require developers to implement only approved changes | CMA_C1596 - Require developers to implement only approved changes | Manual, Disabled | 1.1.0 |
| Require developers to manage change integrity | CMA_C1595 - Require developers to manage change integrity | Manual, Disabled | 1.1.0 |
0672.10k3System.5-10.k 10.05 Security In Development and Support Processes
ID: 0672.10k3System.5-10.k
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
| Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Manual, Disabled | 1.1.0 |
| Employ automatic shutdown/restart when violations are detected | CMA_C1715 - Employ automatic shutdown/restart when violations are detected | Manual, Disabled | 1.1.0 |
| Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
| Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
| Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
| Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
| Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
| Prohibit binary/machine-executable code | CMA_C1717 - Prohibit binary/machine-executable code | Manual, Disabled | 1.1.0 |
| Verify software, firmware and information integrity | CMA_0542 - Verify software, firmware and information integrity | Manual, Disabled | 1.1.0 |
| View and configure system diagnostic data | CMA_0544 - View and configure system diagnostic data | Manual, Disabled | 1.1.0 |
068.06g2Organizational.34-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance
ID: 068.06g2Organizational.34-06.g
Ownership: Shared
069.06g2Organizational.56-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance
ID: 069.06g2Organizational.56-06.g
Ownership: Shared
07 Vulnerability Management
0701.07a1Organizational.12-07.a 07.01 Responsibility for Assets
ID: 0701.07a1Organizational.12-07.a
Ownership: Shared
0702.07a1Organizational.3-07.a 07.01 Responsibility for Assets
ID: 0702.07a1Organizational.3-07.a
Ownership: Shared
0703.07a2Organizational.1-07.a 07.01 Responsibility for Assets
ID: 0703.07a2Organizational.1-07.a
Ownership: Shared
0704.07a3Organizational.12-07.a 07.01 Responsibility for Assets
ID: 0704.07a3Organizational.12-07.a
Ownership: Shared
0705.07a3Organizational.3-07.a 07.01 Responsibility for Assets
ID: 0705.07a3Organizational.3-07.a
Ownership: Shared
0706.10b1System.12-10.b 10.02 Correct Processing in Applications
ID: 0706.10b1System.12-10.b
Ownership: Shared
0708.10b2System.2-10.b 10.02 Correct Processing in Applications
ID: 0708.10b2System.2-10.b
Ownership: Shared
0709.10m1Organizational.1-10.m 10.06 Technical Vulnerability Management
ID: 0709.10m1Organizational.1-10.m
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| A vulnerability assessment solution should be enabled on your virtual machines | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | AuditIfNotExists, Disabled | 3.0.0 |
| Assess Security Controls | CMA_C1145 - Assess Security Controls | Manual, Disabled | 1.1.0 |
| Deliver security assessment results | CMA_C1147 - Deliver security assessment results | Manual, Disabled | 1.1.0 |
| Develop security assessment plan | CMA_C1144 - Develop security assessment plan | Manual, Disabled | 1.1.0 |
| Produce Security Assessment report | CMA_C1146 - Produce Security Assessment report | Manual, Disabled | 1.1.0 |
| Select additional testing for security control assessments | CMA_C1149 - Select additional testing for security control assessments | Manual, Disabled | 1.1.0 |
| SQL databases should have vulnerability findings resolved | Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. | AuditIfNotExists, Disabled | 4.1.0 |
| Vulnerabilities in security configuration on your machines should be remediated | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.1.0 |
| Vulnerability assessment should be enabled on SQL Managed Instance | Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 1.0.1 |
| Vulnerability assessment should be enabled on your SQL servers | Audit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 3.0.0 |
| Windows machines should meet requirements for 'Security Options - Microsoft Network Server' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Server' for disabling SMB v1 server. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
0710.10m2Organizational.1-10.m 10.06 Technical Vulnerability Management
ID: 0710.10m2Organizational.1-10.m
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Configure actions for noncompliant devices | CMA_0062 - Configure actions for noncompliant devices | Manual, Disabled | 1.1.0 |
| Develop and maintain baseline configurations | CMA_0153 - Develop and maintain baseline configurations | Manual, Disabled | 1.1.0 |
| Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
| Establish a configuration control board | CMA_0254 - Establish a configuration control board | Manual, Disabled | 1.1.0 |
| Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Manual, Disabled | 1.1.0 |
| Govern compliance of cloud service providers | CMA_0290 - Govern compliance of cloud service providers | Manual, Disabled | 1.1.0 |
| Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Manual, Disabled | 1.1.0 |
| View and configure system diagnostic data | CMA_0544 - View and configure system diagnostic data | Manual, Disabled | 1.1.0 |
| Vulnerability assessment should be enabled on SQL Managed Instance | Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 1.0.1 |
0711.10m2Organizational.23-10.m 10.06 Technical Vulnerability Management
ID: 0711.10m2Organizational.23-10.m
Ownership: Shared
0712.10m2Organizational.4-10.m 10.06 Technical Vulnerability Management
ID: 0712.10m2Organizational.4-10.m
Ownership: Shared
0713.10m2Organizational.5-10.m 10.06 Technical Vulnerability Management
ID: 0713.10m2Organizational.5-10.m
Ownership: Shared
0714.10m2Organizational.7-10.m 10.06 Technical Vulnerability Management
ID: 0714.10m2Organizational.7-10.m
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
| Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
| Correlate audit records | CMA_0087 - Correlate audit records | Manual, Disabled | 1.1.0 |
| Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
| Establish requirements for audit review and reporting | CMA_0277 - Establish requirements for audit review and reporting | Manual, Disabled | 1.1.0 |
| Implement privileged access for executing vulnerability scanning activities | CMA_C1555 - Implement privileged access for executing vulnerability scanning activities | Manual, Disabled | 1.1.0 |
| Integrate audit review, analysis, and reporting | CMA_0339 - Integrate audit review, analysis, and reporting | Manual, Disabled | 1.1.0 |
| Integrate cloud app security with a siem | CMA_0340 - Integrate cloud app security with a siem | Manual, Disabled | 1.1.0 |
| Observe and report security weaknesses | CMA_0384 - Observe and report security weaknesses | Manual, Disabled | 1.1.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| Perform threat modeling | CMA_0392 - Perform threat modeling | Manual, Disabled | 1.1.0 |
| Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
| Review administrator assignments weekly | CMA_0461 - Review administrator assignments weekly | Manual, Disabled | 1.1.0 |
| Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
| Review cloud identity report overview | CMA_0468 - Review cloud identity report overview | Manual, Disabled | 1.1.0 |
| Review controlled folder access events | CMA_0471 - Review controlled folder access events | Manual, Disabled | 1.1.0 |
| Review exploit protection events | CMA_0472 - Review exploit protection events | Manual, Disabled | 1.1.0 |
| Review file and folder activity | CMA_0473 - Review file and folder activity | Manual, Disabled | 1.1.0 |
| Review role group changes weekly | CMA_0476 - Review role group changes weekly | Manual, Disabled | 1.1.0 |
0716.10m3Organizational.1-10.m 10.06 Technical Vulnerability Management
ID: 0716.10m3Organizational.1-10.m
Ownership: Shared
0717.10m3Organizational.2-10.m 10.06 Technical Vulnerability Management
ID: 0717.10m3Organizational.2-10.m
Ownership: Shared
0718.10m3Organizational.34-10.m 10.06 Technical Vulnerability Management
ID: 0718.10m3Organizational.34-10.m
Ownership: Shared
0719.10m3Organizational.5-10.m 10.06 Technical Vulnerability Management
ID: 0719.10m3Organizational.5-10.m
Ownership: Shared
0720.07a1Organizational.4-07.a 07.01 Responsibility for Assets
ID: 0720.07a1Organizational.4-07.a
Ownership: Shared
0722.07a1Organizational.67-07.a 07.01 Responsibility for Assets
ID: 0722.07a1Organizational.67-07.a
Ownership: Shared
0723.07a1Organizational.8-07.a 07.01 Responsibility for Assets
ID: 0723.07a1Organizational.8-07.a
Ownership: Shared
0724.07a3Organizational.4-07.a 07.01 Responsibility for Assets
ID: 0724.07a3Organizational.4-07.a
Ownership: Shared
0725.07a3Organizational.5-07.a 07.01 Responsibility for Assets
ID: 0725.07a3Organizational.5-07.a
Ownership: Shared
0733.10b2System.4-10.b 10.02 Correct Processing in Applications
ID: 0733.10b2System.4-10.b
Ownership: Shared
0786.10m2Organizational.13-10.m 10.06 Technical Vulnerability Management
ID: 0786.10m2Organizational.13-10.m
Ownership: Shared
0787.10m2Organizational.14-10.m 10.06 Technical Vulnerability Management
ID: 0787.10m2Organizational.14-10.m
Ownership: Shared
0788.10m3Organizational.20-10.m 10.06 Technical Vulnerability Management
ID: 0788.10m3Organizational.20-10.m
Ownership: Shared
0790.10m3Organizational.22-10.m 10.06 Technical Vulnerability Management
ID: 0790.10m3Organizational.22-10.m
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
| Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
| Correlate audit records | CMA_0087 - Correlate audit records | Manual, Disabled | 1.1.0 |
| Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
| Establish requirements for audit review and reporting | CMA_0277 - Establish requirements for audit review and reporting | Manual, Disabled | 1.1.0 |
| Integrate audit review, analysis, and reporting | CMA_0339 - Integrate audit review, analysis, and reporting | Manual, Disabled | 1.1.0 |
| Integrate cloud app security with a siem | CMA_0340 - Integrate cloud app security with a siem | Manual, Disabled | 1.1.0 |
| Observe and report security weaknesses | CMA_0384 - Observe and report security weaknesses | Manual, Disabled | 1.1.0 |
| Perform threat modeling | CMA_0392 - Perform threat modeling | Manual, Disabled | 1.1.0 |
| Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
| Review administrator assignments weekly | CMA_0461 - Review administrator assignments weekly | Manual, Disabled | 1.1.0 |
| Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
| Review cloud identity report overview | CMA_0468 - Review cloud identity report overview | Manual, Disabled | 1.1.0 |
| Review controlled folder access events | CMA_0471 - Review controlled folder access events | Manual, Disabled | 1.1.0 |
| Review exploit protection events | CMA_0472 - Review exploit protection events | Manual, Disabled | 1.1.0 |
| Review file and folder activity | CMA_0473 - Review file and folder activity | Manual, Disabled | 1.1.0 |
| Review role group changes weekly | CMA_0476 - Review role group changes weekly | Manual, Disabled | 1.1.0 |
0791.10b2Organizational.4-10.b 10.02 Correct Processing in Applications
ID: 0791.10b2Organizational.4-10.b
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Address coding vulnerabilities | CMA_0003 - Address coding vulnerabilities | Manual, Disabled | 1.1.0 |
| Develop and document application security requirements | CMA_0148 - Develop and document application security requirements | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Establish a secure software development program | CMA_0259 - Establish a secure software development program | Manual, Disabled | 1.1.0 |
| Require developers to document approved changes and potential impact | CMA_C1597 - Require developers to document approved changes and potential impact | Manual, Disabled | 1.1.0 |
| Require developers to implement only approved changes | CMA_C1596 - Require developers to implement only approved changes | Manual, Disabled | 1.1.0 |
| Require developers to manage change integrity | CMA_C1595 - Require developers to manage change integrity | Manual, Disabled | 1.1.0 |
| Verify software, firmware and information integrity | CMA_0542 - Verify software, firmware and information integrity | Manual, Disabled | 1.1.0 |
0805.01m1Organizational.12-01.m 01.04 Network Access Control
ID : 0805.01m1Organizational.12-01.m
Ownership : Shared
Name (Azure portal)
Description
Effect(s)
Version (GitHub)
[Preview]: Container Registry should use a virtual network service endpoint
This policy audits any Container Registry not configured to use a virtual network service endpoint.
Audit, Disabled
1.0.0-preview
App Service apps should use a virtual network service endpoint
Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit https://aka.ms/appservice-vnet-service-endpoint .
AuditIfNotExists, Disabled
2.0.1
Cosmos DB should use a virtual network service endpoint
This policy audits any Cosmos DB not configured to use a virtual network service endpoint.
Audit, Disabled
1.0.0
Event Hub should use a virtual network service endpoint
This policy audits any Event Hub not configured to use a virtual network service endpoint.
AuditIfNotExists, Disabled
1.0.0
Gateway subnets should not be configured with a network security group
This policy denies if a gateway subnet is configured with a network security group. Assigning a network security group to a gateway subnet will cause the gateway to stop functioning.
deny
1.0.0
Implement system boundary protection
CMA_0328 - Implement system boundary protection
Manual, Disabled
1.1.0
Internet-facing virtual machines should be protected with network security groups
Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc
AuditIfNotExists, Disabled
3.0.0
Key Vault should use a virtual network service endpoint
This policy audits any Key Vault not configured to use a virtual network service endpoint.
Audit, Disabled
1.0.0
SQL Server should use a virtual network service endpoint
This policy audits any SQL Server not configured to use a virtual network service endpoint.
AuditIfNotExists, Disabled
1.0.0
Storage Accounts should use a virtual network service endpoint
This policy audits any Storage Account not configured to use a virtual network service endpoint.
Audit, Disabled
1.0.0
Subnets should be associated with a Network Security Group
Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.
AuditIfNotExists, Disabled
3.0.0
Virtual machines should be connected to an approved virtual network
This policy audits any virtual machine connected to a virtual network that is not approved.
Audit, Deny, Disabled
1.0.0
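The NSG, service-endpoint and approved-network policies in the table above each audit one or two resource properties, and the gateway-subnet deny shows that "every subnet gets an NSG" has an exception. The Python below is an added example, not code from this page or from the built-in initiative: it re-implements those checks offline over constructed ARM-style resource documents so the exact property each policy inspects is explicit. Field names follow the ARM schemas for Microsoft.Network/virtualNetworks, Microsoft.Storage/storageAccounts and Microsoft.Network/networkInterfaces; exempting AzureFirewallSubnet alongside GatewaySubnet, and requiring networkAcls.defaultAction to be Deny before a service-endpoint rule counts, are this example's assumptions rather than part of the built-in rules.

```python
from dataclasses import dataclass

# Azure-managed subnets that must not carry an NSG. GatewaySubnet is the case the
# deny policy above addresses; treating AzureFirewallSubnet the same way is an assumption.
NSG_EXEMPT_SUBNETS = {"GatewaySubnet", "AzureFirewallSubnet"}


@dataclass(frozen=True)
class Finding:
    resource: str      # resource name, or vnet/subnet path
    policy: str        # short tag for the policy being emulated
    compliant: bool
    detail: str = ""


def check_subnets(vnet: dict) -> list[Finding]:
    """Emulates 'Subnets should be associated with a Network Security Group' and
    'Gateway subnets should not be configured with a network security group'
    over one Microsoft.Network/virtualNetworks document."""
    findings = []
    for subnet in vnet["properties"]["subnets"]:
        name = subnet["name"]
        path = f"{vnet['name']}/{name}"
        nsg_id = subnet.get("properties", {}).get("networkSecurityGroup", {}).get("id")
        if name in NSG_EXEMPT_SUBNETS:
            # Inverted requirement: an NSG here breaks the gateway, so presence is the failure.
            findings.append(Finding(path, "gateway-subnet-no-nsg", nsg_id is None,
                                    "" if nsg_id is None else f"NSG attached: {nsg_id}"))
        else:
            findings.append(Finding(path, "subnet-has-nsg", nsg_id is not None,
                                    "" if nsg_id else "no networkSecurityGroup.id"))
    return findings


def check_storage_endpoint(account: dict) -> Finding:
    """Emulates 'Storage Accounts should use a virtual network service endpoint'.
    The audit above is satisfied by any virtualNetworkRules entry; this check is
    stricter (assumption) and also requires defaultAction == 'Deny', because a
    rule next to an Allow default leaves the account reachable from any network."""
    acls = account.get("properties", {}).get("networkAcls", {})
    rules = [r for r in acls.get("virtualNetworkRules", []) if r.get("id")]
    if not rules:
        return Finding(account["name"], "storage-service-endpoint", False, "no virtualNetworkRules")
    if acls.get("defaultAction", "Allow") != "Deny":
        return Finding(account["name"], "storage-service-endpoint", False,
                       "virtualNetworkRules present but defaultAction is Allow")
    return Finding(account["name"], "storage-service-endpoint", True)


def check_vm_vnet(nic: dict, approved_vnet_ids: set[str]) -> Finding:
    """Emulates 'Virtual machines should be connected to an approved virtual network':
    the NIC's subnet ID up to '/subnets/' is the virtual network ID, which must be
    on the allow-list (resource IDs are compared case-insensitively)."""
    subnet_id = nic["properties"]["ipConfigurations"][0]["properties"]["subnet"]["id"]
    vnet_id = subnet_id.split("/subnets/")[0]
    ok = vnet_id.lower() in {v.lower() for v in approved_vnet_ids}
    return Finding(nic["name"], "vm-approved-vnet", ok, "" if ok else f"unapproved vnet {vnet_id}")


def noncompliant(findings: list[Finding]) -> list[str]:
    """'resource:policy' tags for every failed check, sorted for stable output."""
    return sorted(f"{f.resource}:{f.policy}" for f in findings if not f.compliant)


# Constructed sample resources (not real Azure output).
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
NSG = f"{RG}/providers/Microsoft.Network/networkSecurityGroups"
VNET_ID = f"{RG}/providers/Microsoft.Network/virtualNetworks/vnet-hub"
SAMPLE_VNET = {"name": "vnet-hub", "properties": {"subnets": [
    {"name": "app", "properties": {"networkSecurityGroup": {"id": f"{NSG}/nsg-app"}}},
    {"name": "data", "properties": {}},                                   # no NSG: fails
    {"name": "GatewaySubnet", "properties": {"networkSecurityGroup": {"id": f"{NSG}/nsg-gw"}}},
]}}
SAMPLE_STORAGE = [
    {"name": "stlocked", "properties": {"networkAcls": {"defaultAction": "Deny",
        "virtualNetworkRules": [{"id": f"{VNET_ID}/subnets/app"}]}}},
    {"name": "stdecorative", "properties": {"networkAcls": {"defaultAction": "Allow",
        "virtualNetworkRules": [{"id": f"{VNET_ID}/subnets/app"}]}}},
    {"name": "stopen", "properties": {"networkAcls": {"defaultAction": "Allow"}}},
]
SAMPLE_NIC = {"name": "nic-web", "properties": {"ipConfigurations": [{"properties": {"subnet": {
    "id": f"{RG}/providers/Microsoft.Network/virtualNetworks/vnet-rogue/subnets/default"}}}]}}


def evaluate_sample() -> list[str]:
    findings = check_subnets(SAMPLE_VNET)
    findings += [check_storage_endpoint(a) for a in SAMPLE_STORAGE]
    findings.append(check_vm_vnet(SAMPLE_NIC, {VNET_ID}))
    return noncompliant(findings)


if __name__ == "__main__":
    for tag in evaluate_sample():
        print("NONCOMPLIANT", tag)
```

Running the sample flags the NSG-less data subnet, the NSG on GatewaySubnet, both storage accounts whose default action is Allow, and the NIC attached to an unlisted virtual network; the Allow-default account is the case the built-in audit alone would pass.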
0806.01m2Organizational.12356-01.m 01.04 Network Access Control
ID : 0806.01m2Organizational.12356-01.m
Ownership : Shared
Name (Azure portal)
Description
Effect(s)
Version (GitHub)
[Preview]: Container Registry should use a virtual network service endpoint
This policy audits any Container Registry not configured to use a virtual network service endpoint.
Audit, Disabled
1.0.0-preview
App Service apps should use a virtual network service endpoint
Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit https://aka.ms/appservice-vnet-service-endpoint .
AuditIfNotExists, Disabled
2.0.1
Cosmos DB should use a virtual network service endpoint
This policy audits any Cosmos DB not configured to use a virtual network service endpoint.
Audit, Disabled
1.0.0
Event Hub should use a virtual network service endpoint
This policy audits any Event Hub not configured to use a virtual network service endpoint.
AuditIfNotExists, Disabled
1.0.0
Gateway subnets should not be configured with a network security group
This policy denies if a gateway subnet is configured with a network security group. Assigning a network security group to a gateway subnet will cause the gateway to stop functioning.
deny
1.0.0
Implement system boundary protection
CMA_0328 - Implement system boundary protection
Manual, Disabled
1.1.0
Internet-facing virtual machines should be protected with network security groups
Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc
AuditIfNotExists, Disabled
3.0.0
Isolate SecurID systems, Security Incident Management systems
CMA_C1636 - Isolate SecurID systems, Security Incident Management systems
Manual, Disabled
1.1.0
Key Vault should use a virtual network service endpoint
This policy audits any Key Vault not configured to use a virtual network service endpoint.
Audit, Disabled
1.0.0
SQL Server should use a virtual network service endpoint
This policy audits any SQL Server not configured to use a virtual network service endpoint.
AuditIfNotExists, Disabled
1.0.0
Storage Accounts should use a virtual network service endpoint
This policy audits any Storage Account not configured to use a virtual network service endpoint.
Audit, Disabled
1.0.0
Subnets should be associated with a Network Security Group
Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.
AuditIfNotExists, Disabled
3.0.0
Virtual machines should be connected to an approved virtual network
This policy audits any virtual machine connected to a virtual network that is not approved.
Audit, Deny, Disabled
1.0.0
0808.10b2System.3-10.b 10.02 Correct Processing in Applications
ID : 0808.10b2System.3-10.b
Ownership : Shared
0809.01n2Organizational.1234-01.n 01.04 Network Access Control
ID : 0809.01n2Organizational.1234-01.n
Ownership : Shared
Name (Azure portal)
Description
Effect(s)
Version (GitHub)
App Service apps should only be accessible over HTTPS
Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.
Audit, Disabled, Deny
4.0.0
App Service apps should use the latest TLS version
Newer TLS versions are released periodically to fix security flaws, add functionality, and improve performance. Upgrade App Service apps to the latest TLS version to take advantage of those security fixes and new features.
AuditIfNotExists, Disabled
2.1.0
Authorize, monitor, and control voip
CMA_0025 - Authorize, monitor, and control voip
Manual, Disabled
1.1.0
Enforce SSL connection should be enabled for MySQL database servers
Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.
Audit, Disabled
1.0.1
Enforce SSL connection should be enabled for PostgreSQL database servers
Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.
Audit, Disabled
1.0.1
Function apps should only be accessible over HTTPS
Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.
Audit, Disabled, Deny
5.0.0
Function apps should use the latest TLS version
Newer TLS versions are released periodically to fix security flaws, add functionality, and improve performance. Upgrade Function apps to the latest TLS version to take advantage of those security fixes and new features.
AuditIfNotExists, Disabled
2.1.0
Implement managed interface for each external service
CMA_C1626 - Implement managed interface for each external service
Manual, Disabled
1.1.0
Implement system boundary protection
CMA_0328 - Implement system boundary protection
Manual, Disabled
1.1.0
Internet-facing virtual machines should be protected with network security groups
Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc
AuditIfNotExists, Disabled
3.0.0
Manage gateways
CMA_0363 - Manage gateways
Manual, Disabled
1.1.0
Only secure connections to your Azure Cache for Redis should be enabled
Audits whether Azure Cache for Redis accepts only SSL connections (that is, the non-SSL port is disabled). Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session hijacking.
Audit, Deny, Disabled
1.0.0
Route traffic through managed network access points
CMA_0484 - Route traffic through managed network access points
Manual, Disabled
1.1.0
Secure the interface to external systems
CMA_0491 - Secure the interface to external systems
Manual, Disabled
1.1.0
Secure transfer to storage accounts should be enabled
Audits whether Secure transfer is required on the storage account. Secure transfer forces the storage account to accept requests only over secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session hijacking.
Audit, Deny, Disabled
2.0.0
Subnets should be associated with a Network Security Group
Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.
AuditIfNotExists, Disabled
3.0.0
Virtual machines should be connected to an approved virtual network
This policy audits any virtual machine connected to a virtual network that is not approved.
Audit, Deny, Disabled
1.0.0
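The HTTPS-only, latest-TLS, SSL-enforcement and secure-transfer policies in this table each reduce to a single resource property with an expected value. The Python below is an added example, not code from this page or from the initiative: it encodes those properties as a small rule table in the style of Azure Policy field/condition pairs, evaluates constructed ARM-style resource documents against it, and treats a missing property as noncompliant, which is the conservative reading a reviewer wants when an exported template omits defaults. Property names follow the ARM schemas for Microsoft.Web/sites, Microsoft.Storage/storageAccounts, Microsoft.Cache/Redis and the Microsoft.DBforMySQL / Microsoft.DBforPostgreSQL server types; accepting TLS 1.3 as well as 1.2 as "latest" is this example's assumption.

```python
from dataclasses import dataclass
from typing import Any, Callable


@dataclass(frozen=True)
class Rule:
    policy: str                       # short tag for the policy being emulated
    resource_type: str                # ARM resource type the rule applies to
    path: str                         # dotted path under 'properties'
    compliant: Callable[[Any], bool]  # predicate over the property value


def get_path(props: dict, path: str) -> Any:
    """Walks a dotted path; returns None when any segment is missing."""
    cur: Any = props
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


# Protocol versions accepted as 'latest'. Including 1.3 is this example's assumption.
LATEST_TLS = {"1.2", "1.3"}

RULES = [
    # App Service and Function apps share the Microsoft.Web/sites type; 'kind' tells them apart.
    Rule("https-only", "Microsoft.Web/sites", "httpsOnly", lambda v: v is True),
    Rule("latest-tls", "Microsoft.Web/sites", "siteConfig.minTlsVersion", lambda v: v in LATEST_TLS),
    Rule("secure-transfer", "Microsoft.Storage/storageAccounts", "supportsHttpsTrafficOnly", lambda v: v is True),
    Rule("redis-ssl-only", "Microsoft.Cache/Redis", "enableNonSslPort", lambda v: v is False),
    Rule("mysql-enforce-ssl", "Microsoft.DBforMySQL/servers", "sslEnforcement", lambda v: v == "Enabled"),
    Rule("postgres-enforce-ssl", "Microsoft.DBforPostgreSQL/servers", "sslEnforcement", lambda v: v == "Enabled"),
]


def evaluate(resources: list[dict], rules: list[Rule] = RULES) -> dict[str, list[str]]:
    """Returns {resource name: ['policy=observed value', ...]} for every failing resource.
    A missing property yields None, which no predicate accepts, so absence is a failure."""
    failures: dict[str, list[str]] = {}
    for res in resources:
        props = res.get("properties", {})
        for rule in rules:
            if rule.resource_type.lower() != res["type"].lower():
                continue
            value = get_path(props, rule.path)
            if not rule.compliant(value):
                failures.setdefault(res["name"], []).append(f"{rule.policy}={value!r}")
    return failures


# Constructed sample resources (not real Azure output).
SAMPLE_RESOURCES = [
    {"type": "Microsoft.Web/sites", "kind": "app", "name": "web-good",
     "properties": {"httpsOnly": True, "siteConfig": {"minTlsVersion": "1.2"}}},
    {"type": "Microsoft.Web/sites", "kind": "functionapp", "name": "func-legacy",
     "properties": {"httpsOnly": False, "siteConfig": {"minTlsVersion": "1.0"}}},
    {"type": "Microsoft.Web/sites", "kind": "app", "name": "web-defaults",
     "properties": {"httpsOnly": True}},                      # minTlsVersion omitted
    {"type": "Microsoft.Storage/storageAccounts", "name": "stplain",
     "properties": {"supportsHttpsTrafficOnly": False}},
    {"type": "Microsoft.Cache/Redis", "name": "redis-open",
     "properties": {"enableNonSslPort": True}},
    {"type": "Microsoft.DBforMySQL/servers", "name": "mysql-ok",
     "properties": {"sslEnforcement": "Enabled"}},
    {"type": "Microsoft.DBforPostgreSQL/servers", "name": "pg-off",
     "properties": {"sslEnforcement": "Disabled"}},
]


def evaluate_sample() -> dict[str, list[str]]:
    return evaluate(SAMPLE_RESOURCES)


if __name__ == "__main__":
    for name, failed in sorted(evaluate_sample().items()):
        print(f"{name}: {', '.join(failed)}")
```

The rule table is the point: each entry names the property the corresponding audit reads, so adding a new transport control is one line, and the web-defaults case shows why a property that is simply absent from a template should be reported rather than assumed compliant.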
0810.01n2Organizational.5-01.n 01.04 Network Access Control
ID : 0810.01n2Organizational.5-01.n
Ownership : Shared
Name (Azure portal)
Description
Effect(s)
Version (GitHub)
App Service apps should only be accessible over HTTPS
Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.
Audit, Disabled, Deny
4.0.0
App Service apps should use the latest TLS version
Newer TLS versions are released periodically to fix security flaws, add functionality, and improve performance. Upgrade App Service apps to the latest TLS version to take advantage of those security fixes and new features.
AuditIfNotExists, Disabled
2.1.0
Configure workstations to check for digital certificates
CMA_0073 - Configure workstations to check for digital certificates
Manual, Disabled
1.1.0
Define cryptographic use
CMA_0120 - Define cryptographic use
Manual, Disabled
1.1.0
Enforce SSL connection should be enabled for MySQL database servers
Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.
Audit, Disabled
1.0.1
Enforce SSL connection should be enabled for PostgreSQL database servers
Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.
Audit, Disabled
1.0.1
Function apps should only be accessible over HTTPS
Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.
Audit, Disabled, Deny
5.0.0
Function apps should use the latest TLS version
Newer TLS versions are released periodically to fix security flaws, add functionality, and improve performance. Upgrade Function apps to the latest TLS version to take advantage of those security fixes and new features.
AuditIfNotExists, Disabled
2.1.0
Internet-facing virtual machines should be protected with network security groups
Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc
AuditIfNotExists, Disabled
3.0.0
Only secure connections to your Azure Cache for Redis should be enabled
Audits whether Azure Cache for Redis accepts only SSL connections (that is, the non-SSL port is disabled). Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session hijacking.
Audit, Deny, Disabled
1.0.0
Produce, control and distribute asymmetric cryptographic keys
CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys
Manual, Disabled
1.1.0
Protect data in transit using encryption
CMA_0403 - Protect data in transit using encryption
Manual, Disabled
1.1.0
Protect passwords with encryption
CMA_0408 - Protect passwords with encryption
Manual, Disabled
1.1.0
Secure transfer to storage accounts should be enabled
Audits whether Secure transfer is required on the storage account. Secure transfer forces the storage account to accept requests only over secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session hijacking.
Audit, Deny, Disabled
2.0.0
Subnets should be associated with a Network Security Group
Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.
AuditIfNotExists, Disabled
3.0.0
Virtual machines should be connected to an approved virtual network
This policy audits any virtual machine connected to a virtual network that is not approved.
Audit, Deny, Disabled
1.0.0
08101.09m2Organizational.14-09.m 09.06 Network Security Management
ID : 08101.09m2Organizational.14-09.m
Ownership : Shared
08102.09nCSPOrganizational.1-09.n 09.06 Network Security Management
ID : 08102.09nCSPOrganizational.1-09.n
Ownership : Shared
0811.01n2Organizational.6-01.n 01.04 Network Access Control
ID : 0811.01n2Organizational.6-01.n
Ownership : Shared
Name (Azure portal)
Description
Effect(s)
Version (GitHub)
App Service apps should only be accessible over HTTPS
Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.
Audit, Disabled, Deny
4.0.0
App Service apps should use the latest TLS version
Newer TLS versions are released periodically to fix security flaws, add functionality, and improve performance. Upgrade App Service apps to the latest TLS version to take advantage of those security fixes and new features.
AuditIfNotExists, Disabled
2.1.0
Authorize, monitor, and control voip
CMA_0025 - Authorize, monitor, and control voip
Manual, Disabled
1.1.0
Control information flow
CMA_0079 - Control information flow
Manual, Disabled
1.1.0
Determine information protection needs
CMA_C1750 - Determine information protection needs
Manual, Disabled
1.1.0
Employ flow control mechanisms of encrypted information
CMA_0211 - Employ flow control mechanisms of encrypted information
Manual, Disabled
1.1.0
Enforce SSL connection should be enabled for MySQL database servers
Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.
Audit, Disabled
1.0.1
Enforce SSL connection should be enabled for PostgreSQL database servers
Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.
Audit, Disabled
1.0.1
Establish firewall and router configuration standards
CMA_0272 - Establish firewall and router configuration standards
Manual, Disabled
1.1.0
Establish network segmentation for card holder data environment
CMA_0273 - Establish network segmentation for card holder data environment
Manual, Disabled
1.1.0
Function apps should only be accessible over HTTPS
Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.
Audit, Disabled, Deny
5.0.0
Function apps should use the latest TLS version
Newer TLS versions are released periodically to fix security flaws, add functionality, and improve performance. Upgrade Function apps to the latest TLS version to take advantage of those security fixes and new features.
AuditIfNotExists, Disabled
2.1.0
Identify and manage downstream information exchanges
CMA_0298 - Identify and manage downstream information exchanges
Manual, Disabled
1.1.0
Implement managed interface for each external service
CMA_C1626 - Implement managed interface for each external service
Manual, Disabled
1.1.0
Implement system boundary protection
CMA_0328 - Implement system boundary protection
Manual, Disabled
1.1.0
Information flow control using security policy filters
CMA_C1029 - Information flow control using security policy filters
Manual, Disabled
1.1.0
Internet-facing virtual machines should be protected with network security groups
Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc
AuditIfNotExists, Disabled
3.0.0
Only secure connections to your Azure Cache for Redis should be enabled
Audits whether Azure Cache for Redis accepts only SSL connections (that is, the non-SSL port is disabled). Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session hijacking.
Audit, Deny, Disabled
1.0.0
Route traffic through managed network access points
CMA_0484 - Route traffic through managed network access points
Manual, Disabled
1.1.0
Secure the interface to external systems
CMA_0491 - Secure the interface to external systems
Manual, Disabled
1.1.0
Secure transfer to storage accounts should be enabled
Audits whether Secure transfer is required on the storage account. Secure transfer forces the storage account to accept requests only over secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session hijacking.
Audit, Deny, Disabled
2.0.0
Subnets should be associated with a Network Security Group
Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.
AuditIfNotExists, Disabled
3.0.0
Virtual machines should be connected to an approved virtual network
This policy audits any virtual machine connected to a virtual network that is not approved.
Audit, Deny, Disabled
1.0.0
0812.01n2Organizational.8-01.n 01.04 Network Access Control
ID : 0812.01n2Organizational.8-01.n
Ownership : Shared
Name (Azure portal)
Description
Effect(s)
Version (GitHub)
App Service apps should only be accessible over HTTPS
Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.
Audit, Disabled, Deny
4.0.0
App Service apps should use the latest TLS version
Newer TLS versions are released periodically to fix security flaws, add functionality, and improve performance. Upgrade App Service apps to the latest TLS version to take advantage of those security fixes and new features.
AuditIfNotExists, Disabled
2.1.0
Enforce SSL connection should be enabled for MySQL database servers
Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.
Audit, Disabled
1.0.1
Enforce SSL connection should be enabled for PostgreSQL database servers
Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.
Audit, Disabled
1.0.1
Function apps should only be accessible over HTTPS
Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.
Audit, Disabled, Deny
5.0.0
Function apps should use the latest TLS version
Newer TLS versions are released periodically to fix security flaws, add functionality, and improve performance. Upgrade Function apps to the latest TLS version to take advantage of those security fixes and new features.
AuditIfNotExists, Disabled
2.1.0
Internet-facing virtual machines should be protected with network security groups
Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc
AuditIfNotExists, Disabled
3.0.0
Only secure connections to your Azure Cache for Redis should be enabled
Audits whether Azure Cache for Redis accepts only SSL connections (that is, the non-SSL port is disabled). Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session hijacking.
Audit, Deny, Disabled
1.0.0
Prevent split tunneling for remote devices
CMA_C1632 - Prevent split tunneling for remote devices
Manual, Disabled
1.1.0
Secure transfer to storage accounts should be enabled
Audits whether Secure transfer is required on the storage account. Secure transfer forces the storage account to accept requests only over secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session hijacking.
Audit, Deny, Disabled
2.0.0
Subnets should be associated with a Network Security Group
Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.
AuditIfNotExists, Disabled
3.0.0
Virtual machines should be connected to an approved virtual network
This policy audits any virtual machine connected to a virtual network that is not approved.
Audit, Deny, Disabled
1.0.0
0814.01n1Organizational.12-01.n 01.04 Network Access Control
ID : 0814.01n1Organizational.12-01.n
Ownership : Shared
Name (Azure portal)
Description
Effect(s)
Version (GitHub)
App Service apps should only be accessible over HTTPS
Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.
Audit, Disabled, Deny
4.0.0
App Service apps should use the latest TLS version
Newer TLS versions are released periodically to fix security flaws, add functionality, and improve performance. Upgrade App Service apps to the latest TLS version to take advantage of those security fixes and new features.
AuditIfNotExists, Disabled
2.1.0
Enforce SSL connection should be enabled for MySQL database servers
Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.
Audit, Disabled
1.0.1
Enforce SSL connection should be enabled for PostgreSQL database servers
Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.
Audit, Disabled
1.0.1
Function apps should only be accessible over HTTPS
Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.
Audit, Disabled, Deny
5.0.0
Function apps should use the latest TLS version
Newer TLS versions are released periodically to fix security flaws, add functionality, and improve performance. Upgrade Function apps to the latest TLS version to take advantage of those security fixes and new features.
AuditIfNotExists, Disabled
2.1.0
Internet-facing virtual machines should be protected with network security groups
Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc
AuditIfNotExists, Disabled
3.0.0
Only secure connections to your Azure Cache for Redis should be enabled
Audits whether Azure Cache for Redis accepts only SSL connections (that is, the non-SSL port is disabled). Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session hijacking.
Audit, Deny, Disabled
1.0.0
Secure transfer to storage accounts should be enabled
Audits whether Secure transfer is required on the storage account. Secure transfer forces the storage account to accept requests only over secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session hijacking.
Audit, Deny, Disabled
2.0.0
Subnets should be associated with a Network Security Group
Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.
AuditIfNotExists, Disabled
3.0.0
Virtual machines should be connected to an approved virtual network
This policy audits any virtual machine connected to a virtual network that is not approved.
Audit, Deny, Disabled
1.0.0
0815.01o2Organizational.123-01.o 01.04 Network Access Control
ID : 0815.01o2Organizational.123-01.o
Ownership : Shared
ID : 0816.01w1System.1-01.w
Ownership : Shared
ID : 0817.01w2System.123-01.w
Ownership : Shared
Name (Azure portal)
Description
Effect(s)
Version (GitHub)
Adopt biometric authentication mechanisms
CMA_0005 - Adopt biometric authentication mechanisms
Manual, Disabled
1.1.0
Authorize remote access
CMA_0024 - Authorize remote access
Manual, Disabled
1.1.0
Control information flow
CMA_0079 - Control information flow
Manual, Disabled
1.1.0
Employ boundary protection to isolate information systems
CMA_C1639 - Employ boundary protection to isolate information systems
Manual, Disabled
1.1.0
Ensure system capable of dynamic isolation of resources
CMA_C1638 - Ensure system capable of dynamic isolation of resources
Manual, Disabled
1.1.0
Establish firewall and router configuration standards
CMA_0272 - Establish firewall and router configuration standards
Manual, Disabled
1.1.0
Establish network segmentation for card holder data environment
CMA_0273 - Establish network segmentation for card holder data environment
Manual, Disabled
1.1.0
Identify and manage downstream information exchanges
CMA_0298 - Identify and manage downstream information exchanges
Manual, Disabled
1.1.0
Implement system boundary protection
CMA_0328 - Implement system boundary protection
Manual, Disabled
1.1.0
Isolate SecurID systems, Security Incident Management systems
CMA_C1636 - Isolate SecurID systems, Security Incident Management systems
Manual, Disabled
1.1.0
Maintain separate execution domains for running processes
CMA_C1665 - Maintain separate execution domains for running processes
Manual, Disabled
1.1.0
Separate user and information system management functionality
CMA_0493 - Separate user and information system management functionality
Manual, Disabled
1.1.0
Use dedicated machines for administrative tasks
CMA_0527 - Use dedicated machines for administrative tasks
Manual, Disabled
1.1.0
ID : 0818.01w3System.12-01.w
Ownership : Shared
0819.09m1Organizational.23-09.m 09.06 Network Security Management
ID : 0819.09m1Organizational.23-09.m
Ownership : Shared
0821.09m2Organizational.2-09.m 09.06 Network Security Management
ID : 0821.09m2Organizational.2-09.m
Ownership : Shared
Name (Azure portal)
Description
Effect(s)
Version (GitHub)
Conduct a security impact analysis
CMA_0057 - Conduct a security impact analysis
Manual, Disabled
1.1.0
Configure actions for noncompliant devices
CMA_0062 - Configure actions for noncompliant devices
Manual, Disabled
1.1.0
Create configuration plan protection
CMA_C1233 - Create configuration plan protection
Manual, Disabled
1.1.0
Develop and maintain a vulnerability management standard
CMA_0152 - Develop and maintain a vulnerability management standard
Manual, Disabled
1.1.0
Develop and maintain baseline configurations
CMA_0153 - Develop and maintain baseline configurations
Manual, Disabled
1.1.0
Develop configuration item identification plan
CMA_C1231 - Develop configuration item identification plan
Manual, Disabled
1.1.0
Develop configuration management plan
CMA_C1232 - Develop configuration management plan
Manual, Disabled
1.1.0
Enforce security configuration settings
CMA_0249 - Enforce security configuration settings
Manual, Disabled
1.1.0
Establish a configuration control board
CMA_0254 - Establish a configuration control board
Manual, Disabled
1.1.0
Establish a risk management strategy
CMA_0258 - Establish a risk management strategy
Manual, Disabled
1.1.0
Establish and document a configuration management plan
CMA_0264 - Establish and document a configuration management plan
Manual, Disabled
1.1.0
Establish and document change control processes
CMA_0265 - Establish and document change control processes
Manual, Disabled
1.1.0
Establish configuration management requirements for developers
CMA_0270 - Establish configuration management requirements for developers
Manual, Disabled
1.1.0
Implement an automated configuration management tool
CMA_0311 - Implement an automated configuration management tool
Manual, Disabled
1.1.0
Perform a privacy impact assessment
CMA_0387 - Perform a privacy impact assessment
Manual, Disabled
1.1.0
Perform a risk assessment
CMA_0388 - Perform a risk assessment
Manual, Disabled
1.1.0
Perform audit for configuration change control
CMA_0390 - Perform audit for configuration change control
Manual, Disabled
1.1.0
Review changes for any unauthorized changes
CMA_C1204 - Review changes for any unauthorized changes
Manual, Disabled
1.1.0
0822.09m2Organizational.4-09.m 09.06 Network Security Management
ID : 0822.09m2Organizational.4-09.m
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Authorize, monitor, and control voip | CMA_0025 - Authorize, monitor, and control voip | Manual, Disabled | 1.1.0 |
| Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
| Employ flow control mechanisms of encrypted information | CMA_0211 - Employ flow control mechanisms of encrypted information | Manual, Disabled | 1.1.0 |
| Implement managed interface for each external service | CMA_C1626 - Implement managed interface for each external service | Manual, Disabled | 1.1.0 |
| Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
| Route traffic through authenticated proxy network | CMA_C1633 - Route traffic through authenticated proxy network | Manual, Disabled | 1.1.0 |
| Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
0824.09m3Organizational.1-09.m 09.06 Network Security Management
ID : 0824.09m3Organizational.1-09.m
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Conduct Risk Assessment | CMA_C1543 - Conduct Risk Assessment | Manual, Disabled | 1.1.0 |
| Conduct risk assessment and distribute its results | CMA_C1544 - Conduct risk assessment and distribute its results | Manual, Disabled | 1.1.0 |
| Conduct risk assessment and document its results | CMA_C1542 - Conduct risk assessment and document its results | Manual, Disabled | 1.1.0 |
| Configure detection whitelist | CMA_0068 - Configure detection whitelist | Manual, Disabled | 1.1.0 |
| Establish an alternate processing site | CMA_0262 - Establish an alternate processing site | Manual, Disabled | 1.1.0 |
| Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
| Plan for resumption of essential business functions | CMA_C1253 - Plan for resumption of essential business functions | Manual, Disabled | 1.1.0 |
| Separately store backup information | CMA_C1293 - Separately store backup information | Manual, Disabled | 1.1.0 |
| Turn on sensors for endpoint security solution | CMA_0514 - Turn on sensors for endpoint security solution | Manual, Disabled | 1.1.0 |
| Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
0825.09m3Organizational.23-09.m 09.06 Network Security Management
ID : 0825.09m3Organizational.23-09.m
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Authorize, monitor, and control voip | CMA_0025 - Authorize, monitor, and control voip | Manual, Disabled | 1.1.0 |
| Detect network services that have not been authorized or approved | CMA_C1700 - Detect network services that have not been authorized or approved | Manual, Disabled | 1.1.0 |
| Document wireless access security controls | CMA_C1695 - Document wireless access security controls | Manual, Disabled | 1.1.0 |
| Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
| Obtain legal opinion for monitoring system activities | CMA_C1688 - Obtain legal opinion for monitoring system activities | Manual, Disabled | 1.1.0 |
| Provide monitoring information as needed | CMA_C1689 - Provide monitoring information as needed | Manual, Disabled | 1.1.0 |
| Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
0826.09m3Organizational.45-09.m 09.06 Network Security Management
ID : 0826.09m3Organizational.45-09.m
Ownership : Shared
0828.09m3Organizational.8-09.m 09.06 Network Security Management
ID : 0828.09m3Organizational.8-09.m
Ownership : Shared
0829.09m3Organizational.911-09.m 09.06 Network Security Management
ID : 0829.09m3Organizational.911-09.m
Ownership : Shared
0830.09m3Organizational.1012-09.m 09.06 Network Security Management
ID : 0830.09m3Organizational.1012-09.m
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
| Authorize, monitor, and control voip | CMA_0025 - Authorize, monitor, and control voip | Manual, Disabled | 1.1.0 |
| Enforce user uniqueness | CMA_0250 - Enforce user uniqueness | Manual, Disabled | 1.1.0 |
| Implement managed interface for each external service | CMA_C1626 - Implement managed interface for each external service | Manual, Disabled | 1.1.0 |
| Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
| Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
| Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
| Support personal verification credentials issued by legal authorities | CMA_0507 - Support personal verification credentials issued by legal authorities | Manual, Disabled | 1.1.0 |
0832.09m3Organizational.14-09.m 09.06 Network Security Management
ID : 0832.09m3Organizational.14-09.m
Ownership : Shared
0835.09n1Organizational.1-09.n 09.06 Network Security Management
ID : 0835.09n1Organizational.1-09.n
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Preview]: Network traffic data collection agent should be installed on Windows virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview |
| Configure detection whitelist | CMA_0068 - Configure detection whitelist | Manual, Disabled | 1.1.0 |
| Require interconnection security agreements | CMA_C1151 - Require interconnection security agreements | Manual, Disabled | 1.1.0 |
| Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
| Turn on sensors for endpoint security solution | CMA_0514 - Turn on sensors for endpoint security solution | Manual, Disabled | 1.1.0 |
| Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
| Virtual machines should be migrated to new Azure Resource Manager resources | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. | Audit, Deny, Disabled | 1.0.0 |
0836.09.n2Organizational.1-09.n 09.06 Network Security Management
ID : 0836.09.n2Organizational.1-09.n
Ownership : Shared
0837.09.n2Organizational.2-09.n 09.06 Network Security Management
ID : 0837.09.n2Organizational.2-09.n
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Define and document government oversight | CMA_C1587 - Define and document government oversight | Manual, Disabled | 1.1.0 |
| Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
| Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
| Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
| Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
| Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
| Ensure external providers consistently meet interests of the customers | CMA_C1592 - Ensure external providers consistently meet interests of the customers | Manual, Disabled | 1.1.0 |
| Identify external service providers | CMA_C1591 - Identify external service providers | Manual, Disabled | 1.1.0 |
| Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | AuditIfNotExists, Disabled | 3.0.0 |
| Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0 |
| Require interconnection security agreements | CMA_C1151 - Require interconnection security agreements | Manual, Disabled | 1.1.0 |
| Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Manual, Disabled | 1.1.0 |
| Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
| Update interconnection security agreements | CMA_0519 - Update interconnection security agreements | Manual, Disabled | 1.1.0 |
0850.01o1Organizational.12-01.o 01.04 Network Access Control
ID : 0850.01o1Organizational.12-01.o
Ownership : Shared
0858.09m1Organizational.4-09.m 09.06 Network Security Management
ID : 0858.09m1Organizational.4-09.m
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| All network ports should be restricted on network security groups associated to your virtual machine | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | AuditIfNotExists, Disabled | 3.0.0 |
| Document and implement wireless access guidelines | CMA_0190 - Document and implement wireless access guidelines | Manual, Disabled | 1.1.0 |
| Document wireless access security controls | CMA_C1695 - Document wireless access security controls | Manual, Disabled | 1.1.0 |
| Identify and authenticate network devices | CMA_0296 - Identify and authenticate network devices | Manual, Disabled | 1.1.0 |
| Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 3.0.0 |
| Protect wireless access | CMA_0411 - Protect wireless access | Manual, Disabled | 1.1.0 |
| Windows machines should meet requirements for 'Windows Firewall Properties' | Windows machines should have the specified Group Policy settings in the category 'Windows Firewall Properties' for firewall state, connections, rule management, and notifications. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
0859.09m1Organizational.78-09.m 09.06 Network Security Management
ID : 0859.09m1Organizational.78-09.m
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
| Define access authorizations to support separation of duties | CMA_0116 - Define access authorizations to support separation of duties | Manual, Disabled | 1.1.0 |
| Document separation of duties | CMA_0204 - Document separation of duties | Manual, Disabled | 1.1.0 |
| Employ flow control mechanisms of encrypted information | CMA_0211 - Employ flow control mechanisms of encrypted information | Manual, Disabled | 1.1.0 |
| Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
| Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
| Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
| Information flow control using security policy filters | CMA_C1029 - Information flow control using security policy filters | Manual, Disabled | 1.1.0 |
| Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
| Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
| Review and update system and communications protection policies and procedures | CMA_C1616 - Review and update system and communications protection policies and procedures | Manual, Disabled | 1.1.0 |
| Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
| Separate duties of individuals | CMA_0492 - Separate duties of individuals | Manual, Disabled | 1.1.0 |
0860.09m1Organizational.9-09.m 09.06 Network Security Management
ID : 0860.09m1Organizational.9-09.m
Ownership : Shared
0861.09m2Organizational.67-09.m 09.06 Network Security Management
ID : 0861.09m2Organizational.67-09.m
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| App Service apps should use a virtual network service endpoint | Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit https://aka.ms/appservice-vnet-service-endpoint. | AuditIfNotExists, Disabled | 2.0.1 |
| Document and implement wireless access guidelines | CMA_0190 - Document and implement wireless access guidelines | Manual, Disabled | 1.1.0 |
| Document wireless access security controls | CMA_C1695 - Document wireless access security controls | Manual, Disabled | 1.1.0 |
| Identify and authenticate network devices | CMA_0296 - Identify and authenticate network devices | Manual, Disabled | 1.1.0 |
| Identify and authenticate non-organizational users | CMA_C1346 - Identify and authenticate non-organizational users | Manual, Disabled | 1.1.0 |
| Protect wireless access | CMA_0411 - Protect wireless access | Manual, Disabled | 1.1.0 |
| Windows machines should meet requirements for 'Security Options - Network Access' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Access' for including access for anonymous users, local accounts, and remote access to the registry. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
0862.09m2Organizational.8-09.m 09.06 Network Security Management
ID : 0862.09m2Organizational.8-09.m
Ownership : Shared
0863.09m2Organizational.910-09.m 09.06 Network Security Management
ID : 0863.09m2Organizational.910-09.m
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Check for privacy and security compliance before establishing internal connections | CMA_0053 - Check for privacy and security compliance before establishing internal connections | Manual, Disabled | 1.1.0 |
| Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
| Configure actions for noncompliant devices | CMA_0062 - Configure actions for noncompliant devices | Manual, Disabled | 1.1.0 |
| Develop a concept of operations (CONOPS) | CMA_0141 - Develop a concept of operations (CONOPS) | Manual, Disabled | 1.1.0 |
| Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
| Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Manual, Disabled | 1.1.0 |
| Develop and maintain baseline configurations | CMA_0153 - Develop and maintain baseline configurations | Manual, Disabled | 1.1.0 |
| Develop configuration item identification plan | CMA_C1231 - Develop configuration item identification plan | Manual, Disabled | 1.1.0 |
| Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Manual, Disabled | 1.1.0 |
| Develop SSP that meets criteria | CMA_C1492 - Develop SSP that meets criteria | Manual, Disabled | 1.1.0 |
| Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
| Establish a configuration control board | CMA_0254 - Establish a configuration control board | Manual, Disabled | 1.1.0 |
| Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
| Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
| Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
| Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
| Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
| Event Hub should use a virtual network service endpoint | This policy audits any Event Hub not configured to use a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.0 |
| Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Manual, Disabled | 1.1.0 |
| Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
| Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
| Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
| Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
| Review and update the information security architecture | CMA_C1504 - Review and update the information security architecture | Manual, Disabled | 1.1.0 |
0864.09m2Organizational.12-09.m 09.06 Network Security Management
ID : 0864.09m2Organizational.12-09.m
Ownership : Shared
0865.09m2Organizational.13-09.m 09.06 Network Security Management
ID : 0865.09m2Organizational.13-09.m
Ownership : Shared
0866.09m3Organizational.1516-09.m 09.06 Network Security Management
ID : 0866.09m3Organizational.1516-09.m
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Authorize, monitor, and control voip | CMA_0025 - Authorize, monitor, and control voip | Manual, Disabled | 1.1.0 |
| Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
| Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Manual, Disabled | 1.1.0 |
| Develop SSP that meets criteria | CMA_C1492 - Develop SSP that meets criteria | Manual, Disabled | 1.1.0 |
| Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
| Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
| Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
| Review and update system and communications protection policies and procedures | CMA_C1616 - Review and update system and communications protection policies and procedures | Manual, Disabled | 1.1.0 |
| Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
| Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
| Storage accounts should restrict network access | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. | Audit, Deny, Disabled | 1.1.1 |
0868.09m3Organizational.18-09.m 09.06 Network Security Management
ID : 0868.09m3Organizational.18-09.m
Ownership : Shared
0869.09m3Organizational.19-09.m 09.06 Network Security Management
ID : 0869.09m3Organizational.19-09.m
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Preview]: Container Registry should use a virtual network service endpoint | This policy audits any Container Registry not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0-preview |
| Configure actions for noncompliant devices | CMA_0062 - Configure actions for noncompliant devices | Manual, Disabled | 1.1.0 |
| Create configuration plan protection | CMA_C1233 - Create configuration plan protection | Manual, Disabled | 1.1.0 |
| Develop and maintain baseline configurations | CMA_0153 - Develop and maintain baseline configurations | Manual, Disabled | 1.1.0 |
| Develop configuration item identification plan | CMA_C1231 - Develop configuration item identification plan | Manual, Disabled | 1.1.0 |
| Develop configuration management plan | CMA_C1232 - Develop configuration management plan | Manual, Disabled | 1.1.0 |
| Employ automatic shutdown/restart when violations are detected | CMA_C1715 - Employ automatic shutdown/restart when violations are detected | Manual, Disabled | 1.1.0 |
| Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
| Establish a configuration control board | CMA_0254 - Establish a configuration control board | Manual, Disabled | 1.1.0 |
| Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Manual, Disabled | 1.1.0 |
| Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Manual, Disabled | 1.1.0 |
0870.09m3Organizational.20-09.m 09.06 Network Security Management
ID : 0870.09m3Organizational.20-09.m
Ownership : Shared
0871.09m3Organizational.22-09.m 09.06 Network Security Management
ID : 0871.09m3Organizational.22-09.m
Ownership : Shared
0885.09n2Organizational.3-09.n 09.06 Network Security Management
ID : 0885.09n2Organizational.3-09.n
Ownership : Shared
0886.09n2Organizational.4-09.n 09.06 Network Security Management
ID : 0886.09n2Organizational.4-09.n
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Employ restrictions on external system interconnections | CMA_C1155 - Employ restrictions on external system interconnections | Manual, Disabled | 1.1.0 |
| Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | AuditIfNotExists, Disabled | 3.0.0 |
0887.09n2Organizational.5-09.n 09.06 Network Security Management
ID : 0887.09n2Organizational.5-09.n
Ownership : Shared
0888.09n2Organizational.6-09.n 09.06 Network Security Management
ID : 0888.09n2Organizational.6-09.n
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Define and document government oversight | CMA_C1587 - Define and document government oversight | Manual, Disabled | 1.1.0 |
| Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
| Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
| Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
| Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
| Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
| Ensure external providers consistently meet interests of the customers | CMA_C1592 - Ensure external providers consistently meet interests of the customers | Manual, Disabled | 1.1.0 |
| Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | AuditIfNotExists, Disabled | 3.0.0 |
| Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0 |
| Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Manual, Disabled | 1.1.0 |
| Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
0894.01m2Organizational.7-01.m 01.04 Network Access Control
ID : 0894.01m2Organizational.7-01.m
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Preview]: Container Registry should use a virtual network service endpoint | This policy audits any Container Registry not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0-preview |
| App Service apps should use a virtual network service endpoint | Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit https://aka.ms/appservice-vnet-service-endpoint. | AuditIfNotExists, Disabled | 2.0.1 |
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Cosmos DB should use a virtual network service endpoint | This policy audits any Cosmos DB not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0 |
| Deploy network watcher when virtual networks are created | This policy creates a network watcher resource in regions with virtual networks. You need to ensure existence of a resource group named networkWatcherRG, which will be used to deploy network watcher instances. | DeployIfNotExists | 1.0.0 |
| Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Event Hub should use a virtual network service endpoint | This policy audits any Event Hub not configured to use a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.0 |
| Gateway subnets should not be configured with a network security group | This policy denies if a gateway subnet is configured with a network security group. Assigning a network security group to a gateway subnet will cause the gateway to stop functioning. | deny | 1.0.0 |
| Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc. | AuditIfNotExists, Disabled | 3.0.0 |
| Key Vault should use a virtual network service endpoint | This policy audits any Key Vault not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
| Route traffic through authenticated proxy network | CMA_C1633 - Route traffic through authenticated proxy network | Manual, Disabled | 1.1.0 |
| SQL Server should use a virtual network service endpoint | This policy audits any SQL Server not configured to use a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.0 |
| Storage Accounts should use a virtual network service endpoint | This policy audits any Storage Account not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0 |
| Subnets should be associated with a Network Security Group | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | AuditIfNotExists, Disabled | 3.0.0 |
Virtual machines should be connected to an approved virtual network
This policy audits any virtual machine connected to a virtual network that is not approved.
Audit, Deny, Disabled
1.0.0
ID : 1699.09l1Organizational.10 - 09.l
Ownership : Customer
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Backup should be enabled for Virtual Machines | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost-effective data protection solution for Azure. | AuditIfNotExists, Disabled | 3.0.0 |
Wireless access points are placed in secure areas and shut down when not in use (e.g. nights, weekends).
ID : 0867.09m3Organizational.17 - 09.m
Ownership : Customer
The organization requires the use of encryption between, and the use of electronic signatures by, each of the parties involved in the transaction.
ID : 0946.09y2Organizational.14 - 09.y
Ownership : Customer
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Only secure connections to your Azure Cache for Redis should be enabled | Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking. | Audit, Deny, Disabled | 1.0.0 |
09 Transmission Protection
ID : 0901.09s1Organizational.1-09.s
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| App Service apps should not have CORS configured to allow every resource to access your apps | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. | AuditIfNotExists, Disabled | 2.0.0 |
| Categorize information | CMA_0052 - Categorize information | Manual, Disabled | 1.1.0 |
| Configure actions for noncompliant devices | CMA_0062 - Configure actions for noncompliant devices | Manual, Disabled | 1.1.0 |
| Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
| Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
| Develop and maintain baseline configurations | CMA_0153 - Develop and maintain baseline configurations | Manual, Disabled | 1.1.0 |
| Develop business classification schemes | CMA_0155 - Develop business classification schemes | Manual, Disabled | 1.1.0 |
| Develop organization code of conduct policy | CMA_0159 - Develop organization code of conduct policy | Manual, Disabled | 1.1.0 |
| Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
| Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
| Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
| Ensure security categorization is approved | CMA_C1540 - Ensure security categorization is approved | Manual, Disabled | 1.1.0 |
| Establish a configuration control board | CMA_0254 - Establish a configuration control board | Manual, Disabled | 1.1.0 |
| Establish a data leakage management procedure | CMA_0255 - Establish a data leakage management procedure | Manual, Disabled | 1.1.0 |
| Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Manual, Disabled | 1.1.0 |
| Establish terms and conditions for processing resources | CMA_C1077 - Establish terms and conditions for processing resources | Manual, Disabled | 1.1.0 |
| Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
| Perform information input validation | CMA_C1723 - Perform information input validation | Manual, Disabled | 1.1.0 |
| Prohibit unfair practices | CMA_0396 - Prohibit unfair practices | Manual, Disabled | 1.1.0 |
| Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
| Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
| Protect special information | CMA_0409 - Protect special information | Manual, Disabled | 1.1.0 |
| Review and sign revised rules of behavior | CMA_0465 - Review and sign revised rules of behavior | Manual, Disabled | 1.1.0 |
| Review label activity and analytics | CMA_0474 - Review label activity and analytics | Manual, Disabled | 1.1.0 |
| Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
| Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
| Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
| Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
| Update rules of behavior and access agreements | CMA_0521 - Update rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
| Update rules of behavior and access agreements every 3 years | CMA_0522 - Update rules of behavior and access agreements every 3 years | Manual, Disabled | 1.1.0 |
ID : 0902.09s2Organizational.13-09.s
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0 |
| Authorize remote access to privileged commands | CMA_C1064 - Authorize remote access to privileged commands | Manual, Disabled | 1.1.0 |
| Document mobility training | CMA_0191 - Document mobility training | Manual, Disabled | 1.1.0 |
| Document remote access guidelines | CMA_0196 - Document remote access guidelines | Manual, Disabled | 1.1.0 |
| Establish terms and conditions for accessing resources | CMA_C1076 - Establish terms and conditions for accessing resources | Manual, Disabled | 1.1.0 |
| Establish terms and conditions for processing resources | CMA_C1077 - Establish terms and conditions for processing resources | Manual, Disabled | 1.1.0 |
| Function apps should not have CORS configured to allow every resource to access your apps | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. | AuditIfNotExists, Disabled | 2.0.0 |
| Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Manual, Disabled | 1.1.0 |
| Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
| Notify users of system logon or access | CMA_0382 - Notify users of system logon or access | Manual, Disabled | 1.1.0 |
| Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
| Provide capability to disconnect or disable remote access | CMA_C1066 - Provide capability to disconnect or disable remote access | Manual, Disabled | 1.1.0 |
| Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
| Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
0903.10f1Organizational.1-10.f 10.03 Cryptographic Controls
ID : 0903.10f1Organizational.1-10.f
Ownership : Shared
0904.10f2Organizational.1-10.f 10.03 Cryptographic Controls
ID : 0904.10f2Organizational.1-10.f
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Authenticate to cryptographic module | CMA_0021 - Authenticate to cryptographic module | Manual, Disabled | 1.1.0 |
| Define a physical key management process | CMA_0115 - Define a physical key management process | Manual, Disabled | 1.1.0 |
| Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
| Define organizational requirements for cryptographic key management | CMA_0123 - Define organizational requirements for cryptographic key management | Manual, Disabled | 1.1.0 |
| Determine assertion requirements | CMA_0136 - Determine assertion requirements | Manual, Disabled | 1.1.0 |
| Issue public key certificates | CMA_0347 - Issue public key certificates | Manual, Disabled | 1.1.0 |
| Manage symmetric cryptographic keys | CMA_0367 - Manage symmetric cryptographic keys | Manual, Disabled | 1.1.0 |
| Produce, control and distribute symmetric cryptographic keys | CMA_C1645 - Produce, control and distribute symmetric cryptographic keys | Manual, Disabled | 1.1.0 |
| Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
| Restrict access to private keys | CMA_0445 - Restrict access to private keys | Manual, Disabled | 1.1.0 |
ID : 0912.09s1Organizational.4-09.s
Ownership : Shared
ID : 0913.09s1Organizational.5-09.s
Ownership : Shared
ID : 0914.09s1Organizational.6-09.s
Ownership : Shared
ID : 0915.09s2Organizational.2-09.s
Ownership : Shared
ID : 0916.09s2Organizational.4-09.s
Ownership : Shared
ID : 0926.09v1Organizational.2-09.v
Ownership : Shared
ID : 0927.09v1Organizational.3-09.v
Ownership : Shared
ID : 0928.09v1Organizational.45-09.v
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
| Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
| Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
| Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
| Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
| Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
| Produce, control and distribute asymmetric cryptographic keys | CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys | Manual, Disabled | 1.1.0 |
| Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
| Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0 |
ID : 0929.09v1Organizational.6-09.v
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
| Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
| Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0 |
| Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0 |
| Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0 |
| Implement a fault tolerant name/address service | CMA_0305 - Implement a fault tolerant name/address service | Manual, Disabled | 1.1.0 |
| Produce, control and distribute asymmetric cryptographic keys | CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys | Manual, Disabled | 1.1.0 |
| Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
| Provide secure name and address resolution services | CMA_0416 - Provide secure name and address resolution services | Manual, Disabled | 1.1.0 |
0943.09y1Organizational.1-09.y 09.09 Electronic Commerce Services
ID : 0943.09y1Organizational.1-09.y
Ownership : Shared
0944.09y1Organizational.2-09.y 09.09 Electronic Commerce Services
ID : 0944.09y1Organizational.2-09.y
Ownership : Shared
0945.09y1Organizational.3-09.y 09.09 Electronic Commerce Services
ID : 0945.09y1Organizational.3-09.y
Ownership : Shared
0947.09y2Organizational.2-09.y 09.09 Electronic Commerce Services
ID : 0947.09y2Organizational.2-09.y
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Create separate alternate and primary storage sites | CMA_C1269 - Create separate alternate and primary storage sites | Manual, Disabled | 1.1.0 |
| Employ a media sanitization mechanism | CMA_0208 - Employ a media sanitization mechanism | Manual, Disabled | 1.1.0 |
| Enforce SSL connection should be enabled for PostgreSQL database servers | Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
| Ensure alternate storage site safeguards are equivalent to primary site | CMA_C1268 - Ensure alternate storage site safeguards are equivalent to primary site | Manual, Disabled | 1.1.0 |
| Establish a data leakage management procedure | CMA_0255 - Establish a data leakage management procedure | Manual, Disabled | 1.1.0 |
| Establish alternate storage site to store and retrieve backup information | CMA_C1267 - Establish alternate storage site to store and retrieve backup information | Manual, Disabled | 1.1.0 |
| Govern and monitor audit processing activities | CMA_0289 - Govern and monitor audit processing activities | Manual, Disabled | 1.1.0 |
| Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Manual, Disabled | 1.1.0 |
| Protect special information | CMA_0409 - Protect special information | Manual, Disabled | 1.1.0 |
| Restrict location of information processing, storage and services | CMA_C1593 - Restrict location of information processing, storage and services | Manual, Disabled | 1.1.0 |
| Transfer backup information to an alternate storage site | CMA_C1294 - Transfer backup information to an alternate storage site | Manual, Disabled | 1.1.0 |
0948.09y2Organizational.3-09.y 09.09 Electronic Commerce Services
ID : 0948.09y2Organizational.3-09.y
Ownership : Shared
0949.09y2Organizational.5-09.y 09.09 Electronic Commerce Services
ID : 0949.09y2Organizational.5-09.y
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| App Service apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 4.0.0 |
| App Service apps should use the latest TLS version | Periodically, newer versions of TLS are released to address security flaws, add functionality, and improve speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionality of the latest version. | AuditIfNotExists, Disabled | 2.1.0 |
| Function apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 5.0.0 |
| Function apps should use the latest TLS version | Periodically, newer versions of TLS are released to address security flaws, add functionality, and improve speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionality of the latest version. | AuditIfNotExists, Disabled | 2.1.0 |
| Identify external service providers | CMA_C1591 - Identify external service providers | Manual, Disabled | 1.1.0 |
| Require developer to identify SDLC ports, protocols, and services | CMA_C1578 - Require developer to identify SDLC ports, protocols, and services | Manual, Disabled | 1.1.0 |
ID : 0960.09sCSPOrganizational.1-09.s
Ownership : Shared
099.09m2Organizational.11-09.m 09.06 Network Security Management
ID : 099.09m2Organizational.11-09.m
Ownership : Shared
ID : 1002.01d1System.1-01.d
Ownership : Shared
ID : 1003.01d1System.3-01.d
Ownership : Shared
ID : 1004.01d1System.8913-01.d
Ownership : Shared
ID : 1005.01d1System.1011-01.d
Ownership : Shared
ID : 1006.01d2System.1-01.d
Ownership : Shared
ID : 1007.01d2System.2-01.d
Ownership : Shared
ID : 1008.01d2System.3-01.d
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
| Develop organization code of conduct policy | CMA_0159 - Develop organization code of conduct policy | Manual, Disabled | 1.1.0 |
| Document organizational access agreements | CMA_0192 - Document organizational access agreements | Manual, Disabled | 1.1.0 |
| Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
| Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
| Establish a data leakage management procedure | CMA_0255 - Establish a data leakage management procedure | Manual, Disabled | 1.1.0 |
| Notify users of system logon or access | CMA_0382 - Notify users of system logon or access | Manual, Disabled | 1.1.0 |
| Prohibit unfair practices | CMA_0396 - Prohibit unfair practices | Manual, Disabled | 1.1.0 |
| Protect special information | CMA_0409 - Protect special information | Manual, Disabled | 1.1.0 |
| Require users to sign access agreement | CMA_0440 - Require users to sign access agreement | Manual, Disabled | 1.1.0 |
| Review and sign revised rules of behavior | CMA_0465 - Review and sign revised rules of behavior | Manual, Disabled | 1.1.0 |
| Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
| Update organizational access agreements | CMA_0520 - Update organizational access agreements | Manual, Disabled | 1.1.0 |
| Update rules of behavior and access agreements | CMA_0521 - Update rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
| Update rules of behavior and access agreements every 3 years | CMA_0522 - Update rules of behavior and access agreements every 3 years | Manual, Disabled | 1.1.0 |
ID : 1009.01d2System.4-01.d
Ownership : Shared
ID : 1014.01d1System.12-01.d
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Establish a password policy | CMA_0256 - Establish a password policy | Manual, Disabled | 1.1.0 |
| Establish authenticator types and processes | CMA_0267 - Establish authenticator types and processes | Manual, Disabled | 1.1.0 |
| Establish procedures for initial authenticator distribution | CMA_0276 - Establish procedures for initial authenticator distribution | Manual, Disabled | 1.1.0 |
| Implement parameters for memorized secret verifiers | CMA_0321 - Implement parameters for memorized secret verifiers | Manual, Disabled | 1.1.0 |
| Implement training for protecting authenticators | CMA_0329 - Implement training for protecting authenticators | Manual, Disabled | 1.1.0 |
| Manage authenticator lifetime and reuse | CMA_0355 - Manage authenticator lifetime and reuse | Manual, Disabled | 1.1.0 |
| Manage Authenticators | CMA_C1321 - Manage Authenticators | Manual, Disabled | 1.1.0 |
| Refresh authenticators | CMA_0425 - Refresh authenticators | Manual, Disabled | 1.1.0 |
| Reissue authenticators for changed groups and accounts | CMA_0426 - Reissue authenticators for changed groups and accounts | Manual, Disabled | 1.1.0 |
| Verify identity before distributing authenticators | CMA_0538 - Verify identity before distributing authenticators | Manual, Disabled | 1.1.0 |
ID : 1015.01d1System.14-01.d
Ownership : Shared
ID : 1022.01d1System.15-01.d
Ownership : Shared
ID : 1031.01d1System.34510-01.d
Ownership : Shared
ID : 1106.01b1System.1-01.b
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assign account managers | CMA_0015 - Assign account managers | Manual, Disabled | 1.1.0 |
| Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
| Define information system account types | CMA_0121 - Define information system account types | Manual, Disabled | 1.1.0 |
| Document access privileges | CMA_0186 - Document access privileges | Manual, Disabled | 1.1.0 |
| Establish conditions for role membership | CMA_0269 - Establish conditions for role membership | Manual, Disabled | 1.1.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
| Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
| Review user accounts | CMA_0480 - Review user accounts | Manual, Disabled | 1.1.0 |
| Verify identity before distributing authenticators | CMA_0538 - Verify identity before distributing authenticators | Manual, Disabled | 1.1.0 |
ID : 1107.01b1System.2-01.b
Ownership : Shared
ID : 1108.01b1System.3-01.b
Ownership : Shared
ID : 1109.01b1System.479-01.b
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Conduct exit interview upon termination | CMA_0058 - Conduct exit interview upon termination | Manual, Disabled | 1.1.0 |
| Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
| Develop organization code of conduct policy | CMA_0159 - Develop organization code of conduct policy | Manual, Disabled | 1.1.0 |
| Disable authenticators upon termination | CMA_0169 - Disable authenticators upon termination | Manual, Disabled | 1.1.0 |
| Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
| Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
| Initiate transfer or reassignment actions | CMA_0333 - Initiate transfer or reassignment actions | Manual, Disabled | 1.1.0 |
| Manage Authenticators | CMA_C1321 - Manage Authenticators | Manual, Disabled | 1.1.0 |
| Modify access authorizations upon personnel transfer | CMA_0374 - Modify access authorizations upon personnel transfer | Manual, Disabled | 1.1.0 |
| Notify upon termination or transfer | CMA_0381 - Notify upon termination or transfer | Manual, Disabled | 1.1.0 |
| Prohibit unfair practices | CMA_0396 - Prohibit unfair practices | Manual, Disabled | 1.1.0 |
| Protect against and prevent data theft from departing employees | CMA_0398 - Protect against and prevent data theft from departing employees | Manual, Disabled | 1.1.0 |
| Provide periodic security awareness training | CMA_C1091 - Provide periodic security awareness training | Manual, Disabled | 1.1.0 |
| Provide security awareness training for insider threats | CMA_0417 - Provide security awareness training for insider threats | Manual, Disabled | 1.1.0 |
| Provide security training for new users | CMA_0419 - Provide security training for new users | Manual, Disabled | 1.1.0 |
| Provide updated security awareness training | CMA_C1090 - Provide updated security awareness training | Manual, Disabled | 1.1.0 |
| Reevaluate access upon personnel transfer | CMA_0424 - Reevaluate access upon personnel transfer | Manual, Disabled | 1.1.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Retain terminated user data | CMA_0455 - Retain terminated user data | Manual, Disabled | 1.1.0 |
| Review and sign revised rules of behavior | CMA_0465 - Review and sign revised rules of behavior | Manual, Disabled | 1.1.0 |
| Revoke privileged roles as appropriate | CMA_0483 - Revoke privileged roles as appropriate | Manual, Disabled | 1.1.0 |
| Update rules of behavior and access agreements | CMA_0521 - Update rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
| Update rules of behavior and access agreements every 3 years | CMA_0522 - Update rules of behavior and access agreements every 3 years | Manual, Disabled | 1.1.0 |
| Verify identity before distributing authenticators | CMA_0538 - Verify identity before distributing authenticators | Manual, Disabled | 1.1.0 |
ID : 1110.01b1System.5-01.b
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Define and enforce conditions for shared and group accounts | CMA_0117 - Define and enforce conditions for shared and group accounts | Manual, Disabled | 1.1.0 |
| Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
| Develop organization code of conduct policy | CMA_0159 - Develop organization code of conduct policy | Manual, Disabled | 1.1.0 |
| Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
| Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
| Prohibit unfair practices | CMA_0396 - Prohibit unfair practices | Manual, Disabled | 1.1.0 |
| Reissue authenticators for changed groups and accounts | CMA_0426 - Reissue authenticators for changed groups and accounts | Manual, Disabled | 1.1.0 |
| Review and sign revised rules of behavior | CMA_0465 - Review and sign revised rules of behavior | Manual, Disabled | 1.1.0 |
| Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
| Update rules of behavior and access agreements | CMA_0521 - Update rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
| Update rules of behavior and access agreements every 3 years | CMA_0522 - Update rules of behavior and access agreements every 3 years | Manual, Disabled | 1.1.0 |
11109.01q1Organizational.57-01.q 01.05 Operating System Access Control
ID : 11109.01q1Organizational.57-01.q
Ownership : Shared
ID : 1111.01b2System.1-01.b
Ownership : Shared
11111.01q2System.4-01.q 01.05 Operating System Access Control
ID : 11111.01q2System.4-01.q
Ownership : Shared
11112.01q2Organizational.67-01.q 01.05 Operating System Access Control
ID : 11112.01q2Organizational.67-01.q
Ownership : Shared
ID : 1112.01b2System.2-01.b
Ownership : Shared
11126.01t1Organizational.12-01.t 01.05 Operating System Access Control
ID : 11126.01t1Organizational.12-01.t
Ownership : Shared
1114.01h1Organizational.123-01.h 01.03 User Responsibilities
ID : 1114.01h1Organizational.123-01.h
Ownership : Shared
11154.02i1Organizational.5-02.i 02.04 Termination or Change of Employment
ID : 11154.02i1Organizational.5-02.i
Ownership : Shared
11155.02i2Organizational.2-02.i 02.04 Termination or Change of Employment
ID : 11155.02i2Organizational.2-02.i
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Automate account management | CMA_0026 - Automate account management | Manual, Disabled | 1.1.0 |
| Conduct exit interview upon termination | CMA_0058 - Conduct exit interview upon termination | Manual, Disabled | 1.1.0 |
| Disable authenticators upon termination | CMA_0169 - Disable authenticators upon termination | Manual, Disabled | 1.1.0 |
| Manage system and admin accounts | CMA_0368 - Manage system and admin accounts | Manual, Disabled | 1.1.0 |
| Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
| Notify Account Managers of customer controlled accounts | CMA_C1009 - Notify Account Managers of customer controlled accounts | Manual, Disabled | 1.1.0 |
| Notify upon termination or transfer | CMA_0381 - Notify upon termination or transfer | Manual, Disabled | 1.1.0 |
| Notify when account is not needed | CMA_0383 - Notify when account is not needed | Manual, Disabled | 1.1.0 |
| Protect against and prevent data theft from departing employees | CMA_0398 - Protect against and prevent data theft from departing employees | Manual, Disabled | 1.1.0 |
| Retain terminated user data | CMA_0455 - Retain terminated user data | Manual, Disabled | 1.1.0 |
1116.01j1Organizational.145-01.j 01.04 Network Access Control
ID : 1116.01j1Organizational.145-01.j
Ownership : Shared
1118.01j2Organizational.124-01.j 01.04 Network Access Control
ID : 1118.01j2Organizational.124-01.j
Ownership : Shared
ID : 11180.01c3System.6-01.c
Ownership : Shared
1119.01j2Organizational.3-01.j 01.04 Network Access Control
ID : 1119.01j2Organizational.3-01.j
Ownership : Shared
11190.01t1Organizational.3-01.t 01.05 Operating System Access Control
ID : 11190.01t1Organizational.3-01.t
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
| Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
| Identify and authenticate network devices | CMA_0296 - Identify and authenticate network devices | Manual, Disabled | 1.1.0 |
| Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
| Manage the input, output, processing, and storage of data | CMA_0369 - Manage the input, output, processing, and storage of data | Manual, Disabled | 1.1.0 |
1120.09ab3System.9-09.ab 09.10 Monitoring
ID : 1120.09ab3System.9-09.ab
Ownership : Shared
1121.01j3Organizational.2-01.j 01.04 Network Access Control
ID : 1121.01j3Organizational.2-01.j
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
| Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0 |
| Document mobility training | CMA_0191 - Document mobility training | Manual, Disabled | 1.1.0 |
| Document remote access guidelines | CMA_0196 - Document remote access guidelines | Manual, Disabled | 1.1.0 |
| Enforce user uniqueness | CMA_0250 - Enforce user uniqueness | Manual, Disabled | 1.1.0 |
| Identify and authenticate network devices | CMA_0296 - Identify and authenticate network devices | Manual, Disabled | 1.1.0 |
| Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Manual, Disabled | 1.1.0 |
| Notify users of system logon or access | CMA_0382 - Notify users of system logon or access | Manual, Disabled | 1.1.0 |
| Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
| Support personal verification credentials issued by legal authorities | CMA_0507 - Support personal verification credentials issued by legal authorities | Manual, Disabled | 1.1.0 |
ID : 11219.01b1Organizational.10-01.b
Ownership : Shared

1122.01q1System.1-01.q 01.05 Operating System Access Control
ID : 1122.01q1System.1-01.q
Ownership : Shared

ID : 11220.01b1System.10-01.b
Ownership : Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Assign account managers | CMA_0015 - Assign account managers | Manual, Disabled | 1.1.0 |
| Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
| Conduct exit interview upon termination | CMA_0058 - Conduct exit interview upon termination | Manual, Disabled | 1.1.0 |
| Define and enforce conditions for shared and group accounts | CMA_0117 - Define and enforce conditions for shared and group accounts | Manual, Disabled | 1.1.0 |
| Define information system account types | CMA_0121 - Define information system account types | Manual, Disabled | 1.1.0 |
| Disable authenticators upon termination | CMA_0169 - Disable authenticators upon termination | Manual, Disabled | 1.1.0 |
| Document access privileges | CMA_0186 - Document access privileges | Manual, Disabled | 1.1.0 |
| Establish conditions for role membership | CMA_0269 - Establish conditions for role membership | Manual, Disabled | 1.1.0 |
| Initiate transfer or reassignment actions | CMA_0333 - Initiate transfer or reassignment actions | Manual, Disabled | 1.1.0 |
| Manage Authenticators | CMA_C1321 - Manage Authenticators | Manual, Disabled | 1.1.0 |
| Modify access authorizations upon personnel transfer | CMA_0374 - Modify access authorizations upon personnel transfer | Manual, Disabled | 1.1.0 |
| Monitor account activity | CMA_0377 - Monitor account activity | Manual, Disabled | 1.1.0 |
| Notify Account Managers of customer controlled accounts | CMA_C1009 - Notify Account Managers of customer controlled accounts | Manual, Disabled | 1.1.0 |
| Notify upon termination or transfer | CMA_0381 - Notify upon termination or transfer | Manual, Disabled | 1.1.0 |
| Protect against and prevent data theft from departing employees | CMA_0398 - Protect against and prevent data theft from departing employees | Manual, Disabled | 1.1.0 |
| Provide periodic security awareness training | CMA_C1091 - Provide periodic security awareness training | Manual, Disabled | 1.1.0 |
| Provide security training for new users | CMA_0419 - Provide security training for new users | Manual, Disabled | 1.1.0 |
| Provide updated security awareness training | CMA_C1090 - Provide updated security awareness training | Manual, Disabled | 1.1.0 |
| Reevaluate access upon personnel transfer | CMA_0424 - Reevaluate access upon personnel transfer | Manual, Disabled | 1.1.0 |
| Reissue authenticators for changed groups and accounts | CMA_0426 - Reissue authenticators for changed groups and accounts | Manual, Disabled | 1.1.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
| Retain terminated user data | CMA_0455 - Retain terminated user data | Manual, Disabled | 1.1.0 |
| Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
| Review user accounts | CMA_0480 - Review user accounts | Manual, Disabled | 1.1.0 |
| Revoke privileged roles as appropriate | CMA_0483 - Revoke privileged roles as appropriate | Manual, Disabled | 1.1.0 |
1123.01q1System.2-01.q 01.05 Operating System Access Control
ID : 1123.01q1System.2-01.q
Ownership : Shared

1124.01q1System.34-01.q 01.05 Operating System Access Control
ID : 1124.01q1System.34-01.q
Ownership : Shared

1125.01q2System.1-01.q 01.05 Operating System Access Control
ID : 1125.01q2System.1-01.q
Ownership : Shared

1127.01q2System.3-01.q 01.05 Operating System Access Control
ID : 1127.01q2System.3-01.q
Ownership : Shared

1128.01q2System.5-01.q 01.05 Operating System Access Control
ID : 1128.01q2System.5-01.q
Ownership : Shared

ID : 1129.01v1System.12-01.v
Ownership : Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Define information system account types | CMA_0121 - Define information system account types | Manual, Disabled | 1.1.0 |
| Design an access control model | CMA_0129 - Design an access control model | Manual, Disabled | 1.1.0 |
| Employ least privilege access | CMA_0212 - Employ least privilege access | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Monitor account activity | CMA_0377 - Monitor account activity | Manual, Disabled | 1.1.0 |
| Monitor privileged role assignment | CMA_0378 - Monitor privileged role assignment | Manual, Disabled | 1.1.0 |
| Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
| Revoke privileged roles as appropriate | CMA_0483 - Revoke privileged roles as appropriate | Manual, Disabled | 1.1.0 |
| Use privileged identity management | CMA_0533 - Use privileged identity management | Manual, Disabled | 1.1.0 |
ID : 1130.01v2System.1-01.v
Ownership : Shared

ID : 1131.01v2System.2-01.v
Ownership : Shared

ID : 1132.01v2System.3-01.v
Ownership : Shared

ID : 1133.01v2System.4-01.v
Ownership : Shared

ID : 1134.01v3System.1-01.v
Ownership : Shared

1135.02i1Organizational.1234-02.i 02.04 Termination or Change of Employment
ID : 1135.02i1Organizational.1234-02.i
Ownership : Shared

1136.02i2Organizational.1-02.i 02.04 Termination or Change of Employment
ID : 1136.02i2Organizational.1-02.i
Ownership : Shared

1137.06e1Organizational.1-06.e 06.01 Compliance with Legal Requirements
ID : 1137.06e1Organizational.1-06.e
Ownership : Shared

ID : 1139.01b1System.68-01.b
Ownership : Shared

ID : 1143.01c1System.123-01.c
Ownership : Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Design an access control model | CMA_0129 - Design an access control model | Manual, Disabled | 1.1.0 |
| Employ least privilege access | CMA_0212 - Employ least privilege access | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Management ports should be closed on your virtual machines | Open remote management ports expose your VM to a high level of risk from Internet-based attacks, which attempt to brute-force credentials to gain admin access to the machine. | AuditIfNotExists, Disabled | 3.0.0 |
| Monitor account activity | CMA_0377 - Monitor account activity | Manual, Disabled | 1.1.0 |
| Notify Account Managers of customer controlled accounts | CMA_C1009 - Notify Account Managers of customer controlled accounts | Manual, Disabled | 1.1.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
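The "Management ports should be closed on your virtual machines" entry above only audits; it does not show what "open to the Internet" means once NSG rule precedence is taken into account. The following is an added example, not code from this page or from the Azure Policy definition: an offline evaluator that walks a network security group's inbound rules in priority order (first match wins, default rules behind the custom ones) and reports which management ports (22, 3389) an Internet host could reach. The NSG document is constructed for the example in the shape of an ARM networkSecurityGroups resource, and the probe address 203.0.113.10 (TEST-NET-3) stands in for an arbitrary Internet source; both are assumptions of this example, as is treating a rule as a match only when its protocol, destination port and source prefix all cover the probe.

```python
"""Offline check: does an NSG let Internet traffic reach SSH (22) or RDP (3389)?

Added example, not the policy definition. NSG semantics modelled here: inbound
rules are evaluated in ascending priority, the first rule matching the probe
decides (Deny shadows any later Allow), default rules sit at 65000+.
"""
from __future__ import annotations

import ipaddress
import json
from dataclasses import dataclass

MANAGEMENT_PORTS = (22, 3389)


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    direction: str
    access: str
    protocol: str
    sources: tuple[str, ...]
    dest_ports: tuple[str, ...]


def parse_rules(nsg: dict) -> list[Rule]:
    """Flatten custom + default rules from an ARM NSG document, sorted by priority."""
    props = nsg["properties"]
    raw = props.get("securityRules", []) + props.get("defaultSecurityRules", [])
    rules = []
    for r in raw:
        p = r["properties"]
        # A rule carries either the singular prefix/range or the plural list form.
        sources = tuple(p.get("sourceAddressPrefixes") or [p.get("sourceAddressPrefix", "*")])
        ports = tuple(p.get("destinationPortRanges") or [p.get("destinationPortRange", "*")])
        rules.append(Rule(r["name"], int(p["priority"]), p["direction"], p["access"],
                          p["protocol"], sources, ports))
    return sorted(rules, key=lambda r: r.priority)


def port_spec_matches(spec: str, port: int) -> bool:
    """Port spec is '*', a single port, or an inclusive range 'lo-hi'."""
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def source_covers(prefix: str, probe_ip: str) -> bool:
    """True if a source prefix (wildcard, service tag or CIDR) includes probe_ip."""
    p = prefix.strip()
    if p.lower() in ("*", "internet"):
        return True
    try:
        return ipaddress.ip_address(probe_ip) in ipaddress.ip_network(p, strict=False)
    except ValueError:
        return False  # other service tags (VirtualNetwork, AzureLoadBalancer, ...) are not the Internet


def exposed_management_ports(nsg: dict, probe_ip: str = "203.0.113.10") -> dict[int, str]:
    """Return {port: allowing_rule_name} for management ports reachable from probe_ip."""
    rules = parse_rules(nsg)
    exposed: dict[int, str] = {}
    for port in MANAGEMENT_PORTS:
        for rule in rules:
            if rule.direction.lower() != "inbound" or rule.protocol.lower() not in ("tcp", "*"):
                continue
            if not any(port_spec_matches(s, port) for s in rule.dest_ports):
                continue
            if not any(source_covers(s, probe_ip) for s in rule.sources):
                continue
            if rule.access.lower() == "allow":
                exposed[port] = rule.name
            break  # first matching rule decides; a Deny here shadows later Allows
    return exposed


def without_rule(nsg: dict, rule_name: str) -> dict:
    """Copy of the NSG with one custom rule removed, to test a remediation offline."""
    copy = json.loads(json.dumps(nsg))
    copy["properties"]["securityRules"] = [
        r for r in copy["properties"]["securityRules"] if r["name"] != rule_name]
    return copy


# Constructed sample (assumption): an RDP deny shadows a later RDP allow; SSH is open to 0.0.0.0/0.
SAMPLE_NSG = json.loads("""
{"name": "nsg-web-01", "properties": {
  "securityRules": [
    {"name": "deny-rdp-internet", "properties": {"priority": 100, "direction": "Inbound", "access": "Deny",
      "protocol": "*", "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"}},
    {"name": "allow-rdp-any", "properties": {"priority": 200, "direction": "Inbound", "access": "Allow",
      "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"}},
    {"name": "allow-mgmt-any", "properties": {"priority": 300, "direction": "Inbound", "access": "Allow",
      "protocol": "Tcp", "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRanges": ["22", "8000-8100"]}},
    {"name": "allow-https", "properties": {"priority": 400, "direction": "Inbound", "access": "Allow",
      "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "443"}}],
  "defaultSecurityRules": [
    {"name": "AllowVnetInBound", "properties": {"priority": 65000, "direction": "Inbound", "access": "Allow",
      "protocol": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"}},
    {"name": "DenyAllInBound", "properties": {"priority": 65500, "direction": "Inbound", "access": "Deny",
      "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"}}]}}
""")

if __name__ == "__main__":
    print("exposed:", exposed_management_ports(SAMPLE_NSG))
    print("after removing allow-mgmt-any:",
          exposed_management_ports(without_rule(SAMPLE_NSG, "allow-mgmt-any")))
```

Two details worth noticing in the sample: RDP is reported closed even though "allow-rdp-any" exists, because the priority-100 deny is matched first, and SSH is reported open through "allow-mgmt-any" because "0.0.0.0/0" is just "Internet" spelled as a CIDR. Port-restricted allow rules from a named corporate CIDR do not match the probe and are therefore not flagged; that is the shape the remediation should take.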
ID : 1144.01c1System.4-01.c
Ownership : Shared

ID : 1145.01c2System.1-01.c
Ownership : Shared

ID : 1146.01c2System.23-01.c
Ownership : Shared

ID : 1147.01c2System.456-01.c
Ownership : Shared

ID : 1148.01c2System.78-01.c
Ownership : Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Audit usage of custom RBAC roles | Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling. | Audit, Disabled | 1.0.1 |
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Design an access control model | CMA_0129 - Design an access control model | Manual, Disabled | 1.1.0 |
| Employ least privilege access | CMA_0212 - Employ least privilege access | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
| Windows machines should meet requirements for 'Security Options - Accounts' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Accounts' for limiting local account use of blank passwords and guest account status. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
ID : 1150.01c2System.10-01.c
Ownership : Shared

ID : 1151.01c3System.1-01.c
Ownership : Shared

ID : 1152.01c3System.2-01.c
Ownership : Shared

ID : 1153.01c3System.35-01.c
Ownership : Shared

ID : 1166.01e1System.12-01.e
Ownership : Shared

ID : 1167.01e2System.1-01.e
Ownership : Shared

ID : 1168.01e2System.2-01.e
Ownership : Shared

1175.01j1Organizational.8-01.j 01.04 Network Access Control
ID : 1175.01j1Organizational.8-01.j
Ownership : Shared

1178.01j2Organizational.7-01.j 01.04 Network Access Control
ID : 1178.01j2Organizational.7-01.j
Ownership : Shared

1179.01j3Organizational.1-01.j 01.04 Network Access Control
ID : 1179.01j3Organizational.1-01.j
Ownership : Shared

1192.01l1Organizational.1-01.l 01.04 Network Access Control
ID : 1192.01l1Organizational.1-01.l
Ownership : Shared

1193.01l2Organizational.13-01.l 01.04 Network Access Control
ID : 1193.01l2Organizational.13-01.l
Ownership : Shared

1194.01l2Organizational.2-01.l 01.04 Network Access Control
ID : 1194.01l2Organizational.2-01.l
Ownership : Shared

1195.01l3Organizational.1-01.l 01.04 Network Access Control
ID : 1195.01l3Organizational.1-01.l
Ownership : Shared

12 Audit Logging & Monitoring

1201.06e1Organizational.2-06.e 06.01 Compliance with Legal Requirements
ID : 1201.06e1Organizational.2-06.e
Ownership : Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
| Develop organization code of conduct policy | CMA_0159 - Develop organization code of conduct policy | Manual, Disabled | 1.1.0 |
| Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
| Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
| Implement privacy notice delivery methods | CMA_0324 - Implement privacy notice delivery methods | Manual, Disabled | 1.1.0 |
| Obtain consent prior to collection or processing of personal data | CMA_0385 - Obtain consent prior to collection or processing of personal data | Manual, Disabled | 1.1.0 |
| Prohibit unfair practices | CMA_0396 - Prohibit unfair practices | Manual, Disabled | 1.1.0 |
| Provide privacy notice | CMA_0414 - Provide privacy notice | Manual, Disabled | 1.1.0 |
| Review and sign revised rules of behavior | CMA_0465 - Review and sign revised rules of behavior | Manual, Disabled | 1.1.0 |
| Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
| Update rules of behavior and access agreements | CMA_0521 - Update rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
| Update rules of behavior and access agreements every 3 years | CMA_0522 - Update rules of behavior and access agreements every 3 years | Manual, Disabled | 1.1.0 |
1202.09aa1System.1-09.aa 09.10 Monitoring
ID : 1202.09aa1System.1-09.aa
Ownership : Shared

1203.09aa1System.2-09.aa 09.10 Monitoring
ID : 1203.09aa1System.2-09.aa
Ownership : Shared

1204.09aa1System.3-09.aa 09.10 Monitoring
ID : 1204.09aa1System.3-09.aa
Ownership : Shared

1205.09aa2System.1-09.aa 09.10 Monitoring
ID : 1205.09aa2System.1-09.aa
Ownership : Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Configure Azure Audit capabilities | CMA_C1108 - Configure Azure Audit capabilities | Manual, Disabled | 1.1.1 |
| Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
| Ensure audit records are not altered | CMA_C1125 - Ensure audit records are not altered | Manual, Disabled | 1.1.0 |
| Provide audit review, analysis, and reporting capability | CMA_C1124 - Provide audit review, analysis, and reporting capability | Manual, Disabled | 1.1.0 |
| Provide capability to process customer-controlled audit records | CMA_C1126 - Provide capability to process customer-controlled audit records | Manual, Disabled | 1.1.0 |
| Resource logs in Batch accounts should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
1206.09aa2System.23-09.aa 09.10 Monitoring
ID : 1206.09aa2System.23-09.aa
Ownership : Shared

1207.09aa2System.4-09.aa 09.10 Monitoring
ID : 1207.09aa2System.4-09.aa
Ownership : Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Adhere to retention periods defined | CMA_0004 - Adhere to retention periods defined | Manual, Disabled | 1.1.0 |
| Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
| Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
| Configure Azure Audit capabilities | CMA_C1108 - Configure Azure Audit capabilities | Manual, Disabled | 1.1.1 |
| Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
| Enable dual or joint authorization | CMA_0226 - Enable dual or joint authorization | Manual, Disabled | 1.1.0 |
| Govern and monitor audit processing activities | CMA_0289 - Govern and monitor audit processing activities | Manual, Disabled | 1.1.0 |
| Protect audit information | CMA_0401 - Protect audit information | Manual, Disabled | 1.1.0 |
| Resource logs in Azure Stream Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Event Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Retain security policies and procedures | CMA_0454 - Retain security policies and procedures | Manual, Disabled | 1.1.0 |
| Retain terminated user data | CMA_0455 - Retain terminated user data | Manual, Disabled | 1.1.0 |
| Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
1208.09aa3System.1-09.aa 09.10 Monitoring
ID : 1208.09aa3System.1-09.aa
Ownership : Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
| Automate account management | CMA_0026 - Automate account management | Manual, Disabled | 1.1.0 |
| Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
| Configure Azure Audit capabilities | CMA_C1108 - Configure Azure Audit capabilities | Manual, Disabled | 1.1.1 |
| Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
| Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Manual, Disabled | 1.1.0 |
| Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
| Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
| Manage system and admin accounts | CMA_0368 - Manage system and admin accounts | Manual, Disabled | 1.1.0 |
| Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
| Notify when account is not needed | CMA_0383 - Notify when account is not needed | Manual, Disabled | 1.1.0 |
| Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
| Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
| Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
| Resource logs in Search services should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Service Bus should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Verify software, firmware and information integrity | CMA_0542 - Verify software, firmware and information integrity | Manual, Disabled | 1.1.0 |
1209.09aa3System.2-09.aa 09.10 Monitoring
ID : 1209.09aa3System.2-09.aa
Ownership : Shared

1210.09aa3System.3-09.aa 09.10 Monitoring
ID : 1210.09aa3System.3-09.aa
Ownership : Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Adhere to retention periods defined | CMA_0004 - Adhere to retention periods defined | Manual, Disabled | 1.1.0 |
| Audit diagnostic setting for selected resource types | Audit diagnostic setting for selected resource types. Be sure to select only resource types which support diagnostics settings. | AuditIfNotExists | 2.0.1 |
| Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
| Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
| Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
| Resource logs in Data Lake Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Retain security policies and procedures | CMA_0454 - Retain security policies and procedures | Manual, Disabled | 1.1.0 |
| Retain terminated user data | CMA_0455 - Retain terminated user data | Manual, Disabled | 1.1.0 |
| Review and update the events defined in AU-02 | CMA_C1106 - Review and update the events defined in AU-02 | Manual, Disabled | 1.1.0 |
| Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
| Use system clocks for audit records | CMA_0535 - Use system clocks for audit records | Manual, Disabled | 1.1.0 |
12100.09ab2System.15-09.ab 09.10 Monitoring
ID : 12100.09ab2System.15-09.ab
Ownership : Shared

12101.09ab1Organizational.3-09.ab 09.10 Monitoring
ID : 12101.09ab1Organizational.3-09.ab
Ownership : Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Adjust level of audit review, analysis, and reporting | CMA_C1123 - Adjust level of audit review, analysis, and reporting | Manual, Disabled | 1.1.0 |
| Correlate audit records | CMA_0087 - Correlate audit records | Manual, Disabled | 1.1.0 |
| Develop audit and accountability policies and procedures | CMA_0154 - Develop audit and accountability policies and procedures | Manual, Disabled | 1.1.0 |
| Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Manual, Disabled | 1.1.0 |
| Establish requirements for audit review and reporting | CMA_0277 - Establish requirements for audit review and reporting | Manual, Disabled | 1.1.0 |
| Govern policies and procedures | CMA_0292 - Govern policies and procedures | Manual, Disabled | 1.1.0 |
| Integrate audit review, analysis, and reporting | CMA_0339 - Integrate audit review, analysis, and reporting | Manual, Disabled | 1.1.0 |
| Integrate cloud app security with a siem | CMA_0340 - Integrate cloud app security with a siem | Manual, Disabled | 1.1.0 |
| Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
| Review administrator assignments weekly | CMA_0461 - Review administrator assignments weekly | Manual, Disabled | 1.1.0 |
| Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
| Review cloud identity report overview | CMA_0468 - Review cloud identity report overview | Manual, Disabled | 1.1.0 |
| Review controlled folder access events | CMA_0471 - Review controlled folder access events | Manual, Disabled | 1.1.0 |
| Review file and folder activity | CMA_0473 - Review file and folder activity | Manual, Disabled | 1.1.0 |
| Review role group changes weekly | CMA_0476 - Review role group changes weekly | Manual, Disabled | 1.1.0 |
| Specify permitted actions associated with customer audit information | CMA_C1122 - Specify permitted actions associated with customer audit information | Manual, Disabled | 1.1.0 |
| The Log Analytics extension should be installed on Virtual Machine Scale Sets | This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics extension is not installed. | AuditIfNotExists, Disabled | 1.0.1 |
| Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
12102.09ab1Organizational.4-09.ab 09.10 Monitoring
ID : 12102.09ab1Organizational.4-09.ab
Ownership : Shared

12103.09ab1Organizational.5-09.ab 09.10 Monitoring
ID : 12103.09ab1Organizational.5-09.ab
Ownership : Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Correlate audit records | CMA_0087 - Correlate audit records | Manual, Disabled | 1.1.0 |
| Establish requirements for audit review and reporting | CMA_0277 - Establish requirements for audit review and reporting | Manual, Disabled | 1.1.0 |
| Integrate audit review, analysis, and reporting | CMA_0339 - Integrate audit review, analysis, and reporting | Manual, Disabled | 1.1.0 |
| Integrate cloud app security with a siem | CMA_0340 - Integrate cloud app security with a siem | Manual, Disabled | 1.1.0 |
| Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
| Review administrator assignments weekly | CMA_0461 - Review administrator assignments weekly | Manual, Disabled | 1.1.0 |
| Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
| Review cloud identity report overview | CMA_0468 - Review cloud identity report overview | Manual, Disabled | 1.1.0 |
| Review controlled folder access events | CMA_0471 - Review controlled folder access events | Manual, Disabled | 1.1.0 |
| Review file and folder activity | CMA_0473 - Review file and folder activity | Manual, Disabled | 1.1.0 |
| Review role group changes weekly | CMA_0476 - Review role group changes weekly | Manual, Disabled | 1.1.0 |
1211.09aa3System.4-09.aa 09.10 Monitoring
ID : 1211.09aa3System.4-09.aa
Ownership : Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Adhere to retention periods defined | CMA_0004 - Adhere to retention periods defined | Manual, Disabled | 1.1.0 |
| Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | AuditIfNotExists, Disabled | 2.0.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
| Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
| Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
| Perform disposition review | CMA_0391 - Perform disposition review | Manual, Disabled | 1.1.0 |
| Resource logs in Azure Key Vault Managed HSM should be enabled | To recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised, you may want to audit by enabling resource logs on Managed HSMs. Please follow the instructions here: https://docs.microsoft.com/azure/key-vault/managed-hsm/logging. | AuditIfNotExists, Disabled | 1.1.0 |
| Resource logs in Key Vault should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Verify personal data is deleted at the end of processing | CMA_0540 - Verify personal data is deleted at the end of processing | Manual, Disabled | 1.1.0 |
1212.09ab1System.1-09.ab 09.10 Monitoring
ID : 1212.09ab1System.1-09.ab
Ownership : Shared

1213.09ab2System.128-09.ab 09.10 Monitoring
ID : 1213.09ab2System.128-09.ab
Ownership : Shared

1214.09ab2System.3456-09.ab 09.10 Monitoring
ID : 1214.09ab2System.3456-09.ab
Ownership : Shared

1215.09ab2System.7-09.ab 09.10 Monitoring
ID : 1215.09ab2System.7-09.ab
Ownership : Shared

1216.09ab3System.12-09.ab 09.10 Monitoring
ID : 1216.09ab3System.12-09.ab
Ownership : Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Alert personnel of information spillage | CMA_0007 - Alert personnel of information spillage | Manual, Disabled | 1.1.0 |
| Configure Azure Audit capabilities | CMA_C1108 - Configure Azure Audit capabilities | Manual, Disabled | 1.1.1 |
| Correlate audit records | CMA_0087 - Correlate audit records | Manual, Disabled | 1.1.0 |
| Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
| Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
| Document security operations | CMA_0202 - Document security operations | Manual, Disabled | 1.1.0 |
| Establish requirements for audit review and reporting | CMA_0277 - Establish requirements for audit review and reporting | Manual, Disabled | 1.1.0 |
| Integrate audit review, analysis, and reporting | CMA_0339 - Integrate audit review, analysis, and reporting | Manual, Disabled | 1.1.0 |
| Integrate cloud app security with a siem | CMA_0340 - Integrate cloud app security with a siem | Manual, Disabled | 1.1.0 |
| Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
| Review administrator assignments weekly | CMA_0461 - Review administrator assignments weekly | Manual, Disabled | 1.1.0 |
| Review and update the events defined in AU-02 | CMA_C1106 - Review and update the events defined in AU-02 | Manual, Disabled | 1.1.0 |
| Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
| Review cloud identity report overview | CMA_0468 - Review cloud identity report overview | Manual, Disabled | 1.1.0 |
| Review controlled folder access events | CMA_0471 - Review controlled folder access events | Manual, Disabled | 1.1.0 |
| Review file and folder activity | CMA_0473 - Review file and folder activity | Manual, Disabled | 1.1.0 |
| Review role group changes weekly | CMA_0476 - Review role group changes weekly | Manual, Disabled | 1.1.0 |
| Set automated notifications for new and trending cloud applications in your organization | CMA_0495 - Set automated notifications for new and trending cloud applications in your organization | Manual, Disabled | 1.1.0 |
| The Log Analytics extension should be installed on Virtual Machine Scale Sets | This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics extension is not installed. | AuditIfNotExists, Disabled | 1.0.1 |
| Turn on sensors for endpoint security solution | CMA_0514 - Turn on sensors for endpoint security solution | Manual, Disabled | 1.1.0 |
1217.09ab3System.3-09.ab 09.10 Monitoring
ID : 1217.09ab3System.3-09.ab
Ownership : Shared

1218.09ab3System.47-09.ab 09.10 Monitoring
ID : 1218.09ab3System.47-09.ab
Ownership : Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Alert personnel of information spillage | CMA_0007 - Alert personnel of information spillage | Manual, Disabled | 1.1.0 |
| Authorize, monitor, and control voip | CMA_0025 - Authorize, monitor, and control voip | Manual, Disabled | 1.1.0 |
| Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
| Document security operations | CMA_0202 - Document security operations | Manual, Disabled | 1.1.0 |
| Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
| Set automated notifications for new and trending cloud applications in your organization | CMA_0495 - Set automated notifications for new and trending cloud applications in your organization | Manual, Disabled | 1.1.0 |
| Turn on sensors for endpoint security solution | CMA_0514 - Turn on sensors for endpoint security solution | Manual, Disabled | 1.1.0 |
1219.09ab3System.10-09.ab 09.10 Monitoring
ID : 1219.09ab3System.10-09.ab
Ownership : Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' | This policy ensures that a log profile collects logs for categories 'write,' 'delete,' and 'action'. | AuditIfNotExists, Disabled | 1.0.0 |
| Ensure audit records are not altered | CMA_C1125 - Ensure audit records are not altered | Manual, Disabled | 1.1.0 |
| Provide audit review, analysis, and reporting capability | CMA_C1124 - Provide audit review, analysis, and reporting capability | Manual, Disabled | 1.1.0 |
| Provide capability to process customer-controlled audit records | CMA_C1126 - Provide capability to process customer-controlled audit records | Manual, Disabled | 1.1.0 |
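Several entries in this domain are AuditIfNotExists policies ("Resource logs in Batch accounts / Event Hub / Key Vault / ... should be enabled", "Audit diagnostic setting for selected resource types") and the log-profile entry just above checks the activity-log categories. What AuditIfNotExists means in practice is that a resource is compliant only if a related Microsoft.Insights/diagnosticSettings resource exists that meets an existence condition. The following is an added example, not any of those policy definitions: an offline pass over a constructed inventory that applies that semantics, plus a gap check for the subscription log profile. The existence condition used here (at least one log category enabled and a destination such as a Log Analytics workspace configured) and the location rule (every subscription region plus "global") are this example's assumptions, as are the resource IDs and the all-zero subscription ID.

```python
"""Offline audit-log coverage check (added example, not the policy definitions).

AuditIfNotExists semantics: a resource is Compliant if ANY diagnostic setting
attached to it satisfies the existence condition, otherwise NonCompliant.
"""
from __future__ import annotations

# Activity-log categories the log-profile policy above expects (assumption: names as in ARM).
REQUIRED_ACTIVITY_CATEGORIES = frozenset({"Write", "Delete", "Action"})
# Any one of these on a diagnostic setting means the logs actually go somewhere.
DESTINATION_KEYS = ("workspaceId", "storageAccountId", "eventHubAuthorizationRuleId")
SETTINGS_SEGMENT = "/providers/Microsoft.Insights/diagnosticSettings/"


def setting_meets_condition(setting: dict) -> bool:
    """Existence condition (assumption): some log category enabled AND a sink configured."""
    props = setting.get("properties", {})
    has_sink = any(props.get(key) for key in DESTINATION_KEYS)
    has_enabled_log = any(entry.get("enabled") for entry in props.get("logs", []))
    return has_sink and has_enabled_log


def evaluate_resource_logs(resources: list[dict], settings: list[dict]) -> dict[str, str]:
    """Map each resource id to 'Compliant' or 'NonCompliant' under AuditIfNotExists."""
    by_parent: dict[str, list[dict]] = {}
    for setting in settings:
        # Diagnostic settings are extension resources: the parent id is the prefix
        # before the diagnosticSettings segment of their own id.
        parent = setting["id"].split(SETTINGS_SEGMENT)[0]
        by_parent.setdefault(parent, []).append(setting)
    verdict = {}
    for resource in resources:
        attached = by_parent.get(resource["id"], [])
        ok = any(setting_meets_condition(s) for s in attached)
        verdict[resource["id"]] = "Compliant" if ok else "NonCompliant"
    return verdict


def log_profile_gaps(profile: dict, subscription_locations: list[str]) -> dict[str, set[str]]:
    """Activity-log categories and regions the subscription log profile does not collect."""
    props = profile.get("properties", {})
    return {
        "categories": set(REQUIRED_ACTIVITY_CATEGORIES) - set(props.get("categories", [])),
        "locations": (set(subscription_locations) | {"global"}) - set(props.get("locations", [])),
    }


# Constructed inventory (assumption): one covered vault, one namespace whose only
# setting has its log category switched off, one namespace with no setting at all.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
LAW = SUB + "/resourceGroups/rg-sec/providers/Microsoft.OperationalInsights/workspaces/law-sec"
KV = SUB + "/resourceGroups/rg-phi/providers/Microsoft.KeyVault/vaults/kv-phi"
EH = SUB + "/resourceGroups/rg-phi/providers/Microsoft.EventHub/namespaces/eh-phi"
SB = SUB + "/resourceGroups/rg-phi/providers/Microsoft.ServiceBus/namespaces/sb-phi"
RESOURCES = [{"id": KV}, {"id": EH}, {"id": SB}]
SETTINGS = [
    {"id": KV + SETTINGS_SEGMENT + "to-law",
     "properties": {"workspaceId": LAW,
                    "logs": [{"category": "AuditEvent", "enabled": True}]}},
    {"id": EH + SETTINGS_SEGMENT + "to-law",
     "properties": {"workspaceId": LAW,
                    "logs": [{"category": "OperationalLogs", "enabled": False}]}},
]
LOG_PROFILE = {"name": "default",
               "properties": {"categories": ["Write", "Delete"], "locations": ["eastus", "global"]}}
SUBSCRIPTION_LOCATIONS = ["eastus", "westeurope"]

if __name__ == "__main__":
    for rid, state in evaluate_resource_logs(RESOURCES, SETTINGS).items():
        print(state, rid.rsplit("/", 1)[-1])
    print("log profile gaps:", log_profile_gaps(LOG_PROFILE, SUBSCRIPTION_LOCATIONS))
```

The Event Hub namespace is the case worth remembering: a diagnostic setting exists and points at a workspace, yet the resource is still NonCompliant because no category is enabled, which is exactly why the existence condition must look inside the setting rather than merely at its presence.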
1220.09ab3System.56-09.ab 09.10 Monitoring
ID : 1220.09ab3System.56-09.ab
Ownership : Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Authorize, monitor, and control voip | CMA_0025 - Authorize, monitor, and control voip | Manual, Disabled | 1.1.0 |
| Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
| Verify software, firmware and information integrity | CMA_0542 - Verify software, firmware and information integrity | Manual, Disabled | 1.1.0 |
| View and configure system diagnostic data | CMA_0544 - View and configure system diagnostic data | Manual, Disabled | 1.1.0 |
1222.09ab3System.8-09.ab 09.10 Monitoring
ID : 1222.09ab3System.8-09.ab
Ownership : Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Alert personnel of information spillage | CMA_0007 - Alert personnel of information spillage | Manual, Disabled | 1.1.0 |
| Correlate audit records | CMA_0087 - Correlate audit records | Manual, Disabled | 1.1.0 |
| Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
| Disseminate security alerts to personnel | CMA_C1705 - Disseminate security alerts to personnel | Manual, Disabled | 1.1.0 |
| Establish a threat intelligence program | CMA_0260 - Establish a threat intelligence program | Manual, Disabled | 1.1.0 |
| Generate internal security alerts | CMA_C1704 - Generate internal security alerts | Manual, Disabled | 1.1.0 |
| Implement security directives | CMA_C1706 - Implement security directives | Manual, Disabled | 1.1.0 |
| Integrate cloud app security with a siem | CMA_0340 - Integrate cloud app security with a siem | Manual, Disabled | 1.1.0 |
| Provide capability to process customer-controlled audit records | CMA_C1126 - Provide capability to process customer-controlled audit records | Manual, Disabled | 1.1.0 |
| Set automated notifications for new and trending cloud applications in your organization | CMA_0495 - Set automated notifications for new and trending cloud applications in your organization | Manual, Disabled | 1.1.0 |
1229.09c1Organizational.1-09.c 09.01 Documented Operating Procedures
ID : 1229.09c1Organizational.1-09.c
Ownership : Shared
1230.09c2Organizational.1-09.c 09.01 Documented Operating Procedures
ID : 1230.09c2Organizational.1-09.c
Ownership : Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
| Audit usage of custom RBAC roles | Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | Audit, Disabled | 1.0.1 |
| Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Configure Azure Audit capabilities | CMA_C1108 - Configure Azure Audit capabilities | Manual, Disabled | 1.1.1 |
| Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
| Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
| Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
| Separate duties of individuals | CMA_0492 - Separate duties of individuals | Manual, Disabled | 1.1.0 |
1231.09c2Organizational.23-09.c 09.01 Documented Operating Procedures
ID : 1231.09c2Organizational.23-09.c
Ownership : Shared
1232.09c3Organizational.12-09.c 09.01 Documented Operating Procedures
ID : 1232.09c3Organizational.12-09.c
Ownership : Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Conduct a full text analysis of logged privileged commands | CMA_0056 - Conduct a full text analysis of logged privileged commands | Manual, Disabled | 1.1.0 |
| Define access authorizations to support separation of duties | CMA_0116 - Define access authorizations to support separation of duties | Manual, Disabled | 1.1.0 |
| Design an access control model | CMA_0129 - Design an access control model | Manual, Disabled | 1.1.0 |
| Document separation of duties | CMA_0204 - Document separation of duties | Manual, Disabled | 1.1.0 |
| Employ least privilege access | CMA_0212 - Employ least privilege access | Manual, Disabled | 1.1.0 |
| Enable dual or joint authorization | CMA_0226 - Enable dual or joint authorization | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Enforce software execution privileges | CMA_C1041 - Enforce software execution privileges | Manual, Disabled | 1.1.0 |
| Monitor privileged role assignment | CMA_0378 - Monitor privileged role assignment | Manual, Disabled | 1.1.0 |
| Protect audit information | CMA_0401 - Protect audit information | Manual, Disabled | 1.1.0 |
| Reassign or remove user privileges as needed | CMA_C1040 - Reassign or remove user privileges as needed | Manual, Disabled | 1.1.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
| Review user privileges | CMA_C1039 - Review user privileges | Manual, Disabled | 1.1.0 |
| Revoke privileged roles as appropriate | CMA_0483 - Revoke privileged roles as appropriate | Manual, Disabled | 1.1.0 |
| Separate duties of individuals | CMA_0492 - Separate duties of individuals | Manual, Disabled | 1.1.0 |
| Use privileged identity management | CMA_0533 - Use privileged identity management | Manual, Disabled | 1.1.0 |
| Windows machines should meet requirements for 'User Rights Assignment' | Windows machines should have the specified Group Policy settings in the category 'User Rights Assignment' for allowing log on locally, RDP, access from the network, and many other user activities. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |
1233.09c3Organizational.3-09.c 09.01 Documented Operating Procedures
ID : 1233.09c3Organizational.3-09.c
Ownership : Shared
1270.09ad1System.12-09.ad 09.10 Monitoring
ID : 1270.09ad1System.12-09.ad
Ownership : Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| An activity log alert should exist for specific Administrative operations | This policy audits specific Administrative operations with no activity log alerts configured. | AuditIfNotExists, Disabled | 1.0.0 |
| Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
| Conduct a full text analysis of logged privileged commands | CMA_0056 - Conduct a full text analysis of logged privileged commands | Manual, Disabled | 1.1.0 |
| Correlate audit records | CMA_0087 - Correlate audit records | Manual, Disabled | 1.1.0 |
| Establish requirements for audit review and reporting | CMA_0277 - Establish requirements for audit review and reporting | Manual, Disabled | 1.1.0 |
| Integrate audit review, analysis, and reporting | CMA_0339 - Integrate audit review, analysis, and reporting | Manual, Disabled | 1.1.0 |
| Integrate cloud app security with a siem | CMA_0340 - Integrate cloud app security with a siem | Manual, Disabled | 1.1.0 |
| Monitor privileged role assignment | CMA_0378 - Monitor privileged role assignment | Manual, Disabled | 1.1.0 |
| Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
| Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
| Review administrator assignments weekly | CMA_0461 - Review administrator assignments weekly | Manual, Disabled | 1.1.0 |
| Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
| Review cloud identity report overview | CMA_0468 - Review cloud identity report overview | Manual, Disabled | 1.1.0 |
| Review controlled folder access events | CMA_0471 - Review controlled folder access events | Manual, Disabled | 1.1.0 |
| Review file and folder activity | CMA_0473 - Review file and folder activity | Manual, Disabled | 1.1.0 |
| Review role group changes weekly | CMA_0476 - Review role group changes weekly | Manual, Disabled | 1.1.0 |
| Revoke privileged roles as appropriate | CMA_0483 - Revoke privileged roles as appropriate | Manual, Disabled | 1.1.0 |
| Use privileged identity management | CMA_0533 - Use privileged identity management | Manual, Disabled | 1.1.0 |
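
Most rows in the 09.10 Monitoring and 09.01 Documented Operating Procedures tables above are Manual (CMA_*) attestations, but three are evaluated by Azure Policy itself: the log profile categories check ('write', 'delete', 'action'), the audit of custom RBAC role usage, and the check that an activity log alert exists for specific Administrative operations. The following Python is an added example, not code from this page and not the Azure Policy engine; it mirrors the intent of those three definitions over exported ARM resource JSON so an operator can pre-screen a subscription export before the initiative is assigned. The resource shapes (`properties.categories` on log profiles, `properties.type` of `BuiltInRole`/`CustomRole` on role definitions, `condition.allOf` clauses on activity log alerts), the sample resources, and the list of Administrative operations an alert must cover are all assumptions constructed for this example; the real policies carry their own parameter lists.

```python
"""Offline pre-check mirroring three Azure-evaluated policies in this mapping.

Added example: not the Azure Policy engine and not code from this page. It
evaluates exported ARM resource JSON (as dicts) the way the policy
descriptions say the checks behave. Resource shapes, sample resources and the
operation list are assumptions constructed for the example.
"""
from __future__ import annotations

from typing import Iterable

# Policy: "Azure Monitor log profile should collect logs for categories
# 'write,' 'delete,' and 'action'". ARM returns them capitalised ("Write"),
# so the comparison is case-insensitive.
REQUIRED_LOG_CATEGORIES = {"write", "delete", "action"}

# Policy: "An activity log alert should exist for specific Administrative
# operations". Which operations count is a parameter of the real policy;
# this list is an assumption for the example.
REQUIRED_ADMIN_OPS = [
    "Microsoft.Network/networkSecurityGroups/write",
    "Microsoft.Sql/servers/firewallRules/write",
]


def missing_log_categories(log_profile: dict) -> list[str]:
    """Categories a Microsoft.Insights/logProfiles resource fails to collect."""
    categories = log_profile.get("properties", {}).get("categories", [])
    present = {c.lower() for c in categories}
    return sorted(REQUIRED_LOG_CATEGORIES - present)


def custom_role_assignments(role_definitions: Iterable[dict],
                            role_assignments: Iterable[dict]) -> list[str]:
    """Assignments ("principalId@scope") that use a CustomRole definition.

    Policy: "Audit usage of custom RBAC roles". Assumed shape: definitions
    carry properties.type of "BuiltInRole" or "CustomRole"; assignments
    reference a definition through properties.roleDefinitionId. Resource IDs
    are compared case-insensitively because ARM does not normalise them.
    """
    custom_ids = {
        d["id"].lower()
        for d in role_definitions
        if d.get("properties", {}).get("type") == "CustomRole"
    }
    hits = []
    for ra in role_assignments:
        props = ra.get("properties", {})
        if props.get("roleDefinitionId", "").lower() in custom_ids:
            hits.append(f"{props.get('principalId')}@{props.get('scope')}")
    return sorted(hits)


def uncovered_admin_operations(alerts: Iterable[dict],
                               required_ops: Iterable[str]) -> list[str]:
    """Operations in required_ops that no enabled activityLogAlert watches.

    An alert covers an operation only when it is enabled and its
    condition.allOf contains both {field: "category", equals: "Administrative"}
    and {field: "operationName", equals: <operation>} (assumed ARM shape).
    """
    covered: set[str] = set()
    for alert in alerts:
        props = alert.get("properties", {})
        if not props.get("enabled", False):
            continue  # a disabled alert satisfies nothing
        clauses = props.get("condition", {}).get("allOf", [])
        fields = {c.get("field", "").lower(): str(c.get("equals", "")) for c in clauses}
        if fields.get("category", "").lower() != "administrative":
            continue
        if fields.get("operationname"):
            covered.add(fields["operationname"].lower())
    return sorted(op for op in required_ops if op.lower() not in covered)


# Constructed sample export (not a real subscription).
SAMPLE_LOG_PROFILE = {
    "name": "default", "type": "Microsoft.Insights/logProfiles",
    "properties": {"categories": ["Write", "Action"], "locations": ["global"]},
}
SAMPLE_ROLE_DEFINITIONS = [
    {"id": "/subscriptions/sub-1/providers/Microsoft.Authorization/roleDefinitions/aaaa-1",
     "properties": {"roleName": "Reader", "type": "BuiltInRole"}},
    {"id": "/subscriptions/sub-1/providers/Microsoft.Authorization/roleDefinitions/bbbb-2",
     "properties": {"roleName": "Ops Custom Role", "type": "CustomRole"}},
]
SAMPLE_ROLE_ASSIGNMENTS = [
    {"properties": {"principalId": "user-1", "scope": "/subscriptions/sub-1",
                    "roleDefinitionId": "/subscriptions/sub-1/providers/Microsoft.Authorization/roleDefinitions/aaaa-1"}},
    {"properties": {"principalId": "sp-2", "scope": "/subscriptions/sub-1/resourceGroups/rg-app",
                    "roleDefinitionId": "/subscriptions/sub-1/providers/Microsoft.Authorization/roleDefinitions/BBBB-2"}},
]
SAMPLE_ALERTS = [
    {"properties": {"enabled": True, "condition": {"allOf": [
        {"field": "category", "equals": "Administrative"},
        {"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/write"}]}}},
    {"properties": {"enabled": False, "condition": {"allOf": [  # disabled, so it does not count
        {"field": "category", "equals": "Administrative"},
        {"field": "operationName", "equals": "Microsoft.Sql/servers/firewallRules/write"}]}}},
]


def run_checks() -> dict[str, list[str]]:
    """Evaluate the sample export; an empty list means that check is compliant."""
    return {
        "missing_log_categories": missing_log_categories(SAMPLE_LOG_PROFILE),
        "custom_role_assignments": custom_role_assignments(SAMPLE_ROLE_DEFINITIONS, SAMPLE_ROLE_ASSIGNMENTS),
        "uncovered_admin_operations": uncovered_admin_operations(SAMPLE_ALERTS, REQUIRED_ADMIN_OPS),
    }


if __name__ == "__main__":
    for check, findings in run_checks().items():
        print(f"{check}: {'compliant' if not findings else findings}")
```

On the constructed sample the log profile is missing 'delete', the service principal `sp-2` holds a custom role on `rg-app`, and the SQL firewall-rule write operation has only a disabled alert, so all three checks report findings. This is a pre-screen, not a substitute for the initiative: as the Important note at the top of the page says, a policy evaluating as Compliant covers only the policy definition, not the whole HITRUST control.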
1271.09ad1System.1-09.ad 09.10 Monitoring
ID : 1271.09ad1System.1-09.ad
Ownership : Shared
1271.09ad2System.1 09.10 Monitoring
ID : 1271.09ad2System.1
Ownership : Shared
1276.09c2Organizational.2-09.c 09.01 Documented Operating Procedures
ID : 1276.09c2Organizational.2-09.c
Ownership : Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Conduct a full text analysis of logged privileged commands | CMA_0056 - Conduct a full text analysis of logged privileged commands | Manual, Disabled | 1.1.0 |
| Define access authorizations to support separation of duties | CMA_0116 - Define access authorizations to support separation of duties | Manual, Disabled | 1.1.0 |
| Design an access control model | CMA_0129 - Design an access control model | Manual, Disabled | 1.1.0 |
| Document separation of duties | CMA_0204 - Document separation of duties | Manual, Disabled | 1.1.0 |
| Employ least privilege access | CMA_0212 - Employ least privilege access | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Enforce software execution privileges | CMA_C1041 - Enforce software execution privileges | Manual, Disabled | 1.1.0 |
| Monitor privileged role assignment | CMA_0378 - Monitor privileged role assignment | Manual, Disabled | 1.1.0 |
| Protect audit information | CMA_0401 - Protect audit information | Manual, Disabled | 1.1.0 |
| Reassign or remove user privileges as needed | CMA_C1040 - Reassign or remove user privileges as needed | Manual, Disabled | 1.1.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Review user privileges | CMA_C1039 - Review user privileges | Manual, Disabled | 1.1.0 |
| Revoke privileged roles as appropriate | CMA_0483 - Revoke privileged roles as appropriate | Manual, Disabled | 1.1.0 |
| Separate duties of individuals | CMA_0492 - Separate duties of individuals | Manual, Disabled | 1.1.0 |
| Use privileged identity management | CMA_0533 - Use privileged identity management | Manual, Disabled | 1.1.0 |
1277.09c2Organizational.4-09.c 09.01 Documented Operating Procedures
ID : 1277.09c2Organizational.4-09.c
Ownership : Shared
1278.09c2Organizational.56-09.c 09.01 Documented Operating Procedures
ID : 1278.09c2Organizational.56-09.c
Ownership : Shared
1279.09c3Organizational.4-09.c 09.01 Documented Operating Procedures
ID : 1279.09c3Organizational.4-09.c
Ownership : Shared
13 Education, Training and Awareness
1301.02e1Organizational.12-02.e 02.03 During Employment
ID : 1301.02e1Organizational.12-02.e
Ownership : Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
| Develop organization code of conduct policy | CMA_0159 - Develop organization code of conduct policy | Manual, Disabled | 1.1.0 |
| Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
| Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
| Prohibit unfair practices | CMA_0396 - Prohibit unfair practices | Manual, Disabled | 1.1.0 |
| Provide periodic role-based security training | CMA_C1095 - Provide periodic role-based security training | Manual, Disabled | 1.1.0 |
| Provide periodic security awareness training | CMA_C1091 - Provide periodic security awareness training | Manual, Disabled | 1.1.0 |
| Provide role-based practical exercises | CMA_C1096 - Provide role-based practical exercises | Manual, Disabled | 1.1.0 |
| Provide role-based security training | CMA_C1094 - Provide role-based security training | Manual, Disabled | 1.1.0 |
| Provide role-based training on suspicious activities | CMA_C1097 - Provide role-based training on suspicious activities | Manual, Disabled | 1.1.0 |
| Provide security awareness training for insider threats | CMA_0417 - Provide security awareness training for insider threats | Manual, Disabled | 1.1.0 |
| Provide security training before providing access | CMA_0418 - Provide security training before providing access | Manual, Disabled | 1.1.0 |
| Provide security training for new users | CMA_0419 - Provide security training for new users | Manual, Disabled | 1.1.0 |
| Provide updated security awareness training | CMA_C1090 - Provide updated security awareness training | Manual, Disabled | 1.1.0 |
| Review and sign revised rules of behavior | CMA_0465 - Review and sign revised rules of behavior | Manual, Disabled | 1.1.0 |
| Update rules of behavior and access agreements | CMA_0521 - Update rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
| Update rules of behavior and access agreements every 3 years | CMA_0522 - Update rules of behavior and access agreements every 3 years | Manual, Disabled | 1.1.0 |
1302.02e2Organizational.134-02.e 02.03 During Employment
ID : 1302.02e2Organizational.134-02.e
Ownership : Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
| Develop organization code of conduct policy | CMA_0159 - Develop organization code of conduct policy | Manual, Disabled | 1.1.0 |
| Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
| Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
| Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
| Implement a threat awareness program | CMA_C1758 - Implement a threat awareness program | Manual, Disabled | 1.1.0 |
| Implement an insider threat program | CMA_C1751 - Implement an insider threat program | Manual, Disabled | 1.1.0 |
| Monitor security and privacy training completion | CMA_0379 - Monitor security and privacy training completion | Manual, Disabled | 1.1.0 |
| Prohibit unfair practices | CMA_0396 - Prohibit unfair practices | Manual, Disabled | 1.1.0 |
| Provide periodic security awareness training | CMA_C1091 - Provide periodic security awareness training | Manual, Disabled | 1.1.0 |
| Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
| Provide security awareness training for insider threats | CMA_0417 - Provide security awareness training for insider threats | Manual, Disabled | 1.1.0 |
| Provide security training for new users | CMA_0419 - Provide security training for new users | Manual, Disabled | 1.1.0 |
| Provide updated security awareness training | CMA_C1090 - Provide updated security awareness training | Manual, Disabled | 1.1.0 |
| Retain training records | CMA_0456 - Retain training records | Manual, Disabled | 1.1.0 |
| Review and sign revised rules of behavior | CMA_0465 - Review and sign revised rules of behavior | Manual, Disabled | 1.1.0 |
| Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
| Update rules of behavior and access agreements | CMA_0521 - Update rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
| Update rules of behavior and access agreements every 3 years | CMA_0522 - Update rules of behavior and access agreements every 3 years | Manual, Disabled | 1.1.0 |
1303.02e2Organizational.2-02.e 02.03 During Employment
ID : 1303.02e2Organizational.2-02.e
Ownership : Shared
1304.02e3Organizational.1-02.e 02.03 During Employment
ID : 1304.02e3Organizational.1-02.e
Ownership : Shared
1305.02e3Organizational.23-02.e 02.03 During Employment
ID : 1305.02e3Organizational.23-02.e
Ownership : Shared
1306.06e1Organizational.5-06.e 06.01 Compliance with Legal Requirements
ID : 1306.06e1Organizational.5-06.e
Ownership : Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
| Develop organization code of conduct policy | CMA_0159 - Develop organization code of conduct policy | Manual, Disabled | 1.1.0 |
| Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
| Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
| Implement formal sanctions process | CMA_0317 - Implement formal sanctions process | Manual, Disabled | 1.1.0 |
| Notify personnel upon sanctions | CMA_0380 - Notify personnel upon sanctions | Manual, Disabled | 1.1.0 |
| Prohibit unfair practices | CMA_0396 - Prohibit unfair practices | Manual, Disabled | 1.1.0 |
| Review and sign revised rules of behavior | CMA_0465 - Review and sign revised rules of behavior | Manual, Disabled | 1.1.0 |
| Update information security policies | CMA_0518 - Update information security policies | Manual, Disabled | 1.1.0 |
| Update rules of behavior and access agreements | CMA_0521 - Update rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
| Update rules of behavior and access agreements every 3 years | CMA_0522 - Update rules of behavior and access agreements every 3 years | Manual, Disabled | 1.1.0 |
1307.07c1Organizational.124-07.c 07.01 Responsibility for Assets
ID : 1307.07c1Organizational.124-07.c
Ownership : Shared
1308.09j1Organizational.5-09.j 09.04 Protection Against Malicious and Mobile Code
ID : 1308.09j1Organizational.5-09.j
Ownership : Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop acceptable use policies and procedures | CMA_0143 - Develop acceptable use policies and procedures | Manual, Disabled | 1.1.0 |
| Develop organization code of conduct policy | CMA_0159 - Develop organization code of conduct policy | Manual, Disabled | 1.1.0 |
| Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
| Enforce rules of behavior and access agreements | CMA_0248 - Enforce rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
| Prohibit unfair practices | CMA_0396 - Prohibit unfair practices | Manual, Disabled | 1.1.0 |
| Provide periodic security awareness training | CMA_C1091 - Provide periodic security awareness training | Manual, Disabled | 1.1.0 |
| Provide security training for new users | CMA_0419 - Provide security training for new users | Manual, Disabled | 1.1.0 |
| Provide updated security awareness training | CMA_C1090 - Provide updated security awareness training | Manual, Disabled | 1.1.0 |
| Review and sign revised rules of behavior | CMA_0465 - Review and sign revised rules of behavior | Manual, Disabled | 1.1.0 |
| Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
| Update rules of behavior and access agreements | CMA_0521 - Update rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
| Update rules of behavior and access agreements every 3 years | CMA_0522 - Update rules of behavior and access agreements every 3 years | Manual, Disabled | 1.1.0 |
1309.01x1System.36-01.x 01.07 Mobile Computing and Teleworking
ID : 1309.01x1System.36-01.x
Ownership : Shared
1310.01y1Organizational.9-01.y 01.07 Mobile Computing and Teleworking
ID : 1310.01y1Organizational.9-01.y
Ownership : Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Provide periodic role-based security training | CMA_C1095 - Provide periodic role-based security training | Manual, Disabled | 1.1.0 |
| Provide periodic security awareness training | CMA_C1091 - Provide periodic security awareness training | Manual, Disabled | 1.1.0 |
| Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
| Provide role-based practical exercises | CMA_C1096 - Provide role-based practical exercises | Manual, Disabled | 1.1.0 |
| Provide role-based security training | CMA_C1094 - Provide role-based security training | Manual, Disabled | 1.1.0 |
| Provide role-based training on suspicious activities | CMA_C1097 - Provide role-based training on suspicious activities | Manual, Disabled | 1.1.0 |
| Provide security awareness training for insider threats | CMA_0417 - Provide security awareness training for insider threats | Manual, Disabled | 1.1.0 |
| Provide security training before providing access | CMA_0418 - Provide security training before providing access | Manual, Disabled | 1.1.0 |
| Provide security training for new users | CMA_0419 - Provide security training for new users | Manual, Disabled | 1.1.0 |
| Provide updated security awareness training | CMA_C1090 - Provide updated security awareness training | Manual, Disabled | 1.1.0 |
ID : 1311.12c2Organizational.3-12.c
Ownership : Shared
1313.02e1Organizational.3-02.e 02.03 During Employment
ID : 1313.02e1Organizational.3-02.e
Ownership : Shared
1314.02e2Organizational.5-02.e 02.03 During Employment
ID : 1314.02e2Organizational.5-02.e
Ownership : Shared
1315.02e2Organizational.67-02.e 02.03 During Employment
ID : 1315.02e2Organizational.67-02.e
Ownership : Shared
1324.07c1Organizational.3-07.c 07.01 Responsibility for Assets
ID : 1324.07c1Organizational.3-07.c
Ownership : Shared
ID : 1325.09s1Organizational.3-09.s
Ownership : Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop organization code of conduct policy | CMA_0159 - Develop organization code of conduct policy | Manual, Disabled | 1.1.0 |
| Document personnel acceptance of privacy requirements | CMA_0193 - Document personnel acceptance of privacy requirements | Manual, Disabled | 1.1.0 |
| Function apps should have remote debugging turned off | Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 2.0.0 |
| Prohibit unfair practices | CMA_0396 - Prohibit unfair practices | Manual, Disabled | 1.1.0 |
| Provide periodic security awareness training | CMA_C1091 - Provide periodic security awareness training | Manual, Disabled | 1.1.0 |
| Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
| Provide security training for new users | CMA_0419 - Provide security training for new users | Manual, Disabled | 1.1.0 |
| Provide updated security awareness training | CMA_C1090 - Provide updated security awareness training | Manual, Disabled | 1.1.0 |
| Review and sign revised rules of behavior | CMA_0465 - Review and sign revised rules of behavior | Manual, Disabled | 1.1.0 |
| Update rules of behavior and access agreements | CMA_0521 - Update rules of behavior and access agreements | Manual, Disabled | 1.1.0 |
| Update rules of behavior and access agreements every 3 years | CMA_0522 - Update rules of behavior and access agreements every 3 years | Manual, Disabled | 1.1.0 |
1327.02e2Organizational.8-02.e 02.03 During Employment
ID : 1327.02e2Organizational.8-02.e
Ownership : Shared
1331.02e3Organizational.4-02.e 02.03 During Employment
ID : 1331.02e3Organizational.4-02.e
Ownership : Shared
1334.02e2Organizational.12-02.e 02.03 During Employment
ID : 1334.02e2Organizational.12-02.e
Ownership : Shared
1336.02e1Organizational.5-02.e 02.03 During Employment
ID : 1336.02e1Organizational.5-02.e
Ownership : Shared
1404.05i2Organizational.1-05.i 05.02 External Parties
ID : 1404.05i2Organizational.1-05.i
Ownership : Shared
1406.05k1Organizational.110-05.k 05.02 External Parties
ID : 1406.05k1Organizational.110-05.k
Ownership : Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
| Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
| Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
| Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
| Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
1407.05k2Organizational.1-05.k 05.02 External Parties
ID : 1407.05k2Organizational.1-05.k
Ownership : Shared
1408.09e1System.1-09.e 09.02 Control Third Party Service Delivery
ID : 1408.09e1System.1-09.e
Ownership : Shared
1409.09e2System.1-09.e 09.02 Control Third Party Service Delivery
ID : 1409.09e2System.1-09.e
Ownership : Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
| Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
| Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
| Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
| Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
| Document third-party personnel security requirements | CMA_C1531 - Document third-party personnel security requirements | Manual, Disabled | 1.1.0 |
| Establish third-party personnel security requirements | CMA_C1529 - Establish third-party personnel security requirements | Manual, Disabled | 1.1.0 |
| Monitor third-party provider compliance | CMA_C1533 - Monitor third-party provider compliance | Manual, Disabled | 1.1.0 |
| Require third-party providers to comply with personnel security policies and procedures | CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures | Manual, Disabled | 1.1.0 |
1410.09e2System.23-09.e 09.02 Control Third Party Service Delivery
ID : 1410.09e2System.23-09.e
Ownership : Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
| Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
| Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
| Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
| Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
1411.09f1System.1-09.f 09.02 Control Third Party Service Delivery
ID : 1411.09f1System.1-09.f
Ownership : Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Authorize, monitor, and control voip | CMA_0025 - Authorize, monitor, and control voip | Manual, Disabled | 1.1.0 |
| Detect network services that have not been authorized or approved | CMA_C1700 - Detect network services that have not been authorized or approved | Manual, Disabled | 1.1.0 |
| Disseminate security alerts to personnel | CMA_C1705 - Disseminate security alerts to personnel | Manual, Disabled | 1.1.0 |
| Document wireless access security controls | CMA_C1695 - Document wireless access security controls | Manual, Disabled | 1.1.0 |
| Establish a threat intelligence program | CMA_0260 - Establish a threat intelligence program | Manual, Disabled | 1.1.0 |
| Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0 |
| Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Manual, Disabled | 1.1.0 |
| Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |
| Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
1416.10l1Organizational.1-10.l 10.05 Security In Development and Support Processes
ID: 1416.10l1Organizational.1-10.l
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
| Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
| Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
| Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
| Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
1417.10l2Organizational.1-10.l 10.05 Security In Development and Support Processes
ID: 1417.10l2Organizational.1-10.l
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
| Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
| Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
| Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
| Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
| Require developers to produce evidence of security assessment plan execution | CMA_C1602 - Require developers to produce evidence of security assessment plan execution | Manual, Disabled | 1.1.0 |
1419.05j1Organizational.12-05.j 05.02 External Parties
ID: 1419.05j1Organizational.12-05.j
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
| Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
| Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
| Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
| Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
1421.05j2Organizational.12-05.j 05.02 External Parties
ID: 1421.05j2Organizational.12-05.j
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
| Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
| Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
| Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
| Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
1422.05j2Organizational.3-05.j 05.02 External Parties
ID: 1422.05j2Organizational.3-05.j
Ownership: Shared

1423.05j2Organizational.4-05.j 05.02 External Parties
ID: 1423.05j2Organizational.4-05.j
Ownership: Shared

1424.05j2Organizational.5-05.j 05.02 External Parties
ID: 1424.05j2Organizational.5-05.j
Ownership: Shared
1429.05k1Organizational.34-05.k 05.02 External Parties
ID: 1429.05k1Organizational.34-05.k
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
| Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
| Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
| Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
| Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
| Document third-party personnel security requirements | CMA_C1531 - Document third-party personnel security requirements | Manual, Disabled | 1.1.0 |
| Establish third-party personnel security requirements | CMA_C1529 - Establish third-party personnel security requirements | Manual, Disabled | 1.1.0 |
| Monitor third-party provider compliance | CMA_C1533 - Monitor third-party provider compliance | Manual, Disabled | 1.1.0 |
| Require third-party providers to comply with personnel security policies and procedures | CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures | Manual, Disabled | 1.1.0 |
1430.05k1Organizational.56-05.k 05.02 External Parties
ID: 1430.05k1Organizational.56-05.k
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
| Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
| Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
| Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
| Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
| Document third-party personnel security requirements | CMA_C1531 - Document third-party personnel security requirements | Manual, Disabled | 1.1.0 |
| Establish third-party personnel security requirements | CMA_C1529 - Establish third-party personnel security requirements | Manual, Disabled | 1.1.0 |
| Require third-party providers to comply with personnel security policies and procedures | CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures | Manual, Disabled | 1.1.0 |
1431.05k1Organizational.7-05.k 05.02 External Parties
ID: 1431.05k1Organizational.7-05.k
Ownership: Shared

1432.05k1Organizational.89-05.k 05.02 External Parties
ID: 1432.05k1Organizational.89-05.k
Ownership: Shared
1438.09e2System.4-09.e 09.02 Control Third Party Service Delivery
ID: 1438.09e2System.4-09.e
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
| Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
| Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
| Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
| Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
| Ensure external providers consistently meet interests of the customers | CMA_C1592 - Ensure external providers consistently meet interests of the customers | Manual, Disabled | 1.1.0 |
| Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0 |
| Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Manual, Disabled | 1.1.0 |
| Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
1450.05i2Organizational.2-05.i 05.02 External Parties
ID: 1450.05i2Organizational.2-05.i
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assess risk in third party relationships | CMA_0014 - Assess risk in third party relationships | Manual, Disabled | 1.1.0 |
| Define and document government oversight | CMA_C1587 - Define and document government oversight | Manual, Disabled | 1.1.0 |
| Define requirements for supplying goods and services | CMA_0126 - Define requirements for supplying goods and services | Manual, Disabled | 1.1.0 |
| Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
| Enforce SSL connection should be enabled for PostgreSQL database servers | Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
| Establish policies for supply chain risk management | CMA_0275 - Establish policies for supply chain risk management | Manual, Disabled | 1.1.0 |
| Identify incident response personnel | CMA_0301 - Identify incident response personnel | Manual, Disabled | 1.1.0 |
| Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0 |
| Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Manual, Disabled | 1.1.0 |
| Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
1451.05iCSPOrganizational.2-05.i 05.02 External Parties
ID: 1451.05iCSPOrganizational.2-05.i
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assess risk in third party relationships | CMA_0014 - Assess risk in third party relationships | Manual, Disabled | 1.1.0 |
| Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Conduct a full text analysis of logged privileged commands | CMA_0056 - Conduct a full text analysis of logged privileged commands | Manual, Disabled | 1.1.0 |
| Define access authorizations to support separation of duties | CMA_0116 - Define access authorizations to support separation of duties | Manual, Disabled | 1.1.0 |
| Define and document government oversight | CMA_C1587 - Define and document government oversight | Manual, Disabled | 1.1.0 |
| Define requirements for supplying goods and services | CMA_0126 - Define requirements for supplying goods and services | Manual, Disabled | 1.1.0 |
| Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
| Document separation of duties | CMA_0204 - Document separation of duties | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Enforce software execution privileges | CMA_C1041 - Enforce software execution privileges | Manual, Disabled | 1.1.0 |
| Establish policies for supply chain risk management | CMA_0275 - Establish policies for supply chain risk management | Manual, Disabled | 1.1.0 |
| Monitor privileged role assignment | CMA_0378 - Monitor privileged role assignment | Manual, Disabled | 1.1.0 |
| Only secure connections to your Azure Cache for Redis should be enabled | Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 1.0.0 |
| Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0 |
| Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Manual, Disabled | 1.1.0 |
| Revoke privileged roles as appropriate | CMA_0483 - Revoke privileged roles as appropriate | Manual, Disabled | 1.1.0 |
| Separate duties of individuals | CMA_0492 - Separate duties of individuals | Manual, Disabled | 1.1.0 |
| Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
| Use privileged identity management | CMA_0533 - Use privileged identity management | Manual, Disabled | 1.1.0 |
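Only two entries in the tables for controls 1450 and 1451 above are machine-evaluated policies rather than manual (CMA) attestations: "Enforce SSL connection should be enabled for PostgreSQL database servers" (effect Audit) and "Only secure connections to your Azure Cache for Redis should be enabled" (effects Audit or Deny). The following is an added example, not code from this page or from Azure Policy itself: a small evaluator that applies rules written in the Azure Policy `if`/`allOf`/`then` shape to constructed ARM resource documents and reports which effect fires. The aliases `Microsoft.DBforPostgreSQL/servers/sslEnforcement` and `Microsoft.Cache/Redis/enableNonSslPort`, and the conditions around them, are written from memory of the built-in definitions and are an assumption; check them against the definition JSON in the portal before relying on them. Choosing Deny for the Redis rule here is also a choice made to show the difference between the two effects, not the built-in's default.

```python
"""Evaluate two Azure-Policy-style rules against constructed resource documents.

Added example, not code from the Azure Policy page. The policy rules are an
ASSUMPTION written from memory of the built-in definitions named on the page;
verify aliases and conditions against the real definition JSON.
"""

# Constructed rules in the if/allOf/then shape Azure Policy uses.
POLICIES = {
    "Enforce SSL connection should be enabled for PostgreSQL database servers": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.DBforPostgreSQL/servers"},
            # ASSUMPTION: alias name and notEquals condition
            {"field": "Microsoft.DBforPostgreSQL/servers/sslEnforcement",
             "notEquals": "Enabled"},
        ]},
        "then": {"effect": "Audit"},   # page lists Audit, Disabled
    },
    "Only secure connections to your Azure Cache for Redis should be enabled": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Cache/Redis"},
            # ASSUMPTION: alias name; non-compliant when the non-SSL port is on
            {"field": "Microsoft.Cache/Redis/enableNonSslPort", "equals": "true"},
        ]},
        "then": {"effect": "Deny"},    # page lists Audit, Deny, Disabled; Deny chosen here
    },
}


def resolve(resource, field):
    """Map a policy alias onto a constructed ARM resource document."""
    if field == "type":
        return resource.get("type")
    # Aliases look like <namespace>/<type>/<property path>; strip the type prefix.
    rtype = resource.get("type", "")
    if not field.startswith(rtype + "/"):
        return None  # alias belongs to a different resource type
    node = resource.get("properties", {})
    for part in field[len(rtype) + 1:].split("/"):
        if not isinstance(node, dict):
            return None
        node = node.get(part)
    return node


def _norm(value):
    # Azure Policy string comparisons are case-insensitive, and JSON booleans
    # are compared against the strings "true"/"false".
    if isinstance(value, bool):
        return "true" if value else "false"
    return None if value is None else str(value).lower()


def condition_matches(resource, cond):
    actual = _norm(resolve(resource, cond["field"]))
    if "equals" in cond:
        return actual == _norm(cond["equals"])
    if "notEquals" in cond:
        return actual != _norm(cond["notEquals"])
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(resource, rule):
    """Return NotApplicable, Compliant, or the effect that fires (Audit/Deny)."""
    type_cond, *prop_conds = rule["if"]["allOf"]
    if not condition_matches(resource, type_cond):
        return "NotApplicable"
    if all(condition_matches(resource, c) for c in prop_conds):
        # Audit: resource is flagged non-compliant; Deny: the write is rejected.
        return rule["then"]["effect"]
    return "Compliant"


def assess(resources):
    """Evaluate every resource against every rule; returns {(name, policy): outcome}."""
    return {(r["name"], pname): evaluate(r, rule)
            for r in resources for pname, rule in POLICIES.items()}


# Constructed sample resources (not real deployments): one weak and one
# corrected configuration for each service.
SAMPLE_RESOURCES = [
    {"name": "pg-weak", "type": "Microsoft.DBforPostgreSQL/servers",
     "properties": {"sslEnforcement": "Disabled"}},
    {"name": "pg-ok", "type": "Microsoft.DBforPostgreSQL/servers",
     "properties": {"sslEnforcement": "Enabled"}},
    {"name": "redis-weak", "type": "Microsoft.Cache/Redis",
     "properties": {"enableNonSslPort": True}},
    {"name": "redis-ok", "type": "Microsoft.Cache/Redis",
     "properties": {"enableNonSslPort": False}},
]

if __name__ == "__main__":
    for (rname, pname), outcome in sorted(assess(SAMPLE_RESOURCES).items()):
        print(f"{rname:12} {outcome:14} {pname}")
```

A PostgreSQL server whose `sslEnforcement` property is absent also trips the `notEquals` rule, which is the behaviour you want from an audit check: a missing setting is treated as not enforced rather than silently passing.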
1452.05kCSPOrganizational.1-05.k 05.02 External Parties
ID: 1452.05kCSPOrganizational.1-05.k
Ownership: Shared
1453.05kCSPOrganizational.2-05.k 05.02 External Parties
ID: 1453.05kCSPOrganizational.2-05.k
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assess risk in third party relationships | CMA_0014 - Assess risk in third party relationships | Manual, Disabled | 1.1.0 |
| Define requirements for supplying goods and services | CMA_0126 - Define requirements for supplying goods and services | Manual, Disabled | 1.1.0 |
| Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
| Ensure external providers consistently meet interests of the customers | CMA_C1592 - Ensure external providers consistently meet interests of the customers | Manual, Disabled | 1.1.0 |
| Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
| Establish policies for supply chain risk management | CMA_0275 - Establish policies for supply chain risk management | Manual, Disabled | 1.1.0 |
| Establish third-party personnel security requirements | CMA_C1529 - Establish third-party personnel security requirements | Manual, Disabled | 1.1.0 |
| Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0 |
| Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Manual, Disabled | 1.1.0 |
| Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |
1454.05kCSPOrganizational.3-05.k 05.02 External Parties
ID: 1454.05kCSPOrganizational.3-05.k
Ownership: Shared

1455.05kCSPOrganizational.4-05.k 05.02 External Parties
ID: 1455.05kCSPOrganizational.4-05.k
Ownership: Shared

1464.09e2Organizational.5-09.e 09.02 Control Third Party Service Delivery
ID: 1464.09e2Organizational.5-09.e
Ownership: Shared
1501.02f1Organizational.123-02.f 02.03 During Employment
ID: 1501.02f1Organizational.123-02.f
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assess information security events | CMA_0013 - Assess information security events | Manual, Disabled | 1.1.0 |
| Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
| Develop security safeguards | CMA_0161 - Develop security safeguards | Manual, Disabled | 1.1.0 |
| Enable network protection | CMA_0238 - Enable network protection | Manual, Disabled | 1.1.0 |
| Eradicate contaminated information | CMA_0253 - Eradicate contaminated information | Manual, Disabled | 1.1.0 |
| Execute actions in response to information spills | CMA_0281 - Execute actions in response to information spills | Manual, Disabled | 1.1.0 |
| Implement formal sanctions process | CMA_0317 - Implement formal sanctions process | Manual, Disabled | 1.1.0 |
| Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |
| Maintain incident response plan | CMA_0352 - Maintain incident response plan | Manual, Disabled | 1.1.0 |
| Notify personnel upon sanctions | CMA_0380 - Notify personnel upon sanctions | Manual, Disabled | 1.1.0 |
| View and investigate restricted users | CMA_0545 - View and investigate restricted users | Manual, Disabled | 1.1.0 |
1503.02f2Organizational.12-02.f 02.03 During Employment
ID: 1503.02f2Organizational.12-02.f
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
| Develop security safeguards | CMA_0161 - Develop security safeguards | Manual, Disabled | 1.1.0 |
| Document security operations | CMA_0202 - Document security operations | Manual, Disabled | 1.1.0 |
| Enable network protection | CMA_0238 - Enable network protection | Manual, Disabled | 1.1.0 |
| Eradicate contaminated information | CMA_0253 - Eradicate contaminated information | Manual, Disabled | 1.1.0 |
| Execute actions in response to information spills | CMA_0281 - Execute actions in response to information spills | Manual, Disabled | 1.1.0 |
| Implement formal sanctions process | CMA_0317 - Implement formal sanctions process | Manual, Disabled | 1.1.0 |
| Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |
| Implement Incident handling capability | CMA_C1367 - Implement Incident handling capability | Manual, Disabled | 1.1.0 |
| Notify personnel upon sanctions | CMA_0380 - Notify personnel upon sanctions | Manual, Disabled | 1.1.0 |
| View and investigate restricted users | CMA_0545 - View and investigate restricted users | Manual, Disabled | 1.1.0 |
1504.06e1Organizational.34-06.e 06.01 Compliance with Legal Requirements
ID: 1504.06e1Organizational.34-06.e
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Create a data inventory | CMA_0096 - Create a data inventory | Manual, Disabled | 1.1.0 |
| Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
| Document security operations | CMA_0202 - Document security operations | Manual, Disabled | 1.1.0 |
| Enable detection of network devices | CMA_0220 - Enable detection of network devices | Manual, Disabled | 1.1.0 |
| Enable network protection | CMA_0238 - Enable network protection | Manual, Disabled | 1.1.0 |
| Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
| Establish relationship between incident response capability and external providers | CMA_C1376 - Establish relationship between incident response capability and external providers | Manual, Disabled | 1.1.0 |
| Implement formal sanctions process | CMA_0317 - Implement formal sanctions process | Manual, Disabled | 1.1.0 |
| Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |
| Maintain records of processing of personal data | CMA_0353 - Maintain records of processing of personal data | Manual, Disabled | 1.1.0 |
| Notify personnel upon sanctions | CMA_0380 - Notify personnel upon sanctions | Manual, Disabled | 1.1.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
| Set automated notifications for new and trending cloud applications in your organization | CMA_0495 - Set automated notifications for new and trending cloud applications in your organization | Manual, Disabled | 1.1.0 |
ID: 1505.11a1Organizational.13-11.a
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assess information security events | CMA_0013 - Assess information security events | Manual, Disabled | 1.1.0 |
| Conduct incident response testing | CMA_0060 - Conduct incident response testing | Manual, Disabled | 1.1.0 |
| Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
| Develop security safeguards | CMA_0161 - Develop security safeguards | Manual, Disabled | 1.1.0 |
| Document security operations | CMA_0202 - Document security operations | Manual, Disabled | 1.1.0 |
| Enable network protection | CMA_0238 - Enable network protection | Manual, Disabled | 1.1.0 |
| Eradicate contaminated information | CMA_0253 - Eradicate contaminated information | Manual, Disabled | 1.1.0 |
| Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
| Establish relationship between incident response capability and external providers | CMA_C1376 - Establish relationship between incident response capability and external providers | Manual, Disabled | 1.1.0 |
| Execute actions in response to information spills | CMA_0281 - Execute actions in response to information spills | Manual, Disabled | 1.1.0 |
| Identify classes of Incidents and Actions taken | CMA_C1365 - Identify classes of Incidents and Actions taken | Manual, Disabled | 1.1.0 |
| Identify incident response personnel | CMA_0301 - Identify incident response personnel | Manual, Disabled | 1.1.0 |
| Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |
| Maintain data breach records | CMA_0351 - Maintain data breach records | Manual, Disabled | 1.1.0 |
| Maintain incident response plan | CMA_0352 - Maintain incident response plan | Manual, Disabled | 1.1.0 |
| Protect incident response plan | CMA_0405 - Protect incident response plan | Manual, Disabled | 1.1.0 |
| Provide information spillage training | CMA_0413 - Provide information spillage training | Manual, Disabled | 1.1.0 |
| Run simulation attacks | CMA_0486 - Run simulation attacks | Manual, Disabled | 1.1.0 |
| View and investigate restricted users | CMA_0545 - View and investigate restricted users | Manual, Disabled | 1.1.0 |
ID: 1506.11a1Organizational.2-11.a
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
| Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
| Document security operations | CMA_0202 - Document security operations | Manual, Disabled | 1.1.0 |
| Enable network protection | CMA_0238 - Enable network protection | Manual, Disabled | 1.1.0 |
| Eradicate contaminated information | CMA_0253 - Eradicate contaminated information | Manual, Disabled | 1.1.0 |
| Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
| Execute actions in response to information spills | CMA_0281 - Execute actions in response to information spills | Manual, Disabled | 1.1.0 |
| Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |
| Manage contacts for authorities and special interest groups | CMA_0359 - Manage contacts for authorities and special interest groups | Manual, Disabled | 1.1.0 |
| View and investigate restricted users | CMA_0545 - View and investigate restricted users | Manual, Disabled | 1.1.0 |
ID: 1507.11a1Organizational.4-11.a
Ownership: Shared

ID: 1508.11a2Organizational.1-11.a
Ownership: Shared
ID: 1509.11a2Organizational.236-11.a
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Conduct incident response testing | CMA_0060 - Conduct incident response testing | Manual, Disabled | 1.1.0 |
| Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
| Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
| Develop security safeguards | CMA_0161 - Develop security safeguards | Manual, Disabled | 1.1.0 |
| Document security operations | CMA_0202 - Document security operations | Manual, Disabled | 1.1.0 |
| Enable network protection | CMA_0238 - Enable network protection | Manual, Disabled | 1.1.0 |
| Eradicate contaminated information | CMA_0253 - Eradicate contaminated information | Manual, Disabled | 1.1.0 |
| Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
| Execute actions in response to information spills | CMA_0281 - Execute actions in response to information spills | Manual, Disabled | 1.1.0 |
| Identify classes of Incidents and Actions taken | CMA_C1365 - Identify classes of Incidents and Actions taken | Manual, Disabled | 1.1.0 |
| Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |
| Maintain data breach records | CMA_0351 - Maintain data breach records | Manual, Disabled | 1.1.0 |
| Maintain incident response plan | CMA_0352 - Maintain incident response plan | Manual, Disabled | 1.1.0 |
| Protect incident response plan | CMA_0405 - Protect incident response plan | Manual, Disabled | 1.1.0 |
| Provide information spillage training | CMA_0413 - Provide information spillage training | Manual, Disabled | 1.1.0 |
| Run simulation attacks | CMA_0486 - Run simulation attacks | Manual, Disabled | 1.1.0 |
| View and investigate restricted users | CMA_0545 - View and investigate restricted users | Manual, Disabled | 1.1.0 |

ID: 1510.11a2Organizational.47-11.a
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assess information security events | CMA_0013 - Assess information security events | Manual, Disabled | 1.1.0 |
| Conduct incident response testing | CMA_0060 - Conduct incident response testing | Manual, Disabled | 1.1.0 |
| Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
| Document security operations | CMA_0202 - Document security operations | Manual, Disabled | 1.1.0 |
| Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
| Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |
| Maintain data breach records | CMA_0351 - Maintain data breach records | Manual, Disabled | 1.1.0 |
| Maintain incident response plan | CMA_0352 - Maintain incident response plan | Manual, Disabled | 1.1.0 |
| Protect incident response plan | CMA_0405 - Protect incident response plan | Manual, Disabled | 1.1.0 |
| Provide information spillage training | CMA_0413 - Provide information spillage training | Manual, Disabled | 1.1.0 |
| Run simulation attacks | CMA_0486 - Run simulation attacks | Manual, Disabled | 1.1.0 |

ID: 1511.11a2Organizational.5-11.a
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assess information security events | CMA_0013 - Assess information security events | Manual, Disabled | 1.1.0 |
| Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
| Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
| Develop security safeguards | CMA_0161 - Develop security safeguards | Manual, Disabled | 1.1.0 |
| Document security operations | CMA_0202 - Document security operations | Manual, Disabled | 1.1.0 |
| Enable network protection | CMA_0238 - Enable network protection | Manual, Disabled | 1.1.0 |
| Eradicate contaminated information | CMA_0253 - Eradicate contaminated information | Manual, Disabled | 1.1.0 |
| Execute actions in response to information spills | CMA_0281 - Execute actions in response to information spills | Manual, Disabled | 1.1.0 |
| Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |
| Incorporate simulated events into incident response training | CMA_C1356 - Incorporate simulated events into incident response training | Manual, Disabled | 1.1.0 |
| Maintain incident response plan | CMA_0352 - Maintain incident response plan | Manual, Disabled | 1.1.0 |
| Provide information spillage training | CMA_0413 - Provide information spillage training | Manual, Disabled | 1.1.0 |
| View and investigate restricted users | CMA_0545 - View and investigate restricted users | Manual, Disabled | 1.1.0 |

ID: 1512.11a2Organizational.8-11.a
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Alert personnel of information spillage | CMA_0007 - Alert personnel of information spillage | Manual, Disabled | 1.1.0 |
| Correlate audit records | CMA_0087 - Correlate audit records | Manual, Disabled | 1.1.0 |
| Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
| Document security operations | CMA_0202 - Document security operations | Manual, Disabled | 1.1.0 |
| Document wireless access security controls | CMA_C1695 - Document wireless access security controls | Manual, Disabled | 1.1.0 |
| Establish requirements for audit review and reporting | CMA_0277 - Establish requirements for audit review and reporting | Manual, Disabled | 1.1.0 |
| Integrate audit review, analysis, and reporting | CMA_0339 - Integrate audit review, analysis, and reporting | Manual, Disabled | 1.1.0 |
| Integrate cloud app security with a siem | CMA_0340 - Integrate cloud app security with a siem | Manual, Disabled | 1.1.0 |
| Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
| Review administrator assignments weekly | CMA_0461 - Review administrator assignments weekly | Manual, Disabled | 1.1.0 |
| Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
| Review cloud identity report overview | CMA_0468 - Review cloud identity report overview | Manual, Disabled | 1.1.0 |
| Review controlled folder access events | CMA_0471 - Review controlled folder access events | Manual, Disabled | 1.1.0 |
| Review file and folder activity | CMA_0473 - Review file and folder activity | Manual, Disabled | 1.1.0 |
| Review role group changes weekly | CMA_0476 - Review role group changes weekly | Manual, Disabled | 1.1.0 |
| Set automated notifications for new and trending cloud applications in your organization | CMA_0495 - Set automated notifications for new and trending cloud applications in your organization | Manual, Disabled | 1.1.0 |
| Turn on sensors for endpoint security solution | CMA_0514 - Turn on sensors for endpoint security solution | Manual, Disabled | 1.1.0 |

ID: 1515.11a3Organizational.3-11.a
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assess information security events | CMA_0013 - Assess information security events | Manual, Disabled | 1.1.0 |
| Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
| Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
| Develop security safeguards | CMA_0161 - Develop security safeguards | Manual, Disabled | 1.1.0 |
| Enable network protection | CMA_0238 - Enable network protection | Manual, Disabled | 1.1.0 |
| Eradicate contaminated information | CMA_0253 - Eradicate contaminated information | Manual, Disabled | 1.1.0 |
| Execute actions in response to information spills | CMA_0281 - Execute actions in response to information spills | Manual, Disabled | 1.1.0 |
| Identify classes of Incidents and Actions taken | CMA_C1365 - Identify classes of Incidents and Actions taken | Manual, Disabled | 1.1.0 |
| Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |
| Maintain incident response plan | CMA_0352 - Maintain incident response plan | Manual, Disabled | 1.1.0 |
| View and investigate restricted users | CMA_0545 - View and investigate restricted users | Manual, Disabled | 1.1.0 |

ID: 1516.11c1Organizational.12-11.c
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assess information security events | CMA_0013 - Assess information security events | Manual, Disabled | 1.1.0 |
| Conduct incident response testing | CMA_0060 - Conduct incident response testing | Manual, Disabled | 1.1.0 |
| Document security operations | CMA_0202 - Document security operations | Manual, Disabled | 1.1.0 |
| Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
| Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |
| Maintain data breach records | CMA_0351 - Maintain data breach records | Manual, Disabled | 1.1.0 |
| Maintain incident response plan | CMA_0352 - Maintain incident response plan | Manual, Disabled | 1.1.0 |
| Protect incident response plan | CMA_0405 - Protect incident response plan | Manual, Disabled | 1.1.0 |
| Provide information spillage training | CMA_0413 - Provide information spillage training | Manual, Disabled | 1.1.0 |
| Run simulation attacks | CMA_0486 - Run simulation attacks | Manual, Disabled | 1.1.0 |

ID: 1517.11c1Organizational.3-11.c
Ownership: Shared

ID: 1518.11c2Organizational.13-11.c
Ownership: Shared

ID: 1519.11c2Organizational.2-11.c
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Correlate audit records | CMA_0087 - Correlate audit records | Manual, Disabled | 1.1.0 |
| Document security operations | CMA_0202 - Document security operations | Manual, Disabled | 1.1.0 |
| Establish requirements for audit review and reporting | CMA_0277 - Establish requirements for audit review and reporting | Manual, Disabled | 1.1.0 |
| Integrate Audit record analysis | CMA_C1120 - Integrate Audit record analysis | Manual, Disabled | 1.1.0 |
| Integrate audit review, analysis, and reporting | CMA_0339 - Integrate audit review, analysis, and reporting | Manual, Disabled | 1.1.0 |
| Integrate cloud app security with a siem | CMA_0340 - Integrate cloud app security with a siem | Manual, Disabled | 1.1.0 |
| Provide capability to process customer-controlled audit records | CMA_C1126 - Provide capability to process customer-controlled audit records | Manual, Disabled | 1.1.0 |
| Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
| Review administrator assignments weekly | CMA_0461 - Review administrator assignments weekly | Manual, Disabled | 1.1.0 |
| Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
| Review cloud identity report overview | CMA_0468 - Review cloud identity report overview | Manual, Disabled | 1.1.0 |
| Review controlled folder access events | CMA_0471 - Review controlled folder access events | Manual, Disabled | 1.1.0 |
| Review file and folder activity | CMA_0473 - Review file and folder activity | Manual, Disabled | 1.1.0 |
| Review role group changes weekly | CMA_0476 - Review role group changes weekly | Manual, Disabled | 1.1.0 |

ID: 1520.11c2Organizational.4-11.c
Ownership: Shared

ID: 1521.11c2Organizational.56-11.c
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assess information security events | CMA_0013 - Assess information security events | Manual, Disabled | 1.1.0 |
| Conduct incident response testing | CMA_0060 - Conduct incident response testing | Manual, Disabled | 1.1.0 |
| Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
| Develop security safeguards | CMA_0161 - Develop security safeguards | Manual, Disabled | 1.1.0 |
| Enable network protection | CMA_0238 - Enable network protection | Manual, Disabled | 1.1.0 |
| Eradicate contaminated information | CMA_0253 - Eradicate contaminated information | Manual, Disabled | 1.1.0 |
| Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
| Execute actions in response to information spills | CMA_0281 - Execute actions in response to information spills | Manual, Disabled | 1.1.0 |
| Identify classes of Incidents and Actions taken | CMA_C1365 - Identify classes of Incidents and Actions taken | Manual, Disabled | 1.1.0 |
| Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |
| Implement Incident handling capability | CMA_C1367 - Implement Incident handling capability | Manual, Disabled | 1.1.0 |
| Incorporate simulated events into incident response training | CMA_C1356 - Incorporate simulated events into incident response training | Manual, Disabled | 1.1.0 |
| Maintain incident response plan | CMA_0352 - Maintain incident response plan | Manual, Disabled | 1.1.0 |
| Provide information spillage training | CMA_0413 - Provide information spillage training | Manual, Disabled | 1.1.0 |
| Run simulation attacks | CMA_0486 - Run simulation attacks | Manual, Disabled | 1.1.0 |
| View and investigate restricted users | CMA_0545 - View and investigate restricted users | Manual, Disabled | 1.1.0 |

ID: 1522.11c3Organizational.13-11.c
Ownership: Shared

ID: 1523.11c3Organizational.24-11.c
Ownership: Shared

ID: 1524.11a1Organizational.5-11.a
Ownership: Shared

ID: 1525.11a1Organizational.6-11.a
Ownership: Shared

ID: 1560.11d1Organizational.1-11.d
Ownership: Shared

ID: 1561.11d2Organizational.14-11.d
Ownership: Shared

ID: 1562.11d2Organizational.2-11.d
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Address information security issues | CMA_C1742 - Address information security issues | Manual, Disabled | 1.1.0 |
| Conduct incident response testing | CMA_0060 - Conduct incident response testing | Manual, Disabled | 1.1.0 |
| Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
| Develop contingency plan | CMA_C1244 - Develop contingency plan | Manual, Disabled | 1.1.0 |
| Develop security safeguards | CMA_0161 - Develop security safeguards | Manual, Disabled | 1.1.0 |
| Enable network protection | CMA_0238 - Enable network protection | Manual, Disabled | 1.1.0 |
| Eradicate contaminated information | CMA_0253 - Eradicate contaminated information | Manual, Disabled | 1.1.0 |
| Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
| Execute actions in response to information spills | CMA_0281 - Execute actions in response to information spills | Manual, Disabled | 1.1.0 |
| Identify classes of Incidents and Actions taken | CMA_C1365 - Identify classes of Incidents and Actions taken | Manual, Disabled | 1.1.0 |
| Run simulation attacks | CMA_0486 - Run simulation attacks | Manual, Disabled | 1.1.0 |
| View and investigate restricted users | CMA_0545 - View and investigate restricted users | Manual, Disabled | 1.1.0 |

ID: 1563.11d2Organizational.3-11.d
Ownership: Shared

ID: 1577.11aCSPOrganizational.1-11.a
Ownership: Shared

ID: 1587.11c2Organizational.10-11.c
Ownership: Shared

ID: 1589.11c1Organizational.5-11.c
Ownership: Shared

16 Business Continuity & Disaster Recovery

ID: 1601.12c1Organizational.1238-12.c
Ownership: Shared

ID: 1602.12c1Organizational.4567-12.c
Ownership: Shared

ID: 1603.12c1Organizational.9-12.c
Ownership: Shared

ID: 1604.12c2Organizational.16789-12.c
Ownership: Shared

ID: 1607.12c2Organizational.4-12.c
Ownership: Shared

ID: 1608.12c2Organizational.5-12.c
Ownership: Shared

ID: 1609.12c3Organizational.12-12.c
Ownership: Shared

ID: 1616.09l1Organizational.16-09.l
Ownership: Shared

ID: 1617.09l1Organizational.23-09.l
Ownership: Shared

ID: 1618.09l1Organizational.45-09.l
Ownership: Shared

ID: 1619.09l1Organizational.7-09.l
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Establish requirements for internet service providers | CMA_0278 - Establish requirements for internet service providers | Manual, Disabled | 1.1.0 |
| Geo-redundant backup should be enabled for Azure Database for MariaDB | Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide a recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |

ID: 1620.09l1Organizational.8-09.l
Ownership: Shared

ID: 1621.09l2Organizational.1-09.l
Ownership: Shared

ID: 1622.09l2Organizational.23-09.l
Ownership: Shared

ID: 1623.09l2Organizational.4-09.l
Ownership: Shared

ID: 1624.09l3Organizational.12-09.l
Ownership: Shared

ID: 1625.09l3Organizational.34-09.l
Ownership: Shared

ID: 1626.09l3Organizational.5-09.l
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Conduct backup of information system documentation | CMA_C1289 - Conduct backup of information system documentation | Manual, Disabled | 1.1.0 |
| Geo-redundant backup should be enabled for Azure Database for PostgreSQL | Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide a recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |

ID: 1627.09l3Organizational.6-09.l
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Geo-redundant backup should be enabled for Azure Database for MariaDB | Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide a recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
| Separately store backup information | CMA_C1293 - Separately store backup information | Manual, Disabled | 1.1.0 |

ID: 1634.12b1Organizational.1-12.b
Ownership: Shared

ID: 1635.12b1Organizational.2-12.b
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Key Vault Managed HSM should have purge protection enabled | Malicious deletion of an Azure Key Vault Managed HSM can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge Azure Key Vault Managed HSM. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted Azure Key Vault Managed HSM. No one inside your organization or Microsoft will be able to purge your Azure Key Vault Managed HSM during the soft delete retention period. | Audit, Deny, Disabled | 1.0.0 |
| Develop contingency plan | CMA_C1244 - Develop contingency plan | Manual, Disabled | 1.1.0 |
| Key vaults should have deletion protection enabled | Malicious deletion of a key vault can lead to permanent data loss. You can prevent permanent data loss by enabling purge protection and soft delete. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. Keep in mind that key vaults created after September 1st 2019 have soft-delete enabled by default. | Audit, Deny, Disabled | 2.1.0 |
| Perform a business impact assessment and application criticality assessment | CMA_0386 - Perform a business impact assessment and application criticality assessment | Manual, Disabled | 1.1.0 |
| Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
| Plan for resumption of essential business functions | CMA_C1253 - Plan for resumption of essential business functions | Manual, Disabled | 1.1.0 |
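
The two Key Vault policies in the table above describe a mechanism rather than a paper control, so an added example follows. It is not code from this page or from Microsoft: a small Python model of how soft delete and purge protection interact when a principal with purge rights tries to make a deletion permanent, and of how the Audit and Deny effects treat a vault whose enablePurgeProtection property is not true. The Vault class, the 90-day retention value, the scenario helpers and the evaluation function are illustrative assumptions; the check mirrors the policy description, not the built-in definition's actual JSON.

```python
from dataclasses import dataclass
from typing import Optional

RETENTION_DAYS = 90  # assumed soft-delete retention window for this model


@dataclass
class Vault:
    """Minimal stand-in for a Key Vault: only the fields the model needs."""
    name: str
    soft_delete: bool = True        # on by default for vaults created after 1 Sept 2019
    purge_protection: bool = False  # the property the policy above checks
    deleted_on_day: Optional[int] = None
    purged: bool = False


class PurgeBlocked(Exception):
    """Purge refused because purge protection enforces the retention period."""


def delete(vault: Vault, today: int) -> None:
    """Delete request: without soft delete the vault is gone immediately."""
    if vault.soft_delete:
        vault.deleted_on_day = today
    else:
        vault.purged = True


def purge(vault: Vault, today: int) -> None:
    """Explicit purge of a soft-deleted vault, the insider action the policy guards against."""
    if vault.deleted_on_day is None:
        raise ValueError(f"{vault.name} is not soft-deleted")
    retention_ends = vault.deleted_on_day + RETENTION_DAYS
    if vault.purge_protection and today < retention_ends:
        raise PurgeBlocked(f"{vault.name}: retained until day {retention_ends}")
    vault.purged = True  # allowed: either unprotected, or the retention period has ended


def recover(vault: Vault) -> bool:
    """Undo a soft delete; impossible once the vault has been purged."""
    if vault.purged or vault.deleted_on_day is None:
        return False
    vault.deleted_on_day = None
    return True


def insider_scenario(purge_protection: bool) -> str:
    """An insider deletes and purges on consecutive days; can the owner still recover?"""
    vault = Vault("kv-phi", purge_protection=purge_protection)  # constructed sample vault
    delete(vault, today=0)
    try:
        purge(vault, today=1)
    except PurgeBlocked:
        recover(vault)
        return "recovered"
    return "lost"


def evaluate_purge_protection_policy(resource: dict, effect: str) -> str:
    """Illustrative evaluation in the spirit of the rule (assumed shape, not the built-in JSON):
    applies to Microsoft.KeyVault/vaults; compliant only when enablePurgeProtection is true.
    Audit records the finding, Deny rejects the create/update, Disabled evaluates nothing."""
    if effect not in ("Audit", "Deny", "Disabled"):
        raise ValueError(f"unknown effect {effect!r}")
    if resource.get("type") != "Microsoft.KeyVault/vaults":
        return "not-applicable"
    if effect == "Disabled":
        return "skipped"
    if resource.get("properties", {}).get("enablePurgeProtection") is True:
        return "compliant"
    return "non-compliant" if effect == "Audit" else "denied"


if __name__ == "__main__":
    # Constructed sample resources shaped like ARM resource JSON (not real tenant data).
    weak = {"type": "Microsoft.KeyVault/vaults", "name": "kv-phi",
            "properties": {"enableSoftDelete": True}}
    hardened = {"type": "Microsoft.KeyVault/vaults", "name": "kv-phi",
                "properties": {"enableSoftDelete": True, "enablePurgeProtection": True}}
    print("without purge protection:", insider_scenario(False))  # lost
    print("with purge protection:   ", insider_scenario(True))   # recovered
    for effect in ("Audit", "Deny"):
        print(effect, "weak ->", evaluate_purge_protection_policy(weak, effect),
              "| hardened ->", evaluate_purge_protection_policy(hardened, effect))
```

Two things the model makes concrete. Soft delete alone leaves a window in which a purge makes the loss permanent; only purge protection closes it, and on a real vault the setting cannot be turned off once enabled, so it is a deliberate choice. An Audit assignment only records the finding in the compliance view, while Deny stops a non-compliant vault from being created or updated but does nothing to vaults that already exist; neither effect remediates, so existing vaults still need the property set.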

ID: 1636.12b2Organizational.1-12.b
Ownership: Shared

ID: 1637.12b2Organizational.2-12.b
Ownership: Shared

ID: 1638.12b2Organizational.345-12.b
Ownership: Shared

ID: 1666.12d1Organizational.1235-12.d
Ownership: Shared

ID: 1667.12d1Organizational.4-12.d
Ownership: Shared

ID: 1668.12d1Organizational.67-12.d
Ownership: Shared

ID: 1669.12d1Organizational.8-12.d
Ownership: Shared

ID: 1670.12d2Organizational.1-12.d
Ownership: Shared

ID: 1671.12d2Organizational.2-12.d
Ownership: Shared

ID: 1672.12d2Organizational.3-12.d
Ownership: Shared

1704.03b1Organizational.12-03.b 03.01 Risk Management Program
ID: 1704.03b1Organizational.12-03.b
Ownership: Shared

1705.03b2Organizational.12-03.b 03.01 Risk Management Program
ID: 1705.03b2Organizational.12-03.b
Ownership: Shared

1707.03c1Organizational.12-03.c 03.01 Risk Management Program
ID: 1707.03c1Organizational.12-03.c
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop POA&M | CMA_C1156 - Develop POA&M | Manual, Disabled | 1.1.0 |

1708.03c2Organizational.12-03.c 03.01 Risk Management Program
ID: 1708.03c2Organizational.12-03.c
Ownership: Shared

ID: 17100.10a3Organizational.5
Ownership: Shared

ID: 17101.10a3Organizational.6-10.a
Ownership: Shared

ID: 17120.10a3Organizational.5-10.a
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assess risk in third party relationships | CMA_0014 - Assess risk in third party relationships | Manual, Disabled | 1.1.0 |
| Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
| Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
| Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
| Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
| Obtain approvals for acquisitions and outsourcing | CMA_C1590 - Obtain approvals for acquisitions and outsourcing | Manual, Disabled | 1.1.0 |

17126.03c1System.6-03.c 03.01 Risk Management Program
ID: 17126.03c1System.6-03.c
Ownership: Shared

1713.03c1Organizational.3-03.c 03.01 Risk Management Program
ID: 1713.03c1Organizational.3-03.c
Ownership: Shared

1733.03d1Organizational.1-03.d 03.01 Risk Management Program
ID: 1733.03d1Organizational.1-03.d
Ownership: Shared

1734.03d2Organizational.1-03.d 03.01 Risk Management Program
ID: 1734.03d2Organizational.1-03.d
Ownership: Shared

1735.03d2Organizational.23-03.d 03.01 Risk Management Program
ID: 1735.03d2Organizational.23-03.d
Ownership: Shared

1736.03d2Organizational.4-03.d 03.01 Risk Management Program
ID: 1736.03d2Organizational.4-03.d
Ownership: Shared

1737.03d2Organizational.5-03.d 03.01 Risk Management Program
ID: 1737.03d2Organizational.5-03.d
Ownership: Shared

ID: 1780.10a1Organizational.1-10.a
Ownership: Shared

ID: 1781.10a1Organizational.23-10.a
Ownership: Shared

ID: 1782.10a1Organizational.4-10.a
Ownership: Shared

ID: 1783.10a1Organizational.56-10.a
Ownership: Shared

ID: 1784.10a1Organizational.7-10.a
Ownership: Shared

ID: 1785.10a1Organizational.8-10.a
Ownership: Shared

ID: 1786.10a1Organizational.9-10.a
Ownership: Shared

ID: 1787.10a2Organizational.1-10.a
Ownership: Shared

ID: 1788.10a2Organizational.2-10.a
Ownership: Shared

ID: 1789.10a2Organizational.3-10.a
Ownership: Shared

ID: 1790.10a2Organizational.45-10.a
Ownership: Shared

ID: 1791.10a2Organizational.6-10.a
Ownership: Shared

ID: 1792.10a2Organizational.7814-10.a
Ownership: Shared

ID: 1793.10a2Organizational.91011-10.a
Ownership: Shared

ID: 1794.10a2Organizational.12-10.a
Ownership: Shared

ID: 1795.10a2Organizational.13-10.a
Ownership: Shared

ID: 1796.10a2Organizational.15-10.a
Ownership: Shared

ID: 1797.10a3Organizational.1-10.a
Ownership: Shared

ID: 1798.10a3Organizational.2-10.a
Ownership: Shared

ID: 1799.10a3Organizational.34-10.a
Ownership: Shared

18 Physical & Environmental Security

1801.08b1Organizational.124-08.b 08.01 Secure Areas
ID: 1801.08b1Organizational.124-08.b
Ownership: Shared

1802.08b1Organizational.3-08.b 08.01 Secure Areas
ID: 1802.08b1Organizational.3-08.b
Ownership: Shared

1803.08b1Organizational.5-08.b 08.01 Secure Areas
ID: 1803.08b1Organizational.5-08.b
Ownership: Shared

1804.08b2Organizational.12-08.b 08.01 Secure Areas
ID: 1804.08b2Organizational.12-08.b
Ownership: Shared

1805.08b2Organizational.3-08.b 08.01 Secure Areas
ID: 1805.08b2Organizational.3-08.b
Ownership: Shared

1806.08b2Organizational.4-08.b 08.01 Secure Areas
ID: 1806.08b2Organizational.4-08.b
Ownership: Shared

1807.08b2Organizational.56-08.b 08.01 Secure Areas
ID: 1807.08b2Organizational.56-08.b
Ownership: Shared

1808.08b2Organizational.7-08.b 08.01 Secure Areas
ID: 1808.08b2Organizational.7-08.b
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
| Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
| Define a physical key management process | CMA_0115 - Define a physical key management process | Manual, Disabled | 1.1.0 |
| Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
| Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
| Review user accounts | CMA_0480 - Review user accounts | Manual, Disabled | 1.1.0 |
| Separate duties of individuals | CMA_0492 - Separate duties of individuals | Manual, Disabled | 1.1.0 |

1810.08b3Organizational.2-08.b 08.01 Secure Areas
ID: 1810.08b3Organizational.2-08.b
Ownership: Shared

18108.08j1Organizational.1-08.j 08.02 Equipment Security
ID: 18108.08j1Organizational.1-08.j
Ownership: Shared

18109.08j1Organizational.4-08.j 08.02 Equipment Security
ID: 18109.08j1Organizational.4-08.j
Ownership: Shared

1811.08b3Organizational.3-08.b 08.01 Secure Areas
ID: 1811.08b3Organizational.3-08.b
Ownership: Shared

18110.08j1Organizational.5-08.j 08.02 Equipment Security
ID: 18110.08j1Organizational.5-08.j
Ownership: Shared

18111.08j1Organizational.6-08.j 08.02 Equipment Security
ID: 18111.08j1Organizational.6-08.j
Ownership: Shared

18112.08j3Organizational.4-08.j 08.02 Equipment Security
ID: 18112.08j3Organizational.4-08.j
Ownership: Shared

1812.08b3Organizational.46-08.b 08.01 Secure Areas
ID: 1812.08b3Organizational.46-08.b
Ownership: Shared

18127.08l1Organizational.3-08.l 08.02 Equipment Security
ID: 18127.08l1Organizational.3-08.l
Ownership: Shared

1813.08b3Organizational.56-08.b 08.01 Secure Areas
ID: 1813.08b3Organizational.56-08.b
Ownership: Shared

ID: 18130.09p1Organizational.24-09.p
Ownership: Shared

1814.08d1Organizational.12-08.d 08.01 Secure Areas
ID: 1814.08d1Organizational.12-08.d
Ownership: Shared

18145.08b3Organizational.7-08.b 08.01 Secure Areas
ID: 18145.08b3Organizational.7-08.b
Ownership: Shared

18146.08b3Organizational.8-08.b 08.01 Secure Areas
ID: 18146.08b3Organizational.8-08.b
Ownership: Shared

1815.08d2Organizational.123-08.d 08.01 Secure Areas
ID: 1815.08d2Organizational.123-08.d
Ownership: Shared

1816.08d2Organizational.4-08.d 08.01 Secure Areas
ID: 1816.08d2Organizational.4-08.d
Ownership: Shared

1817.08d3Organizational.12-08.d 08.01 Secure Areas
ID: 1817.08d3Organizational.12-08.d
Ownership: Shared

1818.08d3Organizational.3-08.d 08.01 Secure Areas
ID: 1818.08d3Organizational.3-08.d
Ownership: Shared

1819.08j1Organizational.23-08.j 08.02 Equipment Security
ID: 1819.08j1Organizational.23-08.j
Ownership: Shared

1820.08j2Organizational.1-08.j 08.02 Equipment Security
ID: 1820.08j2Organizational.1-08.j
Ownership: Shared

1821.08j2Organizational.3-08.j 08.02 Equipment Security
ID: 1821.08j2Organizational.3-08.j
Ownership: Shared

1822.08j2Organizational.2-08.j 08.02 Equipment Security
ID: 1822.08j2Organizational.2-08.j
Ownership: Shared

1823.08j3Organizational.12-08.j 08.02 Equipment Security
ID: 1823.08j3Organizational.12-08.j
Ownership: Shared

1824.08j3Organizational.3-08.j 08.02 Equipment Security
ID: 1824.08j3Organizational.3-08.j
Ownership: Shared

ID: 1826.09p1Organizational.1-09.p
Ownership: Shared

1844.08b1Organizational.6-08.b 08.01 Secure Areas
ID: 1844.08b1Organizational.6-08.b
Ownership: Shared

1845.08b1Organizational.7-08.b 08.01 Secure Areas
ID: 1845.08b1Organizational.7-08.b
Ownership: Shared

1846.08b2Organizational.8-08.b 08.01 Secure Areas
ID: 1846.08b2Organizational.8-08.b
Ownership: Shared

1847.08b2Organizational.910-08.b 08.01 Secure Areas
ID: 1847.08b2Organizational.910-08.b
Ownership: Shared

1848.08b2Organizational.11-08.b 08.01 Secure Areas
ID: 1848.08b2Organizational.11-08.b
Ownership: Shared

1862.08d1Organizational.3-08.d 08.01 Secure Areas
ID: 1862.08d1Organizational.3-08.d
Ownership: Shared

1862.08d3Organizational.3 08.01 Secure Areas
ID: 1862.08d3Organizational.3
Ownership: Shared

1892.01l1Organizational.1 01.04 Network Access Control
ID: 1892.01l1Organizational.1
Ownership: Shared

19 Data Protection & Privacy

1901.06d1Organizational.1-06.d 06.01 Compliance with Legal Requirements
ID: 1901.06d1Organizational.1-06.d
Ownership: Shared

1902.06d1Organizational.2-06.d 06.01 Compliance with Legal Requirements
ID: 1902.06d1Organizational.2-06.d
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Define the duties of processors | CMA_0127 - Define the duties of processors | Manual, Disabled | 1.1.0 |
| Document and distribute a privacy policy | CMA_0188 - Document and distribute a privacy policy | Manual, Disabled | 1.1.0 |
| Implement privacy notice delivery methods | CMA_0324 - Implement privacy notice delivery methods | Manual, Disabled | 1.1.0 |
| Keep accurate accounting of disclosures of information | CMA_C1818 - Keep accurate accounting of disclosures of information | Manual, Disabled | 1.1.0 |
| Make accounting of disclosures available upon request | CMA_C1820 - Make accounting of disclosures available upon request | Manual, Disabled | 1.1.0 |
| Obtain consent prior to collection or processing of personal data | CMA_0385 - Obtain consent prior to collection or processing of personal data | Manual, Disabled | 1.1.0 |
| Provide privacy notice | CMA_0414 - Provide privacy notice | Manual, Disabled | 1.1.0 |
| Record disclosures of PII to third parties | CMA_0422 - Record disclosures of PII to third parties | Manual, Disabled | 1.1.0 |
| Restrict communications | CMA_0449 - Restrict communications | Manual, Disabled | 1.1.0 |
| Retain accounting of disclosures of information | CMA_C1819 - Retain accounting of disclosures of information | Manual, Disabled | 1.1.0 |
| Train staff on PII sharing and its consequences | CMA_C1871 - Train staff on PII sharing and its consequences | Manual, Disabled | 1.1.0 |
1903.06d1Organizational.3456711-06.d 06.01 Compliance with Legal Requirements
ID : 1903.06d1Organizational.3456711-06.d
Ownership : Shared
Expand table
1904.06.d2Organizational.1-06.d 06.01 Compliance with Legal Requirements
ID : 1904.06.d2Organizational.1-06.d
Ownership : Shared
1906.06.c1Organizational.2-06.c 06.01 Compliance with Legal Requirements
ID : 1906.06.c1Organizational.2-06.c
Ownership : Shared
1907.06.c1Organizational.3-06.c 06.01 Compliance with Legal Requirements
ID : 1907.06.c1Organizational.3-06.c
Ownership : Shared
1908.06.c1Organizational.4-06.c 06.01 Compliance with Legal Requirements
ID : 1908.06.c1Organizational.4-06.c
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adhere to retention periods defined | CMA_0004 - Adhere to retention periods defined | Manual, Disabled | 1.1.0 |
| Conduct backup of information system documentation | CMA_C1289 - Conduct backup of information system documentation | Manual, Disabled | 1.1.0 |
| Establish backup policies and procedures | CMA_0268 - Establish backup policies and procedures | Manual, Disabled | 1.1.0 |
| Keep SORNs updated | CMA_C1863 - Keep SORNs updated | Manual, Disabled | 1.1.0 |
| Make SORNs available publicly | CMA_C1865 - Make SORNs available publicly | Manual, Disabled | 1.1.0 |
| Manage the input, output, processing, and storage of data | CMA_0369 - Manage the input, output, processing, and storage of data | Manual, Disabled | 1.1.0 |
| Provide formal notice to individuals | CMA_C1864 - Provide formal notice to individuals | Manual, Disabled | 1.1.0 |
| Publish SORNs for systems containing PII | CMA_C1862 - Publish SORNs for systems containing PII | Manual, Disabled | 1.1.0 |
| Retain security policies and procedures | CMA_0454 - Retain security policies and procedures | Manual, Disabled | 1.1.0 |
| Retain terminated user data | CMA_0455 - Retain terminated user data | Manual, Disabled | 1.1.0 |
| Review label activity and analytics | CMA_0474 - Review label activity and analytics | Manual, Disabled | 1.1.0 |
1911.06d1Organizational.13-06.d 06.01 Compliance with Legal Requirements
ID : 1911.06d1Organizational.13-06.d
Ownership : Shared
19134.05j1Organizational.5-05.j 05.02 External Parties
ID : 19134.05j1Organizational.5-05.j
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Appoint a senior information security officer | CMA_C1733 - Appoint a senior information security officer | Manual, Disabled | 1.1.0 |
| Designate authorized personnel to post publicly accessible information | CMA_C1083 - Designate authorized personnel to post publicly accessible information | Manual, Disabled | 1.1.0 |
| Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0 |
| Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0 |
| Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0 |
| Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0 |
| Information security and personal data protection | CMA_0332 - Information security and personal data protection | Manual, Disabled | 1.1.0 |
| Manage compliance activities | CMA_0358 - Manage compliance activities | Manual, Disabled | 1.1.0 |
| Review content prior to posting publicly accessible information | CMA_C1085 - Review content prior to posting publicly accessible information | Manual, Disabled | 1.1.0 |
| Review publicly accessible content for nonpublic information | CMA_C1086 - Review publicly accessible content for nonpublic information | Manual, Disabled | 1.1.0 |
| Train personnel on disclosure of nonpublic information | CMA_C1084 - Train personnel on disclosure of nonpublic information | Manual, Disabled | 1.1.0 |
| Update privacy plan, policies, and procedures | CMA_C1807 - Update privacy plan, policies, and procedures | Manual, Disabled | 1.1.0 |
19141.06c1Organizational.7-06.c 06.01 Compliance with Legal Requirements
ID : 19141.06c1Organizational.7-06.c
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Conduct backup of information system documentation | CMA_C1289 - Conduct backup of information system documentation | Manual, Disabled | 1.1.0 |
| Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
| Establish backup policies and procedures | CMA_0268 - Establish backup policies and procedures | Manual, Disabled | 1.1.0 |
| Implement transaction based recovery | CMA_C1296 - Implement transaction based recovery | Manual, Disabled | 1.1.0 |
| Manage the input, output, processing, and storage of data | CMA_0369 - Manage the input, output, processing, and storage of data | Manual, Disabled | 1.1.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Review label activity and analytics | CMA_0474 - Review label activity and analytics | Manual, Disabled | 1.1.0 |
| Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
19142.06c1Organizational.8-06.c 06.01 Compliance with Legal Requirements
ID : 19142.06c1Organizational.8-06.c
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adhere to retention periods defined | CMA_0004 - Adhere to retention periods defined | Manual, Disabled | 1.1.0 |
| Control use of portable storage devices | CMA_0083 - Control use of portable storage devices | Manual, Disabled | 1.1.0 |
| Manage the input, output, processing, and storage of data | CMA_0369 - Manage the input, output, processing, and storage of data | Manual, Disabled | 1.1.0 |
| Perform disposition review | CMA_0391 - Perform disposition review | Manual, Disabled | 1.1.0 |
| Restrict media use | CMA_0450 - Restrict media use | Manual, Disabled | 1.1.0 |
| Retain security policies and procedures | CMA_0454 - Retain security policies and procedures | Manual, Disabled | 1.1.0 |
| Retain terminated user data | CMA_0455 - Retain terminated user data | Manual, Disabled | 1.1.0 |
| Review label activity and analytics | CMA_0474 - Review label activity and analytics | Manual, Disabled | 1.1.0 |
| Verify personal data is deleted at the end of processing | CMA_0540 - Verify personal data is deleted at the end of processing | Manual, Disabled | 1.1.0 |
19143.06c1Organizational.9-06.c 06.01 Compliance with Legal Requirements
ID : 19143.06c1Organizational.9-06.c
Ownership : Shared
19144.06c2Organizational.1-06.c 06.01 Compliance with Legal Requirements
ID : 19144.06c2Organizational.1-06.c
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adhere to retention periods defined | CMA_0004 - Adhere to retention periods defined | Manual, Disabled | 1.1.0 |
| Manage the input, output, processing, and storage of data | CMA_0369 - Manage the input, output, processing, and storage of data | Manual, Disabled | 1.1.0 |
| Perform disposition review | CMA_0391 - Perform disposition review | Manual, Disabled | 1.1.0 |
| Retain security policies and procedures | CMA_0454 - Retain security policies and procedures | Manual, Disabled | 1.1.0 |
| Retain terminated user data | CMA_0455 - Retain terminated user data | Manual, Disabled | 1.1.0 |
| Review label activity and analytics | CMA_0474 - Review label activity and analytics | Manual, Disabled | 1.1.0 |
| Verify personal data is deleted at the end of processing | CMA_0540 - Verify personal data is deleted at the end of processing | Manual, Disabled | 1.1.0 |
19145.06c2Organizational.2-06.c 06.01 Compliance with Legal Requirements
ID : 19145.06c2Organizational.2-06.c
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adhere to retention periods defined | CMA_0004 - Adhere to retention periods defined | Manual, Disabled | 1.1.0 |
| Conduct backup of information system documentation | CMA_C1289 - Conduct backup of information system documentation | Manual, Disabled | 1.1.0 |
| Manage the input, output, processing, and storage of data | CMA_0369 - Manage the input, output, processing, and storage of data | Manual, Disabled | 1.1.0 |
| Perform disposition review | CMA_0391 - Perform disposition review | Manual, Disabled | 1.1.0 |
| Retain security policies and procedures | CMA_0454 - Retain security policies and procedures | Manual, Disabled | 1.1.0 |
| Retain terminated user data | CMA_0455 - Retain terminated user data | Manual, Disabled | 1.1.0 |
| Review label activity and analytics | CMA_0474 - Review label activity and analytics | Manual, Disabled | 1.1.0 |
| Verify personal data is deleted at the end of processing | CMA_0540 - Verify personal data is deleted at the end of processing | Manual, Disabled | 1.1.0 |
19242.06d1Organizational.14-06.d 06.01 Compliance with Legal Requirements
ID : 19242.06d1Organizational.14-06.d
Ownership : Shared
19243.06d1Organizational.15-06.d 06.01 Compliance with Legal Requirements
ID : 19243.06d1Organizational.15-06.d
Ownership : Shared
19245.06d2Organizational.2-06.d 06.01 Compliance with Legal Requirements
ID : 19245.06d2Organizational.2-06.d
Ownership : Shared
Additional articles about Azure Policy: