Azure Government compliance

Microsoft Azure Government meets demanding US government compliance requirements that mandate formal assessments and authorizations, including:

Azure Government maintains the following authorizations that pertain to Azure Government regions US Gov Arizona, US Gov Texas, and US Gov Virginia:

  • FedRAMP High Provisional Authorization to Operate (P-ATO) issued by the FedRAMP Joint Authorization Board (JAB)
  • DoD IL2 Provisional Authorization (PA) issued by the Defense Information Systems Agency (DISA)
  • DoD IL4 PA issued by DISA
  • DoD IL5 PA issued by DISA

For links to extra Azure Government compliance assurances, see Azure compliance. For example, Azure Government can help you meet your compliance obligations with many US government requirements, including:

For current Azure Government regions and available services, see Products available by region.

Services in audit scope

For a detailed list of Azure, Dynamics 365, Microsoft 365, and Power Platform services in FedRAMP and DoD compliance audit scope, see:

Audit documentation

You can access Azure and Azure Government audit reports and related documentation from the Service Trust Portal (STP) in the following sections:

  • STP Audit Reports, which has a subsection for FedRAMP Reports.
  • STP Data Protection Resources, which is further divided into Compliance Guides, FAQ and White Papers, and Pen Test and Security Assessments subsections.

You must sign in to access audit reports on the STP. For more information, see Get started with the Microsoft Service Trust Portal.

Alternatively, you can access certain audit reports and certificates in the Azure or Azure Government portal by navigating to Home > Security Center > Regulatory compliance > Audit reports or using direct links based on your subscription (sign in required):

You must have an existing subscription or free trial account in Azure or Azure Government to download audit documents.

Azure Policy regulatory compliance built-in initiatives

For extra customer assistance, Microsoft provides Azure Policy regulatory compliance built-in initiatives, which map to compliance domains and controls in key US government standards, including:

For more regulatory compliance built-in initiatives that pertain to Azure Government, see Azure Policy samples.

Regulatory compliance in Azure Policy provides built-in initiative definitions to view a list of the controls and compliance domains based on responsibility – customer, Microsoft, or shared. For Microsoft-responsible controls, we provide extra audit result details based on third-party attestations and our control implementation details to achieve that compliance. Each control is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, compliance in Azure Policy is only a partial view of your overall compliance status. Azure Policy helps to enforce organizational standards and assess compliance at scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to more granular status.
