Details of the HIPAA HITRUST 9.2 Regulatory Compliance built-in initiative

Article
04/17/2024

The following article details how the Azure Policy Regulatory Compliance built-in initiative definition maps to compliance domains and controls in HIPAA HITRUST 9.2. For more information about this compliance standard, see HIPAA HITRUST 9.2. To understand Ownership, see Azure Policy policy definition and Shared responsibility in the cloud.

The following mappings are to the HIPAA HITRUST 9.2 controls. Many of the controls are implemented with an Azure Policy initiative definition. To review the complete initiative definition, open Policy in the Azure portal and select the Definitions page. Then, find and select the HITRUST/HIPAA Regulatory Compliance built-in initiative definition.

Important

Each control below is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, there often is not a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policy definitions themselves; this doesn't ensure you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between compliance domains, controls, and Azure Policy definitions for this compliance standard may change over time. To view the change history, see the GitHub Commit History.

Privilege Management

ID: 1149.01c2System.9 - 01.c Ownership: Customer

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Azure Role-Based Access Control (RBAC) should be used on Kubernetes Services	To provide granular filtering on the actions that users can perform, use Azure Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies.	Audit, Disabled	1.0.3

Contractors are provided with minimal system and physical access only after the organization assesses the contractor's ability to comply with its security requirements and the contractor agrees to comply.

ID: 1154.01c3System.4 - 01.c Ownership: Customer

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
A maximum of 3 owners should be designated for your subscription	It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner.	AuditIfNotExists, Disabled	3.0.0

User Authentication for External Connections

Remote access by vendors and business partners (e.g., for remote maintenance) is disabled/deactivated when not in use.

ID: 1117.01j1Organizational.23 - 01.j Ownership: Customer

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Accounts with write permissions on Azure resources should be MFA enabled	Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.	AuditIfNotExists, Disabled	1.0.0

If encryption is not used for dial-up connections, the CIO or his/her designated representative provides specific written authorization.

ID: 1173.01j1Organizational.6 - 01.j Ownership: Customer

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Accounts with write permissions on Azure resources should be MFA enabled	Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.	AuditIfNotExists, Disabled	1.0.0

The organization protects wireless access to systems containing sensitive information by authenticating both users and devices.

ID: 1174.01j1Organizational.7 - 01.j Ownership: Customer

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Accounts with read permissions on Azure resources should be MFA enabled	Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.	AuditIfNotExists, Disabled	1.0.0

The organization requires a callback capability with re-authentication to verify dial-up connections from authorized locations.

ID: 1176.01j2Organizational.5 - 01.j Ownership: Customer

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Accounts with owner permissions on Azure resources should be MFA enabled	Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.	AuditIfNotExists, Disabled	1.0.0

User IDs assigned to vendors are reviewed in accordance with the organization's access review policy, at a minimum annually.

ID: 1177.01j2Organizational.6 - 01.j Ownership: Customer

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Accounts with write permissions on Azure resources should be MFA enabled	Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.	AuditIfNotExists, Disabled	1.0.0

User Identification and Authentication

Non-organizational users (all information system users other than organizational users, such as patients, customers, contractors, or foreign nationals), or processes acting on behalf of non-organizational users, determined to need access to information residing on the organization's information systems, are uniquely identified and authenticated.

ID: 11110.01q1Organizational.6 - 01.q Ownership: Customer

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Accounts with write permissions on Azure resources should be MFA enabled	Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.	AuditIfNotExists, Disabled	1.0.0

The organization requires that electronic signatures, unique to one individual, cannot be reused by, or reassigned to, anyone else.

ID: 11208.01q1Organizational.8 - 01.q Ownership: Customer

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
There should be more than one owner assigned to your subscription	It is recommended to designate more than one subscription owner in order to have administrator access redundancy.	AuditIfNotExists, Disabled	3.0.0

Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records.

ID: 11210.01q2Organizational.10 - 01.q Ownership: Customer

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Audit Windows machines that have the specified members in the Administrators group	Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter.	auditIfNotExists	2.0.0

Signed electronic records shall contain information associated with the signing in human-readable format.

ID: 11211.01q2Organizational.11 - 01.q Ownership: Customer

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Audit Windows machines missing any of specified members in the Administrators group	Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group does not contain one or more members that are listed in the policy parameter.	auditIfNotExists	2.0.0

01 Information Protection Program

0101.00a1Organizational.123-00.a 0.01 Information Security Management Program

ID: 0101.00a1Organizational.123-00.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Develop a concept of operations (CONOPS)	CMA_0141 - Develop a concept of operations (CONOPS)	Manual, Disabled	1.1.0
Establish an information security program	CMA_0263 - Establish an information security program	Manual, Disabled	1.1.0
Protect the information security program plan	CMA_C1732 - Protect the information security program plan	Manual, Disabled	1.1.0
Review and update the information security architecture	CMA_C1504 - Review and update the information security architecture	Manual, Disabled	1.1.0
Update information security policies	CMA_0518 - Update information security policies	Manual, Disabled	1.1.0

0102.00a2Organizational.123-00.a 0.01 Information Security Management Program

ID: 0102.00a2Organizational.123-00.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Establish an information security program	CMA_0263 - Establish an information security program	Manual, Disabled	1.1.0
Review and update the information security architecture	CMA_C1504 - Review and update the information security architecture	Manual, Disabled	1.1.0
Update information security policies	CMA_0518 - Update information security policies	Manual, Disabled	1.1.0

0103.00a3Organizational.1234567-00.a 0.01 Information Security Management Program

ID: 0103.00a3Organizational.1234567-00.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Develop and establish a system security plan	CMA_0151 - Develop and establish a system security plan	Manual, Disabled	1.1.0
Establish security requirements for the manufacturing of connected devices	CMA_0279 - Establish security requirements for the manufacturing of connected devices	Manual, Disabled	1.1.0
Implement security engineering principles of information systems	CMA_0325 - Implement security engineering principles of information systems	Manual, Disabled	1.1.0

0104.02a1Organizational.12-02.a 02.01 Prior to Employment

ID: 0104.02a1Organizational.12-02.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Define information security roles and responsibilities	CMA_C1565 - Define information security roles and responsibilities	Manual, Disabled	1.1.0
Develop acceptable use policies and procedures	CMA_0143 - Develop acceptable use policies and procedures	Manual, Disabled	1.1.0
Develop organization code of conduct policy	CMA_0159 - Develop organization code of conduct policy	Manual, Disabled	1.1.0
Document personnel acceptance of privacy requirements	CMA_0193 - Document personnel acceptance of privacy requirements	Manual, Disabled	1.1.0
Enforce rules of behavior and access agreements	CMA_0248 - Enforce rules of behavior and access agreements	Manual, Disabled	1.1.0
Identify individuals with security roles and responsibilities	CMA_C1566 - Identify individuals with security roles and responsibilities	Manual, Disabled	1.1.1
Prohibit unfair practices	CMA_0396 - Prohibit unfair practices	Manual, Disabled	1.1.0
Provide periodic role-based security training	CMA_C1095 - Provide periodic role-based security training	Manual, Disabled	1.1.0
Provide role-based security training	CMA_C1094 - Provide role-based security training	Manual, Disabled	1.1.0
Provide security training before providing access	CMA_0418 - Provide security training before providing access	Manual, Disabled	1.1.0
Review and sign revised rules of behavior	CMA_0465 - Review and sign revised rules of behavior	Manual, Disabled	1.1.0
Update information security policies	CMA_0518 - Update information security policies	Manual, Disabled	1.1.0
Update rules of behavior and access agreements	CMA_0521 - Update rules of behavior and access agreements	Manual, Disabled	1.1.0
Update rules of behavior and access agreements every 3 years	CMA_0522 - Update rules of behavior and access agreements every 3 years	Manual, Disabled	1.1.0

0105.02a2Organizational.1-02.a 02.01 Prior to Employment

ID: 0105.02a2Organizational.1-02.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Assign risk designations	CMA_0016 - Assign risk designations	Manual, Disabled	1.1.0
Clear personnel with access to classified information	CMA_0054 - Clear personnel with access to classified information	Manual, Disabled	1.1.0
Implement personnel screening	CMA_0322 - Implement personnel screening	Manual, Disabled	1.1.0
Monitor third-party provider compliance	CMA_C1533 - Monitor third-party provider compliance	Manual, Disabled	1.1.0
Protect special information	CMA_0409 - Protect special information	Manual, Disabled	1.1.0
Rescreen individuals at a defined frequency	CMA_C1512 - Rescreen individuals at a defined frequency	Manual, Disabled	1.1.0

0106.02a2Organizational.23-02.a 02.01 Prior to Employment

ID: 0106.02a2Organizational.23-02.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Clear personnel with access to classified information	CMA_0054 - Clear personnel with access to classified information	Manual, Disabled	1.1.0
Implement personnel screening	CMA_0322 - Implement personnel screening	Manual, Disabled	1.1.0
Protect special information	CMA_0409 - Protect special information	Manual, Disabled	1.1.0
Rescreen individuals at a defined frequency	CMA_C1512 - Rescreen individuals at a defined frequency	Manual, Disabled	1.1.0

0107.02d1Organizational.1-02.d 02.03 During Employment

ID: 0107.02d1Organizational.1-02.d Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Establish information security workforce development and improvement program	CMA_C1752 - Establish information security workforce development and improvement program	Manual, Disabled	1.1.0

0108.02d1Organizational.23-02.d 02.03 During Employment

ID: 0108.02d1Organizational.23-02.d Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Document security and privacy training activities	CMA_0198 - Document security and privacy training activities	Manual, Disabled	1.1.0
Implement security testing, training, and monitoring plans	CMA_C1753 - Implement security testing, training, and monitoring plans	Manual, Disabled	1.1.0
Monitor security and privacy training completion	CMA_0379 - Monitor security and privacy training completion	Manual, Disabled	1.1.0
Provide periodic role-based security training	CMA_C1095 - Provide periodic role-based security training	Manual, Disabled	1.1.0
Provide security training before providing access	CMA_0418 - Provide security training before providing access	Manual, Disabled	1.1.0
Require developers to provide training	CMA_C1611 - Require developers to provide training	Manual, Disabled	1.1.0
Retain training records	CMA_0456 - Retain training records	Manual, Disabled	1.1.0
Review security testing, training, and monitoring plans	CMA_C1754 - Review security testing, training, and monitoring plans	Manual, Disabled	1.1.0

0109.02d1Organizational.4-02.d 02.03 During Employment

ID: 0109.02d1Organizational.4-02.d Ownership: Shared

0110.02d2Organizational.1-02.d 02.03 During Employment

ID: 0110.02d2Organizational.1-02.d Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Appoint a senior information security officer	CMA_C1733 - Appoint a senior information security officer	Manual, Disabled	1.1.0
Establish information security workforce development and improvement program	CMA_C1752 - Establish information security workforce development and improvement program	Manual, Disabled	1.1.0

0111.02d2Organizational.2-02.d 02.03 During Employment

ID: 0111.02d2Organizational.2-02.d Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Document third-party personnel security requirements	CMA_C1531 - Document third-party personnel security requirements	Manual, Disabled	1.1.0
Establish third-party personnel security requirements	CMA_C1529 - Establish third-party personnel security requirements	Manual, Disabled	1.1.0
Monitor third-party provider compliance	CMA_C1533 - Monitor third-party provider compliance	Manual, Disabled	1.1.0
Provide periodic security awareness training	CMA_C1091 - Provide periodic security awareness training	Manual, Disabled	1.1.0
Provide security awareness training for insider threats	CMA_0417 - Provide security awareness training for insider threats	Manual, Disabled	1.1.0
Provide security training for new users	CMA_0419 - Provide security training for new users	Manual, Disabled	1.1.0
Provide updated security awareness training	CMA_C1090 - Provide updated security awareness training	Manual, Disabled	1.1.0
Require notification of third-party personnel transfer or termination	CMA_C1532 - Require notification of third-party personnel transfer or termination	Manual, Disabled	1.1.0
Require third-party providers to comply with personnel security policies and procedures	CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures	Manual, Disabled	1.1.0

01110.05a1Organizational.5-05.a 05.01 Internal Organization

ID: 01110.05a1Organizational.5-05.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Appoint a senior information security officer	CMA_C1733 - Appoint a senior information security officer	Manual, Disabled	1.1.0
Document third-party personnel security requirements	CMA_C1531 - Document third-party personnel security requirements	Manual, Disabled	1.1.0
Establish third-party personnel security requirements	CMA_C1529 - Establish third-party personnel security requirements	Manual, Disabled	1.1.0
Require third-party providers to comply with personnel security policies and procedures	CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures	Manual, Disabled	1.1.0

01111.05a2Organizational.5-05.a 05.01 Internal Organization

ID: 01111.05a2Organizational.5-05.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Appoint a senior information security officer	CMA_C1733 - Appoint a senior information security officer	Manual, Disabled	1.1.0

0112.02d2Organizational.3-02.d 02.03 During Employment

ID: 0112.02d2Organizational.3-02.d Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Develop acceptable use policies and procedures	CMA_0143 - Develop acceptable use policies and procedures	Manual, Disabled	1.1.0
Enforce appropriate usage of all accounts	CMA_C1023 - Enforce appropriate usage of all accounts	Manual, Disabled	1.1.0
Enforce rules of behavior and access agreements	CMA_0248 - Enforce rules of behavior and access agreements	Manual, Disabled	1.1.0
Establish usage restrictions for mobile code technologies	CMA_C1652 - Establish usage restrictions for mobile code technologies	Manual, Disabled	1.1.0
Monitor account activity	CMA_0377 - Monitor account activity	Manual, Disabled	1.1.0
Require compliance with intellectual property rights	CMA_0432 - Require compliance with intellectual property rights	Manual, Disabled	1.1.0
Track software license usage	CMA_C1235 - Track software license usage	Manual, Disabled	1.1.0

0113.04a1Organizational.123-04.a 04.01 Information Security Policy

ID: 0113.04a1Organizational.123-04.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Establish an information security program	CMA_0263 - Establish an information security program	Manual, Disabled	1.1.0
Protect the information security program plan	CMA_C1732 - Protect the information security program plan	Manual, Disabled	1.1.0
Update information security policies	CMA_0518 - Update information security policies	Manual, Disabled	1.1.0

0114.04b1Organizational.1-04.b 04.01 Information Security Policy

ID: 0114.04b1Organizational.1-04.b Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Develop audit and accountability policies and procedures	CMA_0154 - Develop audit and accountability policies and procedures	Manual, Disabled	1.1.0
Develop information security policies and procedures	CMA_0158 - Develop information security policies and procedures	Manual, Disabled	1.1.0
Enforce mandatory and discretionary access control policies	CMA_0246 - Enforce mandatory and discretionary access control policies	Manual, Disabled	1.1.0
Establish an information security program	CMA_0263 - Establish an information security program	Manual, Disabled	1.1.0
Govern policies and procedures	CMA_0292 - Govern policies and procedures	Manual, Disabled	1.1.0
Review access control policies and procedures	CMA_0457 - Review access control policies and procedures	Manual, Disabled	1.1.0
Review and update system and services acquisition policies and procedures	CMA_C1560 - Review and update system and services acquisition policies and procedures	Manual, Disabled	1.1.0
Review and update system maintenance policies and procedures	CMA_C1395 - Review and update system maintenance policies and procedures	Manual, Disabled	1.1.0
Update information security policies	CMA_0518 - Update information security policies	Manual, Disabled	1.1.0

0115.04b2Organizational.123-04.b 04.01 Information Security Policy

ID: 0115.04b2Organizational.123-04.b Ownership: Shared

0116.04b3Organizational.1-04.b 04.01 Information Security Policy

ID: 0116.04b3Organizational.1-04.b Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Review and update configuration management policies and procedures	CMA_C1175 - Review and update configuration management policies and procedures	Manual, Disabled	1.1.0
Review and update information integrity policies and procedures	CMA_C1667 - Review and update information integrity policies and procedures	Manual, Disabled	1.1.0
Review and update planning policies and procedures	CMA_C1491 - Review and update planning policies and procedures	Manual, Disabled	1.1.0
Review and update system maintenance policies and procedures	CMA_C1395 - Review and update system maintenance policies and procedures	Manual, Disabled	1.1.0

0117.05a1Organizational.1-05.a 05.01 Internal Organization

ID: 0117.05a1Organizational.1-05.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Appoint a senior information security officer	CMA_C1733 - Appoint a senior information security officer	Manual, Disabled	1.1.0

0118.05a1Organizational.2-05.a 05.01 Internal Organization

ID: 0118.05a1Organizational.2-05.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Appoint a senior information security officer	CMA_C1733 - Appoint a senior information security officer	Manual, Disabled	1.1.0
Develop and establish a system security plan	CMA_0151 - Develop and establish a system security plan	Manual, Disabled	1.1.0
Establish a privacy program	CMA_0257 - Establish a privacy program	Manual, Disabled	1.1.0
Establish an information security program	CMA_0263 - Establish an information security program	Manual, Disabled	1.1.0
Establish information security workforce development and improvement program	CMA_C1752 - Establish information security workforce development and improvement program	Manual, Disabled	1.1.0
Establish security requirements for the manufacturing of connected devices	CMA_0279 - Establish security requirements for the manufacturing of connected devices	Manual, Disabled	1.1.0
Implement security engineering principles of information systems	CMA_0325 - Implement security engineering principles of information systems	Manual, Disabled	1.1.0
Update information security policies	CMA_0518 - Update information security policies	Manual, Disabled	1.1.0

0119.05a1Organizational.3-05.a 05.01 Internal Organization

ID: 0119.05a1Organizational.3-05.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Develop and establish a system security plan	CMA_0151 - Develop and establish a system security plan	Manual, Disabled	1.1.0
Develop information security policies and procedures	CMA_0158 - Develop information security policies and procedures	Manual, Disabled	1.1.0
Develop SSP that meets criteria	CMA_C1492 - Develop SSP that meets criteria	Manual, Disabled	1.1.0
Establish a privacy program	CMA_0257 - Establish a privacy program	Manual, Disabled	1.1.0
Establish security requirements for the manufacturing of connected devices	CMA_0279 - Establish security requirements for the manufacturing of connected devices	Manual, Disabled	1.1.0
Implement security engineering principles of information systems	CMA_0325 - Implement security engineering principles of information systems	Manual, Disabled	1.1.0

0120.05a1Organizational.4-05.a 05.01 Internal Organization

ID: 0120.05a1Organizational.4-05.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Align business objectives and IT goals	CMA_0008 - Align business objectives and IT goals	Manual, Disabled	1.1.0
Allocate resources in determining information system requirements	CMA_C1561 - Allocate resources in determining information system requirements	Manual, Disabled	1.1.0
Employ business case to record the resources required	CMA_C1735 - Employ business case to record the resources required	Manual, Disabled	1.1.0
Ensure capital planning and investment requests include necessary resources	CMA_C1734 - Ensure capital planning and investment requests include necessary resources	Manual, Disabled	1.1.0
Establish a discrete line item in budgeting documentation	CMA_C1563 - Establish a discrete line item in budgeting documentation	Manual, Disabled	1.1.0
Establish a privacy program	CMA_0257 - Establish a privacy program	Manual, Disabled	1.1.0
Govern the allocation of resources	CMA_0293 - Govern the allocation of resources	Manual, Disabled	1.1.0
Secure commitment from leadership	CMA_0489 - Secure commitment from leadership	Manual, Disabled	1.1.0

0121.05a2Organizational.12-05.a 05.01 Internal Organization

ID: 0121.05a2Organizational.12-05.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Conduct Risk Assessment	CMA_C1543 - Conduct Risk Assessment	Manual, Disabled	1.1.0
Conduct risk assessment and distribute its results	CMA_C1544 - Conduct risk assessment and distribute its results	Manual, Disabled	1.1.0
Conduct risk assessment and document its results	CMA_C1542 - Conduct risk assessment and document its results	Manual, Disabled	1.1.0
Establish a risk management strategy	CMA_0258 - Establish a risk management strategy	Manual, Disabled	1.1.0
Implement the risk management strategy	CMA_C1744 - Implement the risk management strategy	Manual, Disabled	1.1.0
Review and update risk assessment policies and procedures	CMA_C1537 - Review and update risk assessment policies and procedures	Manual, Disabled	1.1.0

0122.05a2Organizational.3-05.a 05.01 Internal Organization

ID: 0122.05a2Organizational.3-05.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Define information security roles and responsibilities	CMA_C1565 - Define information security roles and responsibilities	Manual, Disabled	1.1.0
Identify individuals with security roles and responsibilities	CMA_C1566 - Identify individuals with security roles and responsibilities	Manual, Disabled	1.1.1
Provide periodic role-based security training	CMA_C1095 - Provide periodic role-based security training	Manual, Disabled	1.1.0
Provide role-based security training	CMA_C1094 - Provide role-based security training	Manual, Disabled	1.1.0
Provide security training before providing access	CMA_0418 - Provide security training before providing access	Manual, Disabled	1.1.0
Provide security training for new users	CMA_0419 - Provide security training for new users	Manual, Disabled	1.1.0

0123.05a2Organizational.4-05.a 05.01 Internal Organization

ID: 0123.05a2Organizational.4-05.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Establish a privacy program	CMA_0257 - Establish a privacy program	Manual, Disabled	1.1.0
Manage contacts for authorities and special interest groups	CMA_0359 - Manage contacts for authorities and special interest groups	Manual, Disabled	1.1.0

0124.05a3Organizational.1-05.a 05.01 Internal Organization

ID: 0124.05a3Organizational.1-05.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Appoint a senior information security officer	CMA_C1733 - Appoint a senior information security officer	Manual, Disabled	1.1.0
Document security and privacy training activities	CMA_0198 - Document security and privacy training activities	Manual, Disabled	1.1.0

0125.05a3Organizational.2-05.a 05.01 Internal Organization

ID: 0125.05a3Organizational.2-05.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Accept assessment results	CMA_C1150 - Accept assessment results	Manual, Disabled	1.1.0
Assess Security Controls	CMA_C1145 - Assess Security Controls	Manual, Disabled	1.1.0
Conduct Risk Assessment	CMA_C1543 - Conduct Risk Assessment	Manual, Disabled	1.1.0
Conduct risk assessment and distribute its results	CMA_C1544 - Conduct risk assessment and distribute its results	Manual, Disabled	1.1.0
Conduct risk assessment and document its results	CMA_C1542 - Conduct risk assessment and document its results	Manual, Disabled	1.1.0
Develop security assessment plan	CMA_C1144 - Develop security assessment plan	Manual, Disabled	1.1.0
Employ independent assessors to conduct security control assessments	CMA_C1148 - Employ independent assessors to conduct security control assessments	Manual, Disabled	1.1.0
Perform a risk assessment	CMA_0388 - Perform a risk assessment	Manual, Disabled	1.1.0

0135.02f1Organizational.56-02.f 02.03 During Employment

ID: 0135.02f1Organizational.56-02.f Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Establish information security workforce development and improvement program	CMA_C1752 - Establish information security workforce development and improvement program	Manual, Disabled	1.1.0
Implement formal sanctions process	CMA_0317 - Implement formal sanctions process	Manual, Disabled	1.1.0
Notify personnel upon sanctions	CMA_0380 - Notify personnel upon sanctions	Manual, Disabled	1.1.0
Require third-party providers to comply with personnel security policies and procedures	CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures	Manual, Disabled	1.1.0

0137.02a1Organizational.3-02.a 02.01 Prior to Employment

ID: 0137.02a1Organizational.3-02.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Review and update personnel security policies and procedures	CMA_C1507 - Review and update personnel security policies and procedures	Manual, Disabled	1.1.0

0162.04b1Organizational.2-04.b 04.01 Information Security Policy

ID: 0162.04b1Organizational.2-04.b Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Develop and establish a system security plan	CMA_0151 - Develop and establish a system security plan	Manual, Disabled	1.1.0
Establish security requirements for the manufacturing of connected devices	CMA_0279 - Establish security requirements for the manufacturing of connected devices	Manual, Disabled	1.1.0
Implement security engineering principles of information systems	CMA_0325 - Implement security engineering principles of information systems	Manual, Disabled	1.1.0
Review and update information integrity policies and procedures	CMA_C1667 - Review and update information integrity policies and procedures	Manual, Disabled	1.1.0

0165.05a3Organizational.3-05.a 05.01 Internal Organization

ID: 0165.05a3Organizational.3-05.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Review and update planning policies and procedures	CMA_C1491 - Review and update planning policies and procedures	Manual, Disabled	1.1.0

0177.05h1Organizational.12-05.h 05.01 Internal Organization

ID: 0177.05h1Organizational.12-05.h Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Accept assessment results	CMA_C1150 - Accept assessment results	Manual, Disabled	1.1.0
Assess Security Controls	CMA_C1145 - Assess Security Controls	Manual, Disabled	1.1.0
Develop security assessment plan	CMA_C1144 - Develop security assessment plan	Manual, Disabled	1.1.0
Employ independent assessors to conduct security control assessments	CMA_C1148 - Employ independent assessors to conduct security control assessments	Manual, Disabled	1.1.0
Select additional testing for security control assessments	CMA_C1149 - Select additional testing for security control assessments	Manual, Disabled	1.1.0

0178.05h1Organizational.3-05.h 05.01 Internal Organization

ID: 0178.05h1Organizational.3-05.h Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Assess Security Controls	CMA_C1145 - Assess Security Controls	Manual, Disabled	1.1.0
Deliver security assessment results	CMA_C1147 - Deliver security assessment results	Manual, Disabled	1.1.0
Produce Security Assessment report	CMA_C1146 - Produce Security Assessment report	Manual, Disabled	1.1.0

0179.05h1Organizational.4-05.h 05.01 Internal Organization

ID: 0179.05h1Organizational.4-05.h Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Develop POA&M	CMA_C1156 - Develop POA&M	Manual, Disabled	1.1.0
Establish a risk management strategy	CMA_0258 - Establish a risk management strategy	Manual, Disabled	1.1.0
Implement plans of action and milestones for security program process	CMA_C1737 - Implement plans of action and milestones for security program process	Manual, Disabled	1.1.0

0180.05h2Organizational.1-05.h 05.01 Internal Organization

ID: 0180.05h2Organizational.1-05.h Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Assess Security Controls	CMA_C1145 - Assess Security Controls	Manual, Disabled	1.1.0

02 Endpoint Protection

0201.09j1Organizational.124-09.j 09.04 Protection Against Malicious and Mobile Code

ID: 0201.09j1Organizational.124-09.j Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Adaptive application controls for defining safe applications should be enabled on your machines	Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.	AuditIfNotExists, Disabled	3.0.0
Block untrusted and unsigned processes that run from USB	CMA_0050 - Block untrusted and unsigned processes that run from USB	Manual, Disabled	1.1.0
Deploy default Microsoft IaaSAntimalware extension for Windows Server	This policy deploys a Microsoft IaaSAntimalware extension with a default configuration when a VM is not configured with the antimalware extension.	deployIfNotExists	1.1.0
Detect network services that have not been authorized or approved	CMA_C1700 - Detect network services that have not been authorized or approved	Manual, Disabled	1.1.0
Document wireless access security controls	CMA_C1695 - Document wireless access security controls	Manual, Disabled	1.1.0
Endpoint protection solution should be installed on virtual machine scale sets	Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.	AuditIfNotExists, Disabled	3.0.0
Manage gateways	CMA_0363 - Manage gateways	Manual, Disabled	1.1.0
Microsoft Antimalware for Azure should be configured to automatically update protection signatures	This policy audits any Windows virtual machine not configured with automatic update of Microsoft Antimalware protection signatures.	AuditIfNotExists, Disabled	1.0.0
Monitor missing Endpoint Protection in Azure Security Center	Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations	AuditIfNotExists, Disabled	3.0.0
Observe and report security weaknesses	CMA_0384 - Observe and report security weaknesses	Manual, Disabled	1.1.0
Perform a trend analysis on threats	CMA_0389 - Perform a trend analysis on threats	Manual, Disabled	1.1.0
Perform threat modeling	CMA_0392 - Perform threat modeling	Manual, Disabled	1.1.0
Perform vulnerability scans	CMA_0393 - Perform vulnerability scans	Manual, Disabled	1.1.0
Remediate information system flaws	CMA_0427 - Remediate information system flaws	Manual, Disabled	1.1.0
Review malware detections report weekly	CMA_0475 - Review malware detections report weekly	Manual, Disabled	1.1.0
Review threat protection status weekly	CMA_0479 - Review threat protection status weekly	Manual, Disabled	1.1.0
System updates should be installed on your machines	Missing security system updates on your servers will be monitored by Azure Security Center as recommendations	AuditIfNotExists, Disabled	4.0.0
Update antivirus definitions	CMA_0517 - Update antivirus definitions	Manual, Disabled	1.1.0

0202.09j1Organizational.3-09.j 09.04 Protection Against Malicious and Mobile Code

ID: 0202.09j1Organizational.3-09.j Ownership: Shared

0204.09j2Organizational.1-09.j 09.04 Protection Against Malicious and Mobile Code

ID: 0204.09j2Organizational.1-09.j Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Block untrusted and unsigned processes that run from USB	CMA_0050 - Block untrusted and unsigned processes that run from USB	Manual, Disabled	1.1.0
Create alternative actions for identified anomalies	CMA_C1711 - Create alternative actions for identified anomalies	Manual, Disabled	1.1.0
Manage gateways	CMA_0363 - Manage gateways	Manual, Disabled	1.1.0
Notify personnel of any failed security verification tests	CMA_C1710 - Notify personnel of any failed security verification tests	Manual, Disabled	1.1.0
Perform a trend analysis on threats	CMA_0389 - Perform a trend analysis on threats	Manual, Disabled	1.1.0
Perform security function verification at a defined frequency	CMA_C1709 - Perform security function verification at a defined frequency	Manual, Disabled	1.1.0
Perform vulnerability scans	CMA_0393 - Perform vulnerability scans	Manual, Disabled	1.1.0
Review malware detections report weekly	CMA_0475 - Review malware detections report weekly	Manual, Disabled	1.1.0
Review threat protection status weekly	CMA_0479 - Review threat protection status weekly	Manual, Disabled	1.1.0
Update antivirus definitions	CMA_0517 - Update antivirus definitions	Manual, Disabled	1.1.0
Verify security functions	CMA_C1708 - Verify security functions	Manual, Disabled	1.1.0

0205.09j2Organizational.2-09.j 09.04 Protection Against Malicious and Mobile Code

ID: 0205.09j2Organizational.2-09.j Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Alert personnel of information spillage	CMA_0007 - Alert personnel of information spillage	Manual, Disabled	1.1.0
Block untrusted and unsigned processes that run from USB	CMA_0050 - Block untrusted and unsigned processes that run from USB	Manual, Disabled	1.1.0
Develop an incident response plan	CMA_0145 - Develop an incident response plan	Manual, Disabled	1.1.0
Manage gateways	CMA_0363 - Manage gateways	Manual, Disabled	1.1.0
Perform a trend analysis on threats	CMA_0389 - Perform a trend analysis on threats	Manual, Disabled	1.1.0
Perform vulnerability scans	CMA_0393 - Perform vulnerability scans	Manual, Disabled	1.1.0
Review malware detections report weekly	CMA_0475 - Review malware detections report weekly	Manual, Disabled	1.1.0
Review threat protection status weekly	CMA_0479 - Review threat protection status weekly	Manual, Disabled	1.1.0
Set automated notifications for new and trending cloud applications in your organization	CMA_0495 - Set automated notifications for new and trending cloud applications in your organization	Manual, Disabled	1.1.0
Update antivirus definitions	CMA_0517 - Update antivirus definitions	Manual, Disabled	1.1.0

0206.09j2Organizational.34-09.j 09.04 Protection Against Malicious and Mobile Code

ID: 0206.09j2Organizational.34-09.j Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Block untrusted and unsigned processes that run from USB	CMA_0050 - Block untrusted and unsigned processes that run from USB	Manual, Disabled	1.1.0
Manage gateways	CMA_0363 - Manage gateways	Manual, Disabled	1.1.0
Perform a trend analysis on threats	CMA_0389 - Perform a trend analysis on threats	Manual, Disabled	1.1.0
Perform vulnerability scans	CMA_0393 - Perform vulnerability scans	Manual, Disabled	1.1.0
Review malware detections report weekly	CMA_0475 - Review malware detections report weekly	Manual, Disabled	1.1.0
Update antivirus definitions	CMA_0517 - Update antivirus definitions	Manual, Disabled	1.1.0

0207.09j2Organizational.56-09.j 09.04 Protection Against Malicious and Mobile Code

ID: 0207.09j2Organizational.56-09.j Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Block untrusted and unsigned processes that run from USB	CMA_0050 - Block untrusted and unsigned processes that run from USB	Manual, Disabled	1.1.0
Manage gateways	CMA_0363 - Manage gateways	Manual, Disabled	1.1.0
Perform a trend analysis on threats	CMA_0389 - Perform a trend analysis on threats	Manual, Disabled	1.1.0
Perform vulnerability scans	CMA_0393 - Perform vulnerability scans	Manual, Disabled	1.1.0
Review malware detections report weekly	CMA_0475 - Review malware detections report weekly	Manual, Disabled	1.1.0
Review threat protection status weekly	CMA_0479 - Review threat protection status weekly	Manual, Disabled	1.1.0
Update antivirus definitions	CMA_0517 - Update antivirus definitions	Manual, Disabled	1.1.0

0208.09j2Organizational.7-09.j 09.04 Protection Against Malicious and Mobile Code

ID: 0208.09j2Organizational.7-09.j Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Authorize remote access	CMA_0024 - Authorize remote access	Manual, Disabled	1.1.0
Employ boundary protection to isolate information systems	CMA_C1639 - Employ boundary protection to isolate information systems	Manual, Disabled	1.1.0
Separate user and information system management functionality	CMA_0493 - Separate user and information system management functionality	Manual, Disabled	1.1.0
Use dedicated machines for administrative tasks	CMA_0527 - Use dedicated machines for administrative tasks	Manual, Disabled	1.1.0

0209.09m3Organizational.7-09.m 09.06 Network Security Management

ID: 0209.09m3Organizational.7-09.m Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Automate information sharing decisions	CMA_0028 - Automate information sharing decisions	Manual, Disabled	1.1.0
Employ automatic shutdown/restart when violations are detected	CMA_C1715 - Employ automatic shutdown/restart when violations are detected	Manual, Disabled	1.1.0
Facilitate information sharing	CMA_0284 - Facilitate information sharing	Manual, Disabled	1.1.0
Record disclosures of PII to third parties	CMA_0422 - Record disclosures of PII to third parties	Manual, Disabled	1.1.0
Train staff on PII sharing and its consequences	CMA_C1871 - Train staff on PII sharing and its consequences	Manual, Disabled	1.1.0
Verify software, firmware and information integrity	CMA_0542 - Verify software, firmware and information integrity	Manual, Disabled	1.1.0

0214.09j1Organizational.6-09.j 09.04 Protection Against Malicious and Mobile Code

ID: 0214.09j1Organizational.6-09.j Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Block untrusted and unsigned processes that run from USB	CMA_0050 - Block untrusted and unsigned processes that run from USB	Manual, Disabled	1.1.0
Design an access control model	CMA_0129 - Design an access control model	Manual, Disabled	1.1.0
Employ least privilege access	CMA_0212 - Employ least privilege access	Manual, Disabled	1.1.0
Limit privileges to make changes in production environment	CMA_C1206 - Limit privileges to make changes in production environment	Manual, Disabled	1.1.0
Manage gateways	CMA_0363 - Manage gateways	Manual, Disabled	1.1.0
Perform a trend analysis on threats	CMA_0389 - Perform a trend analysis on threats	Manual, Disabled	1.1.0
Perform vulnerability scans	CMA_0393 - Perform vulnerability scans	Manual, Disabled	1.1.0
Provide periodic security awareness training	CMA_C1091 - Provide periodic security awareness training	Manual, Disabled	1.1.0
Provide security training for new users	CMA_0419 - Provide security training for new users	Manual, Disabled	1.1.0
Provide updated security awareness training	CMA_C1090 - Provide updated security awareness training	Manual, Disabled	1.1.0
Review malware detections report weekly	CMA_0475 - Review malware detections report weekly	Manual, Disabled	1.1.0
Review threat protection status weekly	CMA_0479 - Review threat protection status weekly	Manual, Disabled	1.1.0
Update antivirus definitions	CMA_0517 - Update antivirus definitions	Manual, Disabled	1.1.0

0215.09j2Organizational.8-09.j 09.04 Protection Against Malicious and Mobile Code

ID: 0215.09j2Organizational.8-09.j Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Block untrusted and unsigned processes that run from USB	CMA_0050 - Block untrusted and unsigned processes that run from USB	Manual, Disabled	1.1.0
Manage gateways	CMA_0363 - Manage gateways	Manual, Disabled	1.1.0
Perform a trend analysis on threats	CMA_0389 - Perform a trend analysis on threats	Manual, Disabled	1.1.0
Perform vulnerability scans	CMA_0393 - Perform vulnerability scans	Manual, Disabled	1.1.0
Review malware detections report weekly	CMA_0475 - Review malware detections report weekly	Manual, Disabled	1.1.0
Review threat protection status weekly	CMA_0479 - Review threat protection status weekly	Manual, Disabled	1.1.0
Update antivirus definitions	CMA_0517 - Update antivirus definitions	Manual, Disabled	1.1.0

0216.09j2Organizational.9-09.j 09.04 Protection Against Malicious and Mobile Code

ID: 0216.09j2Organizational.9-09.j Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Correlate audit records	CMA_0087 - Correlate audit records	Manual, Disabled	1.1.0
Establish requirements for audit review and reporting	CMA_0277 - Establish requirements for audit review and reporting	Manual, Disabled	1.1.0
Integrate audit review, analysis, and reporting	CMA_0339 - Integrate audit review, analysis, and reporting	Manual, Disabled	1.1.0
Integrate cloud app security with a siem	CMA_0340 - Integrate cloud app security with a siem	Manual, Disabled	1.1.0
Perform vulnerability scans	CMA_0393 - Perform vulnerability scans	Manual, Disabled	1.1.0
Remediate information system flaws	CMA_0427 - Remediate information system flaws	Manual, Disabled	1.1.0
Review account provisioning logs	CMA_0460 - Review account provisioning logs	Manual, Disabled	1.1.0
Review administrator assignments weekly	CMA_0461 - Review administrator assignments weekly	Manual, Disabled	1.1.0
Review audit data	CMA_0466 - Review audit data	Manual, Disabled	1.1.0
Review cloud identity report overview	CMA_0468 - Review cloud identity report overview	Manual, Disabled	1.1.0
Review controlled folder access events	CMA_0471 - Review controlled folder access events	Manual, Disabled	1.1.0
Review file and folder activity	CMA_0473 - Review file and folder activity	Manual, Disabled	1.1.0
Review role group changes weekly	CMA_0476 - Review role group changes weekly	Manual, Disabled	1.1.0

0217.09j2Organizational.10-09.j 09.04 Protection Against Malicious and Mobile Code

ID: 0217.09j2Organizational.10-09.j Ownership: Shared

0219.09j2Organizational.12-09.j 09.04 Protection Against Malicious and Mobile Code

ID: 0219.09j2Organizational.12-09.j Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Block untrusted and unsigned processes that run from USB	CMA_0050 - Block untrusted and unsigned processes that run from USB	Manual, Disabled	1.1.0
Manage gateways	CMA_0363 - Manage gateways	Manual, Disabled	1.1.0
Perform a trend analysis on threats	CMA_0389 - Perform a trend analysis on threats	Manual, Disabled	1.1.0
Perform vulnerability scans	CMA_0393 - Perform vulnerability scans	Manual, Disabled	1.1.0
Review malware detections report weekly	CMA_0475 - Review malware detections report weekly	Manual, Disabled	1.1.0
Review threat protection status weekly	CMA_0479 - Review threat protection status weekly	Manual, Disabled	1.1.0
Update antivirus definitions	CMA_0517 - Update antivirus definitions	Manual, Disabled	1.1.0

0225.09k1Organizational.1-09.k 09.04 Protection Against Malicious and Mobile Code

ID: 0225.09k1Organizational.1-09.k Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Authorize, monitor, and control usage of mobile code technologies	CMA_C1653 - Authorize, monitor, and control usage of mobile code technologies	Manual, Disabled	1.1.0
Block untrusted and unsigned processes that run from USB	CMA_0050 - Block untrusted and unsigned processes that run from USB	Manual, Disabled	1.1.0
Define acceptable and unacceptable mobile code technologies	CMA_C1651 - Define acceptable and unacceptable mobile code technologies	Manual, Disabled	1.1.0
Establish usage restrictions for mobile code technologies	CMA_C1652 - Establish usage restrictions for mobile code technologies	Manual, Disabled	1.1.0
Manage gateways	CMA_0363 - Manage gateways	Manual, Disabled	1.1.0
Perform a trend analysis on threats	CMA_0389 - Perform a trend analysis on threats	Manual, Disabled	1.1.0
Perform vulnerability scans	CMA_0393 - Perform vulnerability scans	Manual, Disabled	1.1.0
Review malware detections report weekly	CMA_0475 - Review malware detections report weekly	Manual, Disabled	1.1.0
Review threat protection status weekly	CMA_0479 - Review threat protection status weekly	Manual, Disabled	1.1.0
Update antivirus definitions	CMA_0517 - Update antivirus definitions	Manual, Disabled	1.1.0

0226.09k1Organizational.2-09.k 09.04 Protection Against Malicious and Mobile Code

ID: 0226.09k1Organizational.2-09.k Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Authorize, monitor, and control usage of mobile code technologies	CMA_C1653 - Authorize, monitor, and control usage of mobile code technologies	Manual, Disabled	1.1.0
Block untrusted and unsigned processes that run from USB	CMA_0050 - Block untrusted and unsigned processes that run from USB	Manual, Disabled	1.1.0
Define acceptable and unacceptable mobile code technologies	CMA_C1651 - Define acceptable and unacceptable mobile code technologies	Manual, Disabled	1.1.0
Establish usage restrictions for mobile code technologies	CMA_C1652 - Establish usage restrictions for mobile code technologies	Manual, Disabled	1.1.0
Manage gateways	CMA_0363 - Manage gateways	Manual, Disabled	1.1.0
Perform a trend analysis on threats	CMA_0389 - Perform a trend analysis on threats	Manual, Disabled	1.1.0
Perform vulnerability scans	CMA_0393 - Perform vulnerability scans	Manual, Disabled	1.1.0
Review malware detections report weekly	CMA_0475 - Review malware detections report weekly	Manual, Disabled	1.1.0
Update antivirus definitions	CMA_0517 - Update antivirus definitions	Manual, Disabled	1.1.0

0227.09k2Organizational.12-09.k 09.04 Protection Against Malicious and Mobile Code

ID: 0227.09k2Organizational.12-09.k Ownership: Shared

0228.09k2Organizational.3-09.k 09.04 Protection Against Malicious and Mobile Code

ID: 0228.09k2Organizational.3-09.k Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Automate process to highlight unreviewed change proposals	CMA_C1193 - Automate process to highlight unreviewed change proposals	Manual, Disabled	1.1.0
Conduct a security impact analysis	CMA_0057 - Conduct a security impact analysis	Manual, Disabled	1.1.0
Enforce security configuration settings	CMA_0249 - Enforce security configuration settings	Manual, Disabled	1.1.0
Establish and document change control processes	CMA_0265 - Establish and document change control processes	Manual, Disabled	1.1.0
Establish configuration management requirements for developers	CMA_0270 - Establish configuration management requirements for developers	Manual, Disabled	1.1.0
Govern compliance of cloud service providers	CMA_0290 - Govern compliance of cloud service providers	Manual, Disabled	1.1.0
Perform a privacy impact assessment	CMA_0387 - Perform a privacy impact assessment	Manual, Disabled	1.1.0
Perform audit for configuration change control	CMA_0390 - Perform audit for configuration change control	Manual, Disabled	1.1.0
Perform vulnerability scans	CMA_0393 - Perform vulnerability scans	Manual, Disabled	1.1.0
Remediate information system flaws	CMA_0427 - Remediate information system flaws	Manual, Disabled	1.1.0
View and configure system diagnostic data	CMA_0544 - View and configure system diagnostic data	Manual, Disabled	1.1.0

03 Portable Media Security

0301.09o1Organizational.123-09.o 09.07 Media Handling

ID: 0301.09o1Organizational.123-09.o Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Block untrusted and unsigned processes that run from USB	CMA_0050 - Block untrusted and unsigned processes that run from USB	Manual, Disabled	1.1.0
Control maintenance and repair activities	CMA_0080 - Control maintenance and repair activities	Manual, Disabled	1.1.0
Control use of portable storage devices	CMA_0083 - Control use of portable storage devices	Manual, Disabled	1.1.0
Define mobile device requirements	CMA_0122 - Define mobile device requirements	Manual, Disabled	1.1.0
Document and implement wireless access guidelines	CMA_0190 - Document and implement wireless access guidelines	Manual, Disabled	1.1.0
Employ a media sanitization mechanism	CMA_0208 - Employ a media sanitization mechanism	Manual, Disabled	1.1.0
Implement controls to secure all media	CMA_0314 - Implement controls to secure all media	Manual, Disabled	1.1.0
Manage nonlocal maintenance and diagnostic activities	CMA_0364 - Manage nonlocal maintenance and diagnostic activities	Manual, Disabled	1.1.0
Manage the transportation of assets	CMA_0370 - Manage the transportation of assets	Manual, Disabled	1.1.0
Protect data in transit using encryption	CMA_0403 - Protect data in transit using encryption	Manual, Disabled	1.1.0
Protect wireless access	CMA_0411 - Protect wireless access	Manual, Disabled	1.1.0
Restrict media use	CMA_0450 - Restrict media use	Manual, Disabled	1.1.0
Review and update media protection policies and procedures	CMA_C1427 - Review and update media protection policies and procedures	Manual, Disabled	1.1.0
Transparent Data Encryption on SQL databases should be enabled	Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements	AuditIfNotExists, Disabled	2.0.0

0302.09o2Organizational.1-09.o 09.07 Media Handling

ID: 0302.09o2Organizational.1-09.o Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Block untrusted and unsigned processes that run from USB	CMA_0050 - Block untrusted and unsigned processes that run from USB	Manual, Disabled	1.1.0
Control use of portable storage devices	CMA_0083 - Control use of portable storage devices	Manual, Disabled	1.1.0
Employ a media sanitization mechanism	CMA_0208 - Employ a media sanitization mechanism	Manual, Disabled	1.1.0
Implement controls to secure all media	CMA_0314 - Implement controls to secure all media	Manual, Disabled	1.1.0
Manage the transportation of assets	CMA_0370 - Manage the transportation of assets	Manual, Disabled	1.1.0
Restrict media use	CMA_0450 - Restrict media use	Manual, Disabled	1.1.0
Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources	By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison	AuditIfNotExists, Disabled	2.0.3

0303.09o2Organizational.2-09.o 09.07 Media Handling

ID: 0303.09o2Organizational.2-09.o Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Block untrusted and unsigned processes that run from USB	CMA_0050 - Block untrusted and unsigned processes that run from USB	Manual, Disabled	1.1.0
Control use of portable storage devices	CMA_0083 - Control use of portable storage devices	Manual, Disabled	1.1.0
Employ a media sanitization mechanism	CMA_0208 - Employ a media sanitization mechanism	Manual, Disabled	1.1.0
Implement controls to secure all media	CMA_0314 - Implement controls to secure all media	Manual, Disabled	1.1.0
Manage the transportation of assets	CMA_0370 - Manage the transportation of assets	Manual, Disabled	1.1.0
Restrict media use	CMA_0450 - Restrict media use	Manual, Disabled	1.1.0

0304.09o3Organizational.1-09.o 09.07 Media Handling

ID: 0304.09o3Organizational.1-09.o Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Block untrusted and unsigned processes that run from USB	CMA_0050 - Block untrusted and unsigned processes that run from USB	Manual, Disabled	1.1.0
Control use of portable storage devices	CMA_0083 - Control use of portable storage devices	Manual, Disabled	1.1.0
Employ a media sanitization mechanism	CMA_0208 - Employ a media sanitization mechanism	Manual, Disabled	1.1.0
Implement controls to secure all media	CMA_0314 - Implement controls to secure all media	Manual, Disabled	1.1.0
Require encryption on Data Lake Store accounts	This policy ensures encryption is enabled on all Data Lake Store accounts	deny	1.0.0
Restrict media use	CMA_0450 - Restrict media use	Manual, Disabled	1.1.0
SQL managed instances should use customer-managed keys to encrypt data at rest	Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.	Audit, Deny, Disabled	2.0.0
SQL servers should use customer-managed keys to encrypt data at rest	Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.	Audit, Deny, Disabled	2.0.1

0305.09q1Organizational.12-09.q 09.07 Media Handling

ID: 0305.09q1Organizational.12-09.q Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Control maintenance and repair activities	CMA_0080 - Control maintenance and repair activities	Manual, Disabled	1.1.0
Control use of portable storage devices	CMA_0083 - Control use of portable storage devices	Manual, Disabled	1.1.0
Employ a media sanitization mechanism	CMA_0208 - Employ a media sanitization mechanism	Manual, Disabled	1.1.0
Implement controls to secure all media	CMA_0314 - Implement controls to secure all media	Manual, Disabled	1.1.0
Manage nonlocal maintenance and diagnostic activities	CMA_0364 - Manage nonlocal maintenance and diagnostic activities	Manual, Disabled	1.1.0
Manage the transportation of assets	CMA_0370 - Manage the transportation of assets	Manual, Disabled	1.1.0
Restrict media use	CMA_0450 - Restrict media use	Manual, Disabled	1.1.0

0306.09q1Organizational.3-09.q 09.07 Media Handling

ID: 0306.09q1Organizational.3-09.q Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Automate information sharing decisions	CMA_0028 - Automate information sharing decisions	Manual, Disabled	1.1.0
Ensure authorized users protect provided authenticators	CMA_C1339 - Ensure authorized users protect provided authenticators	Manual, Disabled	1.1.0
Ensure there are no unencrypted static authenticators	CMA_C1340 - Ensure there are no unencrypted static authenticators	Manual, Disabled	1.1.0
Facilitate information sharing	CMA_0284 - Facilitate information sharing	Manual, Disabled	1.1.0
Implement controls to secure all media	CMA_0314 - Implement controls to secure all media	Manual, Disabled	1.1.0
Implement training for protecting authenticators	CMA_0329 - Implement training for protecting authenticators	Manual, Disabled	1.1.0

0307.09q2Organizational.12-09.q 09.07 Media Handling

ID: 0307.09q2Organizational.12-09.q Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Control information flow	CMA_0079 - Control information flow	Manual, Disabled	1.1.0
Employ flow control mechanisms of encrypted information	CMA_0211 - Employ flow control mechanisms of encrypted information	Manual, Disabled	1.1.0

0308.09q3Organizational.1-09.q 09.07 Media Handling

ID: 0308.09q3Organizational.1-09.q Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Employ a media sanitization mechanism	CMA_0208 - Employ a media sanitization mechanism	Manual, Disabled	1.1.0
Implement controls to secure all media	CMA_0314 - Implement controls to secure all media	Manual, Disabled	1.1.0
Manage the transportation of assets	CMA_0370 - Manage the transportation of assets	Manual, Disabled	1.1.0

0314.09q3Organizational.2-09.q 09.07 Media Handling

ID: 0314.09q3Organizational.2-09.q Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Define a physical key management process	CMA_0115 - Define a physical key management process	Manual, Disabled	1.1.0
Define cryptographic use	CMA_0120 - Define cryptographic use	Manual, Disabled	1.1.0
Define organizational requirements for cryptographic key management	CMA_0123 - Define organizational requirements for cryptographic key management	Manual, Disabled	1.1.0
Determine assertion requirements	CMA_0136 - Determine assertion requirements	Manual, Disabled	1.1.0
Implement controls to secure all media	CMA_0314 - Implement controls to secure all media	Manual, Disabled	1.1.0
Issue public key certificates	CMA_0347 - Issue public key certificates	Manual, Disabled	1.1.0
Manage symmetric cryptographic keys	CMA_0367 - Manage symmetric cryptographic keys	Manual, Disabled	1.1.0
Manage the transportation of assets	CMA_0370 - Manage the transportation of assets	Manual, Disabled	1.1.0
Restrict access to private keys	CMA_0445 - Restrict access to private keys	Manual, Disabled	1.1.0

04 Mobile Device Security

0401.01x1System.124579-01.x 01.07 Mobile Computing and Teleworking

ID: 0401.01x1System.124579-01.x Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Authorize, monitor, and control usage of mobile code technologies	CMA_C1653 - Authorize, monitor, and control usage of mobile code technologies	Manual, Disabled	1.1.0
Define acceptable and unacceptable mobile code technologies	CMA_C1651 - Define acceptable and unacceptable mobile code technologies	Manual, Disabled	1.1.0
Define mobile device requirements	CMA_0122 - Define mobile device requirements	Manual, Disabled	1.1.0
Establish usage restrictions for mobile code technologies	CMA_C1652 - Establish usage restrictions for mobile code technologies	Manual, Disabled	1.1.0
Implement system boundary protection	CMA_0328 - Implement system boundary protection	Manual, Disabled	1.1.0
Prohibit remote activation of collaborative computing devices	CMA_C1648 - Prohibit remote activation of collaborative computing devices	Manual, Disabled	1.1.0
Protect data in transit using encryption	CMA_0403 - Protect data in transit using encryption	Manual, Disabled	1.1.0

0403.01x1System.8-01.x 01.07 Mobile Computing and Teleworking

ID: 0403.01x1System.8-01.x Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Define mobile device requirements	CMA_0122 - Define mobile device requirements	Manual, Disabled	1.1.0
Employ a media sanitization mechanism	CMA_0208 - Employ a media sanitization mechanism	Manual, Disabled	1.1.0
Ensure security safeguards not needed when the individuals return	CMA_C1183 - Ensure security safeguards not needed when the individuals return	Manual, Disabled	1.1.0
Implement controls to secure all media	CMA_0314 - Implement controls to secure all media	Manual, Disabled	1.1.0
Manage the transportation of assets	CMA_0370 - Manage the transportation of assets	Manual, Disabled	1.1.0
Not allow for information systems to accompany with individuals	CMA_C1182 - Not allow for information systems to accompany with individuals	Manual, Disabled	1.1.0
Protect data in transit using encryption	CMA_0403 - Protect data in transit using encryption	Manual, Disabled	1.1.0

0405.01y1Organizational.12345678-01.y 01.07 Mobile Computing and Teleworking

ID: 0405.01y1Organizational.12345678-01.y Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Define mobile device requirements	CMA_0122 - Define mobile device requirements	Manual, Disabled	1.1.0

0407.01y2Organizational.1-01.y 01.07 Mobile Computing and Teleworking

ID: 0407.01y2Organizational.1-01.y Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Define mobile device requirements	CMA_0122 - Define mobile device requirements	Manual, Disabled	1.1.0
Implement controls to secure alternate work sites	CMA_0315 - Implement controls to secure alternate work sites	Manual, Disabled	1.1.0

0408.01y3Organizational.12-01.y 01.07 Mobile Computing and Teleworking

ID: 0408.01y3Organizational.12-01.y Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Control maintenance and repair activities	CMA_0080 - Control maintenance and repair activities	Manual, Disabled	1.1.0
Employ a media sanitization mechanism	CMA_0208 - Employ a media sanitization mechanism	Manual, Disabled	1.1.0
Implement controls to secure all media	CMA_0314 - Implement controls to secure all media	Manual, Disabled	1.1.0
Implement physical security for offices, working areas, and secure areas	CMA_0323 - Implement physical security for offices, working areas, and secure areas	Manual, Disabled	1.1.0
Manage nonlocal maintenance and diagnostic activities	CMA_0364 - Manage nonlocal maintenance and diagnostic activities	Manual, Disabled	1.1.0

0409.01y3Organizational.3-01.y 01.07 Mobile Computing and Teleworking

ID: 0409.01y3Organizational.3-01.y Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Define mobile device requirements	CMA_0122 - Define mobile device requirements	Manual, Disabled	1.1.0

0410.01x1System.12-01.xMobileComputingandCommunications 01.07 Mobile Computing and Teleworking

ID: 0410.01x1System.12-01.xMobileComputingandCommunications Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Define mobile device requirements	CMA_0122 - Define mobile device requirements	Manual, Disabled	1.1.0
Protect data in transit using encryption	CMA_0403 - Protect data in transit using encryption	Manual, Disabled	1.1.0

0415.01y1Organizational.10-01.y 01.07 Mobile Computing and Teleworking

ID: 0415.01y1Organizational.10-01.y Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Control maintenance and repair activities	CMA_0080 - Control maintenance and repair activities	Manual, Disabled	1.1.0
Define mobile device requirements	CMA_0122 - Define mobile device requirements	Manual, Disabled	1.1.0
Employ a media sanitization mechanism	CMA_0208 - Employ a media sanitization mechanism	Manual, Disabled	1.1.0
Implement controls to secure all media	CMA_0314 - Implement controls to secure all media	Manual, Disabled	1.1.0
Manage nonlocal maintenance and diagnostic activities	CMA_0364 - Manage nonlocal maintenance and diagnostic activities	Manual, Disabled	1.1.0

0416.01y3Organizational.4-01.y 01.07 Mobile Computing and Teleworking

ID: 0416.01y3Organizational.4-01.y Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Control maintenance and repair activities	CMA_0080 - Control maintenance and repair activities	Manual, Disabled	1.1.0
Define mobile device requirements	CMA_0122 - Define mobile device requirements	Manual, Disabled	1.1.0
Manage nonlocal maintenance and diagnostic activities	CMA_0364 - Manage nonlocal maintenance and diagnostic activities	Manual, Disabled	1.1.0
Protect data in transit using encryption	CMA_0403 - Protect data in transit using encryption	Manual, Disabled	1.1.0

0417.01y3Organizational.5-01.y 01.07 Mobile Computing and Teleworking

ID: 0417.01y3Organizational.5-01.y Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Define mobile device requirements	CMA_0122 - Define mobile device requirements	Manual, Disabled	1.1.0

0425.01x1System.13-01.x 01.07 Mobile Computing and Teleworking

ID: 0425.01x1System.13-01.x Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Define mobile device requirements	CMA_0122 - Define mobile device requirements	Manual, Disabled	1.1.0

0426.01x2System.1-01.x 01.07 Mobile Computing and Teleworking

ID: 0426.01x2System.1-01.x Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Define mobile device requirements	CMA_0122 - Define mobile device requirements	Manual, Disabled	1.1.0
Employ a media sanitization mechanism	CMA_0208 - Employ a media sanitization mechanism	Manual, Disabled	1.1.0
Ensure security safeguards not needed when the individuals return	CMA_C1183 - Ensure security safeguards not needed when the individuals return	Manual, Disabled	1.1.0
Implement controls to secure all media	CMA_0314 - Implement controls to secure all media	Manual, Disabled	1.1.0
Manage the transportation of assets	CMA_0370 - Manage the transportation of assets	Manual, Disabled	1.1.0
Not allow for information systems to accompany with individuals	CMA_C1182 - Not allow for information systems to accompany with individuals	Manual, Disabled	1.1.0
Protect data in transit using encryption	CMA_0403 - Protect data in transit using encryption	Manual, Disabled	1.1.0

0427.01x2System.2-01.x 01.07 Mobile Computing and Teleworking

ID: 0427.01x2System.2-01.x Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Define mobile device requirements	CMA_0122 - Define mobile device requirements	Manual, Disabled	1.1.0
Ensure security safeguards not needed when the individuals return	CMA_C1183 - Ensure security safeguards not needed when the individuals return	Manual, Disabled	1.1.0
Not allow for information systems to accompany with individuals	CMA_C1182 - Not allow for information systems to accompany with individuals	Manual, Disabled	1.1.0
Protect data in transit using encryption	CMA_0403 - Protect data in transit using encryption	Manual, Disabled	1.1.0

0428.01x2System.3-01.x 01.07 Mobile Computing and Teleworking

ID: 0428.01x2System.3-01.x Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Define mobile device requirements	CMA_0122 - Define mobile device requirements	Manual, Disabled	1.1.0
Ensure security safeguards not needed when the individuals return	CMA_C1183 - Ensure security safeguards not needed when the individuals return	Manual, Disabled	1.1.0
Not allow for information systems to accompany with individuals	CMA_C1182 - Not allow for information systems to accompany with individuals	Manual, Disabled	1.1.0
Protect data in transit using encryption	CMA_0403 - Protect data in transit using encryption	Manual, Disabled	1.1.0

0429.01x1System.14-01.x 01.07 Mobile Computing and Teleworking

ID: 0429.01x1System.14-01.x Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Control use of portable storage devices	CMA_0083 - Control use of portable storage devices	Manual, Disabled	1.1.0
Define mobile device requirements	CMA_0122 - Define mobile device requirements	Manual, Disabled	1.1.0
Ensure security safeguards not needed when the individuals return	CMA_C1183 - Ensure security safeguards not needed when the individuals return	Manual, Disabled	1.1.0
Implement controls to secure all media	CMA_0314 - Implement controls to secure all media	Manual, Disabled	1.1.0
Not allow for information systems to accompany with individuals	CMA_C1182 - Not allow for information systems to accompany with individuals	Manual, Disabled	1.1.0
Protect data in transit using encryption	CMA_0403 - Protect data in transit using encryption	Manual, Disabled	1.1.0
Restrict media use	CMA_0450 - Restrict media use	Manual, Disabled	1.1.0

Access to the organizations information and systems by external parties is not permitted until due diligence has been conducted, the appropriate controls have been implemented, and a contract/agreement reflecting the security requirements is signed acknowledging they understand and accept their obligations.

ID: 1401.05i1Organizational.1239 - 05.i Ownership: Customer

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Secure transfer to storage accounts should be enabled	Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking	Audit, Deny, Disabled	2.0.0

Remote access connections between the organization and external parties are encrypted.

ID: 1402.05i1Organizational.45 - 05.i Ownership: Customer

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Function apps should only be accessible over HTTPS	Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.	Audit, Disabled, Deny	5.0.0

Access granted to external parties is limited to the minimum necessary and granted only for the duration required.

ID: 1403.05i1Organizational.67 - 05.i Ownership: Customer

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
App Service apps should only be accessible over HTTPS	Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.	Audit, Disabled, Deny	4.0.0

ID: 1418.05i1Organizational.8 - 05.i Ownership: Customer

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Enforce SSL connection should be enabled for MySQL database servers	Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.	Audit, Disabled	1.0.1

05 Wireless Security

0504.09m2Organizational.5-09.m 09.06 Network Security Management

ID: 0504.09m2Organizational.5-09.m Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Document and implement wireless access guidelines	CMA_0190 - Document and implement wireless access guidelines	Manual, Disabled	1.1.0
Document wireless access security controls	CMA_C1695 - Document wireless access security controls	Manual, Disabled	1.1.0
Identify and authenticate network devices	CMA_0296 - Identify and authenticate network devices	Manual, Disabled	1.1.0
Protect wireless access	CMA_0411 - Protect wireless access	Manual, Disabled	1.1.0

0505.09m2Organizational.3-09.m 09.06 Network Security Management

ID: 0505.09m2Organizational.3-09.m Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Adopt biometric authentication mechanisms	CMA_0005 - Adopt biometric authentication mechanisms	Manual, Disabled	1.1.0
Define requirements for managing assets	CMA_0125 - Define requirements for managing assets	Manual, Disabled	1.1.0
Document wireless access security controls	CMA_C1695 - Document wireless access security controls	Manual, Disabled	1.1.0
Employ a media sanitization mechanism	CMA_0208 - Employ a media sanitization mechanism	Manual, Disabled	1.1.0
Implement controls to secure all media	CMA_0314 - Implement controls to secure all media	Manual, Disabled	1.1.0
Install an alarm system	CMA_0338 - Install an alarm system	Manual, Disabled	1.1.0
Manage a secure surveillance camera system	CMA_0354 - Manage a secure surveillance camera system	Manual, Disabled	1.1.0
Manage the transportation of assets	CMA_0370 - Manage the transportation of assets	Manual, Disabled	1.1.0

06 Configuration Management

0601.06g1Organizational.124-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance

ID: 0601.06g1Organizational.124-06.g Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Assess Security Controls	CMA_C1145 - Assess Security Controls	Manual, Disabled	1.1.0
Deliver security assessment results	CMA_C1147 - Deliver security assessment results	Manual, Disabled	1.1.0
Develop POA&M	CMA_C1156 - Develop POA&M	Manual, Disabled	1.1.0
Develop security assessment plan	CMA_C1144 - Develop security assessment plan	Manual, Disabled	1.1.0
Produce Security Assessment report	CMA_C1146 - Produce Security Assessment report	Manual, Disabled	1.1.0
Update POA&M items	CMA_C1157 - Update POA&M items	Manual, Disabled	1.1.0

0602.06g1Organizational.3-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance

ID: 0602.06g1Organizational.3-06.g Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Conduct Risk Assessment	CMA_C1543 - Conduct Risk Assessment	Manual, Disabled	1.1.0
Deliver security assessment results	CMA_C1147 - Deliver security assessment results	Manual, Disabled	1.1.0
Develop configuration management plan	CMA_C1232 - Develop configuration management plan	Manual, Disabled	1.1.0
Develop POA&M	CMA_C1156 - Develop POA&M	Manual, Disabled	1.1.0
Establish and document change control processes	CMA_0265 - Establish and document change control processes	Manual, Disabled	1.1.0
Establish configuration management requirements for developers	CMA_0270 - Establish configuration management requirements for developers	Manual, Disabled	1.1.0
Perform audit for configuration change control	CMA_0390 - Perform audit for configuration change control	Manual, Disabled	1.1.0
Produce Security Assessment report	CMA_C1146 - Produce Security Assessment report	Manual, Disabled	1.1.0
Require developers to document approved changes and potential impact	CMA_C1597 - Require developers to document approved changes and potential impact	Manual, Disabled	1.1.0
Update POA&M items	CMA_C1157 - Update POA&M items	Manual, Disabled	1.1.0

0603.06g2Organizational.1-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance

ID: 0603.06g2Organizational.1-06.g Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Enforce security configuration settings	CMA_0249 - Enforce security configuration settings	Manual, Disabled	1.1.0
Govern compliance of cloud service providers	CMA_0290 - Govern compliance of cloud service providers	Manual, Disabled	1.1.0
Perform vulnerability scans	CMA_0393 - Perform vulnerability scans	Manual, Disabled	1.1.0
Remediate information system flaws	CMA_0427 - Remediate information system flaws	Manual, Disabled	1.1.0
Verify software, firmware and information integrity	CMA_0542 - Verify software, firmware and information integrity	Manual, Disabled	1.1.0
View and configure system diagnostic data	CMA_0544 - View and configure system diagnostic data	Manual, Disabled	1.1.0

0604.06g2Organizational.2-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance

ID: 0604.06g2Organizational.2-06.g Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Analyse data obtained from continuous monitoring	CMA_C1169 - Analyse data obtained from continuous monitoring	Manual, Disabled	1.1.0
Configure detection whitelist	CMA_0068 - Configure detection whitelist	Manual, Disabled	1.1.0
Develop security assessment plan	CMA_C1144 - Develop security assessment plan	Manual, Disabled	1.1.0
Employ independent assessors for continuous monitoring	CMA_C1168 - Employ independent assessors for continuous monitoring	Manual, Disabled	1.1.0
Employ independent assessors to conduct security control assessments	CMA_C1148 - Employ independent assessors to conduct security control assessments	Manual, Disabled	1.1.0
Turn on sensors for endpoint security solution	CMA_0514 - Turn on sensors for endpoint security solution	Manual, Disabled	1.1.0
Undergo independent security review	CMA_0515 - Undergo independent security review	Manual, Disabled	1.1.0

0605.10h1System.12-10.h 10.04 Security of System Files

ID: 0605.10h1System.12-10.h Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Establish and document change control processes	CMA_0265 - Establish and document change control processes	Manual, Disabled	1.1.0
Limit privileges to make changes in production environment	CMA_C1206 - Limit privileges to make changes in production environment	Manual, Disabled	1.1.0
Review and reevaluate privileges	CMA_C1207 - Review and reevaluate privileges	Manual, Disabled	1.1.0
Vulnerabilities in security configuration on your machines should be remediated	Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations	AuditIfNotExists, Disabled	3.1.0
Windows machines should meet requirements for 'Security Options - Audit'	Windows machines should have the specified Group Policy settings in the category 'Security Options - Audit' for forcing audit policy subcategory and shutting down if unable to log security audits. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.	AuditIfNotExists, Disabled	3.0.0
Windows machines should meet requirements for 'System Audit Policies - Account Management'	Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Management' for auditing application, security, and user group management, and other management events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.	AuditIfNotExists, Disabled	3.0.0

0613.06h1Organizational.12-06.h 06.02 Compliance with Security Policies and Standards, and Technical Compliance

ID: 0613.06h1Organizational.12-06.h Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Perform vulnerability scans	CMA_0393 - Perform vulnerability scans	Manual, Disabled	1.1.0
Remediate information system flaws	CMA_0427 - Remediate information system flaws	Manual, Disabled	1.1.0

0614.06h2Organizational.12-06.h 06.02 Compliance with Security Policies and Standards, and Technical Compliance

ID: 0614.06h2Organizational.12-06.h Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Assess Security Controls	CMA_C1145 - Assess Security Controls	Manual, Disabled	1.1.0
Deliver security assessment results	CMA_C1147 - Deliver security assessment results	Manual, Disabled	1.1.0
Develop security assessment plan	CMA_C1144 - Develop security assessment plan	Manual, Disabled	1.1.0
Produce Security Assessment report	CMA_C1146 - Produce Security Assessment report	Manual, Disabled	1.1.0
Remediate information system flaws	CMA_0427 - Remediate information system flaws	Manual, Disabled	1.1.0
Select additional testing for security control assessments	CMA_C1149 - Select additional testing for security control assessments	Manual, Disabled	1.1.0

0615.06h2Organizational.3-06.h 06.02 Compliance with Security Policies and Standards, and Technical Compliance

ID: 0615.06h2Organizational.3-06.h Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Remediate information system flaws	CMA_0427 - Remediate information system flaws	Manual, Disabled	1.1.0

0618.09b1System.1-09.b 09.01 Documented Operating Procedures

ID: 0618.09b1System.1-09.b Ownership: Shared

0626.10h1System.3-10.h 10.04 Security of System Files

ID: 0626.10h1System.3-10.h Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Employ automatic shutdown/restart when violations are detected	CMA_C1715 - Employ automatic shutdown/restart when violations are detected	Manual, Disabled	1.1.0
Verify software, firmware and information integrity	CMA_0542 - Verify software, firmware and information integrity	Manual, Disabled	1.1.0
View and configure system diagnostic data	CMA_0544 - View and configure system diagnostic data	Manual, Disabled	1.1.0

0627.10h1System.45-10.h 10.04 Security of System Files

ID: 0627.10h1System.45-10.h Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Configure actions for noncompliant devices	CMA_0062 - Configure actions for noncompliant devices	Manual, Disabled	1.1.0
Develop and maintain baseline configurations	CMA_0153 - Develop and maintain baseline configurations	Manual, Disabled	1.1.0
Enforce security configuration settings	CMA_0249 - Enforce security configuration settings	Manual, Disabled	1.1.0
Ensure security safeguards not needed when the individuals return	CMA_C1183 - Ensure security safeguards not needed when the individuals return	Manual, Disabled	1.1.0
Establish a configuration control board	CMA_0254 - Establish a configuration control board	Manual, Disabled	1.1.0
Establish and document a configuration management plan	CMA_0264 - Establish and document a configuration management plan	Manual, Disabled	1.1.0
Implement an automated configuration management tool	CMA_0311 - Implement an automated configuration management tool	Manual, Disabled	1.1.0
Not allow for information systems to accompany with individuals	CMA_C1182 - Not allow for information systems to accompany with individuals	Manual, Disabled	1.1.0
Retain previous versions of baseline configs	CMA_C1181 - Retain previous versions of baseline configs	Manual, Disabled	1.1.0
Verify software, firmware and information integrity	CMA_0542 - Verify software, firmware and information integrity	Manual, Disabled	1.1.0
View and configure system diagnostic data	CMA_0544 - View and configure system diagnostic data	Manual, Disabled	1.1.0

0628.10h1System.6-10.h 10.04 Security of System Files

ID: 0628.10h1System.6-10.h Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Employ automatic shutdown/restart when violations are detected	CMA_C1715 - Employ automatic shutdown/restart when violations are detected	Manual, Disabled	1.1.0
Incorporate flaw remediation into configuration management	CMA_C1671 - Incorporate flaw remediation into configuration management	Manual, Disabled	1.1.0
Remediate information system flaws	CMA_0427 - Remediate information system flaws	Manual, Disabled	1.1.0
Verify software, firmware and information integrity	CMA_0542 - Verify software, firmware and information integrity	Manual, Disabled	1.1.0

0635.10k1Organizational.12-10.k 10.05 Security In Development and Support Processes

ID: 0635.10k1Organizational.12-10.k Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Incorporate flaw remediation into configuration management	CMA_C1671 - Incorporate flaw remediation into configuration management	Manual, Disabled	1.1.0
Manage gateways	CMA_0363 - Manage gateways	Manual, Disabled	1.1.0
Perform a trend analysis on threats	CMA_0389 - Perform a trend analysis on threats	Manual, Disabled	1.1.0
Remediate information system flaws	CMA_0427 - Remediate information system flaws	Manual, Disabled	1.1.0
Review development process, standards and tools	CMA_C1610 - Review development process, standards and tools	Manual, Disabled	1.1.0
Review malware detections report weekly	CMA_0475 - Review malware detections report weekly	Manual, Disabled	1.1.0
Review threat protection status weekly	CMA_0479 - Review threat protection status weekly	Manual, Disabled	1.1.0
Update antivirus definitions	CMA_0517 - Update antivirus definitions	Manual, Disabled	1.1.0
Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking'	Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.	AuditIfNotExists, Disabled	3.0.0

0636.10k2Organizational.1-10.k 10.05 Security In Development and Support Processes

ID: 0636.10k2Organizational.1-10.k Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Create configuration plan protection	CMA_C1233 - Create configuration plan protection	Manual, Disabled	1.1.0
Develop and maintain baseline configurations	CMA_0153 - Develop and maintain baseline configurations	Manual, Disabled	1.1.0
Develop configuration item identification plan	CMA_C1231 - Develop configuration item identification plan	Manual, Disabled	1.1.0
Develop configuration management plan	CMA_C1232 - Develop configuration management plan	Manual, Disabled	1.1.0
Establish and document a configuration management plan	CMA_0264 - Establish and document a configuration management plan	Manual, Disabled	1.1.0
Implement an automated configuration management tool	CMA_0311 - Implement an automated configuration management tool	Manual, Disabled	1.1.0
Review and update configuration management policies and procedures	CMA_C1175 - Review and update configuration management policies and procedures	Manual, Disabled	1.1.0
Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking'	Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.	AuditIfNotExists, Disabled	3.0.0

0637.10k2Organizational.2-10.k 10.05 Security In Development and Support Processes

ID: 0637.10k2Organizational.2-10.k Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Create configuration plan protection	CMA_C1233 - Create configuration plan protection	Manual, Disabled	1.1.0
Develop and maintain baseline configurations	CMA_0153 - Develop and maintain baseline configurations	Manual, Disabled	1.1.0
Develop configuration item identification plan	CMA_C1231 - Develop configuration item identification plan	Manual, Disabled	1.1.0
Develop configuration management plan	CMA_C1232 - Develop configuration management plan	Manual, Disabled	1.1.0
Establish and document a configuration management plan	CMA_0264 - Establish and document a configuration management plan	Manual, Disabled	1.1.0
Implement an automated configuration management tool	CMA_0311 - Implement an automated configuration management tool	Manual, Disabled	1.1.0
Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking'	Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.	AuditIfNotExists, Disabled	3.0.0

0638.10k2Organizational.34569-10.k 10.05 Security In Development and Support Processes

ID: 0638.10k2Organizational.34569-10.k Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Automate implementation of approved change notifications	CMA_C1196 - Automate implementation of approved change notifications	Manual, Disabled	1.1.0
Automate process to document implemented changes	CMA_C1195 - Automate process to document implemented changes	Manual, Disabled	1.1.0
Automate process to highlight unreviewed change proposals	CMA_C1193 - Automate process to highlight unreviewed change proposals	Manual, Disabled	1.1.0
Automate process to prohibit implementation of unapproved changes	CMA_C1194 - Automate process to prohibit implementation of unapproved changes	Manual, Disabled	1.1.0
Automate proposed documented changes	CMA_C1191 - Automate proposed documented changes	Manual, Disabled	1.1.0
Conduct a security impact analysis	CMA_0057 - Conduct a security impact analysis	Manual, Disabled	1.1.0
Develop and maintain a vulnerability management standard	CMA_0152 - Develop and maintain a vulnerability management standard	Manual, Disabled	1.1.0
Establish a risk management strategy	CMA_0258 - Establish a risk management strategy	Manual, Disabled	1.1.0
Establish and document change control processes	CMA_0265 - Establish and document change control processes	Manual, Disabled	1.1.0
Establish configuration management requirements for developers	CMA_0270 - Establish configuration management requirements for developers	Manual, Disabled	1.1.0
Perform a privacy impact assessment	CMA_0387 - Perform a privacy impact assessment	Manual, Disabled	1.1.0
Perform a risk assessment	CMA_0388 - Perform a risk assessment	Manual, Disabled	1.1.0
Perform audit for configuration change control	CMA_0390 - Perform audit for configuration change control	Manual, Disabled	1.1.0
Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking'	Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.	AuditIfNotExists, Disabled	3.0.0

0639.10k2Organizational.78-10.k 10.05 Security In Development and Support Processes

ID: 0639.10k2Organizational.78-10.k Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Configure actions for noncompliant devices	CMA_0062 - Configure actions for noncompliant devices	Manual, Disabled	1.1.0
Develop and maintain baseline configurations	CMA_0153 - Develop and maintain baseline configurations	Manual, Disabled	1.1.0
Enforce security configuration settings	CMA_0249 - Enforce security configuration settings	Manual, Disabled	1.1.0
Establish a configuration control board	CMA_0254 - Establish a configuration control board	Manual, Disabled	1.1.0
Establish and document a configuration management plan	CMA_0264 - Establish and document a configuration management plan	Manual, Disabled	1.1.0
Implement an automated configuration management tool	CMA_0311 - Implement an automated configuration management tool	Manual, Disabled	1.1.0
Remediate information system flaws	CMA_0427 - Remediate information system flaws	Manual, Disabled	1.1.0
Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking'	Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.	AuditIfNotExists, Disabled	3.0.0

0640.10k2Organizational.1012-10.k 10.05 Security In Development and Support Processes

ID: 0640.10k2Organizational.1012-10.k Ownership: Shared

0641.10k2Organizational.11-10.k 10.05 Security In Development and Support Processes

ID: 0641.10k2Organizational.11-10.k Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Conduct a security impact analysis	CMA_0057 - Conduct a security impact analysis	Manual, Disabled	1.1.0
Develop and establish a system security plan	CMA_0151 - Develop and establish a system security plan	Manual, Disabled	1.1.0
Develop and maintain a vulnerability management standard	CMA_0152 - Develop and maintain a vulnerability management standard	Manual, Disabled	1.1.0
Establish a risk management strategy	CMA_0258 - Establish a risk management strategy	Manual, Disabled	1.1.0
Establish and document change control processes	CMA_0265 - Establish and document change control processes	Manual, Disabled	1.1.0
Establish configuration management requirements for developers	CMA_0270 - Establish configuration management requirements for developers	Manual, Disabled	1.1.0
Establish security requirements for the manufacturing of connected devices	CMA_0279 - Establish security requirements for the manufacturing of connected devices	Manual, Disabled	1.1.0
Implement security engineering principles of information systems	CMA_0325 - Implement security engineering principles of information systems	Manual, Disabled	1.1.0
Perform a privacy impact assessment	CMA_0387 - Perform a privacy impact assessment	Manual, Disabled	1.1.0
Perform a risk assessment	CMA_0388 - Perform a risk assessment	Manual, Disabled	1.1.0
Perform audit for configuration change control	CMA_0390 - Perform audit for configuration change control	Manual, Disabled	1.1.0
Review development process, standards and tools	CMA_C1610 - Review development process, standards and tools	Manual, Disabled	1.1.0
Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking'	Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.	AuditIfNotExists, Disabled	3.0.0

0642.10k3Organizational.12-10.k 10.05 Security In Development and Support Processes

ID: 0642.10k3Organizational.12-10.k Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Configure actions for noncompliant devices	CMA_0062 - Configure actions for noncompliant devices	Manual, Disabled	1.1.0
Develop and maintain baseline configurations	CMA_0153 - Develop and maintain baseline configurations	Manual, Disabled	1.1.0
Enforce security configuration settings	CMA_0249 - Enforce security configuration settings	Manual, Disabled	1.1.0
Establish a configuration control board	CMA_0254 - Establish a configuration control board	Manual, Disabled	1.1.0
Establish and document a configuration management plan	CMA_0264 - Establish and document a configuration management plan	Manual, Disabled	1.1.0
Implement an automated configuration management tool	CMA_0311 - Implement an automated configuration management tool	Manual, Disabled	1.1.0
Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking'	Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.	AuditIfNotExists, Disabled	3.0.0

0643.10k3Organizational.3-10.k 10.05 Security In Development and Support Processes

ID: 0643.10k3Organizational.3-10.k Ownership: Shared

0644.10k3Organizational.4-10.k 10.05 Security In Development and Support Processes

ID: 0644.10k3Organizational.4-10.k Ownership: Shared

0662.09sCSPOrganizational.2-09.s 09.08 Exchange of Information

ID: 0662.09sCSPOrganizational.2-09.s Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
App Service apps should have Client Certificates (Incoming client certificates) enabled	Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy applies to apps with Http version set to 1.1.	AuditIfNotExists, Disabled	1.0.0
Employ independent assessors to conduct security control assessments	CMA_C1148 - Employ independent assessors to conduct security control assessments	Manual, Disabled	1.1.0
Select additional testing for security control assessments	CMA_C1149 - Select additional testing for security control assessments	Manual, Disabled	1.1.0

0663.10h1System.7-10.h 10.04 Security of System Files

ID: 0663.10h1System.7-10.h Ownership: Shared

0669.10hCSPSystem.1-10.h 10.04 Security of System Files

ID: 0669.10hCSPSystem.1-10.h Ownership: Shared

0670.10hCSPSystem.2-10.h 10.04 Security of System Files

ID: 0670.10hCSPSystem.2-10.h Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Adhere to retention periods defined	CMA_0004 - Adhere to retention periods defined	Manual, Disabled	1.1.0
Perform disposition review	CMA_0391 - Perform disposition review	Manual, Disabled	1.1.0
Verify personal data is deleted at the end of processing	CMA_0540 - Verify personal data is deleted at the end of processing	Manual, Disabled	1.1.0

0671.10k1System.1-10.k 10.05 Security In Development and Support Processes

ID: 0671.10k1System.1-10.k Ownership: Shared

0672.10k3System.5-10.k 10.05 Security In Development and Support Processes

ID: 0672.10k3System.5-10.k Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Conduct a security impact analysis	CMA_0057 - Conduct a security impact analysis	Manual, Disabled	1.1.0
Develop and maintain a vulnerability management standard	CMA_0152 - Develop and maintain a vulnerability management standard	Manual, Disabled	1.1.0
Employ automatic shutdown/restart when violations are detected	CMA_C1715 - Employ automatic shutdown/restart when violations are detected	Manual, Disabled	1.1.0
Establish a risk management strategy	CMA_0258 - Establish a risk management strategy	Manual, Disabled	1.1.0
Establish and document change control processes	CMA_0265 - Establish and document change control processes	Manual, Disabled	1.1.0
Establish configuration management requirements for developers	CMA_0270 - Establish configuration management requirements for developers	Manual, Disabled	1.1.0
Perform a privacy impact assessment	CMA_0387 - Perform a privacy impact assessment	Manual, Disabled	1.1.0
Perform a risk assessment	CMA_0388 - Perform a risk assessment	Manual, Disabled	1.1.0
Perform audit for configuration change control	CMA_0390 - Perform audit for configuration change control	Manual, Disabled	1.1.0
Prohibit binary/machine-executable code	CMA_C1717 - Prohibit binary/machine-executable code	Manual, Disabled	1.1.0
Verify software, firmware and information integrity	CMA_0542 - Verify software, firmware and information integrity	Manual, Disabled	1.1.0
View and configure system diagnostic data	CMA_0544 - View and configure system diagnostic data	Manual, Disabled	1.1.0

068.06g2Organizational.34-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance

ID: 068.06g2Organizational.34-06.g Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Assess Security Controls	CMA_C1145 - Assess Security Controls	Manual, Disabled	1.1.0
Deliver security assessment results	CMA_C1147 - Deliver security assessment results	Manual, Disabled	1.1.0
Develop security assessment plan	CMA_C1144 - Develop security assessment plan	Manual, Disabled	1.1.0
Employ independent assessors for continuous monitoring	CMA_C1168 - Employ independent assessors for continuous monitoring	Manual, Disabled	1.1.0
Employ independent assessors to conduct security control assessments	CMA_C1148 - Employ independent assessors to conduct security control assessments	Manual, Disabled	1.1.0
Produce Security Assessment report	CMA_C1146 - Produce Security Assessment report	Manual, Disabled	1.1.0

069.06g2Organizational.56-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance

ID: 069.06g2Organizational.56-06.g Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Conduct Risk Assessment	CMA_C1543 - Conduct Risk Assessment	Manual, Disabled	1.1.0
Conduct risk assessment and distribute its results	CMA_C1544 - Conduct risk assessment and distribute its results	Manual, Disabled	1.1.0
Conduct risk assessment and document its results	CMA_C1542 - Conduct risk assessment and document its results	Manual, Disabled	1.1.0
Configure detection whitelist	CMA_0068 - Configure detection whitelist	Manual, Disabled	1.1.0
Perform a risk assessment	CMA_0388 - Perform a risk assessment	Manual, Disabled	1.1.0
Turn on sensors for endpoint security solution	CMA_0514 - Turn on sensors for endpoint security solution	Manual, Disabled	1.1.0
Undergo independent security review	CMA_0515 - Undergo independent security review	Manual, Disabled	1.1.0

07 Vulnerability Management

0701.07a1Organizational.12-07.a 07.01 Responsibility for Assets

ID: 0701.07a1Organizational.12-07.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Conduct exit interview upon termination	CMA_0058 - Conduct exit interview upon termination	Manual, Disabled	1.1.0
Create a data inventory	CMA_0096 - Create a data inventory	Manual, Disabled	1.1.0
Disable authenticators upon termination	CMA_0169 - Disable authenticators upon termination	Manual, Disabled	1.1.0
Establish and maintain an asset inventory	CMA_0266 - Establish and maintain an asset inventory	Manual, Disabled	1.1.0
Notify upon termination or transfer	CMA_0381 - Notify upon termination or transfer	Manual, Disabled	1.1.0
Protect against and prevent data theft from departing employees	CMA_0398 - Protect against and prevent data theft from departing employees	Manual, Disabled	1.1.0
Retain terminated user data	CMA_0455 - Retain terminated user data	Manual, Disabled	1.1.0

0702.07a1Organizational.3-07.a 07.01 Responsibility for Assets

ID: 0702.07a1Organizational.3-07.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Define information security roles and responsibilities	CMA_C1565 - Define information security roles and responsibilities	Manual, Disabled	1.1.0
Establish terms and conditions for processing resources	CMA_C1077 - Establish terms and conditions for processing resources	Manual, Disabled	1.1.0

0703.07a2Organizational.1-07.a 07.01 Responsibility for Assets

ID: 0703.07a2Organizational.1-07.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Create a data inventory	CMA_0096 - Create a data inventory	Manual, Disabled	1.1.0
Establish and maintain an asset inventory	CMA_0266 - Establish and maintain an asset inventory	Manual, Disabled	1.1.0
Maintain records of processing of personal data	CMA_0353 - Maintain records of processing of personal data	Manual, Disabled	1.1.0

0704.07a3Organizational.12-07.a 07.01 Responsibility for Assets

ID: 0704.07a3Organizational.12-07.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Create a data inventory	CMA_0096 - Create a data inventory	Manual, Disabled	1.1.0
Establish and maintain an asset inventory	CMA_0266 - Establish and maintain an asset inventory	Manual, Disabled	1.1.0
Maintain records of processing of personal data	CMA_0353 - Maintain records of processing of personal data	Manual, Disabled	1.1.0

0705.07a3Organizational.3-07.a 07.01 Responsibility for Assets

ID: 0705.07a3Organizational.3-07.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Define information security roles and responsibilities	CMA_C1565 - Define information security roles and responsibilities	Manual, Disabled	1.1.0
Identify individuals with security roles and responsibilities	CMA_C1566 - Identify individuals with security roles and responsibilities	Manual, Disabled	1.1.1
Integrate risk management process into SDLC	CMA_C1567 - Integrate risk management process into SDLC	Manual, Disabled	1.1.0

0706.10b1System.12-10.b 10.02 Correct Processing in Applications

ID: 0706.10b1System.12-10.b Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Define information security roles and responsibilities	CMA_C1565 - Define information security roles and responsibilities	Manual, Disabled	1.1.0
Identify individuals with security roles and responsibilities	CMA_C1566 - Identify individuals with security roles and responsibilities	Manual, Disabled	1.1.1
Integrate risk management process into SDLC	CMA_C1567 - Integrate risk management process into SDLC	Manual, Disabled	1.1.0
Perform information input validation	CMA_C1723 - Perform information input validation	Manual, Disabled	1.1.0

0708.10b2System.2-10.b 10.02 Correct Processing in Applications

ID: 0708.10b2System.2-10.b Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Review and update information integrity policies and procedures	CMA_C1667 - Review and update information integrity policies and procedures	Manual, Disabled	1.1.0
Verify software, firmware and information integrity	CMA_0542 - Verify software, firmware and information integrity	Manual, Disabled	1.1.0
View and configure system diagnostic data	CMA_0544 - View and configure system diagnostic data	Manual, Disabled	1.1.0

0709.10m1Organizational.1-10.m 10.06 Technical Vulnerability Management

ID: 0709.10m1Organizational.1-10.m Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
A vulnerability assessment solution should be enabled on your virtual machines	Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.	AuditIfNotExists, Disabled	3.0.0
Assess Security Controls	CMA_C1145 - Assess Security Controls	Manual, Disabled	1.1.0
Deliver security assessment results	CMA_C1147 - Deliver security assessment results	Manual, Disabled	1.1.0
Develop security assessment plan	CMA_C1144 - Develop security assessment plan	Manual, Disabled	1.1.0
Produce Security Assessment report	CMA_C1146 - Produce Security Assessment report	Manual, Disabled	1.1.0
Select additional testing for security control assessments	CMA_C1149 - Select additional testing for security control assessments	Manual, Disabled	1.1.0
SQL databases should have vulnerability findings resolved	Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities.	AuditIfNotExists, Disabled	4.1.0
Vulnerabilities in container security configurations should be remediated	Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.	AuditIfNotExists, Disabled	3.0.0
Vulnerabilities in security configuration on your machines should be remediated	Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations	AuditIfNotExists, Disabled	3.1.0
Vulnerabilities in security configuration on your virtual machine scale sets should be remediated	Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks.	AuditIfNotExists, Disabled	3.0.0
Vulnerability assessment should be enabled on SQL Managed Instance	Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.	AuditIfNotExists, Disabled	1.0.1
Vulnerability assessment should be enabled on your SQL servers	Audit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.	AuditIfNotExists, Disabled	3.0.0
Windows machines should meet requirements for 'Security Options - Microsoft Network Server'	Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Server' for disabling SMB v1 server. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.	AuditIfNotExists, Disabled	3.0.0

0710.10m2Organizational.1-10.m 10.06 Technical Vulnerability Management

ID: 0710.10m2Organizational.1-10.m Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Configure actions for noncompliant devices	CMA_0062 - Configure actions for noncompliant devices	Manual, Disabled	1.1.0
Develop and maintain baseline configurations	CMA_0153 - Develop and maintain baseline configurations	Manual, Disabled	1.1.0
Enforce security configuration settings	CMA_0249 - Enforce security configuration settings	Manual, Disabled	1.1.0
Establish a configuration control board	CMA_0254 - Establish a configuration control board	Manual, Disabled	1.1.0
Establish and document a configuration management plan	CMA_0264 - Establish and document a configuration management plan	Manual, Disabled	1.1.0
Govern compliance of cloud service providers	CMA_0290 - Govern compliance of cloud service providers	Manual, Disabled	1.1.0
Implement an automated configuration management tool	CMA_0311 - Implement an automated configuration management tool	Manual, Disabled	1.1.0
View and configure system diagnostic data	CMA_0544 - View and configure system diagnostic data	Manual, Disabled	1.1.0
Vulnerability assessment should be enabled on SQL Managed Instance	Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.	AuditIfNotExists, Disabled	1.0.1

0711.10m2Organizational.23-10.m 10.06 Technical Vulnerability Management

ID: 0711.10m2Organizational.23-10.m Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
A vulnerability assessment solution should be enabled on your virtual machines	Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.	AuditIfNotExists, Disabled	3.0.0
Observe and report security weaknesses	CMA_0384 - Observe and report security weaknesses	Manual, Disabled	1.1.0
Perform a trend analysis on threats	CMA_0389 - Perform a trend analysis on threats	Manual, Disabled	1.1.0
Perform threat modeling	CMA_0392 - Perform threat modeling	Manual, Disabled	1.1.0

0712.10m2Organizational.4-10.m 10.06 Technical Vulnerability Management

ID: 0712.10m2Organizational.4-10.m Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Employ independent team for penetration testing	CMA_C1171 - Employ independent team for penetration testing	Manual, Disabled	1.1.0
Select additional testing for security control assessments	CMA_C1149 - Select additional testing for security control assessments	Manual, Disabled	1.1.0

0713.10m2Organizational.5-10.m 10.06 Technical Vulnerability Management

ID: 0713.10m2Organizational.5-10.m Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Automate flaw remediation	CMA_0027 - Automate flaw remediation	Manual, Disabled	1.1.0
Establish benchmarks for flaw remediation	CMA_C1675 - Establish benchmarks for flaw remediation	Manual, Disabled	1.1.0
Incorporate flaw remediation into configuration management	CMA_C1671 - Incorporate flaw remediation into configuration management	Manual, Disabled	1.1.0
Measure the time between flaw identification and flaw remediation	CMA_C1674 - Measure the time between flaw identification and flaw remediation	Manual, Disabled	1.1.0
Vulnerabilities in security configuration on your machines should be remediated	Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations	AuditIfNotExists, Disabled	3.1.0

0714.10m2Organizational.7-10.m 10.06 Technical Vulnerability Management

ID: 0714.10m2Organizational.7-10.m Ownership: Shared

0715.10m2Organizational.8-10.m 10.06 Technical Vulnerability Management

ID: 0715.10m2Organizational.8-10.m Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Vulnerabilities in container security configurations should be remediated	Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.	AuditIfNotExists, Disabled	3.0.0

0716.10m3Organizational.1-10.m 10.06 Technical Vulnerability Management

ID: 0716.10m3Organizational.1-10.m Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Assess Security Controls	CMA_C1145 - Assess Security Controls	Manual, Disabled	1.1.0
Deliver security assessment results	CMA_C1147 - Deliver security assessment results	Manual, Disabled	1.1.0
Develop security assessment plan	CMA_C1144 - Develop security assessment plan	Manual, Disabled	1.1.0
Produce Security Assessment report	CMA_C1146 - Produce Security Assessment report	Manual, Disabled	1.1.0
SQL databases should have vulnerability findings resolved	Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities.	AuditIfNotExists, Disabled	4.1.0

0717.10m3Organizational.2-10.m 10.06 Technical Vulnerability Management

ID: 0717.10m3Organizational.2-10.m Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Observe and report security weaknesses	CMA_0384 - Observe and report security weaknesses	Manual, Disabled	1.1.0
Perform threat modeling	CMA_0392 - Perform threat modeling	Manual, Disabled	1.1.0
Vulnerabilities in security configuration on your virtual machine scale sets should be remediated	Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks.	AuditIfNotExists, Disabled	3.0.0

0718.10m3Organizational.34-10.m 10.06 Technical Vulnerability Management

ID: 0718.10m3Organizational.34-10.m Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Automate flaw remediation	CMA_0027 - Automate flaw remediation	Manual, Disabled	1.1.0
Observe and report security weaknesses	CMA_0384 - Observe and report security weaknesses	Manual, Disabled	1.1.0
Perform threat modeling	CMA_0392 - Perform threat modeling	Manual, Disabled	1.1.0
Vulnerabilities in security configuration on your machines should be remediated	Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations	AuditIfNotExists, Disabled	3.1.0

0719.10m3Organizational.5-10.m 10.06 Technical Vulnerability Management

ID: 0719.10m3Organizational.5-10.m Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Observe and report security weaknesses	CMA_0384 - Observe and report security weaknesses	Manual, Disabled	1.1.0
Perform threat modeling	CMA_0392 - Perform threat modeling	Manual, Disabled	1.1.0
Vulnerability assessment should be enabled on SQL Managed Instance	Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.	AuditIfNotExists, Disabled	1.0.1

0720.07a1Organizational.4-07.a 07.01 Responsibility for Assets

ID: 0720.07a1Organizational.4-07.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Create a data inventory	CMA_0096 - Create a data inventory	Manual, Disabled	1.1.0
Maintain records of processing of personal data	CMA_0353 - Maintain records of processing of personal data	Manual, Disabled	1.1.0

0722.07a1Organizational.67-07.a 07.01 Responsibility for Assets

ID: 0722.07a1Organizational.67-07.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Require compliance with intellectual property rights	CMA_0432 - Require compliance with intellectual property rights	Manual, Disabled	1.1.0
Restrict use of open source software	CMA_C1237 - Restrict use of open source software	Manual, Disabled	1.1.0
Track software license usage	CMA_C1235 - Track software license usage	Manual, Disabled	1.1.0

0723.07a1Organizational.8-07.a 07.01 Responsibility for Assets

ID: 0723.07a1Organizational.8-07.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Review and update media protection policies and procedures	CMA_C1427 - Review and update media protection policies and procedures	Manual, Disabled	1.1.0

0724.07a3Organizational.4-07.a 07.01 Responsibility for Assets

ID: 0724.07a3Organizational.4-07.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Enable detection of network devices	CMA_0220 - Enable detection of network devices	Manual, Disabled	1.1.0
Manage gateways	CMA_0363 - Manage gateways	Manual, Disabled	1.1.0
Review malware detections report weekly	CMA_0475 - Review malware detections report weekly	Manual, Disabled	1.1.0
Review threat protection status weekly	CMA_0479 - Review threat protection status weekly	Manual, Disabled	1.1.0
Set automated notifications for new and trending cloud applications in your organization	CMA_0495 - Set automated notifications for new and trending cloud applications in your organization	Manual, Disabled	1.1.0
Update antivirus definitions	CMA_0517 - Update antivirus definitions	Manual, Disabled	1.1.0

0725.07a3Organizational.5-07.a 07.01 Responsibility for Assets

ID: 0725.07a3Organizational.5-07.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Create a data inventory	CMA_0096 - Create a data inventory	Manual, Disabled	1.1.0
Establish and maintain an asset inventory	CMA_0266 - Establish and maintain an asset inventory	Manual, Disabled	1.1.0
Maintain records of processing of personal data	CMA_0353 - Maintain records of processing of personal data	Manual, Disabled	1.1.0

0733.10b2System.4-10.b 10.02 Correct Processing in Applications

ID: 0733.10b2System.4-10.b Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Perform information input validation	CMA_C1723 - Perform information input validation	Manual, Disabled	1.1.0
Verify software, firmware and information integrity	CMA_0542 - Verify software, firmware and information integrity	Manual, Disabled	1.1.0

0786.10m2Organizational.13-10.m 10.06 Technical Vulnerability Management

ID: 0786.10m2Organizational.13-10.m Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Incorporate flaw remediation into configuration management	CMA_C1671 - Incorporate flaw remediation into configuration management	Manual, Disabled	1.1.0

0787.10m2Organizational.14-10.m 10.06 Technical Vulnerability Management

ID: 0787.10m2Organizational.14-10.m Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Automate flaw remediation	CMA_0027 - Automate flaw remediation	Manual, Disabled	1.1.0
Establish benchmarks for flaw remediation	CMA_C1675 - Establish benchmarks for flaw remediation	Manual, Disabled	1.1.0
Incorporate flaw remediation into configuration management	CMA_C1671 - Incorporate flaw remediation into configuration management	Manual, Disabled	1.1.0
Measure the time between flaw identification and flaw remediation	CMA_C1674 - Measure the time between flaw identification and flaw remediation	Manual, Disabled	1.1.0

0788.10m3Organizational.20-10.m 10.06 Technical Vulnerability Management

ID: 0788.10m3Organizational.20-10.m Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Employ independent team for penetration testing	CMA_C1171 - Employ independent team for penetration testing	Manual, Disabled	1.1.0

0790.10m3Organizational.22-10.m 10.06 Technical Vulnerability Management

ID: 0790.10m3Organizational.22-10.m Ownership: Shared

0791.10b2Organizational.4-10.b 10.02 Correct Processing in Applications

ID: 0791.10b2Organizational.4-10.b Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Address coding vulnerabilities	CMA_0003 - Address coding vulnerabilities	Manual, Disabled	1.1.0
Develop and document application security requirements	CMA_0148 - Develop and document application security requirements	Manual, Disabled	1.1.0
Document the information system environment in acquisition contracts	CMA_0205 - Document the information system environment in acquisition contracts	Manual, Disabled	1.1.0
Establish a secure software development program	CMA_0259 - Establish a secure software development program	Manual, Disabled	1.1.0
Require developers to document approved changes and potential impact	CMA_C1597 - Require developers to document approved changes and potential impact	Manual, Disabled	1.1.0
Require developers to implement only approved changes	CMA_C1596 - Require developers to implement only approved changes	Manual, Disabled	1.1.0
Require developers to manage change integrity	CMA_C1595 - Require developers to manage change integrity	Manual, Disabled	1.1.0
Verify software, firmware and information integrity	CMA_0542 - Verify software, firmware and information integrity	Manual, Disabled	1.1.0

08 Network Protection

0805.01m1Organizational.12-01.m 01.04 Network Access Control

ID: 0805.01m1Organizational.12-01.m Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
[Preview]: Container Registry should use a virtual network service endpoint	This policy audits any Container Registry not configured to use a virtual network service endpoint.	Audit, Disabled	1.0.0-preview
App Service apps should use a virtual network service endpoint	Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit https://aka.ms/appservice-vnet-service-endpoint.	AuditIfNotExists, Disabled	2.0.1
Cosmos DB should use a virtual network service endpoint	This policy audits any Cosmos DB not configured to use a virtual network service endpoint.	Audit, Disabled	1.0.0
Event Hub should use a virtual network service endpoint	This policy audits any Event Hub not configured to use a virtual network service endpoint.	AuditIfNotExists, Disabled	1.0.0
Gateway subnets should not be configured with a network security group	This policy denies if a gateway subnet is configured with a network security group. Assigning a network security group to a gateway subnet will cause the gateway to stop functioning.	deny	1.0.0
Implement system boundary protection	CMA_0328 - Implement system boundary protection	Manual, Disabled	1.1.0
Internet-facing virtual machines should be protected with network security groups	Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc	AuditIfNotExists, Disabled	3.0.0
Key Vault should use a virtual network service endpoint	This policy audits any Key Vault not configured to use a virtual network service endpoint.	Audit, Disabled	1.0.0
SQL Server should use a virtual network service endpoint	This policy audits any SQL Server not configured to use a virtual network service endpoint.	AuditIfNotExists, Disabled	1.0.0
Storage Accounts should use a virtual network service endpoint	This policy audits any Storage Account not configured to use a virtual network service endpoint.	Audit, Disabled	1.0.0
Subnets should be associated with a Network Security Group	Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.	AuditIfNotExists, Disabled	3.0.0
Virtual machines should be connected to an approved virtual network	This policy audits any virtual machine connected to a virtual network that is not approved.	Audit, Deny, Disabled	1.0.0

0806.01m2Organizational.12356-01.m 01.04 Network Access Control

ID: 0806.01m2Organizational.12356-01.m Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
[Preview]: Container Registry should use a virtual network service endpoint	This policy audits any Container Registry not configured to use a virtual network service endpoint.	Audit, Disabled	1.0.0-preview
App Service apps should use a virtual network service endpoint	Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit https://aka.ms/appservice-vnet-service-endpoint.	AuditIfNotExists, Disabled	2.0.1
Cosmos DB should use a virtual network service endpoint	This policy audits any Cosmos DB not configured to use a virtual network service endpoint.	Audit, Disabled	1.0.0
Event Hub should use a virtual network service endpoint	This policy audits any Event Hub not configured to use a virtual network service endpoint.	AuditIfNotExists, Disabled	1.0.0
Gateway subnets should not be configured with a network security group	This policy denies if a gateway subnet is configured with a network security group. Assigning a network security group to a gateway subnet will cause the gateway to stop functioning.	deny	1.0.0
Implement system boundary protection	CMA_0328 - Implement system boundary protection	Manual, Disabled	1.1.0
Internet-facing virtual machines should be protected with network security groups	Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc	AuditIfNotExists, Disabled	3.0.0
Isolate SecurID systems, Security Incident Management systems	CMA_C1636 - Isolate SecurID systems, Security Incident Management systems	Manual, Disabled	1.1.0
Key Vault should use a virtual network service endpoint	This policy audits any Key Vault not configured to use a virtual network service endpoint.	Audit, Disabled	1.0.0
SQL Server should use a virtual network service endpoint	This policy audits any SQL Server not configured to use a virtual network service endpoint.	AuditIfNotExists, Disabled	1.0.0
Storage Accounts should use a virtual network service endpoint	This policy audits any Storage Account not configured to use a virtual network service endpoint.	Audit, Disabled	1.0.0
Subnets should be associated with a Network Security Group	Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.	AuditIfNotExists, Disabled	3.0.0
Virtual machines should be connected to an approved virtual network	This policy audits any virtual machine connected to a virtual network that is not approved.	Audit, Deny, Disabled	1.0.0

0808.10b2System.3-10.b 10.02 Correct Processing in Applications

ID: 0808.10b2System.3-10.b Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Implement system boundary protection	CMA_0328 - Implement system boundary protection	Manual, Disabled	1.1.0
Route traffic through authenticated proxy network	CMA_C1633 - Route traffic through authenticated proxy network	Manual, Disabled	1.1.0

0809.01n2Organizational.1234-01.n 01.04 Network Access Control

ID: 0809.01n2Organizational.1234-01.n Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Adaptive network hardening recommendations should be applied on internet facing virtual machines	Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface	AuditIfNotExists, Disabled	3.0.0
App Service apps should only be accessible over HTTPS	Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.	Audit, Disabled, Deny	4.0.0
App Service apps should use the latest TLS version	Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.	AuditIfNotExists, Disabled	2.0.1
Authorize, monitor, and control voip	CMA_0025 - Authorize, monitor, and control voip	Manual, Disabled	1.1.0
Enforce SSL connection should be enabled for MySQL database servers	Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.	Audit, Disabled	1.0.1
Enforce SSL connection should be enabled for PostgreSQL database servers	Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.	Audit, Disabled	1.0.1
Function apps should only be accessible over HTTPS	Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.	Audit, Disabled, Deny	5.0.0
Function apps should use the latest TLS version	Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.	AuditIfNotExists, Disabled	2.0.1
Implement managed interface for each external service	CMA_C1626 - Implement managed interface for each external service	Manual, Disabled	1.1.0
Implement system boundary protection	CMA_0328 - Implement system boundary protection	Manual, Disabled	1.1.0
Internet-facing virtual machines should be protected with network security groups	Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc	AuditIfNotExists, Disabled	3.0.0
Manage gateways	CMA_0363 - Manage gateways	Manual, Disabled	1.1.0
Only secure connections to your Azure Cache for Redis should be enabled	Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking	Audit, Deny, Disabled	1.0.0
Route traffic through managed network access points	CMA_0484 - Route traffic through managed network access points	Manual, Disabled	1.1.0
Secure the interface to external systems	CMA_0491 - Secure the interface to external systems	Manual, Disabled	1.1.0
Secure transfer to storage accounts should be enabled	Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking	Audit, Deny, Disabled	2.0.0
Subnets should be associated with a Network Security Group	Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.	AuditIfNotExists, Disabled	3.0.0
Virtual machines should be connected to an approved virtual network	This policy audits any virtual machine connected to a virtual network that is not approved.	Audit, Deny, Disabled	1.0.0

0810.01n2Organizational.5-01.n 01.04 Network Access Control

ID: 0810.01n2Organizational.5-01.n Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Adaptive network hardening recommendations should be applied on internet facing virtual machines	Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface	AuditIfNotExists, Disabled	3.0.0
App Service apps should only be accessible over HTTPS	Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.	Audit, Disabled, Deny	4.0.0
App Service apps should use the latest TLS version	Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.	AuditIfNotExists, Disabled	2.0.1
Configure workstations to check for digital certificates	CMA_0073 - Configure workstations to check for digital certificates	Manual, Disabled	1.1.0
Define cryptographic use	CMA_0120 - Define cryptographic use	Manual, Disabled	1.1.0
Enforce SSL connection should be enabled for MySQL database servers	Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.	Audit, Disabled	1.0.1
Enforce SSL connection should be enabled for PostgreSQL database servers	Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.	Audit, Disabled	1.0.1
Function apps should only be accessible over HTTPS	Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.	Audit, Disabled, Deny	5.0.0
Function apps should use the latest TLS version	Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.	AuditIfNotExists, Disabled	2.0.1
Internet-facing virtual machines should be protected with network security groups	Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc	AuditIfNotExists, Disabled	3.0.0
Only secure connections to your Azure Cache for Redis should be enabled	Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking	Audit, Deny, Disabled	1.0.0
Produce, control and distribute asymmetric cryptographic keys	CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys	Manual, Disabled	1.1.0
Protect data in transit using encryption	CMA_0403 - Protect data in transit using encryption	Manual, Disabled	1.1.0
Protect passwords with encryption	CMA_0408 - Protect passwords with encryption	Manual, Disabled	1.1.0
Secure transfer to storage accounts should be enabled	Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking	Audit, Deny, Disabled	2.0.0
Subnets should be associated with a Network Security Group	Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.	AuditIfNotExists, Disabled	3.0.0
Virtual machines should be connected to an approved virtual network	This policy audits any virtual machine connected to a virtual network that is not approved.	Audit, Deny, Disabled	1.0.0

08101.09m2Organizational.14-09.m 09.06 Network Security Management

ID: 08101.09m2Organizational.14-09.m Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Configure workstations to check for digital certificates	CMA_0073 - Configure workstations to check for digital certificates	Manual, Disabled	1.1.0
Employ a media sanitization mechanism	CMA_0208 - Employ a media sanitization mechanism	Manual, Disabled	1.1.0
Implement controls to secure all media	CMA_0314 - Implement controls to secure all media	Manual, Disabled	1.1.0
Implement system boundary protection	CMA_0328 - Implement system boundary protection	Manual, Disabled	1.1.0
Manage the transportation of assets	CMA_0370 - Manage the transportation of assets	Manual, Disabled	1.1.0
Protect data in transit using encryption	CMA_0403 - Protect data in transit using encryption	Manual, Disabled	1.1.0
Protect passwords with encryption	CMA_0408 - Protect passwords with encryption	Manual, Disabled	1.1.0
Secure the interface to external systems	CMA_0491 - Secure the interface to external systems	Manual, Disabled	1.1.0

08102.09nCSPOrganizational.1-09.n 09.06 Network Security Management

ID: 08102.09nCSPOrganizational.1-09.n Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Implement system boundary protection	CMA_0328 - Implement system boundary protection	Manual, Disabled	1.1.0
Secure the interface to external systems	CMA_0491 - Secure the interface to external systems	Manual, Disabled	1.1.0

0811.01n2Organizational.6-01.n 01.04 Network Access Control

ID: 0811.01n2Organizational.6-01.n Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Adaptive network hardening recommendations should be applied on internet facing virtual machines	Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface	AuditIfNotExists, Disabled	3.0.0
App Service apps should only be accessible over HTTPS	Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.	Audit, Disabled, Deny	4.0.0
App Service apps should use the latest TLS version	Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.	AuditIfNotExists, Disabled	2.0.1
Authorize, monitor, and control voip	CMA_0025 - Authorize, monitor, and control voip	Manual, Disabled	1.1.0
Control information flow	CMA_0079 - Control information flow	Manual, Disabled	1.1.0
Determine information protection needs	CMA_C1750 - Determine information protection needs	Manual, Disabled	1.1.0
Employ flow control mechanisms of encrypted information	CMA_0211 - Employ flow control mechanisms of encrypted information	Manual, Disabled	1.1.0
Enforce SSL connection should be enabled for MySQL database servers	Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.	Audit, Disabled	1.0.1
Enforce SSL connection should be enabled for PostgreSQL database servers	Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.	Audit, Disabled	1.0.1
Establish firewall and router configuration standards	CMA_0272 - Establish firewall and router configuration standards	Manual, Disabled	1.1.0
Establish network segmentation for card holder data environment	CMA_0273 - Establish network segmentation for card holder data environment	Manual, Disabled	1.1.0
Function apps should only be accessible over HTTPS	Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.	Audit, Disabled, Deny	5.0.0
Function apps should use the latest TLS version	Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.	AuditIfNotExists, Disabled	2.0.1
Identify and manage downstream information exchanges	CMA_0298 - Identify and manage downstream information exchanges	Manual, Disabled	1.1.0
Implement managed interface for each external service	CMA_C1626 - Implement managed interface for each external service	Manual, Disabled	1.1.0
Implement system boundary protection	CMA_0328 - Implement system boundary protection	Manual, Disabled	1.1.0
Information flow control using security policy filters	CMA_C1029 - Information flow control using security policy filters	Manual, Disabled	1.1.0
Internet-facing virtual machines should be protected with network security groups	Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc	AuditIfNotExists, Disabled	3.0.0
Only secure connections to your Azure Cache for Redis should be enabled	Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking	Audit, Deny, Disabled	1.0.0
Route traffic through managed network access points	CMA_0484 - Route traffic through managed network access points	Manual, Disabled	1.1.0
Secure the interface to external systems	CMA_0491 - Secure the interface to external systems	Manual, Disabled	1.1.0
Secure transfer to storage accounts should be enabled	Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking	Audit, Deny, Disabled	2.0.0
Subnets should be associated with a Network Security Group	Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.	AuditIfNotExists, Disabled	3.0.0
Virtual machines should be connected to an approved virtual network	This policy audits any virtual machine connected to a virtual network that is not approved.	Audit, Deny, Disabled	1.0.0

0812.01n2Organizational.8-01.n 01.04 Network Access Control

ID: 0812.01n2Organizational.8-01.n Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Adaptive network hardening recommendations should be applied on internet facing virtual machines	Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface	AuditIfNotExists, Disabled	3.0.0
App Service apps should only be accessible over HTTPS	Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.	Audit, Disabled, Deny	4.0.0
App Service apps should use the latest TLS version	Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.	AuditIfNotExists, Disabled	2.0.1
Enforce SSL connection should be enabled for MySQL database servers	Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.	Audit, Disabled	1.0.1
Enforce SSL connection should be enabled for PostgreSQL database servers	Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.	Audit, Disabled	1.0.1
Function apps should only be accessible over HTTPS	Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.	Audit, Disabled, Deny	5.0.0
Function apps should use the latest TLS version	Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.	AuditIfNotExists, Disabled	2.0.1
Internet-facing virtual machines should be protected with network security groups	Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc	AuditIfNotExists, Disabled	3.0.0
Only secure connections to your Azure Cache for Redis should be enabled	Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking	Audit, Deny, Disabled	1.0.0
Prevent split tunneling for remote devices	CMA_C1632 - Prevent split tunneling for remote devices	Manual, Disabled	1.1.0
Secure transfer to storage accounts should be enabled	Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking	Audit, Deny, Disabled	2.0.0
Subnets should be associated with a Network Security Group	Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.	AuditIfNotExists, Disabled	3.0.0
Virtual machines should be connected to an approved virtual network	This policy audits any virtual machine connected to a virtual network that is not approved.	Audit, Deny, Disabled	1.0.0

0814.01n1Organizational.12-01.n 01.04 Network Access Control

ID: 0814.01n1Organizational.12-01.n Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Adaptive network hardening recommendations should be applied on internet facing virtual machines	Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface	AuditIfNotExists, Disabled	3.0.0
App Service apps should only be accessible over HTTPS	Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.	Audit, Disabled, Deny	4.0.0
App Service apps should use the latest TLS version	Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.	AuditIfNotExists, Disabled	2.0.1
Enforce SSL connection should be enabled for MySQL database servers	Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.	Audit, Disabled	1.0.1
Enforce SSL connection should be enabled for PostgreSQL database servers	Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.	Audit, Disabled	1.0.1
Function apps should only be accessible over HTTPS	Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.	Audit, Disabled, Deny	5.0.0
Function apps should use the latest TLS version	Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.	AuditIfNotExists, Disabled	2.0.1
Internet-facing virtual machines should be protected with network security groups	Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc	AuditIfNotExists, Disabled	3.0.0
Only secure connections to your Azure Cache for Redis should be enabled	Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking	Audit, Deny, Disabled	1.0.0
Secure transfer to storage accounts should be enabled	Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking	Audit, Deny, Disabled	2.0.0
Subnets should be associated with a Network Security Group	Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.	AuditIfNotExists, Disabled	3.0.0
Virtual machines should be connected to an approved virtual network	This policy audits any virtual machine connected to a virtual network that is not approved.	Audit, Deny, Disabled	1.0.0

0815.01o2Organizational.123-01.o 01.04 Network Access Control

ID: 0815.01o2Organizational.123-01.o Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Authorize, monitor, and control voip	CMA_0025 - Authorize, monitor, and control voip	Manual, Disabled	1.1.0
Implement system boundary protection	CMA_0328 - Implement system boundary protection	Manual, Disabled	1.1.0
Route traffic through authenticated proxy network	CMA_C1633 - Route traffic through authenticated proxy network	Manual, Disabled	1.1.0
Route traffic through managed network access points	CMA_0484 - Route traffic through managed network access points	Manual, Disabled	1.1.0

0816.01w1System.1-01.w 01.06 Application and Information Access Control

ID: 0816.01w1System.1-01.w Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Develop SSP that meets criteria	CMA_C1492 - Develop SSP that meets criteria	Manual, Disabled	1.1.0
Distribute information system documentation	CMA_C1584 - Distribute information system documentation	Manual, Disabled	1.1.0
Document customer-defined actions	CMA_C1582 - Document customer-defined actions	Manual, Disabled	1.1.0
Obtain Admin documentation	CMA_C1580 - Obtain Admin documentation	Manual, Disabled	1.1.0
Obtain user security function documentation	CMA_C1581 - Obtain user security function documentation	Manual, Disabled	1.1.0
Protect administrator and user documentation	CMA_C1583 - Protect administrator and user documentation	Manual, Disabled	1.1.0

0817.01w2System.123-01.w 01.06 Application and Information Access Control

ID: 0817.01w2System.123-01.w Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Adopt biometric authentication mechanisms	CMA_0005 - Adopt biometric authentication mechanisms	Manual, Disabled	1.1.0
Authorize remote access	CMA_0024 - Authorize remote access	Manual, Disabled	1.1.0
Control information flow	CMA_0079 - Control information flow	Manual, Disabled	1.1.0
Employ boundary protection to isolate information systems	CMA_C1639 - Employ boundary protection to isolate information systems	Manual, Disabled	1.1.0
Ensure system capable of dynamic isolation of resources	CMA_C1638 - Ensure system capable of dynamic isolation of resources	Manual, Disabled	1.1.0
Establish firewall and router configuration standards	CMA_0272 - Establish firewall and router configuration standards	Manual, Disabled	1.1.0
Establish network segmentation for card holder data environment	CMA_0273 - Establish network segmentation for card holder data environment	Manual, Disabled	1.1.0
Identify and manage downstream information exchanges	CMA_0298 - Identify and manage downstream information exchanges	Manual, Disabled	1.1.0
Implement system boundary protection	CMA_0328 - Implement system boundary protection	Manual, Disabled	1.1.0
Isolate SecurID systems, Security Incident Management systems	CMA_C1636 - Isolate SecurID systems, Security Incident Management systems	Manual, Disabled	1.1.0
Maintain separate execution domains for running processes	CMA_C1665 - Maintain separate execution domains for running processes	Manual, Disabled	1.1.0
Separate user and information system management functionality	CMA_0493 - Separate user and information system management functionality	Manual, Disabled	1.1.0
Use dedicated machines for administrative tasks	CMA_0527 - Use dedicated machines for administrative tasks	Manual, Disabled	1.1.0

0818.01w3System.12-01.w 01.06 Application and Information Access Control

ID: 0818.01w3System.12-01.w Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Govern the allocation of resources	CMA_0293 - Govern the allocation of resources	Manual, Disabled	1.1.0
Maintain separate execution domains for running processes	CMA_C1665 - Maintain separate execution domains for running processes	Manual, Disabled	1.1.0
Manage availability and capacity	CMA_0356 - Manage availability and capacity	Manual, Disabled	1.1.0
Secure commitment from leadership	CMA_0489 - Secure commitment from leadership	Manual, Disabled	1.1.0

0819.09m1Organizational.23-09.m 09.06 Network Security Management

ID: 0819.09m1Organizational.23-09.m Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Check for privacy and security compliance before establishing internal connections	CMA_0053 - Check for privacy and security compliance before establishing internal connections	Manual, Disabled	1.1.0
Require interconnection security agreements	CMA_C1151 - Require interconnection security agreements	Manual, Disabled	1.1.0

0821.09m2Organizational.2-09.m 09.06 Network Security Management

ID: 0821.09m2Organizational.2-09.m Ownership: Shared

0822.09m2Organizational.4-09.m 09.06 Network Security Management

ID: 0822.09m2Organizational.4-09.m Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Authorize, monitor, and control voip	CMA_0025 - Authorize, monitor, and control voip	Manual, Disabled	1.1.0
Control information flow	CMA_0079 - Control information flow	Manual, Disabled	1.1.0
Employ flow control mechanisms of encrypted information	CMA_0211 - Employ flow control mechanisms of encrypted information	Manual, Disabled	1.1.0
Implement managed interface for each external service	CMA_C1626 - Implement managed interface for each external service	Manual, Disabled	1.1.0
Implement system boundary protection	CMA_0328 - Implement system boundary protection	Manual, Disabled	1.1.0
Route traffic through authenticated proxy network	CMA_C1633 - Route traffic through authenticated proxy network	Manual, Disabled	1.1.0
Route traffic through managed network access points	CMA_0484 - Route traffic through managed network access points	Manual, Disabled	1.1.0

0824.09m3Organizational.1-09.m 09.06 Network Security Management

ID: 0824.09m3Organizational.1-09.m Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Conduct Risk Assessment	CMA_C1543 - Conduct Risk Assessment	Manual, Disabled	1.1.0
Conduct risk assessment and distribute its results	CMA_C1544 - Conduct risk assessment and distribute its results	Manual, Disabled	1.1.0
Conduct risk assessment and document its results	CMA_C1542 - Conduct risk assessment and document its results	Manual, Disabled	1.1.0
Configure detection whitelist	CMA_0068 - Configure detection whitelist	Manual, Disabled	1.1.0
Establish an alternate processing site	CMA_0262 - Establish an alternate processing site	Manual, Disabled	1.1.0
Perform a risk assessment	CMA_0388 - Perform a risk assessment	Manual, Disabled	1.1.0
Plan for resumption of essential business functions	CMA_C1253 - Plan for resumption of essential business functions	Manual, Disabled	1.1.0
Separately store backup information	CMA_C1293 - Separately store backup information	Manual, Disabled	1.1.0
Turn on sensors for endpoint security solution	CMA_0514 - Turn on sensors for endpoint security solution	Manual, Disabled	1.1.0
Undergo independent security review	CMA_0515 - Undergo independent security review	Manual, Disabled	1.1.0

0825.09m3Organizational.23-09.m 09.06 Network Security Management

ID: 0825.09m3Organizational.23-09.m Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Authorize, monitor, and control voip	CMA_0025 - Authorize, monitor, and control voip	Manual, Disabled	1.1.0
Detect network services that have not been authorized or approved	CMA_C1700 - Detect network services that have not been authorized or approved	Manual, Disabled	1.1.0
Document wireless access security controls	CMA_C1695 - Document wireless access security controls	Manual, Disabled	1.1.0
Implement system boundary protection	CMA_0328 - Implement system boundary protection	Manual, Disabled	1.1.0
Obtain legal opinion for monitoring system activities	CMA_C1688 - Obtain legal opinion for monitoring system activities	Manual, Disabled	1.1.0
Provide monitoring information as needed	CMA_C1689 - Provide monitoring information as needed	Manual, Disabled	1.1.0
Route traffic through managed network access points	CMA_0484 - Route traffic through managed network access points	Manual, Disabled	1.1.0

0826.09m3Organizational.45-09.m 09.06 Network Security Management

ID: 0826.09m3Organizational.45-09.m Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Implement managed interface for each external service	CMA_C1626 - Implement managed interface for each external service	Manual, Disabled	1.1.0
Implement system boundary protection	CMA_0328 - Implement system boundary protection	Manual, Disabled	1.1.0
Secure the interface to external systems	CMA_0491 - Secure the interface to external systems	Manual, Disabled	1.1.0

0828.09m3Organizational.8-09.m 09.06 Network Security Management

ID: 0828.09m3Organizational.8-09.m Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Review changes for any unauthorized changes	CMA_C1204 - Review changes for any unauthorized changes	Manual, Disabled	1.1.0

0829.09m3Organizational.911-09.m 09.06 Network Security Management

ID: 0829.09m3Organizational.911-09.m Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Implement managed interface for each external service	CMA_C1626 - Implement managed interface for each external service	Manual, Disabled	1.1.0
Implement system boundary protection	CMA_0328 - Implement system boundary protection	Manual, Disabled	1.1.0

0830.09m3Organizational.1012-09.m 09.06 Network Security Management

ID: 0830.09m3Organizational.1012-09.m Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Adopt biometric authentication mechanisms	CMA_0005 - Adopt biometric authentication mechanisms	Manual, Disabled	1.1.0
Authorize, monitor, and control voip	CMA_0025 - Authorize, monitor, and control voip	Manual, Disabled	1.1.0
Enforce user uniqueness	CMA_0250 - Enforce user uniqueness	Manual, Disabled	1.1.0
Implement managed interface for each external service	CMA_C1626 - Implement managed interface for each external service	Manual, Disabled	1.1.0
Implement system boundary protection	CMA_0328 - Implement system boundary protection	Manual, Disabled	1.1.0
Route traffic through managed network access points	CMA_0484 - Route traffic through managed network access points	Manual, Disabled	1.1.0
Secure the interface to external systems	CMA_0491 - Secure the interface to external systems	Manual, Disabled	1.1.0
Support personal verification credentials issued by legal authorities	CMA_0507 - Support personal verification credentials issued by legal authorities	Manual, Disabled	1.1.0

0832.09m3Organizational.14-09.m 09.06 Network Security Management

ID: 0832.09m3Organizational.14-09.m Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Implement a fault tolerant name/address service	CMA_0305 - Implement a fault tolerant name/address service	Manual, Disabled	1.1.0
Require interconnection security agreements	CMA_C1151 - Require interconnection security agreements	Manual, Disabled	1.1.0
Update interconnection security agreements	CMA_0519 - Update interconnection security agreements	Manual, Disabled	1.1.0

0835.09n1Organizational.1-09.n 09.06 Network Security Management

ID: 0835.09n1Organizational.1-09.n Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
[Preview]: Network traffic data collection agent should be installed on Windows virtual machines	Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.	AuditIfNotExists, Disabled	1.0.2-preview
Configure detection whitelist	CMA_0068 - Configure detection whitelist	Manual, Disabled	1.1.0
Require interconnection security agreements	CMA_C1151 - Require interconnection security agreements	Manual, Disabled	1.1.0
Secure the interface to external systems	CMA_0491 - Secure the interface to external systems	Manual, Disabled	1.1.0
Turn on sensors for endpoint security solution	CMA_0514 - Turn on sensors for endpoint security solution	Manual, Disabled	1.1.0
Undergo independent security review	CMA_0515 - Undergo independent security review	Manual, Disabled	1.1.0
Virtual machines should be migrated to new Azure Resource Manager resources	Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management	Audit, Deny, Disabled	1.0.0

0836.09.n2Organizational.1-09.n 09.06 Network Security Management

ID: 0836.09.n2Organizational.1-09.n Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
[Preview]: Network traffic data collection agent should be installed on Linux virtual machines	Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.	AuditIfNotExists, Disabled	1.0.2-preview
Check for privacy and security compliance before establishing internal connections	CMA_0053 - Check for privacy and security compliance before establishing internal connections	Manual, Disabled	1.1.0
Require interconnection security agreements	CMA_C1151 - Require interconnection security agreements	Manual, Disabled	1.1.0
Update interconnection security agreements	CMA_0519 - Update interconnection security agreements	Manual, Disabled	1.1.0

0837.09.n2Organizational.2-09.n 09.06 Network Security Management

ID: 0837.09.n2Organizational.2-09.n Ownership: Shared

0850.01o1Organizational.12-01.o 01.04 Network Access Control

ID: 0850.01o1Organizational.12-01.o Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Route traffic through authenticated proxy network	CMA_C1633 - Route traffic through authenticated proxy network	Manual, Disabled	1.1.0

0858.09m1Organizational.4-09.m 09.06 Network Security Management

ID: 0858.09m1Organizational.4-09.m Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
All network ports should be restricted on network security groups associated to your virtual machine	Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.	AuditIfNotExists, Disabled	3.0.0
Document and implement wireless access guidelines	CMA_0190 - Document and implement wireless access guidelines	Manual, Disabled	1.1.0
Document wireless access security controls	CMA_C1695 - Document wireless access security controls	Manual, Disabled	1.1.0
Identify and authenticate network devices	CMA_0296 - Identify and authenticate network devices	Manual, Disabled	1.1.0
Management ports of virtual machines should be protected with just-in-time network access control	Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations	AuditIfNotExists, Disabled	3.0.0
Protect wireless access	CMA_0411 - Protect wireless access	Manual, Disabled	1.1.0
Windows machines should meet requirements for 'Windows Firewall Properties'	Windows machines should have the specified Group Policy settings in the category 'Windows Firewall Properties' for firewall state, connections, rule management, and notifications. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.	AuditIfNotExists, Disabled	3.0.0

0859.09m1Organizational.78-09.m 09.06 Network Security Management

ID: 0859.09m1Organizational.78-09.m Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Adaptive network hardening recommendations should be applied on internet facing virtual machines	Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface	AuditIfNotExists, Disabled	3.0.0
Control information flow	CMA_0079 - Control information flow	Manual, Disabled	1.1.0
Define access authorizations to support separation of duties	CMA_0116 - Define access authorizations to support separation of duties	Manual, Disabled	1.1.0
Document separation of duties	CMA_0204 - Document separation of duties	Manual, Disabled	1.1.0
Employ flow control mechanisms of encrypted information	CMA_0211 - Employ flow control mechanisms of encrypted information	Manual, Disabled	1.1.0
Establish firewall and router configuration standards	CMA_0272 - Establish firewall and router configuration standards	Manual, Disabled	1.1.0
Establish network segmentation for card holder data environment	CMA_0273 - Establish network segmentation for card holder data environment	Manual, Disabled	1.1.0
Identify and manage downstream information exchanges	CMA_0298 - Identify and manage downstream information exchanges	Manual, Disabled	1.1.0
Information flow control using security policy filters	CMA_C1029 - Information flow control using security policy filters	Manual, Disabled	1.1.0
Protect data in transit using encryption	CMA_0403 - Protect data in transit using encryption	Manual, Disabled	1.1.0
Protect passwords with encryption	CMA_0408 - Protect passwords with encryption	Manual, Disabled	1.1.0
Review and update system and communications protection policies and procedures	CMA_C1616 - Review and update system and communications protection policies and procedures	Manual, Disabled	1.1.0
Secure the interface to external systems	CMA_0491 - Secure the interface to external systems	Manual, Disabled	1.1.0
Separate duties of individuals	CMA_0492 - Separate duties of individuals	Manual, Disabled	1.1.0

0860.09m1Organizational.9-09.m 09.06 Network Security Management

ID: 0860.09m1Organizational.9-09.m Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Deploy Diagnostic Settings for Network Security Groups	This policy automatically deploys diagnostic settings to network security groups. A storage account with name '{storagePrefixParameter}{NSGLocation}' will be automatically created.	deployIfNotExists	2.0.1
Establish an alternate processing site	CMA_0262 - Establish an alternate processing site	Manual, Disabled	1.1.0
Implement managed interface for each external service	CMA_C1626 - Implement managed interface for each external service	Manual, Disabled	1.1.0
Secure the interface to external systems	CMA_0491 - Secure the interface to external systems	Manual, Disabled	1.1.0
Separately store backup information	CMA_C1293 - Separately store backup information	Manual, Disabled	1.1.0

0861.09m2Organizational.67-09.m 09.06 Network Security Management

ID: 0861.09m2Organizational.67-09.m Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
App Service apps should use a virtual network service endpoint	Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit https://aka.ms/appservice-vnet-service-endpoint.	AuditIfNotExists, Disabled	2.0.1
Document and implement wireless access guidelines	CMA_0190 - Document and implement wireless access guidelines	Manual, Disabled	1.1.0
Document wireless access security controls	CMA_C1695 - Document wireless access security controls	Manual, Disabled	1.1.0
Identify and authenticate network devices	CMA_0296 - Identify and authenticate network devices	Manual, Disabled	1.1.0
Identify and authenticate non-organizational users	CMA_C1346 - Identify and authenticate non-organizational users	Manual, Disabled	1.1.0
Protect wireless access	CMA_0411 - Protect wireless access	Manual, Disabled	1.1.0
Windows machines should meet requirements for 'Security Options - Network Access'	Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Access' for including access for anonymous users, local accounts, and remote access to the registry. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.	AuditIfNotExists, Disabled	3.0.0

0862.09m2Organizational.8-09.m 09.06 Network Security Management

ID: 0862.09m2Organizational.8-09.m Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Configure workstations to check for digital certificates	CMA_0073 - Configure workstations to check for digital certificates	Manual, Disabled	1.1.0
Protect data in transit using encryption	CMA_0403 - Protect data in transit using encryption	Manual, Disabled	1.1.0
Protect passwords with encryption	CMA_0408 - Protect passwords with encryption	Manual, Disabled	1.1.0
SQL Server should use a virtual network service endpoint	This policy audits any SQL Server not configured to use a virtual network service endpoint.	AuditIfNotExists, Disabled	1.0.0

0863.09m2Organizational.910-09.m 09.06 Network Security Management

ID: 0863.09m2Organizational.910-09.m Ownership: Shared

0864.09m2Organizational.12-09.m 09.06 Network Security Management

ID: 0864.09m2Organizational.12-09.m Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Authorize, monitor, and control voip	CMA_0025 - Authorize, monitor, and control voip	Manual, Disabled	1.1.0
Cosmos DB should use a virtual network service endpoint	This policy audits any Cosmos DB not configured to use a virtual network service endpoint.	Audit, Disabled	1.0.0
Establish voip usage restrictions	CMA_0280 - Establish voip usage restrictions	Manual, Disabled	1.1.0
Secure the interface to external systems	CMA_0491 - Secure the interface to external systems	Manual, Disabled	1.1.0

0865.09m2Organizational.13-09.m 09.06 Network Security Management

ID: 0865.09m2Organizational.13-09.m Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Check for privacy and security compliance before establishing internal connections	CMA_0053 - Check for privacy and security compliance before establishing internal connections	Manual, Disabled	1.1.0
Employ restrictions on external system interconnections	CMA_C1155 - Employ restrictions on external system interconnections	Manual, Disabled	1.1.0
Key Vault should use a virtual network service endpoint	This policy audits any Key Vault not configured to use a virtual network service endpoint.	Audit, Disabled	1.0.0
Require interconnection security agreements	CMA_C1151 - Require interconnection security agreements	Manual, Disabled	1.1.0
Update interconnection security agreements	CMA_0519 - Update interconnection security agreements	Manual, Disabled	1.1.0

0866.09m3Organizational.1516-09.m 09.06 Network Security Management

ID: 0866.09m3Organizational.1516-09.m Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Authorize, monitor, and control voip	CMA_0025 - Authorize, monitor, and control voip	Manual, Disabled	1.1.0
Develop and establish a system security plan	CMA_0151 - Develop and establish a system security plan	Manual, Disabled	1.1.0
Develop information security policies and procedures	CMA_0158 - Develop information security policies and procedures	Manual, Disabled	1.1.0
Develop SSP that meets criteria	CMA_C1492 - Develop SSP that meets criteria	Manual, Disabled	1.1.0
Establish a privacy program	CMA_0257 - Establish a privacy program	Manual, Disabled	1.1.0
Establish security requirements for the manufacturing of connected devices	CMA_0279 - Establish security requirements for the manufacturing of connected devices	Manual, Disabled	1.1.0
Implement security engineering principles of information systems	CMA_0325 - Implement security engineering principles of information systems	Manual, Disabled	1.1.0
Review and update system and communications protection policies and procedures	CMA_C1616 - Review and update system and communications protection policies and procedures	Manual, Disabled	1.1.0
Route traffic through managed network access points	CMA_0484 - Route traffic through managed network access points	Manual, Disabled	1.1.0
Secure the interface to external systems	CMA_0491 - Secure the interface to external systems	Manual, Disabled	1.1.0
Storage accounts should restrict network access	Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges	Audit, Deny, Disabled	1.1.1

0868.09m3Organizational.18-09.m 09.06 Network Security Management

ID: 0868.09m3Organizational.18-09.m Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
[Preview]: Container Registry should use a virtual network service endpoint	This policy audits any Container Registry not configured to use a virtual network service endpoint.	Audit, Disabled	1.0.0-preview
Authorize, monitor, and control voip	CMA_0025 - Authorize, monitor, and control voip	Manual, Disabled	1.1.0
Implement managed interface for each external service	CMA_C1626 - Implement managed interface for each external service	Manual, Disabled	1.1.0
Route traffic through managed network access points	CMA_0484 - Route traffic through managed network access points	Manual, Disabled	1.1.0
Secure the interface to external systems	CMA_0491 - Secure the interface to external systems	Manual, Disabled	1.1.0

0869.09m3Organizational.19-09.m 09.06 Network Security Management

ID: 0869.09m3Organizational.19-09.m Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
[Preview]: Container Registry should use a virtual network service endpoint	This policy audits any Container Registry not configured to use a virtual network service endpoint.	Audit, Disabled	1.0.0-preview
Configure actions for noncompliant devices	CMA_0062 - Configure actions for noncompliant devices	Manual, Disabled	1.1.0
Create configuration plan protection	CMA_C1233 - Create configuration plan protection	Manual, Disabled	1.1.0
Develop and maintain baseline configurations	CMA_0153 - Develop and maintain baseline configurations	Manual, Disabled	1.1.0
Develop configuration item identification plan	CMA_C1231 - Develop configuration item identification plan	Manual, Disabled	1.1.0
Develop configuration management plan	CMA_C1232 - Develop configuration management plan	Manual, Disabled	1.1.0
Employ automatic shutdown/restart when violations are detected	CMA_C1715 - Employ automatic shutdown/restart when violations are detected	Manual, Disabled	1.1.0
Enforce security configuration settings	CMA_0249 - Enforce security configuration settings	Manual, Disabled	1.1.0
Establish a configuration control board	CMA_0254 - Establish a configuration control board	Manual, Disabled	1.1.0
Establish and document a configuration management plan	CMA_0264 - Establish and document a configuration management plan	Manual, Disabled	1.1.0
Implement an automated configuration management tool	CMA_0311 - Implement an automated configuration management tool	Manual, Disabled	1.1.0

0870.09m3Organizational.20-09.m 09.06 Network Security Management

ID: 0870.09m3Organizational.20-09.m Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
[Preview]: Container Registry should use a virtual network service endpoint	This policy audits any Container Registry not configured to use a virtual network service endpoint.	Audit, Disabled	1.0.0-preview
Detect network services that have not been authorized or approved	CMA_C1700 - Detect network services that have not been authorized or approved	Manual, Disabled	1.1.0
Enforce user uniqueness	CMA_0250 - Enforce user uniqueness	Manual, Disabled	1.1.0
Identify and authenticate non-organizational users	CMA_C1346 - Identify and authenticate non-organizational users	Manual, Disabled	1.1.0
Identify external service providers	CMA_C1591 - Identify external service providers	Manual, Disabled	1.1.0
Implement managed interface for each external service	CMA_C1626 - Implement managed interface for each external service	Manual, Disabled	1.1.0
Route traffic through authenticated proxy network	CMA_C1633 - Route traffic through authenticated proxy network	Manual, Disabled	1.1.0
Support personal verification credentials issued by legal authorities	CMA_0507 - Support personal verification credentials issued by legal authorities	Manual, Disabled	1.1.0

0871.09m3Organizational.22-09.m 09.06 Network Security Management

ID: 0871.09m3Organizational.22-09.m Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
[Preview]: Container Registry should use a virtual network service endpoint	This policy audits any Container Registry not configured to use a virtual network service endpoint.	Audit, Disabled	1.0.0-preview
Implement a fault tolerant name/address service	CMA_0305 - Implement a fault tolerant name/address service	Manual, Disabled	1.1.0
Provide secure name and address resolution services	CMA_0416 - Provide secure name and address resolution services	Manual, Disabled	1.1.0
Verify software, firmware and information integrity	CMA_0542 - Verify software, firmware and information integrity	Manual, Disabled	1.1.0

0885.09n2Organizational.3-09.n 09.06 Network Security Management

ID: 0885.09n2Organizational.3-09.n Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
[Preview]: Network traffic data collection agent should be installed on Linux virtual machines	Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.	AuditIfNotExists, Disabled	1.0.2-preview
Require interconnection security agreements	CMA_C1151 - Require interconnection security agreements	Manual, Disabled	1.1.0
Update interconnection security agreements	CMA_0519 - Update interconnection security agreements	Manual, Disabled	1.1.0

0886.09n2Organizational.4-09.n 09.06 Network Security Management

ID: 0886.09n2Organizational.4-09.n Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Employ restrictions on external system interconnections	CMA_C1155 - Employ restrictions on external system interconnections	Manual, Disabled	1.1.0
Network Watcher should be enabled	Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.	AuditIfNotExists, Disabled	3.0.0

0887.09n2Organizational.5-09.n 09.06 Network Security Management

ID: 0887.09n2Organizational.5-09.n Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
[Preview]: Network traffic data collection agent should be installed on Windows virtual machines	Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.	AuditIfNotExists, Disabled	1.0.2-preview
Require developer to identify SDLC ports, protocols, and services	CMA_C1578 - Require developer to identify SDLC ports, protocols, and services	Manual, Disabled	1.1.0
Secure the interface to external systems	CMA_0491 - Secure the interface to external systems	Manual, Disabled	1.1.0

0888.09n2Organizational.6-09.n 09.06 Network Security Management

ID: 0888.09n2Organizational.6-09.n Ownership: Shared

0894.01m2Organizational.7-01.m 01.04 Network Access Control

ID: 0894.01m2Organizational.7-01.m Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
[Preview]: Container Registry should use a virtual network service endpoint	This policy audits any Container Registry not configured to use a virtual network service endpoint.	Audit, Disabled	1.0.0-preview
App Service apps should use a virtual network service endpoint	Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit https://aka.ms/appservice-vnet-service-endpoint.	AuditIfNotExists, Disabled	2.0.1
Authorize access to security functions and information	CMA_0022 - Authorize access to security functions and information	Manual, Disabled	1.1.0
Authorize and manage access	CMA_0023 - Authorize and manage access	Manual, Disabled	1.1.0
Cosmos DB should use a virtual network service endpoint	This policy audits any Cosmos DB not configured to use a virtual network service endpoint.	Audit, Disabled	1.0.0
Deploy network watcher when virtual networks are created	This policy creates a network watcher resource in regions with virtual networks. You need to ensure existence of a resource group named networkWatcherRG, which will be used to deploy network watcher instances.	DeployIfNotExists	1.0.0
Enforce logical access	CMA_0245 - Enforce logical access	Manual, Disabled	1.1.0
Enforce mandatory and discretionary access control policies	CMA_0246 - Enforce mandatory and discretionary access control policies	Manual, Disabled	1.1.0
Event Hub should use a virtual network service endpoint	This policy audits any Event Hub not configured to use a virtual network service endpoint.	AuditIfNotExists, Disabled	1.0.0
Gateway subnets should not be configured with a network security group	This policy denies if a gateway subnet is configured with a network security group. Assigning a network security group to a gateway subnet will cause the gateway to stop functioning.	deny	1.0.0
Internet-facing virtual machines should be protected with network security groups	Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc	AuditIfNotExists, Disabled	3.0.0
Key Vault should use a virtual network service endpoint	This policy audits any Key Vault not configured to use a virtual network service endpoint.	Audit, Disabled	1.0.0
Require approval for account creation	CMA_0431 - Require approval for account creation	Manual, Disabled	1.1.0
Review user groups and applications with access to sensitive data	CMA_0481 - Review user groups and applications with access to sensitive data	Manual, Disabled	1.1.0
Route traffic through authenticated proxy network	CMA_C1633 - Route traffic through authenticated proxy network	Manual, Disabled	1.1.0
SQL Server should use a virtual network service endpoint	This policy audits any SQL Server not configured to use a virtual network service endpoint.	AuditIfNotExists, Disabled	1.0.0
Storage Accounts should use a virtual network service endpoint	This policy audits any Storage Account not configured to use a virtual network service endpoint.	Audit, Disabled	1.0.0
Subnets should be associated with a Network Security Group	Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.	AuditIfNotExists, Disabled	3.0.0
Virtual machines should be connected to an approved virtual network	This policy audits any virtual machine connected to a virtual network that is not approved.	Audit, Deny, Disabled	1.0.0

Back-up

Workforce members roles and responsibilities in the data backup process are identified and communicated to the workforce; in particular, Bring Your Own Device (BYOD) users are required to perform backups of organizational and/or client data on their devices.

ID: 1699.09l1Organizational.10 - 09.l Ownership: Customer

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Azure Backup should be enabled for Virtual Machines	Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.	AuditIfNotExists, Disabled	3.0.0

Network Controls

Wireless access points are placed in secure areas and shut down when not in use (e.g. nights, weekends).

ID: 0867.09m3Organizational.17 - 09.m Ownership: Customer

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Storage Accounts should use a virtual network service endpoint	This policy audits any Storage Account not configured to use a virtual network service endpoint.	Audit, Disabled	1.0.0

On-line Transactions

The organization requires the use of encryption between, and the use of electronic signatures by, each of the parties involved in the transaction.

ID: 0946.09y2Organizational.14 - 09.y Ownership: Customer

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Only secure connections to your Azure Cache for Redis should be enabled	Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking	Audit, Deny, Disabled	1.0.0

09 Transmission Protection

0901.09s1Organizational.1-09.s 09.08 Exchange of Information

ID: 0901.09s1Organizational.1-09.s Ownership: Shared

0902.09s2Organizational.13-09.s 09.08 Exchange of Information

ID: 0902.09s2Organizational.13-09.s Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Authorize remote access	CMA_0024 - Authorize remote access	Manual, Disabled	1.1.0
Authorize remote access to privileged commands	CMA_C1064 - Authorize remote access to privileged commands	Manual, Disabled	1.1.0
Document mobility training	CMA_0191 - Document mobility training	Manual, Disabled	1.1.0
Document remote access guidelines	CMA_0196 - Document remote access guidelines	Manual, Disabled	1.1.0
Establish terms and conditions for accessing resources	CMA_C1076 - Establish terms and conditions for accessing resources	Manual, Disabled	1.1.0
Establish terms and conditions for processing resources	CMA_C1077 - Establish terms and conditions for processing resources	Manual, Disabled	1.1.0
Function apps should not have CORS configured to allow every resource to access your apps	Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app.	AuditIfNotExists, Disabled	2.0.0
Implement controls to secure alternate work sites	CMA_0315 - Implement controls to secure alternate work sites	Manual, Disabled	1.1.0
Monitor access across the organization	CMA_0376 - Monitor access across the organization	Manual, Disabled	1.1.0
Notify users of system logon or access	CMA_0382 - Notify users of system logon or access	Manual, Disabled	1.1.0
Protect data in transit using encryption	CMA_0403 - Protect data in transit using encryption	Manual, Disabled	1.1.0
Provide capability to disconnect or disable remote access	CMA_C1066 - Provide capability to disconnect or disable remote access	Manual, Disabled	1.1.0
Provide privacy training	CMA_0415 - Provide privacy training	Manual, Disabled	1.1.0
Route traffic through managed network access points	CMA_0484 - Route traffic through managed network access points	Manual, Disabled	1.1.0

0903.10f1Organizational.1-10.f 10.03 Cryptographic Controls

ID: 0903.10f1Organizational.1-10.f Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Configure workstations to check for digital certificates	CMA_0073 - Configure workstations to check for digital certificates	Manual, Disabled	1.1.0
Define cryptographic use	CMA_0120 - Define cryptographic use	Manual, Disabled	1.1.0
Protect passwords with encryption	CMA_0408 - Protect passwords with encryption	Manual, Disabled	1.1.0

0904.10f2Organizational.1-10.f 10.03 Cryptographic Controls

ID: 0904.10f2Organizational.1-10.f Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Authenticate to cryptographic module	CMA_0021 - Authenticate to cryptographic module	Manual, Disabled	1.1.0
Define a physical key management process	CMA_0115 - Define a physical key management process	Manual, Disabled	1.1.0
Define cryptographic use	CMA_0120 - Define cryptographic use	Manual, Disabled	1.1.0
Define organizational requirements for cryptographic key management	CMA_0123 - Define organizational requirements for cryptographic key management	Manual, Disabled	1.1.0
Determine assertion requirements	CMA_0136 - Determine assertion requirements	Manual, Disabled	1.1.0
Issue public key certificates	CMA_0347 - Issue public key certificates	Manual, Disabled	1.1.0
Manage symmetric cryptographic keys	CMA_0367 - Manage symmetric cryptographic keys	Manual, Disabled	1.1.0
Produce, control and distribute symmetric cryptographic keys	CMA_C1645 - Produce, control and distribute symmetric cryptographic keys	Manual, Disabled	1.1.0
Protect passwords with encryption	CMA_0408 - Protect passwords with encryption	Manual, Disabled	1.1.0
Restrict access to private keys	CMA_0445 - Restrict access to private keys	Manual, Disabled	1.1.0

0912.09s1Organizational.4-09.s 09.08 Exchange of Information

ID: 0912.09s1Organizational.4-09.s Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
App Service apps should have remote debugging turned off	Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off.	AuditIfNotExists, Disabled	2.0.0
Authorize remote access	CMA_0024 - Authorize remote access	Manual, Disabled	1.1.0
Document mobility training	CMA_0191 - Document mobility training	Manual, Disabled	1.1.0
Document remote access guidelines	CMA_0196 - Document remote access guidelines	Manual, Disabled	1.1.0
Implement controls to secure alternate work sites	CMA_0315 - Implement controls to secure alternate work sites	Manual, Disabled	1.1.0
Monitor access across the organization	CMA_0376 - Monitor access across the organization	Manual, Disabled	1.1.0
Notify users of system logon or access	CMA_0382 - Notify users of system logon or access	Manual, Disabled	1.1.0
Provide privacy training	CMA_0415 - Provide privacy training	Manual, Disabled	1.1.0
Route traffic through managed network access points	CMA_0484 - Route traffic through managed network access points	Manual, Disabled	1.1.0

0913.09s1Organizational.5-09.s 09.08 Exchange of Information

ID: 0913.09s1Organizational.5-09.s Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Configure workstations to check for digital certificates	CMA_0073 - Configure workstations to check for digital certificates	Manual, Disabled	1.1.0
Define cryptographic use	CMA_0120 - Define cryptographic use	Manual, Disabled	1.1.0
Function apps should have remote debugging turned off	Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off.	AuditIfNotExists, Disabled	2.0.0
Produce, control and distribute asymmetric cryptographic keys	CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys	Manual, Disabled	1.1.0
Protect passwords with encryption	CMA_0408 - Protect passwords with encryption	Manual, Disabled	1.1.0

0914.09s1Organizational.6-09.s 09.08 Exchange of Information

ID: 0914.09s1Organizational.6-09.s Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Assess Security Controls	CMA_C1145 - Assess Security Controls	Manual, Disabled	1.1.0
Deliver security assessment results	CMA_C1147 - Deliver security assessment results	Manual, Disabled	1.1.0
Develop security assessment plan	CMA_C1144 - Develop security assessment plan	Manual, Disabled	1.1.0
Employ independent assessors to conduct security control assessments	CMA_C1148 - Employ independent assessors to conduct security control assessments	Manual, Disabled	1.1.0
Produce Security Assessment report	CMA_C1146 - Produce Security Assessment report	Manual, Disabled	1.1.0
Review and update system and communications protection policies and procedures	CMA_C1616 - Review and update system and communications protection policies and procedures	Manual, Disabled	1.1.0

0915.09s2Organizational.2-09.s 09.08 Exchange of Information

ID: 0915.09s2Organizational.2-09.s Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
App Service apps should have Client Certificates (Incoming client certificates) enabled	Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy applies to apps with Http version set to 1.1.	AuditIfNotExists, Disabled	1.0.0
Control use of portable storage devices	CMA_0083 - Control use of portable storage devices	Manual, Disabled	1.1.0
Establish terms and conditions for accessing resources	CMA_C1076 - Establish terms and conditions for accessing resources	Manual, Disabled	1.1.0
Establish terms and conditions for processing resources	CMA_C1077 - Establish terms and conditions for processing resources	Manual, Disabled	1.1.0

0916.09s2Organizational.4-09.s 09.08 Exchange of Information

ID: 0916.09s2Organizational.4-09.s Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Adopt biometric authentication mechanisms	CMA_0005 - Adopt biometric authentication mechanisms	Manual, Disabled	1.1.0
App Service apps should not have CORS configured to allow every resource to access your apps	Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app.	AuditIfNotExists, Disabled	2.0.0
Control use of portable storage devices	CMA_0083 - Control use of portable storage devices	Manual, Disabled	1.1.0
Explicitly notify use of collaborative computing devices	CMA_C1649 - Explicitly notify use of collaborative computing devices	Manual, Disabled	1.1.1
Identify and authenticate network devices	CMA_0296 - Identify and authenticate network devices	Manual, Disabled	1.1.0
Prohibit remote activation of collaborative computing devices	CMA_C1648 - Prohibit remote activation of collaborative computing devices	Manual, Disabled	1.1.0
Restrict media use	CMA_0450 - Restrict media use	Manual, Disabled	1.1.0

0926.09v1Organizational.2-09.v 09.08 Exchange of Information

ID: 0926.09v1Organizational.2-09.v Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Configure workstations to check for digital certificates	CMA_0073 - Configure workstations to check for digital certificates	Manual, Disabled	1.1.0
Implement a fault tolerant name/address service	CMA_0305 - Implement a fault tolerant name/address service	Manual, Disabled	1.1.0
Produce, control and distribute asymmetric cryptographic keys	CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys	Manual, Disabled	1.1.0
Protect passwords with encryption	CMA_0408 - Protect passwords with encryption	Manual, Disabled	1.1.0
Provide secure name and address resolution services	CMA_0416 - Provide secure name and address resolution services	Manual, Disabled	1.1.0

0927.09v1Organizational.3-09.v 09.08 Exchange of Information

ID: 0927.09v1Organizational.3-09.v Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Adopt biometric authentication mechanisms	CMA_0005 - Adopt biometric authentication mechanisms	Manual, Disabled	1.1.0
Enforce user uniqueness	CMA_0250 - Enforce user uniqueness	Manual, Disabled	1.1.0
Identify and authenticate network devices	CMA_0296 - Identify and authenticate network devices	Manual, Disabled	1.1.0
Support personal verification credentials issued by legal authorities	CMA_0507 - Support personal verification credentials issued by legal authorities	Manual, Disabled	1.1.0

0928.09v1Organizational.45-09.v 09.08 Exchange of Information

ID: 0928.09v1Organizational.45-09.v Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Configure workstations to check for digital certificates	CMA_0073 - Configure workstations to check for digital certificates	Manual, Disabled	1.1.0
Control information flow	CMA_0079 - Control information flow	Manual, Disabled	1.1.0
Define cryptographic use	CMA_0120 - Define cryptographic use	Manual, Disabled	1.1.0
Establish firewall and router configuration standards	CMA_0272 - Establish firewall and router configuration standards	Manual, Disabled	1.1.0
Establish network segmentation for card holder data environment	CMA_0273 - Establish network segmentation for card holder data environment	Manual, Disabled	1.1.0
Identify and manage downstream information exchanges	CMA_0298 - Identify and manage downstream information exchanges	Manual, Disabled	1.1.0
Produce, control and distribute asymmetric cryptographic keys	CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys	Manual, Disabled	1.1.0
Protect passwords with encryption	CMA_0408 - Protect passwords with encryption	Manual, Disabled	1.1.0
Secure the interface to external systems	CMA_0491 - Secure the interface to external systems	Manual, Disabled	1.1.0

0929.09v1Organizational.6-09.v 09.08 Exchange of Information

ID: 0929.09v1Organizational.6-09.v Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Configure workstations to check for digital certificates	CMA_0073 - Configure workstations to check for digital certificates	Manual, Disabled	1.1.0
Control information flow	CMA_0079 - Control information flow	Manual, Disabled	1.1.0
Establish firewall and router configuration standards	CMA_0272 - Establish firewall and router configuration standards	Manual, Disabled	1.1.0
Establish network segmentation for card holder data environment	CMA_0273 - Establish network segmentation for card holder data environment	Manual, Disabled	1.1.0
Identify and manage downstream information exchanges	CMA_0298 - Identify and manage downstream information exchanges	Manual, Disabled	1.1.0
Implement a fault tolerant name/address service	CMA_0305 - Implement a fault tolerant name/address service	Manual, Disabled	1.1.0
Produce, control and distribute asymmetric cryptographic keys	CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys	Manual, Disabled	1.1.0
Protect passwords with encryption	CMA_0408 - Protect passwords with encryption	Manual, Disabled	1.1.0
Provide secure name and address resolution services	CMA_0416 - Provide secure name and address resolution services	Manual, Disabled	1.1.0

0943.09y1Organizational.1-09.y 09.09 Electronic Commerce Services

ID: 0943.09y1Organizational.1-09.y Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Configure workstations to check for digital certificates	CMA_0073 - Configure workstations to check for digital certificates	Manual, Disabled	1.1.0
Document process to ensure integrity of PII	CMA_C1827 - Document process to ensure integrity of PII	Manual, Disabled	1.1.0
Protect passwords with encryption	CMA_0408 - Protect passwords with encryption	Manual, Disabled	1.1.0
Secure transfer to storage accounts should be enabled	Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking	Audit, Deny, Disabled	2.0.0

0944.09y1Organizational.2-09.y 09.09 Electronic Commerce Services

ID: 0944.09y1Organizational.2-09.y Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Configure workstations to check for digital certificates	CMA_0073 - Configure workstations to check for digital certificates	Manual, Disabled	1.1.0
Control information flow	CMA_0079 - Control information flow	Manual, Disabled	1.1.0
Employ boundary protection to isolate information systems	CMA_C1639 - Employ boundary protection to isolate information systems	Manual, Disabled	1.1.0
Employ flow control mechanisms of encrypted information	CMA_0211 - Employ flow control mechanisms of encrypted information	Manual, Disabled	1.1.0
Establish firewall and router configuration standards	CMA_0272 - Establish firewall and router configuration standards	Manual, Disabled	1.1.0
Establish network segmentation for card holder data environment	CMA_0273 - Establish network segmentation for card holder data environment	Manual, Disabled	1.1.0
Identify and manage downstream information exchanges	CMA_0298 - Identify and manage downstream information exchanges	Manual, Disabled	1.1.0
Information flow control using security policy filters	CMA_C1029 - Information flow control using security policy filters	Manual, Disabled	1.1.0

0945.09y1Organizational.3-09.y 09.09 Electronic Commerce Services

ID: 0945.09y1Organizational.3-09.y Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Audit Windows machines that do not contain the specified certificates in Trusted Root	Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine Trusted Root certificate store (Cert:\LocalMachine\Root) does not contain one or more of the certificates listed by the policy parameter.	auditIfNotExists	3.0.0
Authenticate to cryptographic module	CMA_0021 - Authenticate to cryptographic module	Manual, Disabled	1.1.0
Configure workstations to check for digital certificates	CMA_0073 - Configure workstations to check for digital certificates	Manual, Disabled	1.1.0
Define cryptographic use	CMA_0120 - Define cryptographic use	Manual, Disabled	1.1.0
Produce, control and distribute asymmetric cryptographic keys	CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys	Manual, Disabled	1.1.0
Protect passwords with encryption	CMA_0408 - Protect passwords with encryption	Manual, Disabled	1.1.0

0947.09y2Organizational.2-09.y 09.09 Electronic Commerce Services

ID: 0947.09y2Organizational.2-09.y Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Create separate alternate and primary storage sites	CMA_C1269 - Create separate alternate and primary storage sites	Manual, Disabled	1.1.0
Employ a media sanitization mechanism	CMA_0208 - Employ a media sanitization mechanism	Manual, Disabled	1.1.0
Enforce SSL connection should be enabled for PostgreSQL database servers	Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.	Audit, Disabled	1.0.1
Ensure alternate storage site safeguards are equivalent to primary site	CMA_C1268 - Ensure alternate storage site safeguards are equivalent to primary site	Manual, Disabled	1.1.0
Establish a data leakage management procedure	CMA_0255 - Establish a data leakage management procedure	Manual, Disabled	1.1.0
Establish alternate storage site to store and retrieve backup information	CMA_C1267 - Establish alternate storage site to store and retrieve backup information	Manual, Disabled	1.1.0
Govern and monitor audit processing activities	CMA_0289 - Govern and monitor audit processing activities	Manual, Disabled	1.1.0
Manage the transportation of assets	CMA_0370 - Manage the transportation of assets	Manual, Disabled	1.1.0
Protect special information	CMA_0409 - Protect special information	Manual, Disabled	1.1.0
Restrict location of information processing, storage and services	CMA_C1593 - Restrict location of information processing, storage and services	Manual, Disabled	1.1.0
Transfer backup information to an alternate storage site	CMA_C1294 - Transfer backup information to an alternate storage site	Manual, Disabled	1.1.0

0948.09y2Organizational.3-09.y 09.09 Electronic Commerce Services

ID: 0948.09y2Organizational.3-09.y Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Configure workstations to check for digital certificates	CMA_0073 - Configure workstations to check for digital certificates	Manual, Disabled	1.1.0
Distribute authenticators	CMA_0184 - Distribute authenticators	Manual, Disabled	1.1.0
Enforce random unique session identifiers	CMA_0247 - Enforce random unique session identifiers	Manual, Disabled	1.1.0
Enforce SSL connection should be enabled for MySQL database servers	Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.	Audit, Disabled	1.0.1
Issue public key certificates	CMA_0347 - Issue public key certificates	Manual, Disabled	1.1.0
Satisfy token quality requirements	CMA_0487 - Satisfy token quality requirements	Manual, Disabled	1.1.0

0949.09y2Organizational.5-09.y 09.09 Electronic Commerce Services

ID: 0949.09y2Organizational.5-09.y Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
App Service apps should only be accessible over HTTPS	Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.	Audit, Disabled, Deny	4.0.0
App Service apps should use the latest TLS version	Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.	AuditIfNotExists, Disabled	2.0.1
Function apps should only be accessible over HTTPS	Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.	Audit, Disabled, Deny	5.0.0
Function apps should use the latest TLS version	Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.	AuditIfNotExists, Disabled	2.0.1
Identify external service providers	CMA_C1591 - Identify external service providers	Manual, Disabled	1.1.0
Require developer to identify SDLC ports, protocols, and services	CMA_C1578 - Require developer to identify SDLC ports, protocols, and services	Manual, Disabled	1.1.0

0960.09sCSPOrganizational.1-09.s 09.08 Exchange of Information

ID: 0960.09sCSPOrganizational.1-09.s Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Function apps should not have CORS configured to allow every resource to access your apps	Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app.	AuditIfNotExists, Disabled	2.0.0
Identify external service providers	CMA_C1591 - Identify external service providers	Manual, Disabled	1.1.0

099.09m2Organizational.11-09.m 09.06 Network Security Management

ID: 099.09m2Organizational.11-09.m Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Configure workstations to check for digital certificates	CMA_0073 - Configure workstations to check for digital certificates	Manual, Disabled	1.1.0
Define cryptographic use	CMA_0120 - Define cryptographic use	Manual, Disabled	1.1.0
Protect passwords with encryption	CMA_0408 - Protect passwords with encryption	Manual, Disabled	1.1.0

Control of Operational Software

Applications and operating systems are successfully tested for usability, security and impact prior to production.

ID: 0606.10h2System.1 - 10.h Ownership: Customer

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Vulnerabilities in container security configurations should be remediated	Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.	AuditIfNotExists, Disabled	3.0.0

The organization uses its configuration control program to maintain control of all implemented software and its system documentation and archive prior versions of implemented software and associated system documentation.

ID: 0607.10h2System.23 - 10.h Ownership: Customer

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Adaptive application controls for defining safe applications should be enabled on your machines	Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.	AuditIfNotExists, Disabled	3.0.0
Vulnerabilities in security configuration on your virtual machine scale sets should be remediated	Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks.	AuditIfNotExists, Disabled	3.0.0

10 Password Management

1002.01d1System.1-01.d 01.02 Authorized Access to Information Systems

ID: 1002.01d1System.1-01.d Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Obscure feedback information during authentication process	CMA_C1344 - Obscure feedback information during authentication process	Manual, Disabled	1.1.0
Protect passwords with encryption	CMA_0408 - Protect passwords with encryption	Manual, Disabled	1.1.0

1003.01d1System.3-01.d 01.02 Authorized Access to Information Systems

ID: 1003.01d1System.3-01.d Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Implement training for protecting authenticators	CMA_0329 - Implement training for protecting authenticators	Manual, Disabled	1.1.0
Refresh authenticators	CMA_0425 - Refresh authenticators	Manual, Disabled	1.1.0
Verify identity before distributing authenticators	CMA_0538 - Verify identity before distributing authenticators	Manual, Disabled	1.1.0

1004.01d1System.8913-01.d 01.02 Authorized Access to Information Systems

ID: 1004.01d1System.8913-01.d Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Document security strength requirements in acquisition contracts	CMA_0203 - Document security strength requirements in acquisition contracts	Manual, Disabled	1.1.0
Establish a password policy	CMA_0256 - Establish a password policy	Manual, Disabled	1.1.0
Implement parameters for memorized secret verifiers	CMA_0321 - Implement parameters for memorized secret verifiers	Manual, Disabled	1.1.0
Manage authenticator lifetime and reuse	CMA_0355 - Manage authenticator lifetime and reuse	Manual, Disabled	1.1.0
Manage Authenticators	CMA_C1321 - Manage Authenticators	Manual, Disabled	1.1.0
Protect passwords with encryption	CMA_0408 - Protect passwords with encryption	Manual, Disabled	1.1.0
Refresh authenticators	CMA_0425 - Refresh authenticators	Manual, Disabled	1.1.0
Verify identity before distributing authenticators	CMA_0538 - Verify identity before distributing authenticators	Manual, Disabled	1.1.0

1005.01d1System.1011-01.d 01.02 Authorized Access to Information Systems

ID: 1005.01d1System.1011-01.d Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Authenticate to cryptographic module	CMA_0021 - Authenticate to cryptographic module	Manual, Disabled	1.1.0
Define cryptographic use	CMA_0120 - Define cryptographic use	Manual, Disabled	1.1.0
Document security strength requirements in acquisition contracts	CMA_0203 - Document security strength requirements in acquisition contracts	Manual, Disabled	1.1.0
Establish a password policy	CMA_0256 - Establish a password policy	Manual, Disabled	1.1.0
Implement parameters for memorized secret verifiers	CMA_0321 - Implement parameters for memorized secret verifiers	Manual, Disabled	1.1.0
Produce, control and distribute symmetric cryptographic keys	CMA_C1645 - Produce, control and distribute symmetric cryptographic keys	Manual, Disabled	1.1.0

1006.01d2System.1-01.d 01.02 Authorized Access to Information Systems

ID: 1006.01d2System.1-01.d Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Ensure there are no unencrypted static authenticators	CMA_C1340 - Ensure there are no unencrypted static authenticators	Manual, Disabled	1.1.0
Generate error messages	CMA_C1724 - Generate error messages	Manual, Disabled	1.1.0
Identify and authenticate non-organizational users	CMA_C1346 - Identify and authenticate non-organizational users	Manual, Disabled	1.1.0
Implement training for protecting authenticators	CMA_0329 - Implement training for protecting authenticators	Manual, Disabled	1.1.0
Obscure feedback information during authentication process	CMA_C1344 - Obscure feedback information during authentication process	Manual, Disabled	1.1.0

1007.01d2System.2-01.d 01.02 Authorized Access to Information Systems

ID: 1007.01d2System.2-01.d Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Define cryptographic use	CMA_0120 - Define cryptographic use	Manual, Disabled	1.1.0

1008.01d2System.3-01.d 01.02 Authorized Access to Information Systems

ID: 1008.01d2System.3-01.d Ownership: Shared

1009.01d2System.4-01.d 01.02 Authorized Access to Information Systems

ID: 1009.01d2System.4-01.d Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Document security strength requirements in acquisition contracts	CMA_0203 - Document security strength requirements in acquisition contracts	Manual, Disabled	1.1.0
Establish a password policy	CMA_0256 - Establish a password policy	Manual, Disabled	1.1.0
Implement parameters for memorized secret verifiers	CMA_0321 - Implement parameters for memorized secret verifiers	Manual, Disabled	1.1.0
Refresh authenticators	CMA_0425 - Refresh authenticators	Manual, Disabled	1.1.0

1014.01d1System.12-01.d 01.02 Authorized Access to Information Systems

ID: 1014.01d1System.12-01.d Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Document security strength requirements in acquisition contracts	CMA_0203 - Document security strength requirements in acquisition contracts	Manual, Disabled	1.1.0
Establish a password policy	CMA_0256 - Establish a password policy	Manual, Disabled	1.1.0
Establish authenticator types and processes	CMA_0267 - Establish authenticator types and processes	Manual, Disabled	1.1.0
Establish procedures for initial authenticator distribution	CMA_0276 - Establish procedures for initial authenticator distribution	Manual, Disabled	1.1.0
Implement parameters for memorized secret verifiers	CMA_0321 - Implement parameters for memorized secret verifiers	Manual, Disabled	1.1.0
Implement training for protecting authenticators	CMA_0329 - Implement training for protecting authenticators	Manual, Disabled	1.1.0
Manage authenticator lifetime and reuse	CMA_0355 - Manage authenticator lifetime and reuse	Manual, Disabled	1.1.0
Manage Authenticators	CMA_C1321 - Manage Authenticators	Manual, Disabled	1.1.0
Refresh authenticators	CMA_0425 - Refresh authenticators	Manual, Disabled	1.1.0
Reissue authenticators for changed groups and accounts	CMA_0426 - Reissue authenticators for changed groups and accounts	Manual, Disabled	1.1.0
Verify identity before distributing authenticators	CMA_0538 - Verify identity before distributing authenticators	Manual, Disabled	1.1.0

1015.01d1System.14-01.d 01.02 Authorized Access to Information Systems

ID: 1015.01d1System.14-01.d Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Establish authenticator types and processes	CMA_0267 - Establish authenticator types and processes	Manual, Disabled	1.1.0
Establish procedures for initial authenticator distribution	CMA_0276 - Establish procedures for initial authenticator distribution	Manual, Disabled	1.1.0
Reissue authenticators for changed groups and accounts	CMA_0426 - Reissue authenticators for changed groups and accounts	Manual, Disabled	1.1.0
Verify identity before distributing authenticators	CMA_0538 - Verify identity before distributing authenticators	Manual, Disabled	1.1.0

1022.01d1System.15-01.d 01.02 Authorized Access to Information Systems

ID: 1022.01d1System.15-01.d Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Adopt biometric authentication mechanisms	CMA_0005 - Adopt biometric authentication mechanisms	Manual, Disabled	1.1.0
Control use of portable storage devices	CMA_0083 - Control use of portable storage devices	Manual, Disabled	1.1.0
Document security strength requirements in acquisition contracts	CMA_0203 - Document security strength requirements in acquisition contracts	Manual, Disabled	1.1.0
Establish a password policy	CMA_0256 - Establish a password policy	Manual, Disabled	1.1.0
Identify and authenticate network devices	CMA_0296 - Identify and authenticate network devices	Manual, Disabled	1.1.0
Implement parameters for memorized secret verifiers	CMA_0321 - Implement parameters for memorized secret verifiers	Manual, Disabled	1.1.0
Refresh authenticators	CMA_0425 - Refresh authenticators	Manual, Disabled	1.1.0
Restrict media use	CMA_0450 - Restrict media use	Manual, Disabled	1.1.0

1031.01d1System.34510-01.d 01.02 Authorized Access to Information Systems

ID: 1031.01d1System.34510-01.d Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Document security strength requirements in acquisition contracts	CMA_0203 - Document security strength requirements in acquisition contracts	Manual, Disabled	1.1.0
Establish a password policy	CMA_0256 - Establish a password policy	Manual, Disabled	1.1.0
Establish procedures for initial authenticator distribution	CMA_0276 - Establish procedures for initial authenticator distribution	Manual, Disabled	1.1.0
Implement parameters for memorized secret verifiers	CMA_0321 - Implement parameters for memorized secret verifiers	Manual, Disabled	1.1.0
Manage Authenticators	CMA_C1321 - Manage Authenticators	Manual, Disabled	1.1.0
Refresh authenticators	CMA_0425 - Refresh authenticators	Manual, Disabled	1.1.0

11 Access Control

1106.01b1System.1-01.b 01.02 Authorized Access to Information Systems

ID: 1106.01b1System.1-01.b Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Assign account managers	CMA_0015 - Assign account managers	Manual, Disabled	1.1.0
Audit user account status	CMA_0020 - Audit user account status	Manual, Disabled	1.1.0
Define information system account types	CMA_0121 - Define information system account types	Manual, Disabled	1.1.0
Document access privileges	CMA_0186 - Document access privileges	Manual, Disabled	1.1.0
Establish conditions for role membership	CMA_0269 - Establish conditions for role membership	Manual, Disabled	1.1.0
Require approval for account creation	CMA_0431 - Require approval for account creation	Manual, Disabled	1.1.0
Restrict access to privileged accounts	CMA_0446 - Restrict access to privileged accounts	Manual, Disabled	1.1.0
Review account provisioning logs	CMA_0460 - Review account provisioning logs	Manual, Disabled	1.1.0
Review user accounts	CMA_0480 - Review user accounts	Manual, Disabled	1.1.0
Verify identity before distributing authenticators	CMA_0538 - Verify identity before distributing authenticators	Manual, Disabled	1.1.0

1107.01b1System.2-01.b 01.02 Authorized Access to Information Systems

ID: 1107.01b1System.2-01.b Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Establish authenticator types and processes	CMA_0267 - Establish authenticator types and processes	Manual, Disabled	1.1.0
Establish procedures for initial authenticator distribution	CMA_0276 - Establish procedures for initial authenticator distribution	Manual, Disabled	1.1.0
Manage Authenticators	CMA_C1321 - Manage Authenticators	Manual, Disabled	1.1.0
Verify identity before distributing authenticators	CMA_0538 - Verify identity before distributing authenticators	Manual, Disabled	1.1.0

1108.01b1System.3-01.b 01.02 Authorized Access to Information Systems

ID: 1108.01b1System.3-01.b Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Assign account managers	CMA_0015 - Assign account managers	Manual, Disabled	1.1.0
Define information system account types	CMA_0121 - Define information system account types	Manual, Disabled	1.1.0
Monitor account activity	CMA_0377 - Monitor account activity	Manual, Disabled	1.1.0
Notify Account Managers of customer controlled accounts	CMA_C1009 - Notify Account Managers of customer controlled accounts	Manual, Disabled	1.1.0

1109.01b1System.479-01.b 01.02 Authorized Access to Information Systems

ID: 1109.01b1System.479-01.b Ownership: Shared

1110.01b1System.5-01.b 01.02 Authorized Access to Information Systems

ID: 1110.01b1System.5-01.b Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Define and enforce conditions for shared and group accounts	CMA_0117 - Define and enforce conditions for shared and group accounts	Manual, Disabled	1.1.0
Develop acceptable use policies and procedures	CMA_0143 - Develop acceptable use policies and procedures	Manual, Disabled	1.1.0
Develop organization code of conduct policy	CMA_0159 - Develop organization code of conduct policy	Manual, Disabled	1.1.0
Document personnel acceptance of privacy requirements	CMA_0193 - Document personnel acceptance of privacy requirements	Manual, Disabled	1.1.0
Enforce rules of behavior and access agreements	CMA_0248 - Enforce rules of behavior and access agreements	Manual, Disabled	1.1.0
Prohibit unfair practices	CMA_0396 - Prohibit unfair practices	Manual, Disabled	1.1.0
Reissue authenticators for changed groups and accounts	CMA_0426 - Reissue authenticators for changed groups and accounts	Manual, Disabled	1.1.0
Review and sign revised rules of behavior	CMA_0465 - Review and sign revised rules of behavior	Manual, Disabled	1.1.0
Update information security policies	CMA_0518 - Update information security policies	Manual, Disabled	1.1.0
Update rules of behavior and access agreements	CMA_0521 - Update rules of behavior and access agreements	Manual, Disabled	1.1.0
Update rules of behavior and access agreements every 3 years	CMA_0522 - Update rules of behavior and access agreements every 3 years	Manual, Disabled	1.1.0

11109.01q1Organizational.57-01.q 01.05 Operating System Access Control

ID: 11109.01q1Organizational.57-01.q Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Accounts with owner permissions on Azure resources should be MFA enabled	Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.	AuditIfNotExists, Disabled	1.0.0
Adopt biometric authentication mechanisms	CMA_0005 - Adopt biometric authentication mechanisms	Manual, Disabled	1.1.0
Assign system identifiers	CMA_0018 - Assign system identifiers	Manual, Disabled	1.1.0
Enforce user uniqueness	CMA_0250 - Enforce user uniqueness	Manual, Disabled	1.1.0
Identify status of individual users	CMA_C1316 - Identify status of individual users	Manual, Disabled	1.1.0
Prevent identifier reuse for the defined time period	CMA_C1314 - Prevent identifier reuse for the defined time period	Manual, Disabled	1.1.0
Support personal verification credentials issued by legal authorities	CMA_0507 - Support personal verification credentials issued by legal authorities	Manual, Disabled	1.1.0

1111.01b2System.1-01.b 01.02 Authorized Access to Information Systems

ID: 1111.01b2System.1-01.b Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Define and enforce conditions for shared and group accounts	CMA_0117 - Define and enforce conditions for shared and group accounts	Manual, Disabled	1.1.0
Reissue authenticators for changed groups and accounts	CMA_0426 - Reissue authenticators for changed groups and accounts	Manual, Disabled	1.1.0

11111.01q2System.4-01.q 01.05 Operating System Access Control

ID: 11111.01q2System.4-01.q Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Accounts with read permissions on Azure resources should be MFA enabled	Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.	AuditIfNotExists, Disabled	1.0.0
Establish authenticator types and processes	CMA_0267 - Establish authenticator types and processes	Manual, Disabled	1.1.0
Establish procedures for initial authenticator distribution	CMA_0276 - Establish procedures for initial authenticator distribution	Manual, Disabled	1.1.0
Verify identity before distributing authenticators	CMA_0538 - Verify identity before distributing authenticators	Manual, Disabled	1.1.0

11112.01q2Organizational.67-01.q 01.05 Operating System Access Control

ID: 11112.01q2Organizational.67-01.q Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
A maximum of 3 owners should be designated for your subscription	It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner.	AuditIfNotExists, Disabled	3.0.0
Adopt biometric authentication mechanisms	CMA_0005 - Adopt biometric authentication mechanisms	Manual, Disabled	1.1.0
Satisfy token quality requirements	CMA_0487 - Satisfy token quality requirements	Manual, Disabled	1.1.0

1112.01b2System.2-01.b 01.02 Authorized Access to Information Systems

ID: 1112.01b2System.2-01.b Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Assign an authorizing official (AO)	CMA_C1158 - Assign an authorizing official (AO)	Manual, Disabled	1.1.0
Distribute authenticators	CMA_0184 - Distribute authenticators	Manual, Disabled	1.1.0
Ensure resources are authorized	CMA_C1159 - Ensure resources are authorized	Manual, Disabled	1.1.0
Establish authenticator types and processes	CMA_0267 - Establish authenticator types and processes	Manual, Disabled	1.1.0
Satisfy token quality requirements	CMA_0487 - Satisfy token quality requirements	Manual, Disabled	1.1.0
Update the security authorization	CMA_C1160 - Update the security authorization	Manual, Disabled	1.1.0
Verify identity before distributing authenticators	CMA_0538 - Verify identity before distributing authenticators	Manual, Disabled	1.1.0

11126.01t1Organizational.12-01.t 01.05 Operating System Access Control

ID: 11126.01t1Organizational.12-01.t Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Reauthenticate or terminate a user session	CMA_0421 - Reauthenticate or terminate a user session	Manual, Disabled	1.1.0

1114.01h1Organizational.123-01.h 01.03 User Responsibilities

ID: 1114.01h1Organizational.123-01.h Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Define and enforce the limit of concurrent sessions	CMA_C1050 - Define and enforce the limit of concurrent sessions	Manual, Disabled	1.1.0
Terminate user session automatically	CMA_C1054 - Terminate user session automatically	Manual, Disabled	1.1.0

11154.02i1Organizational.5-02.i 02.04 Termination or Change of Employment

ID: 11154.02i1Organizational.5-02.i Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Conduct exit interview upon termination	CMA_0058 - Conduct exit interview upon termination	Manual, Disabled	1.1.0
Disable authenticators upon termination	CMA_0169 - Disable authenticators upon termination	Manual, Disabled	1.1.0
Initiate transfer or reassignment actions	CMA_0333 - Initiate transfer or reassignment actions	Manual, Disabled	1.1.0
Modify access authorizations upon personnel transfer	CMA_0374 - Modify access authorizations upon personnel transfer	Manual, Disabled	1.1.0
Notify upon termination or transfer	CMA_0381 - Notify upon termination or transfer	Manual, Disabled	1.1.0
Protect against and prevent data theft from departing employees	CMA_0398 - Protect against and prevent data theft from departing employees	Manual, Disabled	1.1.0
Reevaluate access upon personnel transfer	CMA_0424 - Reevaluate access upon personnel transfer	Manual, Disabled	1.1.0
Retain terminated user data	CMA_0455 - Retain terminated user data	Manual, Disabled	1.1.0

11155.02i2Organizational.2-02.i 02.04 Termination or Change of Employment

ID: 11155.02i2Organizational.2-02.i Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Automate account management	CMA_0026 - Automate account management	Manual, Disabled	1.1.0
Conduct exit interview upon termination	CMA_0058 - Conduct exit interview upon termination	Manual, Disabled	1.1.0
Disable authenticators upon termination	CMA_0169 - Disable authenticators upon termination	Manual, Disabled	1.1.0
Manage system and admin accounts	CMA_0368 - Manage system and admin accounts	Manual, Disabled	1.1.0
Monitor access across the organization	CMA_0376 - Monitor access across the organization	Manual, Disabled	1.1.0
Notify Account Managers of customer controlled accounts	CMA_C1009 - Notify Account Managers of customer controlled accounts	Manual, Disabled	1.1.0
Notify upon termination or transfer	CMA_0381 - Notify upon termination or transfer	Manual, Disabled	1.1.0
Notify when account is not needed	CMA_0383 - Notify when account is not needed	Manual, Disabled	1.1.0
Protect against and prevent data theft from departing employees	CMA_0398 - Protect against and prevent data theft from departing employees	Manual, Disabled	1.1.0
Retain terminated user data	CMA_0455 - Retain terminated user data	Manual, Disabled	1.1.0

1116.01j1Organizational.145-01.j 01.04 Network Access Control

ID: 1116.01j1Organizational.145-01.j Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Accounts with owner permissions on Azure resources should be MFA enabled	Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.	AuditIfNotExists, Disabled	1.0.0
Document security strength requirements in acquisition contracts	CMA_0203 - Document security strength requirements in acquisition contracts	Manual, Disabled	1.1.0
Establish a password policy	CMA_0256 - Establish a password policy	Manual, Disabled	1.1.0
Establish authenticator types and processes	CMA_0267 - Establish authenticator types and processes	Manual, Disabled	1.1.0
Implement parameters for memorized secret verifiers	CMA_0321 - Implement parameters for memorized secret verifiers	Manual, Disabled	1.1.0
Verify identity before distributing authenticators	CMA_0538 - Verify identity before distributing authenticators	Manual, Disabled	1.1.0

1118.01j2Organizational.124-01.j 01.04 Network Access Control

ID: 1118.01j2Organizational.124-01.j Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Accounts with read permissions on Azure resources should be MFA enabled	Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.	AuditIfNotExists, Disabled	1.0.0
Authorize remote access	CMA_0024 - Authorize remote access	Manual, Disabled	1.1.0
Document mobility training	CMA_0191 - Document mobility training	Manual, Disabled	1.1.0
Document remote access guidelines	CMA_0196 - Document remote access guidelines	Manual, Disabled	1.1.0
Implement controls to secure alternate work sites	CMA_0315 - Implement controls to secure alternate work sites	Manual, Disabled	1.1.0
Monitor access across the organization	CMA_0376 - Monitor access across the organization	Manual, Disabled	1.1.0
Notify users of system logon or access	CMA_0382 - Notify users of system logon or access	Manual, Disabled	1.1.0
Provide privacy training	CMA_0415 - Provide privacy training	Manual, Disabled	1.1.0
Route traffic through managed network access points	CMA_0484 - Route traffic through managed network access points	Manual, Disabled	1.1.0

11180.01c3System.6-01.c 01.02 Authorized Access to Information Systems

ID: 11180.01c3System.6-01.c Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Authorize access to security functions and information	CMA_0022 - Authorize access to security functions and information	Manual, Disabled	1.1.0
Authorize and manage access	CMA_0023 - Authorize and manage access	Manual, Disabled	1.1.0
Design an access control model	CMA_0129 - Design an access control model	Manual, Disabled	1.1.0
Employ least privilege access	CMA_0212 - Employ least privilege access	Manual, Disabled	1.1.0
Enforce mandatory and discretionary access control policies	CMA_0246 - Enforce mandatory and discretionary access control policies	Manual, Disabled	1.1.0
Management ports of virtual machines should be protected with just-in-time network access control	Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations	AuditIfNotExists, Disabled	3.0.0
Restrict access to privileged accounts	CMA_0446 - Restrict access to privileged accounts	Manual, Disabled	1.1.0

1119.01j2Organizational.3-01.j 01.04 Network Access Control

ID: 1119.01j2Organizational.3-01.j Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Enable detection of network devices	CMA_0220 - Enable detection of network devices	Manual, Disabled	1.1.0
Management ports of virtual machines should be protected with just-in-time network access control	Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations	AuditIfNotExists, Disabled	3.0.0
Require interconnection security agreements	CMA_C1151 - Require interconnection security agreements	Manual, Disabled	1.1.0
Secure the interface to external systems	CMA_0491 - Secure the interface to external systems	Manual, Disabled	1.1.0
Set automated notifications for new and trending cloud applications in your organization	CMA_0495 - Set automated notifications for new and trending cloud applications in your organization	Manual, Disabled	1.1.0

11190.01t1Organizational.3-01.t 01.05 Operating System Access Control

ID: 11190.01t1Organizational.3-01.t Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Adopt biometric authentication mechanisms	CMA_0005 - Adopt biometric authentication mechanisms	Manual, Disabled	1.1.0
Control physical access	CMA_0081 - Control physical access	Manual, Disabled	1.1.0
Identify and authenticate network devices	CMA_0296 - Identify and authenticate network devices	Manual, Disabled	1.1.0
Implement physical security for offices, working areas, and secure areas	CMA_0323 - Implement physical security for offices, working areas, and secure areas	Manual, Disabled	1.1.0
Manage the input, output, processing, and storage of data	CMA_0369 - Manage the input, output, processing, and storage of data	Manual, Disabled	1.1.0

1120.09ab3System.9-09.ab 09.10 Monitoring

ID: 1120.09ab3System.9-09.ab Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Azure Monitor should collect activity logs from all regions	This policy audits the Azure Monitor log profile which does not export activities from all Azure supported regions including global.	AuditIfNotExists, Disabled	2.0.0

1121.01j3Organizational.2-01.j 01.04 Network Access Control

ID: 1121.01j3Organizational.2-01.j Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Accounts with owner permissions on Azure resources should be MFA enabled	Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.	AuditIfNotExists, Disabled	1.0.0
Adopt biometric authentication mechanisms	CMA_0005 - Adopt biometric authentication mechanisms	Manual, Disabled	1.1.0
Authorize remote access	CMA_0024 - Authorize remote access	Manual, Disabled	1.1.0
Document mobility training	CMA_0191 - Document mobility training	Manual, Disabled	1.1.0
Document remote access guidelines	CMA_0196 - Document remote access guidelines	Manual, Disabled	1.1.0
Enforce user uniqueness	CMA_0250 - Enforce user uniqueness	Manual, Disabled	1.1.0
Identify and authenticate network devices	CMA_0296 - Identify and authenticate network devices	Manual, Disabled	1.1.0
Implement controls to secure alternate work sites	CMA_0315 - Implement controls to secure alternate work sites	Manual, Disabled	1.1.0
Notify users of system logon or access	CMA_0382 - Notify users of system logon or access	Manual, Disabled	1.1.0
Provide privacy training	CMA_0415 - Provide privacy training	Manual, Disabled	1.1.0
Support personal verification credentials issued by legal authorities	CMA_0507 - Support personal verification credentials issued by legal authorities	Manual, Disabled	1.1.0

11219.01b1Organizational.10-01.b 01.02 Authorized Access to Information Systems

ID: 11219.01b1Organizational.10-01.b Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Define access authorizations to support separation of duties	CMA_0116 - Define access authorizations to support separation of duties	Manual, Disabled	1.1.0
Design an access control model	CMA_0129 - Design an access control model	Manual, Disabled	1.1.0
Document separation of duties	CMA_0204 - Document separation of duties	Manual, Disabled	1.1.0
Employ least privilege access	CMA_0212 - Employ least privilege access	Manual, Disabled	1.1.0
Separate duties of individuals	CMA_0492 - Separate duties of individuals	Manual, Disabled	1.1.0

1122.01q1System.1-01.q 01.05 Operating System Access Control

ID: 1122.01q1System.1-01.q Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Accept only FICAM-approved third-party credentials	CMA_C1348 - Accept only FICAM-approved third-party credentials	Manual, Disabled	1.1.0
Adopt biometric authentication mechanisms	CMA_0005 - Adopt biometric authentication mechanisms	Manual, Disabled	1.1.0
Conform to FICAM-issued profiles	CMA_C1350 - Conform to FICAM-issued profiles	Manual, Disabled	1.1.0
Employ FICAM-approved resources to accept third-party credentials	CMA_C1349 - Employ FICAM-approved resources to accept third-party credentials	Manual, Disabled	1.1.0
Enforce user uniqueness	CMA_0250 - Enforce user uniqueness	Manual, Disabled	1.1.0
Identify and authenticate non-organizational users	CMA_C1346 - Identify and authenticate non-organizational users	Manual, Disabled	1.1.0
Support personal verification credentials issued by legal authorities	CMA_0507 - Support personal verification credentials issued by legal authorities	Manual, Disabled	1.1.0

11220.01b1System.10-01.b 01.02 Authorized Access to Information Systems

ID: 11220.01b1System.10-01.b Ownership: Shared

1123.01q1System.2-01.q 01.05 Operating System Access Control

ID: 1123.01q1System.2-01.q Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Audit Windows machines that have extra accounts in the Administrators group	Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains members that are not listed in the policy parameter.	auditIfNotExists	2.0.0
Authorize access to security functions and information	CMA_0022 - Authorize access to security functions and information	Manual, Disabled	1.1.0
Authorize and manage access	CMA_0023 - Authorize and manage access	Manual, Disabled	1.1.0
Design an access control model	CMA_0129 - Design an access control model	Manual, Disabled	1.1.0
Employ least privilege access	CMA_0212 - Employ least privilege access	Manual, Disabled	1.1.0
Enforce mandatory and discretionary access control policies	CMA_0246 - Enforce mandatory and discretionary access control policies	Manual, Disabled	1.1.0

1124.01q1System.34-01.q 01.05 Operating System Access Control

ID: 1124.01q1System.34-01.q Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Define and enforce conditions for shared and group accounts	CMA_0117 - Define and enforce conditions for shared and group accounts	Manual, Disabled	1.1.0
Reissue authenticators for changed groups and accounts	CMA_0426 - Reissue authenticators for changed groups and accounts	Manual, Disabled	1.1.0

1125.01q2System.1-01.q 01.05 Operating System Access Control

ID: 1125.01q2System.1-01.q Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Adopt biometric authentication mechanisms	CMA_0005 - Adopt biometric authentication mechanisms	Manual, Disabled	1.1.0
Audit Windows machines that have the specified members in the Administrators group	Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter.	auditIfNotExists	2.0.0
Enforce user uniqueness	CMA_0250 - Enforce user uniqueness	Manual, Disabled	1.1.0
Support personal verification credentials issued by legal authorities	CMA_0507 - Support personal verification credentials issued by legal authorities	Manual, Disabled	1.1.0

1127.01q2System.3-01.q 01.05 Operating System Access Control

ID: 1127.01q2System.3-01.q Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Audit Windows machines missing any of specified members in the Administrators group	Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group does not contain one or more members that are listed in the policy parameter.	auditIfNotExists	2.0.0
Distribute authenticators	CMA_0184 - Distribute authenticators	Manual, Disabled	1.1.0

1128.01q2System.5-01.q 01.05 Operating System Access Control

ID: 1128.01q2System.5-01.q Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Develop acceptable use policies and procedures	CMA_0143 - Develop acceptable use policies and procedures	Manual, Disabled	1.1.0
Enforce rules of behavior and access agreements	CMA_0248 - Enforce rules of behavior and access agreements	Manual, Disabled	1.1.0
Provide privacy training	CMA_0415 - Provide privacy training	Manual, Disabled	1.1.0

1129.01v1System.12-01.v 01.06 Application and Information Access Control

ID: 1129.01v1System.12-01.v Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Audit privileged functions	CMA_0019 - Audit privileged functions	Manual, Disabled	1.1.0
Authorize access to security functions and information	CMA_0022 - Authorize access to security functions and information	Manual, Disabled	1.1.0
Authorize and manage access	CMA_0023 - Authorize and manage access	Manual, Disabled	1.1.0
Define information system account types	CMA_0121 - Define information system account types	Manual, Disabled	1.1.0
Design an access control model	CMA_0129 - Design an access control model	Manual, Disabled	1.1.0
Employ least privilege access	CMA_0212 - Employ least privilege access	Manual, Disabled	1.1.0
Enforce mandatory and discretionary access control policies	CMA_0246 - Enforce mandatory and discretionary access control policies	Manual, Disabled	1.1.0
Monitor account activity	CMA_0377 - Monitor account activity	Manual, Disabled	1.1.0
Monitor privileged role assignment	CMA_0378 - Monitor privileged role assignment	Manual, Disabled	1.1.0
Restrict access to privileged accounts	CMA_0446 - Restrict access to privileged accounts	Manual, Disabled	1.1.0
Revoke privileged roles as appropriate	CMA_0483 - Revoke privileged roles as appropriate	Manual, Disabled	1.1.0
Use privileged identity management	CMA_0533 - Use privileged identity management	Manual, Disabled	1.1.0

1130.01v2System.1-01.v 01.06 Application and Information Access Control

ID: 1130.01v2System.1-01.v Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Assign account managers	CMA_0015 - Assign account managers	Manual, Disabled	1.1.0
Define information system account types	CMA_0121 - Define information system account types	Manual, Disabled	1.1.0
Document access privileges	CMA_0186 - Document access privileges	Manual, Disabled	1.1.0
Establish conditions for role membership	CMA_0269 - Establish conditions for role membership	Manual, Disabled	1.1.0
Restrict access to privileged accounts	CMA_0446 - Restrict access to privileged accounts	Manual, Disabled	1.1.0

1131.01v2System.2-01.v 01.06 Application and Information Access Control

ID: 1131.01v2System.2-01.v Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Control information flow	CMA_0079 - Control information flow	Manual, Disabled	1.1.0
Employ flow control mechanisms of encrypted information	CMA_0211 - Employ flow control mechanisms of encrypted information	Manual, Disabled	1.1.0
Establish firewall and router configuration standards	CMA_0272 - Establish firewall and router configuration standards	Manual, Disabled	1.1.0
Establish network segmentation for card holder data environment	CMA_0273 - Establish network segmentation for card holder data environment	Manual, Disabled	1.1.0
Identify and manage downstream information exchanges	CMA_0298 - Identify and manage downstream information exchanges	Manual, Disabled	1.1.0
Information flow control using security policy filters	CMA_C1029 - Information flow control using security policy filters	Manual, Disabled	1.1.0

1132.01v2System.3-01.v 01.06 Application and Information Access Control

ID: 1132.01v2System.3-01.v Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Establish a data leakage management procedure	CMA_0255 - Establish a data leakage management procedure	Manual, Disabled	1.1.0
Protect special information	CMA_0409 - Protect special information	Manual, Disabled	1.1.0

1133.01v2System.4-01.v 01.06 Application and Information Access Control

ID: 1133.01v2System.4-01.v Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Identify actions allowed without authentication	CMA_0295 - Identify actions allowed without authentication	Manual, Disabled	1.1.0

1134.01v3System.1-01.v 01.06 Application and Information Access Control

ID: 1134.01v3System.1-01.v Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Establish a data leakage management procedure	CMA_0255 - Establish a data leakage management procedure	Manual, Disabled	1.1.0
Limit privileges to make changes in production environment	CMA_C1206 - Limit privileges to make changes in production environment	Manual, Disabled	1.1.0
Protect special information	CMA_0409 - Protect special information	Manual, Disabled	1.1.0

1135.02i1Organizational.1234-02.i 02.04 Termination or Change of Employment

ID: 1135.02i1Organizational.1234-02.i Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Conduct exit interview upon termination	CMA_0058 - Conduct exit interview upon termination	Manual, Disabled	1.1.0
Disable authenticators upon termination	CMA_0169 - Disable authenticators upon termination	Manual, Disabled	1.1.0
Initiate transfer or reassignment actions	CMA_0333 - Initiate transfer or reassignment actions	Manual, Disabled	1.1.0
Modify access authorizations upon personnel transfer	CMA_0374 - Modify access authorizations upon personnel transfer	Manual, Disabled	1.1.0
Notify upon termination or transfer	CMA_0381 - Notify upon termination or transfer	Manual, Disabled	1.1.0
Protect against and prevent data theft from departing employees	CMA_0398 - Protect against and prevent data theft from departing employees	Manual, Disabled	1.1.0
Reevaluate access upon personnel transfer	CMA_0424 - Reevaluate access upon personnel transfer	Manual, Disabled	1.1.0
Retain terminated user data	CMA_0455 - Retain terminated user data	Manual, Disabled	1.1.0
Revoke privileged roles as appropriate	CMA_0483 - Revoke privileged roles as appropriate	Manual, Disabled	1.1.0

1136.02i2Organizational.1-02.i 02.04 Termination or Change of Employment

ID: 1136.02i2Organizational.1-02.i Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Conduct exit interview upon termination	CMA_0058 - Conduct exit interview upon termination	Manual, Disabled	1.1.0
Disable authenticators upon termination	CMA_0169 - Disable authenticators upon termination	Manual, Disabled	1.1.0
Disable user accounts posing a significant risk	CMA_C1026 - Disable user accounts posing a significant risk	Manual, Disabled	1.1.0
Notify upon termination or transfer	CMA_0381 - Notify upon termination or transfer	Manual, Disabled	1.1.0
Protect against and prevent data theft from departing employees	CMA_0398 - Protect against and prevent data theft from departing employees	Manual, Disabled	1.1.0
Retain terminated user data	CMA_0455 - Retain terminated user data	Manual, Disabled	1.1.0

1137.06e1Organizational.1-06.e 06.01 Compliance with Legal Requirements

ID: 1137.06e1Organizational.1-06.e Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Develop acceptable use policies and procedures	CMA_0143 - Develop acceptable use policies and procedures	Manual, Disabled	1.1.0
Develop organization code of conduct policy	CMA_0159 - Develop organization code of conduct policy	Manual, Disabled	1.1.0
Document personnel acceptance of privacy requirements	CMA_0193 - Document personnel acceptance of privacy requirements	Manual, Disabled	1.1.0
Enforce rules of behavior and access agreements	CMA_0248 - Enforce rules of behavior and access agreements	Manual, Disabled	1.1.0
Prohibit unfair practices	CMA_0396 - Prohibit unfair practices	Manual, Disabled	1.1.0
Review and sign revised rules of behavior	CMA_0465 - Review and sign revised rules of behavior	Manual, Disabled	1.1.0
Update rules of behavior and access agreements	CMA_0521 - Update rules of behavior and access agreements	Manual, Disabled	1.1.0
Update rules of behavior and access agreements every 3 years	CMA_0522 - Update rules of behavior and access agreements every 3 years	Manual, Disabled	1.1.0

1139.01b1System.68-01.b 01.02 Authorized Access to Information Systems

ID: 1139.01b1System.68-01.b Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Define and enforce conditions for shared and group accounts	CMA_0117 - Define and enforce conditions for shared and group accounts	Manual, Disabled	1.1.0
Define information system account types	CMA_0121 - Define information system account types	Manual, Disabled	1.1.0
Document access privileges	CMA_0186 - Document access privileges	Manual, Disabled	1.1.0
Establish conditions for role membership	CMA_0269 - Establish conditions for role membership	Manual, Disabled	1.1.0
Reissue authenticators for changed groups and accounts	CMA_0426 - Reissue authenticators for changed groups and accounts	Manual, Disabled	1.1.0
Restrict access to privileged accounts	CMA_0446 - Restrict access to privileged accounts	Manual, Disabled	1.1.0

1143.01c1System.123-01.c 01.02 Authorized Access to Information Systems

ID: 1143.01c1System.123-01.c Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Authorize access to security functions and information	CMA_0022 - Authorize access to security functions and information	Manual, Disabled	1.1.0
Authorize and manage access	CMA_0023 - Authorize and manage access	Manual, Disabled	1.1.0
Design an access control model	CMA_0129 - Design an access control model	Manual, Disabled	1.1.0
Employ least privilege access	CMA_0212 - Employ least privilege access	Manual, Disabled	1.1.0
Enforce mandatory and discretionary access control policies	CMA_0246 - Enforce mandatory and discretionary access control policies	Manual, Disabled	1.1.0
Management ports should be closed on your virtual machines	Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.	AuditIfNotExists, Disabled	3.0.0
Monitor account activity	CMA_0377 - Monitor account activity	Manual, Disabled	1.1.0
Notify Account Managers of customer controlled accounts	CMA_C1009 - Notify Account Managers of customer controlled accounts	Manual, Disabled	1.1.0
Require approval for account creation	CMA_0431 - Require approval for account creation	Manual, Disabled	1.1.0
Restrict access to privileged accounts	CMA_0446 - Restrict access to privileged accounts	Manual, Disabled	1.1.0

1144.01c1System.4-01.c 01.02 Authorized Access to Information Systems

ID: 1144.01c1System.4-01.c Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
A maximum of 3 owners should be designated for your subscription	It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner.	AuditIfNotExists, Disabled	3.0.0
Authorize access to security functions and information	CMA_0022 - Authorize access to security functions and information	Manual, Disabled	1.1.0
Authorize and manage access	CMA_0023 - Authorize and manage access	Manual, Disabled	1.1.0
Design an access control model	CMA_0129 - Design an access control model	Manual, Disabled	1.1.0
Employ least privilege access	CMA_0212 - Employ least privilege access	Manual, Disabled	1.1.0
Enforce mandatory and discretionary access control policies	CMA_0246 - Enforce mandatory and discretionary access control policies	Manual, Disabled	1.1.0

1145.01c2System.1-01.c 01.02 Authorized Access to Information Systems

ID: 1145.01c2System.1-01.c Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Audit privileged functions	CMA_0019 - Audit privileged functions	Manual, Disabled	1.1.0
Monitor account activity	CMA_0377 - Monitor account activity	Manual, Disabled	1.1.0
Monitor privileged role assignment	CMA_0378 - Monitor privileged role assignment	Manual, Disabled	1.1.0
Require approval for account creation	CMA_0431 - Require approval for account creation	Manual, Disabled	1.1.0
Restrict access to privileged accounts	CMA_0446 - Restrict access to privileged accounts	Manual, Disabled	1.1.0
Revoke privileged roles as appropriate	CMA_0483 - Revoke privileged roles as appropriate	Manual, Disabled	1.1.0
There should be more than one owner assigned to your subscription	It is recommended to designate more than one subscription owner in order to have administrator access redundancy.	AuditIfNotExists, Disabled	3.0.0
Use privileged identity management	CMA_0533 - Use privileged identity management	Manual, Disabled	1.1.0

1146.01c2System.23-01.c 01.02 Authorized Access to Information Systems

ID: 1146.01c2System.23-01.c Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Authorize access to security functions and information	CMA_0022 - Authorize access to security functions and information	Manual, Disabled	1.1.0
Authorize and manage access	CMA_0023 - Authorize and manage access	Manual, Disabled	1.1.0
Design an access control model	CMA_0129 - Design an access control model	Manual, Disabled	1.1.0
Employ least privilege access	CMA_0212 - Employ least privilege access	Manual, Disabled	1.1.0
Enforce mandatory and discretionary access control policies	CMA_0246 - Enforce mandatory and discretionary access control policies	Manual, Disabled	1.1.0
Enforce software execution privileges	CMA_C1041 - Enforce software execution privileges	Manual, Disabled	1.1.0
Guest accounts with owner permissions on Azure resources should be removed	External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access.	AuditIfNotExists, Disabled	1.0.0
Restrict access to privileged accounts	CMA_0446 - Restrict access to privileged accounts	Manual, Disabled	1.1.0

1147.01c2System.456-01.c 01.02 Authorized Access to Information Systems

ID: 1147.01c2System.456-01.c Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Authorize access to security functions and information	CMA_0022 - Authorize access to security functions and information	Manual, Disabled	1.1.0
Authorize and manage access	CMA_0023 - Authorize and manage access	Manual, Disabled	1.1.0
Blocked accounts with owner permissions on Azure resources should be removed	Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in.	AuditIfNotExists, Disabled	1.0.0
Design an access control model	CMA_0129 - Design an access control model	Manual, Disabled	1.1.0
Employ least privilege access	CMA_0212 - Employ least privilege access	Manual, Disabled	1.1.0
Enforce mandatory and discretionary access control policies	CMA_0246 - Enforce mandatory and discretionary access control policies	Manual, Disabled	1.1.0

1148.01c2System.78-01.c 01.02 Authorized Access to Information Systems

ID: 1148.01c2System.78-01.c Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Audit usage of custom RBAC roles	Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling	Audit, Disabled	1.0.1
Authorize access to security functions and information	CMA_0022 - Authorize access to security functions and information	Manual, Disabled	1.1.0
Authorize and manage access	CMA_0023 - Authorize and manage access	Manual, Disabled	1.1.0
Design an access control model	CMA_0129 - Design an access control model	Manual, Disabled	1.1.0
Employ least privilege access	CMA_0212 - Employ least privilege access	Manual, Disabled	1.1.0
Enforce mandatory and discretionary access control policies	CMA_0246 - Enforce mandatory and discretionary access control policies	Manual, Disabled	1.1.0
Restrict access to privileged accounts	CMA_0446 - Restrict access to privileged accounts	Manual, Disabled	1.1.0
Windows machines should meet requirements for 'Security Options - Accounts'	Windows machines should have the specified Group Policy settings in the category 'Security Options - Accounts' for limiting local account use of blank passwords and guest account status. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.	AuditIfNotExists, Disabled	3.0.0

1150.01c2System.10-01.c 01.02 Authorized Access to Information Systems

ID: 1150.01c2System.10-01.c Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Control information flow	CMA_0079 - Control information flow	Manual, Disabled	1.1.0
Employ flow control mechanisms of encrypted information	CMA_0211 - Employ flow control mechanisms of encrypted information	Manual, Disabled	1.1.0
Establish firewall and router configuration standards	CMA_0272 - Establish firewall and router configuration standards	Manual, Disabled	1.1.0
Establish network segmentation for card holder data environment	CMA_0273 - Establish network segmentation for card holder data environment	Manual, Disabled	1.1.0
Identify and manage downstream information exchanges	CMA_0298 - Identify and manage downstream information exchanges	Manual, Disabled	1.1.0
Information flow control using security policy filters	CMA_C1029 - Information flow control using security policy filters	Manual, Disabled	1.1.0
Management ports should be closed on your virtual machines	Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.	AuditIfNotExists, Disabled	3.0.0

1151.01c3System.1-01.c 01.02 Authorized Access to Information Systems

ID: 1151.01c3System.1-01.c Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
A maximum of 3 owners should be designated for your subscription	It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner.	AuditIfNotExists, Disabled	3.0.0
Audit privileged functions	CMA_0019 - Audit privileged functions	Manual, Disabled	1.1.0
Conduct a full text analysis of logged privileged commands	CMA_0056 - Conduct a full text analysis of logged privileged commands	Manual, Disabled	1.1.0
Monitor privileged role assignment	CMA_0378 - Monitor privileged role assignment	Manual, Disabled	1.1.0
Restrict access to privileged accounts	CMA_0446 - Restrict access to privileged accounts	Manual, Disabled	1.1.0
Revoke privileged roles as appropriate	CMA_0483 - Revoke privileged roles as appropriate	Manual, Disabled	1.1.0
Use privileged identity management	CMA_0533 - Use privileged identity management	Manual, Disabled	1.1.0

1152.01c3System.2-01.c 01.02 Authorized Access to Information Systems

ID: 1152.01c3System.2-01.c Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Audit privileged functions	CMA_0019 - Audit privileged functions	Manual, Disabled	1.1.0
Conduct a full text analysis of logged privileged commands	CMA_0056 - Conduct a full text analysis of logged privileged commands	Manual, Disabled	1.1.0
Design an access control model	CMA_0129 - Design an access control model	Manual, Disabled	1.1.0
Employ least privilege access	CMA_0212 - Employ least privilege access	Manual, Disabled	1.1.0
Monitor privileged role assignment	CMA_0378 - Monitor privileged role assignment	Manual, Disabled	1.1.0
Restrict access to privileged accounts	CMA_0446 - Restrict access to privileged accounts	Manual, Disabled	1.1.0
Revoke privileged roles as appropriate	CMA_0483 - Revoke privileged roles as appropriate	Manual, Disabled	1.1.0
There should be more than one owner assigned to your subscription	It is recommended to designate more than one subscription owner in order to have administrator access redundancy.	AuditIfNotExists, Disabled	3.0.0
Use privileged identity management	CMA_0533 - Use privileged identity management	Manual, Disabled	1.1.0

1153.01c3System.35-01.c 01.02 Authorized Access to Information Systems

ID: 1153.01c3System.35-01.c Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Azure Role-Based Access Control (RBAC) should be used on Kubernetes Services	To provide granular filtering on the actions that users can perform, use Azure Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies.	Audit, Disabled	1.0.3
Require approval for account creation	CMA_0431 - Require approval for account creation	Manual, Disabled	1.1.0

1166.01e1System.12-01.e 01.02 Authorized Access to Information Systems

ID: 1166.01e1System.12-01.e Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Audit user account status	CMA_0020 - Audit user account status	Manual, Disabled	1.1.0
Initiate transfer or reassignment actions	CMA_0333 - Initiate transfer or reassignment actions	Manual, Disabled	1.1.0
Modify access authorizations upon personnel transfer	CMA_0374 - Modify access authorizations upon personnel transfer	Manual, Disabled	1.1.0
Notify Account Managers of customer controlled accounts	CMA_C1009 - Notify Account Managers of customer controlled accounts	Manual, Disabled	1.1.0
Notify upon termination or transfer	CMA_0381 - Notify upon termination or transfer	Manual, Disabled	1.1.0
Reevaluate access upon personnel transfer	CMA_0424 - Reevaluate access upon personnel transfer	Manual, Disabled	1.1.0
Review account provisioning logs	CMA_0460 - Review account provisioning logs	Manual, Disabled	1.1.0
Review user accounts	CMA_0480 - Review user accounts	Manual, Disabled	1.1.0

1167.01e2System.1-01.e 01.02 Authorized Access to Information Systems

ID: 1167.01e2System.1-01.e Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Assign system identifiers	CMA_0018 - Assign system identifiers	Manual, Disabled	1.1.0
Identify status of individual users	CMA_C1316 - Identify status of individual users	Manual, Disabled	1.1.0

1168.01e2System.2-01.e 01.02 Authorized Access to Information Systems

ID: 1168.01e2System.2-01.e Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Design an access control model	CMA_0129 - Design an access control model	Manual, Disabled	1.1.0
Employ least privilege access	CMA_0212 - Employ least privilege access	Manual, Disabled	1.1.0
Reassign or remove user privileges as needed	CMA_C1040 - Reassign or remove user privileges as needed	Manual, Disabled	1.1.0
Review user privileges	CMA_C1039 - Review user privileges	Manual, Disabled	1.1.0

1175.01j1Organizational.8-01.j 01.04 Network Access Control

ID: 1175.01j1Organizational.8-01.j Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Adopt biometric authentication mechanisms	CMA_0005 - Adopt biometric authentication mechanisms	Manual, Disabled	1.1.0
Enforce user uniqueness	CMA_0250 - Enforce user uniqueness	Manual, Disabled	1.1.0
Identify and authenticate network devices	CMA_0296 - Identify and authenticate network devices	Manual, Disabled	1.1.0
Management ports of virtual machines should be protected with just-in-time network access control	Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations	AuditIfNotExists, Disabled	3.0.0
Support personal verification credentials issued by legal authorities	CMA_0507 - Support personal verification credentials issued by legal authorities	Manual, Disabled	1.1.0

1178.01j2Organizational.7-01.j 01.04 Network Access Control

ID: 1178.01j2Organizational.7-01.j Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Accounts with read permissions on Azure resources should be MFA enabled	Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.	AuditIfNotExists, Disabled	1.0.0
Enforce user uniqueness	CMA_0250 - Enforce user uniqueness	Manual, Disabled	1.1.0
Require use of individual authenticators	CMA_C1305 - Require use of individual authenticators	Manual, Disabled	1.1.0
Support personal verification credentials issued by legal authorities	CMA_0507 - Support personal verification credentials issued by legal authorities	Manual, Disabled	1.1.0

1179.01j3Organizational.1-01.j 01.04 Network Access Control

ID: 1179.01j3Organizational.1-01.j Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Authorize remote access	CMA_0024 - Authorize remote access	Manual, Disabled	1.1.0
Document mobility training	CMA_0191 - Document mobility training	Manual, Disabled	1.1.0
Document remote access guidelines	CMA_0196 - Document remote access guidelines	Manual, Disabled	1.1.0
Implement controls to secure alternate work sites	CMA_0315 - Implement controls to secure alternate work sites	Manual, Disabled	1.1.0
Management ports of virtual machines should be protected with just-in-time network access control	Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations	AuditIfNotExists, Disabled	3.0.0
Monitor access across the organization	CMA_0376 - Monitor access across the organization	Manual, Disabled	1.1.0
Provide privacy training	CMA_0415 - Provide privacy training	Manual, Disabled	1.1.0

1192.01l1Organizational.1-01.l 01.04 Network Access Control

ID: 1192.01l1Organizational.1-01.l Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Control physical access	CMA_0081 - Control physical access	Manual, Disabled	1.1.0
Define a physical key management process	CMA_0115 - Define a physical key management process	Manual, Disabled	1.1.0
Establish and maintain an asset inventory	CMA_0266 - Establish and maintain an asset inventory	Manual, Disabled	1.1.0
Implement physical security for offices, working areas, and secure areas	CMA_0323 - Implement physical security for offices, working areas, and secure areas	Manual, Disabled	1.1.0
Management ports of virtual machines should be protected with just-in-time network access control	Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations	AuditIfNotExists, Disabled	3.0.0

1193.01l2Organizational.13-01.l 01.04 Network Access Control

ID: 1193.01l2Organizational.13-01.l Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Control physical access	CMA_0081 - Control physical access	Manual, Disabled	1.1.0
Define a physical key management process	CMA_0115 - Define a physical key management process	Manual, Disabled	1.1.0
Establish and maintain an asset inventory	CMA_0266 - Establish and maintain an asset inventory	Manual, Disabled	1.1.0
Implement physical security for offices, working areas, and secure areas	CMA_0323 - Implement physical security for offices, working areas, and secure areas	Manual, Disabled	1.1.0
Management ports should be closed on your virtual machines	Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.	AuditIfNotExists, Disabled	3.0.0

1194.01l2Organizational.2-01.l 01.04 Network Access Control

ID: 1194.01l2Organizational.2-01.l Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
App Service apps should have remote debugging turned off	Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off.	AuditIfNotExists, Disabled	2.0.0

1195.01l3Organizational.1-01.l 01.04 Network Access Control

ID: 1195.01l3Organizational.1-01.l Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Function apps should have remote debugging turned off	Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off.	AuditIfNotExists, Disabled	2.0.0

1197.01l3Organizational.3-01.l 01.04 Network Access Control

ID: 1197.01l3Organizational.3-01.l Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Adaptive application controls for defining safe applications should be enabled on your machines	Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.	AuditIfNotExists, Disabled	3.0.0

12 Audit Logging & Monitoring

1201.06e1Organizational.2-06.e 06.01 Compliance with Legal Requirements

ID: 1201.06e1Organizational.2-06.e Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Develop acceptable use policies and procedures	CMA_0143 - Develop acceptable use policies and procedures	Manual, Disabled	1.1.0
Develop organization code of conduct policy	CMA_0159 - Develop organization code of conduct policy	Manual, Disabled	1.1.0
Document personnel acceptance of privacy requirements	CMA_0193 - Document personnel acceptance of privacy requirements	Manual, Disabled	1.1.0
Enforce rules of behavior and access agreements	CMA_0248 - Enforce rules of behavior and access agreements	Manual, Disabled	1.1.0
Implement privacy notice delivery methods	CMA_0324 - Implement privacy notice delivery methods	Manual, Disabled	1.1.0
Obtain consent prior to collection or processing of personal data	CMA_0385 - Obtain consent prior to collection or processing of personal data	Manual, Disabled	1.1.0
Prohibit unfair practices	CMA_0396 - Prohibit unfair practices	Manual, Disabled	1.1.0
Provide privacy notice	CMA_0414 - Provide privacy notice	Manual, Disabled	1.1.0
Review and sign revised rules of behavior	CMA_0465 - Review and sign revised rules of behavior	Manual, Disabled	1.1.0
Update information security policies	CMA_0518 - Update information security policies	Manual, Disabled	1.1.0
Update rules of behavior and access agreements	CMA_0521 - Update rules of behavior and access agreements	Manual, Disabled	1.1.0
Update rules of behavior and access agreements every 3 years	CMA_0522 - Update rules of behavior and access agreements every 3 years	Manual, Disabled	1.1.0

1202.09aa1System.1-09.aa 09.10 Monitoring

ID: 1202.09aa1System.1-09.aa Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Configure Azure Audit capabilities	CMA_C1108 - Configure Azure Audit capabilities	Manual, Disabled	1.1.1
Determine auditable events	CMA_0137 - Determine auditable events	Manual, Disabled	1.1.0
Resource logs in Azure Data Lake Store should be enabled	Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised	AuditIfNotExists, Disabled	5.0.0
Review and update the events defined in AU-02	CMA_C1106 - Review and update the events defined in AU-02	Manual, Disabled	1.1.0
System updates on virtual machine scale sets should be installed	Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure.	AuditIfNotExists, Disabled	3.0.0

1203.09aa1System.2-09.aa 09.10 Monitoring

ID: 1203.09aa1System.2-09.aa Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Configure Azure Audit capabilities	CMA_C1108 - Configure Azure Audit capabilities	Manual, Disabled	1.1.1
Determine auditable events	CMA_0137 - Determine auditable events	Manual, Disabled	1.1.0
Resource logs in Logic Apps should be enabled	Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised	AuditIfNotExists, Disabled	5.1.0

1204.09aa1System.3-09.aa 09.10 Monitoring

ID: 1204.09aa1System.3-09.aa Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Configure Azure Audit capabilities	CMA_C1108 - Configure Azure Audit capabilities	Manual, Disabled	1.1.1
Determine auditable events	CMA_0137 - Determine auditable events	Manual, Disabled	1.1.0
Monitor account activity	CMA_0377 - Monitor account activity	Manual, Disabled	1.1.0
Resource logs in IoT Hub should be enabled	Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised	AuditIfNotExists, Disabled	3.1.0

1205.09aa2System.1-09.aa 09.10 Monitoring

ID: 1205.09aa2System.1-09.aa Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Configure Azure Audit capabilities	CMA_C1108 - Configure Azure Audit capabilities	Manual, Disabled	1.1.1
Determine auditable events	CMA_0137 - Determine auditable events	Manual, Disabled	1.1.0
Ensure audit records are not altered	CMA_C1125 - Ensure audit records are not altered	Manual, Disabled	1.1.0
Provide audit review, analysis, and reporting capability	CMA_C1124 - Provide audit review, analysis, and reporting capability	Manual, Disabled	1.1.0
Provide capability to process customer-controlled audit records	CMA_C1126 - Provide capability to process customer-controlled audit records	Manual, Disabled	1.1.0
Resource logs in Batch accounts should be enabled	Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised	AuditIfNotExists, Disabled	5.0.0

1206.09aa2System.23-09.aa 09.10 Monitoring

ID: 1206.09aa2System.23-09.aa Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Configure Azure Audit capabilities	CMA_C1108 - Configure Azure Audit capabilities	Manual, Disabled	1.1.1
Determine auditable events	CMA_0137 - Determine auditable events	Manual, Disabled	1.1.0
Employ automatic shutdown/restart when violations are detected	CMA_C1715 - Employ automatic shutdown/restart when violations are detected	Manual, Disabled	1.1.0
Prohibit binary/machine-executable code	CMA_C1717 - Prohibit binary/machine-executable code	Manual, Disabled	1.1.0
Verify software, firmware and information integrity	CMA_0542 - Verify software, firmware and information integrity	Manual, Disabled	1.1.0
View and configure system diagnostic data	CMA_0544 - View and configure system diagnostic data	Manual, Disabled	1.1.0

1207.09aa2System.4-09.aa 09.10 Monitoring

ID: 1207.09aa2System.4-09.aa Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Adhere to retention periods defined	CMA_0004 - Adhere to retention periods defined	Manual, Disabled	1.1.0
Audit privileged functions	CMA_0019 - Audit privileged functions	Manual, Disabled	1.1.0
Audit user account status	CMA_0020 - Audit user account status	Manual, Disabled	1.1.0
Configure Azure Audit capabilities	CMA_C1108 - Configure Azure Audit capabilities	Manual, Disabled	1.1.1
Determine auditable events	CMA_0137 - Determine auditable events	Manual, Disabled	1.1.0
Enable dual or joint authorization	CMA_0226 - Enable dual or joint authorization	Manual, Disabled	1.1.0
Govern and monitor audit processing activities	CMA_0289 - Govern and monitor audit processing activities	Manual, Disabled	1.1.0
Protect audit information	CMA_0401 - Protect audit information	Manual, Disabled	1.1.0
Resource logs in Azure Stream Analytics should be enabled	Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised	AuditIfNotExists, Disabled	5.0.0
Resource logs in Event Hub should be enabled	Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised	AuditIfNotExists, Disabled	5.0.0
Retain security policies and procedures	CMA_0454 - Retain security policies and procedures	Manual, Disabled	1.1.0
Retain terminated user data	CMA_0455 - Retain terminated user data	Manual, Disabled	1.1.0
Review audit data	CMA_0466 - Review audit data	Manual, Disabled	1.1.0

1208.09aa3System.1-09.aa 09.10 Monitoring

ID: 1208.09aa3System.1-09.aa Ownership: Shared

1209.09aa3System.2-09.aa 09.10 Monitoring

ID: 1209.09aa3System.2-09.aa Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
App Service apps should have resource logs enabled	Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised.	AuditIfNotExists, Disabled	2.0.1
Configure Azure Audit capabilities	CMA_C1108 - Configure Azure Audit capabilities	Manual, Disabled	1.1.1
Determine auditable events	CMA_0137 - Determine auditable events	Manual, Disabled	1.1.0

1210.09aa3System.3-09.aa 09.10 Monitoring

ID: 1210.09aa3System.3-09.aa Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Adhere to retention periods defined	CMA_0004 - Adhere to retention periods defined	Manual, Disabled	1.1.0
Audit diagnostic setting for selected resource types	Audit diagnostic setting for selected resource types. Be sure to select only resource types which support diagnostics settings.	AuditIfNotExists	2.0.1
Audit privileged functions	CMA_0019 - Audit privileged functions	Manual, Disabled	1.1.0
Audit user account status	CMA_0020 - Audit user account status	Manual, Disabled	1.1.0
Determine auditable events	CMA_0137 - Determine auditable events	Manual, Disabled	1.1.0
Resource logs in Data Lake Analytics should be enabled	Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised	AuditIfNotExists, Disabled	5.0.0
Retain security policies and procedures	CMA_0454 - Retain security policies and procedures	Manual, Disabled	1.1.0
Retain terminated user data	CMA_0455 - Retain terminated user data	Manual, Disabled	1.1.0
Review and update the events defined in AU-02	CMA_C1106 - Review and update the events defined in AU-02	Manual, Disabled	1.1.0
Review audit data	CMA_0466 - Review audit data	Manual, Disabled	1.1.0
Use system clocks for audit records	CMA_0535 - Use system clocks for audit records	Manual, Disabled	1.1.0

12100.09ab2System.15-09.ab 09.10 Monitoring

ID: 12100.09ab2System.15-09.ab Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Discover any indicators of compromise	CMA_C1702 - Discover any indicators of compromise	Manual, Disabled	1.1.0
Document wireless access security controls	CMA_C1695 - Document wireless access security controls	Manual, Disabled	1.1.0
Virtual machines should have the Log Analytics extension installed	This policy audits any Windows/Linux virtual machines if the Log Analytics extension is not installed.	AuditIfNotExists, Disabled	1.0.1

12101.09ab1Organizational.3-09.ab 09.10 Monitoring

ID: 12101.09ab1Organizational.3-09.ab Ownership: Shared

12102.09ab1Organizational.4-09.ab 09.10 Monitoring

ID: 12102.09ab1Organizational.4-09.ab Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Audit Windows machines on which the Log Analytics agent is not connected as expected	Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the agent is not installed, or if it is installed but the COM object AgentConfigManager.MgmtSvcCfg returns that it is registered to a workspace other than the ID specified in the policy parameter.	auditIfNotExists	2.0.0
Conduct incident response testing	CMA_0060 - Conduct incident response testing	Manual, Disabled	1.1.0
Develop POA&M	CMA_C1156 - Develop POA&M	Manual, Disabled	1.1.0
Establish an information security program	CMA_0263 - Establish an information security program	Manual, Disabled	1.1.0
Run simulation attacks	CMA_0486 - Run simulation attacks	Manual, Disabled	1.1.0
Select additional testing for security control assessments	CMA_C1149 - Select additional testing for security control assessments	Manual, Disabled	1.1.0
Update POA&M items	CMA_C1157 - Update POA&M items	Manual, Disabled	1.1.0

12103.09ab1Organizational.5-09.ab 09.10 Monitoring

ID: 12103.09ab1Organizational.5-09.ab Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Correlate audit records	CMA_0087 - Correlate audit records	Manual, Disabled	1.1.0
Establish requirements for audit review and reporting	CMA_0277 - Establish requirements for audit review and reporting	Manual, Disabled	1.1.0
Integrate audit review, analysis, and reporting	CMA_0339 - Integrate audit review, analysis, and reporting	Manual, Disabled	1.1.0
Integrate cloud app security with a siem	CMA_0340 - Integrate cloud app security with a siem	Manual, Disabled	1.1.0
Review account provisioning logs	CMA_0460 - Review account provisioning logs	Manual, Disabled	1.1.0
Review administrator assignments weekly	CMA_0461 - Review administrator assignments weekly	Manual, Disabled	1.1.0
Review audit data	CMA_0466 - Review audit data	Manual, Disabled	1.1.0
Review cloud identity report overview	CMA_0468 - Review cloud identity report overview	Manual, Disabled	1.1.0
Review controlled folder access events	CMA_0471 - Review controlled folder access events	Manual, Disabled	1.1.0
Review file and folder activity	CMA_0473 - Review file and folder activity	Manual, Disabled	1.1.0
Review role group changes weekly	CMA_0476 - Review role group changes weekly	Manual, Disabled	1.1.0

1211.09aa3System.4-09.aa 09.10 Monitoring

ID: 1211.09aa3System.4-09.aa Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Adhere to retention periods defined	CMA_0004 - Adhere to retention periods defined	Manual, Disabled	1.1.0
Auditing on SQL server should be enabled	Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log.	AuditIfNotExists, Disabled	2.0.0
Establish and document change control processes	CMA_0265 - Establish and document change control processes	Manual, Disabled	1.1.0
Establish configuration management requirements for developers	CMA_0270 - Establish configuration management requirements for developers	Manual, Disabled	1.1.0
Perform audit for configuration change control	CMA_0390 - Perform audit for configuration change control	Manual, Disabled	1.1.0
Perform disposition review	CMA_0391 - Perform disposition review	Manual, Disabled	1.1.0
Resource logs in Azure Key Vault Managed HSM should be enabled	To recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised, you may want to audit by enabling resource logs on Managed HSMs. Please follow the instructions here: https://docs.microsoft.com/azure/key-vault/managed-hsm/logging.	AuditIfNotExists, Disabled	1.1.0
Resource logs in Key Vault should be enabled	Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised	AuditIfNotExists, Disabled	5.0.0
Verify personal data is deleted at the end of processing	CMA_0540 - Verify personal data is deleted at the end of processing	Manual, Disabled	1.1.0

1212.09ab1System.1-09.ab 09.10 Monitoring

ID: 1212.09ab1System.1-09.ab Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action'	This policy ensures that a log profile collects logs for categories 'write,' 'delete,' and 'action'	AuditIfNotExists, Disabled	1.0.0
Obtain legal opinion for monitoring system activities	CMA_C1688 - Obtain legal opinion for monitoring system activities	Manual, Disabled	1.1.0
Provide monitoring information as needed	CMA_C1689 - Provide monitoring information as needed	Manual, Disabled	1.1.0

1213.09ab2System.128-09.ab 09.10 Monitoring

ID: 1213.09ab2System.128-09.ab Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Authorize, monitor, and control voip	CMA_0025 - Authorize, monitor, and control voip	Manual, Disabled	1.1.0
Auto provisioning of the Log Analytics agent should be enabled on your subscription	To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created.	AuditIfNotExists, Disabled	1.0.1
Route traffic through managed network access points	CMA_0484 - Route traffic through managed network access points	Manual, Disabled	1.1.0

1214.09ab2System.3456-09.ab 09.10 Monitoring

ID: 1214.09ab2System.3456-09.ab Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Audit privileged functions	CMA_0019 - Audit privileged functions	Manual, Disabled	1.1.0
Azure Monitor should collect activity logs from all regions	This policy audits the Azure Monitor log profile which does not export activities from all Azure supported regions including global.	AuditIfNotExists, Disabled	2.0.0
Conduct a full text analysis of logged privileged commands	CMA_0056 - Conduct a full text analysis of logged privileged commands	Manual, Disabled	1.1.0
Configure Azure Audit capabilities	CMA_C1108 - Configure Azure Audit capabilities	Manual, Disabled	1.1.1
Determine auditable events	CMA_0137 - Determine auditable events	Manual, Disabled	1.1.0
Monitor privileged role assignment	CMA_0378 - Monitor privileged role assignment	Manual, Disabled	1.1.0
Restrict access to privileged accounts	CMA_0446 - Restrict access to privileged accounts	Manual, Disabled	1.1.0
Revoke privileged roles as appropriate	CMA_0483 - Revoke privileged roles as appropriate	Manual, Disabled	1.1.0
Use privileged identity management	CMA_0533 - Use privileged identity management	Manual, Disabled	1.1.0

1215.09ab2System.7-09.ab 09.10 Monitoring

ID: 1215.09ab2System.7-09.ab Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Ensure audit records are not altered	CMA_C1125 - Ensure audit records are not altered	Manual, Disabled	1.1.0
Provide audit review, analysis, and reporting capability	CMA_C1124 - Provide audit review, analysis, and reporting capability	Manual, Disabled	1.1.0
Provide capability to process customer-controlled audit records	CMA_C1126 - Provide capability to process customer-controlled audit records	Manual, Disabled	1.1.0
Virtual machines should have the Log Analytics extension installed	This policy audits any Windows/Linux virtual machines if the Log Analytics extension is not installed.	AuditIfNotExists, Disabled	1.0.1

1216.09ab3System.12-09.ab 09.10 Monitoring

ID: 1216.09ab3System.12-09.ab Ownership: Shared

1217.09ab3System.3-09.ab 09.10 Monitoring

ID: 1217.09ab3System.3-09.ab Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Alert personnel of information spillage	CMA_0007 - Alert personnel of information spillage	Manual, Disabled	1.1.0
Audit Windows machines on which the Log Analytics agent is not connected as expected	Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the agent is not installed, or if it is installed but the COM object AgentConfigManager.MgmtSvcCfg returns that it is registered to a workspace other than the ID specified in the policy parameter.	auditIfNotExists	2.0.0
Develop an incident response plan	CMA_0145 - Develop an incident response plan	Manual, Disabled	1.1.0
Document wireless access security controls	CMA_C1695 - Document wireless access security controls	Manual, Disabled	1.1.0
Set automated notifications for new and trending cloud applications in your organization	CMA_0495 - Set automated notifications for new and trending cloud applications in your organization	Manual, Disabled	1.1.0

1218.09ab3System.47-09.ab 09.10 Monitoring

ID: 1218.09ab3System.47-09.ab Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Alert personnel of information spillage	CMA_0007 - Alert personnel of information spillage	Manual, Disabled	1.1.0
Authorize, monitor, and control voip	CMA_0025 - Authorize, monitor, and control voip	Manual, Disabled	1.1.0
Develop an incident response plan	CMA_0145 - Develop an incident response plan	Manual, Disabled	1.1.0
Document security operations	CMA_0202 - Document security operations	Manual, Disabled	1.1.0
Route traffic through managed network access points	CMA_0484 - Route traffic through managed network access points	Manual, Disabled	1.1.0
Set automated notifications for new and trending cloud applications in your organization	CMA_0495 - Set automated notifications for new and trending cloud applications in your organization	Manual, Disabled	1.1.0
Turn on sensors for endpoint security solution	CMA_0514 - Turn on sensors for endpoint security solution	Manual, Disabled	1.1.0

1219.09ab3System.10-09.ab 09.10 Monitoring

ID: 1219.09ab3System.10-09.ab Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action'	This policy ensures that a log profile collects logs for categories 'write,' 'delete,' and 'action'	AuditIfNotExists, Disabled	1.0.0
Ensure audit records are not altered	CMA_C1125 - Ensure audit records are not altered	Manual, Disabled	1.1.0
Provide audit review, analysis, and reporting capability	CMA_C1124 - Provide audit review, analysis, and reporting capability	Manual, Disabled	1.1.0
Provide capability to process customer-controlled audit records	CMA_C1126 - Provide capability to process customer-controlled audit records	Manual, Disabled	1.1.0

1220.09ab3System.56-09.ab 09.10 Monitoring

ID: 1220.09ab3System.56-09.ab Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Authorize, monitor, and control voip	CMA_0025 - Authorize, monitor, and control voip	Manual, Disabled	1.1.0
Auto provisioning of the Log Analytics agent should be enabled on your subscription	To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created.	AuditIfNotExists, Disabled	1.0.1
Route traffic through managed network access points	CMA_0484 - Route traffic through managed network access points	Manual, Disabled	1.1.0
Verify software, firmware and information integrity	CMA_0542 - Verify software, firmware and information integrity	Manual, Disabled	1.1.0
View and configure system diagnostic data	CMA_0544 - View and configure system diagnostic data	Manual, Disabled	1.1.0

1222.09ab3System.8-09.ab 09.10 Monitoring

ID: 1222.09ab3System.8-09.ab Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Alert personnel of information spillage	CMA_0007 - Alert personnel of information spillage	Manual, Disabled	1.1.0
Correlate audit records	CMA_0087 - Correlate audit records	Manual, Disabled	1.1.0
Develop an incident response plan	CMA_0145 - Develop an incident response plan	Manual, Disabled	1.1.0
Disseminate security alerts to personnel	CMA_C1705 - Disseminate security alerts to personnel	Manual, Disabled	1.1.0
Establish a threat intelligence program	CMA_0260 - Establish a threat intelligence program	Manual, Disabled	1.1.0
Generate internal security alerts	CMA_C1704 - Generate internal security alerts	Manual, Disabled	1.1.0
Implement security directives	CMA_C1706 - Implement security directives	Manual, Disabled	1.1.0
Integrate cloud app security with a siem	CMA_0340 - Integrate cloud app security with a siem	Manual, Disabled	1.1.0
Provide capability to process customer-controlled audit records	CMA_C1126 - Provide capability to process customer-controlled audit records	Manual, Disabled	1.1.0
Set automated notifications for new and trending cloud applications in your organization	CMA_0495 - Set automated notifications for new and trending cloud applications in your organization	Manual, Disabled	1.1.0

1229.09c1Organizational.1-09.c 09.01 Documented Operating Procedures

ID: 1229.09c1Organizational.1-09.c Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Azure Role-Based Access Control (RBAC) should be used on Kubernetes Services	To provide granular filtering on the actions that users can perform, use Azure Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies.	Audit, Disabled	1.0.3
Define access authorizations to support separation of duties	CMA_0116 - Define access authorizations to support separation of duties	Manual, Disabled	1.1.0
Document separation of duties	CMA_0204 - Document separation of duties	Manual, Disabled	1.1.0
Separate duties of individuals	CMA_0492 - Separate duties of individuals	Manual, Disabled	1.1.0

1230.09c2Organizational.1-09.c 09.01 Documented Operating Procedures

ID: 1230.09c2Organizational.1-09.c Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Audit privileged functions	CMA_0019 - Audit privileged functions	Manual, Disabled	1.1.0
Audit usage of custom RBAC roles	Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling	Audit, Disabled	1.0.1
Audit user account status	CMA_0020 - Audit user account status	Manual, Disabled	1.1.0
Authorize access to security functions and information	CMA_0022 - Authorize access to security functions and information	Manual, Disabled	1.1.0
Authorize and manage access	CMA_0023 - Authorize and manage access	Manual, Disabled	1.1.0
Configure Azure Audit capabilities	CMA_C1108 - Configure Azure Audit capabilities	Manual, Disabled	1.1.1
Determine auditable events	CMA_0137 - Determine auditable events	Manual, Disabled	1.1.0
Enforce logical access	CMA_0245 - Enforce logical access	Manual, Disabled	1.1.0
Enforce mandatory and discretionary access control policies	CMA_0246 - Enforce mandatory and discretionary access control policies	Manual, Disabled	1.1.0
Require approval for account creation	CMA_0431 - Require approval for account creation	Manual, Disabled	1.1.0
Review audit data	CMA_0466 - Review audit data	Manual, Disabled	1.1.0
Review user groups and applications with access to sensitive data	CMA_0481 - Review user groups and applications with access to sensitive data	Manual, Disabled	1.1.0
Separate duties of individuals	CMA_0492 - Separate duties of individuals	Manual, Disabled	1.1.0

1231.09c2Organizational.23-09.c 09.01 Documented Operating Procedures

ID: 1231.09c2Organizational.23-09.c Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Define access authorizations to support separation of duties	CMA_0116 - Define access authorizations to support separation of duties	Manual, Disabled	1.1.0
Document separation of duties	CMA_0204 - Document separation of duties	Manual, Disabled	1.1.0
Separate duties of individuals	CMA_0492 - Separate duties of individuals	Manual, Disabled	1.1.0

1232.09c3Organizational.12-09.c 09.01 Documented Operating Procedures

ID: 1232.09c3Organizational.12-09.c Ownership: Shared

1233.09c3Organizational.3-09.c 09.01 Documented Operating Procedures

ID: 1233.09c3Organizational.3-09.c Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Define access authorizations to support separation of duties	CMA_0116 - Define access authorizations to support separation of duties	Manual, Disabled	1.1.0
Document separation of duties	CMA_0204 - Document separation of duties	Manual, Disabled	1.1.0
Separate duties of individuals	CMA_0492 - Separate duties of individuals	Manual, Disabled	1.1.0

1270.09ad1System.12-09.ad 09.10 Monitoring

ID: 1270.09ad1System.12-09.ad Ownership: Shared

1271.09ad1System.1-09.ad 09.10 Monitoring

ID: 1271.09ad1System.1-09.ad Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
An activity log alert should exist for specific Administrative operations	This policy audits specific Administrative operations with no activity log alerts configured.	AuditIfNotExists, Disabled	1.0.0
Define access authorizations to support separation of duties	CMA_0116 - Define access authorizations to support separation of duties	Manual, Disabled	1.1.0
Design an access control model	CMA_0129 - Design an access control model	Manual, Disabled	1.1.0
Document separation of duties	CMA_0204 - Document separation of duties	Manual, Disabled	1.1.0
Employ least privilege access	CMA_0212 - Employ least privilege access	Manual, Disabled	1.1.0
Protect audit information	CMA_0401 - Protect audit information	Manual, Disabled	1.1.0
Require approval for account creation	CMA_0431 - Require approval for account creation	Manual, Disabled	1.1.0
Separate duties of individuals	CMA_0492 - Separate duties of individuals	Manual, Disabled	1.1.0

1271.09ad2System.1 09.10 Monitoring

ID: 1271.09ad2System.1 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Define access authorizations to support separation of duties	CMA_0116 - Define access authorizations to support separation of duties	Manual, Disabled	1.1.0
Design an access control model	CMA_0129 - Design an access control model	Manual, Disabled	1.1.0
Document separation of duties	CMA_0204 - Document separation of duties	Manual, Disabled	1.1.0
Employ least privilege access	CMA_0212 - Employ least privilege access	Manual, Disabled	1.1.0
Protect audit information	CMA_0401 - Protect audit information	Manual, Disabled	1.1.0
Require approval for account creation	CMA_0431 - Require approval for account creation	Manual, Disabled	1.1.0
Separate duties of individuals	CMA_0492 - Separate duties of individuals	Manual, Disabled	1.1.0

1276.09c2Organizational.2-09.c 09.01 Documented Operating Procedures

ID: 1276.09c2Organizational.2-09.c Ownership: Shared

1277.09c2Organizational.4-09.c 09.01 Documented Operating Procedures

ID: 1277.09c2Organizational.4-09.c Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Define access authorizations to support separation of duties	CMA_0116 - Define access authorizations to support separation of duties	Manual, Disabled	1.1.0
Document separation of duties	CMA_0204 - Document separation of duties	Manual, Disabled	1.1.0
Separate duties of individuals	CMA_0492 - Separate duties of individuals	Manual, Disabled	1.1.0
Windows machines should meet requirements for 'Security Options - User Account Control'	Windows machines should have the specified Group Policy settings in the category 'Security Options - User Account Control' for mode for admins, behavior of elevation prompt, and virtualizing file and registry write failures. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.	AuditIfNotExists, Disabled	3.0.0

1278.09c2Organizational.56-09.c 09.01 Documented Operating Procedures

ID: 1278.09c2Organizational.56-09.c Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Define access authorizations to support separation of duties	CMA_0116 - Define access authorizations to support separation of duties	Manual, Disabled	1.1.0
Document separation of duties	CMA_0204 - Document separation of duties	Manual, Disabled	1.1.0
Separate duties of individuals	CMA_0492 - Separate duties of individuals	Manual, Disabled	1.1.0

1279.09c3Organizational.4-09.c 09.01 Documented Operating Procedures

ID: 1279.09c3Organizational.4-09.c Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Define access authorizations to support separation of duties	CMA_0116 - Define access authorizations to support separation of duties	Manual, Disabled	1.1.0
Document separation of duties	CMA_0204 - Document separation of duties	Manual, Disabled	1.1.0
Separate duties of individuals	CMA_0492 - Separate duties of individuals	Manual, Disabled	1.1.0

13 Education, Training and Awareness

1301.02e1Organizational.12-02.e 02.03 During Employment

ID: 1301.02e1Organizational.12-02.e Ownership: Shared

1302.02e2Organizational.134-02.e 02.03 During Employment

ID: 1302.02e2Organizational.134-02.e Ownership: Shared

1303.02e2Organizational.2-02.e 02.03 During Employment

ID: 1303.02e2Organizational.2-02.e Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Develop acceptable use policies and procedures	CMA_0143 - Develop acceptable use policies and procedures	Manual, Disabled	1.1.0
Develop organization code of conduct policy	CMA_0159 - Develop organization code of conduct policy	Manual, Disabled	1.1.0
Document personnel acceptance of privacy requirements	CMA_0193 - Document personnel acceptance of privacy requirements	Manual, Disabled	1.1.0
Enforce rules of behavior and access agreements	CMA_0248 - Enforce rules of behavior and access agreements	Manual, Disabled	1.1.0
Prohibit unfair practices	CMA_0396 - Prohibit unfair practices	Manual, Disabled	1.1.0
Review and sign revised rules of behavior	CMA_0465 - Review and sign revised rules of behavior	Manual, Disabled	1.1.0
Update rules of behavior and access agreements	CMA_0521 - Update rules of behavior and access agreements	Manual, Disabled	1.1.0
Update rules of behavior and access agreements every 3 years	CMA_0522 - Update rules of behavior and access agreements every 3 years	Manual, Disabled	1.1.0

1304.02e3Organizational.1-02.e 02.03 During Employment

ID: 1304.02e3Organizational.1-02.e Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Provide contingency training	CMA_0412 - Provide contingency training	Manual, Disabled	1.1.0
Provide information spillage training	CMA_0413 - Provide information spillage training	Manual, Disabled	1.1.0
Provide periodic role-based security training	CMA_C1095 - Provide periodic role-based security training	Manual, Disabled	1.1.0
Provide privacy training	CMA_0415 - Provide privacy training	Manual, Disabled	1.1.0
Provide role-based security training	CMA_C1094 - Provide role-based security training	Manual, Disabled	1.1.0
Provide security training before providing access	CMA_0418 - Provide security training before providing access	Manual, Disabled	1.1.0
Provide security training for new users	CMA_0419 - Provide security training for new users	Manual, Disabled	1.1.0
Require developers to provide training	CMA_C1611 - Require developers to provide training	Manual, Disabled	1.1.0
Train personnel on disclosure of nonpublic information	CMA_C1084 - Train personnel on disclosure of nonpublic information	Manual, Disabled	1.1.0

1305.02e3Organizational.23-02.e 02.03 During Employment

ID: 1305.02e3Organizational.23-02.e Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Document security and privacy training activities	CMA_0198 - Document security and privacy training activities	Manual, Disabled	1.1.0
Monitor security and privacy training completion	CMA_0379 - Monitor security and privacy training completion	Manual, Disabled	1.1.0
Retain training records	CMA_0456 - Retain training records	Manual, Disabled	1.1.0

1306.06e1Organizational.5-06.e 06.01 Compliance with Legal Requirements

ID: 1306.06e1Organizational.5-06.e Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Develop acceptable use policies and procedures	CMA_0143 - Develop acceptable use policies and procedures	Manual, Disabled	1.1.0
Develop organization code of conduct policy	CMA_0159 - Develop organization code of conduct policy	Manual, Disabled	1.1.0
Document personnel acceptance of privacy requirements	CMA_0193 - Document personnel acceptance of privacy requirements	Manual, Disabled	1.1.0
Enforce rules of behavior and access agreements	CMA_0248 - Enforce rules of behavior and access agreements	Manual, Disabled	1.1.0
Implement formal sanctions process	CMA_0317 - Implement formal sanctions process	Manual, Disabled	1.1.0
Notify personnel upon sanctions	CMA_0380 - Notify personnel upon sanctions	Manual, Disabled	1.1.0
Prohibit unfair practices	CMA_0396 - Prohibit unfair practices	Manual, Disabled	1.1.0
Review and sign revised rules of behavior	CMA_0465 - Review and sign revised rules of behavior	Manual, Disabled	1.1.0
Update information security policies	CMA_0518 - Update information security policies	Manual, Disabled	1.1.0
Update rules of behavior and access agreements	CMA_0521 - Update rules of behavior and access agreements	Manual, Disabled	1.1.0
Update rules of behavior and access agreements every 3 years	CMA_0522 - Update rules of behavior and access agreements every 3 years	Manual, Disabled	1.1.0

1307.07c1Organizational.124-07.c 07.01 Responsibility for Assets

ID: 1307.07c1Organizational.124-07.c Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Develop acceptable use policies and procedures	CMA_0143 - Develop acceptable use policies and procedures	Manual, Disabled	1.1.0
Develop organization code of conduct policy	CMA_0159 - Develop organization code of conduct policy	Manual, Disabled	1.1.0
Document personnel acceptance of privacy requirements	CMA_0193 - Document personnel acceptance of privacy requirements	Manual, Disabled	1.1.0
Enforce rules of behavior and access agreements	CMA_0248 - Enforce rules of behavior and access agreements	Manual, Disabled	1.1.0
Prohibit unfair practices	CMA_0396 - Prohibit unfair practices	Manual, Disabled	1.1.0
Review and sign revised rules of behavior	CMA_0465 - Review and sign revised rules of behavior	Manual, Disabled	1.1.0
Update information security policies	CMA_0518 - Update information security policies	Manual, Disabled	1.1.0
Update rules of behavior and access agreements	CMA_0521 - Update rules of behavior and access agreements	Manual, Disabled	1.1.0
Update rules of behavior and access agreements every 3 years	CMA_0522 - Update rules of behavior and access agreements every 3 years	Manual, Disabled	1.1.0

1308.09j1Organizational.5-09.j 09.04 Protection Against Malicious and Mobile Code

ID: 1308.09j1Organizational.5-09.j Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Develop acceptable use policies and procedures	CMA_0143 - Develop acceptable use policies and procedures	Manual, Disabled	1.1.0
Develop organization code of conduct policy	CMA_0159 - Develop organization code of conduct policy	Manual, Disabled	1.1.0
Document personnel acceptance of privacy requirements	CMA_0193 - Document personnel acceptance of privacy requirements	Manual, Disabled	1.1.0
Enforce rules of behavior and access agreements	CMA_0248 - Enforce rules of behavior and access agreements	Manual, Disabled	1.1.0
Prohibit unfair practices	CMA_0396 - Prohibit unfair practices	Manual, Disabled	1.1.0
Provide periodic security awareness training	CMA_C1091 - Provide periodic security awareness training	Manual, Disabled	1.1.0
Provide security training for new users	CMA_0419 - Provide security training for new users	Manual, Disabled	1.1.0
Provide updated security awareness training	CMA_C1090 - Provide updated security awareness training	Manual, Disabled	1.1.0
Review and sign revised rules of behavior	CMA_0465 - Review and sign revised rules of behavior	Manual, Disabled	1.1.0
Review threat protection status weekly	CMA_0479 - Review threat protection status weekly	Manual, Disabled	1.1.0
Update rules of behavior and access agreements	CMA_0521 - Update rules of behavior and access agreements	Manual, Disabled	1.1.0
Update rules of behavior and access agreements every 3 years	CMA_0522 - Update rules of behavior and access agreements every 3 years	Manual, Disabled	1.1.0

1309.01x1System.36-01.x 01.07 Mobile Computing and Teleworking

ID: 1309.01x1System.36-01.x Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Provide periodic role-based security training	CMA_C1095 - Provide periodic role-based security training	Manual, Disabled	1.1.0
Provide periodic security awareness training	CMA_C1091 - Provide periodic security awareness training	Manual, Disabled	1.1.0
Provide role-based security training	CMA_C1094 - Provide role-based security training	Manual, Disabled	1.1.0
Provide security training before providing access	CMA_0418 - Provide security training before providing access	Manual, Disabled	1.1.0
Provide security training for new users	CMA_0419 - Provide security training for new users	Manual, Disabled	1.1.0
Provide updated security awareness training	CMA_C1090 - Provide updated security awareness training	Manual, Disabled	1.1.0

1310.01y1Organizational.9-01.y 01.07 Mobile Computing and Teleworking

ID: 1310.01y1Organizational.9-01.y Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Provide periodic role-based security training	CMA_C1095 - Provide periodic role-based security training	Manual, Disabled	1.1.0
Provide periodic security awareness training	CMA_C1091 - Provide periodic security awareness training	Manual, Disabled	1.1.0
Provide privacy training	CMA_0415 - Provide privacy training	Manual, Disabled	1.1.0
Provide role-based practical exercises	CMA_C1096 - Provide role-based practical exercises	Manual, Disabled	1.1.0
Provide role-based security training	CMA_C1094 - Provide role-based security training	Manual, Disabled	1.1.0
Provide role-based training on suspicious activities	CMA_C1097 - Provide role-based training on suspicious activities	Manual, Disabled	1.1.0
Provide security awareness training for insider threats	CMA_0417 - Provide security awareness training for insider threats	Manual, Disabled	1.1.0
Provide security training before providing access	CMA_0418 - Provide security training before providing access	Manual, Disabled	1.1.0
Provide security training for new users	CMA_0419 - Provide security training for new users	Manual, Disabled	1.1.0
Provide updated security awareness training	CMA_C1090 - Provide updated security awareness training	Manual, Disabled	1.1.0

1311.12c2Organizational.3-12.c 12.01 Information Security Aspects of Business Continuity Management

ID: 1311.12c2Organizational.3-12.c Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Incorporate simulated contingency training	CMA_C1260 - Incorporate simulated contingency training	Manual, Disabled	1.1.0
Provide contingency training	CMA_0412 - Provide contingency training	Manual, Disabled	1.1.0
Provide information spillage training	CMA_0413 - Provide information spillage training	Manual, Disabled	1.1.0

1313.02e1Organizational.3-02.e 02.03 During Employment

ID: 1313.02e1Organizational.3-02.e Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Provide contingency training	CMA_0412 - Provide contingency training	Manual, Disabled	1.1.0
Provide information spillage training	CMA_0413 - Provide information spillage training	Manual, Disabled	1.1.0
Provide periodic role-based security training	CMA_C1095 - Provide periodic role-based security training	Manual, Disabled	1.1.0

1314.02e2Organizational.5-02.e 02.03 During Employment

ID: 1314.02e2Organizational.5-02.e Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Document security and privacy training activities	CMA_0198 - Document security and privacy training activities	Manual, Disabled	1.1.0
Establish a risk management strategy	CMA_0258 - Establish a risk management strategy	Manual, Disabled	1.1.0
Perform a risk assessment	CMA_0388 - Perform a risk assessment	Manual, Disabled	1.1.0
Provide privacy training	CMA_0415 - Provide privacy training	Manual, Disabled	1.1.0

1315.02e2Organizational.67-02.e 02.03 During Employment

ID: 1315.02e2Organizational.67-02.e Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Provide periodic role-based security training	CMA_C1095 - Provide periodic role-based security training	Manual, Disabled	1.1.0
Provide periodic security awareness training	CMA_C1091 - Provide periodic security awareness training	Manual, Disabled	1.1.0
Provide privacy training	CMA_0415 - Provide privacy training	Manual, Disabled	1.1.0
Provide role-based security training	CMA_C1094 - Provide role-based security training	Manual, Disabled	1.1.0
Provide security training before providing access	CMA_0418 - Provide security training before providing access	Manual, Disabled	1.1.0
Provide security training for new users	CMA_0419 - Provide security training for new users	Manual, Disabled	1.1.0

1324.07c1Organizational.3-07.c 07.01 Responsibility for Assets

ID: 1324.07c1Organizational.3-07.c Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Develop organization code of conduct policy	CMA_0159 - Develop organization code of conduct policy	Manual, Disabled	1.1.0
Document personnel acceptance of privacy requirements	CMA_0193 - Document personnel acceptance of privacy requirements	Manual, Disabled	1.1.0
Document security and privacy training activities	CMA_0198 - Document security and privacy training activities	Manual, Disabled	1.1.0
Prohibit unfair practices	CMA_0396 - Prohibit unfair practices	Manual, Disabled	1.1.0
Provide periodic role-based security training	CMA_C1095 - Provide periodic role-based security training	Manual, Disabled	1.1.0
Review and sign revised rules of behavior	CMA_0465 - Review and sign revised rules of behavior	Manual, Disabled	1.1.0
Update rules of behavior and access agreements	CMA_0521 - Update rules of behavior and access agreements	Manual, Disabled	1.1.0
Update rules of behavior and access agreements every 3 years	CMA_0522 - Update rules of behavior and access agreements every 3 years	Manual, Disabled	1.1.0

1325.09s1Organizational.3-09.s 09.08 Exchange of Information

ID: 1325.09s1Organizational.3-09.s Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Develop organization code of conduct policy	CMA_0159 - Develop organization code of conduct policy	Manual, Disabled	1.1.0
Document personnel acceptance of privacy requirements	CMA_0193 - Document personnel acceptance of privacy requirements	Manual, Disabled	1.1.0
Function apps should have remote debugging turned off	Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off.	AuditIfNotExists, Disabled	2.0.0
Prohibit unfair practices	CMA_0396 - Prohibit unfair practices	Manual, Disabled	1.1.0
Provide periodic security awareness training	CMA_C1091 - Provide periodic security awareness training	Manual, Disabled	1.1.0
Provide privacy training	CMA_0415 - Provide privacy training	Manual, Disabled	1.1.0
Provide security training for new users	CMA_0419 - Provide security training for new users	Manual, Disabled	1.1.0
Provide updated security awareness training	CMA_C1090 - Provide updated security awareness training	Manual, Disabled	1.1.0
Review and sign revised rules of behavior	CMA_0465 - Review and sign revised rules of behavior	Manual, Disabled	1.1.0
Update rules of behavior and access agreements	CMA_0521 - Update rules of behavior and access agreements	Manual, Disabled	1.1.0
Update rules of behavior and access agreements every 3 years	CMA_0522 - Update rules of behavior and access agreements every 3 years	Manual, Disabled	1.1.0

1327.02e2Organizational.8-02.e 02.03 During Employment

ID: 1327.02e2Organizational.8-02.e Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Document security and privacy training activities	CMA_0198 - Document security and privacy training activities	Manual, Disabled	1.1.0
Provide periodic security awareness training	CMA_C1091 - Provide periodic security awareness training	Manual, Disabled	1.1.0
Provide security awareness training for insider threats	CMA_0417 - Provide security awareness training for insider threats	Manual, Disabled	1.1.0
Provide security training for new users	CMA_0419 - Provide security training for new users	Manual, Disabled	1.1.0
Provide updated security awareness training	CMA_C1090 - Provide updated security awareness training	Manual, Disabled	1.1.0

1331.02e3Organizational.4-02.e 02.03 During Employment

ID: 1331.02e3Organizational.4-02.e Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Conduct incident response testing	CMA_0060 - Conduct incident response testing	Manual, Disabled	1.1.0
Establish an information security program	CMA_0263 - Establish an information security program	Manual, Disabled	1.1.0
Incorporate simulated events into incident response training	CMA_C1356 - Incorporate simulated events into incident response training	Manual, Disabled	1.1.0
Install an alarm system	CMA_0338 - Install an alarm system	Manual, Disabled	1.1.0
Manage a secure surveillance camera system	CMA_0354 - Manage a secure surveillance camera system	Manual, Disabled	1.1.0
Run simulation attacks	CMA_0486 - Run simulation attacks	Manual, Disabled	1.1.0

1334.02e2Organizational.12-02.e 02.03 During Employment

ID: 1334.02e2Organizational.12-02.e Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Document security and privacy training activities	CMA_0198 - Document security and privacy training activities	Manual, Disabled	1.1.0
Provide periodic security awareness training	CMA_C1091 - Provide periodic security awareness training	Manual, Disabled	1.1.0
Provide security training for new users	CMA_0419 - Provide security training for new users	Manual, Disabled	1.1.0
Provide updated security awareness training	CMA_C1090 - Provide updated security awareness training	Manual, Disabled	1.1.0

1336.02e1Organizational.5-02.e 02.03 During Employment

ID: 1336.02e1Organizational.5-02.e Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Provide periodic role-based security training	CMA_C1095 - Provide periodic role-based security training	Manual, Disabled	1.1.0
Provide periodic security awareness training	CMA_C1091 - Provide periodic security awareness training	Manual, Disabled	1.1.0
Provide role-based practical exercises	CMA_C1096 - Provide role-based practical exercises	Manual, Disabled	1.1.0
Provide role-based training on suspicious activities	CMA_C1097 - Provide role-based training on suspicious activities	Manual, Disabled	1.1.0
Provide security awareness training for insider threats	CMA_0417 - Provide security awareness training for insider threats	Manual, Disabled	1.1.0
Provide security training before providing access	CMA_0418 - Provide security training before providing access	Manual, Disabled	1.1.0
Provide updated security awareness training	CMA_C1090 - Provide updated security awareness training	Manual, Disabled	1.1.0

14 Third Party Assurance

1404.05i2Organizational.1-05.i 05.02 External Parties

ID: 1404.05i2Organizational.1-05.i Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Review and update system and services acquisition policies and procedures	CMA_C1560 - Review and update system and services acquisition policies and procedures	Manual, Disabled	1.1.0

1406.05k1Organizational.110-05.k 05.02 External Parties

ID: 1406.05k1Organizational.110-05.k Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Determine supplier contract obligations	CMA_0140 - Determine supplier contract obligations	Manual, Disabled	1.1.0
Document acquisition contract acceptance criteria	CMA_0187 - Document acquisition contract acceptance criteria	Manual, Disabled	1.1.0
Document protection of personal data in acquisition contracts	CMA_0194 - Document protection of personal data in acquisition contracts	Manual, Disabled	1.1.0
Document protection of security information in acquisition contracts	CMA_0195 - Document protection of security information in acquisition contracts	Manual, Disabled	1.1.0
Document requirements for the use of shared data in contracts	CMA_0197 - Document requirements for the use of shared data in contracts	Manual, Disabled	1.1.0
Document security assurance requirements in acquisition contracts	CMA_0199 - Document security assurance requirements in acquisition contracts	Manual, Disabled	1.1.0
Document security documentation requirements in acquisition contract	CMA_0200 - Document security documentation requirements in acquisition contract	Manual, Disabled	1.1.0
Document security functional requirements in acquisition contracts	CMA_0201 - Document security functional requirements in acquisition contracts	Manual, Disabled	1.1.0
Document security strength requirements in acquisition contracts	CMA_0203 - Document security strength requirements in acquisition contracts	Manual, Disabled	1.1.0
Document the information system environment in acquisition contracts	CMA_0205 - Document the information system environment in acquisition contracts	Manual, Disabled	1.1.0
Document the protection of cardholder data in third party contracts	CMA_0207 - Document the protection of cardholder data in third party contracts	Manual, Disabled	1.1.0

1407.05k2Organizational.1-05.k 05.02 External Parties

ID: 1407.05k2Organizational.1-05.k Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Document third-party personnel security requirements	CMA_C1531 - Document third-party personnel security requirements	Manual, Disabled	1.1.0
Establish third-party personnel security requirements	CMA_C1529 - Establish third-party personnel security requirements	Manual, Disabled	1.1.0
Monitor third-party provider compliance	CMA_C1533 - Monitor third-party provider compliance	Manual, Disabled	1.1.0
Require notification of third-party personnel transfer or termination	CMA_C1532 - Require notification of third-party personnel transfer or termination	Manual, Disabled	1.1.0
Require third-party providers to comply with personnel security policies and procedures	CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures	Manual, Disabled	1.1.0

1408.09e1System.1-09.e 09.02 Control Third Party Service Delivery

ID: 1408.09e1System.1-09.e Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Define and document government oversight	CMA_C1587 - Define and document government oversight	Manual, Disabled	1.1.0
Require external service providers to comply with security requirements	CMA_C1586 - Require external service providers to comply with security requirements	Manual, Disabled	1.1.0
Require interconnection security agreements	CMA_C1151 - Require interconnection security agreements	Manual, Disabled	1.1.0
Review cloud service provider's compliance with policies and agreements	CMA_0469 - Review cloud service provider's compliance with policies and agreements	Manual, Disabled	1.1.0
Undergo independent security review	CMA_0515 - Undergo independent security review	Manual, Disabled	1.1.0
Update interconnection security agreements	CMA_0519 - Update interconnection security agreements	Manual, Disabled	1.1.0

1409.09e2System.1-09.e 09.02 Control Third Party Service Delivery

ID: 1409.09e2System.1-09.e Ownership: Shared

1410.09e2System.23-09.e 09.02 Control Third Party Service Delivery

ID: 1410.09e2System.23-09.e Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Determine supplier contract obligations	CMA_0140 - Determine supplier contract obligations	Manual, Disabled	1.1.0
Document acquisition contract acceptance criteria	CMA_0187 - Document acquisition contract acceptance criteria	Manual, Disabled	1.1.0
Document protection of personal data in acquisition contracts	CMA_0194 - Document protection of personal data in acquisition contracts	Manual, Disabled	1.1.0
Document protection of security information in acquisition contracts	CMA_0195 - Document protection of security information in acquisition contracts	Manual, Disabled	1.1.0
Document requirements for the use of shared data in contracts	CMA_0197 - Document requirements for the use of shared data in contracts	Manual, Disabled	1.1.0
Document security assurance requirements in acquisition contracts	CMA_0199 - Document security assurance requirements in acquisition contracts	Manual, Disabled	1.1.0
Document security documentation requirements in acquisition contract	CMA_0200 - Document security documentation requirements in acquisition contract	Manual, Disabled	1.1.0
Document security functional requirements in acquisition contracts	CMA_0201 - Document security functional requirements in acquisition contracts	Manual, Disabled	1.1.0
Document security strength requirements in acquisition contracts	CMA_0203 - Document security strength requirements in acquisition contracts	Manual, Disabled	1.1.0
Document the information system environment in acquisition contracts	CMA_0205 - Document the information system environment in acquisition contracts	Manual, Disabled	1.1.0
Document the protection of cardholder data in third party contracts	CMA_0207 - Document the protection of cardholder data in third party contracts	Manual, Disabled	1.1.0

1411.09f1System.1-09.f 09.02 Control Third Party Service Delivery

ID: 1411.09f1System.1-09.f Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Authorize, monitor, and control voip	CMA_0025 - Authorize, monitor, and control voip	Manual, Disabled	1.1.0
Detect network services that have not been authorized or approved	CMA_C1700 - Detect network services that have not been authorized or approved	Manual, Disabled	1.1.0
Disseminate security alerts to personnel	CMA_C1705 - Disseminate security alerts to personnel	Manual, Disabled	1.1.0
Document wireless access security controls	CMA_C1695 - Document wireless access security controls	Manual, Disabled	1.1.0
Establish a threat intelligence program	CMA_0260 - Establish a threat intelligence program	Manual, Disabled	1.1.0
Require external service providers to comply with security requirements	CMA_C1586 - Require external service providers to comply with security requirements	Manual, Disabled	1.1.0
Review cloud service provider's compliance with policies and agreements	CMA_0469 - Review cloud service provider's compliance with policies and agreements	Manual, Disabled	1.1.0
Route traffic through managed network access points	CMA_0484 - Route traffic through managed network access points	Manual, Disabled	1.1.0
Undergo independent security review	CMA_0515 - Undergo independent security review	Manual, Disabled	1.1.0

1416.10l1Organizational.1-10.l 10.05 Security In Development and Support Processes

ID: 1416.10l1Organizational.1-10.l Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Determine supplier contract obligations	CMA_0140 - Determine supplier contract obligations	Manual, Disabled	1.1.0
Document acquisition contract acceptance criteria	CMA_0187 - Document acquisition contract acceptance criteria	Manual, Disabled	1.1.0
Document protection of personal data in acquisition contracts	CMA_0194 - Document protection of personal data in acquisition contracts	Manual, Disabled	1.1.0
Document protection of security information in acquisition contracts	CMA_0195 - Document protection of security information in acquisition contracts	Manual, Disabled	1.1.0
Document requirements for the use of shared data in contracts	CMA_0197 - Document requirements for the use of shared data in contracts	Manual, Disabled	1.1.0
Document security assurance requirements in acquisition contracts	CMA_0199 - Document security assurance requirements in acquisition contracts	Manual, Disabled	1.1.0
Document security documentation requirements in acquisition contract	CMA_0200 - Document security documentation requirements in acquisition contract	Manual, Disabled	1.1.0
Document security functional requirements in acquisition contracts	CMA_0201 - Document security functional requirements in acquisition contracts	Manual, Disabled	1.1.0
Document security strength requirements in acquisition contracts	CMA_0203 - Document security strength requirements in acquisition contracts	Manual, Disabled	1.1.0
Document the information system environment in acquisition contracts	CMA_0205 - Document the information system environment in acquisition contracts	Manual, Disabled	1.1.0
Document the protection of cardholder data in third party contracts	CMA_0207 - Document the protection of cardholder data in third party contracts	Manual, Disabled	1.1.0

1417.10l2Organizational.1-10.l 10.05 Security In Development and Support Processes

ID: 1417.10l2Organizational.1-10.l Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Determine supplier contract obligations	CMA_0140 - Determine supplier contract obligations	Manual, Disabled	1.1.0
Document acquisition contract acceptance criteria	CMA_0187 - Document acquisition contract acceptance criteria	Manual, Disabled	1.1.0
Document protection of personal data in acquisition contracts	CMA_0194 - Document protection of personal data in acquisition contracts	Manual, Disabled	1.1.0
Document protection of security information in acquisition contracts	CMA_0195 - Document protection of security information in acquisition contracts	Manual, Disabled	1.1.0
Document requirements for the use of shared data in contracts	CMA_0197 - Document requirements for the use of shared data in contracts	Manual, Disabled	1.1.0
Document security assurance requirements in acquisition contracts	CMA_0199 - Document security assurance requirements in acquisition contracts	Manual, Disabled	1.1.0
Document security documentation requirements in acquisition contract	CMA_0200 - Document security documentation requirements in acquisition contract	Manual, Disabled	1.1.0
Document security functional requirements in acquisition contracts	CMA_0201 - Document security functional requirements in acquisition contracts	Manual, Disabled	1.1.0
Document security strength requirements in acquisition contracts	CMA_0203 - Document security strength requirements in acquisition contracts	Manual, Disabled	1.1.0
Document the information system environment in acquisition contracts	CMA_0205 - Document the information system environment in acquisition contracts	Manual, Disabled	1.1.0
Document the protection of cardholder data in third party contracts	CMA_0207 - Document the protection of cardholder data in third party contracts	Manual, Disabled	1.1.0
Require developers to produce evidence of security assessment plan execution	CMA_C1602 - Require developers to produce evidence of security assessment plan execution	Manual, Disabled	1.1.0

1419.05j1Organizational.12-05.j 05.02 External Parties

ID: 1419.05j1Organizational.12-05.j Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Determine supplier contract obligations	CMA_0140 - Determine supplier contract obligations	Manual, Disabled	1.1.0
Document acquisition contract acceptance criteria	CMA_0187 - Document acquisition contract acceptance criteria	Manual, Disabled	1.1.0
Document protection of personal data in acquisition contracts	CMA_0194 - Document protection of personal data in acquisition contracts	Manual, Disabled	1.1.0
Document protection of security information in acquisition contracts	CMA_0195 - Document protection of security information in acquisition contracts	Manual, Disabled	1.1.0
Document requirements for the use of shared data in contracts	CMA_0197 - Document requirements for the use of shared data in contracts	Manual, Disabled	1.1.0
Document security assurance requirements in acquisition contracts	CMA_0199 - Document security assurance requirements in acquisition contracts	Manual, Disabled	1.1.0
Document security documentation requirements in acquisition contract	CMA_0200 - Document security documentation requirements in acquisition contract	Manual, Disabled	1.1.0
Document security functional requirements in acquisition contracts	CMA_0201 - Document security functional requirements in acquisition contracts	Manual, Disabled	1.1.0
Document security strength requirements in acquisition contracts	CMA_0203 - Document security strength requirements in acquisition contracts	Manual, Disabled	1.1.0
Document the information system environment in acquisition contracts	CMA_0205 - Document the information system environment in acquisition contracts	Manual, Disabled	1.1.0
Document the protection of cardholder data in third party contracts	CMA_0207 - Document the protection of cardholder data in third party contracts	Manual, Disabled	1.1.0

1421.05j2Organizational.12-05.j 05.02 External Parties

ID: 1421.05j2Organizational.12-05.j Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Determine supplier contract obligations	CMA_0140 - Determine supplier contract obligations	Manual, Disabled	1.1.0
Document acquisition contract acceptance criteria	CMA_0187 - Document acquisition contract acceptance criteria	Manual, Disabled	1.1.0
Document protection of personal data in acquisition contracts	CMA_0194 - Document protection of personal data in acquisition contracts	Manual, Disabled	1.1.0
Document protection of security information in acquisition contracts	CMA_0195 - Document protection of security information in acquisition contracts	Manual, Disabled	1.1.0
Document requirements for the use of shared data in contracts	CMA_0197 - Document requirements for the use of shared data in contracts	Manual, Disabled	1.1.0
Document security assurance requirements in acquisition contracts	CMA_0199 - Document security assurance requirements in acquisition contracts	Manual, Disabled	1.1.0
Document security documentation requirements in acquisition contract	CMA_0200 - Document security documentation requirements in acquisition contract	Manual, Disabled	1.1.0
Document security functional requirements in acquisition contracts	CMA_0201 - Document security functional requirements in acquisition contracts	Manual, Disabled	1.1.0
Document the information system environment in acquisition contracts	CMA_0205 - Document the information system environment in acquisition contracts	Manual, Disabled	1.1.0
Document the protection of cardholder data in third party contracts	CMA_0207 - Document the protection of cardholder data in third party contracts	Manual, Disabled	1.1.0

1422.05j2Organizational.3-05.j 05.02 External Parties

ID: 1422.05j2Organizational.3-05.j Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Ensure external providers consistently meet interests of the customers	CMA_C1592 - Ensure external providers consistently meet interests of the customers	Manual, Disabled	1.1.0
Identify external service providers	CMA_C1591 - Identify external service providers	Manual, Disabled	1.1.0
Obtain approvals for acquisitions and outsourcing	CMA_C1590 - Obtain approvals for acquisitions and outsourcing	Manual, Disabled	1.1.0
Require external service providers to comply with security requirements	CMA_C1586 - Require external service providers to comply with security requirements	Manual, Disabled	1.1.0
Review cloud service provider's compliance with policies and agreements	CMA_0469 - Review cloud service provider's compliance with policies and agreements	Manual, Disabled	1.1.0
Undergo independent security review	CMA_0515 - Undergo independent security review	Manual, Disabled	1.1.0

1423.05j2Organizational.4-05.j 05.02 External Parties

ID: 1423.05j2Organizational.4-05.j Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Control use of portable storage devices	CMA_0083 - Control use of portable storage devices	Manual, Disabled	1.1.0
Employ boundary protection to isolate information systems	CMA_C1639 - Employ boundary protection to isolate information systems	Manual, Disabled	1.1.0
Ensure external providers consistently meet interests of the customers	CMA_C1592 - Ensure external providers consistently meet interests of the customers	Manual, Disabled	1.1.0
Establish terms and conditions for accessing resources	CMA_C1076 - Establish terms and conditions for accessing resources	Manual, Disabled	1.1.0
Establish terms and conditions for processing resources	CMA_C1077 - Establish terms and conditions for processing resources	Manual, Disabled	1.1.0
Require external service providers to comply with security requirements	CMA_C1586 - Require external service providers to comply with security requirements	Manual, Disabled	1.1.0
Review cloud service provider's compliance with policies and agreements	CMA_0469 - Review cloud service provider's compliance with policies and agreements	Manual, Disabled	1.1.0
Undergo independent security review	CMA_0515 - Undergo independent security review	Manual, Disabled	1.1.0
Verify security controls for external information systems	CMA_0541 - Verify security controls for external information systems	Manual, Disabled	1.1.0

1424.05j2Organizational.5-05.j 05.02 External Parties

ID: 1424.05j2Organizational.5-05.j Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Accept only FICAM-approved third-party credentials	CMA_C1348 - Accept only FICAM-approved third-party credentials	Manual, Disabled	1.1.0
Accept PIV credentials	CMA_C1347 - Accept PIV credentials	Manual, Disabled	1.1.0
Conform to FICAM-issued profiles	CMA_C1350 - Conform to FICAM-issued profiles	Manual, Disabled	1.1.0
Employ FICAM-approved resources to accept third-party credentials	CMA_C1349 - Employ FICAM-approved resources to accept third-party credentials	Manual, Disabled	1.1.0
Enforce user uniqueness	CMA_0250 - Enforce user uniqueness	Manual, Disabled	1.1.0
Identify and authenticate non-organizational users	CMA_C1346 - Identify and authenticate non-organizational users	Manual, Disabled	1.1.0
Support personal verification credentials issued by legal authorities	CMA_0507 - Support personal verification credentials issued by legal authorities	Manual, Disabled	1.1.0
Verify identity before distributing authenticators	CMA_0538 - Verify identity before distributing authenticators	Manual, Disabled	1.1.0

1429.05k1Organizational.34-05.k 05.02 External Parties

ID: 1429.05k1Organizational.34-05.k Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Determine supplier contract obligations	CMA_0140 - Determine supplier contract obligations	Manual, Disabled	1.1.0
Document acquisition contract acceptance criteria	CMA_0187 - Document acquisition contract acceptance criteria	Manual, Disabled	1.1.0
Document protection of personal data in acquisition contracts	CMA_0194 - Document protection of personal data in acquisition contracts	Manual, Disabled	1.1.0
Document protection of security information in acquisition contracts	CMA_0195 - Document protection of security information in acquisition contracts	Manual, Disabled	1.1.0
Document requirements for the use of shared data in contracts	CMA_0197 - Document requirements for the use of shared data in contracts	Manual, Disabled	1.1.0
Document security assurance requirements in acquisition contracts	CMA_0199 - Document security assurance requirements in acquisition contracts	Manual, Disabled	1.1.0
Document security documentation requirements in acquisition contract	CMA_0200 - Document security documentation requirements in acquisition contract	Manual, Disabled	1.1.0
Document security functional requirements in acquisition contracts	CMA_0201 - Document security functional requirements in acquisition contracts	Manual, Disabled	1.1.0
Document the information system environment in acquisition contracts	CMA_0205 - Document the information system environment in acquisition contracts	Manual, Disabled	1.1.0
Document the protection of cardholder data in third party contracts	CMA_0207 - Document the protection of cardholder data in third party contracts	Manual, Disabled	1.1.0
Document third-party personnel security requirements	CMA_C1531 - Document third-party personnel security requirements	Manual, Disabled	1.1.0
Establish third-party personnel security requirements	CMA_C1529 - Establish third-party personnel security requirements	Manual, Disabled	1.1.0
Monitor third-party provider compliance	CMA_C1533 - Monitor third-party provider compliance	Manual, Disabled	1.1.0
Require third-party providers to comply with personnel security policies and procedures	CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures	Manual, Disabled	1.1.0

1430.05k1Organizational.56-05.k 05.02 External Parties

ID: 1430.05k1Organizational.56-05.k Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Determine supplier contract obligations	CMA_0140 - Determine supplier contract obligations	Manual, Disabled	1.1.0
Document acquisition contract acceptance criteria	CMA_0187 - Document acquisition contract acceptance criteria	Manual, Disabled	1.1.0
Document protection of personal data in acquisition contracts	CMA_0194 - Document protection of personal data in acquisition contracts	Manual, Disabled	1.1.0
Document protection of security information in acquisition contracts	CMA_0195 - Document protection of security information in acquisition contracts	Manual, Disabled	1.1.0
Document requirements for the use of shared data in contracts	CMA_0197 - Document requirements for the use of shared data in contracts	Manual, Disabled	1.1.0
Document security assurance requirements in acquisition contracts	CMA_0199 - Document security assurance requirements in acquisition contracts	Manual, Disabled	1.1.0
Document security documentation requirements in acquisition contract	CMA_0200 - Document security documentation requirements in acquisition contract	Manual, Disabled	1.1.0
Document security functional requirements in acquisition contracts	CMA_0201 - Document security functional requirements in acquisition contracts	Manual, Disabled	1.1.0
Document the information system environment in acquisition contracts	CMA_0205 - Document the information system environment in acquisition contracts	Manual, Disabled	1.1.0
Document the protection of cardholder data in third party contracts	CMA_0207 - Document the protection of cardholder data in third party contracts	Manual, Disabled	1.1.0
Document third-party personnel security requirements	CMA_C1531 - Document third-party personnel security requirements	Manual, Disabled	1.1.0
Establish third-party personnel security requirements	CMA_C1529 - Establish third-party personnel security requirements	Manual, Disabled	1.1.0
Require third-party providers to comply with personnel security policies and procedures	CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures	Manual, Disabled	1.1.0

1431.05k1Organizational.7-05.k 05.02 External Parties

ID: 1431.05k1Organizational.7-05.k Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Document third-party personnel security requirements	CMA_C1531 - Document third-party personnel security requirements	Manual, Disabled	1.1.0
Establish third-party personnel security requirements	CMA_C1529 - Establish third-party personnel security requirements	Manual, Disabled	1.1.0
Monitor third-party provider compliance	CMA_C1533 - Monitor third-party provider compliance	Manual, Disabled	1.1.0
Require notification of third-party personnel transfer or termination	CMA_C1532 - Require notification of third-party personnel transfer or termination	Manual, Disabled	1.1.0
Require third-party providers to comply with personnel security policies and procedures	CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures	Manual, Disabled	1.1.0

1432.05k1Organizational.89-05.k 05.02 External Parties

ID: 1432.05k1Organizational.89-05.k Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Clear personnel with access to classified information	CMA_0054 - Clear personnel with access to classified information	Manual, Disabled	1.1.0
Document third-party personnel security requirements	CMA_C1531 - Document third-party personnel security requirements	Manual, Disabled	1.1.0
Establish privacy requirements for contractors and service providers	CMA_C1810 - Establish privacy requirements for contractors and service providers	Manual, Disabled	1.1.0
Establish third-party personnel security requirements	CMA_C1529 - Establish third-party personnel security requirements	Manual, Disabled	1.1.0
Implement personnel screening	CMA_0322 - Implement personnel screening	Manual, Disabled	1.1.0
Monitor third-party provider compliance	CMA_C1533 - Monitor third-party provider compliance	Manual, Disabled	1.1.0
Require third-party providers to comply with personnel security policies and procedures	CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures	Manual, Disabled	1.1.0

1438.09e2System.4-09.e 09.02 Control Third Party Service Delivery

ID: 1438.09e2System.4-09.e Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Determine supplier contract obligations	CMA_0140 - Determine supplier contract obligations	Manual, Disabled	1.1.0
Document acquisition contract acceptance criteria	CMA_0187 - Document acquisition contract acceptance criteria	Manual, Disabled	1.1.0
Document protection of personal data in acquisition contracts	CMA_0194 - Document protection of personal data in acquisition contracts	Manual, Disabled	1.1.0
Document protection of security information in acquisition contracts	CMA_0195 - Document protection of security information in acquisition contracts	Manual, Disabled	1.1.0
Document requirements for the use of shared data in contracts	CMA_0197 - Document requirements for the use of shared data in contracts	Manual, Disabled	1.1.0
Document security assurance requirements in acquisition contracts	CMA_0199 - Document security assurance requirements in acquisition contracts	Manual, Disabled	1.1.0
Document security documentation requirements in acquisition contract	CMA_0200 - Document security documentation requirements in acquisition contract	Manual, Disabled	1.1.0
Document security functional requirements in acquisition contracts	CMA_0201 - Document security functional requirements in acquisition contracts	Manual, Disabled	1.1.0
Document the information system environment in acquisition contracts	CMA_0205 - Document the information system environment in acquisition contracts	Manual, Disabled	1.1.0
Document the protection of cardholder data in third party contracts	CMA_0207 - Document the protection of cardholder data in third party contracts	Manual, Disabled	1.1.0
Ensure external providers consistently meet interests of the customers	CMA_C1592 - Ensure external providers consistently meet interests of the customers	Manual, Disabled	1.1.0
Require external service providers to comply with security requirements	CMA_C1586 - Require external service providers to comply with security requirements	Manual, Disabled	1.1.0
Review cloud service provider's compliance with policies and agreements	CMA_0469 - Review cloud service provider's compliance with policies and agreements	Manual, Disabled	1.1.0
Undergo independent security review	CMA_0515 - Undergo independent security review	Manual, Disabled	1.1.0

1450.05i2Organizational.2-05.i 05.02 External Parties

ID: 1450.05i2Organizational.2-05.i Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Assess risk in third party relationships	CMA_0014 - Assess risk in third party relationships	Manual, Disabled	1.1.0
Define and document government oversight	CMA_C1587 - Define and document government oversight	Manual, Disabled	1.1.0
Define requirements for supplying goods and services	CMA_0126 - Define requirements for supplying goods and services	Manual, Disabled	1.1.0
Determine supplier contract obligations	CMA_0140 - Determine supplier contract obligations	Manual, Disabled	1.1.0
Enforce SSL connection should be enabled for PostgreSQL database servers	Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.	Audit, Disabled	1.0.1
Establish policies for supply chain risk management	CMA_0275 - Establish policies for supply chain risk management	Manual, Disabled	1.1.0
Identify incident response personnel	CMA_0301 - Identify incident response personnel	Manual, Disabled	1.1.0
Require external service providers to comply with security requirements	CMA_C1586 - Require external service providers to comply with security requirements	Manual, Disabled	1.1.0
Review cloud service provider's compliance with policies and agreements	CMA_0469 - Review cloud service provider's compliance with policies and agreements	Manual, Disabled	1.1.0
Undergo independent security review	CMA_0515 - Undergo independent security review	Manual, Disabled	1.1.0

1451.05iCSPOrganizational.2-05.i 05.02 External Parties

ID: 1451.05iCSPOrganizational.2-05.i Ownership: Shared

1452.05kCSPOrganizational.1-05.k 05.02 External Parties

ID: 1452.05kCSPOrganizational.1-05.k Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Document third-party personnel security requirements	CMA_C1531 - Document third-party personnel security requirements	Manual, Disabled	1.1.0
Establish third-party personnel security requirements	CMA_C1529 - Establish third-party personnel security requirements	Manual, Disabled	1.1.0
Require third-party providers to comply with personnel security policies and procedures	CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures	Manual, Disabled	1.1.0

1453.05kCSPOrganizational.2-05.k 05.02 External Parties

ID: 1453.05kCSPOrganizational.2-05.k Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Assess risk in third party relationships	CMA_0014 - Assess risk in third party relationships	Manual, Disabled	1.1.0
Define requirements for supplying goods and services	CMA_0126 - Define requirements for supplying goods and services	Manual, Disabled	1.1.0
Determine supplier contract obligations	CMA_0140 - Determine supplier contract obligations	Manual, Disabled	1.1.0
Ensure external providers consistently meet interests of the customers	CMA_C1592 - Ensure external providers consistently meet interests of the customers	Manual, Disabled	1.1.0
Establish an information security program	CMA_0263 - Establish an information security program	Manual, Disabled	1.1.0
Establish policies for supply chain risk management	CMA_0275 - Establish policies for supply chain risk management	Manual, Disabled	1.1.0
Establish third-party personnel security requirements	CMA_C1529 - Establish third-party personnel security requirements	Manual, Disabled	1.1.0
Require external service providers to comply with security requirements	CMA_C1586 - Require external service providers to comply with security requirements	Manual, Disabled	1.1.0
Review cloud service provider's compliance with policies and agreements	CMA_0469 - Review cloud service provider's compliance with policies and agreements	Manual, Disabled	1.1.0
Undergo independent security review	CMA_0515 - Undergo independent security review	Manual, Disabled	1.1.0

1454.05kCSPOrganizational.3-05.k 05.02 External Parties

ID: 1454.05kCSPOrganizational.3-05.k Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Assess risk in third party relationships	CMA_0014 - Assess risk in third party relationships	Manual, Disabled	1.1.0
Define and document government oversight	CMA_C1587 - Define and document government oversight	Manual, Disabled	1.1.0
Define requirements for supplying goods and services	CMA_0126 - Define requirements for supplying goods and services	Manual, Disabled	1.1.0
Establish policies for supply chain risk management	CMA_0275 - Establish policies for supply chain risk management	Manual, Disabled	1.1.0
Identify external service providers	CMA_C1591 - Identify external service providers	Manual, Disabled	1.1.0
Require external service providers to comply with security requirements	CMA_C1586 - Require external service providers to comply with security requirements	Manual, Disabled	1.1.0
Review cloud service provider's compliance with policies and agreements	CMA_0469 - Review cloud service provider's compliance with policies and agreements	Manual, Disabled	1.1.0
Undergo independent security review	CMA_0515 - Undergo independent security review	Manual, Disabled	1.1.0

1455.05kCSPOrganizational.4-05.k 05.02 External Parties

ID: 1455.05kCSPOrganizational.4-05.k Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Define and document government oversight	CMA_C1587 - Define and document government oversight	Manual, Disabled	1.1.0
Document third-party personnel security requirements	CMA_C1531 - Document third-party personnel security requirements	Manual, Disabled	1.1.0
Establish third-party personnel security requirements	CMA_C1529 - Establish third-party personnel security requirements	Manual, Disabled	1.1.0
Monitor third-party provider compliance	CMA_C1533 - Monitor third-party provider compliance	Manual, Disabled	1.1.0
Require external service providers to comply with security requirements	CMA_C1586 - Require external service providers to comply with security requirements	Manual, Disabled	1.1.0
Require notification of third-party personnel transfer or termination	CMA_C1532 - Require notification of third-party personnel transfer or termination	Manual, Disabled	1.1.0
Require third-party providers to comply with personnel security policies and procedures	CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures	Manual, Disabled	1.1.0
Review cloud service provider's compliance with policies and agreements	CMA_0469 - Review cloud service provider's compliance with policies and agreements	Manual, Disabled	1.1.0
Undergo independent security review	CMA_0515 - Undergo independent security review	Manual, Disabled	1.1.0

1464.09e2Organizational.5-09.e 09.02 Control Third Party Service Delivery

ID: 1464.09e2Organizational.5-09.e Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Create separate alternate and primary storage sites	CMA_C1269 - Create separate alternate and primary storage sites	Manual, Disabled	1.1.0
Ensure alternate storage site safeguards are equivalent to primary site	CMA_C1268 - Ensure alternate storage site safeguards are equivalent to primary site	Manual, Disabled	1.1.0
Establish an alternate processing site	CMA_0262 - Establish an alternate processing site	Manual, Disabled	1.1.0
Identify and mitigate potential issues at alternate storage site	CMA_C1271 - Identify and mitigate potential issues at alternate storage site	Manual, Disabled	1.1.0
Recover and reconstitute resources after any disruption	CMA_C1295 - Recover and reconstitute resources after any disruption	Manual, Disabled	1.1.1

15 Incident Management

1501.02f1Organizational.123-02.f 02.03 During Employment

ID: 1501.02f1Organizational.123-02.f Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Assess information security events	CMA_0013 - Assess information security events	Manual, Disabled	1.1.0
Develop an incident response plan	CMA_0145 - Develop an incident response plan	Manual, Disabled	1.1.0
Develop security safeguards	CMA_0161 - Develop security safeguards	Manual, Disabled	1.1.0
Enable network protection	CMA_0238 - Enable network protection	Manual, Disabled	1.1.0
Eradicate contaminated information	CMA_0253 - Eradicate contaminated information	Manual, Disabled	1.1.0
Execute actions in response to information spills	CMA_0281 - Execute actions in response to information spills	Manual, Disabled	1.1.0
Implement formal sanctions process	CMA_0317 - Implement formal sanctions process	Manual, Disabled	1.1.0
Implement incident handling	CMA_0318 - Implement incident handling	Manual, Disabled	1.1.0
Maintain incident response plan	CMA_0352 - Maintain incident response plan	Manual, Disabled	1.1.0
Notify personnel upon sanctions	CMA_0380 - Notify personnel upon sanctions	Manual, Disabled	1.1.0
View and investigate restricted users	CMA_0545 - View and investigate restricted users	Manual, Disabled	1.1.0

1503.02f2Organizational.12-02.f 02.03 During Employment

ID: 1503.02f2Organizational.12-02.f Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Develop an incident response plan	CMA_0145 - Develop an incident response plan	Manual, Disabled	1.1.0
Develop security safeguards	CMA_0161 - Develop security safeguards	Manual, Disabled	1.1.0
Document security operations	CMA_0202 - Document security operations	Manual, Disabled	1.1.0
Enable network protection	CMA_0238 - Enable network protection	Manual, Disabled	1.1.0
Eradicate contaminated information	CMA_0253 - Eradicate contaminated information	Manual, Disabled	1.1.0
Execute actions in response to information spills	CMA_0281 - Execute actions in response to information spills	Manual, Disabled	1.1.0
Implement formal sanctions process	CMA_0317 - Implement formal sanctions process	Manual, Disabled	1.1.0
Implement incident handling	CMA_0318 - Implement incident handling	Manual, Disabled	1.1.0
Implement Incident handling capability	CMA_C1367 - Implement Incident handling capability	Manual, Disabled	1.1.0
Notify personnel upon sanctions	CMA_0380 - Notify personnel upon sanctions	Manual, Disabled	1.1.0
View and investigate restricted users	CMA_0545 - View and investigate restricted users	Manual, Disabled	1.1.0

1504.06e1Organizational.34-06.e 06.01 Compliance with Legal Requirements

ID: 1504.06e1Organizational.34-06.e Ownership: Shared

1505.11a1Organizational.13-11.a 11.01 Reporting Information Security Incidents and Weaknesses

ID: 1505.11a1Organizational.13-11.a Ownership: Shared

1506.11a1Organizational.2-11.a 11.01 Reporting Information Security Incidents and Weaknesses

ID: 1506.11a1Organizational.2-11.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Coordinate contingency plans with related plans	CMA_0086 - Coordinate contingency plans with related plans	Manual, Disabled	1.1.0
Develop an incident response plan	CMA_0145 - Develop an incident response plan	Manual, Disabled	1.1.0
Document security operations	CMA_0202 - Document security operations	Manual, Disabled	1.1.0
Enable network protection	CMA_0238 - Enable network protection	Manual, Disabled	1.1.0
Eradicate contaminated information	CMA_0253 - Eradicate contaminated information	Manual, Disabled	1.1.0
Establish a privacy program	CMA_0257 - Establish a privacy program	Manual, Disabled	1.1.0
Execute actions in response to information spills	CMA_0281 - Execute actions in response to information spills	Manual, Disabled	1.1.0
Implement incident handling	CMA_0318 - Implement incident handling	Manual, Disabled	1.1.0
Manage contacts for authorities and special interest groups	CMA_0359 - Manage contacts for authorities and special interest groups	Manual, Disabled	1.1.0
View and investigate restricted users	CMA_0545 - View and investigate restricted users	Manual, Disabled	1.1.0

1507.11a1Organizational.4-11.a 11.01 Reporting Information Security Incidents and Weaknesses

ID: 1507.11a1Organizational.4-11.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Implement an insider threat program	CMA_C1751 - Implement an insider threat program	Manual, Disabled	1.1.0
Implement Incident handling capability	CMA_C1367 - Implement Incident handling capability	Manual, Disabled	1.1.0
Provide security awareness training for insider threats	CMA_0417 - Provide security awareness training for insider threats	Manual, Disabled	1.1.0

1508.11a2Organizational.1-11.a 11.01 Reporting Information Security Incidents and Weaknesses

ID: 1508.11a2Organizational.1-11.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Develop an incident response plan	CMA_0145 - Develop an incident response plan	Manual, Disabled	1.1.0
Document security operations	CMA_0202 - Document security operations	Manual, Disabled	1.1.0
Enable network protection	CMA_0238 - Enable network protection	Manual, Disabled	1.1.0
Eradicate contaminated information	CMA_0253 - Eradicate contaminated information	Manual, Disabled	1.1.0
Execute actions in response to information spills	CMA_0281 - Execute actions in response to information spills	Manual, Disabled	1.1.0
Implement incident handling	CMA_0318 - Implement incident handling	Manual, Disabled	1.1.0
Provide information spillage training	CMA_0413 - Provide information spillage training	Manual, Disabled	1.1.0
View and investigate restricted users	CMA_0545 - View and investigate restricted users	Manual, Disabled	1.1.0

1509.11a2Organizational.236-11.a 11.01 Reporting Information Security Incidents and Weaknesses

ID: 1509.11a2Organizational.236-11.a Ownership: Shared

1510.11a2Organizational.47-11.a 11.01 Reporting Information Security Incidents and Weaknesses

ID: 1510.11a2Organizational.47-11.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Assess information security events	CMA_0013 - Assess information security events	Manual, Disabled	1.1.0
Conduct incident response testing	CMA_0060 - Conduct incident response testing	Manual, Disabled	1.1.0
Develop an incident response plan	CMA_0145 - Develop an incident response plan	Manual, Disabled	1.1.0
Document security operations	CMA_0202 - Document security operations	Manual, Disabled	1.1.0
Establish an information security program	CMA_0263 - Establish an information security program	Manual, Disabled	1.1.0
Implement incident handling	CMA_0318 - Implement incident handling	Manual, Disabled	1.1.0
Maintain data breach records	CMA_0351 - Maintain data breach records	Manual, Disabled	1.1.0
Maintain incident response plan	CMA_0352 - Maintain incident response plan	Manual, Disabled	1.1.0
Protect incident response plan	CMA_0405 - Protect incident response plan	Manual, Disabled	1.1.0
Provide information spillage training	CMA_0413 - Provide information spillage training	Manual, Disabled	1.1.0
Run simulation attacks	CMA_0486 - Run simulation attacks	Manual, Disabled	1.1.0

1511.11a2Organizational.5-11.a 11.01 Reporting Information Security Incidents and Weaknesses

ID: 1511.11a2Organizational.5-11.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Assess information security events	CMA_0013 - Assess information security events	Manual, Disabled	1.1.0
Coordinate contingency plans with related plans	CMA_0086 - Coordinate contingency plans with related plans	Manual, Disabled	1.1.0
Develop an incident response plan	CMA_0145 - Develop an incident response plan	Manual, Disabled	1.1.0
Develop security safeguards	CMA_0161 - Develop security safeguards	Manual, Disabled	1.1.0
Document security operations	CMA_0202 - Document security operations	Manual, Disabled	1.1.0
Enable network protection	CMA_0238 - Enable network protection	Manual, Disabled	1.1.0
Eradicate contaminated information	CMA_0253 - Eradicate contaminated information	Manual, Disabled	1.1.0
Execute actions in response to information spills	CMA_0281 - Execute actions in response to information spills	Manual, Disabled	1.1.0
Implement incident handling	CMA_0318 - Implement incident handling	Manual, Disabled	1.1.0
Incorporate simulated events into incident response training	CMA_C1356 - Incorporate simulated events into incident response training	Manual, Disabled	1.1.0
Maintain incident response plan	CMA_0352 - Maintain incident response plan	Manual, Disabled	1.1.0
Provide information spillage training	CMA_0413 - Provide information spillage training	Manual, Disabled	1.1.0
View and investigate restricted users	CMA_0545 - View and investigate restricted users	Manual, Disabled	1.1.0

1512.11a2Organizational.8-11.a 11.01 Reporting Information Security Incidents and Weaknesses

ID: 1512.11a2Organizational.8-11.a Ownership: Shared

1515.11a3Organizational.3-11.a 11.01 Reporting Information Security Incidents and Weaknesses

ID: 1515.11a3Organizational.3-11.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Assess information security events	CMA_0013 - Assess information security events	Manual, Disabled	1.1.0
Coordinate contingency plans with related plans	CMA_0086 - Coordinate contingency plans with related plans	Manual, Disabled	1.1.0
Develop an incident response plan	CMA_0145 - Develop an incident response plan	Manual, Disabled	1.1.0
Develop security safeguards	CMA_0161 - Develop security safeguards	Manual, Disabled	1.1.0
Enable network protection	CMA_0238 - Enable network protection	Manual, Disabled	1.1.0
Eradicate contaminated information	CMA_0253 - Eradicate contaminated information	Manual, Disabled	1.1.0
Execute actions in response to information spills	CMA_0281 - Execute actions in response to information spills	Manual, Disabled	1.1.0
Identify classes of Incidents and Actions taken	CMA_C1365 - Identify classes of Incidents and Actions taken	Manual, Disabled	1.1.0
Implement incident handling	CMA_0318 - Implement incident handling	Manual, Disabled	1.1.0
Maintain incident response plan	CMA_0352 - Maintain incident response plan	Manual, Disabled	1.1.0
View and investigate restricted users	CMA_0545 - View and investigate restricted users	Manual, Disabled	1.1.0

1516.11c1Organizational.12-11.c 11.02 Management of Information Security Incidents and Improvements

ID: 1516.11c1Organizational.12-11.c Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Assess information security events	CMA_0013 - Assess information security events	Manual, Disabled	1.1.0
Conduct incident response testing	CMA_0060 - Conduct incident response testing	Manual, Disabled	1.1.0
Document security operations	CMA_0202 - Document security operations	Manual, Disabled	1.1.0
Establish an information security program	CMA_0263 - Establish an information security program	Manual, Disabled	1.1.0
Implement incident handling	CMA_0318 - Implement incident handling	Manual, Disabled	1.1.0
Maintain data breach records	CMA_0351 - Maintain data breach records	Manual, Disabled	1.1.0
Maintain incident response plan	CMA_0352 - Maintain incident response plan	Manual, Disabled	1.1.0
Protect incident response plan	CMA_0405 - Protect incident response plan	Manual, Disabled	1.1.0
Provide information spillage training	CMA_0413 - Provide information spillage training	Manual, Disabled	1.1.0
Run simulation attacks	CMA_0486 - Run simulation attacks	Manual, Disabled	1.1.0

1517.11c1Organizational.3-11.c 11.02 Management of Information Security Incidents and Improvements

ID: 1517.11c1Organizational.3-11.c Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Assess information security events	CMA_0013 - Assess information security events	Manual, Disabled	1.1.0
Document security operations	CMA_0202 - Document security operations	Manual, Disabled	1.1.0
Implement incident handling	CMA_0318 - Implement incident handling	Manual, Disabled	1.1.0
Maintain data breach records	CMA_0351 - Maintain data breach records	Manual, Disabled	1.1.0
Maintain incident response plan	CMA_0352 - Maintain incident response plan	Manual, Disabled	1.1.0
Protect incident response plan	CMA_0405 - Protect incident response plan	Manual, Disabled	1.1.0

1518.11c2Organizational.13-11.c 11.02 Management of Information Security Incidents and Improvements

ID: 1518.11c2Organizational.13-11.c Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Review and update incident response policies and procedures	CMA_C1352 - Review and update incident response policies and procedures	Manual, Disabled	1.1.0

1519.11c2Organizational.2-11.c 11.02 Management of Information Security Incidents and Improvements

ID: 1519.11c2Organizational.2-11.c Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Correlate audit records	CMA_0087 - Correlate audit records	Manual, Disabled	1.1.0
Document security operations	CMA_0202 - Document security operations	Manual, Disabled	1.1.0
Establish requirements for audit review and reporting	CMA_0277 - Establish requirements for audit review and reporting	Manual, Disabled	1.1.0
Integrate Audit record analysis	CMA_C1120 - Integrate Audit record analysis	Manual, Disabled	1.1.0
Integrate audit review, analysis, and reporting	CMA_0339 - Integrate audit review, analysis, and reporting	Manual, Disabled	1.1.0
Integrate cloud app security with a siem	CMA_0340 - Integrate cloud app security with a siem	Manual, Disabled	1.1.0
Provide capability to process customer-controlled audit records	CMA_C1126 - Provide capability to process customer-controlled audit records	Manual, Disabled	1.1.0
Review account provisioning logs	CMA_0460 - Review account provisioning logs	Manual, Disabled	1.1.0
Review administrator assignments weekly	CMA_0461 - Review administrator assignments weekly	Manual, Disabled	1.1.0
Review audit data	CMA_0466 - Review audit data	Manual, Disabled	1.1.0
Review cloud identity report overview	CMA_0468 - Review cloud identity report overview	Manual, Disabled	1.1.0
Review controlled folder access events	CMA_0471 - Review controlled folder access events	Manual, Disabled	1.1.0
Review file and folder activity	CMA_0473 - Review file and folder activity	Manual, Disabled	1.1.0
Review role group changes weekly	CMA_0476 - Review role group changes weekly	Manual, Disabled	1.1.0

1520.11c2Organizational.4-11.c 11.02 Management of Information Security Incidents and Improvements

ID: 1520.11c2Organizational.4-11.c Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Assess information security events	CMA_0013 - Assess information security events	Manual, Disabled	1.1.0
Conduct incident response testing	CMA_0060 - Conduct incident response testing	Manual, Disabled	1.1.0
Establish an information security program	CMA_0263 - Establish an information security program	Manual, Disabled	1.1.0
Implement incident handling	CMA_0318 - Implement incident handling	Manual, Disabled	1.1.0
Maintain data breach records	CMA_0351 - Maintain data breach records	Manual, Disabled	1.1.0
Maintain incident response plan	CMA_0352 - Maintain incident response plan	Manual, Disabled	1.1.0
Protect incident response plan	CMA_0405 - Protect incident response plan	Manual, Disabled	1.1.0
Run simulation attacks	CMA_0486 - Run simulation attacks	Manual, Disabled	1.1.0

1521.11c2Organizational.56-11.c 11.02 Management of Information Security Incidents and Improvements

ID: 1521.11c2Organizational.56-11.c Ownership: Shared

1522.11c3Organizational.13-11.c 11.02 Management of Information Security Incidents and Improvements

ID: 1522.11c3Organizational.13-11.c Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Document security operations	CMA_0202 - Document security operations	Manual, Disabled	1.1.0
Enable network protection	CMA_0238 - Enable network protection	Manual, Disabled	1.1.0
Eradicate contaminated information	CMA_0253 - Eradicate contaminated information	Manual, Disabled	1.1.0
Execute actions in response to information spills	CMA_0281 - Execute actions in response to information spills	Manual, Disabled	1.1.0
Implement incident handling	CMA_0318 - Implement incident handling	Manual, Disabled	1.1.0
View and investigate restricted users	CMA_0545 - View and investigate restricted users	Manual, Disabled	1.1.0

1523.11c3Organizational.24-11.c 11.02 Management of Information Security Incidents and Improvements

ID: 1523.11c3Organizational.24-11.c Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Document security operations	CMA_0202 - Document security operations	Manual, Disabled	1.1.0
Establish relationship between incident response capability and external providers	CMA_C1376 - Establish relationship between incident response capability and external providers	Manual, Disabled	1.1.0
Identify incident response personnel	CMA_0301 - Identify incident response personnel	Manual, Disabled	1.1.0
Use automated mechanisms for security alerts	CMA_C1707 - Use automated mechanisms for security alerts	Manual, Disabled	1.1.0

1524.11a1Organizational.5-11.a 11.01 Reporting Information Security Incidents and Weaknesses

ID: 1524.11a1Organizational.5-11.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Coordinate with external organizations to achieve cross org perspective	CMA_C1368 - Coordinate with external organizations to achieve cross org perspective	Manual, Disabled	1.1.0
Obtain legal opinion for monitoring system activities	CMA_C1688 - Obtain legal opinion for monitoring system activities	Manual, Disabled	1.1.0
Require external service providers to comply with security requirements	CMA_C1586 - Require external service providers to comply with security requirements	Manual, Disabled	1.1.0

1525.11a1Organizational.6-11.a 11.01 Reporting Information Security Incidents and Weaknesses

ID: 1525.11a1Organizational.6-11.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Establish information security workforce development and improvement program	CMA_C1752 - Establish information security workforce development and improvement program	Manual, Disabled	1.1.0
Implement an insider threat program	CMA_C1751 - Implement an insider threat program	Manual, Disabled	1.1.0
Implement formal sanctions process	CMA_0317 - Implement formal sanctions process	Manual, Disabled	1.1.0
Implement Incident handling capability	CMA_C1367 - Implement Incident handling capability	Manual, Disabled	1.1.0
Notify personnel upon sanctions	CMA_0380 - Notify personnel upon sanctions	Manual, Disabled	1.1.0
Provide security awareness training for insider threats	CMA_0417 - Provide security awareness training for insider threats	Manual, Disabled	1.1.0

1560.11d1Organizational.1-11.d 11.02 Management of Information Security Incidents and Improvements

ID: 1560.11d1Organizational.1-11.d Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Assess information security events	CMA_0013 - Assess information security events	Manual, Disabled	1.1.0
Conduct incident response testing	CMA_0060 - Conduct incident response testing	Manual, Disabled	1.1.0
Establish an information security program	CMA_0263 - Establish an information security program	Manual, Disabled	1.1.0
Implement incident handling	CMA_0318 - Implement incident handling	Manual, Disabled	1.1.0
Maintain data breach records	CMA_0351 - Maintain data breach records	Manual, Disabled	1.1.0
Maintain incident response plan	CMA_0352 - Maintain incident response plan	Manual, Disabled	1.1.0
Protect incident response plan	CMA_0405 - Protect incident response plan	Manual, Disabled	1.1.0
Run simulation attacks	CMA_0486 - Run simulation attacks	Manual, Disabled	1.1.0

1561.11d2Organizational.14-11.d 11.02 Management of Information Security Incidents and Improvements

ID: 1561.11d2Organizational.14-11.d Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Develop security safeguards	CMA_0161 - Develop security safeguards	Manual, Disabled	1.1.0
Enable network protection	CMA_0238 - Enable network protection	Manual, Disabled	1.1.0
Eradicate contaminated information	CMA_0253 - Eradicate contaminated information	Manual, Disabled	1.1.0
Execute actions in response to information spills	CMA_0281 - Execute actions in response to information spills	Manual, Disabled	1.1.0
Review and update incident response policies and procedures	CMA_C1352 - Review and update incident response policies and procedures	Manual, Disabled	1.1.0
View and investigate restricted users	CMA_0545 - View and investigate restricted users	Manual, Disabled	1.1.0

1562.11d2Organizational.2-11.d 11.02 Management of Information Security Incidents and Improvements

ID: 1562.11d2Organizational.2-11.d Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Address information security issues	CMA_C1742 - Address information security issues	Manual, Disabled	1.1.0
Conduct incident response testing	CMA_0060 - Conduct incident response testing	Manual, Disabled	1.1.0
Coordinate contingency plans with related plans	CMA_0086 - Coordinate contingency plans with related plans	Manual, Disabled	1.1.0
Develop contingency plan	CMA_C1244 - Develop contingency plan	Manual, Disabled	1.1.0
Develop security safeguards	CMA_0161 - Develop security safeguards	Manual, Disabled	1.1.0
Enable network protection	CMA_0238 - Enable network protection	Manual, Disabled	1.1.0
Eradicate contaminated information	CMA_0253 - Eradicate contaminated information	Manual, Disabled	1.1.0
Establish an information security program	CMA_0263 - Establish an information security program	Manual, Disabled	1.1.0
Execute actions in response to information spills	CMA_0281 - Execute actions in response to information spills	Manual, Disabled	1.1.0
Identify classes of Incidents and Actions taken	CMA_C1365 - Identify classes of Incidents and Actions taken	Manual, Disabled	1.1.0
Run simulation attacks	CMA_0486 - Run simulation attacks	Manual, Disabled	1.1.0
View and investigate restricted users	CMA_0545 - View and investigate restricted users	Manual, Disabled	1.1.0

1563.11d2Organizational.3-11.d 11.02 Management of Information Security Incidents and Improvements

ID: 1563.11d2Organizational.3-11.d Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Assess information security events	CMA_0013 - Assess information security events	Manual, Disabled	1.1.0
Conduct incident response testing	CMA_0060 - Conduct incident response testing	Manual, Disabled	1.1.0
Maintain incident response plan	CMA_0352 - Maintain incident response plan	Manual, Disabled	1.1.0
Run simulation attacks	CMA_0486 - Run simulation attacks	Manual, Disabled	1.1.0

1577.11aCSPOrganizational.1-11.a 11.01 Reporting Information Security Incidents and Weaknesses

ID: 1577.11aCSPOrganizational.1-11.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Ensure external providers consistently meet interests of the customers	CMA_C1592 - Ensure external providers consistently meet interests of the customers	Manual, Disabled	1.1.0
Identify incident response personnel	CMA_0301 - Identify incident response personnel	Manual, Disabled	1.1.0

1587.11c2Organizational.10-11.c 11.02 Management of Information Security Incidents and Improvements

ID: 1587.11c2Organizational.10-11.c Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Assess information security events	CMA_0013 - Assess information security events	Manual, Disabled	1.1.0
Develop security safeguards	CMA_0161 - Develop security safeguards	Manual, Disabled	1.1.0
Enable network protection	CMA_0238 - Enable network protection	Manual, Disabled	1.1.0
Eradicate contaminated information	CMA_0253 - Eradicate contaminated information	Manual, Disabled	1.1.0
Execute actions in response to information spills	CMA_0281 - Execute actions in response to information spills	Manual, Disabled	1.1.0
Maintain data breach records	CMA_0351 - Maintain data breach records	Manual, Disabled	1.1.0
Maintain incident response plan	CMA_0352 - Maintain incident response plan	Manual, Disabled	1.1.0
Protect incident response plan	CMA_0405 - Protect incident response plan	Manual, Disabled	1.1.0
View and investigate restricted users	CMA_0545 - View and investigate restricted users	Manual, Disabled	1.1.0

1589.11c1Organizational.5-11.c 11.02 Management of Information Security Incidents and Improvements

ID: 1589.11c1Organizational.5-11.c Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Conduct incident response testing	CMA_0060 - Conduct incident response testing	Manual, Disabled	1.1.0
Incorporate simulated events into incident response training	CMA_C1356 - Incorporate simulated events into incident response training	Manual, Disabled	1.1.0
Provide information spillage training	CMA_0413 - Provide information spillage training	Manual, Disabled	1.1.0
Run simulation attacks	CMA_0486 - Run simulation attacks	Manual, Disabled	1.1.0

16 Business Continuity & Disaster Recovery

1601.12c1Organizational.1238-12.c 12.01 Information Security Aspects of Business Continuity Management

ID: 1601.12c1Organizational.1238-12.c Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Develop contingency plan	CMA_C1244 - Develop contingency plan	Manual, Disabled	1.1.0
Test the business continuity and disaster recovery plan	CMA_0509 - Test the business continuity and disaster recovery plan	Manual, Disabled	1.1.0
Update contingency plan	CMA_C1248 - Update contingency plan	Manual, Disabled	1.1.0

1602.12c1Organizational.4567-12.c 12.01 Information Security Aspects of Business Continuity Management

ID: 1602.12c1Organizational.4567-12.c Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Conduct capacity planning	CMA_C1252 - Conduct capacity planning	Manual, Disabled	1.1.0
Develop and document a business continuity and disaster recovery plan	CMA_0146 - Develop and document a business continuity and disaster recovery plan	Manual, Disabled	1.1.0
Develop contingency plan	CMA_C1244 - Develop contingency plan	Manual, Disabled	1.1.0

1603.12c1Organizational.9-12.c 12.01 Information Security Aspects of Business Continuity Management

ID: 1603.12c1Organizational.9-12.c Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Communicate contingency plan changes	CMA_C1249 - Communicate contingency plan changes	Manual, Disabled	1.1.0
Coordinate contingency plans with related plans	CMA_0086 - Coordinate contingency plans with related plans	Manual, Disabled	1.1.0
Develop contingency planning policies and procedures	CMA_0156 - Develop contingency planning policies and procedures	Manual, Disabled	1.1.0
Distribute policies and procedures	CMA_0185 - Distribute policies and procedures	Manual, Disabled	1.1.0
Review and update contingency planning policies and procedures	CMA_C1243 - Review and update contingency planning policies and procedures	Manual, Disabled	1.1.0

1604.12c2Organizational.16789-12.c 12.01 Information Security Aspects of Business Continuity Management

ID: 1604.12c2Organizational.16789-12.c Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Create separate alternate and primary storage sites	CMA_C1269 - Create separate alternate and primary storage sites	Manual, Disabled	1.1.0
Ensure alternate storage site safeguards are equivalent to primary site	CMA_C1268 - Ensure alternate storage site safeguards are equivalent to primary site	Manual, Disabled	1.1.0
Establish alternate storage site that facilitates recovery operations	CMA_C1270 - Establish alternate storage site that facilitates recovery operations	Manual, Disabled	1.1.0
Establish alternate storage site to store and retrieve backup information	CMA_C1267 - Establish alternate storage site to store and retrieve backup information	Manual, Disabled	1.1.0
Establish an alternate processing site	CMA_0262 - Establish an alternate processing site	Manual, Disabled	1.1.0
Establish requirements for internet service providers	CMA_0278 - Establish requirements for internet service providers	Manual, Disabled	1.1.0

1607.12c2Organizational.4-12.c 12.01 Information Security Aspects of Business Continuity Management

ID: 1607.12c2Organizational.4-12.c Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Develop contingency plan	CMA_C1244 - Develop contingency plan	Manual, Disabled	1.1.0
Review and update contingency planning policies and procedures	CMA_C1243 - Review and update contingency planning policies and procedures	Manual, Disabled	1.1.0

1608.12c2Organizational.5-12.c 12.01 Information Security Aspects of Business Continuity Management

ID: 1608.12c2Organizational.5-12.c Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Conduct backup of information system documentation	CMA_C1289 - Conduct backup of information system documentation	Manual, Disabled	1.1.0
Separately store backup information	CMA_C1293 - Separately store backup information	Manual, Disabled	1.1.0
Transfer backup information to an alternate storage site	CMA_C1294 - Transfer backup information to an alternate storage site	Manual, Disabled	1.1.0

1609.12c3Organizational.12-12.c 12.01 Information Security Aspects of Business Continuity Management

ID: 1609.12c3Organizational.12-12.c Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Establish requirements for internet service providers	CMA_0278 - Establish requirements for internet service providers	Manual, Disabled	1.1.0

1616.09l1Organizational.16-09.l 09.05 Information Back-Up

ID: 1616.09l1Organizational.16-09.l Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Conduct backup of information system documentation	CMA_C1289 - Conduct backup of information system documentation	Manual, Disabled	1.1.0
Long-term geo-redundant backup should be enabled for Azure SQL Databases	This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled.	AuditIfNotExists, Disabled	2.0.0

1617.09l1Organizational.23-09.l 09.05 Information Back-Up

ID: 1617.09l1Organizational.23-09.l Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Conduct backup of information system documentation	CMA_C1289 - Conduct backup of information system documentation	Manual, Disabled	1.1.0
Develop contingency plan	CMA_C1244 - Develop contingency plan	Manual, Disabled	1.1.0
Geo-redundant backup should be enabled for Azure Database for MySQL	Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.	Audit, Disabled	1.0.1

1618.09l1Organizational.45-09.l 09.05 Information Back-Up

ID: 1618.09l1Organizational.45-09.l Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Create separate alternate and primary storage sites	CMA_C1269 - Create separate alternate and primary storage sites	Manual, Disabled	1.1.0
Ensure alternate storage site safeguards are equivalent to primary site	CMA_C1268 - Ensure alternate storage site safeguards are equivalent to primary site	Manual, Disabled	1.1.0
Establish alternate storage site that facilitates recovery operations	CMA_C1270 - Establish alternate storage site that facilitates recovery operations	Manual, Disabled	1.1.0
Establish alternate storage site to store and retrieve backup information	CMA_C1267 - Establish alternate storage site to store and retrieve backup information	Manual, Disabled	1.1.0
Establish backup policies and procedures	CMA_0268 - Establish backup policies and procedures	Manual, Disabled	1.1.0
Geo-redundant backup should be enabled for Azure Database for PostgreSQL	Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.	Audit, Disabled	1.0.1
Separately store backup information	CMA_C1293 - Separately store backup information	Manual, Disabled	1.1.0

1619.09l1Organizational.7-09.l 09.05 Information Back-Up

ID: 1619.09l1Organizational.7-09.l Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Establish requirements for internet service providers	CMA_0278 - Establish requirements for internet service providers	Manual, Disabled	1.1.0
Geo-redundant backup should be enabled for Azure Database for MariaDB	Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.	Audit, Disabled	1.0.1

1620.09l1Organizational.8-09.l 09.05 Information Back-Up

ID: 1620.09l1Organizational.8-09.l Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Azure Backup should be enabled for Virtual Machines	Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.	AuditIfNotExists, Disabled	3.0.0
Conduct backup of information system documentation	CMA_C1289 - Conduct backup of information system documentation	Manual, Disabled	1.1.0
Establish backup policies and procedures	CMA_0268 - Establish backup policies and procedures	Manual, Disabled	1.1.0
Separately store backup information	CMA_C1293 - Separately store backup information	Manual, Disabled	1.1.0
Transfer backup information to an alternate storage site	CMA_C1294 - Transfer backup information to an alternate storage site	Manual, Disabled	1.1.0

1621.09l2Organizational.1-09.l 09.05 Information Back-Up

ID: 1621.09l2Organizational.1-09.l Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Create a data inventory	CMA_0096 - Create a data inventory	Manual, Disabled	1.1.0
Long-term geo-redundant backup should be enabled for Azure SQL Databases	This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled.	AuditIfNotExists, Disabled	2.0.0
Maintain records of processing of personal data	CMA_0353 - Maintain records of processing of personal data	Manual, Disabled	1.1.0

1622.09l2Organizational.23-09.l 09.05 Information Back-Up

ID: 1622.09l2Organizational.23-09.l Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Establish backup policies and procedures	CMA_0268 - Establish backup policies and procedures	Manual, Disabled	1.1.0
Geo-redundant backup should be enabled for Azure Database for MySQL	Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.	Audit, Disabled	1.0.1
Identify and mitigate potential issues at alternate storage site	CMA_C1271 - Identify and mitigate potential issues at alternate storage site	Manual, Disabled	1.1.0
Separately store backup information	CMA_C1293 - Separately store backup information	Manual, Disabled	1.1.0

1623.09l2Organizational.4-09.l 09.05 Information Back-Up

ID: 1623.09l2Organizational.4-09.l Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Conduct backup of information system documentation	CMA_C1289 - Conduct backup of information system documentation	Manual, Disabled	1.1.0
Establish backup policies and procedures	CMA_0268 - Establish backup policies and procedures	Manual, Disabled	1.1.0
Geo-redundant backup should be enabled for Azure Database for PostgreSQL	Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.	Audit, Disabled	1.0.1

1624.09l3Organizational.12-09.l 09.05 Information Back-Up

ID: 1624.09l3Organizational.12-09.l Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Conduct backup of information system documentation	CMA_C1289 - Conduct backup of information system documentation	Manual, Disabled	1.1.0
Establish backup policies and procedures	CMA_0268 - Establish backup policies and procedures	Manual, Disabled	1.1.0
Geo-redundant backup should be enabled for Azure Database for MariaDB	Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.	Audit, Disabled	1.0.1

1625.09l3Organizational.34-09.l 09.05 Information Back-Up

ID: 1625.09l3Organizational.34-09.l Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Azure Backup should be enabled for Virtual Machines	Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.	AuditIfNotExists, Disabled	3.0.0
Conduct backup of information system documentation	CMA_C1289 - Conduct backup of information system documentation	Manual, Disabled	1.1.0

1626.09l3Organizational.5-09.l 09.05 Information Back-Up

ID: 1626.09l3Organizational.5-09.l Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Conduct backup of information system documentation	CMA_C1289 - Conduct backup of information system documentation	Manual, Disabled	1.1.0
Geo-redundant backup should be enabled for Azure Database for PostgreSQL	Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.	Audit, Disabled	1.0.1

1627.09l3Organizational.6-09.l 09.05 Information Back-Up

ID: 1627.09l3Organizational.6-09.l Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Geo-redundant backup should be enabled for Azure Database for MariaDB	Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.	Audit, Disabled	1.0.1
Separately store backup information	CMA_C1293 - Separately store backup information	Manual, Disabled	1.1.0

1634.12b1Organizational.1-12.b 12.01 Information Security Aspects of Business Continuity Management

ID: 1634.12b1Organizational.1-12.b Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Audit virtual machines without disaster recovery configured	Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit https://aka.ms/asr-doc.	auditIfNotExists	1.0.0
Coordinate contingency plans with related plans	CMA_0086 - Coordinate contingency plans with related plans	Manual, Disabled	1.1.0
Develop contingency plan	CMA_C1244 - Develop contingency plan	Manual, Disabled	1.1.0
Develop contingency planning policies and procedures	CMA_0156 - Develop contingency planning policies and procedures	Manual, Disabled	1.1.0
Distribute policies and procedures	CMA_0185 - Distribute policies and procedures	Manual, Disabled	1.1.0

1635.12b1Organizational.2-12.b 12.01 Information Security Aspects of Business Continuity Management

ID: 1635.12b1Organizational.2-12.b Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Azure Key Vault Managed HSM should have purge protection enabled	Malicious deletion of an Azure Key Vault Managed HSM can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge Azure Key Vault Managed HSM. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted Azure Key Vault Managed HSM. No one inside your organization or Microsoft will be able to purge your Azure Key Vault Managed HSM during the soft delete retention period.	Audit, Deny, Disabled	1.0.0
Develop contingency plan	CMA_C1244 - Develop contingency plan	Manual, Disabled	1.1.0
Key vaults should have deletion protection enabled	Malicious deletion of a key vault can lead to permanent data loss. You can prevent permanent data loss by enabling purge protection and soft delete. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. Keep in mind that key vaults created after September 1st 2019 have soft-delete enabled by default.	Audit, Deny, Disabled	2.1.0
Perform a business impact assessment and application criticality assessment	CMA_0386 - Perform a business impact assessment and application criticality assessment	Manual, Disabled	1.1.0
Perform a risk assessment	CMA_0388 - Perform a risk assessment	Manual, Disabled	1.1.0
Plan for resumption of essential business functions	CMA_C1253 - Plan for resumption of essential business functions	Manual, Disabled	1.1.0

1636.12b2Organizational.1-12.b 12.01 Information Security Aspects of Business Continuity Management

ID: 1636.12b2Organizational.1-12.b Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Coordinate contingency plans with related plans	CMA_0086 - Coordinate contingency plans with related plans	Manual, Disabled	1.1.0
Develop contingency plan	CMA_C1244 - Develop contingency plan	Manual, Disabled	1.1.0
Perform a business impact assessment and application criticality assessment	CMA_0386 - Perform a business impact assessment and application criticality assessment	Manual, Disabled	1.1.0

1637.12b2Organizational.2-12.b 12.01 Information Security Aspects of Business Continuity Management

ID: 1637.12b2Organizational.2-12.b Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Conduct Risk Assessment	CMA_C1543 - Conduct Risk Assessment	Manual, Disabled	1.1.0
Conduct risk assessment and distribute its results	CMA_C1544 - Conduct risk assessment and distribute its results	Manual, Disabled	1.1.0
Conduct risk assessment and document its results	CMA_C1542 - Conduct risk assessment and document its results	Manual, Disabled	1.1.0
Develop contingency plan	CMA_C1244 - Develop contingency plan	Manual, Disabled	1.1.0
Perform a risk assessment	CMA_0388 - Perform a risk assessment	Manual, Disabled	1.1.0
Plan for resumption of essential business functions	CMA_C1253 - Plan for resumption of essential business functions	Manual, Disabled	1.1.0
Update contingency plan	CMA_C1248 - Update contingency plan	Manual, Disabled	1.1.0
Windows machines should meet requirements for 'Security Options - Recovery console'	Windows machines should have the specified Group Policy settings in the category 'Security Options - Recovery console' for allowing floppy copy and access to all drives and folders. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.	AuditIfNotExists, Disabled	3.0.0

1638.12b2Organizational.345-12.b 12.01 Information Security Aspects of Business Continuity Management

ID: 1638.12b2Organizational.345-12.b Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Audit virtual machines without disaster recovery configured	Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit https://aka.ms/asr-doc.	auditIfNotExists	1.0.0
Conduct capacity planning	CMA_C1252 - Conduct capacity planning	Manual, Disabled	1.1.0
Develop contingency plan	CMA_C1244 - Develop contingency plan	Manual, Disabled	1.1.0
Perform a risk assessment	CMA_0388 - Perform a risk assessment	Manual, Disabled	1.1.0
Plan for resumption of essential business functions	CMA_C1253 - Plan for resumption of essential business functions	Manual, Disabled	1.1.0

1666.12d1Organizational.1235-12.d 12.01 Information Security Aspects of Business Continuity Management

ID: 1666.12d1Organizational.1235-12.d Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Communicate contingency plan changes	CMA_C1249 - Communicate contingency plan changes	Manual, Disabled	1.1.0
Coordinate contingency plans with related plans	CMA_0086 - Coordinate contingency plans with related plans	Manual, Disabled	1.1.0
Develop contingency plan	CMA_C1244 - Develop contingency plan	Manual, Disabled	1.1.0
Plan for resumption of essential business functions	CMA_C1253 - Plan for resumption of essential business functions	Manual, Disabled	1.1.0

1667.12d1Organizational.4-12.d 12.01 Information Security Aspects of Business Continuity Management

ID: 1667.12d1Organizational.4-12.d Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Communicate contingency plan changes	CMA_C1249 - Communicate contingency plan changes	Manual, Disabled	1.1.0
Coordinate contingency plans with related plans	CMA_0086 - Coordinate contingency plans with related plans	Manual, Disabled	1.1.0
Develop and document a business continuity and disaster recovery plan	CMA_0146 - Develop and document a business continuity and disaster recovery plan	Manual, Disabled	1.1.0
Update contingency plan	CMA_C1248 - Update contingency plan	Manual, Disabled	1.1.0

1668.12d1Organizational.67-12.d 12.01 Information Security Aspects of Business Continuity Management

ID: 1668.12d1Organizational.67-12.d Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Develop contingency plan	CMA_C1244 - Develop contingency plan	Manual, Disabled	1.1.0
Establish alternate storage site to store and retrieve backup information	CMA_C1267 - Establish alternate storage site to store and retrieve backup information	Manual, Disabled	1.1.0
Establish an alternate processing site	CMA_0262 - Establish an alternate processing site	Manual, Disabled	1.1.0
Review and update contingency planning policies and procedures	CMA_C1243 - Review and update contingency planning policies and procedures	Manual, Disabled	1.1.0

1669.12d1Organizational.8-12.d 12.01 Information Security Aspects of Business Continuity Management

ID: 1669.12d1Organizational.8-12.d Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Develop contingency plan	CMA_C1244 - Develop contingency plan	Manual, Disabled	1.1.0
Perform a business impact assessment and application criticality assessment	CMA_0386 - Perform a business impact assessment and application criticality assessment	Manual, Disabled	1.1.0
Plan for resumption of essential business functions	CMA_C1253 - Plan for resumption of essential business functions	Manual, Disabled	1.1.0
Provide contingency training	CMA_0412 - Provide contingency training	Manual, Disabled	1.1.0
Test the business continuity and disaster recovery plan	CMA_0509 - Test the business continuity and disaster recovery plan	Manual, Disabled	1.1.0
Update contingency plan	CMA_C1248 - Update contingency plan	Manual, Disabled	1.1.0

1670.12d2Organizational.1-12.d 12.01 Information Security Aspects of Business Continuity Management

ID: 1670.12d2Organizational.1-12.d Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Develop contingency plan	CMA_C1244 - Develop contingency plan	Manual, Disabled	1.1.0

1671.12d2Organizational.2-12.d 12.01 Information Security Aspects of Business Continuity Management

ID: 1671.12d2Organizational.2-12.d Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Communicate contingency plan changes	CMA_C1249 - Communicate contingency plan changes	Manual, Disabled	1.1.0
Review contingency plan	CMA_C1247 - Review contingency plan	Manual, Disabled	1.1.0
Update contingency plan	CMA_C1248 - Update contingency plan	Manual, Disabled	1.1.0

1672.12d2Organizational.3-12.d 12.01 Information Security Aspects of Business Continuity Management

ID: 1672.12d2Organizational.3-12.d Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Communicate contingency plan changes	CMA_C1249 - Communicate contingency plan changes	Manual, Disabled	1.1.0
Coordinate contingency plans with related plans	CMA_0086 - Coordinate contingency plans with related plans	Manual, Disabled	1.1.0
Develop contingency plan	CMA_C1244 - Develop contingency plan	Manual, Disabled	1.1.0
Review and update contingency planning policies and procedures	CMA_C1243 - Review and update contingency planning policies and procedures	Manual, Disabled	1.1.0
Update contingency plan	CMA_C1248 - Update contingency plan	Manual, Disabled	1.1.0

17 Risk Management

1704.03b1Organizational.12-03.b 03.01 Risk Management Program

ID: 1704.03b1Organizational.12-03.b Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Conduct Risk Assessment	CMA_C1543 - Conduct Risk Assessment	Manual, Disabled	1.1.0
Perform a risk assessment	CMA_0388 - Perform a risk assessment	Manual, Disabled	1.1.0

1705.03b2Organizational.12-03.b 03.01 Risk Management Program

ID: 1705.03b2Organizational.12-03.b Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Conduct Risk Assessment	CMA_C1543 - Conduct Risk Assessment	Manual, Disabled	1.1.0
Conduct risk assessment and distribute its results	CMA_C1544 - Conduct risk assessment and distribute its results	Manual, Disabled	1.1.0

1707.03c1Organizational.12-03.c 03.01 Risk Management Program

ID: 1707.03c1Organizational.12-03.c Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Develop POA&M	CMA_C1156 - Develop POA&M	Manual, Disabled	1.1.0

1708.03c2Organizational.12-03.c 03.01 Risk Management Program

ID: 1708.03c2Organizational.12-03.c Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Develop POA&M	CMA_C1156 - Develop POA&M	Manual, Disabled	1.1.0
Update POA&M items	CMA_C1157 - Update POA&M items	Manual, Disabled	1.1.0

17100.10a3Organizational.5 10.01 Security Requirements of Information Systems

ID: 17100.10a3Organizational.5 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Document acquisition contract acceptance criteria	CMA_0187 - Document acquisition contract acceptance criteria	Manual, Disabled	1.1.0
Document protection of personal data in acquisition contracts	CMA_0194 - Document protection of personal data in acquisition contracts	Manual, Disabled	1.1.0
Document protection of security information in acquisition contracts	CMA_0195 - Document protection of security information in acquisition contracts	Manual, Disabled	1.1.0
Document requirements for the use of shared data in contracts	CMA_0197 - Document requirements for the use of shared data in contracts	Manual, Disabled	1.1.0
Document security assurance requirements in acquisition contracts	CMA_0199 - Document security assurance requirements in acquisition contracts	Manual, Disabled	1.1.0
Document security documentation requirements in acquisition contract	CMA_0200 - Document security documentation requirements in acquisition contract	Manual, Disabled	1.1.0
Document security functional requirements in acquisition contracts	CMA_0201 - Document security functional requirements in acquisition contracts	Manual, Disabled	1.1.0
Document the protection of cardholder data in third party contracts	CMA_0207 - Document the protection of cardholder data in third party contracts	Manual, Disabled	1.1.0

17101.10a3Organizational.6-10.a 10.01 Security Requirements of Information Systems

ID: 17101.10a3Organizational.6-10.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Address coding vulnerabilities	CMA_0003 - Address coding vulnerabilities	Manual, Disabled	1.1.0
Develop and document application security requirements	CMA_0148 - Develop and document application security requirements	Manual, Disabled	1.1.0
Establish a secure software development program	CMA_0259 - Establish a secure software development program	Manual, Disabled	1.1.0
Obtain design and implementation information for the security controls	CMA_C1576 - Obtain design and implementation information for the security controls	Manual, Disabled	1.1.1
Obtain functional properties of security controls	CMA_C1575 - Obtain functional properties of security controls	Manual, Disabled	1.1.0
Require developers to implement only approved changes	CMA_C1596 - Require developers to implement only approved changes	Manual, Disabled	1.1.0
Require developers to manage change integrity	CMA_C1595 - Require developers to manage change integrity	Manual, Disabled	1.1.0

17120.10a3Organizational.5-10.a 10.01 Security Requirements of Information Systems

ID: 17120.10a3Organizational.5-10.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Assess risk in third party relationships	CMA_0014 - Assess risk in third party relationships	Manual, Disabled	1.1.0
Document acquisition contract acceptance criteria	CMA_0187 - Document acquisition contract acceptance criteria	Manual, Disabled	1.1.0
Document protection of personal data in acquisition contracts	CMA_0194 - Document protection of personal data in acquisition contracts	Manual, Disabled	1.1.0
Document protection of security information in acquisition contracts	CMA_0195 - Document protection of security information in acquisition contracts	Manual, Disabled	1.1.0
Document requirements for the use of shared data in contracts	CMA_0197 - Document requirements for the use of shared data in contracts	Manual, Disabled	1.1.0
Document security assurance requirements in acquisition contracts	CMA_0199 - Document security assurance requirements in acquisition contracts	Manual, Disabled	1.1.0
Document security documentation requirements in acquisition contract	CMA_0200 - Document security documentation requirements in acquisition contract	Manual, Disabled	1.1.0
Document security functional requirements in acquisition contracts	CMA_0201 - Document security functional requirements in acquisition contracts	Manual, Disabled	1.1.0
Document the protection of cardholder data in third party contracts	CMA_0207 - Document the protection of cardholder data in third party contracts	Manual, Disabled	1.1.0
Obtain approvals for acquisitions and outsourcing	CMA_C1590 - Obtain approvals for acquisitions and outsourcing	Manual, Disabled	1.1.0

17126.03c1System.6-03.c 03.01 Risk Management Program

ID: 17126.03c1System.6-03.c Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Conduct risk assessment and document its results	CMA_C1542 - Conduct risk assessment and document its results	Manual, Disabled	1.1.0
Establish a risk management strategy	CMA_0258 - Establish a risk management strategy	Manual, Disabled	1.1.0
Implement the risk management strategy	CMA_C1744 - Implement the risk management strategy	Manual, Disabled	1.1.0

1713.03c1Organizational.3-03.c 03.01 Risk Management Program

ID: 1713.03c1Organizational.3-03.c Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Define the duties of processors	CMA_0127 - Define the duties of processors	Manual, Disabled	1.1.0
Document the legal basis for processing personal information	CMA_0206 - Document the legal basis for processing personal information	Manual, Disabled	1.1.0
Evaluate and review PII holdings regularly	CMA_C1832 - Evaluate and review PII holdings regularly	Manual, Disabled	1.1.0
Issue guidelines for ensuring data quality and integrity	CMA_C1824 - Issue guidelines for ensuring data quality and integrity	Manual, Disabled	1.1.0
Obtain consent prior to collection or processing of personal data	CMA_0385 - Obtain consent prior to collection or processing of personal data	Manual, Disabled	1.1.0
Perform disposition review	CMA_0391 - Perform disposition review	Manual, Disabled	1.1.0
Record disclosures of PII to third parties	CMA_0422 - Record disclosures of PII to third parties	Manual, Disabled	1.1.0
Train staff on PII sharing and its consequences	CMA_C1871 - Train staff on PII sharing and its consequences	Manual, Disabled	1.1.0
Verify personal data is deleted at the end of processing	CMA_0540 - Verify personal data is deleted at the end of processing	Manual, Disabled	1.1.0

1733.03d1Organizational.1-03.d 03.01 Risk Management Program

ID: 1733.03d1Organizational.1-03.d Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Conduct Risk Assessment	CMA_C1543 - Conduct Risk Assessment	Manual, Disabled	1.1.0
Conduct risk assessment and document its results	CMA_C1542 - Conduct risk assessment and document its results	Manual, Disabled	1.1.0
Establish a risk management strategy	CMA_0258 - Establish a risk management strategy	Manual, Disabled	1.1.0

1734.03d2Organizational.1-03.d 03.01 Risk Management Program

ID: 1734.03d2Organizational.1-03.d Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Conduct a security impact analysis	CMA_0057 - Conduct a security impact analysis	Manual, Disabled	1.1.0
Develop and maintain a vulnerability management standard	CMA_0152 - Develop and maintain a vulnerability management standard	Manual, Disabled	1.1.0
Establish a risk management strategy	CMA_0258 - Establish a risk management strategy	Manual, Disabled	1.1.0
Establish and document change control processes	CMA_0265 - Establish and document change control processes	Manual, Disabled	1.1.0
Establish configuration management requirements for developers	CMA_0270 - Establish configuration management requirements for developers	Manual, Disabled	1.1.0
Integrate risk management process into SDLC	CMA_C1567 - Integrate risk management process into SDLC	Manual, Disabled	1.1.0
Perform a privacy impact assessment	CMA_0387 - Perform a privacy impact assessment	Manual, Disabled	1.1.0
Perform audit for configuration change control	CMA_0390 - Perform audit for configuration change control	Manual, Disabled	1.1.0

1735.03d2Organizational.23-03.d 03.01 Risk Management Program

ID: 1735.03d2Organizational.23-03.d Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Conduct a security impact analysis	CMA_0057 - Conduct a security impact analysis	Manual, Disabled	1.1.0
Conduct risk assessment and distribute its results	CMA_C1544 - Conduct risk assessment and distribute its results	Manual, Disabled	1.1.0
Develop and maintain a vulnerability management standard	CMA_0152 - Develop and maintain a vulnerability management standard	Manual, Disabled	1.1.0
Establish a risk management strategy	CMA_0258 - Establish a risk management strategy	Manual, Disabled	1.1.0
Establish configuration management requirements for developers	CMA_0270 - Establish configuration management requirements for developers	Manual, Disabled	1.1.0
Integrate risk management process into SDLC	CMA_C1567 - Integrate risk management process into SDLC	Manual, Disabled	1.1.0
Perform a privacy impact assessment	CMA_0387 - Perform a privacy impact assessment	Manual, Disabled	1.1.0
Perform audit for configuration change control	CMA_0390 - Perform audit for configuration change control	Manual, Disabled	1.1.0

1736.03d2Organizational.4-03.d 03.01 Risk Management Program

ID: 1736.03d2Organizational.4-03.d Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Conduct risk assessment and document its results	CMA_C1542 - Conduct risk assessment and document its results	Manual, Disabled	1.1.0

1737.03d2Organizational.5-03.d 03.01 Risk Management Program

ID: 1737.03d2Organizational.5-03.d Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Conduct Risk Assessment	CMA_C1543 - Conduct Risk Assessment	Manual, Disabled	1.1.0
Conduct risk assessment and distribute its results	CMA_C1544 - Conduct risk assessment and distribute its results	Manual, Disabled	1.1.0
Conduct risk assessment and document its results	CMA_C1542 - Conduct risk assessment and document its results	Manual, Disabled	1.1.0
Establish a risk management strategy	CMA_0258 - Establish a risk management strategy	Manual, Disabled	1.1.0

1780.10a1Organizational.1-10.a 10.01 Security Requirements of Information Systems

ID: 1780.10a1Organizational.1-10.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Define information security roles and responsibilities	CMA_C1565 - Define information security roles and responsibilities	Manual, Disabled	1.1.0
Develop access control policies and procedures	CMA_0144 - Develop access control policies and procedures	Manual, Disabled	1.1.0
Govern policies and procedures	CMA_0292 - Govern policies and procedures	Manual, Disabled	1.1.0

1781.10a1Organizational.23-10.a 10.01 Security Requirements of Information Systems

ID: 1781.10a1Organizational.23-10.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Define information security roles and responsibilities	CMA_C1565 - Define information security roles and responsibilities	Manual, Disabled	1.1.0
Develop a concept of operations (CONOPS)	CMA_0141 - Develop a concept of operations (CONOPS)	Manual, Disabled	1.1.0
Develop SSP that meets criteria	CMA_C1492 - Develop SSP that meets criteria	Manual, Disabled	1.1.0
Integrate risk management process into SDLC	CMA_C1567 - Integrate risk management process into SDLC	Manual, Disabled	1.1.0

1782.10a1Organizational.4-10.a 10.01 Security Requirements of Information Systems

ID: 1782.10a1Organizational.4-10.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Develop and establish a system security plan	CMA_0151 - Develop and establish a system security plan	Manual, Disabled	1.1.0
Develop information security policies and procedures	CMA_0158 - Develop information security policies and procedures	Manual, Disabled	1.1.0
Develop SSP that meets criteria	CMA_C1492 - Develop SSP that meets criteria	Manual, Disabled	1.1.0
Establish a privacy program	CMA_0257 - Establish a privacy program	Manual, Disabled	1.1.0
Establish security requirements for the manufacturing of connected devices	CMA_0279 - Establish security requirements for the manufacturing of connected devices	Manual, Disabled	1.1.0
Implement security engineering principles of information systems	CMA_0325 - Implement security engineering principles of information systems	Manual, Disabled	1.1.0

1783.10a1Organizational.56-10.a 10.01 Security Requirements of Information Systems

ID: 1783.10a1Organizational.56-10.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Document acquisition contract acceptance criteria	CMA_0187 - Document acquisition contract acceptance criteria	Manual, Disabled	1.1.0
Document protection of personal data in acquisition contracts	CMA_0194 - Document protection of personal data in acquisition contracts	Manual, Disabled	1.1.0
Document protection of security information in acquisition contracts	CMA_0195 - Document protection of security information in acquisition contracts	Manual, Disabled	1.1.0
Document requirements for the use of shared data in contracts	CMA_0197 - Document requirements for the use of shared data in contracts	Manual, Disabled	1.1.0
Document security assurance requirements in acquisition contracts	CMA_0199 - Document security assurance requirements in acquisition contracts	Manual, Disabled	1.1.0
Document security documentation requirements in acquisition contract	CMA_0200 - Document security documentation requirements in acquisition contract	Manual, Disabled	1.1.0
Document security functional requirements in acquisition contracts	CMA_0201 - Document security functional requirements in acquisition contracts	Manual, Disabled	1.1.0
Document the protection of cardholder data in third party contracts	CMA_0207 - Document the protection of cardholder data in third party contracts	Manual, Disabled	1.1.0

1784.10a1Organizational.7-10.a 10.01 Security Requirements of Information Systems

ID: 1784.10a1Organizational.7-10.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Employ FIPS 201-approved technology for PIV	CMA_C1579 - Employ FIPS 201-approved technology for PIV	Manual, Disabled	1.1.0

1785.10a1Organizational.8-10.a 10.01 Security Requirements of Information Systems

ID: 1785.10a1Organizational.8-10.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Authorize remote access	CMA_0024 - Authorize remote access	Manual, Disabled	1.1.0
Create alternative actions for identified anomalies	CMA_C1711 - Create alternative actions for identified anomalies	Manual, Disabled	1.1.0
Require developers to describe accurate security functionality	CMA_C1613 - Require developers to describe accurate security functionality	Manual, Disabled	1.1.0
Separate user and information system management functionality	CMA_0493 - Separate user and information system management functionality	Manual, Disabled	1.1.0
Use dedicated machines for administrative tasks	CMA_0527 - Use dedicated machines for administrative tasks	Manual, Disabled	1.1.0

1786.10a1Organizational.9-10.a 10.01 Security Requirements of Information Systems

ID: 1786.10a1Organizational.9-10.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Define information security roles and responsibilities	CMA_C1565 - Define information security roles and responsibilities	Manual, Disabled	1.1.0
Identify external service providers	CMA_C1591 - Identify external service providers	Manual, Disabled	1.1.0
Identify individuals with security roles and responsibilities	CMA_C1566 - Identify individuals with security roles and responsibilities	Manual, Disabled	1.1.1
Require developer to identify SDLC ports, protocols, and services	CMA_C1578 - Require developer to identify SDLC ports, protocols, and services	Manual, Disabled	1.1.0

1787.10a2Organizational.1-10.a 10.01 Security Requirements of Information Systems

ID: 1787.10a2Organizational.1-10.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Automate privacy controls	CMA_C1817 - Automate privacy controls	Manual, Disabled	1.1.0
Define information security roles and responsibilities	CMA_C1565 - Define information security roles and responsibilities	Manual, Disabled	1.1.0
Establish a privacy program	CMA_0257 - Establish a privacy program	Manual, Disabled	1.1.0
Information security and personal data protection	CMA_0332 - Information security and personal data protection	Manual, Disabled	1.1.0
Perform a privacy impact assessment	CMA_0387 - Perform a privacy impact assessment	Manual, Disabled	1.1.0

1788.10a2Organizational.2-10.a 10.01 Security Requirements of Information Systems

ID: 1788.10a2Organizational.2-10.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Address coding vulnerabilities	CMA_0003 - Address coding vulnerabilities	Manual, Disabled	1.1.0
Conduct a security impact analysis	CMA_0057 - Conduct a security impact analysis	Manual, Disabled	1.1.0
Develop and document application security requirements	CMA_0148 - Develop and document application security requirements	Manual, Disabled	1.1.0
Develop and maintain a vulnerability management standard	CMA_0152 - Develop and maintain a vulnerability management standard	Manual, Disabled	1.1.0
Establish a secure software development program	CMA_0259 - Establish a secure software development program	Manual, Disabled	1.1.0
Perform a privacy impact assessment	CMA_0387 - Perform a privacy impact assessment	Manual, Disabled	1.1.0
Require developers to document approved changes and potential impact	CMA_C1597 - Require developers to document approved changes and potential impact	Manual, Disabled	1.1.0
Require developers to implement only approved changes	CMA_C1596 - Require developers to implement only approved changes	Manual, Disabled	1.1.0
Require developers to manage change integrity	CMA_C1595 - Require developers to manage change integrity	Manual, Disabled	1.1.0

1789.10a2Organizational.3-10.a 10.01 Security Requirements of Information Systems

ID: 1789.10a2Organizational.3-10.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Define information security roles and responsibilities	CMA_C1565 - Define information security roles and responsibilities	Manual, Disabled	1.1.0
Develop a concept of operations (CONOPS)	CMA_0141 - Develop a concept of operations (CONOPS)	Manual, Disabled	1.1.0
Identify individuals with security roles and responsibilities	CMA_C1566 - Identify individuals with security roles and responsibilities	Manual, Disabled	1.1.1
Integrate risk management process into SDLC	CMA_C1567 - Integrate risk management process into SDLC	Manual, Disabled	1.1.0

1790.10a2Organizational.45-10.a 10.01 Security Requirements of Information Systems

ID: 1790.10a2Organizational.45-10.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Define information security roles and responsibilities	CMA_C1565 - Define information security roles and responsibilities	Manual, Disabled	1.1.0
Develop a concept of operations (CONOPS)	CMA_0141 - Develop a concept of operations (CONOPS)	Manual, Disabled	1.1.0
Develop SSP that meets criteria	CMA_C1492 - Develop SSP that meets criteria	Manual, Disabled	1.1.0
Integrate risk management process into SDLC	CMA_C1567 - Integrate risk management process into SDLC	Manual, Disabled	1.1.0
Review and update the information security architecture	CMA_C1504 - Review and update the information security architecture	Manual, Disabled	1.1.0
Review development process, standards and tools	CMA_C1610 - Review development process, standards and tools	Manual, Disabled	1.1.0

1791.10a2Organizational.6-10.a 10.01 Security Requirements of Information Systems

ID: 1791.10a2Organizational.6-10.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Automate flaw remediation	CMA_0027 - Automate flaw remediation	Manual, Disabled	1.1.0
Enforce security configuration settings	CMA_0249 - Enforce security configuration settings	Manual, Disabled	1.1.0
Govern compliance of cloud service providers	CMA_0290 - Govern compliance of cloud service providers	Manual, Disabled	1.1.0
Integrate risk management process into SDLC	CMA_C1567 - Integrate risk management process into SDLC	Manual, Disabled	1.1.0
View and configure system diagnostic data	CMA_0544 - View and configure system diagnostic data	Manual, Disabled	1.1.0

1792.10a2Organizational.7814-10.a 10.01 Security Requirements of Information Systems

ID: 1792.10a2Organizational.7814-10.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Define information security roles and responsibilities	CMA_C1565 - Define information security roles and responsibilities	Manual, Disabled	1.1.0
Identify individuals with security roles and responsibilities	CMA_C1566 - Identify individuals with security roles and responsibilities	Manual, Disabled	1.1.1
Implement the risk management strategy	CMA_C1744 - Implement the risk management strategy	Manual, Disabled	1.1.0
Integrate risk management process into SDLC	CMA_C1567 - Integrate risk management process into SDLC	Manual, Disabled	1.1.0

1793.10a2Organizational.91011-10.a 10.01 Security Requirements of Information Systems

ID: 1793.10a2Organizational.91011-10.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Develop and establish a system security plan	CMA_0151 - Develop and establish a system security plan	Manual, Disabled	1.1.0
Develop information security policies and procedures	CMA_0158 - Develop information security policies and procedures	Manual, Disabled	1.1.0
Develop SSP that meets criteria	CMA_C1492 - Develop SSP that meets criteria	Manual, Disabled	1.1.0
Establish a privacy program	CMA_0257 - Establish a privacy program	Manual, Disabled	1.1.0
Establish security requirements for the manufacturing of connected devices	CMA_0279 - Establish security requirements for the manufacturing of connected devices	Manual, Disabled	1.1.0
Implement security engineering principles of information systems	CMA_0325 - Implement security engineering principles of information systems	Manual, Disabled	1.1.0

1794.10a2Organizational.12-10.a 10.01 Security Requirements of Information Systems

ID: 1794.10a2Organizational.12-10.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Require developers to produce evidence of security assessment plan execution	CMA_C1602 - Require developers to produce evidence of security assessment plan execution	Manual, Disabled	1.1.0

1795.10a2Organizational.13-10.a 10.01 Security Requirements of Information Systems

ID: 1795.10a2Organizational.13-10.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Address coding vulnerabilities	CMA_0003 - Address coding vulnerabilities	Manual, Disabled	1.1.0
Develop and document application security requirements	CMA_0148 - Develop and document application security requirements	Manual, Disabled	1.1.0
Establish a secure software development program	CMA_0259 - Establish a secure software development program	Manual, Disabled	1.1.0
Require developers to document approved changes and potential impact	CMA_C1597 - Require developers to document approved changes and potential impact	Manual, Disabled	1.1.0
Require developers to produce evidence of security assessment plan execution	CMA_C1602 - Require developers to produce evidence of security assessment plan execution	Manual, Disabled	1.1.0

1796.10a2Organizational.15-10.a 10.01 Security Requirements of Information Systems

ID: 1796.10a2Organizational.15-10.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Accept assessment results	CMA_C1150 - Accept assessment results	Manual, Disabled	1.1.0
Assess Security Controls	CMA_C1145 - Assess Security Controls	Manual, Disabled	1.1.0
Deliver security assessment results	CMA_C1147 - Deliver security assessment results	Manual, Disabled	1.1.0
Develop security assessment plan	CMA_C1144 - Develop security assessment plan	Manual, Disabled	1.1.0
Employ independent assessors to conduct security control assessments	CMA_C1148 - Employ independent assessors to conduct security control assessments	Manual, Disabled	1.1.0
Produce Security Assessment report	CMA_C1146 - Produce Security Assessment report	Manual, Disabled	1.1.0

1797.10a3Organizational.1-10.a 10.01 Security Requirements of Information Systems

ID: 1797.10a3Organizational.1-10.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Develop a concept of operations (CONOPS)	CMA_0141 - Develop a concept of operations (CONOPS)	Manual, Disabled	1.1.0
Develop an enterprise architecture	CMA_C1741 - Develop an enterprise architecture	Manual, Disabled	1.1.0
Require developers to build security architecture	CMA_C1612 - Require developers to build security architecture	Manual, Disabled	1.1.0
Require developers to describe accurate security functionality	CMA_C1613 - Require developers to describe accurate security functionality	Manual, Disabled	1.1.0
Require developers to provide unified security protection approach	CMA_C1614 - Require developers to provide unified security protection approach	Manual, Disabled	1.1.0

1798.10a3Organizational.2-10.a 10.01 Security Requirements of Information Systems

ID: 1798.10a3Organizational.2-10.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Develop a concept of operations (CONOPS)	CMA_0141 - Develop a concept of operations (CONOPS)	Manual, Disabled	1.1.0
Develop an enterprise architecture	CMA_C1741 - Develop an enterprise architecture	Manual, Disabled	1.1.0
Require developers to build security architecture	CMA_C1612 - Require developers to build security architecture	Manual, Disabled	1.1.0
Review and update the information security architecture	CMA_C1504 - Review and update the information security architecture	Manual, Disabled	1.1.0

1799.10a3Organizational.34-10.a 10.01 Security Requirements of Information Systems

ID: 1799.10a3Organizational.34-10.a Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Develop a concept of operations (CONOPS)	CMA_0141 - Develop a concept of operations (CONOPS)	Manual, Disabled	1.1.0
Develop an enterprise architecture	CMA_C1741 - Develop an enterprise architecture	Manual, Disabled	1.1.0
Require developers to build security architecture	CMA_C1612 - Require developers to build security architecture	Manual, Disabled	1.1.0
Require developers to describe accurate security functionality	CMA_C1613 - Require developers to describe accurate security functionality	Manual, Disabled	1.1.0
Require developers to provide unified security protection approach	CMA_C1614 - Require developers to provide unified security protection approach	Manual, Disabled	1.1.0
Review and update the information security architecture	CMA_C1504 - Review and update the information security architecture	Manual, Disabled	1.1.0

18 Physical & Environmental Security

1801.08b1Organizational.124-08.b 08.01 Secure Areas

ID: 1801.08b1Organizational.124-08.b Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Control physical access	CMA_0081 - Control physical access	Manual, Disabled	1.1.0
Implement physical security for offices, working areas, and secure areas	CMA_0323 - Implement physical security for offices, working areas, and secure areas	Manual, Disabled	1.1.0
Monitor third-party provider compliance	CMA_C1533 - Monitor third-party provider compliance	Manual, Disabled	1.1.0

1802.08b1Organizational.3-08.b 08.01 Secure Areas

ID: 1802.08b1Organizational.3-08.b Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Control physical access	CMA_0081 - Control physical access	Manual, Disabled	1.1.0

1803.08b1Organizational.5-08.b 08.01 Secure Areas

ID: 1803.08b1Organizational.5-08.b Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Automate remote maintenance activities	CMA_C1402 - Automate remote maintenance activities	Manual, Disabled	1.1.0
Control maintenance and repair activities	CMA_0080 - Control maintenance and repair activities	Manual, Disabled	1.1.0
Produce complete records of remote maintenance activities	CMA_C1403 - Produce complete records of remote maintenance activities	Manual, Disabled	1.1.0

1804.08b2Organizational.12-08.b 08.01 Secure Areas

ID: 1804.08b2Organizational.12-08.b Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Control physical access	CMA_0081 - Control physical access	Manual, Disabled	1.1.0
Implement physical security for offices, working areas, and secure areas	CMA_0323 - Implement physical security for offices, working areas, and secure areas	Manual, Disabled	1.1.0

1805.08b2Organizational.3-08.b 08.01 Secure Areas

ID: 1805.08b2Organizational.3-08.b Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Control physical access	CMA_0081 - Control physical access	Manual, Disabled	1.1.0

1806.08b2Organizational.4-08.b 08.01 Secure Areas

ID: 1806.08b2Organizational.4-08.b Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Control physical access	CMA_0081 - Control physical access	Manual, Disabled	1.1.0

1807.08b2Organizational.56-08.b 08.01 Secure Areas

ID: 1807.08b2Organizational.56-08.b Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Control physical access	CMA_0081 - Control physical access	Manual, Disabled	1.1.0

1808.08b2Organizational.7-08.b 08.01 Secure Areas

ID: 1808.08b2Organizational.7-08.b Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Audit user account status	CMA_0020 - Audit user account status	Manual, Disabled	1.1.0
Control physical access	CMA_0081 - Control physical access	Manual, Disabled	1.1.0
Define a physical key management process	CMA_0115 - Define a physical key management process	Manual, Disabled	1.1.0
Implement physical security for offices, working areas, and secure areas	CMA_0323 - Implement physical security for offices, working areas, and secure areas	Manual, Disabled	1.1.0
Review account provisioning logs	CMA_0460 - Review account provisioning logs	Manual, Disabled	1.1.0
Review user accounts	CMA_0480 - Review user accounts	Manual, Disabled	1.1.0
Separate duties of individuals	CMA_0492 - Separate duties of individuals	Manual, Disabled	1.1.0

1810.08b3Organizational.2-08.b 08.01 Secure Areas

ID: 1810.08b3Organizational.2-08.b Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Control physical access	CMA_0081 - Control physical access	Manual, Disabled	1.1.0

18108.08j1Organizational.1-08.j 08.02 Equipment Security

ID: 18108.08j1Organizational.1-08.j Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Review and update media protection policies and procedures	CMA_C1427 - Review and update media protection policies and procedures	Manual, Disabled	1.1.0
Review and update system maintenance policies and procedures	CMA_C1395 - Review and update system maintenance policies and procedures	Manual, Disabled	1.1.0

18109.08j1Organizational.4-08.j 08.02 Equipment Security

ID: 18109.08j1Organizational.4-08.j Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Designate personnel to supervise unauthorized maintenance activities	CMA_C1422 - Designate personnel to supervise unauthorized maintenance activities	Manual, Disabled	1.1.0
Employ a media sanitization mechanism	CMA_0208 - Employ a media sanitization mechanism	Manual, Disabled	1.1.0
Maintain list of authorized remote maintenance personnel	CMA_C1420 - Maintain list of authorized remote maintenance personnel	Manual, Disabled	1.1.0
Manage maintenance personnel	CMA_C1421 - Manage maintenance personnel	Manual, Disabled	1.1.0

1811.08b3Organizational.3-08.b 08.01 Secure Areas

ID: 1811.08b3Organizational.3-08.b Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Control physical access	CMA_0081 - Control physical access	Manual, Disabled	1.1.0
Define a physical key management process	CMA_0115 - Define a physical key management process	Manual, Disabled	1.1.0
Establish and maintain an asset inventory	CMA_0266 - Establish and maintain an asset inventory	Manual, Disabled	1.1.0
Implement physical security for offices, working areas, and secure areas	CMA_0323 - Implement physical security for offices, working areas, and secure areas	Manual, Disabled	1.1.0

18110.08j1Organizational.5-08.j 08.02 Equipment Security

ID: 18110.08j1Organizational.5-08.j Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Control maintenance and repair activities	CMA_0080 - Control maintenance and repair activities	Manual, Disabled	1.1.0
Implement cryptographic mechanisms	CMA_C1419 - Implement cryptographic mechanisms	Manual, Disabled	1.1.0
Manage nonlocal maintenance and diagnostic activities	CMA_0364 - Manage nonlocal maintenance and diagnostic activities	Manual, Disabled	1.1.0
Perform all non-local maintenance	CMA_C1417 - Perform all non-local maintenance	Manual, Disabled	1.1.0

18111.08j1Organizational.6-08.j 08.02 Equipment Security

ID: 18111.08j1Organizational.6-08.j Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Provide timely maintenance support	CMA_C1425 - Provide timely maintenance support	Manual, Disabled	1.1.0

18112.08j3Organizational.4-08.j 08.02 Equipment Security

ID: 18112.08j3Organizational.4-08.j Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Manage nonlocal maintenance and diagnostic activities	CMA_0364 - Manage nonlocal maintenance and diagnostic activities	Manual, Disabled	1.1.0
Review and update information integrity policies and procedures	CMA_C1667 - Review and update information integrity policies and procedures	Manual, Disabled	1.1.0
Review and update system maintenance policies and procedures	CMA_C1395 - Review and update system maintenance policies and procedures	Manual, Disabled	1.1.0

1812.08b3Organizational.46-08.b 08.01 Secure Areas

ID: 1812.08b3Organizational.46-08.b Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Document wireless access security controls	CMA_C1695 - Document wireless access security controls	Manual, Disabled	1.1.0
Install an alarm system	CMA_0338 - Install an alarm system	Manual, Disabled	1.1.0
Manage a secure surveillance camera system	CMA_0354 - Manage a secure surveillance camera system	Manual, Disabled	1.1.0

18127.08l1Organizational.3-08.l 08.02 Equipment Security

ID: 18127.08l1Organizational.3-08.l Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Employ a media sanitization mechanism	CMA_0208 - Employ a media sanitization mechanism	Manual, Disabled	1.1.0

1813.08b3Organizational.56-08.b 08.01 Secure Areas

ID: 1813.08b3Organizational.56-08.b Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Control physical access	CMA_0081 - Control physical access	Manual, Disabled	1.1.0
Implement physical security for offices, working areas, and secure areas	CMA_0323 - Implement physical security for offices, working areas, and secure areas	Manual, Disabled	1.1.0
Install an alarm system	CMA_0338 - Install an alarm system	Manual, Disabled	1.1.0
Manage a secure surveillance camera system	CMA_0354 - Manage a secure surveillance camera system	Manual, Disabled	1.1.0

18130.09p1Organizational.24-09.p 09.07 Media Handling

ID: 18130.09p1Organizational.24-09.p Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Employ a media sanitization mechanism	CMA_0208 - Employ a media sanitization mechanism	Manual, Disabled	1.1.0

1814.08d1Organizational.12-08.d 08.01 Secure Areas

ID: 1814.08d1Organizational.12-08.d Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Implement a penetration testing methodology	CMA_0306 - Implement a penetration testing methodology	Manual, Disabled	1.1.0
Implement physical security for offices, working areas, and secure areas	CMA_0323 - Implement physical security for offices, working areas, and secure areas	Manual, Disabled	1.1.0
Run simulation attacks	CMA_0486 - Run simulation attacks	Manual, Disabled	1.1.0

18145.08b3Organizational.7-08.b 08.01 Secure Areas

ID: 18145.08b3Organizational.7-08.b Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Install an alarm system	CMA_0338 - Install an alarm system	Manual, Disabled	1.1.0
Manage a secure surveillance camera system	CMA_0354 - Manage a secure surveillance camera system	Manual, Disabled	1.1.0

18146.08b3Organizational.8-08.b 08.01 Secure Areas

ID: 18146.08b3Organizational.8-08.b Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Control physical access	CMA_0081 - Control physical access	Manual, Disabled	1.1.0
Implement physical security for offices, working areas, and secure areas	CMA_0323 - Implement physical security for offices, working areas, and secure areas	Manual, Disabled	1.1.0
Install an alarm system	CMA_0338 - Install an alarm system	Manual, Disabled	1.1.0
Manage a secure surveillance camera system	CMA_0354 - Manage a secure surveillance camera system	Manual, Disabled	1.1.0

1815.08d2Organizational.123-08.d 08.01 Secure Areas

ID: 1815.08d2Organizational.123-08.d Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Implement a penetration testing methodology	CMA_0306 - Implement a penetration testing methodology	Manual, Disabled	1.1.0
Implement physical security for offices, working areas, and secure areas	CMA_0323 - Implement physical security for offices, working areas, and secure areas	Manual, Disabled	1.1.0
Run simulation attacks	CMA_0486 - Run simulation attacks	Manual, Disabled	1.1.0

1816.08d2Organizational.4-08.d 08.01 Secure Areas

ID: 1816.08d2Organizational.4-08.d Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Implement controls to secure alternate work sites	CMA_0315 - Implement controls to secure alternate work sites	Manual, Disabled	1.1.0
Install an alarm system	CMA_0338 - Install an alarm system	Manual, Disabled	1.1.0
Manage a secure surveillance camera system	CMA_0354 - Manage a secure surveillance camera system	Manual, Disabled	1.1.0
Manage the transportation of assets	CMA_0370 - Manage the transportation of assets	Manual, Disabled	1.1.0

1817.08d3Organizational.12-08.d 08.01 Secure Areas

ID: 1817.08d3Organizational.12-08.d Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Implement physical security for offices, working areas, and secure areas	CMA_0323 - Implement physical security for offices, working areas, and secure areas	Manual, Disabled	1.1.0

1818.08d3Organizational.3-08.d 08.01 Secure Areas

ID: 1818.08d3Organizational.3-08.d Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Implement a penetration testing methodology	CMA_0306 - Implement a penetration testing methodology	Manual, Disabled	1.1.0
Implement physical security for offices, working areas, and secure areas	CMA_0323 - Implement physical security for offices, working areas, and secure areas	Manual, Disabled	1.1.0
Run simulation attacks	CMA_0486 - Run simulation attacks	Manual, Disabled	1.1.0

1819.08j1Organizational.23-08.j 08.02 Equipment Security

ID: 1819.08j1Organizational.23-08.j Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Automate remote maintenance activities	CMA_C1402 - Automate remote maintenance activities	Manual, Disabled	1.1.0
Control maintenance and repair activities	CMA_0080 - Control maintenance and repair activities	Manual, Disabled	1.1.0
Designate personnel to supervise unauthorized maintenance activities	CMA_C1422 - Designate personnel to supervise unauthorized maintenance activities	Manual, Disabled	1.1.0
Maintain list of authorized remote maintenance personnel	CMA_C1420 - Maintain list of authorized remote maintenance personnel	Manual, Disabled	1.1.0
Manage maintenance personnel	CMA_C1421 - Manage maintenance personnel	Manual, Disabled	1.1.0
Manage nonlocal maintenance and diagnostic activities	CMA_0364 - Manage nonlocal maintenance and diagnostic activities	Manual, Disabled	1.1.0
Produce complete records of remote maintenance activities	CMA_C1403 - Produce complete records of remote maintenance activities	Manual, Disabled	1.1.0

1820.08j2Organizational.1-08.j 08.02 Equipment Security

ID: 1820.08j2Organizational.1-08.j Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Control maintenance and repair activities	CMA_0080 - Control maintenance and repair activities	Manual, Disabled	1.1.0
Manage nonlocal maintenance and diagnostic activities	CMA_0364 - Manage nonlocal maintenance and diagnostic activities	Manual, Disabled	1.1.0

1821.08j2Organizational.3-08.j 08.02 Equipment Security

ID: 1821.08j2Organizational.3-08.j Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Automate remote maintenance activities	CMA_C1402 - Automate remote maintenance activities	Manual, Disabled	1.1.0
Control maintenance and repair activities	CMA_0080 - Control maintenance and repair activities	Manual, Disabled	1.1.0
Manage nonlocal maintenance and diagnostic activities	CMA_0364 - Manage nonlocal maintenance and diagnostic activities	Manual, Disabled	1.1.0
Produce complete records of remote maintenance activities	CMA_C1403 - Produce complete records of remote maintenance activities	Manual, Disabled	1.1.0

1822.08j2Organizational.2-08.j 08.02 Equipment Security

ID: 1822.08j2Organizational.2-08.j Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Automate remote maintenance activities	CMA_C1402 - Automate remote maintenance activities	Manual, Disabled	1.1.0
Control maintenance and repair activities	CMA_0080 - Control maintenance and repair activities	Manual, Disabled	1.1.0
Manage nonlocal maintenance and diagnostic activities	CMA_0364 - Manage nonlocal maintenance and diagnostic activities	Manual, Disabled	1.1.0
Produce complete records of remote maintenance activities	CMA_C1403 - Produce complete records of remote maintenance activities	Manual, Disabled	1.1.0

1823.08j3Organizational.12-08.j 08.02 Equipment Security

ID: 1823.08j3Organizational.12-08.j Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Control maintenance and repair activities	CMA_0080 - Control maintenance and repair activities	Manual, Disabled	1.1.0
Manage nonlocal maintenance and diagnostic activities	CMA_0364 - Manage nonlocal maintenance and diagnostic activities	Manual, Disabled	1.1.0

1824.08j3Organizational.3-08.j 08.02 Equipment Security

ID: 1824.08j3Organizational.3-08.j Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Control maintenance and repair activities	CMA_0080 - Control maintenance and repair activities	Manual, Disabled	1.1.0
Manage nonlocal maintenance and diagnostic activities	CMA_0364 - Manage nonlocal maintenance and diagnostic activities	Manual, Disabled	1.1.0

1826.09p1Organizational.1-09.p 09.07 Media Handling

ID: 1826.09p1Organizational.1-09.p Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Adhere to retention periods defined	CMA_0004 - Adhere to retention periods defined	Manual, Disabled	1.1.0
Perform disposition review	CMA_0391 - Perform disposition review	Manual, Disabled	1.1.0
Verify personal data is deleted at the end of processing	CMA_0540 - Verify personal data is deleted at the end of processing	Manual, Disabled	1.1.0

1844.08b1Organizational.6-08.b 08.01 Secure Areas

ID: 1844.08b1Organizational.6-08.b Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Control physical access	CMA_0081 - Control physical access	Manual, Disabled	1.1.0

1845.08b1Organizational.7-08.b 08.01 Secure Areas

ID: 1845.08b1Organizational.7-08.b Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Control physical access	CMA_0081 - Control physical access	Manual, Disabled	1.1.0
Define a physical key management process	CMA_0115 - Define a physical key management process	Manual, Disabled	1.1.0
Establish and maintain an asset inventory	CMA_0266 - Establish and maintain an asset inventory	Manual, Disabled	1.1.0
Implement physical security for offices, working areas, and secure areas	CMA_0323 - Implement physical security for offices, working areas, and secure areas	Manual, Disabled	1.1.0

1846.08b2Organizational.8-08.b 08.01 Secure Areas

ID: 1846.08b2Organizational.8-08.b Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Implement physical security for offices, working areas, and secure areas	CMA_0323 - Implement physical security for offices, working areas, and secure areas	Manual, Disabled	1.1.0

1847.08b2Organizational.910-08.b 08.01 Secure Areas

ID: 1847.08b2Organizational.910-08.b Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Define a physical key management process	CMA_0115 - Define a physical key management process	Manual, Disabled	1.1.0
Establish and maintain an asset inventory	CMA_0266 - Establish and maintain an asset inventory	Manual, Disabled	1.1.0

1848.08b2Organizational.11-08.b 08.01 Secure Areas

ID: 1848.08b2Organizational.11-08.b Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Define a physical key management process	CMA_0115 - Define a physical key management process	Manual, Disabled	1.1.0

1862.08d1Organizational.3-08.d 08.01 Secure Areas

ID: 1862.08d1Organizational.3-08.d Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Implement a penetration testing methodology	CMA_0306 - Implement a penetration testing methodology	Manual, Disabled	1.1.0
Run simulation attacks	CMA_0486 - Run simulation attacks	Manual, Disabled	1.1.0

1862.08d3Organizational.3 08.01 Secure Areas

ID: 1862.08d3Organizational.3 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Implement a penetration testing methodology	CMA_0306 - Implement a penetration testing methodology	Manual, Disabled	1.1.0
Review and update physical and environmental policies and procedures	CMA_C1446 - Review and update physical and environmental policies and procedures	Manual, Disabled	1.1.0

1892.01l1Organizational.1 01.04 Network Access Control

ID: 1892.01l1Organizational.1 Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Define a physical key management process	CMA_0115 - Define a physical key management process	Manual, Disabled	1.1.0
Establish and maintain an asset inventory	CMA_0266 - Establish and maintain an asset inventory	Manual, Disabled	1.1.0

19 Data Protection & Privacy

1901.06d1Organizational.1-06.d 06.01 Compliance with Legal Requirements

ID: 1901.06d1Organizational.1-06.d Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Appoint a senior information security officer	CMA_C1733 - Appoint a senior information security officer	Manual, Disabled	1.1.0
Establish a privacy program	CMA_0257 - Establish a privacy program	Manual, Disabled	1.1.0
Manage compliance activities	CMA_0358 - Manage compliance activities	Manual, Disabled	1.1.0

1902.06d1Organizational.2-06.d 06.01 Compliance with Legal Requirements

ID: 1902.06d1Organizational.2-06.d Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Define the duties of processors	CMA_0127 - Define the duties of processors	Manual, Disabled	1.1.0
Document and distribute a privacy policy	CMA_0188 - Document and distribute a privacy policy	Manual, Disabled	1.1.0
Implement privacy notice delivery methods	CMA_0324 - Implement privacy notice delivery methods	Manual, Disabled	1.1.0
Keep accurate accounting of disclosures of information	CMA_C1818 - Keep accurate accounting of disclosures of information	Manual, Disabled	1.1.0
Make accounting of disclosures available upon request	CMA_C1820 - Make accounting of disclosures available upon request	Manual, Disabled	1.1.0
Obtain consent prior to collection or processing of personal data	CMA_0385 - Obtain consent prior to collection or processing of personal data	Manual, Disabled	1.1.0
Provide privacy notice	CMA_0414 - Provide privacy notice	Manual, Disabled	1.1.0
Record disclosures of PII to third parties	CMA_0422 - Record disclosures of PII to third parties	Manual, Disabled	1.1.0
Restrict communications	CMA_0449 - Restrict communications	Manual, Disabled	1.1.0
Retain accounting of disclosures of information	CMA_C1819 - Retain accounting of disclosures of information	Manual, Disabled	1.1.0
Train staff on PII sharing and its consequences	CMA_C1871 - Train staff on PII sharing and its consequences	Manual, Disabled	1.1.0

1903.06d1Organizational.3456711-06.d 06.01 Compliance with Legal Requirements

ID: 1903.06d1Organizational.3456711-06.d Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Define cryptographic use	CMA_0120 - Define cryptographic use	Manual, Disabled	1.1.0
Establish a data leakage management procedure	CMA_0255 - Establish a data leakage management procedure	Manual, Disabled	1.1.0
Implement training for protecting authenticators	CMA_0329 - Implement training for protecting authenticators	Manual, Disabled	1.1.0
Notify users of system logon or access	CMA_0382 - Notify users of system logon or access	Manual, Disabled	1.1.0
Protect special information	CMA_0409 - Protect special information	Manual, Disabled	1.1.0

1904.06.d2Organizational.1-06.d 06.01 Compliance with Legal Requirements

ID: 1904.06.d2Organizational.1-06.d Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Adhere to retention periods defined	CMA_0004 - Adhere to retention periods defined	Manual, Disabled	1.1.0
Perform disposition review	CMA_0391 - Perform disposition review	Manual, Disabled	1.1.0
Verify personal data is deleted at the end of processing	CMA_0540 - Verify personal data is deleted at the end of processing	Manual, Disabled	1.1.0

1906.06.c1Organizational.2-06.c 06.01 Compliance with Legal Requirements

ID: 1906.06.c1Organizational.2-06.c Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Make SORNs available publicly	CMA_C1865 - Make SORNs available publicly	Manual, Disabled	1.1.0
Provide formal notice to individuals	CMA_C1864 - Provide formal notice to individuals	Manual, Disabled	1.1.0
Provide privacy notice to the public and to individuals	CMA_C1861 - Provide privacy notice to the public and to individuals	Manual, Disabled	1.1.0
Publish SORNs for systems containing PII	CMA_C1862 - Publish SORNs for systems containing PII	Manual, Disabled	1.1.0

1907.06.c1Organizational.3-06.c 06.01 Compliance with Legal Requirements

ID: 1907.06.c1Organizational.3-06.c Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Keep SORNs updated	CMA_C1863 - Keep SORNs updated	Manual, Disabled	1.1.0
Make SORNs available publicly	CMA_C1865 - Make SORNs available publicly	Manual, Disabled	1.1.0
Provide formal notice to individuals	CMA_C1864 - Provide formal notice to individuals	Manual, Disabled	1.1.0
Publish SORNs for systems containing PII	CMA_C1862 - Publish SORNs for systems containing PII	Manual, Disabled	1.1.0

1908.06.c1Organizational.4-06.c 06.01 Compliance with Legal Requirements

ID: 1908.06.c1Organizational.4-06.c Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Adhere to retention periods defined	CMA_0004 - Adhere to retention periods defined	Manual, Disabled	1.1.0
Conduct backup of information system documentation	CMA_C1289 - Conduct backup of information system documentation	Manual, Disabled	1.1.0
Establish backup policies and procedures	CMA_0268 - Establish backup policies and procedures	Manual, Disabled	1.1.0
Keep SORNs updated	CMA_C1863 - Keep SORNs updated	Manual, Disabled	1.1.0
Make SORNs available publicly	CMA_C1865 - Make SORNs available publicly	Manual, Disabled	1.1.0
Manage the input, output, processing, and storage of data	CMA_0369 - Manage the input, output, processing, and storage of data	Manual, Disabled	1.1.0
Provide formal notice to individuals	CMA_C1864 - Provide formal notice to individuals	Manual, Disabled	1.1.0
Publish SORNs for systems containing PII	CMA_C1862 - Publish SORNs for systems containing PII	Manual, Disabled	1.1.0
Retain security policies and procedures	CMA_0454 - Retain security policies and procedures	Manual, Disabled	1.1.0
Retain terminated user data	CMA_0455 - Retain terminated user data	Manual, Disabled	1.1.0
Review label activity and analytics	CMA_0474 - Review label activity and analytics	Manual, Disabled	1.1.0

1911.06d1Organizational.13-06.d 06.01 Compliance with Legal Requirements

ID: 1911.06d1Organizational.13-06.d Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Document the legal basis for processing personal information	CMA_0206 - Document the legal basis for processing personal information	Manual, Disabled	1.1.0
Establish terms and conditions for processing resources	CMA_C1077 - Establish terms and conditions for processing resources	Manual, Disabled	1.1.0
Evaluate and review PII holdings regularly	CMA_C1832 - Evaluate and review PII holdings regularly	Manual, Disabled	1.1.0
Obtain consent prior to collection or processing of personal data	CMA_0385 - Obtain consent prior to collection or processing of personal data	Manual, Disabled	1.1.0
Remove or redact any PII	CMA_C1833 - Remove or redact any PII	Manual, Disabled	1.1.0

19134.05j1Organizational.5-05.j 05.02 External Parties

ID: 19134.05j1Organizational.5-05.j Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Appoint a senior information security officer	CMA_C1733 - Appoint a senior information security officer	Manual, Disabled	1.1.0
Designate authorized personnel to post publicly accessible information	CMA_C1083 - Designate authorized personnel to post publicly accessible information	Manual, Disabled	1.1.0
Develop and establish a system security plan	CMA_0151 - Develop and establish a system security plan	Manual, Disabled	1.1.0
Establish a privacy program	CMA_0257 - Establish a privacy program	Manual, Disabled	1.1.0
Establish security requirements for the manufacturing of connected devices	CMA_0279 - Establish security requirements for the manufacturing of connected devices	Manual, Disabled	1.1.0
Implement security engineering principles of information systems	CMA_0325 - Implement security engineering principles of information systems	Manual, Disabled	1.1.0
Information security and personal data protection	CMA_0332 - Information security and personal data protection	Manual, Disabled	1.1.0
Manage compliance activities	CMA_0358 - Manage compliance activities	Manual, Disabled	1.1.0
Review content prior to posting publicly accessible information	CMA_C1085 - Review content prior to posting publicly accessible information	Manual, Disabled	1.1.0
Review publicly accessible content for nonpublic information	CMA_C1086 - Review publicly accessible content for nonpublic information	Manual, Disabled	1.1.0
Train personnel on disclosure of nonpublic information	CMA_C1084 - Train personnel on disclosure of nonpublic information	Manual, Disabled	1.1.0
Update privacy plan, policies, and procedures	CMA_C1807 - Update privacy plan, policies, and procedures	Manual, Disabled	1.1.0

19141.06c1Organizational.7-06.c 06.01 Compliance with Legal Requirements

ID: 19141.06c1Organizational.7-06.c Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Authorize access to security functions and information	CMA_0022 - Authorize access to security functions and information	Manual, Disabled	1.1.0
Authorize and manage access	CMA_0023 - Authorize and manage access	Manual, Disabled	1.1.0
Conduct backup of information system documentation	CMA_C1289 - Conduct backup of information system documentation	Manual, Disabled	1.1.0
Enforce logical access	CMA_0245 - Enforce logical access	Manual, Disabled	1.1.0
Establish backup policies and procedures	CMA_0268 - Establish backup policies and procedures	Manual, Disabled	1.1.0
Implement transaction based recovery	CMA_C1296 - Implement transaction based recovery	Manual, Disabled	1.1.0
Manage the input, output, processing, and storage of data	CMA_0369 - Manage the input, output, processing, and storage of data	Manual, Disabled	1.1.0
Require approval for account creation	CMA_0431 - Require approval for account creation	Manual, Disabled	1.1.0
Review label activity and analytics	CMA_0474 - Review label activity and analytics	Manual, Disabled	1.1.0
Review user groups and applications with access to sensitive data	CMA_0481 - Review user groups and applications with access to sensitive data	Manual, Disabled	1.1.0

19142.06c1Organizational.8-06.c 06.01 Compliance with Legal Requirements

ID: 19142.06c1Organizational.8-06.c Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Adhere to retention periods defined	CMA_0004 - Adhere to retention periods defined	Manual, Disabled	1.1.0
Control use of portable storage devices	CMA_0083 - Control use of portable storage devices	Manual, Disabled	1.1.0
Manage the input, output, processing, and storage of data	CMA_0369 - Manage the input, output, processing, and storage of data	Manual, Disabled	1.1.0
Perform disposition review	CMA_0391 - Perform disposition review	Manual, Disabled	1.1.0
Restrict media use	CMA_0450 - Restrict media use	Manual, Disabled	1.1.0
Retain security policies and procedures	CMA_0454 - Retain security policies and procedures	Manual, Disabled	1.1.0
Retain terminated user data	CMA_0455 - Retain terminated user data	Manual, Disabled	1.1.0
Review label activity and analytics	CMA_0474 - Review label activity and analytics	Manual, Disabled	1.1.0
Verify personal data is deleted at the end of processing	CMA_0540 - Verify personal data is deleted at the end of processing	Manual, Disabled	1.1.0

19143.06c1Organizational.9-06.c 06.01 Compliance with Legal Requirements

ID: 19143.06c1Organizational.9-06.c Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Appoint a senior information security officer	CMA_C1733 - Appoint a senior information security officer	Manual, Disabled	1.1.0
Categorize information	CMA_0052 - Categorize information	Manual, Disabled	1.1.0
Develop business classification schemes	CMA_0155 - Develop business classification schemes	Manual, Disabled	1.1.0
Develop SSP that meets criteria	CMA_C1492 - Develop SSP that meets criteria	Manual, Disabled	1.1.0
Ensure security categorization is approved	CMA_C1540 - Ensure security categorization is approved	Manual, Disabled	1.1.0
Review label activity and analytics	CMA_0474 - Review label activity and analytics	Manual, Disabled	1.1.0

19144.06c2Organizational.1-06.c 06.01 Compliance with Legal Requirements

ID: 19144.06c2Organizational.1-06.c Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Adhere to retention periods defined	CMA_0004 - Adhere to retention periods defined	Manual, Disabled	1.1.0
Manage the input, output, processing, and storage of data	CMA_0369 - Manage the input, output, processing, and storage of data	Manual, Disabled	1.1.0
Perform disposition review	CMA_0391 - Perform disposition review	Manual, Disabled	1.1.0
Retain security policies and procedures	CMA_0454 - Retain security policies and procedures	Manual, Disabled	1.1.0
Retain terminated user data	CMA_0455 - Retain terminated user data	Manual, Disabled	1.1.0
Review label activity and analytics	CMA_0474 - Review label activity and analytics	Manual, Disabled	1.1.0
Verify personal data is deleted at the end of processing	CMA_0540 - Verify personal data is deleted at the end of processing	Manual, Disabled	1.1.0

19145.06c2Organizational.2-06.c 06.01 Compliance with Legal Requirements

ID: 19145.06c2Organizational.2-06.c Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Adhere to retention periods defined	CMA_0004 - Adhere to retention periods defined	Manual, Disabled	1.1.0
Conduct backup of information system documentation	CMA_C1289 - Conduct backup of information system documentation	Manual, Disabled	1.1.0
Manage the input, output, processing, and storage of data	CMA_0369 - Manage the input, output, processing, and storage of data	Manual, Disabled	1.1.0
Perform disposition review	CMA_0391 - Perform disposition review	Manual, Disabled	1.1.0
Retain security policies and procedures	CMA_0454 - Retain security policies and procedures	Manual, Disabled	1.1.0
Retain terminated user data	CMA_0455 - Retain terminated user data	Manual, Disabled	1.1.0
Review label activity and analytics	CMA_0474 - Review label activity and analytics	Manual, Disabled	1.1.0
Verify personal data is deleted at the end of processing	CMA_0540 - Verify personal data is deleted at the end of processing	Manual, Disabled	1.1.0

19242.06d1Organizational.14-06.d 06.01 Compliance with Legal Requirements

ID: 19242.06d1Organizational.14-06.d Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Document the legal basis for processing personal information	CMA_0206 - Document the legal basis for processing personal information	Manual, Disabled	1.1.0
Evaluate and review PII holdings regularly	CMA_C1832 - Evaluate and review PII holdings regularly	Manual, Disabled	1.1.0
Obtain consent prior to collection or processing of personal data	CMA_0385 - Obtain consent prior to collection or processing of personal data	Manual, Disabled	1.1.0
Remove or redact any PII	CMA_C1833 - Remove or redact any PII	Manual, Disabled	1.1.0

19243.06d1Organizational.15-06.d 06.01 Compliance with Legal Requirements

ID: 19243.06d1Organizational.15-06.d Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Automate privacy controls	CMA_C1817 - Automate privacy controls	Manual, Disabled	1.1.0
Document the legal basis for processing personal information	CMA_0206 - Document the legal basis for processing personal information	Manual, Disabled	1.1.0
Evaluate and review PII holdings regularly	CMA_C1832 - Evaluate and review PII holdings regularly	Manual, Disabled	1.1.0
Implement privacy notice delivery methods	CMA_0324 - Implement privacy notice delivery methods	Manual, Disabled	1.1.0
Information security and personal data protection	CMA_0332 - Information security and personal data protection	Manual, Disabled	1.1.0
Obtain consent prior to collection or processing of personal data	CMA_0385 - Obtain consent prior to collection or processing of personal data	Manual, Disabled	1.1.0
Provide privacy notice	CMA_0414 - Provide privacy notice	Manual, Disabled	1.1.0
Remove or redact any PII	CMA_C1833 - Remove or redact any PII	Manual, Disabled	1.1.0
Restrict communications	CMA_0449 - Restrict communications	Manual, Disabled	1.1.0

19245.06d2Organizational.2-06.d 06.01 Compliance with Legal Requirements

ID: 19245.06d2Organizational.2-06.d Ownership: Shared

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Confirm quality and integrity of PII	CMA_C1821 - Confirm quality and integrity of PII	Manual, Disabled	1.1.0
Document the legal basis for processing personal information	CMA_0206 - Document the legal basis for processing personal information	Manual, Disabled	1.1.0
Evaluate and review PII holdings regularly	CMA_C1832 - Evaluate and review PII holdings regularly	Manual, Disabled	1.1.0
Issue guidelines for ensuring data quality and integrity	CMA_C1824 - Issue guidelines for ensuring data quality and integrity	Manual, Disabled	1.1.0
Maintain records of processing of personal data	CMA_0353 - Maintain records of processing of personal data	Manual, Disabled	1.1.0
Obtain consent prior to collection or processing of personal data	CMA_0385 - Obtain consent prior to collection or processing of personal data	Manual, Disabled	1.1.0
Publish Computer Matching Agreements on public website	CMA_C1829 - Publish Computer Matching Agreements on public website	Manual, Disabled	1.1.0

Next steps

Additional articles about Azure Policy:

Regulatory Compliance overview.
See the initiative definition structure.
Review other examples at Azure Policy samples.
Review Understanding policy effects.
Learn how to remediate non-compliant resources.

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Adjust level of audit review, analysis, and reporting	CMA_C1123 - Adjust level of audit review, analysis, and reporting	Manual, Disabled	1.1.0
Correlate audit records	CMA_0087 - Correlate audit records	Manual, Disabled	1.1.0
Establish requirements for audit review and reporting	CMA_0277 - Establish requirements for audit review and reporting	Manual, Disabled	1.1.0
Govern and monitor audit processing activities	CMA_0289 - Govern and monitor audit processing activities	Manual, Disabled	1.1.0
Integrate Audit record analysis	CMA_C1120 - Integrate Audit record analysis	Manual, Disabled	1.1.0
Integrate audit review, analysis, and reporting	CMA_0339 - Integrate audit review, analysis, and reporting	Manual, Disabled	1.1.0
Integrate cloud app security with a siem	CMA_0340 - Integrate cloud app security with a siem	Manual, Disabled	1.1.0
Review account provisioning logs	CMA_0460 - Review account provisioning logs	Manual, Disabled	1.1.0
Review administrator assignments weekly	CMA_0461 - Review administrator assignments weekly	Manual, Disabled	1.1.0
Review audit data	CMA_0466 - Review audit data	Manual, Disabled	1.1.0
Review cloud identity report overview	CMA_0468 - Review cloud identity report overview	Manual, Disabled	1.1.0
Review controlled folder access events	CMA_0471 - Review controlled folder access events	Manual, Disabled	1.1.0
Review file and folder activity	CMA_0473 - Review file and folder activity	Manual, Disabled	1.1.0
Review role group changes weekly	CMA_0476 - Review role group changes weekly	Manual, Disabled	1.1.0
Specify permitted actions associated with customer audit information	CMA_C1122 - Specify permitted actions associated with customer audit information	Manual, Disabled	1.1.0

Name _{(Azure portal)}	Description	Effect(s)	Version _(GitHub)
Automate approval request for proposed changes	CMA_C1192 - Automate approval request for proposed changes	Manual, Disabled	1.1.0
Automate implementation of approved change notifications	CMA_C1196 - Automate implementation of approved change notifications	Manual, Disabled	1.1.0
Conduct a security impact analysis	CMA_0057 - Conduct a security impact analysis	Manual, Disabled	1.1.0
Develop and maintain a vulnerability management standard	CMA_0152 - Develop and maintain a vulnerability management standard	Manual, Disabled	1.1.0
Enforce security configuration settings	CMA_0249 - Enforce security configuration settings	Manual, Disabled	1.1.0
Establish a risk management strategy	CMA_0258 - Establish a risk management strategy	Manual, Disabled	1.1.0
Establish and document change control processes	CMA_0265 - Establish and document change control processes	Manual, Disabled	1.1.0
Establish configuration management requirements for developers	CMA_0270 - Establish configuration management requirements for developers	Manual, Disabled	1.1.0
Govern compliance of cloud service providers	CMA_0290 - Govern compliance of cloud service providers	Manual, Disabled	1.1.0
Perform a privacy impact assessment	CMA_0387 - Perform a privacy impact assessment	Manual, Disabled	1.1.0
Perform a risk assessment	CMA_0388 - Perform a risk assessment	Manual, Disabled	1.1.0
Perform audit for configuration change control	CMA_0390 - Perform audit for configuration change control	Manual, Disabled	1.1.0
Require developers to document approved changes and potential impact	CMA_C1597 - Require developers to document approved changes and potential impact	Manual, Disabled	1.1.0
Require developers to manage change integrity	CMA_C1595 - Require developers to manage change integrity	Manual, Disabled	1.1.0
Retain previous versions of baseline configs	CMA_C1181 - Retain previous versions of baseline configs	Manual, Disabled	1.1.0
View and configure system diagnostic data	CMA_0544 - View and configure system diagnostic data	Manual, Disabled	1.1.0