last sync: 2024-Jul-26 18:17:39 UTC

Distribute authenticators | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Distribute authenticators
Id 098dcde7-016a-06c3-0985-0daaf3301d3a
Version 1.1.0
Category Regulatory Compliance
Description CMA_0184 - Distribute authenticators
Additional metadata Name/Id: CMA_0184 / CMA_0184
Category: Operational
Title: Distribute authenticators
Ownership: Customer
Description: Microsoft recommends that your organization enforce the following requirement: users who register to receive authenticators (e.g., passwords, tokens, smart cards, PKI certificates, etc.) do so in-person or by trusted third-party registration in compliance with your organization's policies and requirements. Customers using Active Directory Federation Services leverage existing user accounts for their internal domain infrastructures and do not need to create additional authenticators specific to Azure. Microsoft recommends that your organization create and maintain Identification and Authentication policies and standard operating procedures that require users who register to receive authenticators (e.g., passwords, tokens, smart cards, PKI certificates, etc.) do so in-person or by trusted third-party registration in compliance with your organization's policies and requirements. NIST 800-63C recommends using a secure method of transferring keying information during the registration process to establish and exchange the keying information needed to operate the federated relationship. The framework also recommends ensuring that symmetric keys are unique to a pair of federation participants.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default: Manual
Effect Allowed: Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1): Microsoft.Resources/subscriptions
Compliance
The following 8 compliance controls are associated with this Policy definition 'Distribute authenticators' (098dcde7-016a-06c3-0985-0daaf3301d3a)
| Control Domain | Control Name | MetadataId | Category | Title | Owner | Requirements | Description | Policy# |
|---|---|---|---|---|---|---|---|---|
| FedRAMP_High_R4 | IA-5(3) (FedRAMP High IA-5 (3)) | FedRAMP_High_R4_IA-5(3) | Identification And Authentication | In-Person Or Trusted Third-Party Registration | Shared | n/a | The organization requires that the registration process to receive [Assignment: organization-defined types of and/or specific authenticators] be conducted [Selection: in person; by a trusted third party] before [Assignment: organization-defined registration authority] with authorization by [Assignment: organization-defined personnel or roles]. | 1 |
| FedRAMP_Moderate_R4 | IA-5(3) (FedRAMP Moderate IA-5 (3)) | FedRAMP_Moderate_R4_IA-5(3) | Identification And Authentication | In-Person Or Trusted Third-Party Registration | Shared | n/a | The organization requires that the registration process to receive [Assignment: organization-defined types of and/or specific authenticators] be conducted [Selection: in person; by a trusted third party] before [Assignment: organization-defined registration authority] with authorization by [Assignment: organization-defined personnel or roles]. | 1 |
| hipaa | 0948.09y2Organizational.3-09.y | hipaa-0948.09y2Organizational.3-09.y | 09 Transmission Protection | 0948.09y2Organizational.3-09.y 09.09 Electronic Commerce Services | Shared | n/a | Where a trusted authority is used (e.g., for the purposes of issuing and maintaining digital signatures and/or digital certificates), security is integrated and embedded throughout the entire end-to-end certificate/signature management process. | 6 |
| hipaa | 1112.01b2System.2-01.b | hipaa-1112.01b2System.2-01.b | 11 Access Control | 1112.01b2System.2-01.b 01.02 Authorized Access to Information Systems | Shared | n/a | User identities are verified in person before a designated registration authority with authorization by a designated organizational official (e.g., a supervisor or other individual defined in an applicable security plan) prior to receiving a hardware token. | 7 |
| hipaa | 1127.01q2System.3-01.q | hipaa-1127.01q2System.3-01.q | 11 Access Control | 1127.01q2System.3-01.q 01.05 Operating System Access Control | Shared | n/a | Where tokens are provided for multi-factor authentication, in-person verification is required prior to granting access. | 2 |
| NIST_SP_800-53_R4 | IA-5(3) (NIST SP 800-53 Rev. 4 IA-5 (3)) | NIST_SP_800-53_R4_IA-5(3) | Identification And Authentication | In-Person Or Trusted Third-Party Registration | Shared | n/a | The organization requires that the registration process to receive [Assignment: organization-defined types of and/or specific authenticators] be conducted [Selection: in person; by a trusted third party] before [Assignment: organization-defined registration authority] with authorization by [Assignment: organization-defined personnel or roles]. | 1 |
| PCI_DSS_v4.0 | 8.3.11 (PCI DSS v4.0 8.3.11) | PCI_DSS_v4.0_8.3.11 | Requirement 08: Identify Users and Authenticate Access to System Components | Strong authentication for users and administrators is established and managed | Shared | n/a | Where authentication factors such as physical or logical security tokens, smart cards, or certificates are used: • Factors are assigned to an individual user and not shared among multiple users. • Physical and/or logical controls ensure only the intended user can use that factor to gain access. | 6 |
| SWIFT_CSCF_v2022 | 5.2 (SWIFT CSCF v2022 5.2) | SWIFT_CSCF_v2022_5.2 | 5. Manage Identities and Segregate Privileges | Ensure the proper management, tracking, and use of connected and disconnected hardware authentication or personal tokens (when tokens are used). | Shared | n/a | Connected and disconnected hardware authentication or personal tokens are managed appropriately during their assignment, distribution, revocation, use, and storage. | 5 |
Initiatives usage
| Initiative DisplayName | Initiative Id | Initiative Category | State | Type |
|---|---|---|---|---|
| FedRAMP High | d5264498-16f4-418a-b659-fa7ef418175f | Regulatory Compliance | GA | BuiltIn |
| FedRAMP Moderate | e95f5a9f-57ad-4d03-bb0b-b1d16db93693 | Regulatory Compliance | GA | BuiltIn |
| HITRUST/HIPAA | a169a624-5599-4385-a696-c8d643089fab | Regulatory Compliance | GA | BuiltIn |
| NIST SP 800-53 Rev. 4 | cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f | Regulatory Compliance | GA | BuiltIn |
| PCI DSS v4 | c676748e-3af9-4e22-bc28-50feed564afb | Regulatory Compliance | GA | BuiltIn |
| SWIFT CSP-CSCF v2022 | 7bc7cd6c-4114-ff31-3cac-59be3157596d | Regulatory Compliance | GA | BuiltIn |
History
| Date/Time (UTC ymd) | Change type | Change detail |
|---|---|---|
| 2022-09-27 16:35:32 | change | Minor (1.0.0 > 1.1.0) |
| 2022-09-19 17:41:40 | add | 098dcde7-016a-06c3-0985-0daaf3301d3a |