| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| FedRAMP_High_R4 |
SA-12 |
FedRAMP_High_R4_SA-12 |
FedRAMP High SA-12 |
System And Services Acquisition |
Supply Chain Protection |
Shared |
n/a |
The organization protects against supply chain threats to the information system, system component, or information system service by employing [Assignment: organization-defined security safeguards] as part of a comprehensive, defense-in-breadth information security strategy.
Supplemental Guidance: Information systems (including system components that compose those systems) need to be protected throughout the system development life cycle (i.e., during design, development, manufacturing, packaging, assembly, distribution, system integration, operations, maintenance, and retirement). Protection of organizational information systems is accomplished through threat awareness, by the identification, management, and reduction of vulnerabilities at each phase of the life cycle and the use of complementary, mutually reinforcing strategies to respond to risk. Organizations consider implementing a standardized process to address supply chain risk with respect to information systems and system components, and to educate the acquisition workforce on threats, risk, and required security controls. Organizations use the acquisition/procurement processes to require supply chain entities to implement necessary security safeguards to: (i) reduce the likelihood of unauthorized modifications at each stage in the supply chain; and (ii) protect information systems and information system components, prior to taking delivery of such systems/components. This control enhancement also applies to information
system services. Security safeguards include, for example: (i) security controls for development systems, development facilities, and external connections to development systems; (ii) vetting development personnel; and (iii) use of tamper-evident packaging during shipping/warehousing. Methods for reviewing and protecting development plans, evidence, and documentation are commensurate with the security category or classification level of the information system. Contracts may specify documentation protection requirements. Related controls: AT-3, CM-8, IR-
4, PE-16, PL-8, SA-3, SA-4, SA-8, SA-10, SA-14, SA-15, SA-18, SA-19, SC-29, SC-30, SC-38, SI-7.
References: NIST Special Publication 800-161; NIST Interagency Report 7622. |
link |
4 |
| FedRAMP_High_R4 |
SA-9(1) |
FedRAMP_High_R4_SA-9(1) |
FedRAMP High SA-9 (1) |
System And Services Acquisition |
Risk Assessments / Organizational Approvals |
Shared |
n/a |
The organization:
(a) Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and
(b) Ensures that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles].
Supplemental Guidance: Dedicated information security services include, for example, incident monitoring, analysis and response, operation of information security-related devices such as firewalls, or key management services. Related controls: CA-6, RA-3. |
link |
2 |
| FedRAMP_Moderate_R4 |
SA-9(1) |
FedRAMP_Moderate_R4_SA-9(1) |
FedRAMP Moderate SA-9 (1) |
System And Services Acquisition |
Risk Assessments / Organizational Approvals |
Shared |
n/a |
The organization:
(a) Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and
(b) Ensures that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles].
Supplemental Guidance: Dedicated information security services include, for example, incident monitoring, analysis and response, operation of information security-related devices such as firewalls, or key management services. Related controls: CA-6, RA-3. |
link |
2 |
| hipaa |
1450.05i2Organizational.2-05.i |
hipaa-1450.05i2Organizational.2-05.i |
1450.05i2Organizational.2-05.i |
14 Third Party Assurance |
1450.05i2Organizational.2-05.i 05.02 External Parties |
Shared |
n/a |
The organization obtains satisfactory assurances that reasonable information security exists across its information supply chain by performing an annual review, which includes all partners/third-party providers upon which their information supply chain depends. |
|
10 |
| hipaa |
1451.05iCSPOrganizational.2-05.i |
hipaa-1451.05iCSPOrganizational.2-05.i |
1451.05iCSPOrganizational.2-05.i |
14 Third Party Assurance |
1451.05iCSPOrganizational.2-05.i 05.02 External Parties |
Shared |
n/a |
Cloud service providers design and implement controls to mitigate and contain data security risks through proper separation of duties, role-based access, and least-privilege access for all personnel within their supply chain. |
|
21 |
| hipaa |
1453.05kCSPOrganizational.2-05.k |
hipaa-1453.05kCSPOrganizational.2-05.k |
1453.05kCSPOrganizational.2-05.k |
14 Third Party Assurance |
1453.05kCSPOrganizational.2-05.k 05.02 External Parties |
Shared |
n/a |
Supply chain agreements (e.g., SLAs) between cloud service providers and customers (tenants) incorporate at least the following mutually-agreed upon provisions and/or terms: (i) scope of business relationship and services offered, data acquisition, exchange and usage, feature sets and functionality, personnel and infrastructure network and systems components for service delivery and support, roles and responsibilities of provider and customer (tenant) and any subcontracted or outsourced business relationships, physical geographical location of hosted services, and any known regulatory compliance considerations; (ii) information security requirements, points of contact, and references to detailed supporting and relevant business processes and technical measures implemented; (iii) notification and/or pre-authorization of any changes controlled by the provider with customer (tenant) impacts; (iv) timely notification of a security incident to all customers (tenants) and other business relationships impacted; (v) assessment and independent verification of compliance with agreement provisions and/or terms (e.g., industry-acceptable certification, attestation audit report, or equivalent forms of assurance) without posing an unacceptable business risk of exposure to the organization being assessed; (vi) expiration of the business relationship and treatment of customer (tenant) data impacted; and, (vii) customer (tenant) service-to-service application (API) and data interoperability and portability requirements for application development and information exchange, usage, and integrity persistence. |
|
10 |
| hipaa |
1454.05kCSPOrganizational.3-05.k |
hipaa-1454.05kCSPOrganizational.3-05.k |
1454.05kCSPOrganizational.3-05.k |
14 Third Party Assurance |
1454.05kCSPOrganizational.3-05.k 05.02 External Parties |
Shared |
n/a |
Service agreements (e.g., SLAs) between providers and customers (tenants) across the relevant supply chain (upstream/downstream) are reviewed consistently and no less than annually to identify any non-conformance to established agreements. The reviews result in actions to address service-level conflicts or inconsistencies resulting from disparate supplier relationships. |
|
8 |
| hipaa |
17120.10a3Organizational.5-10.a |
hipaa-17120.10a3Organizational.5-10.a |
17120.10a3Organizational.5-10.a |
17 Risk Management |
17120.10a3Organizational.5-10.a 10.01 Security Requirements of Information Systems |
Shared |
n/a |
The organization documents all existing outsourced information services and conducts an organizational assessment of risk prior to the acquisition or outsourcing of information services. |
|
10 |
| ISO27001-2013 |
A.14.2.7 |
ISO27001-2013_A.14.2.7 |
ISO 27001:2013 A.14.2.7 |
System Acquisition, Development And Maintenance |
Outsourced development |
Shared |
n/a |
The organization shall supervise and monitor the activity of outsourced system development. |
link |
28 |
| ISO27001-2013 |
A.15.1.1 |
ISO27001-2013_A.15.1.1 |
ISO 27001:2013 A.15.1.1 |
Supplier Relationships |
Information security policy for supplier relationships |
Shared |
n/a |
Information security requirements for mitigating the risks associated with supplier's access to the organization's assets shall be agreed with the supplier and documented. |
link |
6 |
| ISO27001-2013 |
A.15.1.2 |
ISO27001-2013_A.15.1.2 |
ISO 27001:2013 A.15.1.2 |
Supplier Relationships |
Addressing security within supplier agreement |
Shared |
n/a |
All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization's information. |
link |
24 |
| ISO27001-2013 |
A.15.1.3 |
ISO27001-2013_A.15.1.3 |
ISO 27001:2013 A.15.1.3 |
Supplier Relationships |
Information and communication technology supply chain |
Shared |
n/a |
Agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology services and product supply chain. |
link |
4 |
| NIST_SP_800-171_R2_3 |
.11.1 |
NIST_SP_800-171_R2_3.11.1 |
NIST SP 800-171 R2 3.11.1 |
Risk Assessment |
Periodically assess the risk to organizational operations, organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Clearly defined system boundaries are a prerequisite for effective risk assessments. Such risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations, organizational assets, and individuals based on the operation and use of organizational systems. Risk assessments also consider risk from external parties (e.g., service providers, contractors operating systems on behalf of the organization, individuals accessing organizational systems, outsourcing entities). Risk assessments, either formal or informal, can be conducted at the organization level, the mission or business process level, or the system level, and at any phase in the system development life cycle. [SP 800-30] provides guidance on conducting risk assessments. |
link |
2 |
| NIST_SP_800-53_R4 |
SA-12 |
NIST_SP_800-53_R4_SA-12 |
NIST SP 800-53 Rev. 4 SA-12 |
System And Services Acquisition |
Supply Chain Protection |
Shared |
n/a |
The organization protects against supply chain threats to the information system, system component, or information system service by employing [Assignment: organization-defined security safeguards] as part of a comprehensive, defense-in-breadth information security strategy.
Supplemental Guidance: Information systems (including system components that compose those systems) need to be protected throughout the system development life cycle (i.e., during design, development, manufacturing, packaging, assembly, distribution, system integration, operations, maintenance, and retirement). Protection of organizational information systems is accomplished through threat awareness, by the identification, management, and reduction of vulnerabilities at each phase of the life cycle and the use of complementary, mutually reinforcing strategies to respond to risk. Organizations consider implementing a standardized process to address supply chain risk with respect to information systems and system components, and to educate the acquisition workforce on threats, risk, and required security controls. Organizations use the acquisition/procurement processes to require supply chain entities to implement necessary security safeguards to: (i) reduce the likelihood of unauthorized modifications at each stage in the supply chain; and (ii) protect information systems and information system components, prior to taking delivery of such systems/components. This control enhancement also applies to information
system services. Security safeguards include, for example: (i) security controls for development systems, development facilities, and external connections to development systems; (ii) vetting development personnel; and (iii) use of tamper-evident packaging during shipping/warehousing. Methods for reviewing and protecting development plans, evidence, and documentation are commensurate with the security category or classification level of the information system. Contracts may specify documentation protection requirements. Related controls: AT-3, CM-8, IR-
4, PE-16, PL-8, SA-3, SA-4, SA-8, SA-10, SA-14, SA-15, SA-18, SA-19, SC-29, SC-30, SC-38, SI-7.
References: NIST Special Publication 800-161; NIST Interagency Report 7622. |
link |
4 |
| NIST_SP_800-53_R4 |
SA-9(1) |
NIST_SP_800-53_R4_SA-9(1) |
NIST SP 800-53 Rev. 4 SA-9 (1) |
System And Services Acquisition |
Risk Assessments / Organizational Approvals |
Shared |
n/a |
The organization:
(a) Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and
(b) Ensures that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles].
Supplemental Guidance: Dedicated information security services include, for example, incident monitoring, analysis and response, operation of information security-related devices such as firewalls, or key management services. Related controls: CA-6, RA-3. |
link |
2 |
| NIST_SP_800-53_R5 |
SA-9(1) |
NIST_SP_800-53_R5_SA-9(1) |
NIST SP 800-53 Rev. 5 SA-9 (1) |
System and Services Acquisition |
Risk Assessments and Organizational Approvals |
Shared |
n/a |
(a) Conduct an organizational assessment of risk prior to the acquisition or outsourcing of information security services; and
(b) Verify that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles]. |
link |
2 |
| PCI_DSS_v4.0 |
12.8.3 |
PCI_DSS_v4.0_12.8.3 |
PCI DSS v4.0 12.8.3 |
Requirement 12: Support Information Security with Organizational Policies and Programs |
Risk to information assets associated with third-party service provider (TPSP) relationships is managed |
Shared |
n/a |
An established process is implemented for engaging TPSPs, including proper due diligence prior to engagement. |
link |
5 |
| PCI_DSS_v4.0 |
12.8.4 |
PCI_DSS_v4.0_12.8.4 |
PCI DSS v4.0 12.8.4 |
Requirement 12: Support Information Security with Organizational Policies and Programs |
Risk to information assets associated with third-party service provider (TPSP) relationships is managed |
Shared |
n/a |
A program is implemented to monitor TPSPs’ PCI DSS compliance status at least once every 12 months. |
link |
8 |
| SOC_2 |
CC3.4 |
SOC_2_CC3.4 |
SOC 2 Type 2 CC3.4 |
Risk Assessment |
COSO Principle 9 |
Shared |
The customer is responsible for implementing this recommendation. |
• Assesses Changes in the External Environment — The risk identification process
considers changes to the regulatory, economic, and physical environment in which
the entity operates.
• Assesses Changes in the Business Model — The entity considers the potential impacts of new business lines, dramatically altered compositions of existing business
lines, acquired or divested business operations on the system of internal control,
rapid growth, changing reliance on foreign geographies, and new technologies.
• Assesses Changes in Leadership — The entity considers changes in management
and respective attitudes and philosophies on the system of internal control.
Page 25
TSP
Ref. #
TRUST SERVICES CRITERIA AND POINTS OF FOCUS
Additional point of focus specifically related to all engagements using the trust services criteria:
• Assesses Changes in Systems and Technology — The risk identification process
considers changes arising from changes in the entity’s systems and changes in the
technology environment.
• Assesses Changes in Vendor and Business Partner Relationships — The risk identification process considers changes in vendor and business partner relationships |
|
6 |
| SOC_2 |
CC9.2 |
SOC_2_CC9.2 |
SOC 2 Type 2 CC9.2 |
Risk Mitigation |
Vendors and business partners risk management |
Shared |
The customer is responsible for implementing this recommendation. |
Establishes Requirements for Vendor and Business Partner Engagements — The entity establishes specific requirements for a vendor and business partner engagement
that includes (1) scope of services and product specifications, (2) roles and responsibilities, (3) compliance requirements, and (4) service levels.
• Assesses Vendor and Business Partner Risks — The entity assesses, on a periodic
basis, the risks that vendors and business partners (and those entities’ vendors and
business partners) represent to the achievement of the entity's objectives.
• Assigns Responsibility and Accountability for Managing Vendors and Business
Partners — The entity assigns responsibility and accountability for the management
of risks associated with vendors and business partners.
• Establishes Communication Protocols for Vendors and Business Partners — The
entity establishes communication and resolution protocols for service or product issues related to vendors and business partners.
• Establishes Exception Handling Procedures From Vendors and Business Partners
— The entity establishes exception handling procedures for service or product issues related to vendors and business partners.
• Assesses Vendor and Business Partner Performance — The entity periodically assesses the performance of vendors and business partners.
• Implements Procedures for Addressing Issues Identified During Vendor and Business Partner Assessments — The entity implements procedures for addressing issues identified with vendor and business partner relationships.
• Implements Procedures for Terminating Vendor and Business Partner Relationships
— The entity implements procedures for terminating vendor and business partner
relationships.
Additional points of focus that apply only to an engagement using the trust services criteria for
confidentiality:
• Obtains Confidentiality Commitments from Vendors and Business Partners — The
entity obtains confidentiality commitments that are consistent with the entity’s confidentiality commitments and requirements from vendors and business partners who
have access to confidential information.
• Assesses Compliance With Confidentiality Commitments of Vendors and Business
Partners — On a periodic and as-needed basis, the entity assesses compliance by
vendors and business partners with the entity’s confidentiality commitments and requirements.
Additional points of focus that apply only to an engagement using the trust services criteria for
privacy:
• Obtains Privacy Commitments from Vendors and Business Partners — The entity
obtains privacy commitments, consistent with the entity’s privacy commitments and
requirements, from vendors and business partners who have access to personal information.
• Assesses Compliance with Privacy Commitments of Vendors and Business Partners
— On a periodic and as-needed basis, the entity assesses compliance by vendors
and business partners with the entity’s privacy commitments and requirements and
takes corrective action as necessary |
|
20 |
| SWIFT_CSCF_v2022 |
2.8.5 |
SWIFT_CSCF_v2022_2.8.5 |
SWIFT CSCF v2022 2.8.5 |
2. Reduce Attack Surface and Vulnerabilities |
Ensure a consistent and effective approach for the customers’ messaging monitoring. |
Shared |
n/a |
Ensure a consistent and effective approach for the customers’ messaging monitoring. |
link |
8 |