| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| Azure_Security_Benchmark_v1.0 |
1.11 |
Azure_Security_Benchmark_v1.0_1.11 |
Azure Security Benchmark 1.11 |
Network Security |
Use automated tools to monitor network resource configurations and detect changes |
Customer |
Use Azure Policy to validate (and/or remediate) configuration for network resources.
How to configure and manage Azure Policy:
https://docs.microsoft.com/azure/governance/policy/tutorials/create-and-manage
Azure Policy samples for networking:
https://docs.microsoft.com/azure/governance/policy/samples/#network |
n/a |
link |
7 |
| CMMC_2.0_L2 |
IA.L2-3.5.10 |
CMMC_2.0_L2_IA.L2-3.5.10 |
404 not found |
|
|
|
n/a |
n/a |
|
7 |
| CMMC_2.0_L2 |
IA.L2-3.5.4 |
CMMC_2.0_L2_IA.L2-3.5.4 |
404 not found |
|
|
|
n/a |
n/a |
|
1 |
| CMMC_L3 |
AC.1.001 |
CMMC_L3_AC.1.001 |
CMMC L3 AC.1.001 |
Access Control |
Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Access control policies (e.g., identity- or role-based policies, control matrices, and cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, and domains) in systems. Access enforcement mechanisms can be employed at the application and service level to provide increased information security. Other systems include systems internal and external to the organization. This requirement focuses on account management for systems and applications. The definition of and enforcement of access authorizations, other than those determined by account type (e.g., privileged verses non-privileged) are addressed in requirement AC.1.002. |
link |
32 |
| CMMC_L3 |
AC.2.013 |
CMMC_L3_AC.2.013 |
CMMC L3 AC.2.013 |
Access Control |
Monitor and control remote access sessions. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Remote access is access to organizational systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate control (e.g., employing encryption techniques for confidentiality protection), may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. VPNs with encrypted tunnels can affect the capability to adequately monitor network communications traffic for malicious code.
Automated monitoring and control of remote access sessions allows organizations to detect cyberattacks and help to ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of system components (e.g., servers, workstations, notebook computers, smart phones, and tablets). |
link |
10 |
| CMMC_L3 |
CM.2.064 |
CMMC_L3_CM.2.064 |
CMMC L3 CM.2.064 |
Configuration Management |
Establish and enforce security configuration settings for information technology products employed in organizational systems. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture or functionality of the system. Information technology products for which security-related configuration settings can be defined include mainframe computers, servers, workstations, input and output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications.
Security parameters are those parameters impacting the security state of systems including the parameters required to satisfy other security requirements. Security parameters include: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the systems configuration baseline.
Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. |
link |
10 |
| CMMC_L3 |
IA.1.077 |
CMMC_L3_IA.1.077 |
CMMC L3 IA.1.077 |
Identification and Authentication |
Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Individual authenticators include the following: passwords, key cards, cryptographic devices, and one-time password devices. Initial authenticator content is the actual content of the authenticator, for example, the initial password. In contrast, the requirements about authenticator content include the minimum password length. Developers ship system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk.
Systems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics including minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include certificates and passwords. |
link |
9 |
| CMMC_L3 |
IA.2.078 |
CMMC_L3_IA.2.078 |
CMMC L3 IA.2.078 |
Identification and Authentication |
Enforce a minimum password complexity and change of characters when new passwords are created. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
This requirement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are used as part of multifactor authenticators. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. |
link |
7 |
| CMMC_L3 |
IA.2.079 |
CMMC_L3_IA.2.079 |
CMMC L3 IA.2.079 |
Identification and Authentication |
Prohibit password reuse for a specified number of generations. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Password lifetime restrictions do not apply to temporary passwords. |
link |
5 |
| CMMC_L3 |
IA.2.081 |
CMMC_L3_IA.2.081 |
CMMC L3 IA.2.081 |
Identification and Authentication |
Store and transmit only cryptographically-protected passwords. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Cryptographically-protected passwords use salted one-way cryptographic hashes of passwords. |
link |
5 |
| CMMC_L3 |
SC.1.175 |
CMMC_L3_SC.1.175 |
CMMC L3 SC.1.175 |
System and Communications Protection |
Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Communications can be monitored, controlled, and protected at boundary components and by restricting or prohibiting interfaces in organizational systems. Boundary components include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a system security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Restricting or prohibiting interfaces in organizational systems includes restricting external web communications traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses.
Organizations consider the shared nature of commercial telecommunications services in the implementation of security requirements associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. |
link |
32 |
| CMMC_L3 |
SC.3.183 |
CMMC_L3_SC.3.183 |
CMMC L3 SC.3.183 |
System and Communications Protection |
Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
This requirement applies to inbound and outbound network communications traffic at the system boundary and at identified points within the system. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed. |
link |
32 |
| NIST_SP_800-171_R2_3 |
.5.10 |
NIST_SP_800-171_R2_3.5.10 |
NIST SP 800-171 R2 3.5.10 |
Identification and Authentication |
Store and transmit only cryptographically-protected passwords. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Cryptographically-protected passwords use salted one-way cryptographic hashes of passwords. See [NIST CRYPTO]. |
link |
9 |
| NIST_SP_800-171_R2_3 |
.5.4 |
NIST_SP_800-171_R2_3.5.4 |
NIST SP 800-171 R2 3.5.4 |
Identification and Authentication |
Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Authentication processes resist replay attacks if it is impractical to successfully authenticate by recording or replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time synchronous or challenge-response one-time authenticators. [SP 800-63-3] provides guidance on digital identities. |
link |
1 |