last sync: 2024-Oct-07 17:51:17 UTC

Support personal verification credentials issued by legal authorities | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Support personal verification credentials issued by legal authorities
Id 1d39b5d9-0392-8954-8359-575ce1957d1a
Version 1.1.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description CMA_0507 - Support personal verification credentials issued by legal authorities
Additional metadata Name/Id: CMA_0507 / CMA_0507
Category: Operational
Title: Support personal verification credentials issued by legal authorities
Ownership: Customer
Description: Microsoft recommends that your organization implement authentication mechanisms that accept and electronically verify any personal verification credentials issued by a legal authority or agency and that are in use by your organization. It is recommended that your organization create and maintain Identification and Authentication policies and standard operating procedures that document your organization's use of credentials approved by legal authorities or agencies. This can enable your organization to ensure that these credentials are only used in compliance with the authority's rules.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 40 compliance controls are associated with this Policy definition 'Support personal verification credentials issued by legal authorities' (1d39b5d9-0392-8954-8359-575ce1957d1a)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
CIS_Azure_1.1.0 9.1 CIS_Azure_1.1.0_9.1 CIS Microsoft Azure Foundations Benchmark recommendation 9.1 9 AppService Ensure App Service Authentication is set on Azure App Service Shared The customer is responsible for implementing this recommendation. Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented. link 5
CIS_Azure_1.3.0 9.1 CIS_Azure_1.3.0_9.1 CIS Microsoft Azure Foundations Benchmark recommendation 9.1 9 AppService Ensure App Service Authentication is set on Azure App Service Shared The customer is responsible for implementing this recommendation. Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented. link 5
CIS_Azure_1.4.0 9.1 CIS_Azure_1.4.0_9.1 CIS Microsoft Azure Foundations Benchmark recommendation 9.1 9 AppService Ensure App Service Authentication is set up for apps in Azure App Service Shared The customer is responsible for implementing this recommendation. Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented. link 5
CIS_Azure_2.0.0 9.1 CIS_Azure_2.0.0_9.1 CIS Microsoft Azure Foundations Benchmark recommendation 9.1 9 Ensure App Service Authentication is set up for apps in Azure App Service Shared This is only required for App Services which require authentication. Enabling on site like a marketing or support website will prevent unauthenticated access which would be undesirable. Adding Authentication requirement will increase cost of App Service and require additional security components to facilitate the authentication. Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching a Web Application or authenticate those with tokens before they reach the app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented. By Enabling App Service Authentication, every incoming HTTP request passes through it before being handled by the application code. It also handles authentication of users with the specified provider (Azure Active Directory, Facebook, Google, Microsoft Account, and Twitter), validation, storing and refreshing of tokens, managing the authenticated sessions and injecting identity information into request headers. link 5
FedRAMP_High_R4 IA-2 FedRAMP_High_R4_IA-2 FedRAMP High IA-2 Identification And Authentication Identification And Authentication (Organizational Users) Shared n/a The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). Supplemental Guidance: Organizational users include employees or individuals that organizations deem to have equivalent status of employees (e.g., contractors, guest researchers). This control applies to all accesses other than: (i) accesses that are explicitly identified and documented in AC-14; and (ii) accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. Organizations employ passwords, tokens, or biometrics to authenticate user identities, or in the case multifactor authentication, or some combination thereof. Access to organizational information systems is defined as either local access or network access. Local access is any access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained by direct connections without the use of networks. Network access is access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks (e.g., the Internet). Internal networks include local area networks and wide area networks. In addition, the use of encrypted virtual private networks (VPNs) for network connections between organization- controlled endpoints and non-organization controlled endpoints may be treated as internal networks from the perspective of protecting the confidentiality and integrity of information traversing the network. Organizations can satisfy the identification and authentication requirements in this control by complying with the requirements in Homeland Security Presidential Directive 12 consistent with the specific organizational implementation plans. Multifactor authentication requires the use of two or more different factors to achieve authentication. The factors are defined as: (i) something you know (e.g., password, personal identification number [PIN]); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric). Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD common access card. In addition to identifying and authenticating users at the information system level (i.e., at logon), organizations also employ identification and authentication mechanisms at the application level, when necessary, to provide increased information security. Identification and authentication requirements for other than organizational users are described in IA-8. Related controls: AC-2, AC-3, AC-14, AC-17, AC-18, IA-4, IA-5, IA-8. References: HSPD-12; OMB Memoranda 04-04, 06-16, 11-11; FIPS Publication 201; NIST Special Publications 800-63, 800-73, 800-76, 800-78; FICAM Roadmap and Implementation Guidance; Web: http://idmanagement.gov. link 10
FedRAMP_High_R4 IA-2(12) FedRAMP_High_R4_IA-2(12) FedRAMP High IA-2 (12) Identification And Authentication Acceptance Of Piv Credentials Shared n/a The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials. Supplemental Guidance: This control enhancement applies to organizations implementing logical access control systems (LACS) and physical access control systems (PACS). Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials. Related controls: AU-2, PE-3, SA-4. link 1
FedRAMP_Moderate_R4 IA-2 FedRAMP_Moderate_R4_IA-2 FedRAMP Moderate IA-2 Identification And Authentication Identification And Authentication (Organizational Users) Shared n/a The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). Supplemental Guidance: Organizational users include employees or individuals that organizations deem to have equivalent status of employees (e.g., contractors, guest researchers). This control applies to all accesses other than: (i) accesses that are explicitly identified and documented in AC-14; and (ii) accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. Organizations employ passwords, tokens, or biometrics to authenticate user identities, or in the case multifactor authentication, or some combination thereof. Access to organizational information systems is defined as either local access or network access. Local access is any access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained by direct connections without the use of networks. Network access is access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks (e.g., the Internet). Internal networks include local area networks and wide area networks. In addition, the use of encrypted virtual private networks (VPNs) for network connections between organization- controlled endpoints and non-organization controlled endpoints may be treated as internal networks from the perspective of protecting the confidentiality and integrity of information traversing the network. Organizations can satisfy the identification and authentication requirements in this control by complying with the requirements in Homeland Security Presidential Directive 12 consistent with the specific organizational implementation plans. Multifactor authentication requires the use of two or more different factors to achieve authentication. The factors are defined as: (i) something you know (e.g., password, personal identification number [PIN]); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric). Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD common access card. In addition to identifying and authenticating users at the information system level (i.e., at logon), organizations also employ identification and authentication mechanisms at the application level, when necessary, to provide increased information security. Identification and authentication requirements for other than organizational users are described in IA-8. Related controls: AC-2, AC-3, AC-14, AC-17, AC-18, IA-4, IA-5, IA-8. References: HSPD-12; OMB Memoranda 04-04, 06-16, 11-11; FIPS Publication 201; NIST Special Publications 800-63, 800-73, 800-76, 800-78; FICAM Roadmap and Implementation Guidance; Web: http://idmanagement.gov. link 10
FedRAMP_Moderate_R4 IA-2(12) FedRAMP_Moderate_R4_IA-2(12) FedRAMP Moderate IA-2 (12) Identification And Authentication Acceptance Of Piv Credentials Shared n/a The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials. Supplemental Guidance: This control enhancement applies to organizations implementing logical access control systems (LACS) and physical access control systems (PACS). Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials. Related controls: AU-2, PE-3, SA-4. link 1
hipaa 0830.09m3Organizational.1012-09.m hipaa-0830.09m3Organizational.1012-09.m 0830.09m3Organizational.1012-09.m 08 Network Protection 0830.09m3Organizational.1012-09.m 09.06 Network Security Management Shared n/a A DMZ is established with all database(s), servers, and other system components storing or processing covered information placed behind it to limit external network traffic to the internal network. 8
hipaa 0870.09m3Organizational.20-09.m hipaa-0870.09m3Organizational.20-09.m 0870.09m3Organizational.20-09.m 08 Network Protection 0870.09m3Organizational.20-09.m 09.06 Network Security Management Shared n/a Access to all proxies is denied, except for those hosts, ports, and services that are explicitly required. 8
hipaa 0927.09v1Organizational.3-09.v hipaa-0927.09v1Organizational.3-09.v 0927.09v1Organizational.3-09.v 09 Transmission Protection 0927.09v1Organizational.3-09.v 09.08 Exchange of Information Shared n/a Stronger levels of authentication are implemented to control access from publicly accessible networks. 4
hipaa 11109.01q1Organizational.57-01.q hipaa-11109.01q1Organizational.57-01.q 11109.01q1Organizational.57-01.q 11 Access Control 11109.01q1Organizational.57-01.q 01.05 Operating System Access Control Shared n/a The organization ensures that redundant user IDs are not issued to other users and that all users are uniquely identified and authenticated for both local and remote access to information systems. 7
hipaa 1121.01j3Organizational.2-01.j hipaa-1121.01j3Organizational.2-01.j 1121.01j3Organizational.2-01.j 11 Access Control 1121.01j3Organizational.2-01.j 01.04 Network Access Control Shared n/a Remote administration sessions are authorized, encrypted, and employ increased security measures. 11
hipaa 1122.01q1System.1-01.q hipaa-1122.01q1System.1-01.q 1122.01q1System.1-01.q 11 Access Control 1122.01q1System.1-01.q 01.05 Operating System Access Control Shared n/a Unique IDs that can be used to trace activities to the responsible individual are required for all types of organizational and non-organizational users. 7
hipaa 1125.01q2System.1-01.q hipaa-1125.01q2System.1-01.q 1125.01q2System.1-01.q 11 Access Control 1125.01q2System.1-01.q 01.05 Operating System Access Control Shared n/a Multi-factor authentication methods are used in accordance with organizational policy (e.g., for remote network access). 4
hipaa 1175.01j1Organizational.8-01.j hipaa-1175.01j1Organizational.8-01.j 1175.01j1Organizational.8-01.j 11 Access Control 1175.01j1Organizational.8-01.j 01.04 Network Access Control Shared n/a Remote access to business information across public networks only takes place after successful identification and authentication. 5
hipaa 1178.01j2Organizational.7-01.j hipaa-1178.01j2Organizational.7-01.j 1178.01j2Organizational.7-01.j 11 Access Control 1178.01j2Organizational.7-01.j 01.04 Network Access Control Shared n/a Node authentication, including cryptographic techniques (e.g., machine certificates), can serve as an alternative means of authenticating groups of remote users where they are connected to a secure, shared computer facility. 4
hipaa 1424.05j2Organizational.5-05.j hipaa-1424.05j2Organizational.5-05.j 1424.05j2Organizational.5-05.j 14 Third Party Assurance 1424.05j2Organizational.5-05.j 05.02 External Parties Shared n/a The organization has a formal mechanism to authenticate the customer's identity prior to granting access to covered information. 8
ISO27001-2013 A.14.1.2 ISO27001-2013_A.14.1.2 ISO 27001:2013 A.14.1.2 System Acquisition, Development And Maintenance Securing application services on public networks Shared n/a Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. link 32
ISO27001-2013 A.14.1.3 ISO27001-2013_A.14.1.3 ISO 27001:2013 A.14.1.3 System Acquisition, Development And Maintenance Protecting application services transactions Shared n/a Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay. link 29
ISO27001-2013 A.9.1.2 ISO27001-2013_A.9.1.2 ISO 27001:2013 A.9.1.2 Access Control Access to networks and network services Shared n/a Users shall only be provided with access to the network and network services that they have been specifically authorized to use. link 29
ISO27001-2013 A.9.2.1 ISO27001-2013_A.9.2.1 ISO 27001:2013 A.9.2.1 Access Control User registration and de-registration Shared n/a A formal user registration and de-registration process shall be implemented to enable assignment of access rights. link 27
ISO27001-2013 A.9.4.2 ISO27001-2013_A.9.4.2 ISO 27001:2013 A.9.4.2 Access Control Secure log-on procedures Shared n/a Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure. link 17
mp.com.2 Protection of confidentiality mp.com.2 Protection of confidentiality 404 not found n/a n/a 55
mp.com.3 Protection of integrity and authenticity mp.com.3 Protection of integrity and authenticity 404 not found n/a n/a 62
mp.info.3 Electronic signature mp.info.3 Electronic signature 404 not found n/a n/a 40
mp.info.4 Time stamps mp.info.4 Time stamps 404 not found n/a n/a 33
mp.s.2 Protection of web services and applications mp.s.2 Protection of web services and applications 404 not found n/a n/a 102
NIST_SP_800-171_R2_3 .5.1 NIST_SP_800-171_R2_3.5.1 NIST SP 800-171 R2 3.5.1 Identification and Authentication Identify system users, processes acting on behalf of users, and devices. Shared Microsoft and the customer share responsibilities for implementing this requirement. Common device identifiers include Media Access Control (MAC), Internet Protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the user names associated with the system accounts assigned to those individuals. Organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity. In addition, this requirement addresses individual identifiers that are not necessarily associated with system accounts. Organizational devices requiring identification may be defined by type, by device, or by a combination of type/device. [SP 800-63-3] provides guidance on digital identities. link 9
NIST_SP_800-53_R4 IA-2 NIST_SP_800-53_R4_IA-2 NIST SP 800-53 Rev. 4 IA-2 Identification And Authentication Identification And Authentication (Organizational Users) Shared n/a The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). Supplemental Guidance: Organizational users include employees or individuals that organizations deem to have equivalent status of employees (e.g., contractors, guest researchers). This control applies to all accesses other than: (i) accesses that are explicitly identified and documented in AC-14; and (ii) accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. Organizations employ passwords, tokens, or biometrics to authenticate user identities, or in the case multifactor authentication, or some combination thereof. Access to organizational information systems is defined as either local access or network access. Local access is any access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained by direct connections without the use of networks. Network access is access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks (e.g., the Internet). Internal networks include local area networks and wide area networks. In addition, the use of encrypted virtual private networks (VPNs) for network connections between organization- controlled endpoints and non-organization controlled endpoints may be treated as internal networks from the perspective of protecting the confidentiality and integrity of information traversing the network. Organizations can satisfy the identification and authentication requirements in this control by complying with the requirements in Homeland Security Presidential Directive 12 consistent with the specific organizational implementation plans. Multifactor authentication requires the use of two or more different factors to achieve authentication. The factors are defined as: (i) something you know (e.g., password, personal identification number [PIN]); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric). Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD common access card. In addition to identifying and authenticating users at the information system level (i.e., at logon), organizations also employ identification and authentication mechanisms at the application level, when necessary, to provide increased information security. Identification and authentication requirements for other than organizational users are described in IA-8. Related controls: AC-2, AC-3, AC-14, AC-17, AC-18, IA-4, IA-5, IA-8. References: HSPD-12; OMB Memoranda 04-04, 06-16, 11-11; FIPS Publication 201; NIST Special Publications 800-63, 800-73, 800-76, 800-78; FICAM Roadmap and Implementation Guidance; Web: http://idmanagement.gov. link 10
NIST_SP_800-53_R4 IA-2(12) NIST_SP_800-53_R4_IA-2(12) NIST SP 800-53 Rev. 4 IA-2 (12) Identification And Authentication Acceptance Of Piv Credentials Shared n/a The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials. Supplemental Guidance: This control enhancement applies to organizations implementing logical access control systems (LACS) and physical access control systems (PACS). Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials. Related controls: AU-2, PE-3, SA-4. link 1
NIST_SP_800-53_R5 IA-2 NIST_SP_800-53_R5_IA-2 NIST SP 800-53 Rev. 5 IA-2 Identification and Authentication Identification and Authentication (organizational Users) Shared n/a Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users. link 10
NIST_SP_800-53_R5 IA-2(12) NIST_SP_800-53_R5_IA-2(12) NIST SP 800-53 Rev. 5 IA-2 (12) Identification and Authentication Acceptance of PIV Credentials Shared n/a Accept and electronically verify Personal Identity Verification-compliant credentials. link 1
op.acc.1 Identification op.acc.1 Identification 404 not found n/a n/a 66
op.acc.2 Access requirements op.acc.2 Access requirements 404 not found n/a n/a 64
op.acc.5 Authentication mechanism (external users) op.acc.5 Authentication mechanism (external users) 404 not found n/a n/a 72
op.acc.6 Authentication mechanism (organization users) op.acc.6 Authentication mechanism (organization users) 404 not found n/a n/a 78
op.ext.4 Interconnection of systems op.ext.4 Interconnection of systems 404 not found n/a n/a 68
op.pl.3 Acquisition of new components op.pl.3 Acquisition of new components 404 not found n/a n/a 61
PCI_DSS_v4.0 8.2.1 PCI_DSS_v4.0_8.2.1 PCI DSS v4.0 8.2.1 Requirement 08: Identify Users and Authenticate Access to System Components User identification and related accounts for users and administrators are strictly managed throughout an account’s lifecycle Shared n/a All users are assigned a unique ID before access to system components or cardholder data is allowed. link 3
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
CIS Microsoft Azure Foundations Benchmark v1.1.0 1a5bb27d-173f-493e-9568-eb56638dde4d Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.3.0 612b5213-9160-4969-8578-1518bd2a000c Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.4.0 c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5 Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v2.0.0 06f19060-9e68-4070-92ca-f15cc126059e Regulatory Compliance GA BuiltIn
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-02 16:33:37 add 1d39b5d9-0392-8954-8359-575ce1957d1a
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC