last sync: 2024-May-24 18:03:04 UTC

Obtain design and implementation information for the security controls | Regulatory Compliance - Documentation

Azure BuiltIn Policy definition

Source: Azure Portal
Display name: Obtain design and implementation information for the security controls
Id: 22a02c9a-49e4-5dc9-0d14-eb35ad717154
Version: 1.1.1
Category: Regulatory Compliance
Description: CMA_C1576 - Obtain design and implementation information for the security controls

Additional metadata:
  Name/Id: CMA_C1576 / CMA_C1576
  Category: Documentation
  Title: Obtain design and implementation information for the security controls
  Ownership: Customer
  Description: The customer is responsible for obtaining design and implementation information for the security controls to be employed from the developer of the corresponding customer-deployed resource(s), that includes: security-relevant external system interfaces; high-level design; low-level design; source code schematics; and any customer-defined design/implementation information at an organization-defined level of detail in the design and implementation information. Note: Microsoft Azure hosts the customer-deployed system. The customer can find a description of the security controls employed by Azure below.
  Requirements: The customer is responsible for implementing this recommendation.

Mode: All
Type: BuiltIn
Preview: False
Deprecated: False
Effect: Default: Manual; Allowed: Manual, Disabled
RBAC role(s): none
Rule aliases: none
Rule resource types: IF (1): Microsoft.Resources/subscriptions
Compliance

The following 7 compliance controls are associated with this Policy definition 'Obtain design and implementation information for the security controls' (22a02c9a-49e4-5dc9-0d14-eb35ad717154).

Columns: Control Domain, Control Name, MetadataId, Category, Title, Owner, Requirements, Description, Policy#

FedRAMP_High_R4 SA-4(2) (FedRAMP_High_R4_SA-4(2)) - FedRAMP High SA-4 (2)
  Category: System And Services Acquisition
  Title: Design / Implementation Information For Security Controls
  Owner: Shared
  Requirements: n/a
  Policy#: 1
  Description: The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: [Selection (one or more): security-relevant external system interfaces; high-level design; low-level design; source code or hardware schematics; [Assignment: organization-defined design/implementation information]] at [Assignment: organization-defined level of detail]. Supplemental Guidance: Organizations may require different levels of detail in design and implementation documentation for security controls employed in organizational information systems, system components, or information system services based on mission/business requirements, requirements for trustworthiness/resiliency, and requirements for analysis and testing. Information systems can be partitioned into multiple subsystems. Each subsystem within the system can contain one or more modules. The high-level design for the system is expressed in terms of multiple subsystems and the interfaces between subsystems providing security-relevant functionality. The low-level design for the system is expressed in terms of modules with particular emphasis on software and firmware (but not excluding hardware) and the interfaces between modules providing security-relevant functionality. Source code and hardware schematics are typically referred to as the implementation representation of the information system. Related control: SA-5.

FedRAMP_Moderate_R4 SA-4(2) (FedRAMP_Moderate_R4_SA-4(2)) - FedRAMP Moderate SA-4 (2)
  Category: System And Services Acquisition
  Title: Design / Implementation Information For Security Controls
  Owner: Shared
  Requirements: n/a
  Policy#: 1
  Description: The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: [Selection (one or more): security-relevant external system interfaces; high-level design; low-level design; source code or hardware schematics; [Assignment: organization-defined design/implementation information]] at [Assignment: organization-defined level of detail]. Supplemental Guidance: Organizations may require different levels of detail in design and implementation documentation for security controls employed in organizational information systems, system components, or information system services based on mission/business requirements, requirements for trustworthiness/resiliency, and requirements for analysis and testing. Information systems can be partitioned into multiple subsystems. Each subsystem within the system can contain one or more modules. The high-level design for the system is expressed in terms of multiple subsystems and the interfaces between subsystems providing security-relevant functionality. The low-level design for the system is expressed in terms of modules with particular emphasis on software and firmware (but not excluding hardware) and the interfaces between modules providing security-relevant functionality. Source code and hardware schematics are typically referred to as the implementation representation of the information system. Related control: SA-5.

hipaa 17101.10a3Organizational.6-10.a (hipaa-17101.10a3Organizational.6-10.a) - 17101.10a3Organizational.6-10.a
  Category: 17 Risk Management
  Title: 17101.10a3Organizational.6-10.a 10.01 Security Requirements of Information Systems
  Owner: Shared
  Requirements: n/a
  Policy#: 7
  Description: The organization requires the developer of the information system, system component, or information system service to provide specific control design and implementation information.

NIST_SP_800-53_R4 SA-4(2) (NIST_SP_800-53_R4_SA-4(2)) - NIST SP 800-53 Rev. 4 SA-4 (2)
  Category: System And Services Acquisition
  Title: Design / Implementation Information For Security Controls
  Owner: Shared
  Requirements: n/a
  Policy#: 1
  Description: The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: [Selection (one or more): security-relevant external system interfaces; high-level design; low-level design; source code or hardware schematics; [Assignment: organization-defined design/implementation information]] at [Assignment: organization-defined level of detail]. Supplemental Guidance: Organizations may require different levels of detail in design and implementation documentation for security controls employed in organizational information systems, system components, or information system services based on mission/business requirements, requirements for trustworthiness/resiliency, and requirements for analysis and testing. Information systems can be partitioned into multiple subsystems. Each subsystem within the system can contain one or more modules. The high-level design for the system is expressed in terms of multiple subsystems and the interfaces between subsystems providing security-relevant functionality. The low-level design for the system is expressed in terms of modules with particular emphasis on software and firmware (but not excluding hardware) and the interfaces between modules providing security-relevant functionality. Source code and hardware schematics are typically referred to as the implementation representation of the information system. Related control: SA-5.

NIST_SP_800-53_R5 SA-4(2) (NIST_SP_800-53_R5_SA-4(2)) - NIST SP 800-53 Rev. 5 SA-4 (2)
  Category: System and Services Acquisition
  Title: Design and Implementation Information for Controls
  Owner: Shared
  Requirements: n/a
  Policy#: 1
  Description: Require the developer of the system, system component, or system service to provide design and implementation information for the controls that includes: [Selection (OneOrMore): security-relevant external system interfaces; high-level design; low-level design; source code or hardware schematics; [Assignment: organization-defined design and implementation information]] at [Assignment: organization-defined level of detail].

PCI_DSS_v4.0 12.8.2 (PCI_DSS_v4.0_12.8.2) - PCI DSS v4.0 12.8.2
  Category: Requirement 12: Support Information Security with Organizational Policies and Programs
  Title: Risk to information assets associated with third-party service provider (TPSP) relationships is managed
  Owner: Shared
  Requirements: n/a
  Policy#: 15
  Description: Written agreements with TPSPs are maintained as follows:
    • Written agreements are maintained with all TPSPs with which account data is shared or that could affect the security of the CDE.
    • Written agreements include acknowledgments from TPSPs that they are responsible for the security of account data the TPSPs possess or otherwise store, process, or transmit on behalf of the entity, or to the extent that they could impact the security of the entity's CDE.

PCI_DSS_v4.0 12.8.5 (PCI_DSS_v4.0_12.8.5) - PCI DSS v4.0 12.8.5
  Category: Requirement 12: Support Information Security with Organizational Policies and Programs
  Title: Risk to information assets associated with third-party service provider (TPSP) relationships is managed
  Owner: Shared
  Requirements: n/a
  Policy#: 13
  Description: Information is maintained about which PCI DSS requirements are managed by each TPSP, which are managed by the entity, and any that are shared between the TPSP and the entity.
Initiatives usage

Initiative DisplayName | Initiative Id | Initiative Category | State | Type
FedRAMP High | d5264498-16f4-418a-b659-fa7ef418175f | Regulatory Compliance | GA | BuiltIn
FedRAMP Moderate | e95f5a9f-57ad-4d03-bb0b-b1d16db93693 | Regulatory Compliance | GA | BuiltIn
HITRUST/HIPAA | a169a624-5599-4385-a696-c8d643089fab | Regulatory Compliance | GA | BuiltIn
NIST SP 800-53 Rev. 4 | cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f | Regulatory Compliance | GA | BuiltIn
NIST SP 800-53 Rev. 5 | 179d1daa-458f-4e47-8086-2a68d0d6c38f | Regulatory Compliance | GA | BuiltIn
PCI DSS v4 | c676748e-3af9-4e22-bc28-50feed564afb | Regulatory Compliance | GA | BuiltIn
History

Date/Time (UTC ymd) | Change type | Change detail
2022-10-21 16:42:13 | change | Patch (1.1.0 > 1.1.1)
2022-09-27 16:35:32 | change | Minor (1.0.0 > 1.1.0)
2022-09-19 17:41:40 | add | 22a02c9a-49e4-5dc9-0d14-eb35ad717154