last sync: 2024-Jun-13 18:14:14 UTC

Employ independent assessors for continuous monitoring | Regulatory Compliance - Documentation

Azure BuiltIn Policy definition

Source Azure Portal
Display name Employ independent assessors for continuous monitoring
Id 3baee3fd-30f5-882c-018c-cc78703a0106
Version 1.1.0
Details on versioning
Category Regulatory Compliance
Microsoft Learn
Description CMA_C1168 - Employ independent assessors for continuous monitoring
Additional metadata Name/Id: CMA_C1168 / CMA_C1168
Category: Documentation
Title: Employ independent assessors for continuous monitoring
Ownership: Customer
Description: The customer is responsible for employing independent assessors or assessment teams to monitor security controls for customer-deployed resources on an ongoing basis.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 6 compliance controls are associated with this Policy definition 'Employ independent assessors for continuous monitoring' (3baee3fd-30f5-882c-018c-cc78703a0106)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 CA-7(1) FedRAMP_High_R4_CA-7(1) FedRAMP High CA-7 (1) Security Assessment And Authorization Independent Assessment Shared n/a The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to monitor the security controls in the information system on an ongoing basis. Supplemental Guidance: Organizations can maximize the value of assessments of security controls during the continuous monitoring process by requiring that such assessments be conducted by assessors or assessment teams with appropriate levels of independence based on continuous monitoring strategies. Assessor independence provides a degree of impartiality to the monitoring process. To achieve such impartiality, assessors should not: (i) create a mutual or conflicting interest with the organizations where the assessments are being conducted; (ii) assess their own work; (iii) act as management or employees of the organizations they are serving; or (iv) place themselves in advocacy positions for the organizations acquiring their services. link 1
FedRAMP_Moderate_R4 CA-7(1) FedRAMP_Moderate_R4_CA-7(1) FedRAMP Moderate CA-7 (1) Security Assessment And Authorization Independent Assessment Shared n/a The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to monitor the security controls in the information system on an ongoing basis. Supplemental Guidance: Organizations can maximize the value of assessments of security controls during the continuous monitoring process by requiring that such assessments be conducted by assessors or assessment teams with appropriate levels of independence based on continuous monitoring strategies. Assessor independence provides a degree of impartiality to the monitoring process. To achieve such impartiality, assessors should not: (i) create a mutual or conflicting interest with the organizations where the assessments are being conducted; (ii) assess their own work; (iii) act as management or employees of the organizations they are serving; or (iv) place themselves in advocacy positions for the organizations acquiring their services. link 1
hipaa 0604.06g2Organizational.2-06.g hipaa-0604.06g2Organizational.2-06.g 0604.06g2Organizational.2-06.g 06 Configuration Management 0604.06g2Organizational.2-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance Shared n/a The organization has developed a continuous monitoring strategy and implemented a continuous monitoring program. 7
hipaa 068.06g2Organizational.34-06.g hipaa-068.06g2Organizational.34-06.g 068.06g2Organizational.34-06.g 06 Configuration Management 068.06g2Organizational.34-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance Shared n/a The organization employs assessors or assessment teams with a level of independence appropriate to its continuous monitoring strategy to monitor the security controls in the information system on an ongoing basis. 6
NIST_SP_800-53_R4 CA-7(1) NIST_SP_800-53_R4_CA-7(1) NIST SP 800-53 Rev. 4 CA-7 (1) Security Assessment And Authorization Independent Assessment Shared n/a The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to monitor the security controls in the information system on an ongoing basis. Supplemental Guidance: Organizations can maximize the value of assessments of security controls during the continuous monitoring process by requiring that such assessments be conducted by assessors or assessment teams with appropriate levels of independence based on continuous monitoring strategies. Assessor independence provides a degree of impartiality to the monitoring process. To achieve such impartiality, assessors should not: (i) create a mutual or conflicting interest with the organizations where the assessments are being conducted; (ii) assess their own work; (iii) act as management or employees of the organizations they are serving; or (iv) place themselves in advocacy positions for the organizations acquiring their services. link 1
NIST_SP_800-53_R5 CA-7(1) NIST_SP_800-53_R5_CA-7(1) NIST SP 800-53 Rev. 5 CA-7 (1) Assessment, Authorization, and Monitoring Independent Assessment Shared n/a Employ independent assessors or assessment teams to monitor the controls in the system on an ongoing basis. link 1
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-19 17:41:40 add 3baee3fd-30f5-882c-018c-cc78703a0106
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC