compliance controls are associated with this Policy definition 'Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities' (3cf2ab00-13f1-4d0c-8971-2ac904541a7e)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| ACAT_Security_Policies |
|
ACAT_Security_Policies |
ACAT Security Policies |
Guidelines for M365 Certification |
Protecting systems and resources
|
Shared |
n/a |
Ensures that apps have strong security and compliance practices in place to protect customer data, security, and privacy. |
link |
16 |
| AU_ISM |
1139 |
AU_ISM_1139 |
AU ISM 1139 |
Guidelines for Cryptography - Transport Layer Security |
Using Transport Layer Security - 1139 |
|
n/a |
Only the latest version of TLS is used. |
link |
6 |
| AU_ISM |
1277 |
AU_ISM_1277 |
AU ISM 1277 |
Guidelines for Database Systems - Database servers |
Communications between database servers and web servers - 1277 |
|
n/a |
Data communicated between database servers and web applications is encrypted. |
link |
6 |
| AU_ISM |
1503 |
AU_ISM_1503 |
AU ISM 1503 |
Guidelines for Personnel Security - Access to systems and their resources |
Standard access to systems - 1503 |
|
n/a |
Standard access to systems, applications and data repositories is limited to that required for personnel to undertake their duties. |
link |
6 |
| AU_ISM |
1507 |
AU_ISM_1507 |
AU ISM 1507 |
Guidelines for Personnel Security - Access to systems and their resources |
Privileged access to systems - 1507 |
|
n/a |
Privileged access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis. |
link |
4 |
| AU_ISM |
1508 |
AU_ISM_1508 |
AU ISM 1508 |
Guidelines for Personnel Security - Access to systems and their resources |
Privileged access to systems - 1508 |
|
n/a |
Privileged access to systems, applications and data repositories is limited to that required for personnel to undertake their duties. |
link |
7 |
| AU_ISM |
1546 |
AU_ISM_1546 |
AU ISM 1546 |
Guidelines for System Hardening - Authentication hardening |
Authenticating to systems - 1546 |
|
n/a |
Users are authenticated before they are granted access to a system and its resources. |
link |
7 |
| AU_ISM |
415 |
AU_ISM_415 |
AU ISM 415 |
Guidelines for Personnel Security - Access to systems and their resources |
User identification - 415 |
|
n/a |
The use of shared user accounts is strictly controlled, and personnel using such accounts are uniquely identifiable. |
link |
4 |
| AU_ISM |
421 |
AU_ISM_421 |
AU ISM 421 |
Guidelines for System Hardening - Authentication hardening |
Single-factor authentication - 421 |
|
n/a |
Passphrases used for single-factor authentication are a minimum of 14 characters with complexity, ideally as 4 random words. |
link |
4 |
| AU_ISM |
445 |
AU_ISM_445 |
AU ISM 445 |
Guidelines for Personnel Security - Access to systems and their resources |
Privileged access to systems - 445 |
|
n/a |
Privileged users are assigned a dedicated privileged account to be used solely for tasks requiring privileged access. |
link |
4 |
| Azure_Security_Benchmark_v1.0 |
1.11 |
Azure_Security_Benchmark_v1.0_1.11 |
Azure Security Benchmark 1.11 |
Network Security |
Use automated tools to monitor network resource configurations and detect changes |
Customer |
Use Azure Policy to validate (and/or remediate) configuration for network resources.
How to configure and manage Azure Policy:
https://docs.microsoft.com/azure/governance/policy/tutorials/create-and-manage
Azure Policy samples for networking:
https://docs.microsoft.com/azure/governance/policy/samples/#network |
n/a |
link |
7 |
| CCCS |
AC-17(1) |
CCCS_AC-17(1) |
CCCS AC-17(1) |
Access Control |
Remote Access | Automated Monitoring / Control |
|
n/a |
The information system monitors and controls remote access methods. |
link |
7 |
| CCCS |
AC-5 |
CCCS_AC-5 |
CCCS AC-5 |
Access Control |
Separation of Duties |
|
n/a |
(A) The organization:
(a) Separate organization-defined duties of individuals including at least separation of operational, development, security monitoring, and management functions;
(b) Documents separation of duties of individuals; and
(c) Defines information system access authorizations to support separation of duties. |
link |
7 |
| CCCS |
AC-6 |
CCCS_AC-6 |
CCCS AC-6 |
Access Control |
Least Privilege |
|
n/a |
(A) The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. |
link |
7 |
| CCCS |
IA-5 |
CCCS_IA-5 |
CCCS IA-5 |
Identification and Authentication |
Authenticator Management |
|
n/a |
(A) The organization manages information system authenticators by verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator.
(B) The organization manages information system authenticators by establishing initial authenticator content for authenticators defined by the organization.
(C) The organization manages information system authenticators by ensuring that authenticators have sufficient strength of mechanism for their intended use.
(D) The organization manages information system authenticators by establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators.
(E) The organization manages information system authenticators by changing the default content of authenticators prior to information system installation.
(F) The organization manages information system authenticators by establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators.
(G) The organization manages information system authenticators by changing/refreshing authenticators in accordance with CCCS’s ITSP.30.031.
(H) The organization manages information system authenticators by protecting authenticator content from unauthorized disclosure and modification.
(I) The organization manages information system authenticators by requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators.
(J) The organization manages information system authenticators by changing authenticators for group/role accounts when membership to those accounts changes. |
link |
5 |
| CCCS |
IA-5(1) |
CCCS_IA-5(1) |
CCCS IA-5(1) |
Identification and Authentication |
Authenticator Management | Password-Based Authentication |
|
n/a |
(a) The information system, for password-based authentication, enforces minimum password complexity of case sensitive, minimum of eight characters, and at least one each of upper-case letters, lower-case letters, numbers, and special characters;
(b) The information system, for password-based authentication, enforces that at least one of the characters are changed when new passwords are created;
(c) The information system, for password-based authentication, stores and transmits only cryptographically-protected passwords;
(d) The information system, for password-based authentication, enforces password minimum and maximum lifetime restrictions of one-day minimum, sixty-day maximum;
(e) The information system, for password-based authentication prohibits password reuse for 24 generations; and
(f) The information system, for password-based authentication allows the use of a temporary password for system logons with an immediate change to a permanent password. |
link |
8 |
| CMMC_2.0_L2 |
AC.L1-3.1.1 |
CMMC_2.0_L2_AC.L1-3.1.1 |
404 not found |
|
|
|
n/a |
n/a |
|
54 |
| CMMC_2.0_L2 |
AC.L2-3.1.12 |
CMMC_2.0_L2_AC.L2-3.1.12 |
404 not found |
|
|
|
n/a |
n/a |
|
35 |
| CMMC_2.0_L2 |
CM.L2-3.4.1 |
CMMC_2.0_L2_CM.L2-3.4.1 |
404 not found |
|
|
|
n/a |
n/a |
|
25 |
| CMMC_2.0_L2 |
CM.L2-3.4.2 |
CMMC_2.0_L2_CM.L2-3.4.2 |
404 not found |
|
|
|
n/a |
n/a |
|
27 |
| CMMC_2.0_L2 |
IA.L1-3.5.2 |
CMMC_2.0_L2_IA.L1-3.5.2 |
404 not found |
|
|
|
n/a |
n/a |
|
15 |
| CMMC_2.0_L2 |
IA.L2-3.5.10 |
CMMC_2.0_L2_IA.L2-3.5.10 |
404 not found |
|
|
|
n/a |
n/a |
|
7 |
| CMMC_2.0_L2 |
IA.L2-3.5.7 |
CMMC_2.0_L2_IA.L2-3.5.7 |
404 not found |
|
|
|
n/a |
n/a |
|
5 |
| CMMC_2.0_L2 |
IA.L2-3.5.8 |
CMMC_2.0_L2_IA.L2-3.5.8 |
404 not found |
|
|
|
n/a |
n/a |
|
4 |
| CMMC_2.0_L2 |
SC.L2-3.13.8 |
CMMC_2.0_L2_SC.L2-3.13.8 |
404 not found |
|
|
|
n/a |
n/a |
|
16 |
| CMMC_L3 |
AC.1.001 |
CMMC_L3_AC.1.001 |
CMMC L3 AC.1.001 |
Access Control |
Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Access control policies (e.g., identity- or role-based policies, control matrices, and cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, and domains) in systems. Access enforcement mechanisms can be employed at the application and service level to provide increased information security. Other systems include systems internal and external to the organization. This requirement focuses on account management for systems and applications. The definition of and enforcement of access authorizations, other than those determined by account type (e.g., privileged verses non-privileged) are addressed in requirement AC.1.002. |
link |
31 |
| CMMC_L3 |
AC.2.013 |
CMMC_L3_AC.2.013 |
CMMC L3 AC.2.013 |
Access Control |
Monitor and control remote access sessions. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Remote access is access to organizational systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate control (e.g., employing encryption techniques for confidentiality protection), may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. VPNs with encrypted tunnels can affect the capability to adequately monitor network communications traffic for malicious code.
Automated monitoring and control of remote access sessions allows organizations to detect cyberattacks and help to ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of system components (e.g., servers, workstations, notebook computers, smart phones, and tablets). |
link |
10 |
| CMMC_L3 |
AC.3.021 |
CMMC_L3_AC.3.021 |
CMMC L3 AC.3.021 |
Access Control |
Authorize remote execution of privileged commands and remote access to security-relevant information. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
A privileged command is a human-initiated (interactively or via a process operating on behalf of the human) command executed on a system involving the control, monitoring, or administration of the system including security functions and associated security-relevant information. Securityrelevant information is any information within the system that can potentially impact the operation of security functions or the provision of security services in a manner that could result in failure to enforce the system security policy or maintain isolation of code and data. Privileged commands give individuals the ability to execute sensitive, security-critical, or security-relevant system functions. Controlling such access from remote locations helps to ensure that unauthorized individuals are not able to execute such commands freely with the potential to do serious or catastrophic damage to organizational systems. Note that the ability to affect the integrity of the system is considered security-relevant as that could enable the means to by-pass security functions although not directly impacting the function itself. |
link |
10 |
| CMMC_L3 |
IA.1.077 |
CMMC_L3_IA.1.077 |
CMMC L3 IA.1.077 |
Identification and Authentication |
Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Individual authenticators include the following: passwords, key cards, cryptographic devices, and one-time password devices. Initial authenticator content is the actual content of the authenticator, for example, the initial password. In contrast, the requirements about authenticator content include the minimum password length. Developers ship system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk.
Systems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics including minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include certificates and passwords. |
link |
6 |
| CMMC_L3 |
IA.2.078 |
CMMC_L3_IA.2.078 |
CMMC L3 IA.2.078 |
Identification and Authentication |
Enforce a minimum password complexity and change of characters when new passwords are created. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
This requirement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are used as part of multifactor authenticators. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. |
link |
7 |
| CMMC_L3 |
IA.2.079 |
CMMC_L3_IA.2.079 |
CMMC L3 IA.2.079 |
Identification and Authentication |
Prohibit password reuse for a specified number of generations. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Password lifetime restrictions do not apply to temporary passwords. |
link |
5 |
| CMMC_L3 |
IA.2.081 |
CMMC_L3_IA.2.081 |
CMMC L3 IA.2.081 |
Identification and Authentication |
Store and transmit only cryptographically-protected passwords. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Cryptographically-protected passwords use salted one-way cryptographic hashes of passwords. |
link |
5 |
| EU_GDPR_2016_679_Art. |
24 |
EU_GDPR_2016_679_Art._24 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 |
Chapter 4 - Controller and processor |
Responsibility of the controller |
Shared |
n/a |
n/a |
|
309 |
| EU_GDPR_2016_679_Art. |
25 |
EU_GDPR_2016_679_Art._25 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 |
Chapter 4 - Controller and processor |
Data protection by design and by default |
Shared |
n/a |
n/a |
|
309 |
| EU_GDPR_2016_679_Art. |
28 |
EU_GDPR_2016_679_Art._28 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 |
Chapter 4 - Controller and processor |
Processor |
Shared |
n/a |
n/a |
|
309 |
| EU_GDPR_2016_679_Art. |
32 |
EU_GDPR_2016_679_Art._32 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 |
Chapter 4 - Controller and processor |
Security of processing |
Shared |
n/a |
n/a |
|
309 |
| FedRAMP_High_R4 |
AC-17 |
FedRAMP_High_R4_AC-17 |
FedRAMP High AC-17 |
Access Control |
Remote Access |
Shared |
n/a |
The organization:
a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
b. Authorizes remote access to the information system prior to allowing such connections.
Supplemental Guidance: Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3. Related controls: AC-2, AC-3, AC-18, AC-19, AC-20, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, MA-4, PE-17, PL-4, SC-10, SI-4.
References: NIST Special Publications 800-46, 800-77, 800-113, 800-114, 800-121. |
link |
41 |
| FedRAMP_High_R4 |
AC-17(1) |
FedRAMP_High_R4_AC-17(1) |
FedRAMP High AC-17 (1) |
Access Control |
Automated Monitoring / Control |
Shared |
n/a |
The information system monitors and controls remote access methods.
Supplemental Guidance: Automated monitoring and control of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of information system components (e.g., servers, workstations, notebook computers, smart phones, and tablets). Related controls: AU-2, AU-12. |
link |
37 |
| FedRAMP_High_R4 |
AC-3 |
FedRAMP_High_R4_AC-3 |
FedRAMP High AC-3 |
Access Control |
Access Enforcement |
Shared |
n/a |
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Supplemental Guidance: Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, domains) in information systems. In addition to enforcing authorized access at the information system level and recognizing that information systems can host many applications and services in support of organizational missions and business operations, access enforcement mechanisms can also be employed at the application and service level to provide increased information security. Related controls: AC-2, AC-4, AC-5, AC-6, AC-16, AC-17, AC-18, AC-19, AC-20, AC-21, AC-22, AU-9, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PE-3.
References: None. |
link |
18 |
| FedRAMP_High_R4 |
IA-5 |
FedRAMP_High_R4_IA-5 |
FedRAMP High IA-5 |
Identification And Authentication |
Authenticator Management |
Shared |
n/a |
The organization manages information system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
b. Establishing initial authenticator content for authenticators defined by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
e. Changing default content of authenticators prior to information system installation;
f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
h. Protecting authenticator content from unauthorized disclosure and modification;
i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
j. Changing authenticators for group/role accounts when membership to those accounts changes.
Supplemental Guidance: Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28.
References: OMB Memoranda 04-04, 11-11; FIPS Publication 201; NIST Special Publications 800-73, 800-63, 800-76, 800-78; FICAM Roadmap and Implementation Guidance |
link |
18 |
| FedRAMP_High_R4 |
IA-5(1) |
FedRAMP_High_R4_IA-5(1) |
FedRAMP High IA-5 (1) |
Identification And Authentication |
Password-Based Authentication |
Shared |
n/a |
The information system, for password-based authentication:
(a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
(b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];
(c) Stores and transmits only encrypted representations of passwords;
(d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization- defined numbers for lifetime minimum, lifetime maximum];
(e) Prohibits password reuse for [Assignment: organization-defined number] generations; and
(f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.
Supplemental Guidance: This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Encrypted representations of passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. Related control: IA-6. |
link |
15 |
| FedRAMP_Moderate_R4 |
AC-17 |
FedRAMP_Moderate_R4_AC-17 |
FedRAMP Moderate AC-17 |
Access Control |
Remote Access |
Shared |
n/a |
The organization:
a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
b. Authorizes remote access to the information system prior to allowing such connections.
Supplemental Guidance: Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3. Related controls: AC-2, AC-3, AC-18, AC-19, AC-20, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, MA-4, PE-17, PL-4, SC-10, SI-4.
References: NIST Special Publications 800-46, 800-77, 800-113, 800-114, 800-121. |
link |
41 |
| FedRAMP_Moderate_R4 |
AC-17(1) |
FedRAMP_Moderate_R4_AC-17(1) |
FedRAMP Moderate AC-17 (1) |
Access Control |
Automated Monitoring / Control |
Shared |
n/a |
The information system monitors and controls remote access methods.
Supplemental Guidance: Automated monitoring and control of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of information system components (e.g., servers, workstations, notebook computers, smart phones, and tablets). Related controls: AU-2, AU-12. |
link |
37 |
| FedRAMP_Moderate_R4 |
AC-3 |
FedRAMP_Moderate_R4_AC-3 |
FedRAMP Moderate AC-3 |
Access Control |
Access Enforcement |
Shared |
n/a |
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Supplemental Guidance: Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, domains) in information systems. In addition to enforcing authorized access at the information system level and recognizing that information systems can host many applications and services in support of organizational missions and business operations, access enforcement mechanisms can also be employed at the application and service level to provide increased information security. Related controls: AC-2, AC-4, AC-5, AC-6, AC-16, AC-17, AC-18, AC-19, AC-20, AC-21, AC-22, AU-9, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PE-3.
References: None. |
link |
18 |
| FedRAMP_Moderate_R4 |
IA-5 |
FedRAMP_Moderate_R4_IA-5 |
FedRAMP Moderate IA-5 |
Identification And Authentication |
Authenticator Management |
Shared |
n/a |
The organization manages information system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
b. Establishing initial authenticator content for authenticators defined by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
e. Changing default content of authenticators prior to information system installation;
f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
h. Protecting authenticator content from unauthorized disclosure and modification;
i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
j. Changing authenticators for group/role accounts when membership to those accounts changes.
Supplemental Guidance: Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28.
References: OMB Memoranda 04-04, 11-11; FIPS Publication 201; NIST Special Publications 800-73, 800-63, 800-76, 800-78; FICAM Roadmap and Implementation Guidance |
link |
18 |
| FedRAMP_Moderate_R4 |
IA-5(1) |
FedRAMP_Moderate_R4_IA-5(1) |
FedRAMP Moderate IA-5 (1) |
Identification And Authentication |
Password-Based Authentication |
Shared |
n/a |
The information system, for password-based authentication:
(a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
(b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];
(c) Stores and transmits only encrypted representations of passwords;
(d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization- defined numbers for lifetime minimum, lifetime maximum];
(e) Prohibits password reuse for [Assignment: organization-defined number] generations; and
(f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.
Supplemental Guidance: This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Encrypted representations of passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. Related control: IA-6. |
link |
15 |
| IRS_1075_9.3 |
.1.12 |
IRS_1075_9.3.1.12 |
IRS 1075 9.3.1.12 |
Access Control |
Remote Access (AC-17) |
|
n/a |
The agency must:
a. Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed
b. Authorize remote access to the information system prior to allowing such connections
c. Authorize and document the execution of privileged commands and access to security-relevant information via remote access for compelling operational needs only (CE4)
The information system must:
a. Monitor and control remote access methods (CE1)
b. Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions where FTI is transmitted over the remote connection and (CE2)
c. Route all remote accesses through a limited number of managed network access control points (CE3)
Remote access is defined as any access to an agency information system by a user communicating through an external network, for example, the Internet.
Any remote access where FTI is accessed over the remote connection must be performed using multi-factor authentication.
FTI cannot be accessed remotely by agency employees, agents, representatives, or contractors located offshore--outside of the United States territories, embassies, or military installations. Further, FTI may not be received, processed, stored, transmitted, or disposed of by IT systems located offshore. |
link |
7 |
| IRS_1075_9.3 |
.1.5 |
IRS_1075_9.3.1.5 |
IRS 1075 9.3.1.5 |
Access Control |
Separation of Duties (AC-5) |
|
n/a |
The agency must:
a. Separate duties of individuals to prevent harmful activity without collusion
b. Document separation of duties of individuals
c. Define information system access authorizations to support separation of duties |
link |
7 |
| IRS_1075_9.3 |
.1.6 |
IRS_1075_9.3.1.6 |
IRS 1075 9.3.1.6 |
Access Control |
Least Privilege (AC-6) |
|
n/a |
The agency must:
a. Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned tasks in accordance with agency missions and business functions
b. Explicitly authorize access to FTI (CE1)
c. Require that users of information system accounts, or roles, with access to FTI, use non-privileged accounts or roles when accessing non-security functions (CE2)
d. Restrict privileged accounts on the information system to a limited number of individuals with a need to perform administrative duties (CE5)
The information system must:
a. Audit the execution of privileged functions (CE9)
b. Prevent non-privileged users from executing privileged functions; including disabling, circumventing, or altering implemented security safeguards/countermeasures (CE10) |
link |
7 |
| IRS_1075_9.3 |
.16.6 |
IRS_1075_9.3.16.6 |
IRS 1075 9.3.16.6 |
System and Communications Protection |
Transmission Confidentiality and Integrity (SC-8) |
|
n/a |
Information systems that receive, process, store, or transmit FTI, must:
a. Protect the confidentiality and integrity of transmitted information
b. Implement FIPS 140-2 cryptographic mechanisms to prevent unauthorized disclosure of FTI and detect changes to information during transmission across the wide area network (WAN) and within the local area network (LAN) (CE1)
The agency must ensure that all network infrastructure, access points, wiring, conduits, and cabling are within the control of authorized agency personnel. Network monitoring capabilities must be implemented to detect and monitor for suspicious network traffic. For physical security protections of transmission medium, see Section 9.3.11.4, Access Control for Transmission Medium (PE-4).
This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, fax machines). |
link |
8 |
| IRS_1075_9.3 |
.7.5 |
IRS_1075_9.3.7.5 |
IRS 1075 9.3.7.5 |
Identification and Authentication |
Authenticator Management (IA-5) |
|
n/a |
The agency must manage information system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator
b. Establishing initial authenticator content for authenticators defined by the agency
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators
e. Changing default content of authenticators prior to information system installation
f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators
g. Changing/refreshing authenticators
h. Protecting authenticator content from unauthorized disclosure and modification
i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators
j. Changing authenticators for group/role accounts when membership to those accounts changes
The information system must, for password-based authentication:
a. Enforce minimum password complexity of:
1. Eight characters
2. At least one numeric and at least one special character
3. A mixture of at least one uppercase and at least one lowercase letter
4. Storing and transmitting only encrypted representations of passwords
b. Enforce password minimum lifetime restriction of one day
c. Enforce non-privileged account passwords to be changed at least every 90 days
d. Enforce privileged account passwords to be changed at least every 60 days
e. Prohibit password reuse for 24 generations
f. Allow the use of a temporary password for system logon requiring an immediate change to a permanent password
g. Password-protect system initialization (boot) settings |
link |
12 |
| ISO27001-2013 |
A.10.1.1 |
ISO27001-2013_A.10.1.1 |
ISO 27001:2013 A.10.1.1 |
Cryptography |
Policy on the use of cryptographic controls |
Shared |
n/a |
A policy on the use of cryptographic controls for protection of information shall be developed and implemented. |
link |
17 |
| ISO27001-2013 |
A.9.1.2 |
ISO27001-2013_A.9.1.2 |
ISO 27001:2013 A.9.1.2 |
Access Control |
Access to networks and network services |
Shared |
n/a |
Users shall only be provided with access to the network and network services that they have been specifically authorized to use. |
link |
29 |
| ISO27001-2013 |
A.9.2.4 |
ISO27001-2013_A.9.2.4 |
ISO 27001:2013 A.9.2.4 |
Access Control |
Management of secret authentication information of users |
Shared |
n/a |
The allocation of secret authentication information shall be controlled through a formal management process. |
link |
18 |
| ISO27001-2013 |
A.9.4.3 |
ISO27001-2013_A.9.4.3 |
ISO 27001:2013 A.9.4.3 |
Access Control |
Password management system |
Shared |
n/a |
Password management systems shall be interactive and shall ensure quality password. |
link |
22 |
|
mp.info.3 Electronic signature |
mp.info.3 Electronic signature |
404 not found |
|
|
|
n/a |
n/a |
|
40 |
|
mp.s.2 Protection of web services and applications |
mp.s.2 Protection of web services and applications |
404 not found |
|
|
|
n/a |
n/a |
|
102 |
|
mp.si.2 Cryptography |
mp.si.2 Cryptography |
404 not found |
|
|
|
n/a |
n/a |
|
32 |
|
mp.si.4 Transport |
mp.si.4 Transport |
404 not found |
|
|
|
n/a |
n/a |
|
24 |
| NIS2 |
DP._Data_Protection_8 |
NIS2_DP._Data_Protection_8 |
NIS2_DP._Data_Protection_8 |
DP. Data Protection |
Policies and procedures regarding the use of cryptography and, where appropriate, encryption |
|
n/a |
In order to safeguard the security of public electronic communications networks and publicly available electronic communications services, the use of encryption technologies, in particular end-to-end encryption as well as data-centric security concepts, such as cartography, segmentation, tagging, access policy and access management, and automated access decisions, should be promoted. Where necessary, the use of encryption, in particular end-to-end encryption should be mandatory for providers of public electronic communications networks or of publicly available electronic communications services in accordance with the principles of security and privacy by default and by design for the purposes of this Directive. The use of end-to-end encryption should be reconciled with the Member States’ powers to ensure the protection of their essential security interests and public security, and to allow for the prevention, investigation, detection and prosecution of criminal offences in accordance with Union law. However, this should not weaken end-to-end encryption, which is a critical technology for the effective protection of data and privacy and the security of communications. |
|
32 |
| NIST_SP_800-171_R2_3 |
.1.1 |
NIST_SP_800-171_R2_3.1.1 |
NIST SP 800-171 R2 3.1.1 |
Access Control |
Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Access control policies (e.g., identity- or role-based policies, control matrices, and cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, and domains) in systems. Access enforcement mechanisms can be employed at the application and service level to provide increased information security. Other systems include systems internal and external to the organization. This requirement focuses on account management for systems and applications. The definition of and enforcement of access authorizations, other than those determined by account type (e.g., privileged verses non-privileged) are addressed in requirement 3.1.2. |
link |
52 |
| NIST_SP_800-171_R2_3 |
.1.12 |
NIST_SP_800-171_R2_3.1.12 |
NIST SP 800-171 R2 3.1.12 |
Access Control |
Monitor and control remote access sessions. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Remote access is access to organizational systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate control (e.g., employing encryption techniques for confidentiality protection), may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. VPNs with encrypted tunnels can affect the capability to adequately monitor network communications traffic for malicious code. Automated monitoring and control of remote access sessions allows organizations to detect cyber-attacks and help to ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of system components (e.g., servers, workstations, notebook computers, smart phones, and tablets). [SP 800-46], [SP 800-77], and [SP 800-113] provide guidance on secure remote access and virtual private networks. |
link |
36 |
| NIST_SP_800-171_R2_3 |
.5.10 |
NIST_SP_800-171_R2_3.5.10 |
NIST SP 800-171 R2 3.5.10 |
Identification and Authentication |
Store and transmit only cryptographically-protected passwords. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Cryptographically-protected passwords use salted one-way cryptographic hashes of passwords. See [NIST CRYPTO]. |
link |
9 |
| NIST_SP_800-171_R2_3 |
.5.2 |
NIST_SP_800-171_R2_3.5.2 |
NIST SP 800-171 R2 3.5.2 |
Identification and Authentication |
Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Individual authenticators include the following: passwords, key cards, cryptographic devices, and one-time password devices. Initial authenticator content is the actual content of the authenticator, for example, the initial password. In contrast, the requirements about authenticator content include the minimum password length. Developers ship system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. Systems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics including minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include certificates and passwords. [SP 800-63-3] provides guidance on digital identities. |
link |
21 |
| NIST_SP_800-171_R2_3 |
.5.7 |
NIST_SP_800-171_R2_3.5.7 |
NIST SP 800-171 R2 3.5.7 |
Identification and Authentication |
Enforce a minimum password complexity and change of characters when new passwords are created. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
This requirement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are used as part of multifactor authenticators. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. |
link |
8 |
| NIST_SP_800-171_R2_3 |
.5.8 |
NIST_SP_800-171_R2_3.5.8 |
NIST SP 800-171 R2 3.5.8 |
Identification and Authentication |
Prohibit password reuse for a specified number of generations. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Password lifetime restrictions do not apply to temporary passwords |
link |
4 |
| NIST_SP_800-53_R4 |
AC-17 |
NIST_SP_800-53_R4_AC-17 |
NIST SP 800-53 Rev. 4 AC-17 |
Access Control |
Remote Access |
Shared |
n/a |
The organization:
a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
b. Authorizes remote access to the information system prior to allowing such connections.
Supplemental Guidance: Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3. Related controls: AC-2, AC-3, AC-18, AC-19, AC-20, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, MA-4, PE-17, PL-4, SC-10, SI-4.
References: NIST Special Publications 800-46, 800-77, 800-113, 800-114, 800-121. |
link |
41 |
| NIST_SP_800-53_R4 |
AC-17(1) |
NIST_SP_800-53_R4_AC-17(1) |
NIST SP 800-53 Rev. 4 AC-17 (1) |
Access Control |
Automated Monitoring / Control |
Shared |
n/a |
The information system monitors and controls remote access methods.
Supplemental Guidance: Automated monitoring and control of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of information system components (e.g., servers, workstations, notebook computers, smart phones, and tablets). Related controls: AU-2, AU-12. |
link |
37 |
| NIST_SP_800-53_R4 |
AC-3 |
NIST_SP_800-53_R4_AC-3 |
NIST SP 800-53 Rev. 4 AC-3 |
Access Control |
Access Enforcement |
Shared |
n/a |
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Supplemental Guidance: Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, domains) in information systems. In addition to enforcing authorized access at the information system level and recognizing that information systems can host many applications and services in support of organizational missions and business operations, access enforcement mechanisms can also be employed at the application and service level to provide increased information security. Related controls: AC-2, AC-4, AC-5, AC-6, AC-16, AC-17, AC-18, AC-19, AC-20, AC-21, AC-22, AU-9, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PE-3.
References: None. |
link |
18 |
| NIST_SP_800-53_R4 |
IA-5 |
NIST_SP_800-53_R4_IA-5 |
NIST SP 800-53 Rev. 4 IA-5 |
Identification And Authentication |
Authenticator Management |
Shared |
n/a |
The organization manages information system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
b. Establishing initial authenticator content for authenticators defined by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
e. Changing default content of authenticators prior to information system installation;
f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
h. Protecting authenticator content from unauthorized disclosure and modification;
i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
j. Changing authenticators for group/role accounts when membership to those accounts changes.
Supplemental Guidance: Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28.
References: OMB Memoranda 04-04, 11-11; FIPS Publication 201; NIST Special Publications 800-73, 800-63, 800-76, 800-78; FICAM Roadmap and Implementation Guidance |
link |
18 |
| NIST_SP_800-53_R4 |
IA-5(1) |
NIST_SP_800-53_R4_IA-5(1) |
NIST SP 800-53 Rev. 4 IA-5 (1) |
Identification And Authentication |
Password-Based Authentication |
Shared |
n/a |
The information system, for password-based authentication:
(a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
(b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];
(c) Stores and transmits only encrypted representations of passwords;
(d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization- defined numbers for lifetime minimum, lifetime maximum];
(e) Prohibits password reuse for [Assignment: organization-defined number] generations; and
(f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.
Supplemental Guidance: This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Encrypted representations of passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. Related control: IA-6. |
link |
15 |
| NIST_SP_800-53_R5 |
AC-17 |
NIST_SP_800-53_R5_AC-17 |
NIST SP 800-53 Rev. 5 AC-17 |
Access Control |
Remote Access |
Shared |
n/a |
a. Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
b. Authorize each type of remote access to the system prior to allowing such connections. |
link |
41 |
| NIST_SP_800-53_R5 |
AC-17(1) |
NIST_SP_800-53_R5_AC-17(1) |
NIST SP 800-53 Rev. 5 AC-17 (1) |
Access Control |
Monitoring and Control |
Shared |
n/a |
Employ automated mechanisms to monitor and control remote access methods. |
link |
37 |
| NIST_SP_800-53_R5 |
AC-3 |
NIST_SP_800-53_R5_AC-3 |
NIST SP 800-53 Rev. 5 AC-3 |
Access Control |
Access Enforcement |
Shared |
n/a |
Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
link |
18 |
| NIST_SP_800-53_R5 |
IA-5 |
NIST_SP_800-53_R5_IA-5 |
NIST SP 800-53 Rev. 5 IA-5 |
Identification and Authentication |
Authenticator Management |
Shared |
n/a |
Manage system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;
b. Establishing initial authenticator content for any authenticators issued by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;
e. Changing default authenticators prior to first use;
f. Changing or refreshing authenticators [Assignment: organization-defined time period by authenticator type] or when [Assignment: organization-defined events] occur;
g. Protecting authenticator content from unauthorized disclosure and modification;
h. Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and
i. Changing authenticators for group or role accounts when membership to those accounts changes. |
link |
18 |
| NIST_SP_800-53_R5 |
IA-5(1) |
NIST_SP_800-53_R5_IA-5(1) |
NIST SP 800-53 Rev. 5 IA-5 (1) |
Identification and Authentication |
Password-based Authentication |
Shared |
n/a |
For password-based authentication:
(a) Maintain a list of commonly-used, expected, or compromised passwords and update the list [Assignment: organization-defined frequency] and when organizational passwords are suspected to have been compromised directly or indirectly;
(b) Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a);
(c) Transmit passwords only over cryptographically-protected channels;
(d) Store passwords using an approved salted key derivation function, preferably using a keyed hash;
(e) Require immediate selection of a new password upon account recovery;
(f) Allow user selection of long passwords and passphrases, including spaces and all printable characters;
(g) Employ automated tools to assist the user in selecting strong password authenticators; and
(h) Enforce the following composition and complexity rules: [Assignment: organization-defined composition and complexity rules]. |
link |
15 |
|
op.acc.1 Identification |
op.acc.1 Identification |
404 not found |
|
|
|
n/a |
n/a |
|
63 |
|
op.acc.2 Access requirements |
op.acc.2 Access requirements |
404 not found |
|
|
|
n/a |
n/a |
|
61 |
|
op.acc.5 Authentication mechanism (external users) |
op.acc.5 Authentication mechanism (external users) |
404 not found |
|
|
|
n/a |
n/a |
|
69 |
|
op.acc.6 Authentication mechanism (organization users) |
op.acc.6 Authentication mechanism (organization users) |
404 not found |
|
|
|
n/a |
n/a |
|
75 |
|
op.exp.10 Cryptographic key protection |
op.exp.10 Cryptographic key protection |
404 not found |
|
|
|
n/a |
n/a |
|
50 |
|
op.ext.4 Interconnection of systems |
op.ext.4 Interconnection of systems |
404 not found |
|
|
|
n/a |
n/a |
|
68 |
| PCI_DSS_V3.2.1 |
8.2.3 |
PCI_DSS_v3.2.1_8.2.3 |
PCI DSS v3.2.1 8.2.3 |
Requirement 8 |
PCI DSS requirement 8.2.3 |
customer |
n/a |
n/a |
link |
6 |
| PCI_DSS_V3.2.1 |
8.2.5 |
PCI_DSS_v3.2.1_8.2.5 |
PCI DSS v3.2.1 8.2.5 |
Requirement 8 |
PCI DSS requirement 8.2.5 |
customer |
n/a |
n/a |
link |
6 |
| PCI_DSS_v4.0 |
8.3.6 |
PCI_DSS_v4.0_8.3.6 |
PCI DSS v4.0 8.3.6 |
Requirement 08: Identify Users and Authenticate Access to System Components |
Strong authentication for users and administrators is established and managed |
Shared |
n/a |
If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they meet the following minimum level of complexity:
• A minimum length of 12 characters (or IF the system does not support 12 characters, a minimum length of eight characters).
• Contain both numeric and alphabetic characters. |
link |
9 |
| SWIFT_CSCF_v2021 |
6.4 |
SWIFT_CSCF_v2021_6.4 |
SWIFT CSCF v2021 6.4 |
Detect Anomalous Activity to Systems or Transaction Records |
Logging and Monitoring |
|
n/a |
Record security events and detect anomalous actions and operations within the local SWIFT environment. |
link |
31 |
| SWIFT_CSCF_v2022 |
2.2 |
SWIFT_CSCF_v2022_2.2 |
SWIFT CSCF v2022 2.2 |
2. Reduce Attack Surface and Vulnerabilities |
Minimise the occurrence of known technical vulnerabilities on operator PCs and within the local SWIFT infrastructure by ensuring vendor support, applying mandatory software updates, and applying timely security updates aligned to the assessed risk. |
Shared |
n/a |
All hardware and software inside the secure zone and on operator PCs are within the support life cycle of the vendor, have been upgraded with mandatory software updates, and have had security updates promptly applied. |
link |
9 |
| SWIFT_CSCF_v2022 |
2.3 |
SWIFT_CSCF_v2022_2.3 |
SWIFT CSCF v2022 2.3 |
2. Reduce Attack Surface and Vulnerabilities |
Reduce the cyber-attack surface of SWIFT-related components by performing system hardening. |
Shared |
n/a |
Security hardening is conducted and maintained on all in-scope components. |
link |
25 |
| SWIFT_CSCF_v2022 |
2.6 |
SWIFT_CSCF_v2022_2.6 |
SWIFT CSCF v2022 2.6 |
2. Reduce Attack Surface and Vulnerabilities |
Protect the confidentiality and integrity of interactive operator sessions that connect to the local or remote (operated by a service provider) SWIFT infrastructure or service provider SWIFT-related applications |
Shared |
n/a |
The confidentiality and integrity of interactive operator sessions that connect to service provider SWIFT-related applications or into the secure zone are safeguarded. |
link |
17 |
| SWIFT_CSCF_v2022 |
4.1 |
SWIFT_CSCF_v2022_4.1 |
SWIFT CSCF v2022 4.1 |
4. Prevent Compromise of Credentials |
Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy. |
Shared |
n/a |
All application and operating system accounts enforce passwords with appropriate parameters such as length, complexity, validity, and the number of failed login attempts. Similarly, personal tokens and mobile devices enforce passwords or a Personal Identification Number (PIN) with appropriate parameters. |
link |
17 |
| SWIFT_CSCF_v2022 |
5.1 |
SWIFT_CSCF_v2022_5.1 |
SWIFT CSCF v2022 5.1 |
5. Manage Identities and Segregate Privileges |
Enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts. |
Shared |
n/a |
Accounts are defined according to the security principles of need-to-know access, least privilege, and separation of duties. |
link |
35 |
| SWIFT_CSCF_v2022 |
6.4 |
SWIFT_CSCF_v2022_6.4 |
SWIFT CSCF v2022 6.4 |
6. Detect Anomalous Activity to Systems or Transaction Records |
Record security events and detect anomalous actions and operations within the local SWIFT environment. |
Shared |
n/a |
Capabilities to detect anomalous activity are implemented, and a process or tool is in place to keep and review logs. |
link |
49 |
| UK_NCSC_CSP |
10 |
UK_NCSC_CSP_10 |
UK NCSC CSP 10 |
Identity and authentication |
Identity and authentication |
Shared |
n/a |
All access to service interfaces should be constrained to authenticated and authorised individuals. |
link |
22 |