| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| AU_ISM |
1490 |
AU_ISM_1490 |
AU ISM 1490 |
Guidelines for System Hardening - Operating system hardening |
Application control - 1490 |
|
n/a |
Application control is implemented on all servers to restrict the execution of executables, software libraries, scripts and installers to an approved set. |
link |
1 |
| Azure_Security_Benchmark_v1.0 |
6.10 |
Azure_Security_Benchmark_v1.0_6.10 |
Azure Security Benchmark 6.10 |
Inventory and Asset Management |
Implement approved application list |
Customer |
Use Azure Security Center Adaptive Application Controls to specify which file types a rule may or may not apply to.
Implement third party solution if this does not meet the requirement.
How to use Azure Security Center Adaptive Application Controls:
https://docs.microsoft.com/azure/security-center/security-center-adaptive-application |
n/a |
link |
1 |
| Azure_Security_Benchmark_v1.0 |
6.8 |
Azure_Security_Benchmark_v1.0_6.8 |
Azure Security Benchmark 6.8 |
Inventory and Asset Management |
Use only approved applications |
Customer |
Use Azure Security Center Adaptive Application Controls to ensure that only authorized software executes and all unauthorized software is blocked from executing on Azure Virtual Machines.
How to use Azure Security Center Adaptive Application Controls:
https://docs.microsoft.com/azure/security-center/security-center-adaptive-application |
n/a |
link |
1 |
| Azure_Security_Benchmark_v2.0 |
AM-6 |
Azure_Security_Benchmark_v2.0_AM-6 |
Azure Security Benchmark AM-6 |
Asset Management |
Use only approved applications in compute resources |
Customer |
Ensure that only authorized software executes, and all unauthorized software is blocked from executing on Azure Virtual Machines.
Use Azure Security Center (ASC) adaptive application controls to discover and generate an application allow list. You can also use ASC adaptive application controls to ensure that only authorized software executes and all unauthorized software is blocked from executing on Azure Virtual Machines.
Use Azure Automation Change Tracking and Inventory to automate the collection of inventory information from your Windows and Linux VMs. Software name, version, publisher, and refresh time are available from the Azure Portal. To get the software installation date and other information, enable guest-level diagnostics and direct the Windows Event Logs to Log Analytics workspace.
Depending on the type of scripts, you can use operating system-specific configurations or third-party resources to limit users' ability to execute scripts in Azure compute resources.
You can also use a third-party solution to discover and identify unapproved software.
How to use Azure Security Center adaptive application controls: https://docs.microsoft.com/azure/security-center/security-center-adaptive-application
Understand Azure Automation Change Tracking and Inventory: https://docs.microsoft.com/azure/automation/change-tracking
How to control PowerShell script execution in Windows environments: https://docs.microsoft.com/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-6 |
n/a |
link |
1 |
| Azure_Security_Benchmark_v3.0 |
AM-5 |
Azure_Security_Benchmark_v3.0_AM-5 |
Azure Security Benchmark AM-5 |
Asset Management |
Use only approved applications in virtual machine |
Shared |
**Security Principle:**
Ensure that only authorized software executes by creating an allow list and block the unauthorized software from executing in your environment.
**Azure Guidance:**
Use Microsoft Defender for Cloud adaptive application controls to discover and generate an application allow list. You can also use ASC adaptive application controls to ensure that only authorized software executes and all unauthorized software is blocked from executing on Azure Virtual Machines.
Use Azure Automation Change Tracking and Inventory to automate the collection of inventory information from your Windows and Linux VMs. Software name, version, publisher, and refresh time are available from the Azure portal. To get the software installation date and other information, enable guest-level diagnostics and direct the Windows Event Logs to Log Analytics workspace.
Depending on the type of scripts, you can use operating system-specific configurations or third-party resources to limit users' ability to execute scripts in Azure compute resources.
You can also use a third-party solution to discover and identify unapproved software.
**Implementation and additional context:**
How to use Microsoft Defender for Cloud adaptive application controls:
https://docs.microsoft.com/azure/security-center/security-center-adaptive-application
Understand Azure Automation Change Tracking and Inventory:
https://docs.microsoft.com/azure/automation/change-tracking
How to control PowerShell script execution in Windows environments:
https://docs.microsoft.com/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-6 |
n/a |
link |
2 |
| CCCS |
CM-11 |
CCCS_CM-11 |
CCCS CM-11 |
Configuration Management |
User-Installed Software |
|
n/a |
(A) The organization establishes organization-defined policies governing the installation of software by users.
(B) The organization enforces software installation policies through organization-defined methods.
(C) The organization monitors policy compliance continuously via 7(5). |
link |
1 |
| CCCS |
CM-7(5) |
CCCS_CM-7(5) |
CCCS CM-7(5) |
Configuration Management |
Least Functionality | Authorized Software / Whitelisting |
|
n/a |
(a) The organization identifie authorized software programs in baseline configuration and information system component inventory;
(b) The organization employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and
(c) The organization reviews and updates the list of authorized software programs at least annually or when there is a change. |
link |
1 |
| CIS_Azure_1.1.0 |
2.13 |
CIS_Azure_1.1.0_2.13 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.13 |
2 Security Center |
Ensure ASC Default policy setting "Monitor Adaptive Application Whitelisting" is not "Disabled" |
Shared |
The customer is responsible for implementing this recommendation. |
Enable adaptive application controls. |
link |
1 |
| CMMC_2.0_L2 |
CM.L2-3.4.6 |
CMMC_2.0_L2_CM.L2-3.4.6 |
404 not found |
|
|
|
n/a |
n/a |
|
3 |
| CMMC_2.0_L2 |
CM.L2-3.4.7 |
CMMC_2.0_L2_CM.L2-3.4.7 |
404 not found |
|
|
|
n/a |
n/a |
|
2 |
| CMMC_2.0_L2 |
CM.L2-3.4.8 |
CMMC_2.0_L2_CM.L2-3.4.8 |
404 not found |
|
|
|
n/a |
n/a |
|
2 |
| CMMC_2.0_L2 |
CM.L2-3.4.9 |
CMMC_2.0_L2_CM.L2-3.4.9 |
404 not found |
|
|
|
n/a |
n/a |
|
2 |
| CMMC_L3 |
CA.2.158 |
CMMC_L3_CA.2.158 |
CMMC L3 CA.2.158 |
Security Assessment |
Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Organizations assess security controls in organizational systems and the environments in which those systems operate as part of the system development life cycle. Security controls are the safeguards or countermeasures organizations implement to satisfy security requirements. By assessing the implemented security controls, organizations determine if the security safeguards or countermeasures are in place and operating as intended. Security control assessments ensure that information security is built into organizational systems; identify weaknesses and deficiencies early in the development process; provide essential information needed to make risk-based decisions; and ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls as documented in system security plans.
Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted.
Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Organizations can choose to use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of systems during the system life cycle. |
link |
10 |
| CMMC_L3 |
CA.3.161 |
CMMC_L3_CA.3.161 |
CMMC L3 CA.3.161 |
Security Assessment |
Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and analyze security controls and information security-related risks at a frequency sufficient to support risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Providing access to security information on a continuing basis through reports or dashboards gives organizational officials the capability to make effective and timely risk management decisions.
Automation supports more frequent updates to hardware, software, firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Monitoring requirements, including the need for specific monitoring, may also be referenced in other requirements. |
link |
10 |
| CMMC_L3 |
CM.2.061 |
CMMC_L3_CM.2.061 |
CMMC L3 CM.2.061 |
Configuration Management |
Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and changes to systems. Baseline configurations include information about system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and update and patch information on operating systems and applications; and configuration settings and parameters), network topology, and the logical placement of those components within the system architecture. Baseline configurations of systems also reflect the current enterprise architecture. Maintaining effective baseline configurations requires creating new baselines as organizational systems change over time. Baseline configuration maintenance includes reviewing and updating the baseline configuration when changes are made based on security risks and deviations from the established baseline configuration
Organizations can implement centralized system component inventories that include components from multiple organizational systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., system association, system owner). Information deemed necessary for effective accountability of system components includes hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include manufacturer, device type, model, serial number, and physical location. |
link |
3 |
| CMMC_L3 |
CM.2.063 |
CMMC_L3_CM.2.063 |
CMMC L3 CM.2.063 |
Configuration Management |
Control and monitor user-installed software. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Users can install software in organizational systems if provided the necessary privileges. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation through policies. Permitted software installations include updates and security patches to existing software and applications from organization-approved “app stores.” Prohibited software installations may include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods, automated methods, or both. |
link |
4 |
| CMMC_L3 |
CM.3.068 |
CMMC_L3_CM.3.068 |
CMMC L3 CM.3.068 |
Configuration Management |
Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Restricting the use of nonessential software (programs) includes restricting the roles allowed to approve program execution; prohibiting auto-execute; program blacklisting and whitelisting; or restricting the number of program instances executed at the same time. The organization makes a security-based determination which functions, ports, protocols, and/or services are restricted. Bluetooth, File Transfer Protocol (FTP), and peer-to-peer networking are examples of protocols organizations consider preventing the use of, restricting, or disabling. |
link |
25 |
| CMMC_L3 |
CM.3.069 |
CMMC_L3_CM.3.069 |
CMMC L3 CM.3.069 |
Configuration Management |
Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
The process used to identify software programs that are not authorized to execute on systems is commonly referred to as blacklisting. The process used to identify software programs that are authorized to execute on systems is commonly referred to as whitelisting. Whitelisting is the stronger of the two policies for restricting software program execution. In addition to whitelisting, organizations consider verifying the integrity of whitelisted software programs using, for example, cryptographic checksums, digital signatures, or hash functions. Verification of whitelisted software can occur either prior to execution or at system startup. |
link |
1 |
| FedRAMP_High_R4 |
CM-10 |
FedRAMP_High_R4_CM-10 |
FedRAMP High CM-10 |
Configuration Management |
Software Usage Restrictions |
Shared |
n/a |
The organization:
a. Uses software and associated documentation in accordance with contract agreements and copyright laws;
b. Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and
c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
Supplemental Guidance: Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated methods (e.g., specialized tracking applications) depending on organizational needs. Related controls: AC-17, CM-8, SC-7.
References: None. |
link |
4 |
| FedRAMP_High_R4 |
CM-11 |
FedRAMP_High_R4_CM-11 |
FedRAMP High CM-11 |
Configuration Management |
User-Installed Software |
Shared |
n/a |
The organization:
a. Establishes [Assignment: organization-defined policies] governing the installation of software by users;
b. Enforces software installation policies through [Assignment: organization-defined methods]; and
c. Monitors policy compliance at [Assignment: organization-defined frequency].
Supplemental Guidance: If provided the necessary privileges, users have the ability to install software in organizational information systems. To maintain control over the types of software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations may include, for example, updates and security patches to existing software and downloading applications from organization-approved “app stores.” Prohibited software installations may include, for example, software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods (e.g., periodic examination of user accounts), automated methods (e.g., configuration settings implemented on organizational information systems), or both. Related controls: AC-3, CM-2, CM-3, CM-5, CM-6, CM-7, PL-4.
References: None. |
link |
2 |
| FedRAMP_High_R4 |
CM-7 |
FedRAMP_High_R4_CM-7 |
FedRAMP High CM-7 |
Configuration Management |
Least Functionality |
Shared |
n/a |
The organization:
a. Configures the information system to provide only essential capabilities; and
b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services].
Supplemental Guidance: Information systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Additionally, it is sometimes convenient to provide multiple services from single information system components, but doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per device (e.g., email servers or web servers, but not both). Organizations review functions and services provided by information systems or individual components of information systems, to determine which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, auto-execute, and file sharing). Organizations consider disabling unused or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services. Related controls: AC-6, CM-2, RA-5, SA-5, SC-7.
References: DoD Instruction 8551.01. |
link |
3 |
| FedRAMP_High_R4 |
CM-7(2) |
FedRAMP_High_R4_CM-7(2) |
FedRAMP High CM-7 (2) |
Configuration Management |
Prevent Program Execution |
Shared |
n/a |
The information system prevents program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage].
Supplemental Guidance: Related controls: CM-8, PM-5. |
link |
2 |
| FedRAMP_High_R4 |
CM-7(5) |
FedRAMP_High_R4_CM-7(5) |
FedRAMP High CM-7 (5) |
Configuration Management |
Authorized Software / Whitelisting |
Shared |
n/a |
The organization:
(a) Identifies [Assignment: organization-defined software programs authorized to execute on the information system];
(b) Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and
(c) Reviews and updates the list of authorized software programs [Assignment: organization- defined frequency].
Supplemental Guidance: The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. In addition to whitelisting, organizations consider verifying the integrity of white-listed software programs using, for example, cryptographic checksums, digital signatures, or hash functions. Verification of white-listed software can occur either prior to execution or at system startup. Related controls: CM-2, CM-6, CM-8, PM-5, SA-10, SC-34, SI-7. |
link |
2 |
| FedRAMP_Moderate_R4 |
CM-10 |
FedRAMP_Moderate_R4_CM-10 |
FedRAMP Moderate CM-10 |
Configuration Management |
Software Usage Restrictions |
Shared |
n/a |
The organization:
a. Uses software and associated documentation in accordance with contract agreements and copyright laws;
b. Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and
c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
Supplemental Guidance: Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated methods (e.g., specialized tracking applications) depending on organizational needs. Related controls: AC-17, CM-8, SC-7.
References: None. |
link |
4 |
| FedRAMP_Moderate_R4 |
CM-11 |
FedRAMP_Moderate_R4_CM-11 |
FedRAMP Moderate CM-11 |
Configuration Management |
User-Installed Software |
Shared |
n/a |
The organization:
a. Establishes [Assignment: organization-defined policies] governing the installation of software by users;
b. Enforces software installation policies through [Assignment: organization-defined methods]; and
c. Monitors policy compliance at [Assignment: organization-defined frequency].
Supplemental Guidance: If provided the necessary privileges, users have the ability to install software in organizational information systems. To maintain control over the types of software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations may include, for example, updates and security patches to existing software and downloading applications from organization-approved “app stores.” Prohibited software installations may include, for example, software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods (e.g., periodic examination of user accounts), automated methods (e.g., configuration settings implemented on organizational information systems), or both. Related controls: AC-3, CM-2, CM-3, CM-5, CM-6, CM-7, PL-4.
References: None. |
link |
2 |
| FedRAMP_Moderate_R4 |
CM-7 |
FedRAMP_Moderate_R4_CM-7 |
FedRAMP Moderate CM-7 |
Configuration Management |
Least Functionality |
Shared |
n/a |
The organization:
a. Configures the information system to provide only essential capabilities; and
b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services].
Supplemental Guidance: Information systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Additionally, it is sometimes convenient to provide multiple services from single information system components, but doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per device (e.g., email servers or web servers, but not both). Organizations review functions and services provided by information systems or individual components of information systems, to determine which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, auto-execute, and file sharing). Organizations consider disabling unused or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services. Related controls: AC-6, CM-2, RA-5, SA-5, SC-7.
References: DoD Instruction 8551.01. |
link |
3 |
| FedRAMP_Moderate_R4 |
CM-7(2) |
FedRAMP_Moderate_R4_CM-7(2) |
FedRAMP Moderate CM-7 (2) |
Configuration Management |
Prevent Program Execution |
Shared |
n/a |
The information system prevents program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage].
Supplemental Guidance: Related controls: CM-8, PM-5. |
link |
2 |
| FedRAMP_Moderate_R4 |
CM-7(5) |
FedRAMP_Moderate_R4_CM-7(5) |
FedRAMP Moderate CM-7 (5) |
Configuration Management |
Authorized Software / Whitelisting |
Shared |
n/a |
The organization:
(a) Identifies [Assignment: organization-defined software programs authorized to execute on the information system];
(b) Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and
(c) Reviews and updates the list of authorized software programs [Assignment: organization- defined frequency].
Supplemental Guidance: The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. In addition to whitelisting, organizations consider verifying the integrity of white-listed software programs using, for example, cryptographic checksums, digital signatures, or hash functions. Verification of white-listed software can occur either prior to execution or at system startup. Related controls: CM-2, CM-6, CM-8, PM-5, SA-10, SC-34, SI-7. |
link |
2 |
| hipaa |
0201.09j1Organizational.124-09.j |
hipaa-0201.09j1Organizational.124-09.j |
0201.09j1Organizational.124-09.j |
02 Endpoint Protection |
0201.09j1Organizational.124-09.j 09.04 Protection Against Malicious and Mobile Code |
Shared |
n/a |
Anti-virus and anti-spyware are installed, operating and updated on all end-user devices to conduct periodic scans of the systems to identify and remove unauthorized software. Server environments for which the server software developer specifically recommends not installing host-based anti-virus and anti-spyware software are addressed via a network-based malware detection (NBMD) solution. |
|
18 |
| hipaa |
0607.10h2System.23-10.h |
hipaa-0607.10h2System.23-10.h |
0607.10h2System.23 - 10.h |
Control of Operational Software |
The organization uses its configuration control program to maintain control of all implemented software and its system documentation and archive prior versions of implemented software and associated system documentation. |
Customer |
n/a |
Evidence that SDL changes can be rolled back (e.g., to resolve post-deployment issues). |
|
2 |
| hipaa |
1197.01l3Organizational.3-01.l |
hipaa-1197.01l3Organizational.3-01.l |
1197.01l3Organizational.3-01.l |
11 Access Control |
1197.01l3Organizational.3-01.l 01.04 Network Access Control |
Shared |
n/a |
The organization disables Bluetooth and peer-to-peer networking protocols within the information system determined to be unnecessary or non-secure. |
|
1 |
| IRS_1075_9.3 |
.16.5 |
IRS_1075_9.3.16.5 |
IRS 1075 9.3.16.5 |
System and Communications Protection |
Boundary Protection (SC-7) |
|
n/a |
The information system must:
a. Monitor and control communications at the external boundary of the system and at key internal boundaries within the system
b. Implement subnetworks for publicly accessible system components that are physically and logically separated from internal agency networks
c. Connect to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with agency security architecture requirements
Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within the security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks).
The agency must limit the number of external network connections to the information system. (CE3)
The agency must: (CE4)
a. Implement a secure managed interface for each external telecommunication service
b. Establish a traffic flow policy for each managed interface
d. Protect the confidentiality and integrity of the information being transmitted across each interface
e. Document each exception to the traffic flow policy with a supporting mission/business need and duration of that need, and accept the associated risk
f. Review exceptions to the traffic flow policy at a minimum annually, and remove exceptions that are no longer supported by an explicit mission/business need
The information system at managed interfaces must deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). (CE5)
The information system must, in conjunction with a remote device, prevent the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks. (CE7)
Additional requirements for protecting FTI on networks are provided in Section 9.4.10, Network Protections. |
link |
4 |
| IRS_1075_9.3 |
.5.11 |
IRS_1075_9.3.5.11 |
IRS 1075 9.3.5.11 |
Configuration Management |
User-Installed Software (CM-11) |
|
n/a |
The agency must:
a. Establish policies governing the installation of software by users
b. Enforce software installation policies through automated methods
c. Monitor policy compliance on a continual basis
All FTI that is transmitted to agencies is backed up and protected within IRS facilities. As such, the focus of contingency planning controls is on the protection of FTI stored in backup media or used at alternative facilities and not focused on the availability of data. Agencies must develop applicable contingencies for ensuring that FTI is available, based upon their individual risk-based approaches. |
link |
1 |
| IRS_1075_9.3 |
.5.7 |
IRS_1075_9.3.5.7 |
IRS 1075 9.3.5.7 |
Configuration Management |
Least Functionality (CM-7) |
|
n/a |
The agency must:
a. Configure the information system to provide only essential capabilities
b. Prohibit or restrict the use of the functions, ports, protocols, or services as defined in Office of Safeguards-approved compliance requirements (e.g., SCSEMs, assessment tools)
c. Review the information system as part of vulnerability assessments to identify unnecessary or non-secure functions, ports, protocols, and services (see Section 9.3.14.3, Vulnerability Scanning (RA-5))
d. Disable defined functions, ports, protocols, and services within the information system deemed to be unnecessary or non-secure |
link |
1 |
| ISO27001-2013 |
A.12.5.1 |
ISO27001-2013_A.12.5.1 |
ISO 27001:2013 A.12.5.1 |
Operations Security |
Installation of software on operational systems |
Shared |
n/a |
Procedures shall be implemented to control the installation of software on operational systems. |
link |
19 |
| ISO27001-2013 |
A.12.6.2 |
ISO27001-2013_A.12.6.2 |
ISO 27001:2013 A.12.6.2 |
Operations Security |
Restrictions on software installation |
Shared |
n/a |
Rules governing the installation of software by users shall be established and implemented. |
link |
19 |
| NIST_SP_800-171_R2_3 |
.4.6 |
NIST_SP_800-171_R2_3.4.6 |
NIST SP 800-171 R2 3.4.6 |
Configuration Management |
Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Systems can provide a wide variety of functions and services. Some of the functions and services routinely provided by default, may not be necessary to support essential organizational missions, functions, or operations. It is sometimes convenient to provide multiple services from single system components. However, doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per component. Organizations review functions and services provided by systems or components of systems, to determine which functions and services are candidates for elimination. Organizations disable unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of devices, transfer of information, and tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services. |
link |
3 |
| NIST_SP_800-171_R2_3 |
.4.7 |
NIST_SP_800-171_R2_3.4.7 |
NIST SP 800-171 R2 3.4.7 |
Configuration Management |
Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Restricting the use of nonessential software (programs) includes restricting the roles allowed to approve program execution; prohibiting auto-execute; program blacklisting and whitelisting; or restricting the number of program instances executed at the same time. The organization makes a security-based determination which functions, ports, protocols, and/or services are restricted. Bluetooth, File Transfer Protocol (FTP), and peer-to-peer networking are examples of protocols organizations consider preventing the use of, restricting, or disabling. |
link |
2 |
| NIST_SP_800-171_R2_3 |
.4.8 |
NIST_SP_800-171_R2_3.4.8 |
NIST SP 800-171 R2 3.4.8 |
Configuration Management |
Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
The process used to identify software programs that are not authorized to execute on systems is commonly referred to as blacklisting. The process used to identify software programs that are authorized to execute on systems is commonly referred to as whitelisting. Whitelisting is the stronger of the two policies for restricting software program execution. In addition to whitelisting, organizations consider verifying the integrity of whitelisted software programs using, for example, cryptographic checksums, digital signatures, or hash functions. Verification of whitelisted software can occur either prior to execution or at system startup. [SP 800-167] provides guidance on application whitelisting. |
link |
2 |
| NIST_SP_800-171_R2_3 |
.4.9 |
NIST_SP_800-171_R2_3.4.9 |
NIST SP 800-171 R2 3.4.9 |
Configuration Management |
Control and monitor user-installed software. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Users can install software in organizational systems if provided the necessary privileges. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation through policies. Permitted software installations include updates and security patches to existing software and applications from organization-approved “app stores.” Prohibited software installations may include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods, automated methods, or both. |
link |
2 |
| NIST_SP_800-53_R4 |
CM-10 |
NIST_SP_800-53_R4_CM-10 |
NIST SP 800-53 Rev. 4 CM-10 |
Configuration Management |
Software Usage Restrictions |
Shared |
n/a |
The organization:
a. Uses software and associated documentation in accordance with contract agreements and copyright laws;
b. Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and
c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
Supplemental Guidance: Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated methods (e.g., specialized tracking applications) depending on organizational needs. Related controls: AC-17, CM-8, SC-7.
References: None. |
link |
4 |
| NIST_SP_800-53_R4 |
CM-11 |
NIST_SP_800-53_R4_CM-11 |
NIST SP 800-53 Rev. 4 CM-11 |
Configuration Management |
User-Installed Software |
Shared |
n/a |
The organization:
a. Establishes [Assignment: organization-defined policies] governing the installation of software by users;
b. Enforces software installation policies through [Assignment: organization-defined methods]; and
c. Monitors policy compliance at [Assignment: organization-defined frequency].
Supplemental Guidance: If provided the necessary privileges, users have the ability to install software in organizational information systems. To maintain control over the types of software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations may include, for example, updates and security patches to existing software and downloading applications from organization-approved “app stores.” Prohibited software installations may include, for example, software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods (e.g., periodic examination of user accounts), automated methods (e.g., configuration settings implemented on organizational information systems), or both. Related controls: AC-3, CM-2, CM-3, CM-5, CM-6, CM-7, PL-4.
References: None. |
link |
2 |
| NIST_SP_800-53_R4 |
CM-7 |
NIST_SP_800-53_R4_CM-7 |
NIST SP 800-53 Rev. 4 CM-7 |
Configuration Management |
Least Functionality |
Shared |
n/a |
The organization:
a. Configures the information system to provide only essential capabilities; and
b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services].
Supplemental Guidance: Information systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Additionally, it is sometimes convenient to provide multiple services from single information system components, but doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per device (e.g., email servers or web servers, but not both). Organizations review functions and services provided by information systems or individual components of information systems, to determine which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, auto-execute, and file sharing). Organizations consider disabling unused or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services. Related controls: AC-6, CM-2, RA-5, SA-5, SC-7.
References: DoD Instruction 8551.01. |
link |
3 |
| NIST_SP_800-53_R4 |
CM-7(2) |
NIST_SP_800-53_R4_CM-7(2) |
NIST SP 800-53 Rev. 4 CM-7 (2) |
Configuration Management |
Prevent Program Execution |
Shared |
n/a |
The information system prevents program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage].
Supplemental Guidance: Related controls: CM-8, PM-5. |
link |
2 |
| NIST_SP_800-53_R4 |
CM-7(5) |
NIST_SP_800-53_R4_CM-7(5) |
NIST SP 800-53 Rev. 4 CM-7 (5) |
Configuration Management |
Authorized Software / Whitelisting |
Shared |
n/a |
The organization:
(a) Identifies [Assignment: organization-defined software programs authorized to execute on the information system];
(b) Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and
(c) Reviews and updates the list of authorized software programs [Assignment: organization- defined frequency].
Supplemental Guidance: The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. In addition to whitelisting, organizations consider verifying the integrity of white-listed software programs using, for example, cryptographic checksums, digital signatures, or hash functions. Verification of white-listed software can occur either prior to execution or at system startup. Related controls: CM-2, CM-6, CM-8, PM-5, SA-10, SC-34, SI-7. |
link |
2 |
| NIST_SP_800-53_R5 |
CM-10 |
NIST_SP_800-53_R5_CM-10 |
NIST SP 800-53 Rev. 5 CM-10 |
Configuration Management |
Software Usage Restrictions |
Shared |
n/a |
a. Use software and associated documentation in accordance with contract agreements and copyright laws;
b. Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and
c. Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work. |
link |
4 |
| NIST_SP_800-53_R5 |
CM-11 |
NIST_SP_800-53_R5_CM-11 |
NIST SP 800-53 Rev. 5 CM-11 |
Configuration Management |
User-installed Software |
Shared |
n/a |
a. Establish [Assignment: organization-defined policies] governing the installation of software by users;
b. Enforce software installation policies through the following methods: [Assignment: organization-defined methods]; and
c. Monitor policy compliance [Assignment: organization-defined frequency]. |
link |
2 |
| NIST_SP_800-53_R5 |
CM-7 |
NIST_SP_800-53_R5_CM-7 |
NIST SP 800-53 Rev. 5 CM-7 |
Configuration Management |
Least Functionality |
Shared |
n/a |
a. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and
b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services]. |
link |
3 |
| NIST_SP_800-53_R5 |
CM-7(2) |
NIST_SP_800-53_R5_CM-7(2) |
NIST SP 800-53 Rev. 5 CM-7 (2) |
Configuration Management |
Prevent Program Execution |
Shared |
n/a |
Prevent program execution in accordance with [Selection (OneOrMore): [Assignment: organization-defined policies, rules of behavior, and/or access agreements regarding software program usage and restrictions] ;rules authorizing the terms and conditions of software program usage] . |
link |
2 |
| NIST_SP_800-53_R5 |
CM-7(5) |
NIST_SP_800-53_R5_CM-7(5) |
NIST SP 800-53 Rev. 5 CM-7 (5) |
Configuration Management |
Authorized Software ??? Allow-by-exception |
Shared |
n/a |
(a) Identify [Assignment: organization-defined software programs authorized to execute on the system];
(b) Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and
(c) Review and update the list of authorized software programs [Assignment: organization-defined frequency]. |
link |
2 |
| NZ_ISM_v3.5 |
SS-5 |
NZ_ISM_v3.5_SS-5 |
NZISM Security Benchmark SS-5 |
Software security |
14.2.4 Application Whitelisting |
Customer |
n/a |
Application whitelisting can be an effective mechanism to prevent the successful compromise of an agency system resulting from the exploitation of a vulnerability in an application or the execution of malicious code.
Defining a list of trusted executables, a whitelist, is a practical and secure method of securing a system rather than relying on a list of bad executables (black list) to be prevented from running.
Application whitelisting is considered only one part of a defence-in-depth strategy in order to prevent a successful attack, or to help mitigate consequences arising from an attack. |
link |
2 |
| NZISM_Security_Benchmark_v1.1 |
SS-5 |
NZISM_Security_Benchmark_v1.1_SS-5 |
NZISM Security Benchmark SS-5 |
Software security |
14.2.4 Application Whitelisting |
Customer |
Agencies SHOULD implement application whitelisting as part of the SOE for workstations, servers and any other network device. |
Application whitelisting can be an effective mechanism to prevent the successful compromise of an agency system resulting from the exploitation of a vulnerability in an application or the execution of malicious code.
Defining a list of trusted executables, a whitelist, is a practical and secure method of securing a system rather than relying on a list of bad executables (black list) to be prevented from running.
Application whitelisting is considered only one part of a defence-in-depth strategy in order to prevent a successful attack, or to help mitigate consequences arising from an attack. |
link |
2 |
| RBI_CSF_Banks_v2016 |
13.1 |
RBI_CSF_Banks_v2016_13.1 |
|
Advanced Real-Timethreat Defenceand Management |
Advanced Real-Timethreat Defenceand Management-13.1 |
|
n/a |
Build a robust defence against the installation, spread, and execution of malicious code at multiple points in the enterprise. |
|
27 |
| RBI_CSF_Banks_v2016 |
13.3 |
RBI_CSF_Banks_v2016_13.3 |
|
Advanced Real-Timethreat Defenceand Management |
Advanced Real-Timethreat Defenceand Management-13.3 |
|
n/a |
Consider implementing whitelisting of internet websites/systems. |
|
15 |
| RBI_CSF_Banks_v2016 |
14.1 |
RBI_CSF_Banks_v2016_14.1 |
|
Anti-Phishing |
Anti-Phishing-14.1 |
|
n/a |
Subscribe to Anti-phishing/anti-rouge app services from external service providers for identifying and taking down phishing websites/rouge applications. |
|
32 |
| RBI_CSF_Banks_v2016 |
2.1 |
RBI_CSF_Banks_v2016_2.1 |
|
Preventing Execution Of Unauthorised Software |
Software Inventory-2.1 |
|
n/a |
Maintain an up-to-date and preferably centralised inventory of authorised/unauthorised software(s). Consider implementing whitelisting of authorised applications / software/libraries, etc. |
|
2 |
| RBI_CSF_Banks_v2016 |
2.2 |
RBI_CSF_Banks_v2016_2.2 |
|
Preventing Execution Of Unauthorised Software |
Authorised Software Installation-2.2 |
|
n/a |
Have mechanism to centrally/otherwise control installation of software/applications on end-user PCs, laptops, workstations, servers, mobile devices, etc. and mechanism to block /prevent and identify installation and running of unauthorised software/applications on such devices/systems. |
|
2 |
| RBI_CSF_Banks_v2016 |
4.2 |
RBI_CSF_Banks_v2016_4.2 |
|
Network Management And Security |
Network Inventory-4.2 |
|
n/a |
Maintain an up-to-date/centralised inventory of authorised devices connected to bank???s network (within/outside bank???s premises) and authorised devices enabling the bank???s network. The bank may consider implementing solutions to automate network discovery and management. |
|
6 |
| RBI_ITF_NBFC_v2017 |
2 |
RBI_ITF_NBFC_v2017_2 |
RBI IT Framework 2 |
IT Policy |
IT Policy-2 |
|
n/a |
NBFCs may formulate a Board approved IT Policy, in line with the objectives of their organisation comprising the following:
a. An IT organizational structure commensurate with the size, scale and nature of business activities carried out by the NBFC;
b. NBFCs may designate a senior executive as the Chief Information Officer (CIO) or in-Charge of IT Operations whose responsibility is to ensure implementation of IT Policy to the operational level involving IT strategy, value delivery, risk management and IT resource management.
c. To ensure technical competence at senior/middle level management of NBFC, periodic assessment of the IT training requirements should be formulated to ensure that sufficient, competent and capable human resources are available.
d. The NBFCs which are currently not using IPv6 platform should migrate to the same as per National Telecom Policy issued by the Government of India in 2012. (As per Circular DNBS(Inf.).CC.No 309/24.01.022/2012-13 November 08, 2012) |
link |
2 |
| RMiT_v1.0 |
Appendix_5.2 |
RMiT_v1.0_Appendix_5.2 |
RMiT Appendix 5.2 |
Control Measures on Cybersecurity |
Control Measures on Cybersecurity - Appendix 5.2 |
Customer |
n/a |
Update checklists on the latest security hardening of operating systems. |
link |
2 |
| SOC_2 |
CC6.8 |
SOC_2_CC6.8 |
SOC 2 Type 2 CC6.8 |
Logical and Physical Access Controls |
Prevent or detect against unauthorized or malicious software |
Shared |
The customer is responsible for implementing this recommendation. |
Restricts Application and Software Installation — The ability to install applications
and software is restricted to authorized individuals.
• Detects Unauthorized Changes to Software and Configuration Parameters — Processes are in place to detect changes to software and configuration parameters that
may be indicative of unauthorized or malicious software.
• Uses a Defined Change Control Process — A management-defined change control
process is used for the implementation of software.
• Uses Antivirus and Anti-Malware Software — Antivirus and anti-malware software
is implemented and maintained to provide for the interception or detection and remediation of malware.
• Scans Information Assets from Outside the Entity for Malware and Other Unauthorized Software — Procedures are in place to scan information assets that have been
transferred or returned to the entity’s custody for malware and other unauthorized
software and to remove any items detected prior to its implementation on the network. |
|
54 |
| SOC_2 |
CC7.1 |
SOC_2_CC7.1 |
SOC 2 Type 2 CC7.1 |
System Operations |
Detection and monitoring of new vulnerabilities |
Shared |
The customer is responsible for implementing this recommendation. |
• Uses Defined Configuration Standards — Management has defined configuration
standards.
• Monitors Infrastructure and Software — The entity monitors infrastructure and
software for noncompliance with the standards, which could threaten the achievement of the entity's objectives.
• Implements Change-Detection Mechanisms — The IT system includes a changedetection mechanism (for example, file integrity monitoring tools) to alert personnel
to unauthorized modifications of critical system files, configuration files, or content
files.
• Detects Unknown or Unauthorized Components — Procedures are in place to detect the introduction of unknown or unauthorized components.
• Conducts Vulnerability Scans — The entity conducts vulnerability scans designed to
identify potential vulnerabilities or misconfigurations on a periodic basis and after
any significant change in the environment and takes action to remediate identified
deficiencies on a timely basis |
|
17 |
| SWIFT_CSCF_v2021 |
1.1 |
SWIFT_CSCF_v2021_1.1 |
SWIFT CSCF v2021 1.1 |
SWIFT Environment Protection |
SWIFT Environment Protection |
|
n/a |
Ensure the protection of the user's local SWIFT infrastructure from potentially compromised elements of the general IT environment and external environment. |
link |
30 |
| SWIFT_CSCF_v2022 |
1.1 |
SWIFT_CSCF_v2022_1.1 |
SWIFT CSCF v2022 1.1 |
1. Restrict Internet Access & Protect Critical Systems from General IT Environment |
Ensure the protection of the user's local SWIFT infrastructure from potentially compromised elements of the general IT environment and external environment. |
Shared |
n/a |
A separated secure zone safeguards the user's SWIFT infrastructure from compromises and attacks on the broader enterprise and external environments. |
link |
22 |
| SWIFT_CSCF_v2022 |
1.5A |
SWIFT_CSCF_v2022_1.5A |
SWIFT CSCF v2022 1.5A |
1. Restrict Internet Access & Protect Critical Systems from General IT Environment |
Ensure the protection of the customer’s connectivity infrastructure from external environment and potentially compromised elements of the general IT environment. |
Shared |
n/a |
A separated secure zone safeguards the customer's infrastructure used for external connectivity from external environments and compromises or attacks on the broader enterprise environment. |
link |
26 |
| UK_NCSC_CSP |
11 |
UK_NCSC_CSP_11 |
UK NCSC CSP 11 |
External interface protection |
External interface protection |
Shared |
n/a |
All external or less trusted interfaces of the service should be identified and appropriately defended. |
link |
8 |
| UK_NCSC_CSP |
5.3 |
UK_NCSC_CSP_5.3 |
UK NCSC CSP 5.3 |
Operational security |
Protective Monitoring |
Shared |
n/a |
A service which does not effectively monitor for attack, misuse and malfunction will be unlikely to detect attacks (both successful and unsuccessful). As a result, it will be unable to quickly respond to potential compromises of your environments and data. |
link |
4 |