last sync: 2024-Oct-04 17:51:30 UTC

Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity

Azure BuiltIn Policy definition

Source Azure Portal
Display name Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
Id 497dff13-db2a-4c0f-8603-28fa3b331ab6
Version 4.1.0
Details on versioning
Versioning Versions supported for Versioning: 2
4.0.0
4.1.0
Built-in Versioning [Preview]
Category Guest Configuration
Microsoft Learn
Description This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.
Mode Indexed
Type BuiltIn
Preview False
Deprecated False
Effect Fixed
modify
RBAC role(s)
Role Name Role Id
Contributor b24988ac-6180-42a0-ab88-20f7382dd24c
Rule aliases IF (6)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.Compute/imageOffer Microsoft.Compute
Microsoft.Compute
Microsoft.Compute
virtualMachines
virtualMachineScaleSets
disks
properties.storageProfile.imageReference.offer
properties.virtualMachineProfile.storageProfile.imageReference.offer
properties.creationData.imageReference.id
True
True
True


False
False
False
Microsoft.Compute/imagePublisher Microsoft.Compute
Microsoft.Compute
Microsoft.Compute
virtualMachines
virtualMachineScaleSets
disks
properties.storageProfile.imageReference.publisher
properties.virtualMachineProfile.storageProfile.imageReference.publisher
properties.creationData.imageReference.id
True
True
True


False
False
False
Microsoft.Compute/imageSKU Microsoft.Compute
Microsoft.Compute
Microsoft.Compute
virtualMachines
virtualMachineScaleSets
disks
properties.storageProfile.imageReference.sku
properties.virtualMachineProfile.storageProfile.imageReference.sku
properties.creationData.imageReference.id
True
True
True


False
False
False
Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration Microsoft.Compute virtualMachines properties.osProfile.linuxConfiguration True True
Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration Microsoft.Compute virtualMachines properties.osProfile.windowsConfiguration True True
Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType Microsoft.Compute virtualMachines properties.storageProfile.osDisk.osType True True
Rule resource types IF (1)
Microsoft.Compute/virtualMachines
Compliance
The following 88 compliance controls are associated with this Policy definition 'Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity' (497dff13-db2a-4c0f-8603-28fa3b331ab6)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
ACAT_Security_Policies ACAT_Security_Policies ACAT Security Policies Guidelines for M365 Certification Protecting systems and resources Shared n/a Ensures that apps have strong security and compliance practices in place to protect customer data, security, and privacy. link 16
AU_ISM 1139 AU_ISM_1139 AU ISM 1139 Guidelines for Cryptography - Transport Layer Security Using Transport Layer Security - 1139 n/a Only the latest version of TLS is used. link 6
AU_ISM 1277 AU_ISM_1277 AU ISM 1277 Guidelines for Database Systems - Database servers Communications between database servers and web servers - 1277 n/a Data communicated between database servers and web applications is encrypted. link 6
AU_ISM 1503 AU_ISM_1503 AU ISM 1503 Guidelines for Personnel Security - Access to systems and their resources Standard access to systems - 1503 n/a Standard access to systems, applications and data repositories is limited to that required for personnel to undertake their duties. link 6
AU_ISM 1507 AU_ISM_1507 AU ISM 1507 Guidelines for Personnel Security - Access to systems and their resources Privileged access to systems - 1507 n/a Privileged access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis. link 4
AU_ISM 1508 AU_ISM_1508 AU ISM 1508 Guidelines for Personnel Security - Access to systems and their resources Privileged access to systems - 1508 n/a Privileged access to systems, applications and data repositories is limited to that required for personnel to undertake their duties. link 7
AU_ISM 1546 AU_ISM_1546 AU ISM 1546 Guidelines for System Hardening - Authentication hardening Authenticating to systems - 1546 n/a Users are authenticated before they are granted access to a system and its resources. link 7
AU_ISM 415 AU_ISM_415 AU ISM 415 Guidelines for Personnel Security - Access to systems and their resources User identification - 415 n/a The use of shared user accounts is strictly controlled, and personnel using such accounts are uniquely identifiable. link 4
AU_ISM 421 AU_ISM_421 AU ISM 421 Guidelines for System Hardening - Authentication hardening Single-factor authentication - 421 n/a Passphrases used for single-factor authentication are a minimum of 14 characters with complexity, ideally as 4 random words. link 4
AU_ISM 445 AU_ISM_445 AU ISM 445 Guidelines for Personnel Security - Access to systems and their resources Privileged access to systems - 445 n/a Privileged users are assigned a dedicated privileged account to be used solely for tasks requiring privileged access. link 4
Azure_Security_Benchmark_v1.0 1.11 Azure_Security_Benchmark_v1.0_1.11 Azure Security Benchmark 1.11 Network Security Use automated tools to monitor network resource configurations and detect changes Customer Use Azure Policy to validate (and/or remediate) configuration for network resources. How to configure and manage Azure Policy: https://docs.microsoft.com/azure/governance/policy/tutorials/create-and-manage Azure Policy samples for networking: https://docs.microsoft.com/azure/governance/policy/samples/#network n/a link 7
CCCS AC-17(1) CCCS_AC-17(1) CCCS AC-17(1) Access Control Remote Access | Automated Monitoring / Control n/a The information system monitors and controls remote access methods. link 7
CCCS AC-5 CCCS_AC-5 CCCS AC-5 Access Control Separation of Duties n/a (A) The organization: (a) Separate organization-defined duties of individuals including at least separation of operational, development, security monitoring, and management functions; (b) Documents separation of duties of individuals; and (c) Defines information system access authorizations to support separation of duties. link 7
CCCS AC-6 CCCS_AC-6 CCCS AC-6 Access Control Least Privilege n/a (A) The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. link 7
CCCS IA-5 CCCS_IA-5 CCCS IA-5 Identification and Authentication Authenticator Management n/a (A) The organization manages information system authenticators by verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator. (B) The organization manages information system authenticators by establishing initial authenticator content for authenticators defined by the organization. (C) The organization manages information system authenticators by ensuring that authenticators have sufficient strength of mechanism for their intended use. (D) The organization manages information system authenticators by establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators. (E) The organization manages information system authenticators by changing the default content of authenticators prior to information system installation. (F) The organization manages information system authenticators by establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators. (G) The organization manages information system authenticators by changing/refreshing authenticators in accordance with CCCS’s ITSP.30.031. (H) The organization manages information system authenticators by protecting authenticator content from unauthorized disclosure and modification. (I) The organization manages information system authenticators by requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators. (J) The organization manages information system authenticators by changing authenticators for group/role accounts when membership to those accounts changes. link 5
CCCS IA-5(1) CCCS_IA-5(1) CCCS IA-5(1) Identification and Authentication Authenticator Management | Password-Based Authentication n/a (a) The information system, for password-based authentication, enforces minimum password complexity of case sensitive, minimum of eight characters, and at least one each of upper-case letters, lower-case letters, numbers, and special characters; (b) The information system, for password-based authentication, enforces that at least one of the characters are changed when new passwords are created; (c) The information system, for password-based authentication, stores and transmits only cryptographically-protected passwords; (d) The information system, for password-based authentication, enforces password minimum and maximum lifetime restrictions of one-day minimum, sixty-day maximum; (e) The information system, for password-based authentication prohibits password reuse for 24 generations; and (f) The information system, for password-based authentication allows the use of a temporary password for system logons with an immediate change to a permanent password. link 8
CMMC_2.0_L2 AC.L1-3.1.1 CMMC_2.0_L2_AC.L1-3.1.1 404 not found n/a n/a 57
CMMC_2.0_L2 AC.L2-3.1.12 CMMC_2.0_L2_AC.L2-3.1.12 404 not found n/a n/a 35
CMMC_2.0_L2 CM.L2-3.4.1 CMMC_2.0_L2_CM.L2-3.4.1 404 not found n/a n/a 25
CMMC_2.0_L2 CM.L2-3.4.2 CMMC_2.0_L2_CM.L2-3.4.2 404 not found n/a n/a 27
CMMC_2.0_L2 IA.L1-3.5.2 CMMC_2.0_L2_IA.L1-3.5.2 404 not found n/a n/a 18
CMMC_2.0_L2 IA.L2-3.5.10 CMMC_2.0_L2_IA.L2-3.5.10 404 not found n/a n/a 7
CMMC_2.0_L2 IA.L2-3.5.7 CMMC_2.0_L2_IA.L2-3.5.7 404 not found n/a n/a 5
CMMC_2.0_L2 IA.L2-3.5.8 CMMC_2.0_L2_IA.L2-3.5.8 404 not found n/a n/a 4
CMMC_2.0_L2 SC.L2-3.13.8 CMMC_2.0_L2_SC.L2-3.13.8 404 not found n/a n/a 16
CMMC_L3 AC.1.001 CMMC_L3_AC.1.001 CMMC L3 AC.1.001 Access Control Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). Shared Microsoft and the customer share responsibilities for implementing this requirement. Access control policies (e.g., identity- or role-based policies, control matrices, and cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, and domains) in systems. Access enforcement mechanisms can be employed at the application and service level to provide increased information security. Other systems include systems internal and external to the organization. This requirement focuses on account management for systems and applications. The definition of and enforcement of access authorizations, other than those determined by account type (e.g., privileged verses non-privileged) are addressed in requirement AC.1.002. link 31
CMMC_L3 AC.2.013 CMMC_L3_AC.2.013 CMMC L3 AC.2.013 Access Control Monitor and control remote access sessions. Shared Microsoft and the customer share responsibilities for implementing this requirement. Remote access is access to organizational systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate control (e.g., employing encryption techniques for confidentiality protection), may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. VPNs with encrypted tunnels can affect the capability to adequately monitor network communications traffic for malicious code. Automated monitoring and control of remote access sessions allows organizations to detect cyberattacks and help to ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of system components (e.g., servers, workstations, notebook computers, smart phones, and tablets). link 10
CMMC_L3 AC.3.021 CMMC_L3_AC.3.021 CMMC L3 AC.3.021 Access Control Authorize remote execution of privileged commands and remote access to security-relevant information. Shared Microsoft and the customer share responsibilities for implementing this requirement. A privileged command is a human-initiated (interactively or via a process operating on behalf of the human) command executed on a system involving the control, monitoring, or administration of the system including security functions and associated security-relevant information. Securityrelevant information is any information within the system that can potentially impact the operation of security functions or the provision of security services in a manner that could result in failure to enforce the system security policy or maintain isolation of code and data. Privileged commands give individuals the ability to execute sensitive, security-critical, or security-relevant system functions. Controlling such access from remote locations helps to ensure that unauthorized individuals are not able to execute such commands freely with the potential to do serious or catastrophic damage to organizational systems. Note that the ability to affect the integrity of the system is considered security-relevant as that could enable the means to by-pass security functions although not directly impacting the function itself. link 10
CMMC_L3 IA.1.077 CMMC_L3_IA.1.077 CMMC L3 IA.1.077 Identification and Authentication Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. Shared Microsoft and the customer share responsibilities for implementing this requirement. Individual authenticators include the following: passwords, key cards, cryptographic devices, and one-time password devices. Initial authenticator content is the actual content of the authenticator, for example, the initial password. In contrast, the requirements about authenticator content include the minimum password length. Developers ship system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. Systems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics including minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include certificates and passwords. link 9
CMMC_L3 IA.2.078 CMMC_L3_IA.2.078 CMMC L3 IA.2.078 Identification and Authentication Enforce a minimum password complexity and change of characters when new passwords are created. Shared Microsoft and the customer share responsibilities for implementing this requirement. This requirement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are used as part of multifactor authenticators. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. link 7
CMMC_L3 IA.2.079 CMMC_L3_IA.2.079 CMMC L3 IA.2.079 Identification and Authentication Prohibit password reuse for a specified number of generations. Shared Microsoft and the customer share responsibilities for implementing this requirement. Password lifetime restrictions do not apply to temporary passwords. link 5
CMMC_L3 IA.2.081 CMMC_L3_IA.2.081 CMMC L3 IA.2.081 Identification and Authentication Store and transmit only cryptographically-protected passwords. Shared Microsoft and the customer share responsibilities for implementing this requirement. Cryptographically-protected passwords use salted one-way cryptographic hashes of passwords. link 5
FedRAMP_High_R4 AC-17 FedRAMP_High_R4_AC-17 FedRAMP High AC-17 Access Control Remote Access Shared n/a The organization: a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and b. Authorizes remote access to the information system prior to allowing such connections. Supplemental Guidance: Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3. Related controls: AC-2, AC-3, AC-18, AC-19, AC-20, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, MA-4, PE-17, PL-4, SC-10, SI-4. References: NIST Special Publications 800-46, 800-77, 800-113, 800-114, 800-121. link 41
FedRAMP_High_R4 AC-17(1) FedRAMP_High_R4_AC-17(1) FedRAMP High AC-17 (1) Access Control Automated Monitoring / Control Shared n/a The information system monitors and controls remote access methods. Supplemental Guidance: Automated monitoring and control of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of information system components (e.g., servers, workstations, notebook computers, smart phones, and tablets). Related controls: AU-2, AU-12. link 37
FedRAMP_High_R4 AC-3 FedRAMP_High_R4_AC-3 FedRAMP High AC-3 Access Control Access Enforcement Shared n/a The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. Supplemental Guidance: Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, domains) in information systems. In addition to enforcing authorized access at the information system level and recognizing that information systems can host many applications and services in support of organizational missions and business operations, access enforcement mechanisms can also be employed at the application and service level to provide increased information security. Related controls: AC-2, AC-4, AC-5, AC-6, AC-16, AC-17, AC-18, AC-19, AC-20, AC-21, AC-22, AU-9, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PE-3. References: None. link 21
FedRAMP_High_R4 IA-5 FedRAMP_High_R4_IA-5 FedRAMP High IA-5 Identification And Authentication Authenticator Management Shared n/a The organization manages information system authenticators by: a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator; b. Establishing initial authenticator content for authenticators defined by the organization; c. Ensuring that authenticators have sufficient strength of mechanism for their intended use; d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators; e. Changing default content of authenticators prior to information system installation; f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators; g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type]; h. Protecting authenticator content from unauthorized disclosure and modification; i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and j. Changing authenticators for group/role accounts when membership to those accounts changes. Supplemental Guidance: Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28. References: OMB Memoranda 04-04, 11-11; FIPS Publication 201; NIST Special Publications 800-73, 800-63, 800-76, 800-78; FICAM Roadmap and Implementation Guidance link 18
FedRAMP_High_R4 IA-5(1) FedRAMP_High_R4_IA-5(1) FedRAMP High IA-5 (1) Identification And Authentication Password-Based Authentication Shared n/a The information system, for password-based authentication: (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number]; (c) Stores and transmits only encrypted representations of passwords; (d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization- defined numbers for lifetime minimum, lifetime maximum]; (e) Prohibits password reuse for [Assignment: organization-defined number] generations; and (f) Allows the use of a temporary password for system logons with an immediate change to a permanent password. Supplemental Guidance: This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Encrypted representations of passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. Related control: IA-6. link 15
FedRAMP_Moderate_R4 AC-17 FedRAMP_Moderate_R4_AC-17 FedRAMP Moderate AC-17 Access Control Remote Access Shared n/a The organization: a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and b. Authorizes remote access to the information system prior to allowing such connections. Supplemental Guidance: Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3. Related controls: AC-2, AC-3, AC-18, AC-19, AC-20, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, MA-4, PE-17, PL-4, SC-10, SI-4. References: NIST Special Publications 800-46, 800-77, 800-113, 800-114, 800-121. link 41
FedRAMP_Moderate_R4 AC-17(1) FedRAMP_Moderate_R4_AC-17(1) FedRAMP Moderate AC-17 (1) Access Control Automated Monitoring / Control Shared n/a The information system monitors and controls remote access methods. Supplemental Guidance: Automated monitoring and control of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of information system components (e.g., servers, workstations, notebook computers, smart phones, and tablets). Related controls: AU-2, AU-12. link 37
FedRAMP_Moderate_R4 AC-3 FedRAMP_Moderate_R4_AC-3 FedRAMP Moderate AC-3 Access Control Access Enforcement Shared n/a The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. Supplemental Guidance: Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, domains) in information systems. In addition to enforcing authorized access at the information system level and recognizing that information systems can host many applications and services in support of organizational missions and business operations, access enforcement mechanisms can also be employed at the application and service level to provide increased information security. Related controls: AC-2, AC-4, AC-5, AC-6, AC-16, AC-17, AC-18, AC-19, AC-20, AC-21, AC-22, AU-9, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PE-3. References: None. link 21
FedRAMP_Moderate_R4 IA-5 FedRAMP_Moderate_R4_IA-5 FedRAMP Moderate IA-5 Identification And Authentication Authenticator Management Shared n/a The organization manages information system authenticators by: a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator; b. Establishing initial authenticator content for authenticators defined by the organization; c. Ensuring that authenticators have sufficient strength of mechanism for their intended use; d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators; e. Changing default content of authenticators prior to information system installation; f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators; g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type]; h. Protecting authenticator content from unauthorized disclosure and modification; i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and j. Changing authenticators for group/role accounts when membership to those accounts changes. Supplemental Guidance: Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28. References: OMB Memoranda 04-04, 11-11; FIPS Publication 201; NIST Special Publications 800-73, 800-63, 800-76, 800-78; FICAM Roadmap and Implementation Guidance link 18
FedRAMP_Moderate_R4 IA-5(1) FedRAMP_Moderate_R4_IA-5(1) FedRAMP Moderate IA-5 (1) Identification And Authentication Password-Based Authentication Shared n/a The information system, for password-based authentication: (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number]; (c) Stores and transmits only encrypted representations of passwords; (d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization- defined numbers for lifetime minimum, lifetime maximum]; (e) Prohibits password reuse for [Assignment: organization-defined number] generations; and (f) Allows the use of a temporary password for system logons with an immediate change to a permanent password. Supplemental Guidance: This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Encrypted representations of passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. Related control: IA-6. link 15
IRS_1075_9.3 .1.12 IRS_1075_9.3.1.12 IRS 1075 9.3.1.12 Access Control Remote Access (AC-17) n/a The agency must: a. Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed b. Authorize remote access to the information system prior to allowing such connections c. Authorize and document the execution of privileged commands and access to security-relevant information via remote access for compelling operational needs only (CE4) The information system must: a. Monitor and control remote access methods (CE1) b. Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions where FTI is transmitted over the remote connection and (CE2) c. Route all remote accesses through a limited number of managed network access control points (CE3) Remote access is defined as any access to an agency information system by a user communicating through an external network, for example, the Internet. Any remote access where FTI is accessed over the remote connection must be performed using multi-factor authentication. FTI cannot be accessed remotely by agency employees, agents, representatives, or contractors located offshore--outside of the United States territories, embassies, or military installations. Further, FTI may not be received, processed, stored, transmitted, or disposed of by IT systems located offshore. link 7
IRS_1075_9.3 .1.5 IRS_1075_9.3.1.5 IRS 1075 9.3.1.5 Access Control Separation of Duties (AC-5) n/a The agency must: a. Separate duties of individuals to prevent harmful activity without collusion b. Document separation of duties of individuals c. Define information system access authorizations to support separation of duties link 7
IRS_1075_9.3 .1.6 IRS_1075_9.3.1.6 IRS 1075 9.3.1.6 Access Control Least Privilege (AC-6) n/a The agency must: a. Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned tasks in accordance with agency missions and business functions b. Explicitly authorize access to FTI (CE1) c. Require that users of information system accounts, or roles, with access to FTI, use non-privileged accounts or roles when accessing non-security functions (CE2) d. Restrict privileged accounts on the information system to a limited number of individuals with a need to perform administrative duties (CE5) The information system must: a. Audit the execution of privileged functions (CE9) b. Prevent non-privileged users from executing privileged functions; including disabling, circumventing, or altering implemented security safeguards/countermeasures (CE10) link 7
IRS_1075_9.3 .16.6 IRS_1075_9.3.16.6 IRS 1075 9.3.16.6 System and Communications Protection Transmission Confidentiality and Integrity (SC-8) n/a Information systems that receive, process, store, or transmit FTI, must: a. Protect the confidentiality and integrity of transmitted information b. Implement FIPS 140-2 cryptographic mechanisms to prevent unauthorized disclosure of FTI and detect changes to information during transmission across the wide area network (WAN) and within the local area network (LAN) (CE1) The agency must ensure that all network infrastructure, access points, wiring, conduits, and cabling are within the control of authorized agency personnel. Network monitoring capabilities must be implemented to detect and monitor for suspicious network traffic. For physical security protections of transmission medium, see Section 9.3.11.4, Access Control for Transmission Medium (PE-4). This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, fax machines). link 8
IRS_1075_9.3 .7.5 IRS_1075_9.3.7.5 IRS 1075 9.3.7.5 Identification and Authentication Authenticator Management (IA-5) n/a The agency must manage information system authenticators by: a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator b. Establishing initial authenticator content for authenticators defined by the agency c. Ensuring that authenticators have sufficient strength of mechanism for their intended use d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators e. Changing default content of authenticators prior to information system installation f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators g. Changing/refreshing authenticators h. Protecting authenticator content from unauthorized disclosure and modification i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators j. Changing authenticators for group/role accounts when membership to those accounts changes The information system must, for password-based authentication: a. Enforce minimum password complexity of: 1. Eight characters 2. At least one numeric and at least one special character 3. A mixture of at least one uppercase and at least one lowercase letter 4. Storing and transmitting only encrypted representations of passwords b. Enforce password minimum lifetime restriction of one day c. Enforce non-privileged account passwords to be changed at least every 90 days d. Enforce privileged account passwords to be changed at least every 60 days e. Prohibit password reuse for 24 generations f. Allow the use of a temporary password for system logon requiring an immediate change to a permanent password g. Password-protect system initialization (boot) settings link 12
ISO27001-2013 A.10.1.1 ISO27001-2013_A.10.1.1 ISO 27001:2013 A.10.1.1 Cryptography Policy on the use of cryptographic controls Shared n/a A policy on the use of cryptographic controls for protection of information shall be developed and implemented. link 17
ISO27001-2013 A.9.1.2 ISO27001-2013_A.9.1.2 ISO 27001:2013 A.9.1.2 Access Control Access to networks and network services Shared n/a Users shall only be provided with access to the network and network services that they have been specifically authorized to use. link 29
ISO27001-2013 A.9.2.4 ISO27001-2013_A.9.2.4 ISO 27001:2013 A.9.2.4 Access Control Management of secret authentication information of users Shared n/a The allocation of secret authentication information shall be controlled through a formal management process. link 21
ISO27001-2013 A.9.4.3 ISO27001-2013_A.9.4.3 ISO 27001:2013 A.9.4.3 Access Control Password management system Shared n/a Password management systems shall be interactive and shall ensure quality password. link 22
mp.info.3 Electronic signature mp.info.3 Electronic signature 404 not found n/a n/a 40
mp.s.2 Protection of web services and applications mp.s.2 Protection of web services and applications 404 not found n/a n/a 102
mp.si.2 Cryptography mp.si.2 Cryptography 404 not found n/a n/a 32
mp.si.4 Transport mp.si.4 Transport 404 not found n/a n/a 24
NIST_SP_800-171_R2_3 .1.1 NIST_SP_800-171_R2_3.1.1 NIST SP 800-171 R2 3.1.1 Access Control Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). Shared Microsoft and the customer share responsibilities for implementing this requirement. Access control policies (e.g., identity- or role-based policies, control matrices, and cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, and domains) in systems. Access enforcement mechanisms can be employed at the application and service level to provide increased information security. Other systems include systems internal and external to the organization. This requirement focuses on account management for systems and applications. The definition of and enforcement of access authorizations, other than those determined by account type (e.g., privileged verses non-privileged) are addressed in requirement 3.1.2. link 55
NIST_SP_800-171_R2_3 .1.12 NIST_SP_800-171_R2_3.1.12 NIST SP 800-171 R2 3.1.12 Access Control Monitor and control remote access sessions. Shared Microsoft and the customer share responsibilities for implementing this requirement. Remote access is access to organizational systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate control (e.g., employing encryption techniques for confidentiality protection), may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. VPNs with encrypted tunnels can affect the capability to adequately monitor network communications traffic for malicious code. Automated monitoring and control of remote access sessions allows organizations to detect cyber-attacks and help to ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of system components (e.g., servers, workstations, notebook computers, smart phones, and tablets). [SP 800-46], [SP 800-77], and [SP 800-113] provide guidance on secure remote access and virtual private networks. link 36
NIST_SP_800-171_R2_3 .5.10 NIST_SP_800-171_R2_3.5.10 NIST SP 800-171 R2 3.5.10 Identification and Authentication Store and transmit only cryptographically-protected passwords. Shared Microsoft and the customer share responsibilities for implementing this requirement. Cryptographically-protected passwords use salted one-way cryptographic hashes of passwords. See [NIST CRYPTO]. link 9
NIST_SP_800-171_R2_3 .5.2 NIST_SP_800-171_R2_3.5.2 NIST SP 800-171 R2 3.5.2 Identification and Authentication Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. Shared Microsoft and the customer share responsibilities for implementing this requirement. Individual authenticators include the following: passwords, key cards, cryptographic devices, and one-time password devices. Initial authenticator content is the actual content of the authenticator, for example, the initial password. In contrast, the requirements about authenticator content include the minimum password length. Developers ship system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. Systems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics including minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include certificates and passwords. [SP 800-63-3] provides guidance on digital identities. link 24
NIST_SP_800-171_R2_3 .5.7 NIST_SP_800-171_R2_3.5.7 NIST SP 800-171 R2 3.5.7 Identification and Authentication Enforce a minimum password complexity and change of characters when new passwords are created. Shared Microsoft and the customer share responsibilities for implementing this requirement. This requirement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are used as part of multifactor authenticators. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. link 8
NIST_SP_800-171_R2_3 .5.8 NIST_SP_800-171_R2_3.5.8 NIST SP 800-171 R2 3.5.8 Identification and Authentication Prohibit password reuse for a specified number of generations. Shared Microsoft and the customer share responsibilities for implementing this requirement. Password lifetime restrictions do not apply to temporary passwords link 4
NIST_SP_800-53_R4 AC-17 NIST_SP_800-53_R4_AC-17 NIST SP 800-53 Rev. 4 AC-17 Access Control Remote Access Shared n/a The organization: a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and b. Authorizes remote access to the information system prior to allowing such connections. Supplemental Guidance: Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3. Related controls: AC-2, AC-3, AC-18, AC-19, AC-20, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, MA-4, PE-17, PL-4, SC-10, SI-4. References: NIST Special Publications 800-46, 800-77, 800-113, 800-114, 800-121. link 41
NIST_SP_800-53_R4 AC-17(1) NIST_SP_800-53_R4_AC-17(1) NIST SP 800-53 Rev. 4 AC-17 (1) Access Control Automated Monitoring / Control Shared n/a The information system monitors and controls remote access methods. Supplemental Guidance: Automated monitoring and control of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of information system components (e.g., servers, workstations, notebook computers, smart phones, and tablets). Related controls: AU-2, AU-12. link 37
NIST_SP_800-53_R4 AC-3 NIST_SP_800-53_R4_AC-3 NIST SP 800-53 Rev. 4 AC-3 Access Control Access Enforcement Shared n/a The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. Supplemental Guidance: Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, domains) in information systems. In addition to enforcing authorized access at the information system level and recognizing that information systems can host many applications and services in support of organizational missions and business operations, access enforcement mechanisms can also be employed at the application and service level to provide increased information security. Related controls: AC-2, AC-4, AC-5, AC-6, AC-16, AC-17, AC-18, AC-19, AC-20, AC-21, AC-22, AU-9, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PE-3. References: None. link 21
NIST_SP_800-53_R4 IA-5 NIST_SP_800-53_R4_IA-5 NIST SP 800-53 Rev. 4 IA-5 Identification And Authentication Authenticator Management Shared n/a The organization manages information system authenticators by: a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator; b. Establishing initial authenticator content for authenticators defined by the organization; c. Ensuring that authenticators have sufficient strength of mechanism for their intended use; d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators; e. Changing default content of authenticators prior to information system installation; f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators; g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type]; h. Protecting authenticator content from unauthorized disclosure and modification; i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and j. Changing authenticators for group/role accounts when membership to those accounts changes. Supplemental Guidance: Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28. References: OMB Memoranda 04-04, 11-11; FIPS Publication 201; NIST Special Publications 800-73, 800-63, 800-76, 800-78; FICAM Roadmap and Implementation Guidance link 18
NIST_SP_800-53_R4 IA-5(1) NIST_SP_800-53_R4_IA-5(1) NIST SP 800-53 Rev. 4 IA-5 (1) Identification And Authentication Password-Based Authentication Shared n/a The information system, for password-based authentication: (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number]; (c) Stores and transmits only encrypted representations of passwords; (d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization- defined numbers for lifetime minimum, lifetime maximum]; (e) Prohibits password reuse for [Assignment: organization-defined number] generations; and (f) Allows the use of a temporary password for system logons with an immediate change to a permanent password. Supplemental Guidance: This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Encrypted representations of passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. Related control: IA-6. link 15
NIST_SP_800-53_R5 AC-17 NIST_SP_800-53_R5_AC-17 NIST SP 800-53 Rev. 5 AC-17 Access Control Remote Access Shared n/a a. Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and b. Authorize each type of remote access to the system prior to allowing such connections. link 41
NIST_SP_800-53_R5 AC-17(1) NIST_SP_800-53_R5_AC-17(1) NIST SP 800-53 Rev. 5 AC-17 (1) Access Control Monitoring and Control Shared n/a Employ automated mechanisms to monitor and control remote access methods. link 37
NIST_SP_800-53_R5 AC-3 NIST_SP_800-53_R5_AC-3 NIST SP 800-53 Rev. 5 AC-3 Access Control Access Enforcement Shared n/a Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. link 21
NIST_SP_800-53_R5 IA-5 NIST_SP_800-53_R5_IA-5 NIST SP 800-53 Rev. 5 IA-5 Identification and Authentication Authenticator Management Shared n/a Manage system authenticators by: a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator; b. Establishing initial authenticator content for any authenticators issued by the organization; c. Ensuring that authenticators have sufficient strength of mechanism for their intended use; d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators; e. Changing default authenticators prior to first use; f. Changing or refreshing authenticators [Assignment: organization-defined time period by authenticator type] or when [Assignment: organization-defined events] occur; g. Protecting authenticator content from unauthorized disclosure and modification; h. Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and i. Changing authenticators for group or role accounts when membership to those accounts changes. link 18
NIST_SP_800-53_R5 IA-5(1) NIST_SP_800-53_R5_IA-5(1) NIST SP 800-53 Rev. 5 IA-5 (1) Identification and Authentication Password-based Authentication Shared n/a For password-based authentication: (a) Maintain a list of commonly-used, expected, or compromised passwords and update the list [Assignment: organization-defined frequency] and when organizational passwords are suspected to have been compromised directly or indirectly; (b) Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a); (c) Transmit passwords only over cryptographically-protected channels; (d) Store passwords using an approved salted key derivation function, preferably using a keyed hash; (e) Require immediate selection of a new password upon account recovery; (f) Allow user selection of long passwords and passphrases, including spaces and all printable characters; (g) Employ automated tools to assist the user in selecting strong password authenticators; and (h) Enforce the following composition and complexity rules: [Assignment: organization-defined composition and complexity rules]. link 15
op.acc.1 Identification op.acc.1 Identification 404 not found n/a n/a 66
op.acc.2 Access requirements op.acc.2 Access requirements 404 not found n/a n/a 64
op.acc.5 Authentication mechanism (external users) op.acc.5 Authentication mechanism (external users) 404 not found n/a n/a 72
op.acc.6 Authentication mechanism (organization users) op.acc.6 Authentication mechanism (organization users) 404 not found n/a n/a 78
op.exp.10 Cryptographic key protection op.exp.10 Cryptographic key protection 404 not found n/a n/a 53
op.ext.4 Interconnection of systems op.ext.4 Interconnection of systems 404 not found n/a n/a 68
PCI_DSS_V3.2.1 8.2.3 PCI_DSS_v3.2.1_8.2.3 PCI DSS v3.2.1 8.2.3 Requirement 8 PCI DSS requirement 8.2.3 customer n/a n/a link 6
PCI_DSS_V3.2.1 8.2.5 PCI_DSS_v3.2.1_8.2.5 PCI DSS v3.2.1 8.2.5 Requirement 8 PCI DSS requirement 8.2.5 customer n/a n/a link 6
PCI_DSS_v4.0 8.3.6 PCI_DSS_v4.0_8.3.6 PCI DSS v4.0 8.3.6 Requirement 08: Identify Users and Authenticate Access to System Components Strong authentication for users and administrators is established and managed Shared n/a If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they meet the following minimum level of complexity: • A minimum length of 12 characters (or IF the system does not support 12 characters, a minimum length of eight characters). • Contain both numeric and alphabetic characters. link 9
SWIFT_CSCF_v2021 6.4 SWIFT_CSCF_v2021_6.4 SWIFT CSCF v2021 6.4 Detect Anomalous Activity to Systems or Transaction Records Logging and Monitoring n/a Record security events and detect anomalous actions and operations within the local SWIFT environment. link 33
SWIFT_CSCF_v2022 2.2 SWIFT_CSCF_v2022_2.2 SWIFT CSCF v2022 2.2 2. Reduce Attack Surface and Vulnerabilities Minimise the occurrence of known technical vulnerabilities on operator PCs and within the local SWIFT infrastructure by ensuring vendor support, applying mandatory software updates, and applying timely security updates aligned to the assessed risk. Shared n/a All hardware and software inside the secure zone and on operator PCs are within the support life cycle of the vendor, have been upgraded with mandatory software updates, and have had security updates promptly applied. link 11
SWIFT_CSCF_v2022 2.3 SWIFT_CSCF_v2022_2.3 SWIFT CSCF v2022 2.3 2. Reduce Attack Surface and Vulnerabilities Reduce the cyber-attack surface of SWIFT-related components by performing system hardening. Shared n/a Security hardening is conducted and maintained on all in-scope components. link 25
SWIFT_CSCF_v2022 2.6 SWIFT_CSCF_v2022_2.6 SWIFT CSCF v2022 2.6 2. Reduce Attack Surface and Vulnerabilities Protect the confidentiality and integrity of interactive operator sessions that connect to the local or remote (operated by a service provider) SWIFT infrastructure or service provider SWIFT-related applications Shared n/a The confidentiality and integrity of interactive operator sessions that connect to service provider SWIFT-related applications or into the secure zone are safeguarded. link 17
SWIFT_CSCF_v2022 4.1 SWIFT_CSCF_v2022_4.1 SWIFT CSCF v2022 4.1 4. Prevent Compromise of Credentials Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy. Shared n/a All application and operating system accounts enforce passwords with appropriate parameters such as length, complexity, validity, and the number of failed login attempts. Similarly, personal tokens and mobile devices enforce passwords or a Personal Identification Number (PIN) with appropriate parameters. link 17
SWIFT_CSCF_v2022 5.1 SWIFT_CSCF_v2022_5.1 SWIFT CSCF v2022 5.1 5. Manage Identities and Segregate Privileges Enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts. Shared n/a Accounts are defined according to the security principles of need-to-know access, least privilege, and separation of duties. link 35
SWIFT_CSCF_v2022 6.4 SWIFT_CSCF_v2022_6.4 SWIFT CSCF v2022 6.4 6. Detect Anomalous Activity to Systems or Transaction Records Record security events and detect anomalous actions and operations within the local SWIFT environment. Shared n/a Capabilities to detect anomalous activity are implemented, and a process or tool is in place to keep and review logs. link 51
UK_NCSC_CSP 10 UK_NCSC_CSP_10 UK NCSC CSP 10 Identity and authentication Identity and authentication Shared n/a All access to service interfaces should be constrained to authenticated and authorised individuals. link 25
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
[Deprecated]: Azure Security Benchmark v1 42a694ed-f65e-42b2-aa9e-8052e9740a92 Regulatory Compliance Deprecated BuiltIn
[Deprecated]: DoD Impact Level 4 8d792a84-723c-4d92-a3c3-e4ed16a2d133 Regulatory Compliance Deprecated BuiltIn
[Preview]: Australian Government ISM PROTECTED 27272c0b-c225-4cc3-b8b0-f2534b093077 Regulatory Compliance Preview BuiltIn
[Preview]: CMMC 2.0 Level 2 4e50fd13-098b-3206-61d6-d1d78205cb45 Regulatory Compliance Preview BuiltIn
[Preview]: Motion Picture Association of America (MPAA) 92646f03-e39d-47a9-9e24-58d60ef49af8 Regulatory Compliance Preview BuiltIn
[Preview]: SWIFT CSP-CSCF v2020 3e0c67fc-8c7c-406c-89bd-6b6bdc986a22 Regulatory Compliance Preview BuiltIn
[Preview]: SWIFT CSP-CSCF v2021 abf84fac-f817-a70c-14b5-47eec767458a Regulatory Compliance Preview BuiltIn
ACAT for Microsoft 365 Certification 80307b86-ab81-45ab-bf4f-4e0b93cf3dd5 Regulatory Compliance GA BuiltIn
Canada Federal PBMM 4c4a5f27-de81-430b-b4e5-9cbd50595a87 Regulatory Compliance GA BuiltIn
CMMC Level 3 b5629c75-5c77-4422-87b9-2509e680f8de Regulatory Compliance GA BuiltIn
Deploy prerequisites to enable Guest Configuration policies on virtual machines 12794019-7a00-42cf-95c2-882eed337cc8 Guest Configuration GA BuiltIn
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
IRS1075 September 2016 105e0327-6175-4eb2-9af4-1fba43bdb39d Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
PCI v3.2.1:2018 496eeda9-8f2f-4d5e-8dfd-204f0a92ed41 Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
UK OFFICIAL and UK NHS 3937f550-eedd-4639-9c5e-294358be442e Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2024-01-22 17:47:54 change Minor (4.0.0 > 4.1.0)
2022-03-18 17:53:47 change Major (3.0.0 > 4.0.0)
2022-02-18 17:44:00 change Major (2.0.0 > 3.0.0)
2022-01-28 17:51:01 change Major (1.1.0 > 2.0.0)
2021-12-06 22:17:57 change Minor (1.0.0 > 1.1.0)
2020-09-15 14:06:41 change Previous DisplayName: [Preview]: Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
2020-08-05 13:05:29 change Previous DisplayName: [Preview]: Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with a user-assigned identity
2020-07-17 15:57:10 add 497dff13-db2a-4c0f-8603-28fa3b331ab6
2020-06-29 05:46:45 remove 497dff13-db2a-4c0f-8603-28fa3b331ab6
2020-06-23 16:03:25 add 497dff13-db2a-4c0f-8603-28fa3b331ab6
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC