last sync: 2024-May-24 18:03:04 UTC

Require external service providers to comply with security requirements | Regulatory Compliance - Documentation

Azure BuiltIn Policy definition

Source Azure Portal
Display name Require external service providers to comply with security requirements
Id 4e45863d-9ea9-32b4-a204-2680bc6007a6
Version 1.1.0
Details on versioning
Category Regulatory Compliance
Microsoft Learn
Description CMA_C1586 - Require external service providers to comply with security requirements
Additional metadata Name/Id: CMA_C1586 / CMA_C1586
Category: Documentation
Title: Require external service providers to comply with security requirements
Ownership: Customer
Description: The customer is responsible for requiring that external service providers comply with the customer's information security requirements and employ customer-defined security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 46 compliance controls are associated with this Policy definition 'Require external service providers to comply with security requirements' (4e45863d-9ea9-32b4-a204-2680bc6007a6)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 SA-9 FedRAMP_High_R4_SA-9 FedRAMP High SA-9 System And Services Acquisition External Information System Services Shared n/a The organization: a. Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and c. Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis. Supplemental Guidance: External information system services are services that are implemented outside of the authorization boundaries of organizational information systems. This includes services that are used by, but not a part of, organizational information systems. FISMA and OMB policy require that organizations using external service providers that are processing, storing, or transmitting federal information or operating information systems on behalf of the federal government ensure that such providers meet the same security requirements that federal agencies are required to meet. Organizations establish relationships with external service providers in a variety of ways including, for example, through joint ventures, business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, and supply chain exchanges. The responsibility for managing risks from the use of external information system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a level of confidence that each participating provider in the potentially complex consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on the relationships between organizations and the external providers. Organizations document the basis for trust relationships so the relationships can be monitored over time. External information system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for security controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance. Related controls: CA-3, IR-7, PS-7. References: NIST Special Publication 800-35. link 4
FedRAMP_Moderate_R4 SA-9 FedRAMP_Moderate_R4_SA-9 FedRAMP Moderate SA-9 System And Services Acquisition External Information System Services Shared n/a The organization: a. Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and c. Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis. Supplemental Guidance: External information system services are services that are implemented outside of the authorization boundaries of organizational information systems. This includes services that are used by, but not a part of, organizational information systems. FISMA and OMB policy require that organizations using external service providers that are processing, storing, or transmitting federal information or operating information systems on behalf of the federal government ensure that such providers meet the same security requirements that federal agencies are required to meet. Organizations establish relationships with external service providers in a variety of ways including, for example, through joint ventures, business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, and supply chain exchanges. The responsibility for managing risks from the use of external information system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a level of confidence that each participating provider in the potentially complex consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on the relationships between organizations and the external providers. Organizations document the basis for trust relationships so the relationships can be monitored over time. External information system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for security controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance. Related controls: CA-3, IR-7, PS-7. References: NIST Special Publication 800-35. link 4
hipaa 0837.09.n2Organizational.2-09.n hipaa-0837.09.n2Organizational.2-09.n 0837.09.n2Organizational.2-09.n 08 Network Protection 0837.09.n2Organizational.2-09.n 09.06 Network Security Management Shared n/a Formal agreements with external information system providers include specific obligations for security and privacy. 20
hipaa 0888.09n2Organizational.6-09.n hipaa-0888.09n2Organizational.6-09.n 0888.09n2Organizational.6-09.n 08 Network Protection 0888.09n2Organizational.6-09.n 09.06 Network Security Management Shared n/a The contract with the external/outsourced service provider includes the specification that the service provider is responsible for the protection of covered information shared. 17
hipaa 1408.09e1System.1-09.e hipaa-1408.09e1System.1-09.e 1408.09e1System.1-09.e 14 Third Party Assurance 1408.09e1System.1-09.e 09.02 Control Third Party Service Delivery Shared n/a Service Level Agreements (SLAs) or contracts with an agreed service arrangement address liability, service definitions, security controls, and other aspects of services management. 6
hipaa 1411.09f1System.1-09.f hipaa-1411.09f1System.1-09.f 1411.09f1System.1-09.f 14 Third Party Assurance 1411.09f1System.1-09.f 09.02 Control Third Party Service Delivery Shared n/a The results of monitoring activities of third-party services are compared against the Service Level Agreements or contracts at least annually. 9
hipaa 1422.05j2Organizational.3-05.j hipaa-1422.05j2Organizational.3-05.j 1422.05j2Organizational.3-05.j 14 Third Party Assurance 1422.05j2Organizational.3-05.j 05.02 External Parties Shared n/a All security requirements resulting from work with external parties or internal controls are reflected by the agreement with the external party. 6
hipaa 1423.05j2Organizational.4-05.j hipaa-1423.05j2Organizational.4-05.j 1423.05j2Organizational.4-05.j 14 Third Party Assurance 1423.05j2Organizational.4-05.j 05.02 External Parties Shared n/a For all system connections that allow customers to access the organization's computing assets such as websites, kiosks, and public access terminals, the organization provides appropriate text or a link to the organization's privacy policy for data use and protection as well as the customer's responsibilities when accessing the data. 9
hipaa 1438.09e2System.4-09.e hipaa-1438.09e2System.4-09.e 1438.09e2System.4-09.e 14 Third Party Assurance 1438.09e2System.4-09.e 09.02 Control Third Party Service Delivery Shared n/a The service provider protects the company's data with reasonable controls (e.g., policies and procedures) designed to detect, prevent, and mitigate risk. 14
hipaa 1450.05i2Organizational.2-05.i hipaa-1450.05i2Organizational.2-05.i 1450.05i2Organizational.2-05.i 14 Third Party Assurance 1450.05i2Organizational.2-05.i 05.02 External Parties Shared n/a The organization obtains satisfactory assurances that reasonable information security exists across its information supply chain by performing an annual review, which includes all partners/third-party providers upon which their information supply chain depends. 10
hipaa 1451.05iCSPOrganizational.2-05.i hipaa-1451.05iCSPOrganizational.2-05.i 1451.05iCSPOrganizational.2-05.i 14 Third Party Assurance 1451.05iCSPOrganizational.2-05.i 05.02 External Parties Shared n/a Cloud service providers design and implement controls to mitigate and contain data security risks through proper separation of duties, role-based access, and least-privilege access for all personnel within their supply chain. 21
hipaa 1453.05kCSPOrganizational.2-05.k hipaa-1453.05kCSPOrganizational.2-05.k 1453.05kCSPOrganizational.2-05.k 14 Third Party Assurance 1453.05kCSPOrganizational.2-05.k 05.02 External Parties Shared n/a Supply chain agreements (e.g., SLAs) between cloud service providers and customers (tenants) incorporate at least the following mutually-agreed upon provisions and/or terms: (i) scope of business relationship and services offered, data acquisition, exchange and usage, feature sets and functionality, personnel and infrastructure network and systems components for service delivery and support, roles and responsibilities of provider and customer (tenant) and any subcontracted or outsourced business relationships, physical geographical location of hosted services, and any known regulatory compliance considerations; (ii) information security requirements, points of contact, and references to detailed supporting and relevant business processes and technical measures implemented; (iii) notification and/or pre-authorization of any changes controlled by the provider with customer (tenant) impacts; (iv) timely notification of a security incident to all customers (tenants) and other business relationships impacted; (v) assessment and independent verification of compliance with agreement provisions and/or terms (e.g., industry-acceptable certification, attestation audit report, or equivalent forms of assurance) without posing an unacceptable business risk of exposure to the organization being assessed; (vi) expiration of the business relationship and treatment of customer (tenant) data impacted; and, (vii) customer (tenant) service-to-service application (API) and data interoperability and portability requirements for application development and information exchange, usage, and integrity persistence. 10
hipaa 1454.05kCSPOrganizational.3-05.k hipaa-1454.05kCSPOrganizational.3-05.k 1454.05kCSPOrganizational.3-05.k 14 Third Party Assurance 1454.05kCSPOrganizational.3-05.k 05.02 External Parties Shared n/a Service agreements (e.g., SLAs) between providers and customers (tenants) across the relevant supply chain (upstream/downstream) are reviewed consistently and no less than annually to identify any non-conformance to established agreements. The reviews result in actions to address service-level conflicts or inconsistencies resulting from disparate supplier relationships. 8
hipaa 1455.05kCSPOrganizational.4-05.k hipaa-1455.05kCSPOrganizational.4-05.k 1455.05kCSPOrganizational.4-05.k 14 Third Party Assurance 1455.05kCSPOrganizational.4-05.k 05.02 External Parties Shared n/a Third-party service providers demonstrate compliance with information security and confidentiality, access control, service definitions, and service-level agreements included in third-party contracts. Third-party reports, records, and services undergo audit and review at least annually to govern and maintain compliance with the service delivery agreements. 9
hipaa 1524.11a1Organizational.5-11.a hipaa-1524.11a1Organizational.5-11.a 1524.11a1Organizational.5-11.a 15 Incident Management 1524.11a1Organizational.5-11.a 11.01 Reporting Information Security Incidents and Weaknesses Shared n/a Workforce members cooperate with federal or state investigations or disciplinary proceedings. 3
ISO27001-2013 A.13.1.2 ISO27001-2013_A.13.1.2 ISO 27001:2013 A.13.1.2 Communications Security Security of network services Shared n/a Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced. link 16
ISO27001-2013 A.13.2.2 ISO27001-2013_A.13.2.2 ISO 27001:2013 A.13.2.2 Communications Security Agreements on information transfer Shared n/a Agreements shall address the secure transfer of business information between the organization and external parties. link 11
ISO27001-2013 A.15.2.1 ISO27001-2013_A.15.2.1 ISO 27001:2013 A.15.2.1 Supplier Relationships Monitoring and review of supplier services Shared n/a Organizations shall be regularly monitor, review and audit supplier service delivery. link 4
ISO27001-2013 A.15.2.2 ISO27001-2013_A.15.2.2 ISO 27001:2013 A.15.2.2 Supplier Relationships Managing changes to supplier services Shared n/a Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks. link 15
ISO27001-2013 A.6.1.1 ISO27001-2013_A.6.1.1 ISO 27001:2013 A.6.1.1 Organization of Information Security Information security roles and responsibilities Shared n/a All information security responsibilities shall be clearly defined and allocated. link 73
ISO27001-2013 A.6.1.5 ISO27001-2013_A.6.1.5 ISO 27001:2013 A.6.1.5 Organization of Information Security Information security in project management Shared n/a Information security shall be addressed in project management, regardless of the type of the project. link 25
ISO27001-2013 A.7.2.1 ISO27001-2013_A.7.2.1 ISO 27001:2013 A.7.2.1 Human Resources Security Management responsibilities Shared n/a Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization. link 26
ISO27001-2013 C.8.1 ISO27001-2013_C.8.1 ISO 27001:2013 C.8.1 Operation Operational planning and control Shared n/a The organization shall plan, implement and control the processes needed to meet information security requirements, and to implement the actions determined in 6.1. The organization shall also implement plans to achieve information security objectives determined in 6.2. The organization shall keep documented information to the extent necessary to have confidence that the processes have been carried out as planned. The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. The organization shall ensure that outsourced processes are determined and controlled. link 21
mp.com.1 Secure perimeter mp.com.1 Secure perimeter 404 not found n/a n/a 56
mp.com.2 Protection of confidentiality mp.com.2 Protection of confidentiality 404 not found n/a n/a 55
mp.com.3 Protection of integrity and authenticity mp.com.3 Protection of integrity and authenticity 404 not found n/a n/a 62
mp.com.4 Separation of information flows on the network mp.com.4 Separation of information flows on the network 404 not found n/a n/a 51
NIST_SP_800-53_R4 SA-9 NIST_SP_800-53_R4_SA-9 NIST SP 800-53 Rev. 4 SA-9 System And Services Acquisition External Information System Services Shared n/a The organization: a. Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and c. Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis. Supplemental Guidance: External information system services are services that are implemented outside of the authorization boundaries of organizational information systems. This includes services that are used by, but not a part of, organizational information systems. FISMA and OMB policy require that organizations using external service providers that are processing, storing, or transmitting federal information or operating information systems on behalf of the federal government ensure that such providers meet the same security requirements that federal agencies are required to meet. Organizations establish relationships with external service providers in a variety of ways including, for example, through joint ventures, business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, and supply chain exchanges. The responsibility for managing risks from the use of external information system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a level of confidence that each participating provider in the potentially complex consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on the relationships between organizations and the external providers. Organizations document the basis for trust relationships so the relationships can be monitored over time. External information system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for security controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance. Related controls: CA-3, IR-7, PS-7. References: NIST Special Publication 800-35. link 4
NIST_SP_800-53_R5 SA-9 NIST_SP_800-53_R5_SA-9 NIST SP 800-53 Rev. 5 SA-9 System and Services Acquisition External System Services Shared n/a a. Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: [Assignment: organization-defined controls]; b. Define and document organizational oversight and user roles and responsibilities with regard to external system services; and c. Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: [Assignment: organization-defined processes, methods, and techniques]. link 4
op.acc.6 Authentication mechanism (organization users) op.acc.6 Authentication mechanism (organization users) 404 not found n/a n/a 78
op.exp.2 Security configuration op.exp.2 Security configuration 404 not found n/a n/a 112
op.exp.3 Security configuration management op.exp.3 Security configuration management 404 not found n/a n/a 123
op.ext.1 Contracting and service level agreements op.ext.1 Contracting and service level agreements 404 not found n/a n/a 35
op.ext.2 Daily management op.ext.2 Daily management 404 not found n/a n/a 15
op.ext.4 Interconnection of systems op.ext.4 Interconnection of systems 404 not found n/a n/a 68
op.mon.1 Intrusion detection op.mon.1 Intrusion detection 404 not found n/a n/a 53
op.nub.1 Cloud service protection op.nub.1 Cloud service protection 404 not found n/a n/a 34
org.1 Security policy org.1 Security policy 404 not found n/a n/a 94
org.3 Security procedures org.3 Security procedures 404 not found n/a n/a 83
org.4 Authorization process org.4 Authorization process 404 not found n/a n/a 127
PCI_DSS_v4.0 12.8.1 PCI_DSS_v4.0_12.8.1 PCI DSS v4.0 12.8.1 Requirement 12: Support Information Security with Organizational Policies and Programs Risk to information assets associated with third-party service provider (TPSP) relationships is managed Shared n/a A list of all third-party service providers (TPSPs) with which account data is shared or that could affect the security of account data is maintained, including a description for each of the services provided. link 1
PCI_DSS_v4.0 12.8.3 PCI_DSS_v4.0_12.8.3 PCI DSS v4.0 12.8.3 Requirement 12: Support Information Security with Organizational Policies and Programs Risk to information assets associated with third-party service provider (TPSP) relationships is managed Shared n/a An established process is implemented for engaging TPSPs, including proper due diligence prior to engagement. link 5
PCI_DSS_v4.0 12.8.4 PCI_DSS_v4.0_12.8.4 PCI DSS v4.0 12.8.4 Requirement 12: Support Information Security with Organizational Policies and Programs Risk to information assets associated with third-party service provider (TPSP) relationships is managed Shared n/a A program is implemented to monitor TPSPs’ PCI DSS compliance status at least once every 12 months. link 8
PCI_DSS_v4.0 12.9.1 PCI_DSS_v4.0_12.9.1 PCI DSS v4.0 12.9.1 Requirement 12: Support Information Security with Organizational Policies and Programs Third-party service providers (TPSPs) support their customers’ PCI DSS compliance Shared n/a TPSPs acknowledge in writing to customers that they are responsible for the security of account data the TPSP possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s CDE. link 3
PCI_DSS_v4.0 12.9.2 PCI_DSS_v4.0_12.9.2 PCI DSS v4.0 12.9.2 Requirement 12: Support Information Security with Organizational Policies and Programs Third-party service providers (TPSPs) support their customers’ PCI DSS compliance Shared n/a TPSPs support their customers’ requests for information to meet Requirements 12.8.4 and 12.8.5 by providing the following upon customer request: • PCI DSS compliance status information for any service the TPSP performs on behalf of customers (Requirement 12.8.4). • Information about which PCI DSS requirements are the responsibility of the TPSP and which are the responsibility of the customer, including any shared responsibilities (Requirement 12.8.5). link 3
SWIFT_CSCF_v2022 2.8.5 SWIFT_CSCF_v2022_2.8.5 SWIFT CSCF v2022 2.8.5 2. Reduce Attack Surface and Vulnerabilities Ensure a consistent and effective approach for the customers’ messaging monitoring. Shared n/a Ensure a consistent and effective approach for the customers’ messaging monitoring. link 8
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-19 17:41:40 add 4e45863d-9ea9-32b4-a204-2680bc6007a6
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC