compliance controls are associated with this Policy definition 'Govern compliance of cloud service providers' (5c33538e-02f8-0a7f-998b-a4c1e22076d3)
Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
FedRAMP_High_R4 |
CM-6(1) |
FedRAMP_High_R4_CM-6(1) |
FedRAMP High CM-6 (1) |
Configuration Management |
Automated Central Management / Application / Verification |
Shared |
n/a |
The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for [Assignment: organization-defined information system components].
Supplemental Guidance: Related controls: CA-7, CM-4. |
link |
3 |
FedRAMP_Moderate_R4 |
CM-6(1) |
FedRAMP_Moderate_R4_CM-6(1) |
FedRAMP Moderate CM-6 (1) |
Configuration Management |
Automated Central Management / Application / Verification |
Shared |
n/a |
The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for [Assignment: organization-defined information system components].
Supplemental Guidance: Related controls: CA-7, CM-4. |
link |
3 |
hipaa |
0228.09k2Organizational.3-09.k |
hipaa-0228.09k2Organizational.3-09.k |
0228.09k2Organizational.3-09.k |
02 Endpoint Protection |
0228.09k2Organizational.3-09.k 09.04 Protection Against Malicious and Mobile Code |
Shared |
n/a |
Rules for the migration of software from development to operational status are defined and documented by the organization hosting the affected application(s), including that development, test, and operational systems are separated (physically or virtually) to reduce the risks of unauthorized access or changes to the operational system. |
|
11 |
hipaa |
0603.06g2Organizational.1-06.g |
hipaa-0603.06g2Organizational.1-06.g |
0603.06g2Organizational.1-06.g |
06 Configuration Management |
0603.06g2Organizational.1-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance |
Shared |
n/a |
Automated compliance tools are used when possible. |
|
6 |
hipaa |
0618.09b1System.1-09.b |
hipaa-0618.09b1System.1-09.b |
0618.09b1System.1-09.b |
06 Configuration Management |
0618.09b1System.1-09.b 09.01 Documented Operating Procedures |
Shared |
n/a |
Changes to information assets, including systems, networks, and network services, are controlled and archived. |
|
16 |
hipaa |
0644.10k3Organizational.4-10.k |
hipaa-0644.10k3Organizational.4-10.k |
0644.10k3Organizational.4-10.k |
06 Configuration Management |
0644.10k3Organizational.4-10.k 10.05 Security In Development and Support Processes |
Shared |
n/a |
The organization employs automated mechanisms to (i) centrally manage, apply, and verify configuration settings; (ii) respond to unauthorized changes to network and system security-related configuration settings; and, (iii) enforce access restrictions and auditing of the enforcement actions. |
|
20 |
hipaa |
0710.10m2Organizational.1-10.m |
hipaa-0710.10m2Organizational.1-10.m |
0710.10m2Organizational.1-10.m |
07 Vulnerability Management |
0710.10m2Organizational.1-10.m 10.06 Technical Vulnerability Management |
Shared |
n/a |
A hardened configuration standard exists for all system and network components. |
|
9 |
hipaa |
1791.10a2Organizational.6-10.a |
hipaa-1791.10a2Organizational.6-10.a |
1791.10a2Organizational.6-10.a |
17 Risk Management |
1791.10a2Organizational.6-10.a 10.01 Security Requirements of Information Systems |
Shared |
n/a |
Specifications for the security control requirements state automated controls will be incorporated in the information system, supplemented by manual controls as needed, as evidenced throughout the SDLC. |
|
5 |
ISO27001-2013 |
A.12.5.1 |
ISO27001-2013_A.12.5.1 |
ISO 27001:2013 A.12.5.1 |
Operations Security |
Installation of software on operational systems |
Shared |
n/a |
Procedures shall be implemented to control the installation of software on operational systems. |
link |
18 |
ISO27001-2013 |
A.12.6.2 |
ISO27001-2013_A.12.6.2 |
ISO 27001:2013 A.12.6.2 |
Operations Security |
Restrictions on software installation |
Shared |
n/a |
Rules governing the installation of software by users shall be established and implemented. |
link |
18 |
|
mp.sw.2 Acceptance and commissioning |
mp.sw.2 Acceptance and commissioning |
404 not found |
|
|
|
n/a |
n/a |
|
60 |
NIST_SP_800-171_R2_3 |
.4.2 |
NIST_SP_800-171_R2_3.4.2 |
NIST SP 800-171 R2 3.4.2 |
Configuration Management |
Establish and enforce security configuration settings for information technology products employed in organizational systems. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture or functionality of the system. Information technology products for which security-related configuration settings can be defined include mainframe computers, servers, workstations, input and output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security parameters are those parameters impacting the security state of systems including the parameters required to satisfy other security requirements. Security parameters include: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. [SP 800-70] and [SP 800-128] provide guidance on security configuration settings. |
link |
25 |
NIST_SP_800-53_R4 |
CM-6(1) |
NIST_SP_800-53_R4_CM-6(1) |
NIST SP 800-53 Rev. 4 CM-6 (1) |
Configuration Management |
Automated Central Management / Application / Verification |
Shared |
n/a |
The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for [Assignment: organization-defined information system components].
Supplemental Guidance: Related controls: CA-7, CM-4. |
link |
3 |
NIST_SP_800-53_R5 |
CM-6(1) |
NIST_SP_800-53_R5_CM-6(1) |
NIST SP 800-53 Rev. 5 CM-6 (1) |
Configuration Management |
Automated Management, Application, and Verification |
Shared |
n/a |
Manage, apply, and verify configuration settings for [Assignment: organization-defined system components] using [Assignment: organization-defined automated mechanisms]. |
link |
3 |
|
org.4 Authorization process |
org.4 Authorization process |
404 not found |
|
|
|
n/a |
n/a |
|
126 |