| Source | Azure Portal | ||
| Display name | Microsoft Managed Control 1586 - External Information System Services | ||
| Id | 6e3b2fbd-8f37-4766-a64d-3f37703dcb51 | ||
| Version | 1.0.0 Details on versioning |
||
| Category | Regulatory Compliance Microsoft Learn |
||
| Description | Microsoft implements this System and Services Acquisition control | ||
| Additional metadata |
Name/Id: ACF1586 / Microsoft Managed Control 1586 Category: System and Services Acquisition Title: External Information System Services - Compliance And Controls in Accordance with Federal Laws/Policies Ownership: Customer, Microsoft Description: The organization: Requires that providers of external information system services comply with organizational information security requirements and employ FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; Requirements: Azure is owned and operated by Microsoft; there are no external information system services involved in the delivery of Azure services. However, if Azure does utilize external information system services outside of the Azure authorization boundary, it ensures that they comply with the information security requirements. Subsequent changes are coordinated with the FedRAMP JAB, DISA/DoD authorizing officials, and other regulators as required to determine if it signifies a major change; and update documentation and reauthorize as needed per direction from the FedRAMP JAB, DISA/DoD authorizing officials, and other regulators as required. Additionally, Microsoft provides deliverables to the FedRAMP JAB, DISA/DoD authorizing officials, and other regulators as required as part of continuous monitoring activities allowing sufficient Government oversight. Microsoft follows the standard process outlined below in the event it does utilize services outside of the Azure authorization boundary. Microsoft engages Vendor Agencies through Microsoft’s third party ordering tool, which is designed for third parties (Vendor Agencies) that have signed a Master Service Agreement (MSA) and/or have been approved by the Global Procurement Group (GPG) as an “Approved Vendor” in specific categories of work. GPG requires the third party to comply with all applicable Microsoft security policies and implement security procedures to prevent disclosure of Microsoft Confidential information. Microsoft includes provisions in the MSA and any associated Statements of Work (SOW) with each vendor addressing the need to employ appropriate security controls. Additionally, vendors that handle high business impact data must be in annual compliance with the Microsoft Vendor Privacy Assurance (VPA) program. |
||
| Mode | Indexed | ||
| Type | Static | ||
| Preview | False | ||
| Deprecated | False | ||
| Effect | Fixed audit |
||
| RBAC role(s) | none | ||
| Rule aliases | none | ||
| Rule resource types | IF (2) Microsoft.Resources/subscriptions Microsoft.Resources/subscriptions/resourceGroups |
||
| Compliance | Not a Compliance control | ||
| Initiatives usage | none | ||
| History | none | ||
| JSON compare | n/a | ||
| JSON |
|