last sync: 2024-May-24 18:03:04 UTC

Microsoft Managed Control 1586 - External Information System Services | Regulatory Compliance - System and Services Acquisition

Azure BuiltIn Policy definition

Source Azure Portal
Display name Microsoft Managed Control 1586 - External Information System Services
Id 6e3b2fbd-8f37-4766-a64d-3f37703dcb51
Version 1.0.0
Category Regulatory Compliance
Description Microsoft implements this System and Services Acquisition control
Additional metadata Name/Id: ACF1586 / Microsoft Managed Control 1586
Category: System and Services Acquisition
Title: External Information System Services - Compliance And Controls in Accordance with Federal Laws/Policies
Ownership: Customer, Microsoft
Description: The organization: Requires that providers of external information system services comply with organizational information security requirements and employ FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
Requirements: Azure is owned and operated by Microsoft; there are no external information system services involved in the delivery of Azure services. However, if Azure does utilize external information system services outside of the Azure authorization boundary, it ensures that they comply with the information security requirements. Subsequent changes are coordinated with the FedRAMP JAB, DISA/DoD authorizing officials, and other regulators as required to determine if it signifies a major change; and update documentation and reauthorize as needed per direction from the FedRAMP JAB, DISA/DoD authorizing officials, and other regulators as required. Additionally, Microsoft provides deliverables to the FedRAMP JAB, DISA/DoD authorizing officials, and other regulators as required as part of continuous monitoring activities allowing sufficient Government oversight. Microsoft follows the standard process outlined below in the event it does utilize services outside of the Azure authorization boundary. Microsoft engages Vendor Agencies through Microsoft’s third party ordering tool, which is designed for third parties (Vendor Agencies) that have signed a Master Service Agreement (MSA) and/or have been approved by the Global Procurement Group (GPG) as an “Approved Vendor” in specific categories of work. GPG requires the third party to comply with all applicable Microsoft security policies and implement security procedures to prevent disclosure of Microsoft Confidential information. Microsoft includes provisions in the MSA and any associated Statements of Work (SOW) with each vendor addressing the need to employ appropriate security controls. Additionally, vendors that handle high business impact data must be in annual compliance with the Microsoft Vendor Privacy Assurance (VPA) program.
Mode Indexed
Type Static
Preview False
Deprecated False
Effect Fixed: audit
RBAC role(s) none
Rule aliases none
Rule resource types IF (2): Microsoft.Resources/subscriptions, Microsoft.Resources/subscriptions/resourceGroups
Compliance Not a Compliance control
Initiatives usage none
History none
JSON compare n/a