AzPolicyAdvertizer

last sync: 2025-Apr-29 17:16:02 UTC

Microsoft Managed Control 1647 - Use of Cryptography | Regulatory Compliance - System and Communications Protection

Azure BuiltIn Policy definition

Source Azure Portal
Display name Microsoft Managed Control 1647 - Use of Cryptography
Id 791cfc15-6974-42a0-9f4c-2d4b82f4a78c
Version 1.0.1
Details on versioning
Versioning Versions supported for Versioning: 0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description Microsoft implements this System and Communications Protection control
Cloud environments AzureCloud = true
AzureUSGovernment = true
AzureChinaCloud = unknown
Available in AzUSGov The Policy is available in AzureUSGovernment cloud. Version: '1.0.0'
Repository: Azure-Policy 791cfc15-6974-42a0-9f4c-2d4b82f4a78c
Additional metadata Name/Id: ACF1647 / Microsoft Managed Control 1647
Category: System and Communications Protection
Title: Use of Cryptography
Ownership: Customer, Microsoft
Description: The information system implements FIPS-validated cryptography in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
Requirements: Encryption mechanisms and techniques used by the Azure service teams follow the requirements and restrictions outlined in the Microsoft Key Management Standard, Microsoft Operational Encryption Standard, Azure Cryptographic Controls Standard Operating Procedure. The Microsoft Key Management Standard applies to the operation of all Microsoft’s online services’ systems residing within Azure utilizing cryptographic mechanisms for securing data or systems. This standard applies to all environments managed by Azure, including labs, production, and pre-production. Azure implements cryptography through encryption mechanisms and techniques following the requirements outlined in the Cryptographic Controls of the Microsoft Security Program Policy (MSPP). FIPS 140-2 validated cryptographic modules are used to support compliance with federal laws, executive orders, directives, policies, regulations, and standards. Additional information can be found at the link below: Specific encryption modules being used and the certificates for the server baselines can be found at and are identified below, using the Certificate Number and Module Name.
Mode Indexed
Type Static
Preview False
Deprecated False
Effect Fixed
audit
RBAC role(s) none
Rule aliases none
Rule resource types IF (2)
Compliance
The following 2 compliance controls are associated with this Policy definition 'Microsoft Managed Control 1647 - Use of Cryptography' (791cfc15-6974-42a0-9f4c-2d4b82f4a78c)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
NIS2 AM._Asset_Management_9 NIS2_AM._Asset_Management_9 NIS2_AM._Asset_Management_9 AM. Asset Management Human resources security, access control policies and asset management n/a The cybersecurity risk-management measures should therefore also address the physical and environmental security of network and information systems by including measures to protect such systems from system failures, human error, malicious acts or natural phenomena, in line with European and international standards, such as those included in the ISO/IEC 27000 series. In that regard, essential and important entities should, as part of their cybersecurity risk-management measures, also address human resources security and have in place appropriate access control policies. Those measures should be consistent with Directive (EU) 2022/2557. 28
NIS2 DP._Data_Protection_8 NIS2_DP._Data_Protection_8 NIS2_DP._Data_Protection_8 DP. Data Protection Policies and procedures regarding the use of cryptography and, where appropriate, encryption n/a In order to safeguard the security of public electronic communications networks and publicly available electronic communications services, the use of encryption technologies, in particular end-to-end encryption as well as data-centric security concepts, such as cartography, segmentation, tagging, access policy and access management, and automated access decisions, should be promoted. Where necessary, the use of encryption, in particular end-to-end encryption should be mandatory for providers of public electronic communications networks or of publicly available electronic communications services in accordance with the principles of security and privacy by default and by design for the purposes of this Directive. The use of end-to-end encryption should be reconciled with the Member States’ powers to ensure the protection of their essential security interests and public security, and to allow for the prevention, investigation, detection and prosecution of criminal offences in accordance with Union law. However, this should not weaken end-to-end encryption, which is a critical technology for the effective protection of data and privacy and the security of communications. 32
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type polSet in AzUSGov
[Preview]: NIS2 32ff9e30-4725-4ca7-ba3a-904a7721ee87 Regulatory Compliance Preview BuiltIn unknown
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-04-01 20:29:14 change Patch (1.0.0 > 1.0.1)
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC