Name/Id: ACF1492 / Microsoft Managed Control 1492
Category: Planning
Title: System Security Plan - Develop Plan Consistent with Enterprise Architecture
Ownership: Customer, Microsoft
Description: The organization develops a security plan for the information system that:
* Is consistent with the organization's enterprise architecture;
* Explicitly defines the authorization boundary for the system;
* Describes the operational context of the information system in terms of missions and business processes;
* Provides the security categorization of the information system including supporting rationale;
* Describes the operational environment for the information system and relationships with or connections to other information systems;
* Provides an overview of the security requirements for the system;
* Identifies any relevant overlays, if applicable;
* Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and
* Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
Requirements: The Azure System Security Plan provides an overview of the security requirements for Azure and the systems and applications within. Additionally, it contains a description of the security controls that are in place to meet those requirements.
The Azure System Security Plan is created in accordance with NIST Special Publication 800-18, Revision 1, Guide for Developing Security Plans for Federal Information Systems based on the required template, which contains guidance on security planning. This includes accurately defining the Azure accreditation boundary, as well as describing the operational environment, the security controls that are applicable to the system, and the system interconnections.
The Azure System Security Plan documents the security categorization of the system based on the typical information being stored, processed or transmitted in Azure. The sponsor's Authorizing Official (AO) approves the System Security Plan as part of the package submission and granting of the Authority to Operate (ATO). This SSP:
* Explicitly defines the boundary of the system in sections 9 and 10 of this document.
* Provides an overview of the security and operational requirements for the system and a description of the security controls in place or planned for meeting those requirements in the Minimum Security Controls in section 13 of this document.
* Provides the overview of the infrastructure for storage that provides customers the capability to purchase, use, and/or deploy these offerings within Azure in sections 9 and 10. Customers configure their implementation of Storage using the Azure portal.
* Provides a security categorization of the system in section 2 based on the information being stored, processed, and transmitted. The system security categorization determination is based on the actual data stored, processed or transmitted by customers utilizing Azure services.
* Is aligned with the guidance contained in NIST SP 800-18 Revision 1, which contains guidance on security planning. This includes accurately defining Azure, as well as describing the operational environment and all security controls that are applicable to the system.
* Describes relationships with or connections to other information systems.
* Is reviewed and approved by the FedRAMP JAB, DISA/DoD authorizing officials, and other regulators prior to plan implementation.
Rule resource types
IF (2):
* Microsoft.Resources/subscriptions
* Microsoft.Resources/subscriptions/resourceGroups