last sync: 2024-Jul-26 18:17:39 UTC

Automate flaw remediation | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source: Azure Portal
Display name: Automate flaw remediation
Id: a90c4d44-7fac-8e02-6d5b-0d92046b20e6
Version: 1.1.0
Category: Regulatory Compliance
Description: CMA_0027 - Automate flaw remediation
Additional metadata:
  Name/Id: CMA_0027 / CMA_0027
  Category: Operational
  Title: Automate flaw remediation
  Ownership: Customer
  Description: Microsoft recommends that your organization create System and Information Integrity policies and standard operating procedures that include the implementation of automated mechanisms to periodically determine the state of information system components regarding flaw remediation and system updates. Additionally, it is recommended that your organization document and implement a process to confirm successful deployment of security patches and resolution of update failures.
  Requirements: The customer is responsible for implementing this recommendation.
Mode: All
Type: BuiltIn
Preview: False
Deprecated: False
Effect: Default: Manual; Allowed: Manual, Disabled
RBAC role(s): none
Rule aliases: none
Rule resource types: IF (1): Microsoft.Resources/subscriptions
Compliance
The following 8 compliance controls are associated with this Policy definition 'Automate flaw remediation' (a90c4d44-7fac-8e02-6d5b-0d92046b20e6)
| Control Domain | Control Name | MetadataId | Display Name | Category | Title | Owner | Requirements | Description | Info | Policy# |
|---|---|---|---|---|---|---|---|---|---|---|
| FedRAMP_High_R4 | SI-2(2) | FedRAMP_High_R4_SI-2(2) | FedRAMP High SI-2 (2) | System And Information Integrity | Automated Flaw Remediation Status | Shared | n/a | The organization employs automated mechanisms [Assignment: organization-defined frequency] to determine the state of information system components with regard to flaw remediation. Supplemental Guidance: Related controls: CM-6, SI-4. | link | 2 |
| FedRAMP_Moderate_R4 | SI-2(2) | FedRAMP_Moderate_R4_SI-2(2) | FedRAMP Moderate SI-2 (2) | System And Information Integrity | Automated Flaw Remediation Status | Shared | n/a | The organization employs automated mechanisms [Assignment: organization-defined frequency] to determine the state of information system components with regard to flaw remediation. Supplemental Guidance: Related controls: CM-6, SI-4. | link | 2 |
| hipaa | 0713.10m2Organizational.5-10.m | hipaa-0713.10m2Organizational.5-10.m | 0713.10m2Organizational.5-10.m | 07 Vulnerability Management | 0713.10m2Organizational.5-10.m 10.06 Technical Vulnerability Management | Shared | n/a | Patches are tested and evaluated before they are installed. | | 5 |
| hipaa | 0718.10m3Organizational.34-10.m | hipaa-0718.10m3Organizational.34-10.m | 0718.10m3Organizational.34-10.m | 07 Vulnerability Management | 0718.10m3Organizational.34-10.m 10.06 Technical Vulnerability Management | Shared | n/a | The organization scans for vulnerabilities in the information system and hosted applications to determine the state of flaw remediation monthly (automatically), and again (manually or automatically) when new vulnerabilities potentially affecting the systems and networked environments are identified and reported. | | 4 |
| hipaa | 0787.10m2Organizational.14-10.m | hipaa-0787.10m2Organizational.14-10.m | 0787.10m2Organizational.14-10.m | 07 Vulnerability Management | 0787.10m2Organizational.14-10.m 10.06 Technical Vulnerability Management | Shared | n/a | Patches installed in the production environment are also installed in the organization's disaster recovery environment in a timely manner. | | 4 |
| hipaa | 1791.10a2Organizational.6-10.a | hipaa-1791.10a2Organizational.6-10.a | 1791.10a2Organizational.6-10.a | 17 Risk Management | 1791.10a2Organizational.6-10.a 10.01 Security Requirements of Information Systems | Shared | n/a | Specifications for the security control requirements state automated controls will be incorporated in the information system, supplemented by manual controls as needed, as evidenced throughout the SDLC. | | 5 |
| NIST_SP_800-53_R4 | SI-2(2) | NIST_SP_800-53_R4_SI-2(2) | NIST SP 800-53 Rev. 4 SI-2 (2) | System And Information Integrity | Automated Flaw Remediation Status | Shared | n/a | The organization employs automated mechanisms [Assignment: organization-defined frequency] to determine the state of information system components with regard to flaw remediation. Supplemental Guidance: Related controls: CM-6, SI-4. | link | 2 |
| NIST_SP_800-53_R5 | SI-2(2) | NIST_SP_800-53_R5_SI-2(2) | NIST SP 800-53 Rev. 5 SI-2 (2) | System and Information Integrity | Automated Flaw Remediation Status | Shared | n/a | Determine if system components have applicable security-relevant software and firmware updates installed using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency]. | link | 2 |
Initiatives usage
| Initiative DisplayName | Initiative Id | Initiative Category | State | Type |
|---|---|---|---|---|
| FedRAMP High | d5264498-16f4-418a-b659-fa7ef418175f | Regulatory Compliance | GA | BuiltIn |
| FedRAMP Moderate | e95f5a9f-57ad-4d03-bb0b-b1d16db93693 | Regulatory Compliance | GA | BuiltIn |
| HITRUST/HIPAA | a169a624-5599-4385-a696-c8d643089fab | Regulatory Compliance | GA | BuiltIn |
| NIST SP 800-53 Rev. 4 | cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f | Regulatory Compliance | GA | BuiltIn |
| NIST SP 800-53 Rev. 5 | 179d1daa-458f-4e47-8086-2a68d0d6c38f | Regulatory Compliance | GA | BuiltIn |
History
| Date/Time (UTC ymd) | Change type | Change detail |
|---|---|---|
| 2022-09-27 16:35:32 | change | Minor (1.0.0 > 1.1.0) |
| 2022-09-19 17:41:40 | add | a90c4d44-7fac-8e02-6d5b-0d92046b20e6 |