Microsoft implements this System and Services Acquisition control
Name/Id: ACF1569 / Microsoft Managed Control 1569 Category: System and Services Acquisition Title: Acquisition Process - Include Security Strength Requirements in Contract Ownership: Customer, Microsoft Description: The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Security strength requirements; Requirements: Microsoft requires all device security documentation and tests all security requirements and functions in lab/development environments before implemented in production. Whenever feasible, Microsoft has selected system components and products that have been evaluated on Common Criteria, FIPS (e.g., FIPS 140-2), Center for Information Security, Security Content Automation Protocol (SCAP) and other standards for deployment within Azure.
Microsoft engages only those third parties that have signed a contract and have been approved by the Procurement and Microsoft Corporate, External, and Legal Affairs (CELA) teams. In accordance with the MSSA, contracts require that the third party implement security procedures to prevent disclosure of Microsoft confidential information and provide all pertinent information describing the functional requirements or specifications of the security controls that are to be employed within the system. Additionally, third parties who have access to the Azure environment must employ a formal contract that defines the responsibilities and requirements for maintaining the security, confidentiality, integrity, and availability of the information assets involved with the contract.
Rule resource types
IF (2) Microsoft.Resources/subscriptions Microsoft.Resources/subscriptions/resourceGroups