last sync: 2023-Sep-29 17:58:48 UTC

Azure Policy definition

Microsoft Managed Control 1569 - Acquisitions Process | Regulatory Compliance - System and Services Acquisition

Source Azure Portal
Display name Microsoft Managed Control 1569 - Acquisitions Process
Id ad2f8e61-a564-4dfd-8eaa-816f5be8cb34
Version 1.0.1
details on versioning
Category Regulatory Compliance
Microsoft docs
Description Microsoft implements this System and Services Acquisition control
Additional metadata Name/Id: ACF1569 / Microsoft Managed Control 1569
Category: System and Services Acquisition
Title: Acquisition Process - Include Security Strength Requirements in Contract
Ownership: Customer, Microsoft
Description: The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Security strength requirements;
Requirements: Microsoft requires all device security documentation and tests all security requirements and functions in lab/development environments before implemented in production. Whenever feasible, Microsoft has selected system components and products that have been evaluated on Common Criteria, FIPS (e.g., FIPS 140-2), Center for Information Security, Security Content Automation Protocol (SCAP) and other standards for deployment within Azure. Microsoft engages only those third parties that have signed a contract and have been approved by the Procurement and Microsoft Corporate, External, and Legal Affairs (CELA) teams. In accordance with the MSSA, contracts require that the third party implement security procedures to prevent disclosure of Microsoft confidential information and provide all pertinent information describing the functional requirements or specifications of the security controls that are to be employed within the system. Additionally, third parties who have access to the Azure environment must employ a formal contract that defines the responsibilities and requirements for maintaining the security, confidentiality, integrity, and availability of the information assets involved with the contract.
Mode Indexed
Type Static
Preview False
Deprecated False
Effect Fixed
RBAC role(s) none
Rule aliases none
Rule resource types IF (2)
Compliance Not a Compliance control
Initiatives usage none
Date/Time (UTC ymd) (i) Change type Change detail
2022-04-01 20:29:14 change Patch (1.0.0 > 1.0.1)
JSON compare
compare mode: version left: version right: