last sync: 2024-May-24 18:03:04 UTC

Microsoft Managed Control 1571 - Acquisitions Process | Regulatory Compliance - System and Services Acquisition

Azure BuiltIn Policy definition

Source Azure Portal
Display name Microsoft Managed Control 1571 - Acquisitions Process
Id b11c985b-f2cd-4bd7-85f4-b52426edf905
Version 1.0.1
Category Regulatory Compliance
Description Microsoft implements this System and Services Acquisition control
Additional metadata Name/Id: ACF1571 / Microsoft Managed Control 1571
Category: System and Services Acquisition
Title: Acquisition Process - Include Security-related Documentation Requirements in Contract
Ownership: Customer, Microsoft
Description: The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Security-related documentation requirements;
Requirements: Azure implements the acquisitions control through enforcement of the Microsoft Security Policy. The Policy dictates that where a third party is allowed to (i) access, process, host or manage Microsoft’s online services’ information assets or information processing facilities, or (ii) add products or services to Microsoft’s online services’ information processing facilities, arrangements must be made in a formal contract to define responsibility and requirements for the security, confidentiality, integrity and availability of the information assets involved. Appropriate security standards are addressed in the agreement, to provide a level of protection against identified risks equivalent to that provided by the Microsoft Security Policy. It is the role of Corporate, External, and Legal Affairs (CELA) to require language included in system acquisition contracts pertaining to the security requirements, as appropriate, through the Master Supplier Services Agreement (MSSA) or an equivalent type of agreement.
Mode Indexed
Type Static
Preview False
Deprecated False
Effect Fixed: audit
RBAC role(s) none
Rule aliases none
Rule resource types IF (2): Microsoft.Resources/subscriptions, Microsoft.Resources/subscriptions/resourceGroups
Compliance Not a Compliance control
Initiatives usage none
History
Date/Time (UTC ymd) | Change type | Change detail
2022-04-01 20:29:14 | change | Patch (1.0.0 > 1.0.1)