last sync: 2024-Oct-04 17:51:30 UTC

Microsoft Managed Control 1608 - Supply Chain Protection | Regulatory Compliance - System and Services Acquisition

Azure BuiltIn Policy definition

Source Azure Portal
Display name Microsoft Managed Control 1608 - Supply Chain Protection
Id b73b7b3b-677c-4a2a-b949-ad4dc4acd89f
Version 1.0.0
Details on versioning
Versioning Versions supported for Versioning: 0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description Microsoft implements this System and Services Acquisition control
Additional metadata Name/Id: ACF1608 / Microsoft Managed Control 1608
Category: System and Services Acquisition
Title: Supply Chain Protection
Ownership: Customer, Microsoft
Description: The organization protects against supply chain threats to the information system, system component, or information system service by employing standardized purchase orders, routine business reviews, performance metrics, QA checks, and other practices as described below. In addition, Microsoft processes, procedures, and technologies are IAW the intent of DoDI 5200.44, Protection of Mission Critical Functions to Achieve Trusted Systems and Networks (TSN), as part of a comprehensive, defense-in-breadth information security strategy.
Requirements: "One Microsoft" Supply Chain assurance efforts consist of numerous capabilities executing a corporate strategy that contributes to protecting Azure.

Procurement
During the initial supply chain phase, the Procurement team protects against supply chain threats by facilitating the creation of the purchase order to our suppliers, ensuring consistency in approach.

Customer Operations
Customer Operations performs routine business reviews with our suppliers, representing the needs and concerns of all Azure business groups. This team also works to support Azure business groups on standards definition and service capability. A key function of this team is to protect against any threats posed by suppliers during manufacturing by ensuring adherence to standard supply chain methodologies and process adherence.

Deployment Quality
During system integration, or upon delivery of systems to our Azure datacenters for deployment, Deployment Quality works to ensure final delivery of the system to the Azure business group is done on time and free of defects. Working in conjunction with Supply Chain Automation, these capabilities monitor performance metrics, capture business group feedback, and lead cross-functional Supply Chain.

Supplier Relationship Management (SRM)
As systems move into the operations and maintenance phase of the life cycle, SRM protects Azure by managing and facilitating the supplier complaint process to drive root cause and corrective action within the suppliers' supply chain. Supplier scorecards allow Azure to compare and visibly monitor the performance of our supply base using a balanced scorecard approach.

Spares
Spares Management protects against supply chain threats by managing the determination and execution of obtaining spare components to support deployed devices within our Azure datacenters. Parts are spared to significantly reduce downtime of production equipment during a troubleshooting scenario, helping to keep sites up for our business.

To ensure security of the supply chain and protection against threats, Azure uses well-established suppliers with a proven track record in secure supply chain management. In addition, these suppliers have established Service Level Agreements with critical providers to ensure that additional spare parts and maintenance activities are performed in a timely manner.

Business Continuity
Microsoft manages a comprehensive Continuity of Supply program with redundancies across Systems Integrators and component suppliers wherever possible. A dedicated team drives continuous analysis of multi-source vs. single-source sourcing and end-of-life transitions for components across the Bill of Materials. Strategic purchases and inventories are held in an ongoing program to ensure supply of critical components and last-time purchases. Supplier financial health is assessed routinely, with risk assessments and deeper engagements on areas of concern.

Asset Classification & Risk Assessments
Asset Classification & Risk Assessments are determined by a "One Microsoft" team at initial infrastructure design and build to meet market/customer compliance boundary requirements. In addition, existing processes allow each service to provide its offering in each boundary, and processes are in place for designated high-integrity devices and services.

Logistics
Microsoft continues to increase assurance in the complex global cloud supply chain by implementing a new global control tower capability, the next generation of supply chain visibility. The new capability delivers proactive intelligence on potential disruptions, including weather, traffic, and global events, which allows Microsoft to notify our customers as disruptions occur so that they can adjust and deliver successfully. In addition, Microsoft is placing sensors on high-value shipments with GPS capability, supported by light and temperature detection at fifteen (15) minute tracking intervals.

Validation
Microsoft employs a capability to discover, configure, and validate in-rack hardware. The validation is executed at the original equipment manufacturer (OEM) prior to shipment and again at the Microsoft datacenter.

Firmware
Microsoft employs firmware source code guidance, reviews, and penetration tests to identify security vulnerabilities at the firmware level.

Global Security Ecosystem Support
Capabilities including Threat Intelligence, the Digital Crime Unit, the Cyber Defense Operations Center, and Service Security Teams, together with the Azure Red Team, coordinate overt and covert activities to validate and strengthen the global Azure and specific sovereign infrastructures. In addition, Third Party Assessment Organization (3PAO) penetration tests are part of the overall certifications.

Industry Leadership
The Microsoft Supply Chain Security program has maintained industry-leading low loss levels across the various supply chains for the past five (5) years. Microsoft is Tier 3 certified with the Customs Trade Partnership Against Terrorism (CTPAT), a Homeland Security / Customs and Border Protection program, and Authorized Economic Operator (AEO) certified in India, with Australia pending.

Global Leadership & Partnerships
Microsoft members maintain leadership roles in the Transported Asset Protection Association (TAPA) and the Alliance for Gray Market and Counterfeit Abatement (AGMA). In addition, Microsoft maintains active representation in the European Union, North Atlantic Treaty Organization, and World Trade Organization.
Mode Indexed
Type Static
Preview False
Deprecated False
Effect Fixed
audit
RBAC role(s) none
Rule aliases none
Rule resource types IF (2)
Microsoft.Resources/subscriptions
Microsoft.Resources/subscriptions/resourceGroups
Compliance
The following 1 compliance controls are associated with this Policy definition 'Microsoft Managed Control 1608 - Supply Chain Protection' (b73b7b3b-677c-4a2a-b949-ad4dc4acd89f)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
op.ext.3 Protection of supply chain op.ext.3 Protection of supply chain 404 not found n/a n/a 2
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
History none