last sync: 2024-Mar-27 18:49:11 UTC

Obtain continuous monitoring plan for security controls | Regulatory Compliance - Documentation

Azure BuiltIn Policy definition

Source: Azure Portal
Display name: Obtain continuous monitoring plan for security controls
Id: ca6d7878-3189-1833-4620-6c7254ed1607
Version: 1.1.0
Category: Regulatory Compliance
Description: CMA_C1577 - Obtain continuous monitoring plan for security controls
Additional metadata:
  Name/Id: CMA_C1577 / CMA_C1577
  Category: Documentation
  Title: Obtain continuous monitoring plan for security controls
  Ownership: Customer
  Description: The customer is responsible for obtaining a plan for continuously monitoring security control effectiveness from the developer of the corresponding customer-deployed resource(s). Note: Microsoft Azure hosts the customer-deployed system. The customer can find a description of the security controls employed by Azure below.
  Requirements: The customer is responsible for implementing this recommendation.
Mode: All
Type: BuiltIn
Preview: False
Deprecated: False
Effect: Default: Manual; Allowed: Manual, Disabled
RBAC role(s): none
Rule aliases: none
Rule resource types: IF (1): Microsoft.Resources/subscriptions
Compliance
The following 5 compliance controls are associated with this Policy definition 'Obtain continuous monitoring plan for security controls' (ca6d7878-3189-1833-4620-6c7254ed1607)
| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy# |
|---|---|---|---|---|---|---|---|---|---|---|
| FedRAMP_High_R4 | SA-4(8) | FedRAMP_High_R4_SA-4(8) | FedRAMP High SA-4 (8) | System And Services Acquisition | Continuous Monitoring Plan | Shared | n/a | The organization requires the developer of the information system, system component, or information system service to produce a plan for the continuous monitoring of security control effectiveness that contains [Assignment: organization-defined level of detail]. Supplemental Guidance: The objective of continuous monitoring plans is to determine if the complete set of planned, required, and deployed security controls within the information system, system component, or information system service continue to be effective over time based on the inevitable changes that occur. Developer continuous monitoring plans include a sufficient level of detail such that the information can be incorporated into the continuous monitoring strategies and programs implemented by organizations. Related control: CA-7. | link | 1 |
| FedRAMP_Moderate_R4 | SA-4(8) | FedRAMP_Moderate_R4_SA-4(8) | FedRAMP Moderate SA-4 (8) | System And Services Acquisition | Continuous Monitoring Plan | Shared | n/a | The organization requires the developer of the information system, system component, or information system service to produce a plan for the continuous monitoring of security control effectiveness that contains [Assignment: organization-defined level of detail]. Supplemental Guidance: The objective of continuous monitoring plans is to determine if the complete set of planned, required, and deployed security controls within the information system, system component, or information system service continue to be effective over time based on the inevitable changes that occur. Developer continuous monitoring plans include a sufficient level of detail such that the information can be incorporated into the continuous monitoring strategies and programs implemented by organizations. Related control: CA-7. | link | 1 |
| NIST_SP_800-53_R4 | SA-4(8) | NIST_SP_800-53_R4_SA-4(8) | NIST SP 800-53 Rev. 4 SA-4 (8) | System And Services Acquisition | Continuous Monitoring Plan | Shared | n/a | The organization requires the developer of the information system, system component, or information system service to produce a plan for the continuous monitoring of security control effectiveness that contains [Assignment: organization-defined level of detail]. Supplemental Guidance: The objective of continuous monitoring plans is to determine if the complete set of planned, required, and deployed security controls within the information system, system component, or information system service continue to be effective over time based on the inevitable changes that occur. Developer continuous monitoring plans include a sufficient level of detail such that the information can be incorporated into the continuous monitoring strategies and programs implemented by organizations. Related control: CA-7. | link | 1 |
| NIST_SP_800-53_R5 | SA-4(8) | NIST_SP_800-53_R5_SA-4(8) | NIST SP 800-53 Rev. 5 SA-4 (8) | System and Services Acquisition | Continuous Monitoring Plan for Controls | Shared | n/a | Require the developer of the system, system component, or system service to produce a plan for continuous monitoring of control effectiveness that is consistent with the continuous monitoring program of the organization. | link | 1 |
| PCI_DSS_v4.0 | 12.8.4 | PCI_DSS_v4.0_12.8.4 | PCI DSS v4.0 12.8.4 | Requirement 12: Support Information Security with Organizational Policies and Programs | Risk to information assets associated with third-party service provider (TPSP) relationships is managed | Shared | n/a | A program is implemented to monitor TPSPs’ PCI DSS compliance status at least once every 12 months. | link | 8 |
Initiatives usage
| Initiative DisplayName | Initiative Id | Initiative Category | State | Type |
|---|---|---|---|---|
| FedRAMP High | d5264498-16f4-418a-b659-fa7ef418175f | Regulatory Compliance | GA | BuiltIn |
| FedRAMP Moderate | e95f5a9f-57ad-4d03-bb0b-b1d16db93693 | Regulatory Compliance | GA | BuiltIn |
| NIST SP 800-53 Rev. 4 | cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f | Regulatory Compliance | GA | BuiltIn |
| NIST SP 800-53 Rev. 5 | 179d1daa-458f-4e47-8086-2a68d0d6c38f | Regulatory Compliance | GA | BuiltIn |
| PCI DSS v4 | c676748e-3af9-4e22-bc28-50feed564afb | Regulatory Compliance | GA | BuiltIn |
History
| Date/Time (UTC ymd) | Change type | Change detail |
|---|---|---|
| 2022-09-27 16:35:32 | change | Minor (1.0.0 > 1.1.0) |
| 2022-09-19 17:41:40 | add | ca6d7878-3189-1833-4620-6c7254ed1607 |