last sync: 2024-Apr-24 17:46:58 UTC

Update POA&M items | Regulatory Compliance - Documentation

Azure BuiltIn Policy definition

Source: Azure Portal
Display name: Update POA&M items
Id: cc057769-01d9-95ad-a36f-1e62a7f9540b
Version: 1.1.0
Category: Regulatory Compliance
Description: CMA_C1157 - Update POA&M items
Additional metadata:
  Name/Id: CMA_C1157 / CMA_C1157
  Category: Documentation
  Title: Update POA&M items
  Ownership: Customer
  Description: The customer is responsible for updating POA&M items defined in CA-05.a, which should include findings from security assessments, impact analyses, and continuous monitoring activities.
  Requirements: The customer is responsible for implementing this recommendation.
Mode: All
Type: BuiltIn
Preview: False
Deprecated: False
Effect: Default = Manual; Allowed = Manual, Disabled
RBAC role(s): none
Rule aliases: none
Rule resource types: IF (1) Microsoft.Resources/subscriptions
Compliance
The following 26 compliance controls are associated with this Policy definition 'Update POA&M items' (cc057769-01d9-95ad-a36f-1e62a7f9540b)
Each entry: control domain and control name (MetadataId) | Category | Title | Owner | Requirements | Policy# (number of policy definitions mapped to that control), followed by the control description.

FedRAMP High CA-5 (FedRAMP_High_R4_CA-5) | Security Assessment And Authorization | Plan Of Action And Milestones | Shared | n/a | Policy#: 2
Description: The organization: a. Develops a plan of action and milestones for the information system to document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and b. Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities. Supplemental Guidance: Plans of action and milestones are key documents in security authorization packages and are subject to federal reporting requirements established by OMB. Related controls: CA-2, CA-7, CM-4, PM-4. References: OMB Memorandum 02-01; NIST Special Publication 800-37.

FedRAMP Moderate CA-5 (FedRAMP_Moderate_R4_CA-5) | Security Assessment And Authorization | Plan Of Action And Milestones | Shared | n/a | Policy#: 2
Description: identical to FedRAMP High CA-5 above (parts a and b, supplemental guidance, related controls and references).

HITRUST/HIPAA 0601.06g1Organizational.124-06.g (hipaa-0601.06g1Organizational.124-06.g) | 06 Configuration Management | 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Shared | n/a | Policy#: 6
Description: Annual compliance reviews are conducted by security or audit individuals using manual or automated tools; if non-compliance is found, appropriate action is taken.

HITRUST/HIPAA 0602.06g1Organizational.3-06.g (hipaa-0602.06g1Organizational.3-06.g) | 06 Configuration Management | 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Shared | n/a | Policy#: 10
Description: The results and recommendations of the reviews are documented and approved by management.

HITRUST/HIPAA 12102.09ab1Organizational.4-09.ab (hipaa-12102.09ab1Organizational.4-09.ab) | 12 Audit Logging & Monitoring | 09.10 Monitoring | Shared | n/a | Policy#: 7
Description: The organization periodically tests its monitoring and detection processes, remediates deficiencies, and improves its processes.

HITRUST/HIPAA 1708.03c2Organizational.12-03.c (hipaa-1708.03c2Organizational.12-03.c) | 17 Risk Management | 03.01 Risk Management Program | Shared | n/a | Policy#: 2
Description: A risk treatment plan that identifies risks and nonconformities, corrective actions, resources, responsibilities and priorities for managing information security risks is regularly reviewed and updated.

ISO 27001:2013 C.10.1.d (ISO27001-2013_C.10.1.d) | Improvement | Nonconformity and corrective action | Shared | n/a | Policy#: 1
Description: When a nonconformity occurs, the organization shall: d) review the effectiveness of any corrective action taken.

ISO 27001:2013 C.10.1.e (ISO27001-2013_C.10.1.e) | Improvement | Nonconformity and corrective action | Shared | n/a | Policy#: 1
Description: When a nonconformity occurs, the organization shall: e) make changes to the information security management system, if necessary.

ISO 27001:2013 C.10.1.f (ISO27001-2013_C.10.1.f) | Improvement | Nonconformity and corrective action | Shared | n/a | Policy#: 3
Description: Corrective actions shall be appropriate to the effects of the nonconformities encountered. The organization shall retain documented information as evidence of: f) the nature of the nonconformities and any subsequent actions taken.

ISO 27001:2013 C.10.1.g (ISO27001-2013_C.10.1.g) | Improvement | Nonconformity and corrective action | Shared | n/a | Policy#: 3
Description: Corrective actions shall be appropriate to the effects of the nonconformities encountered. The organization shall retain documented information as evidence of: g) the results of any corrective action.

ISO 27001:2013 C.6.1.1.e.2 (ISO27001-2013_C.6.1.1.e.2) | Planning | General | Shared | n/a | Policy#: 3
Description: When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed. The organization shall plan: e) how to - 2) evaluate the effectiveness of these actions.

ISO 27001:2013 C.8.1 (ISO27001-2013_C.8.1) | Operation | Operational planning and control | Shared | n/a | Policy#: 21
Description: The organization shall plan, implement and control the processes needed to meet information security requirements, and to implement the actions determined in 6.1. The organization shall also implement plans to achieve information security objectives determined in 6.2. The organization shall keep documented information to the extent necessary to have confidence that the processes have been carried out as planned. The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. The organization shall ensure that outsourced processes are determined and controlled.

ISO 27001:2013 C.8.3 (ISO27001-2013_C.8.3) | Operation | Information security risk treatment | Shared | n/a | Policy#: 4
Description: The organization shall implement the information security risk treatment plan. The organization shall retain documented information of the results of the information security risk treatment.

ISO 27001:2013 C.9.3.a, C.9.3.b, C.9.3.c.1, C.9.3.c.2, C.9.3.c.3, C.9.3.c.4, C.9.3.d, C.9.3.e, C.9.3.f (ISO27001-2013_C.9.3.a through ISO27001-2013_C.9.3.f) | Performance Evaluation | Management review | Shared | n/a | Policy#: a = 5, b = 4, c.1 = 6, c.2 = 4, c.3 = 4, c.4 = 4, d = 3, e = 3, f = 3
Description (the nine rows share the same preamble and closing text; each row carries one of the lettered items): Top management shall review the organization’s information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness. The management review shall include consideration of:
  a) the status of actions from previous management reviews;
  b) changes in external and internal issues that are relevant to the information security management system;
  c) feedback on the information security performance, including trends in: 1) nonconformities and corrective actions; 2) monitoring and measurement results; 3) audit results; 4) fulfilment of information security objectives;
  d) feedback from interested parties;
  e) results of risk assessment and status of risk treatment plan; and
  f) opportunities for continual improvement.
The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system. The organization shall retain documented information as evidence of the results of management reviews.

NIST SP 800-171 R2 3.12.2 (NIST_SP_800-171_R2_3.12.2) | Security Assessment | Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. | Shared | Microsoft and the customer share responsibilities for implementing this requirement. | Policy#: 4
Description: The plan of action is a key document in the information security program. Organizations develop plans of action that describe how any unimplemented security requirements will be met and how any planned mitigations will be implemented. Organizations can document the system security plan and plan of action as separate or combined documents and in any chosen format. Federal agencies may consider the submitted system security plans and plans of action as critical inputs to an overall risk management decision to process, store, or transmit CUI on a system hosted by a nonfederal organization and whether it is advisable to pursue an agreement or contract with the nonfederal organization. [NIST CUI] provides supplemental material for Special Publication 800-171 including templates for plans of action.

NIST SP 800-53 Rev. 4 CA-5 (NIST_SP_800-53_R4_CA-5) | Security Assessment And Authorization | Plan Of Action And Milestones | Shared | n/a | Policy#: 2
Description: identical to FedRAMP High CA-5 above (parts a and b, supplemental guidance, related controls and references).

NIST SP 800-53 Rev. 5 CA-5 (NIST_SP_800-53_R5_CA-5) | Assessment, Authorization, and Monitoring | Plan of Action and Milestones | Shared | n/a | Policy#: 2
Description: a. Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and b. Update existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.

PCI DSS v4.0 12.4.2.1 (PCI_DSS_v4.0_12.4.2.1) | Requirement 12: Support Information Security with Organizational Policies and Programs | PCI DSS compliance is managed | Shared | n/a | Policy#: 7
Description: Reviews conducted in accordance with Requirement 12.4.2 are documented to include: • Results of the reviews. • Documented remediation actions taken for any tasks that were found to not be performed at Requirement 12.4.2. • Review and sign-off of results by personnel assigned responsibility for the PCI DSS compliance program.
Initiatives usage
Initiative DisplayName | Initiative Id | Initiative Category | State | Type
FedRAMP High | d5264498-16f4-418a-b659-fa7ef418175f | Regulatory Compliance | GA | BuiltIn
FedRAMP Moderate | e95f5a9f-57ad-4d03-bb0b-b1d16db93693 | Regulatory Compliance | GA | BuiltIn
HITRUST/HIPAA | a169a624-5599-4385-a696-c8d643089fab | Regulatory Compliance | GA | BuiltIn
ISO 27001:2013 | 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 | Regulatory Compliance | GA | BuiltIn
NIST SP 800-171 Rev. 2 | 03055927-78bd-4236-86c0-f36125a10dc9 | Regulatory Compliance | GA | BuiltIn
NIST SP 800-53 Rev. 4 | cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f | Regulatory Compliance | GA | BuiltIn
NIST SP 800-53 Rev. 5 | 179d1daa-458f-4e47-8086-2a68d0d6c38f | Regulatory Compliance | GA | BuiltIn
PCI DSS v4 | c676748e-3af9-4e22-bc28-50feed564afb | Regulatory Compliance | GA | BuiltIn
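Because this definition carries the Manual effect, Azure Policy evaluates nothing for it; the subscription's compliance state for the control is whatever you attest, and the attestation must name the initiative assignment plus the policyDefinitionReferenceId under which this definition appears inside that initiative (the same definition sits in all eight initiatives above). The following is an added example for this page, not code from AzAdvertizer, Microsoft or the policy itself: it locates the reference ID in an initiative document and builds the Microsoft.PolicyInsights/attestations request for subscription scope, which is the scope the policy rule targets. The subscription ID, assignment name, reference ID, evidence URL and 90-day validity are placeholders; the sample initiative fragment is constructed and its reference IDs are not the real ones.

```python
"""Build and sanity-check an Azure Policy attestation body for a manual-effect
policy such as 'Update POA&M items' (cc057769-01d9-95ad-a36f-1e62a7f9540b).

Added example; not code from AzAdvertizer or Microsoft. Placeholders (not on
the page): subscription ID, assignment name, policyDefinitionReferenceId,
evidence URL, validity period. The real reference ID must be read from the
assigned initiative (properties.policyDefinitions[].policyDefinitionReferenceId),
which find_reference_id() does for an initiative JSON document.
"""
import json
from datetime import datetime, timedelta, timezone
from typing import Optional

POLICY_GUID = "cc057769-01d9-95ad-a36f-1e62a7f9540b"  # definition ID from the page
ATTESTATION_API_VERSION = "2022-09-01"                 # Microsoft.PolicyInsights/attestations
ALLOWED_STATES = ("Compliant", "NonCompliant", "Unknown")

# Constructed sample initiative fragment in the shape of a policySetDefinition.
# The initiative ID is the FedRAMP High ID from the page; the reference IDs are placeholders.
SAMPLE_INITIATIVE = {
    "name": "d5264498-16f4-418a-b659-fa7ef418175f",
    "properties": {
        "policyDefinitions": [
            {
                "policyDefinitionReferenceId": "someOtherPolicy",
                "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/11111111-1111-1111-1111-111111111111",
            },
            {
                "policyDefinitionReferenceId": "updatePoamItems",  # placeholder, not the real reference ID
                "policyDefinitionId": f"/providers/Microsoft.Authorization/policyDefinitions/{POLICY_GUID}",
            },
        ]
    },
}
# Deterministic "now" for the demo: the page's sync time.
SAMPLE_NOW = datetime(2024, 4, 24, 17, 46, 58, tzinfo=timezone.utc)


def find_reference_id(initiative: dict, policy_guid: str) -> Optional[str]:
    """Return the policyDefinitionReferenceId of the initiative entry wrapping policy_guid.
    An attestation against an initiative assignment must carry this reference ID; the
    definition GUID alone is ambiguous because one definition can appear in many initiatives."""
    for entry in initiative["properties"]["policyDefinitions"]:
        if entry["policyDefinitionId"].lower().endswith(policy_guid.lower()):
            return entry["policyDefinitionReferenceId"]
    return None


def build_attestation(subscription_id, assignment_name, reference_id, state,
                      evidence_uri, comments, days_valid=90, now=None):
    """Return (PUT URL, request body) for a subscription-scope attestation.
    Raises ValueError for a compliance state Azure would reject and for two local
    checks this example adds: evidence must be an HTTPS link (the POA&M record in
    the GRC tool) and the attestation must expire in the future, so a stale
    'Compliant' cannot linger after the next review cycle."""
    now = now or datetime.now(timezone.utc)
    if state not in ALLOWED_STATES:
        raise ValueError(f"complianceState must be one of {ALLOWED_STATES}, got {state!r}")
    if not evidence_uri.startswith("https://"):
        raise ValueError("evidence sourceUri should point at the POA&M record over HTTPS")
    if days_valid <= 0:
        raise ValueError("attestation must expire in the future")
    scope = f"/subscriptions/{subscription_id}"
    name = f"poam-{reference_id}".lower()
    stamp = "%Y-%m-%dT%H:%M:%SZ"
    body = {
        "properties": {
            "policyAssignmentId": f"{scope}/providers/Microsoft.Authorization/policyAssignments/{assignment_name}",
            "policyDefinitionReferenceId": reference_id,
            "complianceState": state,
            "expiresOn": (now + timedelta(days=days_valid)).strftime(stamp),
            "assessmentDate": now.strftime(stamp),
            "comments": comments,
            "evidence": [{"description": "Current POA&M with update history", "sourceUri": evidence_uri}],
        }
    }
    url = (f"https://management.azure.com{scope}/providers/Microsoft.PolicyInsights/"
           f"attestations/{name}?api-version={ATTESTATION_API_VERSION}")
    return url, body


if __name__ == "__main__":
    ref = find_reference_id(SAMPLE_INITIATIVE, POLICY_GUID)
    url, body = build_attestation("00000000-0000-0000-0000-000000000000", "fedramp-high", ref,
                                  "Compliant", "https://grc.example.invalid/poam/2024-04",
                                  "POA&M updated after the April 2024 assessment", now=SAMPLE_NOW)
    print("PUT", url)
    print(json.dumps(body, indent=2))
```

The body is sent with an ARM bearer token as a PUT to the printed URL; the subscription scope matters because the rule's resource type is Microsoft.Resources/subscriptions, so an attestation created on a resource group or resource would not map to this policy's evaluation. Keep expiresOn aligned with the POA&M update frequency you set for CA-5(b), so the attestation lapses to its default state when the next update is overdue rather than reporting a compliance that nobody has re-checked.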
History
Date/Time (UTC ymd) | Change type | Change detail
2022-09-27 16:35:32 | change | Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 | add | cc057769-01d9-95ad-a36f-1e62a7f9540b