last sync: 2024-Apr-19 17:43:58 UTC

Identify and authenticate non-organizational users | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source: Azure Portal
Display name: Identify and authenticate non-organizational users
Id: e1379836-3492-6395-451d-2f5062e14136
Version: 1.1.0
Category: Regulatory Compliance
Description: CMA_C1346 - Identify and authenticate non-organizational users
Additional metadata:
  Name/Id: CMA_C1346 / CMA_C1346
  Category: Operational
  Title: Identify and authenticate non-organizational users
  Ownership: Customer
  Description: The customer is responsible for identifying and authenticating non-organizational users accessing customer-deployed resources.
  Requirements: The customer is responsible for implementing this recommendation.
Mode: All
Type: BuiltIn
Preview: False
Deprecated: False
Effect: Default = Manual; Allowed = Manual, Disabled
RBAC role(s): none
Rule aliases: none
Rule resource types: IF (1): Microsoft.Resources/subscriptions
Compliance
The following 16 compliance controls are associated with this Policy definition 'Identify and authenticate non-organizational users' (e1379836-3492-6395-451d-2f5062e14136)
Control Domain: FedRAMP_High_R4
Control Name: IA-8
MetadataId: FedRAMP_High_R4_IA-8 (FedRAMP High IA-8)
Category: Identification And Authentication
Title: Identification And Authentication (Non-Organizational Users)
Owner: Shared
Requirements: n/a
Description: The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users). Supplemental Guidance: Non-organizational users include information system users other than organizational users explicitly covered by IA-2. These individuals are uniquely identified and authenticated for accesses other than those accesses explicitly identified and documented in AC-14. In accordance with the E-Authentication E-Government initiative, authentication of non-organizational users accessing federal information systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations use risk assessments to determine authentication needs and consider scalability, practicality, and security in balancing the need to ensure ease of use for access to federal information and information systems with the need to protect and adequately mitigate risk. IA-2 addresses identification and authentication requirements for access to information systems by organizational users. Related controls: AC-2, AC-14, AC-17, AC-18, IA-2, IA-4, IA-5, MA-4, RA-3, SA-12, SC-8. References: OMB Memoranda 04-04, 11-11, 10-06-2011; FICAM Roadmap and Implementation Guidance; FIPS Publication 201; NIST Special Publications 800-63, 800-116; National Strategy for Trusted Identities in Cyberspace; Web: http://idmanagement.gov.
Policy#: 1

Control Domain: FedRAMP_Moderate_R4
Control Name: IA-8
MetadataId: FedRAMP_Moderate_R4_IA-8 (FedRAMP Moderate IA-8)
Category: Identification And Authentication
Title: Identification And Authentication (Non-Organizational Users)
Owner: Shared
Requirements: n/a
Description: The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users). Supplemental Guidance: Non-organizational users include information system users other than organizational users explicitly covered by IA-2. These individuals are uniquely identified and authenticated for accesses other than those accesses explicitly identified and documented in AC-14. In accordance with the E-Authentication E-Government initiative, authentication of non-organizational users accessing federal information systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations use risk assessments to determine authentication needs and consider scalability, practicality, and security in balancing the need to ensure ease of use for access to federal information and information systems with the need to protect and adequately mitigate risk. IA-2 addresses identification and authentication requirements for access to information systems by organizational users. Related controls: AC-2, AC-14, AC-17, AC-18, IA-2, IA-4, IA-5, MA-4, RA-3, SA-12, SC-8. References: OMB Memoranda 04-04, 11-11, 10-06-2011; FICAM Roadmap and Implementation Guidance; FIPS Publication 201; NIST Special Publications 800-63, 800-116; National Strategy for Trusted Identities in Cyberspace; Web: http://idmanagement.gov.
Policy#: 1

Control Domain: hipaa
Control Name: 0861.09m2Organizational.67-09.m
MetadataId: hipaa-0861.09m2Organizational.67-09.m
Category: 08 Network Protection
Title: 09.06 Network Security Management
Owner: Shared
Requirements: n/a
Description: To identify and authenticate devices on local and/or wide area networks, including wireless networks, the information system uses either a (i) shared known information solution, or (ii) an organizational authentication solution, the exact selection and strength of which is dependent on the security categorization of the information system.
Policy#: 7

Control Domain: hipaa
Control Name: 0870.09m3Organizational.20-09.m
MetadataId: hipaa-0870.09m3Organizational.20-09.m
Category: 08 Network Protection
Title: 09.06 Network Security Management
Owner: Shared
Requirements: n/a
Description: Access to all proxies is denied, except for those hosts, ports, and services that are explicitly required.
Policy#: 8

Control Domain: hipaa
Control Name: 1006.01d2System.1-01.d
MetadataId: hipaa-1006.01d2System.1-01.d
Category: 10 Password Management
Title: 01.02 Authorized Access to Information Systems
Owner: Shared
Requirements: n/a
Description: Passwords are not included in automated log-on processes.
Policy#: 5

Control Domain: hipaa
Control Name: 1122.01q1System.1-01.q
MetadataId: hipaa-1122.01q1System.1-01.q
Category: 11 Access Control
Title: 01.05 Operating System Access Control
Owner: Shared
Requirements: n/a
Description: Unique IDs that can be used to trace activities to the responsible individual are required for all types of organizational and non-organizational users.
Policy#: 7

Control Domain: hipaa
Control Name: 1424.05j2Organizational.5-05.j
MetadataId: hipaa-1424.05j2Organizational.5-05.j
Category: 14 Third Party Assurance
Title: 05.02 External Parties
Owner: Shared
Requirements: n/a
Description: The organization has a formal mechanism to authenticate the customer's identity prior to granting access to covered information.
Policy#: 8

Control Domain: ISO27001-2013
Control Name: A.10.1.2
MetadataId: ISO27001-2013_A.10.1.2 (ISO 27001:2013 A.10.1.2)
Category: Cryptography
Title: Key Management
Owner: Shared
Requirements: n/a
Description: A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle.
Policy#: 15

Control Domain: ISO27001-2013
Control Name: A.14.1.2
MetadataId: ISO27001-2013_A.14.1.2 (ISO 27001:2013 A.14.1.2)
Category: System Acquisition, Development And Maintenance
Title: Securing application services on public networks
Owner: Shared
Requirements: n/a
Description: Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.
Policy#: 32

Control Domain: ISO27001-2013
Control Name: A.14.1.3
MetadataId: ISO27001-2013_A.14.1.3 (ISO 27001:2013 A.14.1.3)
Category: System Acquisition, Development And Maintenance
Title: Protecting application services transactions
Owner: Shared
Requirements: n/a
Description: Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.
Policy#: 29

Control Domain: ISO27001-2013
Control Name: A.9.1.2
MetadataId: ISO27001-2013_A.9.1.2 (ISO 27001:2013 A.9.1.2)
Category: Access Control
Title: Access to networks and network services
Owner: Shared
Requirements: n/a
Description: Users shall only be provided with access to the network and network services that they have been specifically authorized to use.
Policy#: 29

Control Domain: ISO27001-2013
Control Name: A.9.2.1
MetadataId: ISO27001-2013_A.9.2.1 (ISO 27001:2013 A.9.2.1)
Category: Access Control
Title: User registration and de-registration
Owner: Shared
Requirements: n/a
Description: A formal user registration and de-registration process shall be implemented to enable assignment of access rights.
Policy#: 27

Control Domain: ISO27001-2013
Control Name: A.9.4.2
MetadataId: ISO27001-2013_A.9.4.2 (ISO 27001:2013 A.9.4.2)
Category: Access Control
Title: Secure log-on procedures
Owner: Shared
Requirements: n/a
Description: Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure.
Policy#: 17

Control Domain: NIST_SP_800-53_R4
Control Name: IA-8
MetadataId: NIST_SP_800-53_R4_IA-8 (NIST SP 800-53 Rev. 4 IA-8)
Category: Identification And Authentication
Title: Identification And Authentication (Non-Organizational Users)
Owner: Shared
Requirements: n/a
Description: The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users). Supplemental Guidance: Non-organizational users include information system users other than organizational users explicitly covered by IA-2. These individuals are uniquely identified and authenticated for accesses other than those accesses explicitly identified and documented in AC-14. In accordance with the E-Authentication E-Government initiative, authentication of non-organizational users accessing federal information systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations use risk assessments to determine authentication needs and consider scalability, practicality, and security in balancing the need to ensure ease of use for access to federal information and information systems with the need to protect and adequately mitigate risk. IA-2 addresses identification and authentication requirements for access to information systems by organizational users. Related controls: AC-2, AC-14, AC-17, AC-18, IA-2, IA-4, IA-5, MA-4, RA-3, SA-12, SC-8. References: OMB Memoranda 04-04, 11-11, 10-06-2011; FICAM Roadmap and Implementation Guidance; FIPS Publication 201; NIST Special Publications 800-63, 800-116; National Strategy for Trusted Identities in Cyberspace; Web: http://idmanagement.gov.
Policy#: 1

Control Domain: NIST_SP_800-53_R5
Control Name: IA-8
MetadataId: NIST_SP_800-53_R5_IA-8 (NIST SP 800-53 Rev. 5 IA-8)
Category: Identification and Authentication
Title: Identification and Authentication (non-organizational Users)
Owner: Shared
Requirements: n/a
Description: Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.
Policy#: 1

Control Domain: PCI_DSS_v4.0
Control Name: 8.2.7
MetadataId: PCI_DSS_v4.0_8.2.7 (PCI DSS v4.0 8.2.7)
Category: Requirement 08: Identify Users and Authenticate Access to System Components
Title: User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle
Owner: Shared
Requirements: n/a
Description: Accounts used by third parties to access, support, or maintain system components via remote access are managed as follows:
  • Enabled only during the time period needed and disabled when not in use.
  • Use is monitored for unexpected activity.
Policy#: 6
Initiatives usage

Initiative DisplayName   Initiative Id                          Initiative Category    State  Type
FedRAMP High             d5264498-16f4-418a-b659-fa7ef418175f   Regulatory Compliance  GA     BuiltIn
FedRAMP Moderate         e95f5a9f-57ad-4d03-bb0b-b1d16db93693   Regulatory Compliance  GA     BuiltIn
HITRUST/HIPAA            a169a624-5599-4385-a696-c8d643089fab   Regulatory Compliance  GA     BuiltIn
ISO 27001:2013           89c6cddc-1c73-4ac1-b19c-54d1a15a42f2   Regulatory Compliance  GA     BuiltIn
NIST SP 800-53 Rev. 4    cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f   Regulatory Compliance  GA     BuiltIn
NIST SP 800-53 Rev. 5    179d1daa-458f-4e47-8086-2a68d0d6c38f   Regulatory Compliance  GA     BuiltIn
PCI DSS v4               c676748e-3af9-4e22-bc28-50feed564afb   Regulatory Compliance  GA     BuiltIn
History

Date/Time (UTC ymd)   Change type  Change detail
2022-09-27 16:35:32   change       Minor (1.0.0 > 1.1.0)
2022-09-19 17:41:40   add          e1379836-3492-6395-451d-2f5062e14136