last sync: 2024-Jun-13 18:14:14 UTC

Microsoft Managed Control 1047 - System Use Notification | Regulatory Compliance - Access Control

Azure BuiltIn Policy definition

Source Azure Portal
Display name Microsoft Managed Control 1047 - System Use Notification
Id e1ff6d62-a55c-41ab-90ba-90bb5b7b6f62
Version 1.0.0
Details on versioning
Category Regulatory Compliance
Microsoft Learn
Description Microsoft implements this Access Control control
Additional metadata Name/Id: ACF1047 / Microsoft Managed Control 1047
Category: Access Control
Title: System Use Notification - U.S. Government System
Ownership: Customer, Microsoft
Description: The information system: Displays to usersystem use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: Users are accessing a U.S. Government information system; Information system usage may be monitored, recorded, and subject to audit; Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and Use of the information system indicates consent to monitoring and recording. This control is not applicable in the information system.
Requirements: All access methods into the Azure production environment include a warning banner prior to administrative login to all servers and network devices. There are two approved messages reviewed by Microsoft Corporate, External, and Legal Affairs (CELA). The first states: "You are accessing an information system that may contain U.S. Government data. System usage may be monitored, recorded, and subject to audit. Unauthorized use of the system is prohibited and may be subject to criminal and civil penalties. Use of the system indicates consent to monitoring and recording. Administrative personnel remotely accessing the Azure environment: * Maintain their remote computer in a secure manner, in accordance with organizational security policies and procedures as defined in Microsoft Remote Connectivity Security Policies. * Only access the Azure environment in execution of operational, deployment, and support responsibilities using only administrative applications or tools directly related to performing these responsibilities. * Are advised to not knowingly store, transfer into, or process in the Azure environment data exceeding a FIPS 199 High security categorization (FISMA Controlled Unclassified Information)." An alternate approved wording states: "You are accessing an information system that may contain U.S. Government data. System usage may be monitored, recorded, and subject to audit. Unauthorized use of the system is prohibited and may be subject to criminal and civil penalties. Use of the system indicates consent to monitoring and recording. Administrative personnel remotely accessing the Azure environment: (1) shall maintain their remote computer in a secure manner, in accordance with organizational security policies and procedures as defined in Microsoft Remote Connectivity Security Policies; (2) shall only access the Azure environment in execution of operational, deployment, and support responsibilities using only administrative applications or tools directly related to performing these responsibilities; and (3) shall not knowingly store, transfer into, or process in the Azure environment data exceeding a FIPS 199 Moderate security categorization (FISMA Controlled Unclassified Information)." A warning message is also presented to users requesting JIT elevation at the JIT access portal, prior to obtaining elevated permissions. This message states: Warning You are accessing an information system that may contain sensitive data. System usage may be monitored, recorded, and subject to audit. Unauthorized use of the system is prohibited and may be subject to criminal and civil penalties. Use of the system indicates consent to monitoring and recording. Administrative personnel remotely accessing the Azure environment shall maintain their remote computer in a secure manner in accordance with organizational security policies and procedures as defined in the Microsoft Remote Connectivity Security Policies.
Mode Indexed
Type Static
Preview False
Deprecated False
Effect Fixed
audit
RBAC role(s) none
Rule aliases none
Rule resource types IF (2)
Microsoft.Resources/subscriptions
Microsoft.Resources/subscriptions/resourceGroups
Compliance Not a Compliance control
Initiatives usage none
History none
JSON compare n/a
JSON
api-version=2021-06-01
EPAC