last sync: 2023-Jan-27 18:40:07 UTC

Azure Policy definition

Implement controls to secure all media

Name Implement controls to secure all media
Azure Portal
Id e435f7e3-0dd9-58c9-451f-9b44b96c0232
Version 1.1.0
details on versioning
Category Regulatory Compliance
Microsoft docs
Description CMA_0314 - Implement controls to secure all media
Mode All
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Default
Manual
Allowed
Manual, Disabled
RBAC
Role(s)
none
Rule
Aliases
Rule
ResourceTypes
IF (1)
Microsoft.Resources/subscriptions
Compliance The following 143 compliance controls are associated with this Policy definition 'Implement controls to secure all media' (e435f7e3-0dd9-58c9-451f-9b44b96c0232)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
CIS_Azure_1.1.0 2.11 CIS_Azure_1.1.0_2.11 CIS Microsoft Azure Foundations Benchmark recommendation 2.11 2 Security Center Ensure ASC Default policy setting "Monitor Storage Blob Encryption" is not "Disabled" Shared The customer is responsible for implementing this recommendation. Enable storage encryption recommendations. link 4
CIS_Azure_1.1.0 2.15 CIS_Azure_1.1.0_2.15 CIS Microsoft Azure Foundations Benchmark recommendation 2.15 2 Security Center Ensure ASC Default policy setting "Monitor SQL Encryption" is not "Disabled" Shared The customer is responsible for implementing this recommendation. Enable SQL encryption recommendations. link 5
CIS_Azure_1.1.0 2.6 CIS_Azure_1.1.0_2.6 CIS Microsoft Azure Foundations Benchmark recommendation 2.6 2 Security Center Ensure ASC Default policy setting "Monitor Disk Encryption" is not "Disabled" Shared The customer is responsible for implementing this recommendation. Enable Disk encryption recommendations for virtual machines. link 5
CIS_Azure_1.1.0 4.10 CIS_Azure_1.1.0_4.10 CIS Microsoft Azure Foundations Benchmark recommendation 4.10 4 Database Services Ensure SQL server's TDE protector is encrypted with BYOK (Use your own key) Shared The customer is responsible for implementing this recommendation. TDE with BYOK support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. With TDE, data is encrypted at rest with a symmetric key (called the database encryption key) stored in the database or data warehouse distribution. To protect this data encryption key (DEK) in the past, only a certificate that the Azure SQL Service managed could be used. Now, with BYOK support for TDE, the DEK can be protected with an asymmetric key that is stored in the Key Vault. Key Vault is a highly available and scalable cloud-based key store which offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of management of keys and data, for additional security. Based on business needs or criticality of data/databases hosted a SQL server, it is recommended that the TDE protector is encrypted by a key that is managed by the data owner (BYOK). link 6
CIS_Azure_1.1.0 4.9 CIS_Azure_1.1.0_4.9 CIS Microsoft Azure Foundations Benchmark recommendation 4.9 4 Database Services Ensure that 'Data encryption' is set to 'On' on a SQL Database Shared The customer is responsible for implementing this recommendation. Enable Transparent Data Encryption on every SQL server. link 5
CIS_Azure_1.1.0 7.1 CIS_Azure_1.1.0_7.1 CIS Microsoft Azure Foundations Benchmark recommendation 7.1 7 Virtual Machines Ensure that 'OS disk' are encrypted Shared The customer is responsible for implementing this recommendation. Ensure that OS disks (boot volumes) are encrypted, where possible. link 5
CIS_Azure_1.1.0 7.2 CIS_Azure_1.1.0_7.2 CIS Microsoft Azure Foundations Benchmark recommendation 7.2 7 Virtual Machines Ensure that 'Data disks' are encrypted Shared The customer is responsible for implementing this recommendation. Ensure that data disks (non-boot volumes) are encrypted, where possible. link 5
CIS_Azure_1.1.0 7.3 CIS_Azure_1.1.0_7.3 CIS Microsoft Azure Foundations Benchmark recommendation 7.3 7 Virtual Machines Ensure that 'Unattached disks' are encrypted Shared The customer is responsible for implementing this recommendation. Ensure that unattached disks in a subscription are encrypted. link 4
CIS_Azure_1.3.0 3.9 CIS_Azure_1.3.0_3.9 CIS Microsoft Azure Foundations Benchmark recommendation 3.9 3 Storage Accounts Ensure storage for critical data are encrypted with Customer Managed Key Shared The customer is responsible for implementing this recommendation. Enable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft Managed keys link 5
CIS_Azure_1.3.0 4.1.2 CIS_Azure_1.3.0_4.1.2 CIS Microsoft Azure Foundations Benchmark recommendation 4.1.2 4 Database Services Ensure that 'Data encryption' is set to 'On' on a SQL Database Shared The customer is responsible for implementing this recommendation. Enable Transparent Data Encryption on every SQL server. link 5
CIS_Azure_1.3.0 4.5 CIS_Azure_1.3.0_4.5 CIS Microsoft Azure Foundations Benchmark recommendation 4.5 4 Database Services Ensure SQL server's TDE protector is encrypted with Customer-managed key Shared The customer is responsible for implementing this recommendation. TDE with Customer-managed key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. With TDE, data is encrypted at rest with a symmetric key (called the database encryption key) stored in the database or data warehouse distribution. To protect this data encryption key (DEK) in the past, only a certificate that the Azure SQL Service managed could be used. Now, with Customer-managed key support for TDE, the DEK can be protected with an asymmetric key that is stored in the Key Vault. Key Vault is a highly available and scalable cloud-based key store which offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of management of keys and data, for additional security. Based on business needs or criticality of data/databases hosted a SQL server, it is recommended that the TDE protector is encrypted by a key that is managed by the data owner (Customer-managed key). link 6
CIS_Azure_1.3.0 7.2 CIS_Azure_1.3.0_7.2 CIS Microsoft Azure Foundations Benchmark recommendation 7.2 7 Virtual Machines Ensure that 'OS and Data' disks are encrypted with CMK Shared The customer is responsible for implementing this recommendation. Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK. link 5
CIS_Azure_1.3.0 7.3 CIS_Azure_1.3.0_7.3 CIS Microsoft Azure Foundations Benchmark recommendation 7.3 7 Virtual Machines Ensure that 'Unattached disks' are encrypted with CMK Shared The customer is responsible for implementing this recommendation. Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK). link 4
CIS_Azure_1.3.0 7.7 CIS_Azure_1.3.0_7.7 CIS Microsoft Azure Foundations Benchmark recommendation 7.7 7 Virtual Machines Ensure that VHD's are encrypted Shared The customer is responsible for implementing this recommendation. VHD (Virtual Hard Disks) are stored in BLOB storage and are the old style disks that were attached to Virtual Machines, and the BLOB VHD was then leased to the VM. By Default storage accounts are not encrypted, and Azure Defender(Security Centre) would then recommend that the OS disks should be encrypted. Storage accounts can be encrypted as a whole using PMK or CMK and this should be turned on for storage accounts containing VHD's. link 4
CIS_Azure_1.4.0 3.9 CIS_Azure_1.4.0_3.9 CIS Microsoft Azure Foundations Benchmark recommendation 3.9 3 Storage Accounts Ensure Storage for Critical Data are Encrypted with Customer Managed Keys Shared The customer is responsible for implementing this recommendation. Enable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft Managed keys link 5
CIS_Azure_1.4.0 4.1.2 CIS_Azure_1.4.0_4.1.2 CIS Microsoft Azure Foundations Benchmark recommendation 4.1.2 4 Database Services Ensure that 'Data encryption' is set to 'On' on a SQL Database Shared The customer is responsible for implementing this recommendation. Enable Transparent Data Encryption on every SQL server. link 5
CIS_Azure_1.4.0 4.3.8 CIS_Azure_1.4.0_4.3.8 CIS Microsoft Azure Foundations Benchmark recommendation 4.3.8 4 Database Services Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled' Shared The customer is responsible for implementing this recommendation. Enable encryption at rest for PostgreSQL Databases. link 4
CIS_Azure_1.4.0 4.6 CIS_Azure_1.4.0_4.6 CIS Microsoft Azure Foundations Benchmark recommendation 4.6 4 Database Services Ensure SQL server's TDE protector is encrypted with Customer-managed key Shared The customer is responsible for implementing this recommendation. TDE with Customer-managed key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. With TDE, data is encrypted at rest with a symmetric key (called the database encryption key) stored in the database or data warehouse distribution. To protect this data encryption key (DEK) in the past, only a certificate that the Azure SQL Service managed could be used. Now, with Customer-managed key support for TDE, the DEK can be protected with an asymmetric key that is stored in the Key Vault. Key Vault is a highly available and scalable cloud-based key store which offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of management of keys and data, for additional security. Based on business needs or criticality of data/databases hosted a SQL server, it is recommended that the TDE protector is encrypted by a key that is managed by the data owner (Customer-managed key). link 6
CIS_Azure_1.4.0 7.2 CIS_Azure_1.4.0_7.2 CIS Microsoft Azure Foundations Benchmark recommendation 7.2 7 Virtual Machines Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK) Shared The customer is responsible for implementing this recommendation. Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK (Customer Managed Keys). Customer Managed keys can be either ADE or Server Side Encryption(SSE) link 5
CIS_Azure_1.4.0 7.3 CIS_Azure_1.4.0_7.3 CIS Microsoft Azure Foundations Benchmark recommendation 7.3 7 Virtual Machines Ensure that 'Unattached disks' are encrypted with CMK Shared The customer is responsible for implementing this recommendation. Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK). link 4
CIS_Azure_1.4.0 7.7 CIS_Azure_1.4.0_7.7 CIS Microsoft Azure Foundations Benchmark recommendation 7.7 7 Virtual Machines Ensure that VHD's are Encrypted Shared The customer is responsible for implementing this recommendation. VHD (Virtual Hard Disks) are stored in BLOB storage and are the old style disks that were attached to Virtual Machines, and the BLOB VHD was then leased to the VM. By Default storage accounts are not encrypted, and Azure Defender(Security Centre) would then recommend that the OS disks should be encrypted. Storage accounts can be encrypted as a whole using PMK or CMK and this should be turned on for storage accounts containing VHD's. link 4
FedRAMP_High_R4 AC-20(2) FedRAMP_High_R4_AC-20(2) FedRAMP High AC-20 (2) Access Control Portable Storage Devices Shared n/a The organization [Selection: restricts; prohibits] the use of organization-controlled portable storage devices by authorized individuals on external information systems. Supplemental Guidance: Limits on the use of organization-controlled portable storage devices in external information systems include, for example, complete prohibition of the use of such devices or restrictions on how the devices may be used and under what conditions the devices may be used. link 3
FedRAMP_High_R4 CP-9 FedRAMP_High_R4_CP-9 FedRAMP High CP-9 Contingency Planning Information System Backup Shared n/a The organization: a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and d. Protects the confidentiality, integrity, and availability of backup information at storage locations. Supplemental Guidance: System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Related controls: CP-2, CP-6, MP-4, MP-5, SC-13. References: NIST Special Publication 800-34. link 9
FedRAMP_High_R4 MA-2 FedRAMP_High_R4_MA-2 FedRAMP High MA-2 Maintenance Controlled Maintenance Shared n/a The organization: a. Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements; b. Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location; c. Requires that [Assignment: organization-defined personnel or roles] explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs; d. Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs; e. Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and f. Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records. Supplemental Guidance: This control addresses the information security aspects of the information system maintenance program and applies to all types of maintenance to any system component (including applications) conducted by any local or nonlocal entity (e.g., in-contract, warranty, in- house, software maintenance agreement). System maintenance also includes those components not directly associated with information processing and/or data/information retention such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes, for example: (i) date and time of maintenance; (ii) name of individuals or group performing the maintenance; (iii) name of escort, if necessary; (iv) a description of the maintenance performed; and (v) information system components/equipment removed or replaced (including identification numbers, if applicable). The level of detail included in maintenance records can be informed by the security categories of organizational information systems. Organizations consider supply chain issues associated with replacement components for information systems. Related controls: CM-3, CM-4, MA-4, MP-6, PE-16, SA-12, SI-2. References: None. link 4
FedRAMP_High_R4 MA-3(3) FedRAMP_High_R4_MA-3(3) FedRAMP High MA-3 (3) Maintenance Prevent Unauthorized Removal Shared n/a The organization prevents the unauthorized removal of maintenance equipment containing organizational information by: (a) Verifying that there is no organizational information contained on the equipment; (b) Sanitizing or destroying the equipment; (c) Retaining the equipment within the facility; or (d) Obtaining an exemption from [Assignment: organization-defined personnel or roles] explicitly authorizing removal of the equipment from the facility. Supplemental Guidance: Organizational information includes all information specifically owned by organizations and information provided to organizations in which organizations serve as information stewards. link 4
FedRAMP_High_R4 MA-5(1) FedRAMP_High_R4_MA-5(1) FedRAMP High MA-5 (1) Maintenance Individuals Without Appropriate Access Shared n/a The organization: (a) Implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements: (1) Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified; (2) Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the information system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and (b) Develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system. Supplemental Guidance: This control enhancement denies individuals who lack appropriate security clearances (i.e., individuals who do not possess security clearances or possess security clearances at a lower level than required) or who are not U.S. citizens, visual and electronic access to any classified information, Controlled Unclassified Information (CUI), or any other sensitive information contained on organizational information systems. Procedures for the use of maintenance personnel can be documented in security plans for the information systems. Related controls: MP-6, PL-2. link 2
FedRAMP_High_R4 MP-2 FedRAMP_High_R4_MP-2 FedRAMP High MP-2 Media Protection Media Access Shared n/a The organization restricts access to [Assignment: organization-defined types of digital and/or non-digital media] to [Assignment: organization-defined personnel or roles]. Supplemental Guidance: Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Restricting non-digital media access includes, for example, denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers. Restricting access to digital media includes, for example, limiting access to design specifications stored on compact disks in the media library to the project leader and the individuals on the development team. Related controls: AC-3, IA-2, MP-4, PE-2, PE-3, PL-2. link 1
FedRAMP_High_R4 MP-3 FedRAMP_High_R4_MP-3 FedRAMP High MP-3 Media Protection Media Marking Shared n/a The organization: a. Marks information system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and b. Exempts [Assignment: organization-defined types of information system media] from marking as long as the media remain within [Assignment: organization-defined controlled areas]. Supplemental Guidance: The term security marking refers to the application/use of human-readable security attributes. The term security labeling refers to the application/use of security attributes with regard to internal data structures within information systems (see AC-16). Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Security marking is generally not required for media containing information determined by organizations to be in the public domain or to be publicly releasable. However, some organizations may require markings for public information indicating that the information is publicly releasable. Marking of information system media reflects applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Related controls: AC-16, PL-2, RA-3. Control Enhancements: None. References: FIPS Publication 199. link 1
FedRAMP_High_R4 MP-4 FedRAMP_High_R4_MP-4 FedRAMP High MP-4 Media Protection Media Storage Shared n/a The organization: a. Physically controls and securely stores [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and b. Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures. Supplemental Guidance: Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Physically controlling information system media includes, for example, conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the media library, and maintaining accountability for all stored media. Secure storage includes, for example, a locked drawer, desk, or cabinet, or a controlled media library. The type of media storage is commensurate with the security category and/or classification of the information residing on the media. Controlled areas are areas for which organizations provide sufficient physical and procedural safeguards to meet the requirements established for protecting information and/or information systems. For media containing information determined by organizations to be in the public domain, to be publicly releasable, or to have limited or no adverse impact on organizations or individuals if accessed by other than authorized personnel, fewer safeguards may be needed. In these situations, physical access controls provide adequate protection. Related controls: CP-6, CP-9, MP-2, MP-7, PE-3. References: FIPS Publication 199; NIST Special Publications 800-56, 800-57, 800-111. link 2
FedRAMP_High_R4 MP-5 FedRAMP_High_R4_MP-5 FedRAMP High MP-5 Media Protection Media Transport Shared n/a The organization: a. Protects and controls [Assignment: organization-defined types of information system media] during transport outside of controlled areas using [Assignment: organization-defined security safeguards]; b. Maintains accountability for information system media during transport outside of controlled areas; c. Documents activities associated with the transport of information system media; and d. Restricts the activities associated with the transport of information system media to authorized personnel. Supplemental Guidance: Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers), that are transported outside of controlled areas. Controlled areas are areas or spaces for which organizations provide sufficient physical and/or procedural safeguards to meet the requirements established for protecting information and/or information systems. Physical and technical safeguards for media are commensurate with the security category or classification of the information residing on the media. Safeguards to protect media during transport include, for example, locked containers and cryptography. Cryptographic mechanisms can provide confidentiality and integrity protections depending upon the mechanisms used. Activities associated with transport include the actual transport as well as those activities such as releasing media for transport and ensuring that media enters the appropriate transport processes. For the actual transport, authorized transport and courier personnel may include individuals from outside the organization (e.g., U.S. Postal Service or a commercial transport or delivery service). Maintaining accountability of media during transport includes, for example, restricting transport activities to authorized personnel, and tracking and/or obtaining explicit records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of information system media in accordance with organizational assessments of risk to include the flexibility to define different record-keeping methods for the different types of media transport as part of an overall system of transport-related records. Related controls: AC-19, CP-9, MP-3, MP-4, RA-3, SC-8, SC-13, SC-28. References: FIPS Publication 199; NIST Special Publication 800-60. link 2
FedRAMP_High_R4 MP-5(4) FedRAMP_High_R4_MP-5(4) FedRAMP High MP-5 (4) Media Protection Cryptographic Protection Shared n/a The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas. Supplemental Guidance: This control enhancement applies to both portable storage devices (e.g., USB memory sticks, compact disks, digital video disks, external/removable hard disk drives) and mobile devices with storage capability (e.g., smart phones, tablets, E-readers). Related control: MP-2. References: FIPS Publication 199; NIST Special Publication 800-60. link 2
FedRAMP_High_R4 MP-6 FedRAMP_High_R4_MP-6 FedRAMP High MP-6 Media Protection Media Sanitization Shared n/a The organization: a. Sanitizes [Assignment: organization-defined information system media] prior to disposal, release out of organizational control, or release for reuse using [Assignment: organization- defined sanitization techniques and procedures] in accordance with applicable federal and organizational standards and policies; and b. Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information. Supplemental Guidance: This control applies to all information system media, both digital and non- digital, subject to disposal or reuse, whether or not the media is considered removable. Examples include media found in scanners, copiers, printers, notebook computers, workstations, network components, and mobile devices. The sanitization process removes information from the media such that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, cryptographic erase, and destruction, prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media containing information deemed to be in the public domain or publicly releasable, or deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes, for example, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections/words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media containing classified information. Related controls: MA-2, MA-4, RA-3, SC-4. References: FIPS Publication 199; NIST Special Publications 800-60, 800-88; Web: http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml. link 2
FedRAMP_High_R4 MP-6(1) FedRAMP_High_R4_MP-6(1) FedRAMP High MP-6 (1) Media Protection Review / Approve / Track / Document / Verify Shared n/a The organization reviews, approves, tracks, documents, and verifies media sanitization and disposal actions. Supplemental Guidance: Organizations review and approve media to be sanitized to ensure compliance with records-retention policies. Tracking/documenting actions include, for example, listing personnel who reviewed and approved sanitization and disposal actions, types of media sanitized, specific files stored on the media, sanitization methods used, date and time of the sanitization actions, personnel who performed the sanitization, verification actions taken, personnel who performed the verification, and disposal action taken. Organizations verify that the sanitization of the media was effective prior to disposal. Related control: SI-12. link 2
FedRAMP_High_R4 MP-6(2) FedRAMP_High_R4_MP-6(2) FedRAMP High MP-6 (2) Media Protection Equipment Testing Shared n/a The organization tests sanitization equipment and procedures [Assignment: organization-defined frequency] to verify that the intended sanitization is being achieved. Supplemental Guidance: Testing of sanitization equipment and procedures may be conducted by qualified and authorized external entities (e.g., other federal agencies or external service providers). link 2
FedRAMP_High_R4 MP-7 FedRAMP_High_R4_MP-7 FedRAMP High MP-7 Media Protection Media Use Shared n/a The organization [Selection: restricts; prohibits] the use of [Assignment: organization- defined types of information system media] on [Assignment: organization-defined information systems or system components] using [Assignment: organization-defined security safeguards]. Supplemental Guidance: Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers). In contrast to MP-2, which restricts user access to media, this control restricts the use of certain types of media on information systems, for example, restricting/prohibiting the use of flash drives or external hard disk drives. Organizations can employ technical and nontechnical safeguards (e.g., policies, procedures, rules of behavior) to restrict the use of information system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling/removing the ability to insert, read or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices including, for example, devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, for example, prohibiting the use of writeable, portable storage devices, and implementing this restriction by disabling or removing the capability to write to such devices. Related controls: AC-19, PL-4. References: None. link 4
FedRAMP_High_R4 MP-7(1) FedRAMP_High_R4_MP-7(1) FedRAMP High MP-7 (1) Media Protection Prohibit Use Without Owner Shared n/a The organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner. Supplemental Guidance: Requiring identifiable owners (e.g., individuals, organizations, or projects) for portable storage devices reduces the risk of using such technologies by allowing organizations to assign responsibility and accountability for addressing known vulnerabilities in the devices (e.g., malicious code insertion). Related control: PL-4. link 4
FedRAMP_High_R4 SC-28(1) FedRAMP_High_R4_SC-28(1) FedRAMP High SC-28 (1) System And Communications Protection Cryptographic Protection Shared n/a The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined information] on [Assignment: organization-defined information system components]. Supplemental Guidance: Selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category and/or classification of the information. This control enhancement applies to significant concentrations of digital media in organizational areas designated for media storage and also to limited quantities of media generally associated with information system components in operational environments (e.g., portable storage devices, mobile devices). Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). Organizations employing cryptographic mechanisms to protect information at rest also consider cryptographic key management solutions. Related controls: AC-19, SC-12. link 17
FedRAMP_Moderate_R4 AC-20(2) FedRAMP_Moderate_R4_AC-20(2) FedRAMP Moderate AC-20 (2) Access Control Portable Storage Devices Shared n/a The organization [Selection: restricts; prohibits] the use of organization-controlled portable storage devices by authorized individuals on external information systems. Supplemental Guidance: Limits on the use of organization-controlled portable storage devices in external information systems include, for example, complete prohibition of the use of such devices or restrictions on how the devices may be used and under what conditions the devices may be used. link 3
FedRAMP_Moderate_R4 CP-9 FedRAMP_Moderate_R4_CP-9 FedRAMP Moderate CP-9 Contingency Planning Information System Backup Shared n/a The organization: a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and d. Protects the confidentiality, integrity, and availability of backup information at storage locations. Supplemental Guidance: System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Related controls: CP-2, CP-6, MP-4, MP-5, SC-13. References: NIST Special Publication 800-34. link 9
FedRAMP_Moderate_R4 MA-2 FedRAMP_Moderate_R4_MA-2 FedRAMP Moderate MA-2 Maintenance Controlled Maintenance Shared n/a The organization: a. Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements; b. Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location; c. Requires that [Assignment: organization-defined personnel or roles] explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs; d. Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs; e. Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and f. Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records. Supplemental Guidance: This control addresses the information security aspects of the information system maintenance program and applies to all types of maintenance to any system component (including applications) conducted by any local or nonlocal entity (e.g., in-contract, warranty, in- house, software maintenance agreement). System maintenance also includes those components not directly associated with information processing and/or data/information retention such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes, for example: (i) date and time of maintenance; (ii) name of individuals or group performing the maintenance; (iii) name of escort, if necessary; (iv) a description of the maintenance performed; and (v) information system components/equipment removed or replaced (including identification numbers, if applicable). The level of detail included in maintenance records can be informed by the security categories of organizational information systems. Organizations consider supply chain issues associated with replacement components for information systems. Related controls: CM-3, CM-4, MA-4, MP-6, PE-16, SA-12, SI-2. References: None. link 4
FedRAMP_Moderate_R4 MA-3(3) FedRAMP_Moderate_R4_MA-3(3) FedRAMP Moderate MA-3 (3) Maintenance Prevent Unauthorized Removal Shared n/a The organization prevents the unauthorized removal of maintenance equipment containing organizational information by: (a) Verifying that there is no organizational information contained on the equipment; (b) Sanitizing or destroying the equipment; (c) Retaining the equipment within the facility; or (d) Obtaining an exemption from [Assignment: organization-defined personnel or roles] explicitly authorizing removal of the equipment from the facility. Supplemental Guidance: Organizational information includes all information specifically owned by organizations and information provided to organizations in which organizations serve as information stewards. link 4
FedRAMP_Moderate_R4 MA-5(1) FedRAMP_Moderate_R4_MA-5(1) FedRAMP Moderate MA-5 (1) Maintenance Individuals Without Appropriate Access Shared n/a The organization: (a) Implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements: (1) Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified; (2) Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the information system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and (b) Develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system. Supplemental Guidance: This control enhancement denies individuals who lack appropriate security clearances (i.e., individuals who do not possess security clearances or possess security clearances at a lower level than required) or who are not U.S. citizens, visual and electronic access to any classified information, Controlled Unclassified Information (CUI), or any other sensitive information contained on organizational information systems. Procedures for the use of maintenance personnel can be documented in security plans for the information systems. Related controls: MP-6, PL-2. link 2
FedRAMP_Moderate_R4 MP-2 FedRAMP_Moderate_R4_MP-2 FedRAMP Moderate MP-2 Media Protection Media Access Shared n/a The organization restricts access to [Assignment: organization-defined types of digital and/or non-digital media] to [Assignment: organization-defined personnel or roles]. Supplemental Guidance: Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Restricting non-digital media access includes, for example, denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers. Restricting access to digital media includes, for example, limiting access to design specifications stored on compact disks in the media library to the project leader and the individuals on the development team. Related controls: AC-3, IA-2, MP-4, PE-2, PE-3, PL-2. link 1
FedRAMP_Moderate_R4 MP-3 FedRAMP_Moderate_R4_MP-3 FedRAMP Moderate MP-3 Media Protection Media Marking Shared n/a The organization: a. Marks information system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and b. Exempts [Assignment: organization-defined types of information system media] from marking as long as the media remain within [Assignment: organization-defined controlled areas]. Supplemental Guidance: The term security marking refers to the application/use of human-readable security attributes. The term security labeling refers to the application/use of security attributes with regard to internal data structures within information systems (see AC-16). Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Security marking is generally not required for media containing information determined by organizations to be in the public domain or to be publicly releasable. However, some organizations may require markings for public information indicating that the information is publicly releasable. Marking of information system media reflects applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Related controls: AC-16, PL-2, RA-3. Control Enhancements: None. References: FIPS Publication 199. link 1
FedRAMP_Moderate_R4 MP-4 FedRAMP_Moderate_R4_MP-4 FedRAMP Moderate MP-4 Media Protection Media Storage Shared n/a The organization: a. Physically controls and securely stores [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and b. Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures. Supplemental Guidance: Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Physically controlling information system media includes, for example, conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the media library, and maintaining accountability for all stored media. Secure storage includes, for example, a locked drawer, desk, or cabinet, or a controlled media library. The type of media storage is commensurate with the security category and/or classification of the information residing on the media. Controlled areas are areas for which organizations provide sufficient physical and procedural safeguards to meet the requirements established for protecting information and/or information systems. For media containing information determined by organizations to be in the public domain, to be publicly releasable, or to have limited or no adverse impact on organizations or individuals if accessed by other than authorized personnel, fewer safeguards may be needed. In these situations, physical access controls provide adequate protection. Related controls: CP-6, CP-9, MP-2, MP-7, PE-3. References: FIPS Publication 199; NIST Special Publications 800-56, 800-57, 800-111. link 2
FedRAMP_Moderate_R4 MP-5 FedRAMP_Moderate_R4_MP-5 FedRAMP Moderate MP-5 Media Protection Media Transport Shared n/a The organization: a. Protects and controls [Assignment: organization-defined types of information system media] during transport outside of controlled areas using [Assignment: organization-defined security safeguards]; b. Maintains accountability for information system media during transport outside of controlled areas; c. Documents activities associated with the transport of information system media; and d. Restricts the activities associated with the transport of information system media to authorized personnel. Supplemental Guidance: Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers), that are transported outside of controlled areas. Controlled areas are areas or spaces for which organizations provide sufficient physical and/or procedural safeguards to meet the requirements established for protecting information and/or information systems. Physical and technical safeguards for media are commensurate with the security category or classification of the information residing on the media. Safeguards to protect media during transport include, for example, locked containers and cryptography. Cryptographic mechanisms can provide confidentiality and integrity protections depending upon the mechanisms used. Activities associated with transport include the actual transport as well as those activities such as releasing media for transport and ensuring that media enters the appropriate transport processes. For the actual transport, authorized transport and courier personnel may include individuals from outside the organization (e.g., U.S. Postal Service or a commercial transport or delivery service). Maintaining accountability of media during transport includes, for example, restricting transport activities to authorized personnel, and tracking and/or obtaining explicit records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of information system media in accordance with organizational assessments of risk to include the flexibility to define different record-keeping methods for the different types of media transport as part of an overall system of transport-related records. Related controls: AC-19, CP-9, MP-3, MP-4, RA-3, SC-8, SC-13, SC-28. References: FIPS Publication 199; NIST Special Publication 800-60. link 2
FedRAMP_Moderate_R4 MP-5(4) FedRAMP_Moderate_R4_MP-5(4) FedRAMP Moderate MP-5 (4) Media Protection Cryptographic Protection Shared n/a The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas. Supplemental Guidance: This control enhancement applies to both portable storage devices (e.g., USB memory sticks, compact disks, digital video disks, external/removable hard disk drives) and mobile devices with storage capability (e.g., smart phones, tablets, E-readers). Related control: MP-2. References: FIPS Publication 199; NIST Special Publication 800-60. link 2
FedRAMP_Moderate_R4 MP-6 FedRAMP_Moderate_R4_MP-6 FedRAMP Moderate MP-6 Media Protection Media Sanitization Shared n/a The organization: a. Sanitizes [Assignment: organization-defined information system media] prior to disposal, release out of organizational control, or release for reuse using [Assignment: organization- defined sanitization techniques and procedures] in accordance with applicable federal and organizational standards and policies; and b. Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information. Supplemental Guidance: This control applies to all information system media, both digital and non- digital, subject to disposal or reuse, whether or not the media is considered removable. Examples include media found in scanners, copiers, printers, notebook computers, workstations, network components, and mobile devices. The sanitization process removes information from the media such that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, cryptographic erase, and destruction, prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media containing information deemed to be in the public domain or publicly releasable, or deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes, for example, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections/words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media containing classified information. Related controls: MA-2, MA-4, RA-3, SC-4. References: FIPS Publication 199; NIST Special Publications 800-60, 800-88; Web: http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml. link 2
FedRAMP_Moderate_R4 MP-6(2) FedRAMP_Moderate_R4_MP-6(2) FedRAMP Moderate MP-6 (2) Media Protection Equipment Testing Shared n/a The organization tests sanitization equipment and procedures [Assignment: organization-defined frequency] to verify that the intended sanitization is being achieved. Supplemental Guidance: Testing of sanitization equipment and procedures may be conducted by qualified and authorized external entities (e.g., other federal agencies or external service providers). link 2
FedRAMP_Moderate_R4 MP-7 FedRAMP_Moderate_R4_MP-7 FedRAMP Moderate MP-7 Media Protection Media Use Shared n/a The organization [Selection: restricts; prohibits] the use of [Assignment: organization- defined types of information system media] on [Assignment: organization-defined information systems or system components] using [Assignment: organization-defined security safeguards]. Supplemental Guidance: Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers). In contrast to MP-2, which restricts user access to media, this control restricts the use of certain types of media on information systems, for example, restricting/prohibiting the use of flash drives or external hard disk drives. Organizations can employ technical and nontechnical safeguards (e.g., policies, procedures, rules of behavior) to restrict the use of information system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling/removing the ability to insert, read or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices including, for example, devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, for example, prohibiting the use of writeable, portable storage devices, and implementing this restriction by disabling or removing the capability to write to such devices. Related controls: AC-19, PL-4. References: None. link 4
FedRAMP_Moderate_R4 MP-7(1) FedRAMP_Moderate_R4_MP-7(1) FedRAMP Moderate MP-7 (1) Media Protection Prohibit Use Without Owner Shared n/a The organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner. Supplemental Guidance: Requiring identifiable owners (e.g., individuals, organizations, or projects) for portable storage devices reduces the risk of using such technologies by allowing organizations to assign responsibility and accountability for addressing known vulnerabilities in the devices (e.g., malicious code insertion). Related control: PL-4. link 4
FedRAMP_Moderate_R4 SC-28(1) FedRAMP_Moderate_R4_SC-28(1) FedRAMP Moderate SC-28 (1) System And Communications Protection Cryptographic Protection Shared n/a The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined information] on [Assignment: organization-defined information system components]. Supplemental Guidance: Selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category and/or classification of the information. This control enhancement applies to significant concentrations of digital media in organizational areas designated for media storage and also to limited quantities of media generally associated with information system components in operational environments (e.g., portable storage devices, mobile devices). Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). Organizations employing cryptographic mechanisms to protect information at rest also consider cryptographic key management solutions. Related controls: AC-19, SC-12. link 17
hipaa 0301.09o1Organizational.123-09.o hipaa-0301.09o1Organizational.123-09.o 0301.09o1Organizational.123-09.o 03 Portable Media Security 0301.09o1Organizational.123-09.o 09.07 Media Handling Shared n/a The organization, based on the data classification level, registers media (including laptops) prior to use, places reasonable restrictions on how such media are used, and provides an appropriate level of physical and logical protection (including encryption) for media containing covered information until properly destroyed or sanitized. 14
hipaa 0302.09o2Organizational.1-09.o hipaa-0302.09o2Organizational.1-09.o 0302.09o2Organizational.1-09.o 03 Portable Media Security 0302.09o2Organizational.1-09.o 09.07 Media Handling Shared n/a The organization protects and controls media containing sensitive information during transport outside of controlled areas. 7
hipaa 0303.09o2Organizational.2-09.o hipaa-0303.09o2Organizational.2-09.o 0303.09o2Organizational.2-09.o 03 Portable Media Security 0303.09o2Organizational.2-09.o 09.07 Media Handling Shared n/a Digital and non-digital media requiring restricted use, and the specific safeguards used to restrict their use are identified. 6
hipaa 0304.09o3Organizational.1-09.o hipaa-0304.09o3Organizational.1-09.o 0304.09o3Organizational.1-09.o 03 Portable Media Security 0304.09o3Organizational.1-09.o 09.07 Media Handling Shared n/a The organization restricts the use of writable removable media and personally-owned removable media in organizational systems. 8
hipaa 0305.09q1Organizational.12-09.q hipaa-0305.09q1Organizational.12-09.q 0305.09q1Organizational.12-09.q 03 Portable Media Security 0305.09q1Organizational.12-09.q 09.07 Media Handling Shared n/a Media is labeled, encrypted, and handled according to its classification. 7
hipaa 0306.09q1Organizational.3-09.q hipaa-0306.09q1Organizational.3-09.q 0306.09q1Organizational.3-09.q 03 Portable Media Security 0306.09q1Organizational.3-09.q 09.07 Media Handling Shared n/a The status and location of unencrypted covered information is maintained and monitored. 6
hipaa 0308.09q3Organizational.1-09.q hipaa-0308.09q3Organizational.1-09.q 0308.09q3Organizational.1-09.q 03 Portable Media Security 0308.09q3Organizational.1-09.q 09.07 Media Handling Shared n/a Inventory and disposition records of media are maintained. 3
hipaa 0314.09q3Organizational.2-09.q hipaa-0314.09q3Organizational.2-09.q 0314.09q3Organizational.2-09.q 03 Portable Media Security 0314.09q3Organizational.2-09.q 09.07 Media Handling Shared n/a The organization implements cryptographic mechanisms to protect the confidentiality and integrity of sensitive (non-public) information stored on digital media during transport outside of controlled areas. 9
hipaa 0403.01x1System.8-01.x hipaa-0403.01x1System.8-01.x 0403.01x1System.8-01.x 04 Mobile Device Security 0403.01x1System.8-01.x 01.07 Mobile Computing and Teleworking Shared n/a The organization monitors for unauthorized connections of mobile devices. 7
hipaa 0408.01y3Organizational.12-01.y hipaa-0408.01y3Organizational.12-01.y 0408.01y3Organizational.12-01.y 04 Mobile Device Security 0408.01y3Organizational.12-01.y 01.07 Mobile Computing and Teleworking Shared n/a Prior to authorizing teleworking, (i) the organization provides a definition of the work permitted, standard operating hours, classification of information that may be held/stored, and the internal systems and services that the teleworker is authorized to access; (ii) suitable equipment and storage furniture for the teleworking activities, where the use of privately owned equipment not under the control of the organization is forbidden; (iii) suitable communications equipment, including methods for securing remote access; (iv) rules and guidance on family and visitor access to equipment and information; (v) hardware and software support and maintenance; (vi) procedures for back-up and business continuity; (vii) a means for teleworkers to communicate with information security personnel in case of security incidents or problems; and, (viii) audit and security monitoring. 5
hipaa 0415.01y1Organizational.10-01.y hipaa-0415.01y1Organizational.10-01.y 0415.01y1Organizational.10-01.y 04 Mobile Device Security 0415.01y1Organizational.10-01.y 01.07 Mobile Computing and Teleworking Shared n/a Suitable protections of the teleworking site are in place to protect against the theft of equipment and information, the unauthorized disclosure of information, and unauthorized remote access to the organization's internal systems or misuse of facilities. 5
hipaa 0426.01x2System.1-01.x hipaa-0426.01x2System.1-01.x 0426.01x2System.1-01.x 04 Mobile Device Security 0426.01x2System.1-01.x 01.07 Mobile Computing and Teleworking Shared n/a A centralized, mobile device management solution has been deployed to all mobile devices permitted to store, transmit, or process organizational and/or customer data, enforcing built-in detective and preventative controls. 7
hipaa 0429.01x1System.14-01.x hipaa-0429.01x1System.14-01.x 0429.01x1System.14-01.x 04 Mobile Device Security 0429.01x1System.14-01.x 01.07 Mobile Computing and Teleworking Shared n/a The organization prohibits the circumvention of built-in security controls on mobile devices (e.g., jailbreaking or rooting). 7
hipaa 0505.09m2Organizational.3-09.m hipaa-0505.09m2Organizational.3-09.m 0505.09m2Organizational.3-09.m 05 Wireless Security 0505.09m2Organizational.3-09.m 09.06 Network Security Management Shared n/a Quarterly scans are performed to identify unauthorized wireless access points, and appropriate action is taken if any unauthorized access points are discovered. 8
hipaa 08101.09m2Organizational.14-09.m hipaa-08101.09m2Organizational.14-09.m 08101.09m2Organizational.14-09.m 08 Network Protection 08101.09m2Organizational.14-09.m 09.06 Network Security Management Shared n/a The organization uses secured and encrypted communication channels when migrating physical servers, applications, or data to virtualized servers. 8
hipaa 0901.09s1Organizational.1-09.s hipaa-0901.09s1Organizational.1-09.s 0901.09s1Organizational.1-09.s 09 Transmission Protection 0901.09s1Organizational.1-09.s 09.08 Exchange of Information Shared n/a The organization formally addresses multiple safeguards before allowing the use of information systems for information exchange. 31
ISO27001-2013 A.11.2.4 ISO27001-2013_A.11.2.4 ISO 27001:2013 A.11.2.4 Physical And Environmental Security Equipment maintenance Shared n/a Equipment shall be correctly maintained to ensure its continued availability and integrity. link 9
ISO27001-2013 A.11.2.5 ISO27001-2013_A.11.2.5 ISO 27001:2013 A.11.2.5 Physical And Environmental Security Removal of assets Shared n/a Equipment, information or software shall not be taken off-site without prior authorization. link 6
ISO27001-2013 A.11.2.6 ISO27001-2013_A.11.2.6 ISO 27001:2013 A.11.2.6 Physical And Environmental Security Security of equipment and assets off-premises Shared n/a Security shall be applied to off-site assets taking into account the different risks of working outside the organization's premises. link 10
ISO27001-2013 A.11.2.7 ISO27001-2013_A.11.2.7 ISO 27001:2013 A.11.2.7 Physical And Environmental Security Secure disposal or re-use of equipment Shared n/a All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use. link 5
ISO27001-2013 A.11.2.9 ISO27001-2013_A.11.2.9 ISO 27001:2013 A.11.2.9 Physical And Environmental Security Clear desk and clear screen policy Shared n/a A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted. link 3
ISO27001-2013 A.12.3.1 ISO27001-2013_A.12.3.1 ISO 27001:2013 A.12.3.1 Operations Security Information backup Shared n/a Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy. link 13
ISO27001-2013 A.14.1.2 ISO27001-2013_A.14.1.2 ISO 27001:2013 A.14.1.2 System Acquisition, Development And Maintenance Securing application services on public networks Shared n/a Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. link 32
ISO27001-2013 A.17.1.2 ISO27001-2013_A.17.1.2 ISO 27001:2013 A.17.1.2 Information Security Aspects Of Business Continuity Management Implementing information security continuity Shared n/a The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation. link 18
ISO27001-2013 A.18.1.3 ISO27001-2013_A.18.1.3 ISO 27001:2013 A.18.1.3 Compliance Protection of records Shared n/a Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislative, regulatory, contractual and business requirements. link 15
ISO27001-2013 A.8.1.2 ISO27001-2013_A.8.1.2 ISO 27001:2013 A.8.1.2 Asset Management Ownership of assets Shared n/a Assets maintained in the inventory shall be owned. link 7
ISO27001-2013 A.8.2.2 ISO27001-2013_A.8.2.2 ISO 27001:2013 A.8.2.2 Asset Management Labelling of information Shared n/a An appropriate set of procedures for information labeling shall be developed and implemented in accordance with the information classification scheme adopted by the organization. link 4
ISO27001-2013 A.8.2.3 ISO27001-2013_A.8.2.3 ISO 27001:2013 A.8.2.3 Asset Management Handling of assets Shared n/a Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization. link 26
ISO27001-2013 A.8.3.1 ISO27001-2013_A.8.3.1 ISO 27001:2013 A.8.3.1 Asset Management Management of removable media Shared n/a Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization. link 6
ISO27001-2013 A.8.3.2 ISO27001-2013_A.8.3.2 ISO 27001:2013 A.8.3.2 Asset Management Disposal of media Shared n/a Media shall be disposed of securely and safely when no longer required, using formal procedures. link 2
ISO27001-2013 A.8.3.3 ISO27001-2013_A.8.3.3 ISO 27001:2013 A.8.3.3 Asset Management Physical media transfer Shared n/a Media containing information shall be protected against unauthorized access, misuse or corruption during transportation. link 2
NIST_SP_800-171_R2_3 .1.21 NIST_SP_800-171_R2_3.1.21 NIST SP 800-171 R2 3.1.21 Access Control Limit use of portable storage devices on external systems. Shared Microsoft is responsible for implementing this requirement. Limits on the use of organization-controlled portable storage devices in external systems include complete prohibition of the use of such devices or restrictions on how the devices may be used and under what conditions the devices may be used. Note that while “external” typically refers to outside of the organization’s direct supervision and authority, that is not always the case. Regarding the protection of CUI across an organization, the organization may have systems that process CUI and others that do not. Among the systems that process CUI there are likely access restrictions for CUI that apply between systems. Therefore, from the perspective of a given system, other systems within the organization may be considered “external" to that system. link 3
NIST_SP_800-171_R2_3 .13.16 NIST_SP_800-171_R2_3.13.16 NIST SP 800-171 R2 3.13.16 System and Communications Protection Protect the confidentiality of CUI at rest. Shared Microsoft and the customer share responsibilities for implementing this requirement. Information at rest refers to the state of information when it is not in process or in transit and is located on storage devices as specific components of systems. The focus of protection at rest is not on the type of storage device or the frequency of access but rather the state of the information. Organizations can use different mechanisms to achieve confidentiality protections, including the use of cryptographic mechanisms and file share scanning. Organizations may also use other controls including secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved or continuous monitoring to identify malicious code at rest. See [NIST CRYPTO]. link 19
NIST_SP_800-171_R2_3 .7.2 NIST_SP_800-171_R2_3.7.2 NIST SP 800-171 R2 3.7.2 Maintenance Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance. Shared Microsoft and the customer share responsibilities for implementing this requirement. This requirement addresses security-related issues with maintenance tools that are not within the organizational system boundaries that process, store, or transmit CUI, but are used specifically for diagnostic and repair actions on those systems. Organizations have flexibility in determining the controls in place for maintenance tools, but can include approving, controlling, and monitoring the use of such tools. Maintenance tools are potential vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and into organizational systems. Maintenance tools can include hardware, software, and firmware items, for example, hardware and software diagnostic test equipment and hardware and software packet sniffers. link 4
NIST_SP_800-171_R2_3 .7.3 NIST_SP_800-171_R2_3.7.3 NIST SP 800-171 R2 3.7.3 Maintenance Ensure equipment removed for off-site maintenance is sanitized of any CUI. Shared Microsoft and the customer share responsibilities for implementing this requirement. This requirement addresses the information security aspects of system maintenance that are performed off-site and applies to all types of maintenance to any system component (including applications) conducted by a local or nonlocal entity (e.g., in-contract, warranty, in- house, software maintenance agreement). [SP 800-88] provides guidance on media sanitization. link 3
NIST_SP_800-171_R2_3 .8.1 NIST_SP_800-171_R2_3.8.1 NIST SP 800-171 R2 3.8.1 Media Protection Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital. Shared Microsoft is responsible for implementing this requirement. System media includes digital and non-digital media. Digital media includes diskettes, magnetic tapes, external and removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes paper and microfilm. Protecting digital media includes limiting access to design specifications stored on compact disks or flash drives in the media library to the project leader and any individuals on the development team. Physically controlling system media includes conducting inventories, maintaining accountability for stored media, and ensuring procedures are in place to allow individuals to check out and return media to the media library. Secure storage includes a locked drawer, desk, or cabinet, or a controlled media library. Access to CUI on system media can be limited by physically controlling such media, which includes conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the media library, and maintaining accountability for all stored media. [SP 800-111] provides guidance on storage encryption technologies for end user devices. link 2
NIST_SP_800-171_R2_3 .8.2 NIST_SP_800-171_R2_3.8.2 NIST SP 800-171 R2 3.8.2 Media Protection Limit access to CUI on system media to authorized users Shared Microsoft is responsible for implementing this requirement. Access can be limited by physically controlling system media and secure storage areas. Physically controlling system media includes conducting inventories, ensuring procedures are in place to allow individuals to check out and return system media to the media library, and maintaining accountability for all stored media. Secure storage includes a locked drawer, desk, or cabinet, or a controlled media library. link 2
NIST_SP_800-171_R2_3 .8.3 NIST_SP_800-171_R2_3.8.3 NIST SP 800-171 R2 3.8.3 Media Protection Sanitize or destroy system media containing CUI before disposal or release for reuse. Shared Microsoft is responsible for implementing this requirement. This requirement applies to all system media, digital and non-digital, subject to disposal or reuse. Examples include: digital media found in workstations, network components, scanners, copiers, printers, notebook computers, and mobile devices; and non-digital media such as paper and microfilm. The sanitization process removes information from the media such that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, cryptographic erase, and destruction, prevent the disclosure of information to unauthorized individuals when such media is released for reuse or disposal. Organizations determine the appropriate sanitization methods, recognizing that destruction may be necessary when other methods cannot be applied to the media requiring sanitization. Organizations use discretion on the employment of sanitization techniques and procedures for media containing information that is in the public domain or publicly releasable or deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing CUI from documents, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing the words or sections from the document. NARA policy and guidance control sanitization processes for controlled unclassified information. [SP 800-88] provides guidance on media sanitization. link 2
NIST_SP_800-171_R2_3 .8.4 NIST_SP_800-171_R2_3.8.4 NIST SP 800-171 R2 3.8.4 Media Protection Mark media with necessary CUI markings and distribution limitations.[27] Shared Microsoft is responsible for implementing this requirement. The term security marking refers to the application or use of human-readable security attributes. System media includes digital and non-digital media. Marking of system media reflects applicable federal laws, Executive Orders, directives, policies, and regulations. See [NARA MARK]. [27] The implementation of this requirement is per marking guidance in [32 CFR 2002] and [NARA CUI]. Standard Form (SF) 902 (approximate size 2.125” x 1.25”) and SF 903 (approximate size 2.125” x .625”) can be used on media that contains CUI such as hard drives, or USB devices. Both forms are available from https://www.gsaadvantage.gov. link 1
NIST_SP_800-171_R2_3 .8.5 NIST_SP_800-171_R2_3.8.5 NIST SP 800-171 R2 3.8.5 Media Protection Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas. Shared Microsoft is responsible for implementing this requirement. Controlled areas are areas or spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting systems and information. Controls to maintain accountability for media during transport include locked containers and cryptography. Cryptographic mechanisms can provide confidentiality and integrity protections depending upon the mechanisms used. Activities associated with transport include the actual transport as well as those activities such as releasing media for transport and ensuring that media enters the appropriate transport processes. For the actual transport, authorized transport and courier personnel may include individuals external to the organization. Maintaining accountability of media during transport includes restricting transport activities to authorized personnel and tracking and obtaining explicit records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. link 2
NIST_SP_800-171_R2_3 .8.6 NIST_SP_800-171_R2_3.8.6 NIST SP 800-171 R2 3.8.6 Media Protection Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards. Shared Microsoft is responsible for implementing this requirement. This requirement applies to portable storage devices (e.g., USB memory sticks, digital video disks, compact disks, external or removable hard disk drives). See [NIST CRYPTO]. [SP 800-111] provides guidance on storage encryption technologies for end user devices. link 2
NIST_SP_800-171_R2_3 .8.7 NIST_SP_800-171_R2_3.8.7 NIST SP 800-171 R2 3.8.7 Media Protection Control the use of removable media on system components. Shared Microsoft is responsible for implementing this requirement. In contrast to requirement 3.8.1, which restricts user access to media, this requirement restricts the use of certain types of media on systems, for example, restricting or prohibiting the use of flash drives or external hard disk drives. Organizations can employ technical and nontechnical controls (e.g., policies, procedures, and rules of behavior) to control the use of system media. Organizations may control the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling or removing the ability to insert, read, or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may control the use of portable storage devices based on the type of device, prohibiting the use of writeable, portable devices, and implementing this restriction by disabling or removing the capability to write to such devices. link 4
NIST_SP_800-171_R2_3 .8.8 NIST_SP_800-171_R2_3.8.8 NIST SP 800-171 R2 3.8.8 Media Protection Prohibit the use of portable storage devices when such devices have no identifiable owner. Shared Microsoft is responsible for implementing this requirement. Requiring identifiable owners (e.g., individuals, organizations, or projects) for portable storage devices reduces the overall risk of using such technologies by allowing organizations to assign responsibility and accountability for addressing known vulnerabilities in the devices (e.g., insertion of malicious code). link 4
NIST_SP_800-171_R2_3 .8.9 NIST_SP_800-171_R2_3.8.9 NIST SP 800-171 R2 3.8.9 Media Protection Protect the confidentiality of backup CUI at storage locations. Shared Microsoft and the customer share responsibilities for implementing this requirement. Organizations can employ cryptographic mechanisms or alternative physical controls to protect the confidentiality of backup information at designated storage locations. Backed-up information containing CUI may include system-level information and user-level information. System-level information includes system-state information, operating system software, application software, and licenses. User-level information includes information other than system-level information. link 8
NIST_SP_800-53_R4 AC-20(2) NIST_SP_800-53_R4_AC-20(2) NIST SP 800-53 Rev. 4 AC-20 (2) Access Control Portable Storage Devices Shared n/a The organization [Selection: restricts; prohibits] the use of organization-controlled portable storage devices by authorized individuals on external information systems. Supplemental Guidance: Limits on the use of organization-controlled portable storage devices in external information systems include, for example, complete prohibition of the use of such devices or restrictions on how the devices may be used and under what conditions the devices may be used. link 3
NIST_SP_800-53_R4 CP-9 NIST_SP_800-53_R4_CP-9 NIST SP 800-53 Rev. 4 CP-9 Contingency Planning Information System Backup Shared n/a The organization: a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and d. Protects the confidentiality, integrity, and availability of backup information at storage locations. Supplemental Guidance: System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Related controls: CP-2, CP-6, MP-4, MP-5, SC-13. References: NIST Special Publication 800-34. link 9
NIST_SP_800-53_R4 MA-2 NIST_SP_800-53_R4_MA-2 NIST SP 800-53 Rev. 4 MA-2 Maintenance Controlled Maintenance Shared n/a The organization: a. Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements; b. Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location; c. Requires that [Assignment: organization-defined personnel or roles] explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs; d. Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs; e. Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and f. Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records. Supplemental Guidance: This control addresses the information security aspects of the information system maintenance program and applies to all types of maintenance to any system component (including applications) conducted by any local or nonlocal entity (e.g., in-contract, warranty, in- house, software maintenance agreement). System maintenance also includes those components not directly associated with information processing and/or data/information retention such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes, for example: (i) date and time of maintenance; (ii) name of individuals or group performing the maintenance; (iii) name of escort, if necessary; (iv) a description of the maintenance performed; and (v) information system components/equipment removed or replaced (including identification numbers, if applicable). The level of detail included in maintenance records can be informed by the security categories of organizational information systems. Organizations consider supply chain issues associated with replacement components for information systems. Related controls: CM-3, CM-4, MA-4, MP-6, PE-16, SA-12, SI-2. References: None. link 4
NIST_SP_800-53_R4 MA-3(3) NIST_SP_800-53_R4_MA-3(3) NIST SP 800-53 Rev. 4 MA-3 (3) Maintenance Prevent Unauthorized Removal Shared n/a The organization prevents the unauthorized removal of maintenance equipment containing organizational information by: (a) Verifying that there is no organizational information contained on the equipment; (b) Sanitizing or destroying the equipment; (c) Retaining the equipment within the facility; or (d) Obtaining an exemption from [Assignment: organization-defined personnel or roles] explicitly authorizing removal of the equipment from the facility. Supplemental Guidance: Organizational information includes all information specifically owned by organizations and information provided to organizations in which organizations serve as information stewards. link 4
NIST_SP_800-53_R4 MA-5(1) NIST_SP_800-53_R4_MA-5(1) NIST SP 800-53 Rev. 4 MA-5 (1) Maintenance Individuals Without Appropriate Access Shared n/a The organization: (a) Implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements: (1) Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified; (2) Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the information system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and (b) Develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system. Supplemental Guidance: This control enhancement denies individuals who lack appropriate security clearances (i.e., individuals who do not possess security clearances or possess security clearances at a lower level than required) or who are not U.S. citizens, visual and electronic access to any classified information, Controlled Unclassified Information (CUI), or any other sensitive information contained on organizational information systems. Procedures for the use of maintenance personnel can be documented in security plans for the information systems. Related controls: MP-6, PL-2. link 2
NIST_SP_800-53_R4 MP-2 NIST_SP_800-53_R4_MP-2 NIST SP 800-53 Rev. 4 MP-2 Media Protection Media Access Shared n/a The organization restricts access to [Assignment: organization-defined types of digital and/or non-digital media] to [Assignment: organization-defined personnel or roles]. Supplemental Guidance: Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Restricting non-digital media access includes, for example, denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers. Restricting access to digital media includes, for example, limiting access to design specifications stored on compact disks in the media library to the project leader and the individuals on the development team. Related controls: AC-3, IA-2, MP-4, PE-2, PE-3, PL-2. link 1
NIST_SP_800-53_R4 MP-3 NIST_SP_800-53_R4_MP-3 NIST SP 800-53 Rev. 4 MP-3 Media Protection Media Marking Shared n/a The organization: a. Marks information system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and b. Exempts [Assignment: organization-defined types of information system media] from marking as long as the media remain within [Assignment: organization-defined controlled areas]. Supplemental Guidance: The term security marking refers to the application/use of human-readable security attributes. The term security labeling refers to the application/use of security attributes with regard to internal data structures within information systems (see AC-16). Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Security marking is generally not required for media containing information determined by organizations to be in the public domain or to be publicly releasable. However, some organizations may require markings for public information indicating that the information is publicly releasable. Marking of information system media reflects applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Related controls: AC-16, PL-2, RA-3. Control Enhancements: None. References: FIPS Publication 199. link 1
NIST_SP_800-53_R4 MP-4 NIST_SP_800-53_R4_MP-4 NIST SP 800-53 Rev. 4 MP-4 Media Protection Media Storage Shared n/a The organization: a. Physically controls and securely stores [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and b. Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures. Supplemental Guidance: Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Physically controlling information system media includes, for example, conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the media library, and maintaining accountability for all stored media. Secure storage includes, for example, a locked drawer, desk, or cabinet, or a controlled media library. The type of media storage is commensurate with the security category and/or classification of the information residing on the media. Controlled areas are areas for which organizations provide sufficient physical and procedural safeguards to meet the requirements established for protecting information and/or information systems. For media containing information determined by organizations to be in the public domain, to be publicly releasable, or to have limited or no adverse impact on organizations or individuals if accessed by other than authorized personnel, fewer safeguards may be needed. In these situations, physical access controls provide adequate protection. Related controls: CP-6, CP-9, MP-2, MP-7, PE-3. References: FIPS Publication 199; NIST Special Publications 800-56, 800-57, 800-111. link 2
NIST_SP_800-53_R4 MP-5 NIST_SP_800-53_R4_MP-5 NIST SP 800-53 Rev. 4 MP-5 Media Protection Media Transport Shared n/a The organization: a. Protects and controls [Assignment: organization-defined types of information system media] during transport outside of controlled areas using [Assignment: organization-defined security safeguards]; b. Maintains accountability for information system media during transport outside of controlled areas; c. Documents activities associated with the transport of information system media; and d. Restricts the activities associated with the transport of information system media to authorized personnel. Supplemental Guidance: Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers), that are transported outside of controlled areas. Controlled areas are areas or spaces for which organizations provide sufficient physical and/or procedural safeguards to meet the requirements established for protecting information and/or information systems. Physical and technical safeguards for media are commensurate with the security category or classification of the information residing on the media. Safeguards to protect media during transport include, for example, locked containers and cryptography. Cryptographic mechanisms can provide confidentiality and integrity protections depending upon the mechanisms used. Activities associated with transport include the actual transport as well as those activities such as releasing media for transport and ensuring that media enters the appropriate transport processes. For the actual transport, authorized transport and courier personnel may include individuals from outside the organization (e.g., U.S. Postal Service or a commercial transport or delivery service). Maintaining accountability of media during transport includes, for example, restricting transport activities to authorized personnel, and tracking and/or obtaining explicit records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of information system media in accordance with organizational assessments of risk to include the flexibility to define different record-keeping methods for the different types of media transport as part of an overall system of transport-related records. Related controls: AC-19, CP-9, MP-3, MP-4, RA-3, SC-8, SC-13, SC-28. References: FIPS Publication 199; NIST Special Publication 800-60. link 2
NIST_SP_800-53_R4 MP-5(4) NIST_SP_800-53_R4_MP-5(4) NIST SP 800-53 Rev. 4 MP-5 (4) Media Protection Cryptographic Protection Shared n/a The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas. Supplemental Guidance: This control enhancement applies to both portable storage devices (e.g., USB memory sticks, compact disks, digital video disks, external/removable hard disk drives) and mobile devices with storage capability (e.g., smart phones, tablets, E-readers). Related control: MP-2. References: FIPS Publication 199; NIST Special Publication 800-60. link 2
NIST_SP_800-53_R4 MP-6 NIST_SP_800-53_R4_MP-6 NIST SP 800-53 Rev. 4 MP-6 Media Protection Media Sanitization Shared n/a The organization: a. Sanitizes [Assignment: organization-defined information system media] prior to disposal, release out of organizational control, or release for reuse using [Assignment: organization- defined sanitization techniques and procedures] in accordance with applicable federal and organizational standards and policies; and b. Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information. Supplemental Guidance: This control applies to all information system media, both digital and non- digital, subject to disposal or reuse, whether or not the media is considered removable. Examples include media found in scanners, copiers, printers, notebook computers, workstations, network components, and mobile devices. The sanitization process removes information from the media such that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, cryptographic erase, and destruction, prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media containing information deemed to be in the public domain or publicly releasable, or deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes, for example, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections/words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media containing classified information. Related controls: MA-2, MA-4, RA-3, SC-4. References: FIPS Publication 199; NIST Special Publications 800-60, 800-88; Web: http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml. link 2
NIST_SP_800-53_R4 MP-6(1) NIST_SP_800-53_R4_MP-6(1) NIST SP 800-53 Rev. 4 MP-6 (1) Media Protection Review / Approve / Track / Document / Verify Shared n/a The organization reviews, approves, tracks, documents, and verifies media sanitization and disposal actions. Supplemental Guidance: Organizations review and approve media to be sanitized to ensure compliance with records-retention policies. Tracking/documenting actions include, for example, listing personnel who reviewed and approved sanitization and disposal actions, types of media sanitized, specific files stored on the media, sanitization methods used, date and time of the sanitization actions, personnel who performed the sanitization, verification actions taken, personnel who performed the verification, and disposal action taken. Organizations verify that the sanitization of the media was effective prior to disposal. Related control: SI-12. link 2
NIST_SP_800-53_R4 MP-6(2) NIST_SP_800-53_R4_MP-6(2) NIST SP 800-53 Rev. 4 MP-6 (2) Media Protection Equipment Testing Shared n/a The organization tests sanitization equipment and procedures [Assignment: organization-defined frequency] to verify that the intended sanitization is being achieved. Supplemental Guidance: Testing of sanitization equipment and procedures may be conducted by qualified and authorized external entities (e.g., other federal agencies or external service providers). link 2
NIST_SP_800-53_R4 MP-7 NIST_SP_800-53_R4_MP-7 NIST SP 800-53 Rev. 4 MP-7 Media Protection Media Use Shared n/a The organization [Selection: restricts; prohibits] the use of [Assignment: organization- defined types of information system media] on [Assignment: organization-defined information systems or system components] using [Assignment: organization-defined security safeguards]. Supplemental Guidance: Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers). In contrast to MP-2, which restricts user access to media, this control restricts the use of certain types of media on information systems, for example, restricting/prohibiting the use of flash drives or external hard disk drives. Organizations can employ technical and nontechnical safeguards (e.g., policies, procedures, rules of behavior) to restrict the use of information system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling/removing the ability to insert, read or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices including, for example, devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, for example, prohibiting the use of writeable, portable storage devices, and implementing this restriction by disabling or removing the capability to write to such devices. Related controls: AC-19, PL-4. References: None. link 4
NIST_SP_800-53_R4 MP-7(1) NIST_SP_800-53_R4_MP-7(1) NIST SP 800-53 Rev. 4 MP-7 (1) Media Protection Prohibit Use Without Owner Shared n/a The organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner. Supplemental Guidance: Requiring identifiable owners (e.g., individuals, organizations, or projects) for portable storage devices reduces the risk of using such technologies by allowing organizations to assign responsibility and accountability for addressing known vulnerabilities in the devices (e.g., malicious code insertion). Related control: PL-4. link 4
NIST_SP_800-53_R4 SC-28(1) NIST_SP_800-53_R4_SC-28(1) NIST SP 800-53 Rev. 4 SC-28 (1) System And Communications Protection Cryptographic Protection Shared n/a The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined information] on [Assignment: organization-defined information system components]. Supplemental Guidance: Selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category and/or classification of the information. This control enhancement applies to significant concentrations of digital media in organizational areas designated for media storage and also to limited quantities of media generally associated with information system components in operational environments (e.g., portable storage devices, mobile devices). Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). Organizations employing cryptographic mechanisms to protect information at rest also consider cryptographic key management solutions. Related controls: AC-19, SC-12. link 17
NIST_SP_800-53_R5 AC-20(2) NIST_SP_800-53_R5_AC-20(2) NIST SP 800-53 Rev. 5 AC-20 (2) Access Control Portable Storage Devices ??? Restricted Use Shared n/a Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using [Assignment: organization-defined restrictions]. link 3
NIST_SP_800-53_R5 CP-9 NIST_SP_800-53_R5_CP-9 NIST SP 800-53 Rev. 5 CP-9 Contingency Planning System Backup Shared n/a a. Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; b. Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; c. Conduct backups of system documentation, including security- and privacy-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and d. Protect the confidentiality, integrity, and availability of backup information. link 9
NIST_SP_800-53_R5 MA-2 NIST_SP_800-53_R5_MA-2 NIST SP 800-53 Rev. 5 MA-2 Maintenance Controlled Maintenance Shared n/a a. Schedule, document, and review records of maintenance, repair, and replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements; b. Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location; c. Require that [Assignment: organization-defined personnel or roles] explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement; d. Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: [Assignment: organization-defined information]; e. Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and f. Include the following information in organizational maintenance records: [Assignment: organization-defined information]. link 4
NIST_SP_800-53_R5 MA-3(3) NIST_SP_800-53_R5_MA-3(3) NIST SP 800-53 Rev. 5 MA-3 (3) Maintenance Prevent Unauthorized Removal Shared n/a Prevent the removal of maintenance equipment containing organizational information by: (a) Verifying that there is no organizational information contained on the equipment; (b) Sanitizing or destroying the equipment; (c) Retaining the equipment within the facility; or (d) Obtaining an exemption from [Assignment: organization-defined personnel or roles] explicitly authorizing removal of the equipment from the facility. link 4
NIST_SP_800-53_R5 MA-5(1) NIST_SP_800-53_R5_MA-5(1) NIST SP 800-53 Rev. 5 MA-5 (1) Maintenance Individuals Without Appropriate Access Shared n/a (a) Implement procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements: (1) Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified; and (2) Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and (b) Develop and implement [Assignment: organization-defined alternate controls] in the event a system component cannot be sanitized, removed, or disconnected from the system. link 2
NIST_SP_800-53_R5 MP-2 NIST_SP_800-53_R5_MP-2 NIST SP 800-53 Rev. 5 MP-2 Media Protection Media Access Shared n/a Restrict access to [Assignment: organization-defined types of digital and/or non-digital media] to [Assignment: organization-defined personnel or roles]. link 1
NIST_SP_800-53_R5 MP-3 NIST_SP_800-53_R5_MP-3 NIST SP 800-53 Rev. 5 MP-3 Media Protection Media Marking Shared n/a a. Mark system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and b. Exempt [Assignment: organization-defined types of system media] from marking if the media remain within [Assignment: organization-defined controlled areas]. link 1
NIST_SP_800-53_R5 MP-4 NIST_SP_800-53_R5_MP-4 NIST SP 800-53 Rev. 5 MP-4 Media Protection Media Storage Shared n/a a. Physically control and securely store [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and b. Protect system media types defined in MP-4a until the media are destroyed or sanitized using approved equipment, techniques, and procedures. link 2
NIST_SP_800-53_R5 MP-5 NIST_SP_800-53_R5_MP-5 NIST SP 800-53 Rev. 5 MP-5 Media Protection Media Transport Shared n/a a. Protect and control [Assignment: organization-defined types of system media] during transport outside of controlled areas using [Assignment: organization-defined controls]; b. Maintain accountability for system media during transport outside of controlled areas; c. Document activities associated with the transport of system media; and d. Restrict the activities associated with the transport of system media to authorized personnel. link 2
NIST_SP_800-53_R5 MP-6 NIST_SP_800-53_R5_MP-6 NIST SP 800-53 Rev. 5 MP-6 Media Protection Media Sanitization Shared n/a a. Sanitize [Assignment: organization-defined system media] prior to disposal, release out of organizational control, or release for reuse using [Assignment: organization-defined sanitization techniques and procedures]; and b. Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information. link 2
NIST_SP_800-53_R5 MP-6(1) NIST_SP_800-53_R5_MP-6(1) NIST SP 800-53 Rev. 5 MP-6 (1) Media Protection Review, Approve, Track, Document, and Verify Shared n/a Review, approve, track, document, and verify media sanitization and disposal actions. link 2
NIST_SP_800-53_R5 MP-6(2) NIST_SP_800-53_R5_MP-6(2) NIST SP 800-53 Rev. 5 MP-6 (2) Media Protection Equipment Testing Shared n/a Test sanitization equipment and procedures [Assignment: organization-defined frequency] to ensure that the intended sanitization is being achieved. link 2
NIST_SP_800-53_R5 MP-7 NIST_SP_800-53_R5_MP-7 NIST SP 800-53 Rev. 5 MP-7 Media Protection Media Use Shared n/a a. [Selection: Restrict;Prohibit] the use of [Assignment: organization-defined types of system media] on [Assignment: organization-defined systems or system components] using [Assignment: organization-defined controls]; and b. Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner. link 4
NIST_SP_800-53_R5 SC-28(1) NIST_SP_800-53_R5_SC-28(1) NIST SP 800-53 Rev. 5 SC-28 (1) System and Communications Protection Cryptographic Protection Shared n/a Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on [Assignment: organization-defined system components or media]: [Assignment: organization-defined information]. link 17
PCI_DSS_v4.0 3.5.1 PCI_DSS_v4.0_3.5.1 PCI DSS v4.0 3.5.1 Requirement 03: Protect Stored Account Data Primary account number (PAN) is secured wherever it is stored Shared n/a PAN is rendered unreadable anywhere it is stored by using any of the following approaches: • One-way hashes based on strong cryptography of the entire PAN. • Truncation (hashing cannot be used to replace the truncated segment of PAN). – If hashed and truncated versions of the same PAN, or different truncation formats of the same PAN, are present in an environment, additional controls are in place such that the different versions cannot be correlated to reconstruct the original PAN. • Index tokens. • Strong cryptography with associated keymanagement processes and procedures. link 12
PCI_DSS_v4.0 3.5.1.1 PCI_DSS_v4.0_3.5.1.1 PCI DSS v4.0 3.5.1.1 Requirement 03: Protect Stored Account Data Primary account number (PAN) is secured wherever it is stored Shared n/a Hashes used to render PAN unreadable (per the first bullet of Requirement 3.5.1) are keyed cryptographic hashes of the entire PAN, with associated key-management processes and procedures in accordance with Requirements 3.6 and 3.7. link 4
PCI_DSS_v4.0 3.5.1.2 PCI_DSS_v4.0_3.5.1.2 PCI DSS v4.0 3.5.1.2 Requirement 03: Protect Stored Account Data Primary account number (PAN) is secured wherever it is stored Shared n/a If disk-level or partition-level encryption (rather than file-, column-, or field-level database encryption) is used to render PAN unreadable, it is implemented only as follows: • On removable electronic media, OR • If used for non-removable electronic media, PAN is also rendered unreadable via another mechanism that meets Requirement 3.5.1. link 4
PCI_DSS_v4.0 3.5.1.3 PCI_DSS_v4.0_3.5.1.3 PCI DSS v4.0 3.5.1.3 Requirement 03: Protect Stored Account Data Primary account number (PAN) is secured wherever it is stored Shared n/a If disk-level or partition-level encryption is used (rather than file-, column-, or field--level database encryption) to render PAN unreadable, it is managed as follows: • Logical access is managed separately and independently of native operating system authentication and access control mechanisms. • Decryption keys are not associated with user accounts. link 4
PCI_DSS_v4.0 9.4.1 PCI_DSS_v4.0_9.4.1 PCI DSS v4.0 9.4.1 Requirement 09: Restrict Physical Access to Cardholder Data Media with cardholder data is securely stored, accessed, distributed, and destroyed Shared n/a Offline media backups with cardholder data are stored in a secure location. link 1
PCI_DSS_v4.0 9.4.1.1 PCI_DSS_v4.0_9.4.1.1 PCI DSS v4.0 9.4.1.1 Requirement 09: Restrict Physical Access to Cardholder Data Media with cardholder data is securely stored, accessed, distributed, and destroyed Shared n/a The security of the offline media backup location(s) with cardholder data is reviewed at least once every 12 months. link 1
PCI_DSS_v4.0 9.4.2 PCI_DSS_v4.0_9.4.2 PCI DSS v4.0 9.4.2 Requirement 09: Restrict Physical Access to Cardholder Data Media with cardholder data is securely stored, accessed, distributed, and destroyed Shared n/a All media with cardholder data is classified in accordance with the sensitivity of the data. link 1
PCI_DSS_v4.0 9.4.3 PCI_DSS_v4.0_9.4.3 PCI DSS v4.0 9.4.3 Requirement 09: Restrict Physical Access to Cardholder Data Media with cardholder data is securely stored, accessed, distributed, and destroyed Shared n/a Media with cardholder data sent outside the facility is secured as follows: • Media sent outside the facility is logged. • Media is sent by secured courier or other delivery method that can be accurately tracked. • Offsite tracking logs include details about media location. link 2
PCI_DSS_v4.0 9.4.4 PCI_DSS_v4.0_9.4.4 PCI DSS v4.0 9.4.4 Requirement 09: Restrict Physical Access to Cardholder Data Media with cardholder data is securely stored, accessed, distributed, and destroyed Shared n/a Management approves all media with cardholder data that is moved outside the facility (including when media is distributed to individuals). link 2
PCI_DSS_v4.0 9.4.6 PCI_DSS_v4.0_9.4.6 PCI DSS v4.0 9.4.6 Requirement 09: Restrict Physical Access to Cardholder Data Media with cardholder data is securely stored, accessed, distributed, and destroyed Shared n/a Hard-copy materials with cardholder data are destroyed when no longer needed for business or legal reasons, as follows: • Materials are cross-cut shredded, incinerated, or pulped so that cardholder data cannot be reconstructed. • Materials are stored in secure storage containers prior to destruction. link 4
PCI_DSS_v4.0 9.4.7 PCI_DSS_v4.0_9.4.7 PCI DSS v4.0 9.4.7 Requirement 09: Restrict Physical Access to Cardholder Data Media with cardholder data is securely stored, accessed, distributed, and destroyed Shared n/a Electronic media with cardholder data is destroyed when no longer needed for business or legal reasons via one of the following: • The electronic media is destroyed. • The cardholder data is rendered unrecoverable so that it cannot be reconstructed. link 4
SOC_2 CC6.5 SOC_2_CC6.5 SOC 2 Type 2 CC6.5 Logical and Physical Access Controls Logical and physical protections over physical assets Shared The customer is responsible for implementing this recommendation. • Identifies Data and Software for Disposal — Procedures are in place to identify data and software stored on equipment to be disposed and to render such data and software unreadable. • Removes Data and Software From Entity Control — Procedures are in place to remove data and software stored on equipment to be removed from the physical control of the entity and to render such data and software unreadable 2
SOC_2 CC6.7 SOC_2_CC6.7 SOC 2 Type 2 CC6.7 Logical and Physical Access Controls Restrict the movement of information to authorized users Shared The customer is responsible for implementing this recommendation. • Restricts the Ability to Perform Transmission — Data loss prevention processes and technologies are used to restrict ability to authorize and execute transmission, movement, and removal of information. • Uses Encryption Technologies or Secure Communication Channels to Protect Data — Encryption technologies or secured communication channels are used to protect transmission of data and other communications beyond connectivity access points. • Protects Removal Media — Encryption technologies and physical asset protections are used for removable media (such as USB drives and backup tapes), as appropriate. • Protects Mobile Devices — Processes are in place to protect mobile devices (such as laptops, smart phones, and tablets) that serve as information assets 30
SOC_2 PI1.5 SOC_2_PI1.5 SOC 2 Type 2 PI1.5 Additional Criteria For Processing Integrity Store inputs and outputs completely, accurately, and timely Shared The customer is responsible for implementing this recommendation. • Protects Stored Items — Stored items are protected to prevent theft, corruption, destruction, or deterioration that would prevent output from meeting specifications. • Archives and Protects System Records — System records are archived and archives are protected against theft, corruption, destruction, or deterioration that would prevent them from being used. • Stores Data Completely and Accurately — Procedures are in place to provide for the complete, accurate, and timely storage of data. • Creates and Maintains Records of System Storage Activities — Records of system storage activities are created and maintained completely and accurately in a timely manner 10
SWIFT_CSCF_v2022 2.1 SWIFT_CSCF_v2022_2.1 SWIFT CSCF v2022 2.1 2. Reduce Attack Surface and Vulnerabilities Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. Shared n/a Confidentiality, integrity, and authentication mechanisms are implemented to protect SWIFT-related component-to-component or system-to-system data flows. link 36
SWIFT_CSCF_v2022 2.4 SWIFT_CSCF_v2022_2.4 SWIFT CSCF v2022 2.4 2. Reduce Attack Surface and Vulnerabilities Ensure the confidentiality, integrity, and mutual authenticity of data flows between local or remote SWIFT infrastructure components and the back-office first hops they connect to. Shared n/a Confidentiality, integrity, and authentication mechanisms (at system, transport or message level) are implemented to protect data flows between SWIFT infrastructure components and the back-office first hops they connect to. link 7
SWIFT_CSCF_v2022 2.5 SWIFT_CSCF_v2022_2.5 SWIFT CSCF v2022 2.5 2. Reduce Attack Surface and Vulnerabilities Protect the confidentiality of SWIFT-related data transmitted or stored outside of the secure zone as part of operational processes. Shared n/a Sensitive SWIFT-related data that leaves the secure zone as a result of operating system/application back-ups, business transaction data replication for archiving or recovery purposes, or extraction for offline processing is protected when stored outside of a secure zone and is encrypted while in transit. link 7
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-02 16:33:37 add e435f7e3-0dd9-58c9-451f-9b44b96c0232
Initiatives
usage
Initiative DisplayName Initiative Id Initiative Category State Type
CIS Microsoft Azure Foundations Benchmark v1.1.0 1a5bb27d-173f-493e-9568-eb56638dde4d Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.3.0 612b5213-9160-4969-8578-1518bd2a000c Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.4.0 c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5 Regulatory Compliance GA BuiltIn
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
JSON
changes

JSON