last sync: 2024-Feb-21 20:03:25 UTC

Ensure there are no unencrypted static authenticators | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Ensure there are no unencrypted static authenticators
Id eda0cbb7-6043-05bf-645b-67411f1a59b3
Version 1.1.0
Details on versioning
Category Regulatory Compliance
Microsoft Learn
Description CMA_C1340 - Ensure there are no unencrypted static authenticators
Additional metadata Name/Id: CMA_C1340 / CMA_C1340
Category: Operational
Title: Ensure there are no unencrypted static authenticators
Ownership: Customer
Description: The customer is responsible for ensuring there are no unencrypted static authenticators within customer-deployed resources.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 10 compliance controls are associated with this Policy definition 'Ensure there are no unencrypted static authenticators' (eda0cbb7-6043-05bf-645b-67411f1a59b3)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 IA-5(7) FedRAMP_High_R4_IA-5(7) FedRAMP High IA-5 (7) Identification And Authentication No Embedded Unencrypted Static Authenticators Shared n/a The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys. Supplemental Guidance: Organizations exercise caution in determining whether embedded or stored authenticators are in encrypted or unencrypted form. If authenticators are used in the manner stored, then those representations are considered unencrypted authenticators. This is irrespective of whether that representation is perhaps an encrypted version of something else (e.g., a password). link 1
FedRAMP_Moderate_R4 IA-5(7) FedRAMP_Moderate_R4_IA-5(7) FedRAMP Moderate IA-5 (7) Identification And Authentication No Embedded Unencrypted Static Authenticators Shared n/a The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys. Supplemental Guidance: Organizations exercise caution in determining whether embedded or stored authenticators are in encrypted or unencrypted form. If authenticators are used in the manner stored, then those representations are considered unencrypted authenticators. This is irrespective of whether that representation is perhaps an encrypted version of something else (e.g., a password). link 1
hipaa 0306.09q1Organizational.3-09.q hipaa-0306.09q1Organizational.3-09.q 0306.09q1Organizational.3-09.q 03 Portable Media Security 0306.09q1Organizational.3-09.q 09.07 Media Handling Shared n/a The status and location of unencrypted covered information is maintained and monitored. 6
hipaa 1006.01d2System.1-01.d hipaa-1006.01d2System.1-01.d 1006.01d2System.1-01.d 10 Password Management 1006.01d2System.1-01.d 01.02 Authorized Access to Information Systems Shared n/a Passwords are not included in automated log-on processes. 5
ISO27001-2013 A.12.1.4 ISO27001-2013_A.12.1.4 ISO 27001:2013 A.12.1.4 Operations Security Separation of development, testing and operational environments Shared n/a Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment. link 10
ISO27001-2013 A.14.2.8 ISO27001-2013_A.14.2.8 ISO 27001:2013 A.14.2.8 System Acquisition, Development And Maintenance System security testing Shared n/a Testing of security functionality shall be carried out during development. link 8
ISO27001-2013 A.14.2.9 ISO27001-2013_A.14.2.9 ISO 27001:2013 A.14.2.9 System Acquisition, Development And Maintenance System acceptance testing Shared n/a Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions. link 14
ISO27001-2013 A.14.3.1 ISO27001-2013_A.14.3.1 ISO 27001:2013 A.14.3.1 System Acquisition, Development And Maintenance Protection of test data Shared n/a Test data shall be selected carefully, protected and controlled. link 11
NIST_SP_800-53_R4 IA-5(7) NIST_SP_800-53_R4_IA-5(7) NIST SP 800-53 Rev. 4 IA-5 (7) Identification And Authentication No Embedded Unencrypted Static Authenticators Shared n/a The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys. Supplemental Guidance: Organizations exercise caution in determining whether embedded or stored authenticators are in encrypted or unencrypted form. If authenticators are used in the manner stored, then those representations are considered unencrypted authenticators. This is irrespective of whether that representation is perhaps an encrypted version of something else (e.g., a password). link 1
NIST_SP_800-53_R5 IA-5(7) NIST_SP_800-53_R5_IA-5(7) NIST SP 800-53 Rev. 5 IA-5 (7) Identification and Authentication No Embedded Unencrypted Static Authenticators Shared n/a Ensure that unencrypted static authenticators are not embedded in applications or other forms of static storage. link 1
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-19 17:41:40 add eda0cbb7-6043-05bf-645b-67411f1a59b3
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC