AzPolicyAdvertizer

last sync: 2025-Jun-13 17:23:19 UTC

App Service apps should use the latest TLS version

Azure BuiltIn Policy definition

Source Azure Portal
Display name App Service apps should use the latest TLS version
Id f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b
Version 2.1.0
Details on versioning
Versioning Versions supported for Versioning: 2
2.1.0
2.0.1
Built-in Versioning [Preview]
Category App Service
Microsoft Learn
Description Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.
Cloud environments AzureCloud = true
AzureUSGovernment = true
AzureChinaCloud = unknown
Available in AzUSGov The Policy is available in AzureUSGovernment cloud. Version: '2.*.*'
Assessment(s) Assessments count: 1
Assessment Id: 2a54c352-7ca4-4bae-ad46-47ecd9595bd2
DisplayName: TLS should be updated to the latest version for web apps
Description: Upgrading to the latest version of TLS (Transport Layer Security) for web apps is a critical security measure.
The latest version of TLS provides enhanced encryption and security features, protecting data during transmission.
If not updated, the web app could be susceptible to various security threats, including data breaches and man-in-the-middle attacks.
Therefore, it is strongly advised to keep TLS updated to the latest version to ensure secure data transmission.

Remediation description: To update your web app to the latest TLS version:
1. Navigate to Azure App Service 2. Select TLS/SSL settings 3. Under the Protocol Settings section, choose the latest Minimum TLS Version.
For more information on managing TLS/SSL settings, visit here: https://aka.ms/add-tls
Categories: AppServices
Severity: High
preview: True
Mode Indexed
Type BuiltIn
Preview False
Deprecated False
Effect Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
RBAC role(s) none
Rule aliases THEN-ExistenceCondition (1)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.Web/sites/config/minTlsVersion Microsoft.Web sites/config properties.minTlsVersion True False
Rule resource types IF (1)
Compliance
The following 51 compliance controls are associated with this Policy definition 'App Service apps should use the latest TLS version' (f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
AU_ISM 1139 AU_ISM_1139 AU ISM 1139 Guidelines for Cryptography - Transport Layer Security Using Transport Layer Security - 1139 n/a Only the latest version of TLS is used. link 6
Azure_Security_Benchmark_v1.0 4.4 Azure_Security_Benchmark_v1.0_4.4 Azure Security Benchmark 4.4 Data Protection Encrypt all sensitive information in transit Shared Encrypt all sensitive information in transit. Ensure that any clients connecting to your Azure resources are able to negotiate TLS 1.2 or greater. Follow Azure Security Center recommendations for encryption at rest and encryption in transit, where applicable. Understand encryption in transit with Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit n/a link 10
Azure_Security_Benchmark_v2.0 DP-4 Azure_Security_Benchmark_v2.0_DP-4 Azure Security Benchmark DP-4 Data Protection Encrypt sensitive information in transit Shared To complement access controls, data in transit should be protected against ‘out of band’ attacks (e.g. traffic capture) using encryption to ensure that attackers cannot easily read or modify the data. While this is optional for traffic on private networks, this is critical for traffic on external and public networks. For HTTP traffic, ensure that any clients connecting to your Azure resources can negotiate TLS v1.2 or greater. For remote management, use SSH (for Linux) or RDP/TLS (for Windows) instead of an unencrypted protocol. Obsoleted SSL, TLS, and SSH versions and protocols, and weak ciphers should be disabled. By default, Azure provides encryption for data in transit between Azure data centers. Understand encryption in transit with Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit Information on TLS Security: https://docs.microsoft.com/security/engineering/solving-tls1-problem Double encryption for Azure data in transit: https://docs.microsoft.com/azure/security/fundamentals/double-encryption#data-in-transit n/a link 12
Azure_Security_Benchmark_v3.0 DP-3 Azure_Security_Benchmark_v3.0_DP-3 Microsoft cloud security benchmark DP-3 Data Protection Encrypt sensitive data in transit Shared **Security Principle:** Protect the data in transit against 'out of band' attacks (such as traffic capture) using encryption to ensure that attackers cannot easily read or modify the data. Set the network boundary and service scope where data in transit encryption is mandatory inside and outside of the network. While this is optional for traffic on private networks, this is critical for traffic on external and public networks. **Azure Guidance:** Enforce secure transfer in services such as Azure Storage, where a native data in transit encryption feature is built in. Enforce HTTPS for workload web application and services by ensuring that any clients connecting to your Azure resources use transportation layer security (TLS) v1.2 or later. For remote management of VMs, use SSH (for Linux) or RDP/TLS (for Windows) instead of an unencrypted protocol. Note: Data in transit encryption is enabled for all Azure traffic traveling between Azure datacenters. TLS v1.2 or later is enabled on most Azure PaaS services by default. **Implementation and additional context:** Double encryption for Azure data in transit: https://docs.microsoft.com/azure/security/fundamentals/double-encryption#data-in-transit Understand encryption in transit with Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit Information on TLS Security: https://docs.microsoft.com/security/engineering/solving-tls1-problem Enforce secure transfer in Azure storage: https://docs.microsoft.com/azure/storage/common/storage-require-secure-transfer?toc=/azure/storage/blobs/toc.json#require-secure-transfer-for-a-new-storage-account n/a link 15
Azure_Security_Benchmark_v3.0 NS-8 Azure_Security_Benchmark_v3.0_NS-8 Microsoft cloud security benchmark NS-8 Network Security Detect and disable insecure services and protocols Shared **Security Principle:** Detect and disable insecure services and protocols at the OS, application, or software package layer. Deploy compensating controls if disabling insecure services and protocols are not possible. **Azure Guidance:** Use Azure Sentinel’s built-in Insecure Protocol Workbook to discover the use of insecure services and protocols such as SSL/TLSv1, SSHv1, SMBv1, LM/NTLMv1, wDigest, Unsigned LDAP Binds, and weak ciphers in Kerberos. Disable insecure services and protocols that do not meet the appropriate security standard. Note: If disabling insecure services or protocols is not possible, use compensating controls such as blocking access to the resources through network security group, Azure Firewall, or Azure Web Application Firewall to reduce the attack surface. **Implementation and additional context:** Azure Sentinel insecure protocols workbook: https://docs.microsoft.com/azure/sentinel/quickstart-get-visibility#use-built-in-workbooks n/a link 2
CIS_Azure_1.1.0 9.3 CIS_Azure_1.1.0_9.3 CIS Microsoft Azure Foundations Benchmark recommendation 9.3 9 AppService Ensure web app is using the latest version of TLS encryption Shared The customer is responsible for implementing this recommendation. The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS. link 5
CIS_Azure_1.3.0 9.3 CIS_Azure_1.3.0_9.3 CIS Microsoft Azure Foundations Benchmark recommendation 9.3 9 AppService Ensure web app is using the latest version of TLS encryption Shared The customer is responsible for implementing this recommendation. The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS. link 5
CIS_Azure_1.4.0 9.3 CIS_Azure_1.4.0_9.3 CIS Microsoft Azure Foundations Benchmark recommendation 9.3 9 AppService Ensure Web App is using the latest version of TLS encryption Shared The customer is responsible for implementing this recommendation. The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS. link 5
CIS_Azure_2.0.0 9.3 CIS_Azure_2.0.0_9.3 CIS Microsoft Azure Foundations Benchmark recommendation 9.3 9 Ensure Web App is using the latest version of TLS encryption Shared n/a The TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards such as PCI DSS. App service currently allows the web app to set TLS versions 1.0, 1.1 and 1.2. It is highly recommended to use the latest TLS 1.2 version for web app secure connections. link 5
CIS_Azure_Foundations_v2.1.0 9.3 CIS_Azure_Foundations_v2.1.0_9.3 CIS Azure Foundations v2.1.0 9.3 AppService Ensure Web App is using the latest version of TLS encryption Shared n/a Ensure Web App is using the latest version of TLS encryption. 2
CIS_Controls_v8.1 3.10 CIS_Controls_v8.1_3.10 404 not found n/a n/a 8
CIS_Controls_v8.1 4.1 CIS_Controls_v8.1_4.1 CIS Controls v8.1 4.1 Secure Configuration of Enterprise Assets and Software Establish and maintain a secure configuration process. Shared 1. Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile; non-computing/IoT devices; and servers) and software (operating systems and applications). 2. Review and update documentation annually, or when significant enterprise changes occur that could impact this safeguard. To ensure data integrity and safety of enterprise assets. 44
CMMC_2.0_L2 SC.L2-3.13.8 CMMC_2.0_L2_SC.L2-3.13.8 404 not found n/a n/a 16
CMMC_L3 IA.3.084 CMMC_L3_IA.3.084 CMMC L3 IA.3.084 Identification and Authentication Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts. Shared Microsoft and the customer share responsibilities for implementing this requirement. Authentication processes resist replay attacks if it is impractical to successfully authenticate by recording or replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time synchronous or challenge-response one-time authenticators. link 5
CMMC_L3 SC.1.175 CMMC_L3_SC.1.175 CMMC L3 SC.1.175 System and Communications Protection Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. Shared Microsoft and the customer share responsibilities for implementing this requirement. Communications can be monitored, controlled, and protected at boundary components and by restricting or prohibiting interfaces in organizational systems. Boundary components include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a system security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Restricting or prohibiting interfaces in organizational systems includes restricting external web communications traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security requirements associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. link 30
CMMC_L3 SC.3.185 CMMC_L3_SC.3.185 CMMC L3 SC.3.185 System and Communications Protection Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. Shared Microsoft and the customer share responsibilities for implementing this requirement. This requirement applies to internal and external networks and any system components that can transmit information including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, and facsimile machines. Communication paths outside the physical protection of controlled boundaries are susceptible to both interception and modification. Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of the controls for transmission confidentiality. In such situations, organizations determine what types of confidentiality services are available in commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary safeguards and assurances of the effectiveness of the safeguards through appropriate contracting vehicles, organizations implement compensating safeguards or explicitly accept the additional risk. An example of an alternative physical safeguard is a protected distribution system (PDS) where the distribution medium is protected against electronic or physical intercept, thereby ensuring the confidentiality of the information being transmitted. link 10
CMMC_L3 SC.3.190 CMMC_L3_SC.3.190 CMMC L3 SC.3.190 System and Communications Protection Protect the authenticity of communications sessions. Shared Microsoft and the customer share responsibilities for implementing this requirement. Authenticity protection includes protecting against man-in-the-middle attacks, session hijacking, and the insertion of false information into communications sessions. This requirement addresses communications protection at the session versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. link 8
CMMC_L3 SI.1.210 CMMC_L3_SI.1.210 CMMC L3 SI.1.210 System and Information Integrity Identify, report, and correct information and information system flaws in a timely manner. Shared Microsoft and the customer share responsibilities for implementing this requirement. Organizations identify systems that are affected by announced software and firmware flaws including potential vulnerabilities resulting from those flaws and report this information to designated personnel with information security responsibilities. Security-relevant updates include patches, service packs, hot fixes, and anti-virus signatures. Organizations address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations can take advantage of available resources such as the Common Weakness Enumeration (CWE) database or Common Vulnerabilities and Exposures (CVE) database in remediating flaws discovered in organizational systems. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types of remediation. link 7
EU_GDPR_2016_679_Art. 24 EU_GDPR_2016_679_Art._24 EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 Chapter 4 - Controller and processor Responsibility of the controller Shared n/a n/a 306
EU_GDPR_2016_679_Art. 25 EU_GDPR_2016_679_Art._25 EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 Chapter 4 - Controller and processor Data protection by design and by default Shared n/a n/a 306
EU_GDPR_2016_679_Art. 28 EU_GDPR_2016_679_Art._28 EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 Chapter 4 - Controller and processor Processor Shared n/a n/a 306
EU_GDPR_2016_679_Art. 32 EU_GDPR_2016_679_Art._32 EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 Chapter 4 - Controller and processor Security of processing Shared n/a n/a 306
FedRAMP_High_R4 SC-8 FedRAMP_High_R4_SC-8 FedRAMP High SC-8 System And Communications Protection Transmission Confidentiality And Integrity Shared n/a The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information. Supplemental Guidance: This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and/or integrity of organizational information can be accomplished by physical means (e.g., by employing physical distribution systems) or by logical means (e.g., employing encryption techniques). Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality/integrity. In such situations, organizations determine what types of confidentiality/integrity services are available in standard, commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, organizations implement appropriate compensating security controls or explicitly accept the additional risk. Related controls: AC-17, PE-4. References: FIPS Publications 140-2, 197; NIST Special Publications 800-52, 800-77, 800-81, 800-113; CNSS Policy 15; NSTISSI No. 7003. link 15
FedRAMP_High_R4 SC-8(1) FedRAMP_High_R4_SC-8(1) FedRAMP High SC-8 (1) System And Communications Protection Cryptographic Or Alternate Physical Protection Shared n/a The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards]. Supplemental Guidance: Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions which have common application in digital signatures, checksums, and message authentication codes. Alternative physical security safeguards include, for example, protected distribution systems. Related control: SC-13. link 14
FedRAMP_Moderate_R4 SC-8 FedRAMP_Moderate_R4_SC-8 FedRAMP Moderate SC-8 System And Communications Protection Transmission Confidentiality And Integrity Shared n/a The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information. Supplemental Guidance: This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and/or integrity of organizational information can be accomplished by physical means (e.g., by employing physical distribution systems) or by logical means (e.g., employing encryption techniques). Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality/integrity. In such situations, organizations determine what types of confidentiality/integrity services are available in standard, commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, organizations implement appropriate compensating security controls or explicitly accept the additional risk. Related controls: AC-17, PE-4. References: FIPS Publications 140-2, 197; NIST Special Publications 800-52, 800-77, 800-81, 800-113; CNSS Policy 15; NSTISSI No. 7003. link 15
FedRAMP_Moderate_R4 SC-8(1) FedRAMP_Moderate_R4_SC-8(1) FedRAMP Moderate SC-8 (1) System And Communications Protection Cryptographic Or Alternate Physical Protection Shared n/a The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards]. Supplemental Guidance: Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions which have common application in digital signatures, checksums, and message authentication codes. Alternative physical security safeguards include, for example, protected distribution systems. Related control: SC-13. link 14
hipaa 0809.01n2Organizational.1234-01.n hipaa-0809.01n2Organizational.1234-01.n 0809.01n2Organizational.1234-01.n 08 Network Protection 0809.01n2Organizational.1234-01.n 01.04 Network Access Control Shared n/a Network traffic is controlled in accordance with the organization’s access control policy through firewall and other network-related restrictions for each network access point or external telecommunication service's managed interface. 17
hipaa 0810.01n2Organizational.5-01.n hipaa-0810.01n2Organizational.5-01.n 0810.01n2Organizational.5-01.n 08 Network Protection 0810.01n2Organizational.5-01.n 01.04 Network Access Control Shared n/a Transmitted information is secured and, at a minimum, encrypted over open, public networks. 16
hipaa 0811.01n2Organizational.6-01.n hipaa-0811.01n2Organizational.6-01.n 0811.01n2Organizational.6-01.n 08 Network Protection 0811.01n2Organizational.6-01.n 01.04 Network Access Control Shared n/a Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually; traffic flow policy exceptions are removed when no longer supported by an explicit mission/business need. 23
hipaa 0812.01n2Organizational.8-01.n hipaa-0812.01n2Organizational.8-01.n 0812.01n2Organizational.8-01.n 08 Network Protection 0812.01n2Organizational.8-01.n 01.04 Network Access Control Shared n/a Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources. 12
hipaa 0814.01n1Organizational.12-01.n hipaa-0814.01n1Organizational.12-01.n 0814.01n1Organizational.12-01.n 08 Network Protection 0814.01n1Organizational.12-01.n 01.04 Network Access Control Shared n/a The ability of users to connect to the internal network is restricted using a deny-by-default and allow-by-exception policy at managed interfaces according to the access control policy and the requirements of its business applications. 11
hipaa 0949.09y2Organizational.5-09.y hipaa-0949.09y2Organizational.5-09.y 0949.09y2Organizational.5-09.y 09 Transmission Protection 0949.09y2Organizational.5-09.y 09.09 Electronic Commerce Services Shared n/a The protocols used for communications are enhanced to address any new vulnerability, and the updated versions of the protocols are adopted as soon as possible. 6
New_Zealand_ISM 17.4.16.C.01 New_Zealand_ISM_17.4.16.C.01 New_Zealand_ISM_17.4.16.C.01 17. Cryptography 17.4.16.C.01 Using TLS n/a Agencies SHOULD use the current version of TLS (version 1.3). 5
NIST_SP_800-171_R2_3 .13.8 NIST_SP_800-171_R2_3.13.8 NIST SP 800-171 R2 3.13.8 System and Communications Protection Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. Shared Microsoft and the customer share responsibilities for implementing this requirement. This requirement applies to internal and external networks and any system components that can transmit information including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, and facsimile machines. Communication paths outside the physical protection of controlled boundaries are susceptible to both interception and modification. Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of the controls for transmission confidentiality. In such situations, organizations determine what types of confidentiality services are available in commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary safeguards and assurances of the effectiveness of the safeguards through appropriate contracting vehicles, organizations implement compensating safeguards or explicitly accept the additional risk. An example of an alternative physical safeguard is a protected distribution system (PDS) where the distribution medium is protected against electronic or physical intercept, thereby ensuring the confidentiality of the information being transmitted. See [NIST CRYPTO]. link 16
NIST_SP_800-53_R4 SC-8 NIST_SP_800-53_R4_SC-8 NIST SP 800-53 Rev. 4 SC-8 System And Communications Protection Transmission Confidentiality And Integrity Shared n/a The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information. Supplemental Guidance: This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and/or integrity of organizational information can be accomplished by physical means (e.g., by employing physical distribution systems) or by logical means (e.g., employing encryption techniques). Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality/integrity. In such situations, organizations determine what types of confidentiality/integrity services are available in standard, commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, organizations implement appropriate compensating security controls or explicitly accept the additional risk. Related controls: AC-17, PE-4. References: FIPS Publications 140-2, 197; NIST Special Publications 800-52, 800-77, 800-81, 800-113; CNSS Policy 15; NSTISSI No. 7003. link 15
NIST_SP_800-53_R4 SC-8(1) NIST_SP_800-53_R4_SC-8(1) NIST SP 800-53 Rev. 4 SC-8 (1) System And Communications Protection Cryptographic Or Alternate Physical Protection Shared n/a The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards]. Supplemental Guidance: Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions which have common application in digital signatures, checksums, and message authentication codes. Alternative physical security safeguards include, for example, protected distribution systems. Related control: SC-13. link 14
NIST_SP_800-53_R5 SC-8 NIST_SP_800-53_R5_SC-8 NIST SP 800-53 Rev. 5 SC-8 System and Communications Protection Transmission Confidentiality and Integrity Shared n/a Protect the [Selection (OneOrMore): confidentiality;integrity] of transmitted information. link 15
NIST_SP_800-53_R5 SC-8(1) NIST_SP_800-53_R5_SC-8(1) NIST SP 800-53 Rev. 5 SC-8 (1) System and Communications Protection Cryptographic Protection Shared n/a Implement cryptographic mechanisms to [Selection (OneOrMore): prevent unauthorized disclosure of information;detect changes to information] during transmission. link 14
NZ_ISM_v3.5 CR-8 NZ_ISM_v3.5_CR-8 NZISM Security Benchmark CR-8 Cryptography 17.4.16 Using TLS Customer n/a Whilst version 1.0 of SSL was never released, version 2.0 had significant security flaws leading to the development of SSL 3.0. SSL has since been superseded by TLS with the latest version being TLS 1.3 which was released in August 2018. SSL is no longer an approved cryptographic protocol link 3
NZISM_Security_Benchmark_v1.1 CR-7 NZISM_Security_Benchmark_v1.1_CR-7 NZISM Security Benchmark CR-7 Cryptography 17.4.16 Using TLS Customer Agencies SHOULD use the current version of TLS. Whilst version 1.0 of SSL was never released, version 2.0 had significant security flaws leading to the development of SSL 3.0. SSL has since been superseded by TLS with the latest version being TLS 1.3 which was released in August 2018. SSL is no longer an approved cryptographic protocol link 5
RBI_CSF_Banks_v2016 10.1 RBI_CSF_Banks_v2016_10.1 Secure Mail And Messaging Systems Secure Mail And Messaging Systems-10.1 n/a Implement secure mail and messaging systems, including those used by bank???s partners & vendors, that include measures to prevent email spoofing, identical mail domains, protection of attachments, malicious links etc 15
RBI_CSF_Banks_v2016 10.2 RBI_CSF_Banks_v2016_10.2 Secure Mail And Messaging Systems Secure Mail And Messaging Systems-10.2 n/a Document and implement emailserver specific controls 15
RBI_CSF_Banks_v2016 13.1 RBI_CSF_Banks_v2016_13.1 Advanced Real-Timethreat Defenceand Management Advanced Real-Timethreat Defenceand Management-13.1 n/a Build a robust defence against the installation, spread, and execution of malicious code at multiple points in the enterprise. 21
RBI_CSF_Banks_v2016 13.4 RBI_CSF_Banks_v2016_13.4 Advanced Real-Timethreat Defenceand Management Advanced Real-Timethreat Defenceand Management-13.4 n/a Consider implementingsecure web gateways with capability to deep scan network packets including secure (HTTPS, etc.) traffic passing through the web/internet gateway 41
RBI_ITF_NBFC_v2017 3.1.h RBI_ITF_NBFC_v2017_3.1.h RBI IT Framework 3.1.h Information and Cyber Security Public Key Infrastructure (PKI)-3.1 n/a The IS Policy must provide for a IS framework with the following basic tenets: Public Key Infrastructure (PKI) - NBFCs may increase the usage of PKI to ensure confidentiality of data, access control, data integrity, authentication and nonrepudiation. link 31
RMiT_v1.0 10.68 RMiT_v1.0_10.68 RMiT 10.68 Security of Digital Services Security of Digital Services - 10.68 Shared n/a A financial institution must implement additional controls to authenticate devices and users, authorise transactions and support non-repudiation and accountability for high-risk transactions or transactions above RM10,000. These measures must include, at a minimum, the following: (a) ensure transactions are performed over secured channels such as the latest version of Transport Layer Security (TLS); (b) both client and host application systems must encrypt all confidential information prior to transmission over the network; (c) adopt MFA for transactions; (d) if OTP is used as a second factor, it must be dynamic and time-bound; (e) request users to verify details of the transaction prior to execution; (f) ensure secure user and session handling management; (g) be able to capture the location of origin and destination of each transaction; (h) implement strong mutual authentication between the users' end-point devices and financial institutions' servers, such as the use of the latest version of Extended Validation SSL certificate (EV SSL); and (i) provide timely notification to customers that is sufficiently descriptive of the nature of the transaction. link 2
SWIFT_CSCF_v2021 2.1 SWIFT_CSCF_v2021_2.1 SWIFT CSCF v2021 2.1 Reduce Attack Surface and Vulnerabilities Internal Data Flow Security n/a Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related applications. link 14
SWIFT_CSCF_v2021 2.6 SWIFT_CSCF_v2021_2.6 SWIFT CSCF v2021 2.6 Reduce Attack Surface and Vulnerabilities Operator Session Confidentiality and Integrity n/a Protect the confidentiality and integrity of interactive operator sessions connecting to the local or the remote (operated by a service provider) SWIFT-related infrastructure or applications. link 8
U.05.1 - Cryptographic measures U.05.1 - Cryptographic measures 404 not found n/a n/a 18
U.11.1 - Policy U.11.1 - Policy 404 not found n/a n/a 17
U.11.2 - Cryptographic measures U.11.2 - Cryptographic measures 404 not found n/a n/a 20
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type polSet in AzUSGov
[Deprecated]: Azure Security Benchmark v1 42a694ed-f65e-42b2-aa9e-8052e9740a92 Regulatory Compliance Deprecated BuiltIn true
[Deprecated]: Azure Security Benchmark v2 bb522ac1-bc39-4957-b194-429bcd3bcb0b Regulatory Compliance Deprecated BuiltIn true
[Deprecated]: Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit Enforce-EncryptTransit_20240509 Encryption Deprecated ALZ
[Deprecated]: Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit Enforce-EncryptTransit Encryption Deprecated ALZ
[Deprecated]: DoD Impact Level 4 8d792a84-723c-4d92-a3c3-e4ed16a2d133 Regulatory Compliance Deprecated BuiltIn true
[Deprecated]: New Zealand ISM Restricted d1a462af-7e6d-4901-98ac-61570b4ed22a Regulatory Compliance Deprecated BuiltIn unknown
[Deprecated]: New Zealand ISM Restricted v3.5 93d2179e-3068-c82f-2428-d614ae836a04 Regulatory Compliance Deprecated BuiltIn unknown
[Preview]: Australian Government ISM PROTECTED 27272c0b-c225-4cc3-b8b0-f2534b093077 Regulatory Compliance Preview BuiltIn unknown
[Preview]: CMMC 2.0 Level 2 4e50fd13-098b-3206-61d6-d1d78205cb45 Regulatory Compliance Preview BuiltIn true
[Preview]: Reserve Bank of India - IT Framework for Banks d0d5578d-cc08-2b22-31e3-f525374f235a Regulatory Compliance Preview BuiltIn unknown
[Preview]: Reserve Bank of India - IT Framework for NBFC 7f89f09c-48c1-f28d-1bd5-84f3fb22f86c Regulatory Compliance Preview BuiltIn unknown
[Preview]: SWIFT CSP-CSCF v2021 abf84fac-f817-a70c-14b5-47eec767458a Regulatory Compliance Preview BuiltIn unknown
CIS Azure Foundations v2.1.0 fe7782e4-6ff3-4e39-8d8a-64b6f7b82c85 Regulatory Compliance GA BuiltIn unknown
CIS Controls v8.1 046796ef-e8a7-4398-bbe9-cce970b1a3ae Regulatory Compliance GA BuiltIn unknown
CIS Microsoft Azure Foundations Benchmark v1.1.0 1a5bb27d-173f-493e-9568-eb56638dde4d Regulatory Compliance GA BuiltIn true
CIS Microsoft Azure Foundations Benchmark v1.3.0 612b5213-9160-4969-8578-1518bd2a000c Regulatory Compliance GA BuiltIn true
CIS Microsoft Azure Foundations Benchmark v1.4.0 c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5 Regulatory Compliance GA BuiltIn unknown
CIS Microsoft Azure Foundations Benchmark v2.0.0 06f19060-9e68-4070-92ca-f15cc126059e Regulatory Compliance GA BuiltIn unknown
CMMC Level 3 b5629c75-5c77-4422-87b9-2509e680f8de Regulatory Compliance GA BuiltIn true
Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit Enforce-EncryptTransit_20241211 Encryption GA ALZ
EU General Data Protection Regulation (GDPR) 2016/679 7326812a-86a4-40c8-af7c-8945de9c4913 Regulatory Compliance GA BuiltIn unknown
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn true
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn true
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn unknown
Microsoft cloud security benchmark 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 Security Center GA BuiltIn true
New Zealand ISM 4f5b1359-4f8e-4d7c-9733-ea47fcde891e Regulatory Compliance GA BuiltIn unknown
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn true
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn true
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn true
NL BIO Cloud Theme 6ce73208-883e-490f-a2ac-44aac3b3687f Regulatory Compliance GA BuiltIn unknown
NL BIO Cloud Theme V2 d8b2ffbe-c6a8-4622-965d-4ade11d1d2ee Regulatory Compliance GA BuiltIn unknown
RMIT Malaysia 97a6d4f1-3bed-4cf4-ac5b-0e444c0408d6 Regulatory Compliance GA BuiltIn unknown
History
Date/Time (UTC ymd) (i) Change type Change detail
2024-10-25 17:51:35 change Minor (2.0.1 > 2.1.0)
2022-10-07 16:34:28 change Patch (2.0.0 > 2.0.1)
2022-07-01 16:32:34 change Major (1.0.0 > 2.0.0)
2019-10-29 23:04:36 add f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC