last sync: 2024-Oct-10 19:12:06 UTC

Require developer to identify SDLC ports, protocols, and services | Regulatory Compliance - Documentation

Azure BuiltIn Policy definition

Source Azure Portal
Display name Require developer to identify SDLC ports, protocols, and services
Id f6da5cca-5795-60ff-49e1-4972567815fe
Version 1.1.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description CMA_C1578 - Require developer to identify SDLC ports, protocols, and services
Additional metadata Name/Id: CMA_C1578 / CMA_C1578
Category: Documentation
Title: Require developer to identify SDLC ports, protocols, and services
Ownership: Customer
Description: The customer is responsible for requiring the developer of customer-deployed resource(s) to identify ports, protocols, and services intended for use early in the SDLC. Note: Microsoft Azure hosts the customer-deployed system. The customer can find a description of the security controls employed by Azure below.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 8 compliance controls are associated with this Policy definition 'Require developer to identify SDLC ports, protocols, and services' (f6da5cca-5795-60ff-49e1-4972567815fe)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 SA-4(9) FedRAMP_High_R4_SA-4(9) FedRAMP High SA-4 (9) System And Services Acquisition Functions / Ports / Protocols / Services In Use Shared n/a The organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use. Supplemental Guidance: The identification of functions, ports, protocols, and services early in the system development life cycle (e.g., during the initial requirements definition and design phases) allows organizations to influence the design of the information system, information system component, or information system service. This early involvement in the life cycle helps organizations to avoid or minimize the use of functions, ports, protocols, or services that pose unnecessarily high risks and understand the trade-offs involved in blocking specific ports, protocols, or services (or when requiring information system service providers to do so). Early identification of functions, ports, protocols, and services avoids costly retrofitting of security controls after the information system, system component, or information system service has been implemented. SA-9 describes requirements for external information system services with organizations identifying which functions, ports, protocols, and services are provided from external sources. Related controls: CM-7, SA-9. link 1
FedRAMP_Moderate_R4 SA-4(9) FedRAMP_Moderate_R4_SA-4(9) FedRAMP Moderate SA-4 (9) System And Services Acquisition Functions / Ports / Protocols / Services In Use Shared n/a The organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use. Supplemental Guidance: The identification of functions, ports, protocols, and services early in the system development life cycle (e.g., during the initial requirements definition and design phases) allows organizations to influence the design of the information system, information system component, or information system service. This early involvement in the life cycle helps organizations to avoid or minimize the use of functions, ports, protocols, or services that pose unnecessarily high risks and understand the trade-offs involved in blocking specific ports, protocols, or services (or when requiring information system service providers to do so). Early identification of functions, ports, protocols, and services avoids costly retrofitting of security controls after the information system, system component, or information system service has been implemented. SA-9 describes requirements for external information system services with organizations identifying which functions, ports, protocols, and services are provided from external sources. Related controls: CM-7, SA-9. link 1
hipaa 0887.09n2Organizational.5-09.n hipaa-0887.09n2Organizational.5-09.n 0887.09n2Organizational.5-09.n 08 Network Protection 0887.09n2Organizational.5-09.n 09.06 Network Security Management Shared n/a The organization requires external/outsourced service providers to identify the specific functions, ports, and protocols used in the provision of the external/outsourced services. 3
hipaa 0949.09y2Organizational.5-09.y hipaa-0949.09y2Organizational.5-09.y 0949.09y2Organizational.5-09.y 09 Transmission Protection 0949.09y2Organizational.5-09.y 09.09 Electronic Commerce Services Shared n/a The protocols used for communications are enhanced to address any new vulnerability, and the updated versions of the protocols are adopted as soon as possible. 6
hipaa 1786.10a1Organizational.9-10.a hipaa-1786.10a1Organizational.9-10.a 1786.10a1Organizational.9-10.a 17 Risk Management 1786.10a1Organizational.9-10.a 10.01 Security Requirements of Information Systems Shared n/a The organization requires developers of information systems, components, and developers or providers of services to identify (document) early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use. 4
NIST_SP_800-53_R4 SA-4(9) NIST_SP_800-53_R4_SA-4(9) NIST SP 800-53 Rev. 4 SA-4 (9) System And Services Acquisition Functions / Ports / Protocols / Services In Use Shared n/a The organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use. Supplemental Guidance: The identification of functions, ports, protocols, and services early in the system development life cycle (e.g., during the initial requirements definition and design phases) allows organizations to influence the design of the information system, information system component, or information system service. This early involvement in the life cycle helps organizations to avoid or minimize the use of functions, ports, protocols, or services that pose unnecessarily high risks and understand the trade-offs involved in blocking specific ports, protocols, or services (or when requiring information system service providers to do so). Early identification of functions, ports, protocols, and services avoids costly retrofitting of security controls after the information system, system component, or information system service has been implemented. SA-9 describes requirements for external information system services with organizations identifying which functions, ports, protocols, and services are provided from external sources. Related controls: CM-7, SA-9. link 1
NIST_SP_800-53_R5 SA-4(9) NIST_SP_800-53_R5_SA-4(9) NIST SP 800-53 Rev. 5 SA-4 (9) System and Services Acquisition Functions, Ports, Protocols, and Services in Use Shared n/a Require the developer of the system, system component, or system service to identify the functions, ports, protocols, and services intended for organizational use. link 1
PCI_DSS_v4.0 1.2.5 PCI_DSS_v4.0_1.2.5 PCI DSS v4.0 1.2.5 Requirement 01: Install and Maintain Network Security Controls Network security controls (NSCs) are configured and maintained Shared n/a All services, protocols, and ports allowed are identified, approved, and have a defined business need. link 2
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-19 17:41:40 add f6da5cca-5795-60ff-49e1-4972567815fe
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC