Azure Policy Regulatory Compliance controls for Azure Arc-enabled servers

Article
09/19/2024

Regulatory Compliance in Azure Policy provides Microsoft created and managed initiative definitions, known as built-ins, for the compliance domains and security controls related to different compliance standards. This page lists the compliance domains and security controls for Azure Arc-enabled servers. You can assign the built-ins for a security control individually to help make your Azure resources compliant with the specific standard.

The title of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Policy Version column to view the source on the Azure Policy GitHub repo.

Important

Each control is associated with one or more Azure Policy definitions. These policies might help you assess compliance with the control. However, there often isn't a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policies themselves. This doesn't ensure that you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between controls and Azure Policy Regulatory Compliance definitions for these compliance standards can change over time.

Australian Government ISM PROTECTED

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Australian Government ISM PROTECTED. For more information about this compliance standard, see Australian Government ISM PROTECTED.

Domain	Control ID	Control title	Policy _{(Azure portal)}	Policy version _(GitHub)
Guidelines for Personnel Security - Access to systems and their resources	415	User identification - 415	Audit Windows machines that have the specified members in the Administrators group	2.0.0
Guidelines for System Hardening - Authentication hardening	421	Single-factor authentication - 421	Windows machines should meet requirements for 'Security Settings - Account Policies'	3.0.0
Guidelines for Personnel Security - Access to systems and their resources	445	Privileged access to systems - 445	Audit Windows machines that have the specified members in the Administrators group	2.0.0
Guidelines for Cryptography - Transport Layer Security	1139	Using Transport Layer Security - 1139	Windows machines should be configured to use secure communication protocols	4.1.1
Guidelines for Database Systems - Database servers	1277	Communications between database servers and web servers - 1277	Windows machines should be configured to use secure communication protocols	4.1.1
Guidelines for Personnel Security - Access to systems and their resources	1503	Standard access to systems - 1503	Audit Windows machines that have the specified members in the Administrators group	2.0.0
Guidelines for Personnel Security - Access to systems and their resources	1507	Privileged access to systems - 1507	Audit Windows machines that have the specified members in the Administrators group	2.0.0
Guidelines for Personnel Security - Access to systems and their resources	1508	Privileged access to systems - 1508	Audit Windows machines that have the specified members in the Administrators group	2.0.0
Guidelines for System Hardening - Authentication hardening	1546	Authenticating to systems - 1546	Audit Linux machines that allow remote connections from accounts without passwords	3.1.0
Guidelines for System Hardening - Authentication hardening	1546	Authenticating to systems - 1546	Audit Linux machines that have accounts without passwords	3.1.0

Canada Federal PBMM

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Canada Federal PBMM. For more information about this compliance standard, see Canada Federal PBMM.

Domain	Control ID	Control title	Policy _{(Azure portal)}	Policy version _(GitHub)
Access Control	AC-5	Separation of Duties	Audit Windows machines missing any of specified members in the Administrators group	2.0.0
Access Control	AC-5	Separation of Duties	Audit Windows machines that have the specified members in the Administrators group	2.0.0
Access Control	AC-6	Least Privilege	Audit Windows machines missing any of specified members in the Administrators group	2.0.0
Access Control	AC-6	Least Privilege	Audit Windows machines that have the specified members in the Administrators group	2.0.0
Access Control	AC-17(1)	Remote Access \| Automated Monitoring / Control	Audit Linux machines that allow remote connections from accounts without passwords	3.1.0
Identification and Authentication	IA-5	Authenticator Management	Audit Linux machines that do not have the passwd file permissions set to 0644	3.1.0
Identification and Authentication	IA-5	Authenticator Management	Audit Linux machines that have accounts without passwords	3.1.0
Identification and Authentication	IA-5(1)	Authenticator Management \| Password-Based Authentication	Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords	2.1.0
Identification and Authentication	IA-5(1)	Authenticator Management \| Password-Based Authentication	Audit Windows machines that do not have the maximum password age set to specified number of days	2.1.0
Identification and Authentication	IA-5(1)	Authenticator Management \| Password-Based Authentication	Audit Windows machines that do not have the minimum password age set to specified number of days	2.1.0
Identification and Authentication	IA-5(1)	Authenticator Management \| Password-Based Authentication	Audit Windows machines that do not have the password complexity setting enabled	2.0.0
Identification and Authentication	IA-5(1)	Authenticator Management \| Password-Based Authentication	Audit Windows machines that do not restrict the minimum password length to specified number of characters	2.1.0
System and Communications Protection	SC-8(1)	Transmission Confidentiality and Integrity \| Cryptographic or Alternate Physical Protection	Windows machines should be configured to use secure communication protocols	4.1.1

CIS Microsoft Azure Foundations Benchmark 2.0.0

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for CIS v2.0.0. For more information about this compliance standard, see CIS Microsoft Azure Foundations Benchmark.

Domain	Control ID	Control title	Policy _{(Azure portal)}	Policy version _(GitHub)
2.1	2.1.13	Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'	Machines should be configured to periodically check for missing system updates	3.7.0

CMMC Level 3

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - CMMC Level 3. For more information about this compliance standard, see Cybersecurity Maturity Model Certification (CMMC).

Domain	Control ID	Control title	Policy _{(Azure portal)}	Policy version _(GitHub)
Access Control	AC.1.001	Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems).	Audit Linux machines that allow remote connections from accounts without passwords	3.1.0
Access Control	AC.1.001	Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems).	Windows machines should meet requirements for 'Security Options - Network Access'	3.0.0
Access Control	AC.1.001	Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems).	Windows machines should meet requirements for 'Security Options - Network Security'	3.0.0
Access Control	AC.1.002	Limit information system access to the types of transactions and functions that authorized users are permitted to execute.	Audit Linux machines that allow remote connections from accounts without passwords	3.1.0
Access Control	AC.1.002	Limit information system access to the types of transactions and functions that authorized users are permitted to execute.	Windows machines should be configured to use secure communication protocols	4.1.1
Access Control	AC.1.002	Limit information system access to the types of transactions and functions that authorized users are permitted to execute.	Windows machines should meet requirements for 'Security Options - Network Access'	3.0.0
Access Control	AC.2.008	Use non-privileged accounts or roles when accessing nonsecurity functions.	Windows machines should meet requirements for 'Security Options - User Account Control'	3.0.0
Access Control	AC.2.008	Use non-privileged accounts or roles when accessing nonsecurity functions.	Windows machines should meet requirements for 'User Rights Assignment'	3.0.0
Access Control	AC.2.013	Monitor and control remote access sessions.	Audit Linux machines that allow remote connections from accounts without passwords	3.1.0
Access Control	AC.2.013	Monitor and control remote access sessions.	Windows machines should meet requirements for 'Security Options - Network Security'	3.0.0
Access Control	AC.2.016	Control the flow of CUI in accordance with approved authorizations.	Windows machines should meet requirements for 'Security Options - Network Access'	3.0.0
Access Control	AC.3.017	Separate the duties of individuals to reduce the risk of malevolent activity without collusion.	Audit Windows machines missing any of specified members in the Administrators group	2.0.0
Access Control	AC.3.017	Separate the duties of individuals to reduce the risk of malevolent activity without collusion.	Audit Windows machines that have the specified members in the Administrators group	2.0.0
Access Control	AC.3.018	Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.	Windows machines should meet requirements for 'System Audit Policies - Privilege Use'	3.0.0
Access Control	AC.3.021	Authorize remote execution of privileged commands and remote access to security-relevant information.	Windows machines should meet requirements for 'Security Options - User Account Control'	3.0.0
Access Control	AC.3.021	Authorize remote execution of privileged commands and remote access to security-relevant information.	Windows machines should meet requirements for 'User Rights Assignment'	3.0.0
Configuration Management	CM.2.061	Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.	Linux machines should meet requirements for the Azure compute security baseline	2.2.0
Configuration Management	CM.2.062	Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.	Windows machines should meet requirements for 'System Audit Policies - Privilege Use'	3.0.0
Configuration Management	CM.2.063	Control and monitor user-installed software.	Windows machines should meet requirements for 'Security Options - User Account Control'	3.0.0
Configuration Management	CM.2.064	Establish and enforce security configuration settings for information technology products employed in organizational systems.	Windows machines should meet requirements for 'Security Options - Network Security'	3.0.0
Configuration Management	CM.2.065	Track, review, approve or disapprove, and log changes to organizational systems.	Windows machines should meet requirements for 'System Audit Policies - Policy Change'	3.0.0
Identification and Authentication	IA.1.077	Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.	Audit Linux machines that do not have the passwd file permissions set to 0644	3.1.0
Identification and Authentication	IA.1.077	Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.	Audit Linux machines that have accounts without passwords	3.1.0
Identification and Authentication	IA.1.077	Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.	Windows machines should meet requirements for 'Security Options - Network Security'	3.0.0
Identification and Authentication	IA.2.078	Enforce a minimum password complexity and change of characters when new passwords are created.	Audit Linux machines that have accounts without passwords	3.1.0
Identification and Authentication	IA.2.078	Enforce a minimum password complexity and change of characters when new passwords are created.	Audit Windows machines that do not have the password complexity setting enabled	2.0.0
Identification and Authentication	IA.2.078	Enforce a minimum password complexity and change of characters when new passwords are created.	Audit Windows machines that do not restrict the minimum password length to specified number of characters	2.1.0
Identification and Authentication	IA.2.078	Enforce a minimum password complexity and change of characters when new passwords are created.	Windows machines should meet requirements for 'Security Options - Network Security'	3.0.0
Identification and Authentication	IA.2.079	Prohibit password reuse for a specified number of generations.	Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords	2.1.0
Identification and Authentication	IA.2.079	Prohibit password reuse for a specified number of generations.	Windows machines should meet requirements for 'Security Options - Network Security'	3.0.0
Identification and Authentication	IA.2.081	Store and transmit only cryptographically-protected passwords.	Audit Windows machines that do not store passwords using reversible encryption	2.0.0
Identification and Authentication	IA.2.081	Store and transmit only cryptographically-protected passwords.	Windows machines should meet requirements for 'Security Options - Network Security'	3.0.0
Identification and Authentication	IA.3.084	Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts.	Windows machines should be configured to use secure communication protocols	4.1.1
System and Communications Protection	SC.1.175	Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.	Windows machines should be configured to use secure communication protocols	4.1.1
System and Communications Protection	SC.1.175	Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.	Windows machines should meet requirements for 'Security Options - Network Access'	3.0.0
System and Communications Protection	SC.1.175	Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.	Windows machines should meet requirements for 'Security Options - Network Security'	3.0.0
System and Communications Protection	SC.3.177	Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.	Audit Windows machines that do not store passwords using reversible encryption	2.0.0
System and Communications Protection	SC.3.181	Separate user functionality from system management functionality.	Audit Windows machines that have the specified members in the Administrators group	2.0.0
System and Communications Protection	SC.3.183	Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).	Windows machines should meet requirements for 'Security Options - Network Access'	3.0.0
System and Communications Protection	SC.3.183	Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).	Windows machines should meet requirements for 'Security Options - Network Security'	3.0.0
System and Communications Protection	SC.3.185	Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.	Windows machines should be configured to use secure communication protocols	4.1.1
System and Communications Protection	SC.3.190	Protect the authenticity of communications sessions.	Windows machines should be configured to use secure communication protocols	4.1.1

FedRAMP High

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - FedRAMP High. For more information about this compliance standard, see FedRAMP High.

Domain	Control ID	Control title	Policy _{(Azure portal)}	Policy version _(GitHub)
Access Control	AC-3	Access Enforcement	Audit Linux machines that have accounts without passwords	3.1.0
Access Control	AC-3	Access Enforcement	Authentication to Linux machines should require SSH keys	3.2.0
Access Control	AC-17	Remote Access	Audit Linux machines that allow remote connections from accounts without passwords	3.1.0
Access Control	AC-17 (1)	Automated Monitoring / Control	Audit Linux machines that allow remote connections from accounts without passwords	3.1.0
Audit And Accountability	AU-6 (4)	Central Review And Analysis	[Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines	1.0.1-preview
Audit And Accountability	AU-6 (4)	Central Review And Analysis	[Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines	1.0.1-preview
Audit And Accountability	AU-6 (5)	Integration / Scanning And Monitoring Capabilities	[Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines	1.0.1-preview
Audit And Accountability	AU-6 (5)	Integration / Scanning And Monitoring Capabilities	[Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines	1.0.1-preview
Audit And Accountability	AU-12	Audit Generation	[Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines	1.0.1-preview
Audit And Accountability	AU-12	Audit Generation	[Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines	1.0.1-preview
Audit And Accountability	AU-12 (1)	System-Wide / Time-Correlated Audit Trail	[Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines	1.0.1-preview
Audit And Accountability	AU-12 (1)	System-Wide / Time-Correlated Audit Trail	[Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines	1.0.1-preview
Configuration Management	CM-6	Configuration Settings	Linux machines should meet requirements for the Azure compute security baseline	2.2.0
Configuration Management	CM-6	Configuration Settings	Windows machines should meet requirements of the Azure compute security baseline	2.0.0
Identification And Authentication	IA-5	Authenticator Management	Audit Linux machines that do not have the passwd file permissions set to 0644	3.1.0
Identification And Authentication	IA-5	Authenticator Management	Audit Windows machines that do not store passwords using reversible encryption	2.0.0
Identification And Authentication	IA-5	Authenticator Management	Authentication to Linux machines should require SSH keys	3.2.0
Identification And Authentication	IA-5 (1)	Password-Based Authentication	Audit Linux machines that do not have the passwd file permissions set to 0644	3.1.0
Identification And Authentication	IA-5 (1)	Password-Based Authentication	Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords	2.1.0
Identification And Authentication	IA-5 (1)	Password-Based Authentication	Audit Windows machines that do not have the maximum password age set to specified number of days	2.1.0
Identification And Authentication	IA-5 (1)	Password-Based Authentication	Audit Windows machines that do not have the minimum password age set to specified number of days	2.1.0
Identification And Authentication	IA-5 (1)	Password-Based Authentication	Audit Windows machines that do not have the password complexity setting enabled	2.0.0
Identification And Authentication	IA-5 (1)	Password-Based Authentication	Audit Windows machines that do not restrict the minimum password length to specified number of characters	2.1.0
Identification And Authentication	IA-5 (1)	Password-Based Authentication	Audit Windows machines that do not store passwords using reversible encryption	2.0.0
Risk Assessment	RA-5	Vulnerability Scanning	SQL servers on machines should have vulnerability findings resolved	1.0.0
System And Communications Protection	SC-3	Security Function Isolation	Windows Defender Exploit Guard should be enabled on your machines	2.0.0
System And Communications Protection	SC-8	Transmission Confidentiality And Integrity	Windows machines should be configured to use secure communication protocols	4.1.1
System And Communications Protection	SC-8 (1)	Cryptographic Or Alternate Physical Protection	Windows machines should be configured to use secure communication protocols	4.1.1
System And Information Integrity	SI-3	Malicious Code Protection	Windows Defender Exploit Guard should be enabled on your machines	2.0.0
System And Information Integrity	SI-3 (1)	Central Management	Windows Defender Exploit Guard should be enabled on your machines	2.0.0
System And Information Integrity	SI-4	Information System Monitoring	[Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines	1.0.1-preview
System And Information Integrity	SI-4	Information System Monitoring	[Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines	1.0.1-preview
System And Information Integrity	SI-16	Memory Protection	Windows Defender Exploit Guard should be enabled on your machines	2.0.0

FedRAMP Moderate

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - FedRAMP Moderate. For more information about this compliance standard, see FedRAMP Moderate.

Domain	Control ID	Control title	Policy _{(Azure portal)}	Policy version _(GitHub)
Access Control	AC-3	Access Enforcement	Audit Linux machines that have accounts without passwords	3.1.0
Access Control	AC-3	Access Enforcement	Authentication to Linux machines should require SSH keys	3.2.0
Access Control	AC-17	Remote Access	Audit Linux machines that allow remote connections from accounts without passwords	3.1.0
Access Control	AC-17 (1)	Automated Monitoring / Control	Audit Linux machines that allow remote connections from accounts without passwords	3.1.0
Audit And Accountability	AU-12	Audit Generation	[Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines	1.0.1-preview
Audit And Accountability	AU-12	Audit Generation	[Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines	1.0.1-preview
Configuration Management	CM-6	Configuration Settings	Linux machines should meet requirements for the Azure compute security baseline	2.2.0
Configuration Management	CM-6	Configuration Settings	Windows machines should meet requirements of the Azure compute security baseline	2.0.0
Identification And Authentication	IA-5	Authenticator Management	Audit Linux machines that do not have the passwd file permissions set to 0644	3.1.0
Identification And Authentication	IA-5	Authenticator Management	Audit Windows machines that do not store passwords using reversible encryption	2.0.0
Identification And Authentication	IA-5	Authenticator Management	Authentication to Linux machines should require SSH keys	3.2.0
Identification And Authentication	IA-5 (1)	Password-Based Authentication	Audit Linux machines that do not have the passwd file permissions set to 0644	3.1.0
Identification And Authentication	IA-5 (1)	Password-Based Authentication	Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords	2.1.0
Identification And Authentication	IA-5 (1)	Password-Based Authentication	Audit Windows machines that do not have the maximum password age set to specified number of days	2.1.0
Identification And Authentication	IA-5 (1)	Password-Based Authentication	Audit Windows machines that do not have the minimum password age set to specified number of days	2.1.0
Identification And Authentication	IA-5 (1)	Password-Based Authentication	Audit Windows machines that do not have the password complexity setting enabled	2.0.0
Identification And Authentication	IA-5 (1)	Password-Based Authentication	Audit Windows machines that do not restrict the minimum password length to specified number of characters	2.1.0
Identification And Authentication	IA-5 (1)	Password-Based Authentication	Audit Windows machines that do not store passwords using reversible encryption	2.0.0
Risk Assessment	RA-5	Vulnerability Scanning	SQL servers on machines should have vulnerability findings resolved	1.0.0
System And Communications Protection	SC-8	Transmission Confidentiality And Integrity	Windows machines should be configured to use secure communication protocols	4.1.1
System And Communications Protection	SC-8 (1)	Cryptographic Or Alternate Physical Protection	Windows machines should be configured to use secure communication protocols	4.1.1
System And Information Integrity	SI-3	Malicious Code Protection	Windows Defender Exploit Guard should be enabled on your machines	2.0.0
System And Information Integrity	SI-3 (1)	Central Management	Windows Defender Exploit Guard should be enabled on your machines	2.0.0
System And Information Integrity	SI-4	Information System Monitoring	[Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines	1.0.1-preview
System And Information Integrity	SI-4	Information System Monitoring	[Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines	1.0.1-preview
System And Information Integrity	SI-16	Memory Protection	Windows Defender Exploit Guard should be enabled on your machines	2.0.0

HIPAA HITRUST 9.2

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - HIPAA HITRUST 9.2. For more information about this compliance standard, see HIPAA HITRUST 9.2.

IRS 1075 September 2016

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - IRS 1075 September 2016. For more information about this compliance standard, see IRS 1075 September 2016.

Domain	Control ID	Control title	Policy _{(Azure portal)}	Policy version _(GitHub)
Access Control	9.3.1.12	Remote Access (AC-17)	Audit Linux machines that allow remote connections from accounts without passwords	3.1.0
Access Control	9.3.1.5	Separation of Duties (AC-5)	Audit Windows machines missing any of specified members in the Administrators group	2.0.0
Access Control	9.3.1.5	Separation of Duties (AC-5)	Audit Windows machines that have the specified members in the Administrators group	2.0.0
Access Control	9.3.1.6	Least Privilege (AC-6)	Audit Windows machines missing any of specified members in the Administrators group	2.0.0
Access Control	9.3.1.6	Least Privilege (AC-6)	Audit Windows machines that have the specified members in the Administrators group	2.0.0
System and Communications Protection	9.3.16.6	Transmission Confidentiality and Integrity (SC-8)	Windows machines should be configured to use secure communication protocols	4.1.1
Identification and Authentication	9.3.7.5	Authenticator Management (IA-5)	Audit Linux machines that do not have the passwd file permissions set to 0644	3.1.0
Identification and Authentication	9.3.7.5	Authenticator Management (IA-5)	Audit Linux machines that have accounts without passwords	3.1.0
Identification and Authentication	9.3.7.5	Authenticator Management (IA-5)	Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords	2.1.0
Identification and Authentication	9.3.7.5	Authenticator Management (IA-5)	Audit Windows machines that do not have the maximum password age set to specified number of days	2.1.0
Identification and Authentication	9.3.7.5	Authenticator Management (IA-5)	Audit Windows machines that do not have the minimum password age set to specified number of days	2.1.0
Identification and Authentication	9.3.7.5	Authenticator Management (IA-5)	Audit Windows machines that do not have the password complexity setting enabled	2.0.0
Identification and Authentication	9.3.7.5	Authenticator Management (IA-5)	Audit Windows machines that do not restrict the minimum password length to specified number of characters	2.1.0
Identification and Authentication	9.3.7.5	Authenticator Management (IA-5)	Audit Windows machines that do not store passwords using reversible encryption	2.0.0

ISO 27001:2013

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - ISO 27001:2013. For more information about this compliance standard, see ISO 27001:2013.

Domain	Control ID	Control title	Policy _{(Azure portal)}	Policy version _(GitHub)
Cryptography	10.1.1	Policy on the use of cryptographic controls	Audit Windows machines that do not store passwords using reversible encryption	2.0.0
Access Control	9.1.2	Access to networks and network services	Audit Linux machines that allow remote connections from accounts without passwords	3.1.0
Access Control	9.1.2	Access to networks and network services	Audit Linux machines that have accounts without passwords	3.1.0
Access Control	9.2.4	Management of secret authentication information of users	Audit Linux machines that do not have the passwd file permissions set to 0644	3.1.0
Access Control	9.4.3	Password management system	Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords	2.1.0
Access Control	9.4.3	Password management system	Audit Windows machines that do not have the maximum password age set to specified number of days	2.1.0
Access Control	9.4.3	Password management system	Audit Windows machines that do not have the minimum password age set to specified number of days	2.1.0
Access Control	9.4.3	Password management system	Audit Windows machines that do not have the password complexity setting enabled	2.0.0
Access Control	9.4.3	Password management system	Audit Windows machines that do not restrict the minimum password length to specified number of characters	2.1.0

Microsoft cloud security benchmark

The Microsoft cloud security benchmark provides recommendations on how you can secure your cloud solutions on Azure. To see how this service completely maps to the Microsoft cloud security benchmark, see the Azure Security Benchmark mapping files.

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Microsoft cloud security benchmark.

Domain	Control ID	Control title	Policy _{(Azure portal)}	Policy version _(GitHub)
Identity Management	IM-6	Use strong authentication controls	Authentication to Linux machines should require SSH keys	3.2.0
Data Protection	DP-3	Encrypt sensitive data in transit	Windows machines should be configured to use secure communication protocols	4.1.1
Logging and Threat Detection	LT-1	Enable threat detection capabilities	Windows Defender Exploit Guard should be enabled on your machines	2.0.0
Logging and Threat Detection	LT-2	Enable threat detection for identity and access management	Windows Defender Exploit Guard should be enabled on your machines	2.0.0
Logging and Threat Detection	LT-5	Centralize security log management and analysis	[Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines	1.0.1-preview
Logging and Threat Detection	LT-5	Centralize security log management and analysis	[Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines	1.0.1-preview
Posture and Vulnerability Management	PV-4	Audit and enforce secure configurations for compute resources	Linux machines should meet requirements for the Azure compute security baseline	2.2.0
Posture and Vulnerability Management	PV-4	Audit and enforce secure configurations for compute resources	Windows machines should meet requirements of the Azure compute security baseline	2.0.0
Posture and Vulnerability Management	PV-6	Rapidly and automatically remediate vulnerabilities	Machines should be configured to periodically check for missing system updates	3.7.0
Posture and Vulnerability Management	PV-6	Rapidly and automatically remediate vulnerabilities	SQL servers on machines should have vulnerability findings resolved	1.0.0
Posture and Vulnerability Management	PV-6	Rapidly and automatically remediate vulnerabilities	System updates should be installed on your machines (powered by Update Center)	1.0.1
Endpoint Security	ES-2	Use modern anti-malware software	Windows Defender Exploit Guard should be enabled on your machines	2.0.0

NIST SP 800-171 R2

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - NIST SP 800-171 R2. For more information about this compliance standard, see NIST SP 800-171 R2.

Domain	Control ID	Control title	Policy _{(Azure portal)}	Policy version _(GitHub)
Access Control	3.1.1	Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).	Audit Linux machines that allow remote connections from accounts without passwords	3.1.0
Access Control	3.1.1	Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).	Audit Linux machines that have accounts without passwords	3.1.0
Access Control	3.1.1	Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).	Authentication to Linux machines should require SSH keys	3.2.0
Access Control	3.1.12	Monitor and control remote access sessions.	Audit Linux machines that allow remote connections from accounts without passwords	3.1.0
Access Control	3.1.4	Separate the duties of individuals to reduce the risk of malevolent activity without collusion.	Audit Windows machines missing any of specified members in the Administrators group	2.0.0
Access Control	3.1.4	Separate the duties of individuals to reduce the risk of malevolent activity without collusion.	Audit Windows machines that have the specified members in the Administrators group	2.0.0
Risk Assessment	3.11.2	Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.	SQL servers on machines should have vulnerability findings resolved	1.0.0
Risk Assessment	3.11.3	Remediate vulnerabilities in accordance with risk assessments.	SQL servers on machines should have vulnerability findings resolved	1.0.0
System and Communications Protection	3.13.8	Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.	Windows machines should be configured to use secure communication protocols	4.1.1
System and Information Integrity	3.14.1	Identify, report, and correct system flaws in a timely manner.	Windows Defender Exploit Guard should be enabled on your machines	2.0.0
System and Information Integrity	3.14.2	Provide protection from malicious code at designated locations within organizational systems.	Windows Defender Exploit Guard should be enabled on your machines	2.0.0
System and Information Integrity	3.14.4	Update malicious code protection mechanisms when new releases are available.	Windows Defender Exploit Guard should be enabled on your machines	2.0.0
System and Information Integrity	3.14.5	Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed.	Windows Defender Exploit Guard should be enabled on your machines	2.0.0
System and Information Integrity	3.14.6	Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.	[Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines	1.0.1-preview
System and Information Integrity	3.14.6	Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.	[Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines	1.0.1-preview
System and Information Integrity	3.14.7	Identify unauthorized use of organizational systems.	[Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines	1.0.1-preview
System and Information Integrity	3.14.7	Identify unauthorized use of organizational systems.	[Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines	1.0.1-preview
Audit and Accountability	3.3.1	Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity	[Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines	1.0.1-preview
Audit and Accountability	3.3.1	Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity	[Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines	1.0.1-preview
Audit and Accountability	3.3.2	Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions.	[Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines	1.0.1-preview
Audit and Accountability	3.3.2	Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions.	[Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines	1.0.1-preview
Configuration Management	3.4.1	Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.	Linux machines should meet requirements for the Azure compute security baseline	2.2.0
Configuration Management	3.4.1	Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.	Windows machines should meet requirements of the Azure compute security baseline	2.0.0
Configuration Management	3.4.2	Establish and enforce security configuration settings for information technology products employed in organizational systems.	Linux machines should meet requirements for the Azure compute security baseline	2.2.0
Configuration Management	3.4.2	Establish and enforce security configuration settings for information technology products employed in organizational systems.	Windows machines should meet requirements of the Azure compute security baseline	2.0.0
Identification and Authentication	3.5.10	Store and transmit only cryptographically-protected passwords.	Audit Linux machines that do not have the passwd file permissions set to 0644	3.1.0
Identification and Authentication	3.5.10	Store and transmit only cryptographically-protected passwords.	Audit Windows machines that do not store passwords using reversible encryption	2.0.0
Identification and Authentication	3.5.10	Store and transmit only cryptographically-protected passwords.	Windows machines should meet requirements for 'Security Options - Network Security'	3.0.0
Identification and Authentication	3.5.2	Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.	Audit Linux machines that do not have the passwd file permissions set to 0644	3.1.0
Identification and Authentication	3.5.2	Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.	Audit Windows machines that do not store passwords using reversible encryption	2.0.0
Identification and Authentication	3.5.2	Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.	Authentication to Linux machines should require SSH keys	3.2.0
Identification and Authentication	3.5.4	Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.	Windows machines should meet requirements for 'Security Options - Network Security'	3.0.0
Identification and Authentication	3.5.7	Enforce a minimum password complexity and change of characters when new passwords are created.	Audit Windows machines that do not have the password complexity setting enabled	2.0.0
Identification and Authentication	3.5.7	Enforce a minimum password complexity and change of characters when new passwords are created.	Audit Windows machines that do not restrict the minimum password length to specified number of characters	2.1.0
Identification and Authentication	3.5.8	Prohibit password reuse for a specified number of generations.	Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords	2.1.0

NIST SP 800-53 Rev. 4

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - NIST SP 800-53 Rev. 4. For more information about this compliance standard, see NIST SP 800-53 Rev. 4.

Domain	Control ID	Control title	Policy _{(Azure portal)}	Policy version _(GitHub)
Access Control	AC-3	Access Enforcement	Audit Linux machines that have accounts without passwords	3.1.0
Access Control	AC-3	Access Enforcement	Authentication to Linux machines should require SSH keys	3.2.0
Access Control	AC-17	Remote Access	Audit Linux machines that allow remote connections from accounts without passwords	3.1.0
Access Control	AC-17 (1)	Automated Monitoring / Control	Audit Linux machines that allow remote connections from accounts without passwords	3.1.0
Audit And Accountability	AU-6 (4)	Central Review And Analysis	[Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines	1.0.1-preview
Audit And Accountability	AU-6 (4)	Central Review And Analysis	[Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines	1.0.1-preview
Audit And Accountability	AU-6 (5)	Integration / Scanning And Monitoring Capabilities	[Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines	1.0.1-preview
Audit And Accountability	AU-6 (5)	Integration / Scanning And Monitoring Capabilities	[Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines	1.0.1-preview
Audit And Accountability	AU-12	Audit Generation	[Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines	1.0.1-preview
Audit And Accountability	AU-12	Audit Generation	[Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines	1.0.1-preview
Audit And Accountability	AU-12 (1)	System-Wide / Time-Correlated Audit Trail	[Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines	1.0.1-preview
Audit And Accountability	AU-12 (1)	System-Wide / Time-Correlated Audit Trail	[Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines	1.0.1-preview
Configuration Management	CM-6	Configuration Settings	Linux machines should meet requirements for the Azure compute security baseline	2.2.0
Configuration Management	CM-6	Configuration Settings	Windows machines should meet requirements of the Azure compute security baseline	2.0.0
Identification And Authentication	IA-5	Authenticator Management	Audit Linux machines that do not have the passwd file permissions set to 0644	3.1.0
Identification And Authentication	IA-5	Authenticator Management	Audit Windows machines that do not store passwords using reversible encryption	2.0.0
Identification And Authentication	IA-5	Authenticator Management	Authentication to Linux machines should require SSH keys	3.2.0
Identification And Authentication	IA-5 (1)	Password-Based Authentication	Audit Linux machines that do not have the passwd file permissions set to 0644	3.1.0
Identification And Authentication	IA-5 (1)	Password-Based Authentication	Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords	2.1.0
Identification And Authentication	IA-5 (1)	Password-Based Authentication	Audit Windows machines that do not have the maximum password age set to specified number of days	2.1.0
Identification And Authentication	IA-5 (1)	Password-Based Authentication	Audit Windows machines that do not have the minimum password age set to specified number of days	2.1.0
Identification And Authentication	IA-5 (1)	Password-Based Authentication	Audit Windows machines that do not have the password complexity setting enabled	2.0.0
Identification And Authentication	IA-5 (1)	Password-Based Authentication	Audit Windows machines that do not restrict the minimum password length to specified number of characters	2.1.0
Identification And Authentication	IA-5 (1)	Password-Based Authentication	Audit Windows machines that do not store passwords using reversible encryption	2.0.0
Risk Assessment	RA-5	Vulnerability Scanning	SQL servers on machines should have vulnerability findings resolved	1.0.0
System And Communications Protection	SC-3	Security Function Isolation	Windows Defender Exploit Guard should be enabled on your machines	2.0.0
System And Communications Protection	SC-8	Transmission Confidentiality And Integrity	Windows machines should be configured to use secure communication protocols	4.1.1
System And Communications Protection	SC-8 (1)	Cryptographic Or Alternate Physical Protection	Windows machines should be configured to use secure communication protocols	4.1.1
System And Information Integrity	SI-3	Malicious Code Protection	Windows Defender Exploit Guard should be enabled on your machines	2.0.0
System And Information Integrity	SI-3 (1)	Central Management	Windows Defender Exploit Guard should be enabled on your machines	2.0.0
System And Information Integrity	SI-4	Information System Monitoring	[Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines	1.0.1-preview
System And Information Integrity	SI-4	Information System Monitoring	[Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines	1.0.1-preview
System And Information Integrity	SI-16	Memory Protection	Windows Defender Exploit Guard should be enabled on your machines	2.0.0

NIST SP 800-53 Rev. 5

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - NIST SP 800-53 Rev. 5. For more information about this compliance standard, see NIST SP 800-53 Rev. 5.

Domain	Control ID	Control title	Policy _{(Azure portal)}	Policy version _(GitHub)
Access Control	AC-3	Access Enforcement	Audit Linux machines that have accounts without passwords	3.1.0
Access Control	AC-3	Access Enforcement	Authentication to Linux machines should require SSH keys	3.2.0
Access Control	AC-17	Remote Access	Audit Linux machines that allow remote connections from accounts without passwords	3.1.0
Access Control	AC-17 (1)	Monitoring and Control	Audit Linux machines that allow remote connections from accounts without passwords	3.1.0
Audit and Accountability	AU-6 (4)	Central Review and Analysis	[Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines	1.0.1-preview
Audit and Accountability	AU-6 (4)	Central Review and Analysis	[Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines	1.0.1-preview
Audit and Accountability	AU-6 (5)	Integrated Analysis of Audit Records	[Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines	1.0.1-preview
Audit and Accountability	AU-6 (5)	Integrated Analysis of Audit Records	[Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines	1.0.1-preview
Audit and Accountability	AU-12	Audit Record Generation	[Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines	1.0.1-preview
Audit and Accountability	AU-12	Audit Record Generation	[Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines	1.0.1-preview
Audit and Accountability	AU-12 (1)	System-wide and Time-correlated Audit Trail	[Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines	1.0.1-preview
Audit and Accountability	AU-12 (1)	System-wide and Time-correlated Audit Trail	[Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines	1.0.1-preview
Configuration Management	CM-6	Configuration Settings	Linux machines should meet requirements for the Azure compute security baseline	2.2.0
Configuration Management	CM-6	Configuration Settings	Windows machines should meet requirements of the Azure compute security baseline	2.0.0
Identification and Authentication	IA-5	Authenticator Management	Audit Linux machines that do not have the passwd file permissions set to 0644	3.1.0
Identification and Authentication	IA-5	Authenticator Management	Audit Windows machines that do not store passwords using reversible encryption	2.0.0
Identification and Authentication	IA-5	Authenticator Management	Authentication to Linux machines should require SSH keys	3.2.0
Identification and Authentication	IA-5 (1)	Password-based Authentication	Audit Linux machines that do not have the passwd file permissions set to 0644	3.1.0
Identification and Authentication	IA-5 (1)	Password-based Authentication	Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords	2.1.0
Identification and Authentication	IA-5 (1)	Password-based Authentication	Audit Windows machines that do not have the maximum password age set to specified number of days	2.1.0
Identification and Authentication	IA-5 (1)	Password-based Authentication	Audit Windows machines that do not have the minimum password age set to specified number of days	2.1.0
Identification and Authentication	IA-5 (1)	Password-based Authentication	Audit Windows machines that do not have the password complexity setting enabled	2.0.0
Identification and Authentication	IA-5 (1)	Password-based Authentication	Audit Windows machines that do not restrict the minimum password length to specified number of characters	2.1.0
Identification and Authentication	IA-5 (1)	Password-based Authentication	Audit Windows machines that do not store passwords using reversible encryption	2.0.0
Risk Assessment	RA-5	Vulnerability Monitoring and Scanning	SQL servers on machines should have vulnerability findings resolved	1.0.0
System and Communications Protection	SC-3	Security Function Isolation	Windows Defender Exploit Guard should be enabled on your machines	2.0.0
System and Communications Protection	SC-8	Transmission Confidentiality and Integrity	Windows machines should be configured to use secure communication protocols	4.1.1
System and Communications Protection	SC-8 (1)	Cryptographic Protection	Windows machines should be configured to use secure communication protocols	4.1.1
System and Information Integrity	SI-3	Malicious Code Protection	Windows Defender Exploit Guard should be enabled on your machines	2.0.0
System and Information Integrity	SI-4	System Monitoring	[Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines	1.0.1-preview
System and Information Integrity	SI-4	System Monitoring	[Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines	1.0.1-preview
System and Information Integrity	SI-16	Memory Protection	Windows Defender Exploit Guard should be enabled on your machines	2.0.0

NL BIO Cloud Theme

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for NL BIO Cloud Theme. For more information about this compliance standard, see Baseline Information Security Government Cybersecurity - Digital Government (digitaleoverheid.nl).

Domain	Control ID	Control title	Policy _{(Azure portal)}	Policy version _(GitHub)
C.04.3 Technical vulnerability management - Timelines	C.04.3	If the probability of abuse and the expected damage are both high, patches are installed no later than within a week.	Windows Defender Exploit Guard should be enabled on your machines	2.0.0
C.04.6 Technical vulnerability management - Timelines	C.04.6	Technical weaknesses can be remedied by performing patch management in a timely manner.	Windows Defender Exploit Guard should be enabled on your machines	2.0.0
C.04.7 Technical vulnerability management - Evaluated	C.04.7	Evaluations of technical vulnerabilities are recorded and reported.	Windows Defender Exploit Guard should be enabled on your machines	2.0.0
U.05.1 Data protection - Cryptographic measures	U.05.1	Data transport is secured with cryptography where key management is carried out by the CSC itself if possible.	Windows machines should be configured to use secure communication protocols	4.1.1
U.09.3 Malware Protection - Detection, prevention and recovery	U.09.3	The malware protection runs on different environments.	Windows Defender Exploit Guard should be enabled on your machines	2.0.0
U.10.2 Access to IT services and data - Users	U.10.2	Under the responsibility of the CSP, access is granted to administrators.	Audit Linux machines that allow remote connections from accounts without passwords	3.1.0
U.10.2 Access to IT services and data - Users	U.10.2	Under the responsibility of the CSP, access is granted to administrators.	Audit Linux machines that have accounts without passwords	3.1.0
U.10.3 Access to IT services and data - Users	U.10.3	Only users with authenticated equipment can access IT services and data.	Audit Linux machines that allow remote connections from accounts without passwords	3.1.0
U.10.3 Access to IT services and data - Users	U.10.3	Only users with authenticated equipment can access IT services and data.	Audit Linux machines that have accounts without passwords	3.1.0
U.10.5 Access to IT services and data - Competent	U.10.5	Access to IT services and data is limited by technical measures and has been implemented.	Audit Linux machines that allow remote connections from accounts without passwords	3.1.0
U.10.5 Access to IT services and data - Competent	U.10.5	Access to IT services and data is limited by technical measures and has been implemented.	Audit Linux machines that have accounts without passwords	3.1.0
U.11.1 Cryptoservices - Policy	U.11.1	In the cryptography policy, at least the subjects in accordance with BIO have been elaborated.	Audit Windows machines that do not store passwords using reversible encryption	2.0.0
U.11.1 Cryptoservices - Policy	U.11.1	In the cryptography policy, at least the subjects in accordance with BIO have been elaborated.	Windows machines should be configured to use secure communication protocols	4.1.1
U.11.2 Cryptoservices - Cryptographic measures	U.11.2	In case of PKIoverheid certificates use PKIoverheid requirements for key management. In other situations use ISO11770.	Audit Windows machines that do not store passwords using reversible encryption	2.0.0
U.11.2 Cryptoservices - Cryptographic measures	U.11.2	In case of PKIoverheid certificates use PKIoverheid requirements for key management. In other situations use ISO11770.	Windows machines should be configured to use secure communication protocols	4.1.1
U.15.1 Logging and monitoring - Events logged	U.15.1	The violation of the policy rules is recorded by the CSP and the CSC.	[Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines	1.0.1-preview
U.15.1 Logging and monitoring - Events logged	U.15.1	The violation of the policy rules is recorded by the CSP and the CSC.	[Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines	1.0.1-preview

PCI DSS 3.2.1

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see PCI DSS 3.2.1. For more information about this compliance standard, see PCI DSS 3.2.1.

Domain	Control ID	Control title	Policy _{(Azure portal)}	Policy version _(GitHub)
Requirement 8	8.2.3	PCI DSS requirement 8.2.3	Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords	2.1.0
Requirement 8	8.2.3	PCI DSS requirement 8.2.3	Audit Windows machines that do not have the maximum password age set to specified number of days	2.1.0
Requirement 8	8.2.3	PCI DSS requirement 8.2.3	Audit Windows machines that do not restrict the minimum password length to specified number of characters	2.1.0
Requirement 8	8.2.5	PCI DSS requirement 8.2.5	Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords	2.1.0
Requirement 8	8.2.5	PCI DSS requirement 8.2.5	Audit Windows machines that do not have the maximum password age set to specified number of days	2.1.0
Requirement 8	8.2.5	PCI DSS requirement 8.2.5	Audit Windows machines that do not restrict the minimum password length to specified number of characters	2.1.0

PCI DSS v4.0

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for PCI DSS v4.0. For more information about this compliance standard, see PCI DSS v4.0.

Domain	Control ID	Control title	Policy _{(Azure portal)}	Policy version _(GitHub)
Requirement 08: Identify Users and Authenticate Access to System Components	8.3.6	Strong authentication for users and administrators is established and managed	Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords	2.1.0
Requirement 08: Identify Users and Authenticate Access to System Components	8.3.6	Strong authentication for users and administrators is established and managed	Audit Windows machines that do not have the maximum password age set to specified number of days	2.1.0
Requirement 08: Identify Users and Authenticate Access to System Components	8.3.6	Strong authentication for users and administrators is established and managed	Audit Windows machines that do not restrict the minimum password length to specified number of characters	2.1.0

Reserve Bank of India - IT Framework for NBFC

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Reserve Bank of India - IT Framework for NBFC. For more information about this compliance standard, see Reserve Bank of India - IT Framework for NBFC.

Domain	Control ID	Control title	Policy _{(Azure portal)}	Policy version _(GitHub)
IT Governance	1	IT Governance-1	SQL servers on machines should have vulnerability findings resolved	1.0.0
Information and Cyber Security	3.3	Vulnerability Management-3.3	SQL servers on machines should have vulnerability findings resolved	1.0.0

Reserve Bank of India IT Framework for Banks v2016

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - RBI ITF Banks v2016. For more information about this compliance standard, see RBI ITF Banks v2016 (PDF).

Domain	Control title	Policy _{(Azure portal)}	Policy version _(GitHub)
Maintenance, Monitoring, And Analysis Of Audit Logs	Maintenance, Monitoring, And Analysis Of Audit Logs-16.2	[Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines	1.0.1-preview
Maintenance, Monitoring, And Analysis Of Audit Logs	Maintenance, Monitoring, And Analysis Of Audit Logs-16.2	[Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines	1.0.1-preview
Authentication Framework For Customers	Authentication Framework For Customers-9.1	Authentication to Linux machines should require SSH keys	3.2.0
Audit Log Settings	Audit Log Settings-17.1	Linux machines should meet requirements for the Azure compute security baseline	2.2.0
Preventing Execution Of Unauthorised Software	Security Update Management-2.3	SQL servers on machines should have vulnerability findings resolved	1.0.0
Secure Configuration	Secure Configuration-5.1	Windows Defender Exploit Guard should be enabled on your machines	2.0.0
Secure Mail And Messaging Systems	Secure Mail And Messaging Systems-10.1	Windows machines should be configured to use secure communication protocols	4.1.1
Audit Log Settings	Audit Log Settings-17.1	Windows machines should meet requirements of the Azure compute security baseline	2.0.0

Spain ENS

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for Spain ENS. For more information about this compliance standard, see CCN-STIC 884.

Domain	Control ID	Control title	Policy _{(Azure portal)}	Policy version _(GitHub)
Protective Measures	mp.com.1	Protection of communications	Windows machines should meet requirements for 'Windows Firewall Properties'	3.0.0
Protective Measures	mp.com.3	Protection of communications	Audit Windows machines that do not store passwords using reversible encryption	2.0.0
Operational framework	op.acc.1	Access control	Audit Linux machines that do not have the passwd file permissions set to 0644	3.1.0
Operational framework	op.acc.2	Access control	Audit Linux machines that allow remote connections from accounts without passwords	3.1.0
Operational framework	op.acc.2	Access control	Audit Linux machines that have accounts without passwords	3.1.0
Operational framework	op.acc.2	Access control	Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords	2.1.0
Operational framework	op.acc.2	Access control	Audit Windows machines that do not have the maximum password age set to specified number of days	2.1.0
Operational framework	op.acc.2	Access control	Audit Windows machines that do not have the minimum password age set to specified number of days	2.1.0
Operational framework	op.acc.2	Access control	Audit Windows machines that do not have the password complexity setting enabled	2.0.0
Operational framework	op.acc.2	Access control	Audit Windows machines that do not restrict the minimum password length to specified number of characters	2.1.0
Operational framework	op.acc.5	Access control	Audit Linux machines that do not have the passwd file permissions set to 0644	3.1.0
Operational framework	op.acc.6	Access control	Audit Windows machines that do not store passwords using reversible encryption	2.0.0
Operational framework	op.exp.1	Operation	[Preview]: Configure Linux Arc-enabled machines to be associated with a Data Collection Rule for ChangeTracking and Inventory	1.0.0-preview
Operational framework	op.exp.1	Operation	[Preview]: Configure Linux Arc-enabled machines to to install AMA for ChangeTracking and Inventory	1.3.0-preview
Operational framework	op.exp.1	Operation	[Preview]: Configure Windows Arc-enabled machines to be associated with a Data Collection Rule for ChangeTracking and Inventory	1.0.0-preview
Operational framework	op.exp.1	Operation	[Preview]: Configure Windows Arc-enabled machines to install AMA for ChangeTracking and Inventory	1.0.0-preview
Operational framework	op.exp.10	Operation	Audit Linux machines that do not have the passwd file permissions set to 0644	3.1.0
Operational framework	op.exp.2	Operation	Configure machines to receive a vulnerability assessment provider	4.0.0
Operational framework	op.exp.2	Operation	SQL servers on machines should have vulnerability findings resolved	1.0.0
Operational framework	op.exp.3	Operation	Configure machines to receive a vulnerability assessment provider	4.0.0
Operational framework	op.exp.3	Operation	SQL servers on machines should have vulnerability findings resolved	1.0.0
Operational framework	op.exp.4	Operation	Configure machines to receive a vulnerability assessment provider	4.0.0
Operational framework	op.exp.4	Operation	SQL servers on machines should have vulnerability findings resolved	1.0.0
Operational framework	op.exp.5	Operation	Configure machines to receive a vulnerability assessment provider	4.0.0
Operational framework	op.exp.5	Operation	SQL servers on machines should have vulnerability findings resolved	1.0.0
Operational framework	op.exp.6	Operation	Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL	1.2.0
Operational framework	op.exp.6	Operation	Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace	1.5.0
Operational framework	op.exp.6	Operation	Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace	1.7.0
Operational framework	op.exp.6	Operation	Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL DCR	1.1.0
Operational framework	op.exp.6	Operation	Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR	1.3.0
Operational framework	op.exp.6	Operation	Configure machines to receive a vulnerability assessment provider	4.0.0
Operational framework	op.exp.6	Operation	Configure the Microsoft Defender for SQL Log Analytics workspace	1.4.0
Operational framework	op.exp.6	Operation	Windows Defender Exploit Guard should be enabled on your machines	2.0.0
Operational framework	op.exp.6	Operation	Windows machines should configure Windows Defender to update protection signatures within one day	1.0.1
Operational framework	op.exp.6	Operation	Windows machines should enable Windows Defender Real-time protection	1.0.1
Operational framework	op.ext.4	External resources	Audit Linux machines that allow remote connections from accounts without passwords	3.1.0
Operational framework	op.ext.4	External resources	Audit Linux machines that have accounts without passwords	3.1.0
Operational framework	op.mon.1	System monitoring	Windows Defender Exploit Guard should be enabled on your machines	2.0.0
Operational framework	op.mon.3	System monitoring	Configure machines to receive a vulnerability assessment provider	4.0.0
Operational framework	op.mon.3	System monitoring	SQL servers on machines should have vulnerability findings resolved	1.0.0

SWIFT CSP-CSCF v2021

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for SWIFT CSP-CSCF v2021. For more information about this compliance standard, see SWIFT CSP CSCF v2021.

Domain	Control ID	Control title	Policy _{(Azure portal)}	Policy version _(GitHub)
Reduce Attack Surface and Vulnerabilities	2.1	Internal Data Flow Security	Authentication to Linux machines should require SSH keys	3.2.0
Reduce Attack Surface and Vulnerabilities	2.1	Internal Data Flow Security	Windows machines should be configured to use secure communication protocols	4.1.1
Reduce Attack Surface and Vulnerabilities	2.2	Security Updates	Audit Windows VMs with a pending reboot	2.0.0
Reduce Attack Surface and Vulnerabilities	2.3	System Hardening	Audit Linux machines that do not have the passwd file permissions set to 0644	3.1.0
Reduce Attack Surface and Vulnerabilities	2.3	System Hardening	Audit Windows machines that contain certificates expiring within the specified number of days	2.0.0
Reduce Attack Surface and Vulnerabilities	2.3	System Hardening	Audit Windows machines that do not store passwords using reversible encryption	2.0.0
Reduce Attack Surface and Vulnerabilities	2.4A	Back-office Data Flow Security	Authentication to Linux machines should require SSH keys	3.2.0
Reduce Attack Surface and Vulnerabilities	2.4A	Back-office Data Flow Security	Windows machines should be configured to use secure communication protocols	4.1.1
Reduce Attack Surface and Vulnerabilities	2.6	Operator Session Confidentiality and Integrity	Windows machines should be configured to use secure communication protocols	4.1.1
Prevent Compromise of Credentials	4.1	Password Policy	Audit Linux machines that allow remote connections from accounts without passwords	3.1.0
Prevent Compromise of Credentials	4.1	Password Policy	Audit Linux machines that have accounts without passwords	3.1.0
Prevent Compromise of Credentials	4.1	Password Policy	Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords	2.1.0
Prevent Compromise of Credentials	4.1	Password Policy	Audit Windows machines that do not have the maximum password age set to specified number of days	2.1.0
Prevent Compromise of Credentials	4.1	Password Policy	Audit Windows machines that do not have the minimum password age set to specified number of days	2.1.0
Prevent Compromise of Credentials	4.1	Password Policy	Audit Windows machines that do not have the password complexity setting enabled	2.0.0
Prevent Compromise of Credentials	4.1	Password Policy	Audit Windows machines that do not restrict the minimum password length to specified number of characters	2.1.0
Manage Identities and Segregate Privileges	5.4	Physical and Logical Password Storage	Audit Windows machines that do not store passwords using reversible encryption	2.0.0

SWIFT CSP-CSCF v2022

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for SWIFT CSP-CSCF v2022. For more information about this compliance standard, see SWIFT CSP CSCF v2022.

Domain	Control ID	Control title	Policy _{(Azure portal)}	Policy version _(GitHub)
2. Reduce Attack Surface and Vulnerabilities	2.1	Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components.	Authentication to Linux machines should require SSH keys	3.2.0
2. Reduce Attack Surface and Vulnerabilities	2.1	Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components.	Windows machines should be configured to use secure communication protocols	4.1.1
2. Reduce Attack Surface and Vulnerabilities	2.2	Minimise the occurrence of known technical vulnerabilities on operator PCs and within the local SWIFT infrastructure by ensuring vendor support, applying mandatory software updates, and applying timely security updates aligned to the assessed risk.	Audit Windows VMs with a pending reboot	2.0.0
2. Reduce Attack Surface and Vulnerabilities	2.3	Reduce the cyber-attack surface of SWIFT-related components by performing system hardening.	Audit Linux machines that do not have the passwd file permissions set to 0644	3.1.0
2. Reduce Attack Surface and Vulnerabilities	2.3	Reduce the cyber-attack surface of SWIFT-related components by performing system hardening.	Audit Windows machines that contain certificates expiring within the specified number of days	2.0.0
2. Reduce Attack Surface and Vulnerabilities	2.3	Reduce the cyber-attack surface of SWIFT-related components by performing system hardening.	Audit Windows machines that do not store passwords using reversible encryption	2.0.0
2. Reduce Attack Surface and Vulnerabilities	2.4A	Back-office Data Flow Security	Authentication to Linux machines should require SSH keys	3.2.0
2. Reduce Attack Surface and Vulnerabilities	2.4A	Back-office Data Flow Security	Windows machines should be configured to use secure communication protocols	4.1.1
2. Reduce Attack Surface and Vulnerabilities	2.6	Protect the confidentiality and integrity of interactive operator sessions that connect to the local or remote (operated by a service provider) SWIFT infrastructure or service provider SWIFT-related applications	Windows machines should be configured to use secure communication protocols	4.1.1
2. Reduce Attack Surface and Vulnerabilities	2.6	Protect the confidentiality and integrity of interactive operator sessions that connect to the local or remote (operated by a service provider) SWIFT infrastructure or service provider SWIFT-related applications	Windows machines should meet requirements for 'Security Options - Interactive Logon'	3.0.0
4. Prevent Compromise of Credentials	4.1	Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy.	Audit Linux machines that allow remote connections from accounts without passwords	3.1.0
4. Prevent Compromise of Credentials	4.1	Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy.	Audit Linux machines that have accounts without passwords	3.1.0
4. Prevent Compromise of Credentials	4.1	Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy.	Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords	2.1.0
4. Prevent Compromise of Credentials	4.1	Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy.	Audit Windows machines that do not have the maximum password age set to specified number of days	2.1.0
4. Prevent Compromise of Credentials	4.1	Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy.	Audit Windows machines that do not have the minimum password age set to specified number of days	2.1.0
4. Prevent Compromise of Credentials	4.1	Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy.	Audit Windows machines that do not have the password complexity setting enabled	2.0.0
4. Prevent Compromise of Credentials	4.1	Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy.	Audit Windows machines that do not restrict the minimum password length to specified number of characters	2.1.0
5. Manage Identities and Segregate Privileges	5.1	Enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts.	Audit Windows machines that contain certificates expiring within the specified number of days	2.0.0
5. Manage Identities and Segregate Privileges	5.4	Protect physically and logically the repository of recorded passwords.	Audit Windows machines that do not store passwords using reversible encryption	2.0.0

System and Organization Controls (SOC) 2

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for System and Organization Controls (SOC) 2. For more information about this compliance standard, see System and Organization Controls (SOC) 2.

Domain	Control ID	Control title	Policy _{(Azure portal)}	Policy version _(GitHub)
Logical and Physical Access Controls	CC6.1	Logical access security software, infrastructure, and architectures	Authentication to Linux machines should require SSH keys	3.2.0
Logical and Physical Access Controls	CC6.1	Logical access security software, infrastructure, and architectures	Windows machines should be configured to use secure communication protocols	4.1.1
Logical and Physical Access Controls	CC6.6	Security measures against threats outside system boundaries	Authentication to Linux machines should require SSH keys	3.2.0
Logical and Physical Access Controls	CC6.6	Security measures against threats outside system boundaries	Windows machines should be configured to use secure communication protocols	4.1.1
Logical and Physical Access Controls	CC6.7	Restrict the movement of information to authorized users	Windows machines should be configured to use secure communication protocols	4.1.1
Logical and Physical Access Controls	CC6.8	Prevent or detect against unauthorized or malicious software	Linux machines should meet requirements for the Azure compute security baseline	2.2.0
Logical and Physical Access Controls	CC6.8	Prevent or detect against unauthorized or malicious software	Windows machines should meet requirements of the Azure compute security baseline	2.0.0
System Operations	CC7.2	Monitor system components for anomalous behavior	Windows Defender Exploit Guard should be enabled on your machines	2.0.0
Change Management	CC8.1	Changes to infrastructure, data, and software	Linux machines should meet requirements for the Azure compute security baseline	2.2.0
Change Management	CC8.1	Changes to infrastructure, data, and software	Windows machines should meet requirements of the Azure compute security baseline	2.0.0

UK OFFICIAL and UK NHS

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - UK OFFICIAL and UK NHS. For more information about this compliance standard, see UK OFFICIAL.

Domain	Control ID	Control title	Policy _{(Azure portal)}	Policy version _(GitHub)
Data in transit protection	1	Data in transit protection	Windows machines should be configured to use secure communication protocols	4.1.1
Identity and authentication	10	Identity and authentication	Audit Linux machines that allow remote connections from accounts without passwords	3.1.0
Identity and authentication	10	Identity and authentication	Audit Linux machines that do not have the passwd file permissions set to 0644	3.1.0
Identity and authentication	10	Identity and authentication	Audit Linux machines that have accounts without passwords	3.1.0
Identity and authentication	10	Identity and authentication	Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords	2.1.0
Identity and authentication	10	Identity and authentication	Audit Windows machines that do not have the maximum password age set to specified number of days	2.1.0
Identity and authentication	10	Identity and authentication	Audit Windows machines that do not have the minimum password age set to specified number of days	2.1.0
Identity and authentication	10	Identity and authentication	Audit Windows machines that do not have the password complexity setting enabled	2.0.0
Identity and authentication	10	Identity and authentication	Audit Windows machines that do not restrict the minimum password length to specified number of characters	2.1.0

Next steps

Learn more about Azure Policy Regulatory Compliance.
See the built-ins on the Azure Policy GitHub repo.

Share via